Single-photon-memory measurement-device-independent quantum secure direct communication

Xiang-Jie Li , Dong Pan , Gui-Lu Long , and Lajos Hanzo This work is supported by the National Natural Science Foundation of China under Grants No. 11974205 and No. 12205011, the Key R&D Program of Guangdong province (2018B030325002), Beijing Advanced Innovation Center for Future Chip (ICFC), Tsinghua University Initiative Scientific Research Program. Xiang-Jie Li is with State Key Laboratory of Low-dimensional Quantum Physics and Department of Physics, Tsinghua University, Beijing 100084, China.Dong Pan is with Beijing Academy of Quantum Information Sciences, Beijing 100193, China.Gui-Lu Long is with State Key Laboratory of Low-dimensional Quantum Physics and Department of Physics, Tsinghua University, Beijing 100084, China; Beijing Academy of Quantum Information Sciences, Beijing 100193, China; Frontier Science Center for Quantum Information, Beijing 100084, China; Beijing National Research Center for Information Science and Technology, Beijing 100084, China. (e-mail:gllong@mail.tsinghua.edu.cn).Lajos Hanzo is with School of Electronics and Computer Science, University of Southampton, Southampton SO17 1BJ, United Kingdom.

Abstract

Quantum secure direct communication (QSDC) uses the quantum channel to transmit information reliably and securely. In order to eliminate the security loopholes resulting from practical detectors, the measurement-device-independent (MDI) QSDC protocol has been proposed. However, block-based transmission of quantum states is utilized in MDI-QSDC, which requires practical quantum memory that is still unavailable at the time of writing. For circumventing this impediment, we propose a single-photon-memory MDI QSDC protocol (SPMQC) for dispensing with high-performance quantum memory. The performance of the proposed protocol is characterized by simulations considering realistic experimental parameters, and the results show that it is feasible to implement SPMQC by relying on present-day technology.

I Introduction

Quantum communication relies on quantum physical principles to ensure secure transmission of information. Bennett and Brassard proposed the first quantum key distribution (QKD) protocol in 1984 [1], which is deemed to be the earliest form of quantum communication conceived for secure key negotiation between two distant legitimate users. An important step in secure communication, namely the negotiation of a symmetric random secret key, is constituted by QKD. The secret key is then used for the one-time-pad encryption of messages to obtain the ciphertexts, but the transmission of ciphertext relies on classical communication.

Quantum secure direct communication (QSDC) is another quantum communication protocol that uses a quantum channel for directly transmitting secret messages. But indeed, QSDC can also be utilized for distributing secret keys from the transmitter to the receiver. In 2000, Long and Liu proposed the first QSDC protocol [2], in which the messages are mapped onto block-based entangled pairs. Then, in 2003, Deng et al. [3] developed the so-called two-step QSDC protocol for encoding the messages. Inspired by these protocols, many other entanglement-based QSDC protocols have been conceived, such as the high-dimensional QSDC protocol of [4], the multi-step QSDC protocol of [5], the quantum secure direct dialogue protocol of [6], the single-photon-memory two-step QSDC of [7], the continuous-variable QSDC of [8], the QSDC network of [9], and so on. A QSDC protocol based on a single photon was proposed by Deng and Long in 2004 [10], which is termed as the DL04 protocol. A review of QSDC protocols was given in Ref. [11].

Recently, there have been several experimental demonstrations of QSDC both in fiber [12, 13, 14] and in free-space [15, 16] relying on the QSDC protocols proposed in Refs. [3, 17, 10]. In 2021 multi-user QSDC networks relying on secure-repeaters or on direct links [18, 9, 19] have been reported. It has been demonstrated that a secure and reliable communication can be achieved over a noisy quantum channel in the face of eavesdropping based on Wyner’s wiretap theory [20, 14, 21, 22, 23].

But again, in the original QSDC protocols, quantum memory is required so that the level of security can be examined in the course of transmission. However, practical quantum memory [24, 25] is still decades away. To solve this difficulty, quantum-memory-free (QMF) protocols were proposed. Explicitly, in the QMF QSDC [24, 25], the information is transformed by the transmitter to the ciphertext using a shared secure transmission sequence (SSTS), which is similar to a secret key. Then using module 2 additions, Alice encodes the ciphertext into a codeword, which is mapped into quantum states, which are transmitted to Bob. Both then demodulates, decodes and recovers the plaintext message. The SSTS is then extracted from the ciphertext by the pair of communicating parties for later transmission. In the communication process, the coding efficiency and the length of the SSTS extracted from the ciphertext are determined by the channel’s security capacity, which can be calculated from the error rate. The QMF coding scheme enables simultaneous ciphertext transmission and SSTS negotiation. In this scheme, the ciphertext bits can be transmitted one by one upon mapping them to the quantum state, hence eliminating the requirement for block-based transmission of quantum states. The security of the message will be guaranteed by SSTS encryption, which is effectively the classic one-time-pad encryption. QMF-DL04-QSDC using dynamic joint encryption and error-control coding has been experimentally demonstrated over a maximum communication distance of 18.5 km [25]. QMF coding is suitable not only for single-photon QSDC, but also for entanglement-based QSDC [7].

There is always a gap between theory relying on idealized simplifying assumptions and practice in any technology, hence quantum communication is no exception. Hence, realistic imperfect devices cannot meet the idealized simplifying assumptions of theory, which might lead to security loopholes. The measurement-device-independent version of quantum communication protocols [26, 27, 28, 29, 30, 31, 32] bridges this gap between theory and practice by removing the detector-side channels. The MDI QSDC protocol uses quantum teleportation and message encoding to send the messages [28]. It has a pair of eavesdropping detection facilities. The first one is used to detect whether there is an eavesdropper in the vicinity before encoding the information, while the second one for integrity detection, namely for detecting whether the transmitted information is tampered with. The eavesdropping detection relies on block-based transmission, since some samples of qubits will be randomly chosen for eavesdropping detection, and the remaining qubits in the block will wait for the results of checking in quantum memory. However, similar to the original QSDC protocol’s block-based transmission regime, it is difficult to realize by current quantum memory technology. Normally, we use an optical delay line instead of quantum memory to store photons [13], which inevitably introduces high attenuation. Hence, for the practical application of MDI QSDC, the conception of a new quantum-memory-free coding-assisted MDI QSDC protocol is essential.

II Details of our protocol

Here we use QMF coding to replace the quantum memory required for block-transition-based MDI QSDC. Our SPMQC-DL04 protocol is illustrated in Fig. 1. We use the following single qubit states: $|0\rangle$ , $|1\rangle$ , $|\pm\rangle=(|0\rangle\pm|1\rangle)/\sqrt{2}$ , and $|\widetilde{\pm}\rangle=(|0\rangle\pm i|1\rangle)/\sqrt{2}$ . The four Bell-basis states are, $|\phi^{\pm}\rangle=(|00\rangle\pm|11\rangle)/\sqrt{2}$ , $|\psi^{\pm}\rangle=(|01\rangle\pm|10\rangle)/\sqrt{2}$ and $M\in\{0,1\}^{m}$ represents the message that Alice wants to transmit to Bob. Furthermore, $K\in\{0,1\}^{m}$ represents the keys in the key sink used for encryption and decryption, while $M^{\prime}\in\{0,1\}^{m}$ and $C\in\{0,1\}^{c}$ represent the ciphertext and code word, respectively. We divide the code word into frames, and each round of communication includes the following six steps to send a frame of information. We note that the key sink is empty in the first round. So Alice and Bob should select the appropriate values to estimate the secrecy capacity and the key $K$ [25].

Refer to caption — Figure 1: Schematic diagram of SPMQC. BS, beam splitter; BSM, Bell-state measurement; D₁, D₂, D₃, D₄, detector; PBS, polarizing beam splitter; SPM, single photon measurement.

Step 1, state preparation. Alice randomly prepares a Bell-state $|\psi^{-}\rangle$ or a single photon state which is randomly in one of the four states $\left\{|+\rangle_{\rm A},|-\rangle_{\rm A},|0\rangle_{\rm A},|1\rangle_{\rm A}\right\}$ . The entangled state and single photon state is used for information transmission and security check, respectively. Bob prepares a single photon state, which is randomly in one of the four states $\left\{|+\rangle_{\rm B},|-\rangle_{\rm B},|0\rangle_{\rm B},|1\rangle_{\rm B}\right\}$ .

Step 2, transmission and measurement. Alice and Bob send their own qubit to Charlie at the same time. Note that if Alice has prepared a pair of entangled qubits, one of the qubits will be forwarded to Charlie and the remaining one is retained by Alice. Charlie receives the qubits sent by Alice as well as Bob, and then he performs a Bell-state measurement (BSM) and announces the measurement result through classical channels.

Step 3, security check. If Alice prepares a single photon, she informs Bob through the classical channel and then they complete the eavesdropping detection and estimate the detection bit error rate (DBER), as detailed in Ref. [28]. This procedure completes the first security check. If the DBER is below the maximum tolerable threshold, then they move to the next step. Otherwise, they return to Step 1.

TABLE I: Correspondence between Alice’s states and Bob’s initial state as well as BSM results [28]. For instance, if the BSM result is

|\psi^{+}\rangle

and Bob’s initial state is

|0\rangle_{\rm B}

, the retained qubit of Alice will be

|0\rangle_{\rm A}

. The state of qubit retained by Alice is only known to Bob, since the initial state is prepared by Bob.

Bob’s initial state	$\|\psi^{-}\rangle$	$\|\psi^{+}\rangle$	$\|\phi^{-}\rangle$	$\|\phi^{+}\rangle$
$\|0\rangle_{\rm B}$	$-\|0\rangle_{\rm A}$	$\|0\rangle_{\rm A}$	$-\|1\rangle_{\rm A}$	$-\|1\rangle_{\rm A}$
$\|1\rangle_{\rm B}$	$-\|1\rangle_{\rm A}$	$-\|1\rangle_{\rm A}$	$-\|0\rangle_{\rm A}$	$\|0\rangle_{\rm A}$
$\|+\rangle_{\rm B}$	$-\|+\rangle_{\rm A}$	$\|-\rangle_{\rm A}$	$-\|+\rangle_{\rm A}$	$\|-\rangle_{\rm A}$
$\|-\rangle_{\rm B}$	$-\|-\rangle_{\rm A}$	$\|+\rangle_{\rm A}$	$\|-\rangle_{\rm A}$	$-\|+\rangle_{\rm A}$

Step 4, state recovery and transmitted message coding. As shown in Table I, if Alice prepares an entangled state, the qubit which is retained by her will have one of the four single-photon states with equal probabilities after Charlie’s BSM. Bob announces the basis that he used for prepareing the initial state. Alice then recovers the qubit she retained by performing the unitary operation $U_{T}\in\{I,i\sigma_{y}\}$ according to the BSM result. To elaborate a little further, if Bob’s initial state is prepared in the basis $Z$ and the BSM result is $|\phi^{-}\rangle$ or $|\phi^{+}\rangle$ , applying a unitary operation $U_{T}=i\sigma_{y}$ to Alice’ qubit will transform it to the same state as Bob’s initial state. We refer to this step as the state recovery, since it completes the teleportation of Bob’s initial state to Alice. Alice applies the exclusive or (XOR) operation both to the message $\mathnormal{M}$ and to the key $\mathnormal{K}$ distilled from the previous round of information, for producing an encrypted ciphertext $\mathnormal{M^{\prime}}$ , where $\mathnormal{M^{\prime}=M\oplus K}$ . Next Alice performs dynamic joint encryption and error-control coding [25] to ensure the secure and reliable transmission of the ciphertext. Then Alice maps the ciphertext onto the qubit by using $U_{m}\in\{I,i\sigma_{y}\}$ , where $\mathnormal{I}$ is used for bit 0, $i\sigma_{y}$ for bit 1. Alice also randomly chooses some qubits for transmission to carry out a subsequent integrity check, rather than mapping them to the ciphertext.

Step 5, qubit transmission and measurement. Alice sends the qubit containing the ciphertext to Charlie. Charlie measures it in the specific preparation basis that Bob has announced and publishes the measurement results through the classical channel.

Step 6, message decoding and integrity check. Alice announces the random check bits and their position via the classical channel. Then the quantum bit error rate (QBER) is estimated both by Alice and Bob. If the QBER is below the maximum tolerable threshold, the ciphertext transmission is deemed reliable. This procedure represents the integrity check. Then Bob decodes the ciphertext to get the message $\mathnormal{M}$ . If the message frame has not been transmitted, they return to Step 1. Otherwise, Alice and Bob use the DBER and the QBER to estimate the secrecy capacity of the current round of communication and calculate the number of keys they can distill from the ciphertext. Finally, both of them distill and insert the same keys into the key sink to encrypt and decrypt the next round of transmission. The current round of communication is over. Note that the recently proposed solution of increasing the channel capacity using masking (INCUM) [33] in QSDC can be invoked for improving performance as detailed in V-A.

Note that only a single-photon storage is required for the qubit retained by Alice, which can be realized by an optical delay line. This is a common characteristic of entanglement-based protocols [34, 35, 7]. In this sense, we simply term the proposed protocol as SPMQC.

III Performance analysis

Based on the security analysis of MDI DL04 QSDC [30], there exists a secrecy capacity $C_{s}$ , which allows us to use a forward encoding scheme having a coding rate lower than $C_{s}$ to transmit the message reliably and securely to receivers. The associated asymptotic secrecy capacity lower bound $C_{s}$ is given by [30]

\mathnormal{C_{s}}=\mathnormal{Q}[1-h(e)-gh(\epsilon_{u})],

(1)

where $Q$ is the signal gain of Bob for message decoding and $g$ is the gain difference between the channels of $AB$ and $AE$ , while $e$ and $\epsilon_{u}$ represent the QBER and DBER, respectively. This is presented in more detail in V-B. The DBER $\epsilon_{u}$ originates from the three bases $u\in\{X,Y,Z\}$ that are used for the security check [30] in Step 3. Subsequently, Alice chooses one of the unitary operations $U_{m}\in\{\sigma_{x},i\sigma_{y},\sigma_{z}\}$ for encoding bit 1 in Step 4, and the paired qubits containing the eigenstate of the encoding operation $\sigma_{u}$ will be discarded. However, this optimal procedure has not been taken into account in our protocol’s description.

To determine the DBER of the proposed protocol using different bases, we perform simulation under the assumption of having ideal quantum sources. The detail derivation is presented in V-C. The key parameter settings for our simulations are shown in Table II.

TABLE II: Key parameter settings of simulation.

Parameter	Value	Description
$\delta$	0.2 dB/km	the attenuation coefficient
$\eta_{d}$	60%	the efficiency of detectors
$e_{0}$	$1/2$	the error rate of background
$e_{\rm det}$	1.31%	the intrinsic detector error rate
$p_{d}$	$1\times 10^{-6}$	dark count
$e_{d}$	0.015	the misalignment probability

As seen in Fig. 2, the DBER $e_{Z}$ is higher than $e_{X}$ and $e_{Y}$ . Both the DBER $e_{X}$ and $e_{Y}$ exhibit the same trends. This means that Alice and Bob will have different secrecy capacity, if they use different security check bases. The difference between $C^{Z}_{s}$ and $C^{X}_{s}$ ( $C^{Y}_{s}$ ) can only be seen, when we focus our attention on a very short distance, as shown in the inset graph of Fig. 3. Hence, we can choose an optimized security check basis $X$ or $Y$ to obtain a higher secrecy capacity. Note that the above results were obtained under the simplifying assumeption of having ideal quantum sources. It is plausible that the difference between $C^{Z}_{s}$ and $C^{X}_{s}$ ( $C^{Y}_{s}$ ) will be larger, if practical light sources, such as weak-coherent pulses and parametric down-conversion, are considered. This is because the distribution of the number photons may play an important role in the associated DBER estimation.

Under such circumstances, the importance of choosing an optimised basis for security check becomes plausible. The results demonstrate the feasibility of SPMQC for applications in metropolitan quantum communications with a range for a few tens of kilometers.

Fig. 4 shows the secrecy capacity of the SPMQC protocol both with and without increasing the capacity using masking (INCUM). Indeed, the INCUM technology [33] can substantially increase the secrecy capacity and the transmission distance of the protocol.

Finally, we performed numerical simulations for characterizing the influence of dark count on the upper limit of transmission distance. As shown in Fig. 5, the dark count has a significant impact on the transmission distance. The secrecy capacity will be significantly reduced, when the signal is attenuated to be comparable to the dark count. Therefore, we can improve the transmission distance of our SPMQC protocol by reducing the dark count rate of the detector.

IV Conclusion

We have proposed the SPMQC protocol and analyzed its performance. Selecting the optimal security basis $X$ or $Y$ increases beneficially the security capacity of the proposed protocol. The results show our SPMQC is eminently suitable for metropolitan areas covering a range of a few tens of kilometers. with given the rapid evolution of experimental techniques, our SPMQC protocol has the potential of finding its way into practical applications.

But before that, there are some further open issues for future research. Firstly, practical imperfect light sources have to be integrated into our proposed protocol. Secondly, the method of decoy-state based techniques could be utilized to estimate the error rate and reception rate. Thirdly, the family of optimal QMF coding techniques may be combined with optimal MDI protocols [36, 37, 38, 39] for supporting high-rate and long-distance MDI QSDC.

V Appendix

V-A Increasing the channel capacity using masking

Recently, Long et al. [33] proposed a solution to increase the channel capacity using masking (INCUM) in QSDC. We can appropriately adapt the solutions in [33] for our encryption and encoding operation, as shown in Fig. 6: (1) Alice masks all data using local random numbers after the dynamic joint encryption and error-control coding process is completed in step 4. She generates a local random bit string $L$ and masks each qubits in the ciphertext $\mathnormal{C^{\prime}}$ to form the masked message $\mathnormal{S}$ , which is formulated as $S=L\oplus C^{\prime}$ . (2) Bob unmasks the received data after the integrity check is completed in step 6. Bob publicly announces the positions of his measurements, which have valid results. Based on this information, Alice publicly announces the values of the random bits mapped to the qubits in the positions announced by Bob. In such a masking scheme, Eve cannot obtain secret information for the lost photons, since the information bits mapped to lost photons are masked by local random numbers that are only known by Alice. Hence Eve can only infer secret information from the specific photons that were detected successfully by Charlie. Hence, the secrecy capacity of QSDC can be significantly improved.

V-B Derivation details of secrecy capacity

In this section, we follow the analysis of [30] to derive the secrecy capacity of the SPMQC protocol using different bases for DBER estimation and message encoding.

The maximum information Eve can infer is given by the Holevo bound [40]

I(A:E)\leq S(\sum_{k}p_{k}\rho_{AE}^{k})-\sum_{k}p_{k}S(\rho_{AE}^{k}),

(2)

where $\rho_{AE}$ is the joint state of Alice and Eve, and it is given by

\rho_{AE}=\mathnormal{\rm Tr_{B}}(|\Psi_{ABE}\rangle\langle\Psi_{ABE}|)=\frac{1}{2}(P_{|\varphi_{1}\rangle}+P_{|\varphi_{2}\rangle}),

(3)

where $\Psi_{ABE}$ is the system $ABE$ , and $P_{|\varphi\rangle}$ is the projection operator of state $|\varphi\rangle$ .

According to [30], the definition of state $|\varphi_{1}\rangle$ and $|\varphi_{2}\rangle$ is

	$\displaystyle\|\varphi_{1}\rangle=\|0\rangle_{A}(\sqrt{\delta_{3}}\|E_{3}\rangle+\sqrt{\delta_{4}}\|E_{4}\rangle)+\|1\rangle_{A}(\sqrt{\delta_{2}}\|E_{2}\rangle-\sqrt{\delta_{1}}\|E_{1}\rangle),$
	$\displaystyle\|\varphi_{2}\rangle=\|0\rangle_{A}(\sqrt{\delta_{1}}\|E_{1}\rangle+\sqrt{\delta_{2}}\|E_{2}\rangle)+\|1\rangle_{A}(\sqrt{\delta_{4}}\|E_{4}\rangle-\sqrt{\delta_{3}}\|E_{3}\rangle).$		(4)

After encoding, the state becomes

	$\displaystyle\rho_{AE}^{0}=I\cdot\rho_{AE}\cdot I=\frac{1}{2}(\|\varphi_{1}\rangle\langle\varphi_{1}\|+\|\varphi_{2}\rangle\langle\varphi_{2}\|).$
	$\displaystyle\rho_{AE}^{1}=\sigma_{\mu}\cdot\rho_{AE}\cdot\sigma^{\dagger}_{\mu}=\frac{1}{2}(\sigma_{\mu}\|\varphi_{1}\rangle\langle\varphi_{1}\|\sigma^{\dagger}_{\mu}+\sigma_{\mu}\|\varphi_{2}\rangle\langle\varphi_{2}\|\sigma_{\mu}^{\dagger})\equiv\frac{1}{2}(\|\varphi_{1}^{\prime}\rangle\langle\varphi_{1}^{\prime}\|+\|\varphi_{2}^{\prime}\rangle\langle\varphi_{2}^{\prime}\|).$		(5)

If the DBER is estimated by the basis $X$ and Alice chooses $\sigma_{\mu}=\sigma_{x}$ to encode bit 1, then

	$\displaystyle\|\varphi_{1}^{\prime}\rangle=\|0\rangle_{A}(\sqrt{\delta_{2}}\|E_{2}\rangle-\sqrt{\delta_{1}}\|E_{1}\rangle)+\|1\rangle_{A}(\sqrt{\delta_{3}}\|E_{3}\rangle+\sqrt{\delta_{4}}\|E_{4}\rangle),$
	$\displaystyle\|\varphi_{2}^{\prime}\rangle=\|0\rangle_{A}(\sqrt{\delta_{4}}\|E_{4}\rangle-\sqrt{\delta_{3}}\|E_{3}\rangle)+\|1\rangle_{A}(\sqrt{\delta_{1}}\|E_{1}\rangle+\sqrt{\delta_{2}}\|E_{2}\rangle),$		(6)

and

\sum_{k}p_{k}\rho_{AE}^{k}=\frac{1}{2}\rho_{AE}^{0}+\frac{1}{2}\rho_{AE}^{1}=\frac{1}{4}(|\varphi_{1}\rangle\langle\varphi_{1}|+|\varphi_{2}\rangle\langle\varphi_{2}|+|\varphi_{1}^{\prime}\rangle\langle\varphi_{1}^{\prime}|+|\varphi_{2}^{\prime}\rangle\langle\varphi_{2}^{\prime}|).

(7)

The Gram matrix of $\sum_{k}p_{k}\rho_{AE}^{k}$ is [41]

G_{AE}=\frac{1}{4}\begin{bmatrix}1&0&0&-\delta_{1}+\delta_{2}-\delta_{3}+\delta_{4}\\ 0&1&-\delta_{1}+\delta_{2}-\delta_{3}+\delta_{4}&0\\ 0&-\delta_{1}+\delta_{2}-\delta_{3}+\delta_{4}&1&0\\ -\delta_{1}+\delta_{2}-\delta_{3}+\delta_{4}&0&0&1\end{bmatrix}.

(8)

By observing that $-\delta_{1}+\delta_{2}-\delta_{3}+\delta_{4}=-(1-2\epsilon_{X})$ [30], the eigenvalue $\lambda_{AE}$ of $G_{AE}$ is

\lambda_{AE}=\frac{1}{4}\begin{bmatrix}1+(1-2\epsilon_{X})\\ 1+(1-2\epsilon_{X})\\ 1-(1-2\epsilon_{X})\\ 1-(1-2\epsilon_{X})\end{bmatrix}.

(9)

We then obtain the entropy

S\left(\sum_{k}p_{k}\rho_{AE}^{k}\right)=1+h(\epsilon_{X}).

(10)

Since $\sum_{k}p_{k}S(\rho_{AE}^{k})=1$ , $I(A:E)$ is given by

I(A:E)\leq h(\epsilon_{X}).

(11)

Finally, the secrecy capacity becomes

\mathnormal{C^{X}_{s}}\geq\mathnormal{Q}[1-\mathnormal{h(e)-gh(\epsilon_{X})]}.

(12)

If the DBER is estimated by the basis $Z$ and Alice chooses $\sigma_{\mu}=\sigma_{z}$ to encode bit 1, then we have

	$\displaystyle\|\varphi_{1}^{\prime}\rangle=\|0\rangle_{A}(\sqrt{\delta_{3}}\|E_{3}\rangle+\sqrt{\delta_{4}}\|E_{4}\rangle)-\|1\rangle_{A}(\sqrt{\delta_{2}}\|E_{2}\rangle-\sqrt{\delta_{1}}\|E_{1}\rangle)$
	$\displaystyle\|\varphi_{2}^{\prime}\rangle=\|0\rangle_{A}(\sqrt{\delta_{1}}\|E_{1}\rangle+\sqrt{\delta_{2}}\|E_{2}\rangle)-\|1\rangle_{A}(\sqrt{\delta_{4}}\|E_{4}\rangle-\sqrt{\delta_{3}}\|E_{3}\rangle),$		(13)

and

\sum_{k}p_{k}\rho_{AE}^{k}=\frac{1}{2}\rho_{AE}^{0}+\rho_{AE}^{1}\\ =\frac{1}{4}(|\varphi_{1}\rangle\langle\varphi_{1}|+|\varphi_{2}\rangle\langle\varphi_{2}|+|\varphi_{1}^{\prime}\rangle\langle\varphi_{1}^{\prime}|+|\varphi_{2}^{\prime}\rangle\langle\varphi_{2}^{\prime}|).

(14)

The Gram matrix of $\sum_{k}p_{k}\rho_{AE}^{k}$ is

G_{AE}=\frac{1}{4}\begin{bmatrix}1&0&-\delta_{1}-\delta_{2}+\delta_{3}+\delta_{4}&0\\ 0&1&0&\delta_{1}+\delta_{2}-\delta_{3}-\delta_{4}\\ -\delta_{1}-\delta_{2}+\delta_{3}+\delta_{4}&0&1&0\\ 0&\delta_{1}+\delta_{2}-\delta_{3}-\delta_{4}&0&1\end{bmatrix}.

(15)

We notice that $\delta_{1}+\delta_{2}-\delta_{3}-\delta_{4}=1-2\epsilon_{Z}$ [30]. So the eigenvalue $\lambda_{AE}$ of $G_{AE}$ is

\lambda_{AE}=\frac{1}{4}\begin{bmatrix}1+(1-2\epsilon_{Z})\\ 1+(1-2\epsilon_{Z})\\ 1-(1-2\epsilon_{Z})\\ 1-(1-2\epsilon_{Z})\end{bmatrix}.

(16)

Finally, the secrecy capacity is formulated as:

\mathnormal{C^{Z}_{s}}\geq\mathnormal{Q}[1-\mathnormal{h(e)-gh(\epsilon_{Z})]}.

(17)

V-C Performance analysis

To determine the secrecy capacity of the proposed protocol using different bases, we perform simulation under the assumption of having ideal quantum sources. Let us assume that $\mathnormal{\eta_{c}}=\eta_{d}10^{\frac{-\delta d}{10}}$ [15] represents the channel transmittance, where $\eta_{d}$ is the detection efficiency, $\delta$ is the attenuation coefficient of the fiber, and $d$ is the transmission distance. Furthermor, $p_{d}$ is the dark count of single-photon detectors and we assume that $g=1/\eta_{c}$ . If we use the method of increasing capacity using masking [33], the correlation between the qubits stolen by Eve and the qubits received by Bob will be cut off. This means that the difference between the channels of $AB$ and $AE$ will disappear, i.e. $g=1$ . In our protocol, Charlie performed measurement, which are part of Step 2 and Step 5, respectively. Henus, the gain of Bob upon decoding the message is given by

Q=p_{A}(n_{A})p_{B}(n_{B})q_{C1}q_{C2},

(18)

where $p_{A}(n_{A}=1)=p_{B}(n_{B}=1)=1$ represents having ideal quantum sources, while $q_{C1}$ and $q_{C2}$ is the click rate of Charlie upon receiving photons from Alice as well as Bob Step 2 and in Step 5, respectively. According to the model of [42], the gain for the different basis of $u\in\{X,Y,Z\}$ is given by

\displaystyle G_{u}=\frac{1}{4}\sum_{(i,j)\in\mathcal{S}}\left(\mathcal{P}_{ij}^{\zeta_{1}\zeta_{2}}+\mathcal{P}_{ij}^{\zeta_{2}\zeta_{1}}+\mathcal{P}_{ij}^{\zeta_{1}\zeta_{1}}+\mathcal{P}_{ij}^{\zeta_{2}\zeta_{2}}\right),

(19)

where $(i,j)$ is the detector index in Fig.1. It represents the successful events of Bell-state measurements containing the two-fold click of detectors and $\mathcal{S}=\{(1,4),(2,3),(1,2),(3,4)\}$ , while $\zeta_{1}$ and $\zeta_{2}$ denote the incident polarization eigenstates of basis $u$ . $\zeta_{1}$ and $\zeta_{2}$ could be $H$ , $V$ , $+$ , $-$ , $\widetilde{+}$ or $\widetilde{-}$ , where $H$ and $V$ represent the marks of horizontal and vertical states, while $|+\rangle=(|H\rangle+|V\rangle)/\sqrt{2}$ , $|-\rangle=(|H\rangle-|V\rangle)/\sqrt{2}$ , $|\widetilde{+}\rangle=(|H\rangle+i|V\rangle)/\sqrt{2}$ , and $|-\rangle=(|H\rangle-i|V\rangle)/\sqrt{2}$ . To elaborate a little further, for a successful Bell-state measurement the detector $D_{1}$ and $D_{4}$ or $D_{2}$ and $D_{3}$ of Charlie will successfully detect the signal if Alice and Bob respectively send out the polarized photon $+$ and $-$ or $-$ and $+$ in X basis

In the linear channel attenuation model, $\mathcal{P}_{ij}^{\zeta_{1}\zeta_{2}}$ is given by

\displaystyle\begin{aligned} \mathcal{P}_{ij}^{\zeta_{1}\zeta_{2}}=\sum_{k_{1},k_{2}}[C^{k_{1}}_{n_{A}}\eta_{c}^{k_{1}}(1-\eta_{c})^{n_{A}-k_{1}}\\ \times C^{k_{2}}_{n_{B}}\eta_{c}^{k_{2}}(1-\eta_{c})^{n_{B}-k_{2}}p_{ij}^{\zeta_{1}\zeta_{2}}(k_{1},k_{2})],\end{aligned}

(20)

where the single-photon source of Alice and Bob are associated with the photon number of $n_{A}=n_{B}=1$ , hence we have $k_{1},k_{1}\in\{0,1\}$ , while $p_{ij}^{\zeta_{1}\zeta_{2}}(k_{1},k_{2})$ is the conditional probability of the specific event $(i,j)$ . We can deduce the result of $\mathcal{P}_{ij}^{\zeta_{1}\zeta_{2}}$ given that the value of $p_{ij}^{\zeta_{1}\zeta_{2}}(k_{1},k_{2})$ can be found in [42], see the Sec. V-D for further detail. The click rate $q_{C1}$ of Charlie is given by

q_{C1}=\begin{cases}\frac{\eta_{c}}{3}(G_{Y}+G_{Z})&\text{ if }\epsilon_{X}\text{\;is estimated}\\ \frac{\eta_{c}}{3}(G_{X}+G_{Z})&\text{ if }\epsilon_{Y}\text{\;is estimated}\\ \frac{\eta_{c}}{3}(G_{X}+G_{Y})&\text{ if }\epsilon_{Z}\text{\;is estimated}\\ \end{cases},

(21)

where the denominator 3 is derived from the three bases that are used in the security check. Obviously, $G_{u}$ has no contribution to $q_{C2}$ , since the paired qubits used for eavesdropping detection will be discarded. The click rate $q_{C2}$ of Charlie is given by

q_{C2}=\eta_{c}+(1-\eta_{c})p_{d}.

(22)

The QBER and DBER is quantified by the ratio of the wrong clicks to the total number of clicks. Then we have

e=\frac{e_{0}p_{d}+e_{\rm edt}\eta_{c}}{\eta_{c}+(1-\eta_{c})p_{d}},

(23)

and

$\displaystyle\hat{\epsilon_{X}}$	$\displaystyle=\frac{\sum\limits_{(i,j)\in\{(1,4),(2,3)\}}(\mathcal{P}_{ij}^{++}+\mathcal{P}_{ij}^{--})+\sum\limits_{(i,j)\in\{(1,2),(3,4)\}}(\mathcal{P}_{ij}^{+-}+\mathcal{P}_{ij}^{-+})}{4G_{X}},$	(24)
$\displaystyle\hat{\epsilon_{Y}}$	$\displaystyle=\frac{\sum\limits_{(i,j)\in\{(1,4),(2,3)\}}(\mathcal{P}_{ij}^{\widetilde{+}\widetilde{+}}+\mathcal{P}_{ij}^{\widetilde{-}\widetilde{-}})+\sum\limits_{(i,j)\in\{(1,2),(3,4)\}}(\mathcal{P}_{ij}^{\widetilde{+}\widetilde{-}}+\mathcal{P}_{ij}^{\widetilde{-}\widetilde{+}})}{4G_{Y}},$
$\displaystyle\hat{\epsilon_{Z}}$	$\displaystyle=\frac{\sum\limits_{(i,j)\in\mathcal{S}}\left(\mathcal{P}_{ij}^{HH}+\mathcal{P}_{ij}^{VV}\right)}{4G_{Z}}.$

The polarization misalignment is the major source of errors for the polarization-encoding based MDI system [43], thus the DBER $\hat{\epsilon_{u}}$ should be modified as

\epsilon_{u}=e_{d}(1-2\hat{\epsilon_{u}})+\hat{\epsilon_{u}},

(25)

where $e_{0}$ is the error rate of the background and $e_{\rm det}$ represents the intrinsic detector error rates, while $e_{d}$ is the misalignment probability.

V-D The derivation of $\mathcal{P}_{ij}^{\zeta_{1}\zeta_{2}}$

The derivation of $\mathcal{P}_{ij}^{\zeta_{1}\zeta_{2}}$ under different polarization states are summarized as follows [44].

\mathcal{P}_{ij}^{HV}=\mathcal{P}_{ij}^{VH}=(1-\eta_{c})^{2}p_{d}^{2}(1-p_{d})^{2}+(1-\eta_{c})\eta_{c}p_{d}(1-p_{d})^{2}+\frac{1}{4}\eta_{c}^{2}(1-p_{d})^{2}.

(26)

\mathcal{P}_{ij}^{HH}=\mathcal{P}_{ij}^{VV}=(1-\eta_{c})^{2}p_{d}^{2}(1-p_{d})^{2}+(1-\eta_{c})\eta_{c}p_{d}(1-p_{d})^{2}+\frac{1}{2}\eta_{c}^{2}p_{d}(1-p_{d})^{2}.

(27)

\mathcal{P}_{12}^{-+}=\mathcal{P}_{12}^{+-}=\mathcal{P}_{34}^{-+}=\mathcal{P}_{34}^{+-}=(1-\eta_{c})^{2}p_{d}^{2}(1-p_{d})^{2}+(1-\eta_{c})\eta_{c}p_{d}(1-p_{d})^{2}+\frac{1}{4}\eta_{c}^{2}p_{d}(1-p_{d})^{2}.

(28)

\mathcal{P}_{14}^{-+}=\mathcal{P}_{14}^{+-}=\mathcal{P}_{23}^{-+}=\mathcal{P}_{23}^{+-}=(1-\eta_{c})^{2}p_{d}^{2}(1-p_{d})^{2}+(1-\eta_{c})\eta_{c}p_{d}(1-p_{d})^{2}+\frac{1}{4}\eta_{c}^{2}(p_{d}+1)(1-p_{d})^{2}.

(29)

\mathcal{P}_{12}^{++}=\mathcal{P}_{34}^{++}=\mathcal{P}_{12}^{--}=\mathcal{P}_{34}^{--}=(1-\eta_{c})^{2}p_{d}^{2}(1-p_{d})^{2}+(1-\eta_{c})\eta_{c}p_{d}(1-p_{d})^{2}+\frac{1}{4}\eta_{c}^{2}(p_{d}+1)(1-p_{d})^{2}.

(30)

\mathcal{P}_{14}^{++}=\mathcal{P}_{23}^{++}=\mathcal{P}_{14}^{--}=\mathcal{P}_{23}^{--}=(1-\eta_{c})^{2}p_{d}^{2}(1-p_{d})^{2}+(1-\eta_{c})\eta_{c}p_{d}(1-p_{d})^{2}+\frac{1}{4}\eta_{c}^{2}p_{d}(1-p_{d})^{2}.

(31)

The derivation of $\mathcal{P}_{ij}^{\zeta_{1}\zeta_{2}}$ for the polarization eigenstates of basis $Y$ follows similar lines to that of the basis $X$ .

References

[1] C. H. Bennett and G. Brassard, “Quantum cryptography: public key distribution and coin tossing,” in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, IEEE, 1984, pp. 175–179.
[2] G.-L. Long and X.-S. Liu, “Theoretically efficient high-capacity quantum-key-distribution scheme,” Physical Review A, vol. 65, no. 3, Art. no. 032302, 2002. (arXiv preprint quant-ph/0012056, 2000).
[3] F.-G. Deng, G. L. Long, and X.-S. Liu, “Two-step quantum direct communication protocol using the Einstein-Podolsky-Rosen pair block,” Physical Review A, vol. 68, no. 4, Art. no. 042317, 2003.
[4] C. Wang, F.-G. Deng, Y.-S. Li, X.-S. Liu, and G. L. Long, “Quantum secure direct communication with high-dimension quantum superdense coding,” Physical Review A, vol. 71, no. 4, Art. no. 044305, 2005.
[5] C. Wang, F. G. Deng, and G. L. Long, “Multi-step quantum secure direct communication using multi-particle Green–Horne–Zeilinger state,” Optics communications, vol. 253, no. 1-3, pp. 15–20, 2005.
[6] C. Zheng and G. Long, “Quantum secure direct dialogue using Einstein-Podolsky-Rosen pairs,” Science China Physics, Mechanics & Astronomy, vol. 57, no. 7, pp. 1238–1243, 2014.
[7] D. Pan, K. Li, D. Ruan, S. X. Ng, and L. Hanzo, “Single-photon-memory two-step quantum secure direct communication relying on Einstein-Podolsky-Rosen pairs,” IEEE Access, vol. 8, pp. 121146–121161, 2020.
[8] Z. Cao, L. Wang, K. Liang, G. Chai, and J. Peng, “Continuous-variable quantum secure direct communication based on Gaussian mapping,” Physical Review Applied, vol. 16, no. 2, Art. no. 024012, 2021.
[9] Z. Qi, Y. Li, Y. Huang, J. Feng, Y. Zheng, and X. Chen, “A 15-user quantum secure direct communication network,” Light: Science & Applications, vol. 10, Art. no. 183, 2021.
[10] F.-G. Deng and G. L. Long, “Secure direct communication with a quantum one-time pad,” Physical Review A, vol. 69, no. 5, Art. no. 052319, 2004.
[11] G.-L. Long, F.-G. Deng, C. Wang, X.-H. Li, K. Wen, and W.-Y. Wang, “Quantum secure direct communication and deterministic secure quantum communication,” Frontiers of Physics in China, vol. 2, no. 3, pp. 251–272, 2007.
[12] J.-Y. Hu, B. Yu, M.-Y. Jing, L.-T. Xiao, S.-T. Jia, G.-Q. Qin, and G.-L. Long, “Experimental quantum secure direct communication with single photons,” Light: Science & Applications, vol. 5, Art. no. e16144, 2016.
[13] F. Zhu, W. Zhang, Y. Sheng, and Y. Huang, “Experimental long-distance quantum secure direct communication,” Science Bulletin, vol. 62, no. 22, pp. 1519–1524, 2017.
[14] R. Qi, Z. Sun, Z. Lin, P. Niu, W. Hao, L. Song, Q. Huang, J. Gao, L. Yin, and G.-L. Long, “Implementation and security analysis of practical quantum secure direct communication,” Light: Science & Applications, vol. 8, Art. no. 22, 2019.
[15] D. Pan, Z. Lin, J. Wu, Z. Sun, D. Ruan, L. Yin, and G. Long, “Experimental free-space quantum secure direct communication and its security analysis,” Photonics Research, vol. 8, no. 9, pp. 1522–1531, 2020.
[16] W. Zhang, D.-S. Ding, Y.-B. Sheng, L. Zhou, B.-S. Shi, and G.-C. Guo, “Quantum secure direct communication with quantum memory,” Physical Review Letters, vol. 118, no. 22, Art. no. 220501, 2017.
[17] F.-G. Deng and G. L. Long, “Bidirectional quantum key distribution protocol with practical faint laser pulses,” Physical Review A, vol. 70, no. 1, Art. no. 012311, 2004.
[18] G.-L. Long, “In quantum secure direct communication: Current status and perspective application in network, ws-08,” Globecom, 2020.
[19] G.-L. Long, D. Pan, Y.-B. Sheng, Q. Xue, J. Lu, and L. Hanzo, “An evolutionary pathway for the quantum Internet relying on secure classical repeaters,” IEEE Network, vol. 36, pp. 82–88, 2022.
[20] A. D. Wyner, “The wire-tap channel,” Bell system technical journal, vol. 54, no. 8, pp. 1355–1387, 1975.
[21] J. Wu, Z. Lin, L. Yin, and G.-L. Long, “Security of quantum secure direct communication based on Wyner’s wiretap channel theory,” Quantum Engineering, vol. 1, no. 4, Art. no. e26, 2019.
[22] Z.-D. Ye, D. Pan, Z. Sun, C.-G. Du, L.-G. Yin, and G.-L. Long, “Generic security analysis framework for quantum secure direct communication,” Frontiers of Physics, vol. 16, no. 2, Art. no. 21503, 2021.
[23] J. Wu, G.-L. Long, and M. Hayashi, “Quantum secure direct communication with private dense coding using a general preshared quantum state,” Phys. Rev. Applied, vol. 17, no. 6, Art. no. 064011, 2022.
[24] Z. Sun, R. Qi, Z. Lin, L. Yin, G. Long, and J. Lu, “Design and implementation of a practical quantum secure direct communication system,” in 2018 IEEE Globecom Workshops (GC Wkshps). IEEE, 2018, pp. 1–6.
[25] Z. Sun, L. Song, Q. Huang, L. Yin, G. Long, J. Lu, and L. Hanzo, “Toward practical quantum secure direct communication: A quantum-memory-free protocol and code design,” IEEE Transactions on Communications, vol. 68, no. 9, pp. 5778–5792, 2020.
[26] H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Physical Review Letters, vol. 108, no. 13, Art. no. 130503, 2012.
[27] S. L. Braunstein and S. Pirandola, “Side-channel-free quantum key distribution,” Physical Review Letters, vol. 108, no. 13, Art. no. 130502, 2012.
[28] Z. Zhou, Y. Sheng, P. Niu, L. Yin, G. Long, and L. Hanzo, “Measurement-device-independent quantum secure direct communication,” Science China Physics, Mechanics & Astronomy, vol. 63, no. 3, Art. no. 230362, 2020.
[29] P.-H. Niu, Z.-R. Zhou, Z.-S. Lin, Y.-B. Sheng, L.-G. Yin, and G.-L. Long, “Measurement-device-independent quantum communication without encryption,” Science Bulletin, vol. 63, no. 20, pp. 1345–1350, 2018.
[30] P.-H. Niu, J.-W. Wu, L.-G. Yin, and G.-L. Long, “Security analysis of measurement-device-independent quantum secure direct communication,” Quantum Information Processing, vol. 19, Art. no. 356, 2020.
[31] N. Das and G. Paul, “Improving the security of” measurement-device-independent quantum communication without encryption”,” Science Bulletin, vol. 65, no. 24, pp. 2048–2049, 2020.
[32] D. Pan, S. X. Ng, D. Ruan, L. Yin, G. Long, and L. Hanzo, “Simultaneous two-way classical communication and measurement-device-independent quantum key distribution with coherent states,” Physical Review A, vol. 101, no. 1, Art. no. 012343, 2020.
[33] G.-L. Long and H. Zhang, “Drastic increase of channel capacity in quantum secure direct communication using masking,” Science Bulletin, vol. 66, no. 13, pp. 1267–1269, 2021.
[34] A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Physical Review Letters, vol. 67, no. 6, pp. 661–663, 1991.
[35] C. H. Bennett, G. Brassard, and N. D. Mermin, “Quantum cryptography without Bell’s theorem,” Physical Review Letters, vol. 68, no. 5, pp. 557–559, 1992.
[36] L. Liu, J. L. Niu, C. R. Fan, X. T. Feng, and C. Wang, “High-dimensional measurement-device-independent quantum secure direct communication,” Quantum Information Processing, vol. 19, Art. no. 404, 2020.
[37] X.-D. Wu, L. Zhou, W. Zhong, and Y.-B. Sheng, “High-capacity measurement-device-independent quantum secure direct communication,” Quantum Information Processing, vol. 19, Art. no. 354, 2020.
[38] Z.-K. Zou, L. Zhou, W. Zhong, and Y.-B. Sheng, “Measurement-device–independent quantum secure direct communication of multiple degrees of freedom of a single photon,” EPL (Europhysics Letters), vol. 131, no. 4, Art. no. 40005, 2020.
[39] Z. Gao, T. Li, and Z. Li, “Long-distance measurement-device–independent quantum secure direct communication,” EPL (Europhysics Letters), vol. 125, no. 4, Art. no. 40004, 2019.
[40] A. S. Holevo, “Bounds for the quantity of information transmitted by a quantum communication channel,” Problemy Peredachi Informatsii, vol. 9, no. 3, pp. 3–11, 1973.
[41] R. Jozsa and J. Schlienz, “Distinguishability of states and von Neumann entropy,” Physical Review A, vol. 62, no. 1, Art. no. 012301, 2000.
[42] Q. Wang and X.-B. Wang, “Simulating of the measurement-device independent quantum key distribution with phase randomized general sources,” Scientific reports, vol. 4, Art. no. 4612, 2014.
[43] F. Xu, M. Curty, B. Qi, and H.-K. Lo, “Practical aspects of measurement-device-independent quantum key distribution,” New Journal of Physics, vol. 15, no. 11, Art. no. 113007, 2013.
[44] P. Niu, “Research on measurement-device-independent quantum secure direct communication,” Ph.D. dissertation, Tsinghua University, 2020.

Bob’s initial state	$\|\psi^{-}\rangle$	$\|\psi^{+}\rangle$	$\|\phi^{-}\rangle$	$\|\phi^{+}\rangle$
$\|0\rangle_{\rm B}$	$-\|0\rangle_{\rm A}$	$\|0\rangle_{\rm A}$	$-\|1\rangle_{\rm A}$	$-\|1\rangle_{\rm A}$
$\|1\rangle_{\rm B}$	$-\|1\rangle_{\rm A}$	$-\|1\rangle_{\rm A}$	$-\|0\rangle_{\rm A}$	$\|0\rangle_{\rm A}$
$\|+\rangle_{\rm B}$	$-\|+\rangle_{\rm A}$	$\|-\rangle_{\rm A}$	$-\|+\rangle_{\rm A}$	$\|-\rangle_{\rm A}$
$\|-\rangle_{\rm B}$	$-\|-\rangle_{\rm A}$	$\|+\rangle_{\rm A}$	$\|-\rangle_{\rm A}$	$-\|+\rangle_{\rm A}$