Papers in Physics, vol. 8, art. 080002 (2016) Received: 11 November 2015, Accepted: 7 January 2016 Edited by: O. Mart́ınez Licence: Creative Commons Attribution 3.0 DOI: http://dx.doi.org/10.4279/PIP.080002 www.papersinphysics.org ISSN 1852-4249 Autonomous open-source hardware apparatus for quantum key distribution Ignacio H. López Grande,1 Christian T. Schmiegelow,2 Miguel A. Larotonda1∗ We describe an autonomous, fully functional implementation of the BB84 quantum key distribution protocol using open source hardware microcontrollers for the synchronization, communication, key sifting and real-time key generation diagnostics. The quantum bits are prepared in the polarization of weak optical pulses generated with light emitting diodes, and detected using a sole single-photon counter and a temporally multiplexed scheme. The system generates a shared cryptographic key at a rate of 365 bps, with a raw quantum bit error rate of 2.7%. A detailed description of the peripheral electronics for control, driving and communication between stages is released as supplementary material. The device can be built using simple and reliable hardware and it is presented as an alternative for a practical realization of sophisticated, yet accessible quantum key distribution systems. I. Introduction The main goal of cryptography is to obtain a se- cure method to share information. This is usu- ally achieved by the encryption of the data, us- ing a shared cryptographic key. The security of the protocol then relies on the secrecy of this key. The distribution of a secret key is therefore a cru- cial task for any symmetric-key cryptographic algo- rithm. Classically, this can be achieved using the Diffie-Hellman method, or some variation based on it [1]. Quantum Key Distribution (QKD) protocols ex- ploit the quantum no-cloning theorem [2] and the ∗E-mail: mlarotonda@citedef.gob.ar 1 DEILAP-UNIDEF (CITEDEF-CONICET), J. B. de La Salle 4397, B1603ALO Villa Martelli, Buenos Aires, Ar- gentina. 2 Laboratorio de Iones y Átomos Fŕıos, Departamento de F́ısica, Facultad de Ciencias Exactas y Naturales, Uni- versidad de Buenos Aires & IFIBA-CONICET, Pabellón 1, Ciudad Universitaria, 1428 C.A.B.A., Argentina. indistinguishability upon measurement of quan- tum states belonging to non-orthogonal, conjugate bases to accomplish secure distribution of crypto- graphic keys [3]. These features, combined with the fact that a measurement performed on a quantum system disturbs its original state in some manner, are the fundamental principles in which every QKD protocol is based on, since they allow for the de- tection of an eventual eavesdropper by monitoring errors on the exchanged key: the attacker cannot completely determine the measured quantum state, nor can she/he copy it; therefore she/he must re- send some imperfect copy to the receiver, which may introduce errors in the key. However, a practi- cal real-world QKD implementation is still a tech- nical challenge that combines concepts and tech- nologies from different areas, such as classical and quantum information theory, quantum optics, elec- tronics and optoelectronics [4]. In this work, we de- scribe a functional autonomous apparatus that im- plements the BB84 quantum key distribution pro- tocol [5] where we implement several solutions that contribute to the affordability of a naturally costly 080002-1 Papers in Physics, vol. 8, art. 080002 (2016) / I. H. López Grande et al. piece of equipment. A critical parameter for the security of any quan- tum cryptography protocol is the Quantum Bit Er- ror Rate (QBER), which is obtained after an error estimation from the sifted keys SA and SB —which in theory should be identical— and in the absence of an eavesdropper they are similar up to experi- mental errors: a small part of the key is randomly selected and used to obtain the QBER, which gives an estimation of the error rate in the whole length of the key. Once the protocol is running, the QBER is routinely monitored by resigning part of the key. It is assumed that any increase of the QBER may be generated by the presence of an eavesdropper; in such case the whole key is discarded. Theoretical upper limits have been found for the QBER rate that if preserved, unconditional security of the key can be granted [6] by applying classical error cor- rection and privacy amplification protocols to the sifted key [7]. The first implementation of a quantum crypto- graphic protocol dates from 1992 [8]. Since then, the field has rapidly advanced towards sophisti- cated systems that provide high speed key gener- ation [9], long distance key distribution [10, 11], transmitting photons either over optical fiber or open air, using polarization or time bin [12], or both [13], for qubit-encoding. Such protocols can be based on single photon pulses [14, 15] or on en- tangled photon states [19]. The use of advanced op- toelectronics and high performance detectors is in- tensive on any QKD implementation. In this work we show that the technologies used in such quan- tum information algorithms are mature enough to attempt a low cost, yet functional and robust imple- mentation of a quantum key distribution protocol. We give a detailed explanation of the communica- tion scheme and we release the firmware code and the circuit schematics to build the control units as Supplementary Material. The following section is devoted to the description of the optical arrange- ments used on Alice and Bob stages. Section III. discusses the initial setup, synchronization, trans- mission and processing routines needed in order to generate a sifted key. The overall performance of the apparatus and its response to different pertur- bations are discussed thereafter. II. Device layout The developed system comprises an emission stage and a reception stage for the quantum channel, and an ad-hoc classical communication system. Quan- tum bits are encoded in the polarization of weak co- herent pulses. These pulses are used as an approx- imation of a single photon pulsed source. We iden- tify the canonical polarization states {|H〉 , |V 〉} with the computational basis BC = {|0〉 , |1〉} and the diagonal polarization states {|D〉 , |A〉} with the diagonal basis BD = {|+〉 , |−〉}. The complete scheme of the apparatus is shown in Fig. 1. BobAlice PC LED DRIVER V D A H Arduino Mega Arduino Mega D A H V Demux SPCM PBS BS BS PBSBPF BPF HWP HWP PC Figure 1: Setup of the QKD system: Polarization selection and spatial overlap between states is ob- tained with a combination of Polarizing (PBS) and non-polarizing (BS) Beam Splitters. Bob uses a BS to randomly choose the measurement basis. Polar- ization projections are obtained with a PBS and a half waveplate (HWP). Projected light is coupled into optical fibers and temporally multiplexed with selected delays. A single photon counting module (SPCM) is used for detection and bandpass filters (BPF) are used to reject unwanted light. ∆t: 250 ns delay. Polarized weak light pulses are generated by fast pulsing four infrared LEDs and combining them with Polarizing (PBS) and Non-Polarizing (BS) Beamsplitters: each of the LEDs is used to encode one of the four possible polarization states. The LEDs outputs are coupled and later decoupled to multimode optical fibers to define a propagation direction and divergence, and also to equalize the intensities of the four outputs. This setup is based on off-the-shelf economic infrared LEDs and avoids the use of expensive Pockel’s cells and high per- formance HV drivers for polarization state prepa- 080002-2 Papers in Physics, vol. 8, art. 080002 (2016) / I. H. López Grande et al. ration. The mean photon number per pulse was set to approximately 0.1, measured between the emission and detection stages. Assuming Poisso- nian photon statistics, this means that in average nearly 90% of the clock pulses carry no photons at all, while less than 0.5% of the pulses are multi- photon pulses. Both empty and multiple detection runs are considered null. It is worth to note that this particular choice of photon number per pulse does not guarantee the generation of a secure key by itself; rather, the conditions for distillation of a secure key from a raw key and the optimum photon rate depend on specific conditions of the setup, such as the length of the quantum channel –that implies distance-dependent losses–, the loss on Bob’s re- ceiver stage, and the efficiency and dark count rate of the detectors. Security conditions under differ- ent kind of attacks on non-ideal QKD systems have been reported for example in [16, 17] and reviewed in [18]. The light paths from the sources entering a po- larization beam splitter (PBS) at different inputs were combined by pairs: the reflected beams exit the PBS vertically polarized, while the transmit- ted outputs are left horizontally polarized. A half- waveplate retarder placed in one of the outputs ro- tates the polarization of these two paths 45 degrees. A beam splitter cube further combines the paired sources into one common path. Basis selection at the receiver stage is obtained using a 50% beam splitter cube to randomly obtain either a transmitted photon or a reflected photon. Projection onto the states of the canonical basis is achieved by means of a PBS, while the diagonal basis projections are obtained adding a half-wave plate retarder between the beam splitter and the PBS in one of the paths. A straightforward im- plementation of the detection stage demands four single photon counting modules (SPCMs), which are expensive devices. With the purpose of obtain- ing a practical, cost-effective setup we implemented a time multiplexed detection, adding 250 ns delays between the projection paths. The four possible measurement outcomes are encoded into temporal bins: photons are detected using only one commer- cial single photon counting module and labeled by the time of arrival with respect to a clock reference. Temporal demultiplexing and state determination are obtained measuring coincidences between the single photon detector output and temporal gates with selected delays. The use of a sole detector also avoids the unbalance of detection efficiencies that is present in multiple detector setups. As a drawback, this scheme presents 4 dB insertion loss per coupler, which attenuates the input signal and lowers the extractable secure key rate, due to the reduced optimal photon rate. This issue can be circumvented by implementing a decoy-state strat- egy together with the BB84 protocol [20–22]. Such application is currently under development at our laboratory. The following section deals with the synchroniza- tion and control tasks performed by the open source hardware microcontrollers that allow the system to operate in an autonomous manner. III. Control, driving and synchro- nization i. Control and temporal synchronization Open-source hardware was chosen for the process- ing of the cryptographic key and controlling units of the system, in order to obtain a practical, small- scale photonic implementation of the quantum pro- tocol: all the synchronization, communication and processing operations, as well as system diagnosis were programmed on Arduino Mega 2560 micro- controllers. A diagram of the key generation pro- tocol is sketched in Fig. 2. The communication scheme is divided in stages where classical informa- tion is exchanged (C COM) and a quantum com- munication stage (Q COM). An initial calibration of the system can be performed, where both par- ties measure the photon rate per pulse, the total temporal delay of the link and the delay between temporal bins. The communication begins with an exchange of the protocol parameters such as data structure and target key length. Then, after a syn- chronization sequence, they exchange the quantum bits and the sifting procedure follows: both par- ties exchange information on basis emission and detection and coincidences between them, keeping only the bits that come from coincident bases. The routine is repeated until the target key length is reached. The shared key is locally transferred to personal computers on each stage via USB ports. 080002-3 Papers in Physics, vol. 8, art. 080002 (2016) / I. H. López Grande et al. DEMUX PHOTON DETECTION LED DRIVER + CLOCK CLOCK C COM HANDSHAKE BASES COINCIDENCES CLOCK SYNCHRONIZATION Q COM POLARIZATION QUBITS 8-pulse bursts DELAY PATTERN PC ARDUINO SERIAL ENABLE (D.O.28) IRQ (D.I.3) D.O. 30/32/34/36 USB ARDUINO SERIAL IRQ (D.O.28) D.I. 48/50/52/53 USB PC INTERRUPT ENABLE ALICE BOB Figure 2: Communication and control setup of the BB84 QKD apparatus. The protocol is controlled by two Arduino Mega microprocessors. The synchronization start byte is generated at Bob’s side and sent through an interrupt channel. After the quantum bits are sent and detected, bases are exchanged and the key is sifted. Specific input and output pins of the Arduino controllers are detailed in the figure. ii. Electronic driving and peripherals The communication routines described above are implemented directly by the microcontrollers. Spe- cific tasks such as driving the pulsed LEDs, syn- chronizing the temporal mask and demultiplexing the temporal signals at the receiver side are per- formed with dedicated electronic peripherals. Based on a random 2-bit sequence, the Arduino microcontroller sets a logic high on one of the four possible outputs. A monostable multivibrator uses this logic transition to generate a 20 ns pulse that is used as the input for a high speed LED driver. The shunt driving circuit that pulses the current on each LED is constructed using the high-current, low impedance pull-up and pull-down MOSFET tran- sistors at the output of NAND gates and a passive network to provide a prebias current and current overshoot to increase the performance of pulsed LED drivers [23]. The optical pulse duration of 25 ns is limited by the LED response. At Bob’s side, single photon pulses are routed through different delay paths according to their po- larization, and the delayed photon clicks are iden- tified as polarization state projections by temporal demultiplexing the digital detections. Pulses from the single photon detector are addressed to the corresponding state channel by comparison with a pulse pattern that repeats the temporal delays added by the optical fibers. IV. System performance and self- diagnostics The main cause of bit errors are the non-ideal polar- ization splitting contrast of the PBSs and low qual- ity waveplates that produce incomplete rotations and distort the ideal linear polarization states at the input and output. Also, off-the plane misalign- ment of the light paths within the preparation and measuring states can induce undesired rotations of the polarization axes. These are well-known prob- lems for an open air optical setup, and workarounds to minimize them are common to any polarization- sensitive arrangement. Detector dark counts and stray light that leaks through the optical setup are also a source of error. The gated detection helps to minimize these errors. The contribution of this effect to the overall error rate depends linearly on the gate pulse duration. The other main source of error is the tempo- ral jitter of the signals, which can produce erro- neous bit assignment of the temporally multiplexed pulses. The signal jitter is limited by the duration of the light pulse, which is approximately half the Arduino clock period. Larger pulse timing fluctu- ations can be produced at the generation and de- tection stages due to missed or added clock pulses at the microprocessors, specifically when handling interrupt signals. These temporal fluctuations can shift states from earlier to later temporal bins, in- 080002-4 Papers in Physics, vol. 8, art. 080002 (2016) / I. H. López Grande et al. ducing errors on the key. The temporal order of the multiplexed states can be arranged to minimize such errors. A natural choice is to order the detec- tions in the sequence H (first), V , D, A (last). Such choice has an increased probability that temporal jitter can produce an error: assuming delayed de- tections that deterministically shift the states; in this configuration the probability of producing a bit error is 0.3125. If the delays are arranged to output the temporal sequence H (first), D, V , A (last), consecutive states at the detection pattern do not belong to the same basis. The probabil- ity of producing an error provided the states are identified in an adjacent temporal bin in this ar- rangement is 0.1875, and it is therefore chosen to minimize the error rate. An estimation of the bit error rate produced by this artifact in the actual protocol execution can be obtained as the product of this probability and the state-shift rate due to the overall timing jitter (0.6%), and gives approxi- mately 1.1%. The system was tested using a mean photon rate of µ=0.09. A typical light distribution at the outputs for each polarization state generated by Alice is shown in Fig. 3a). The apparatus autonomously generates a crypto- graphic key until the target key length is reached. During the tests, light pulses were emitted in bursts of 19200 pulses per second, while a constant back- ground light of 3000 counts/s at the detector was present in the actual experimental conditions. We obtained a raw key generation rate of 363 bits/s, with a quantum bit error rate (QBER) of 2.7 %. Approximately one third of this rate (0.9 %) cor- responds to errors produced by stray light and de- tector dark counts, while the rest of the errors are due to the electronic jitter as discussed above, and to an imperfect preparation and selection of the polarization states at the optical setup. The mea- sured key generation rate is limited by (and it can be also estimated from) the photon-per-pulse rate, the 50% data that is discarded in average due to non-coincident bases, and the dead times on the communication stage that allow for data process- ing, which represents roughly two thirds of the total execution time. During a key generation session, some param- eters can be monitored for eavesdropping, incon- sistencies or anomalous behavior. The sifted key can be periodically sampled and analyzed for error rate, key generation rate and bias rate (the rela- Time4[minutes] aQ bQ A D V H gk-6- gk-66 gk-:5 gk-:7 M e a s u re d 4% B O B Q gk5 gk4 gk: gk- gko g H4444444444V44444444444444D444444444444A Prepared4%ALICEQ g og -g :g 4g 5g 6g 7g 8g 9g ogg 44444- 44 : 444444 [I ] QBER [b it s ys ] g og -g :g 4g 5g 6g 7g 8g 9g ogg -gg :gg 4gg key4generation4rate [I ] g og -g :g 4g 5g 6g 7g 8g 9g ogg 45 5g 55 6g bit9bias4%g:o4rateQ g o Figure 3: a) Light distribution at the detection channels, for each generated polarization state. Percentages on each row of the graph are the rela- tive amounts of light obtained by adding the counts at each detection channel, for all the emitted states. b) Temporal evolution of different system parame- ters during normal operation. tive abundance of “1”s to “0”s in the key, 0.98 in our setup), leading to charts like the one presented on Fig. 3b). Under normal operation conditions, the three parameters are constant through a typi- cal one hour and a half experiment, with a relative dispersion on their average values below 2 × 10−2 for key rate, 7 × 10−3 for bit bias and 2 × 10−3 for QBER (statistics obtained over 20 kbit partitions from a total 1.9 Mbit key). The response of the system under anomalous conditions was tested disturbing the quantum chan- nel in different manners, while the above parame- ters were being monitored. Figure 4 shows a se- quence of such perturbations: first, in a), the de- tector was blocked, which caused the key rate to 080002-5 Papers in Physics, vol. 8, art. 080002 (2016) / I. H. López Grande et al. vanish with a characteristic time given by the in- tegration time of the monitoring process. If one of the detection channels (V ) is blocked [Fig. 4 b)], the effect is a diminished key rate and a key bias of 2/3. In c), both channels of a basis are blocked. If two channels that encode the same bit are blocked, the key rate remains at half the original rate, but now the series is completely biased, since only one logic bit is produced. More interestingly, during e), a PBS was inserted in the quantum channel, which has the following effect on the transmitted quan- tum states: |H〉 are left unchanged —since they are transmitted through the PBS— |V 〉 states are reflected out of the path at the PBS, while |D〉 and |A〉 are transmitted as |H〉 with a 50% chance. This last feature resembles the action of an eavesdrop- per (Eve) using an intercept-resend strategy, where the bases in which Eve resends bits to Bob are ran- domly chosen. In this situation, states sent as |V 〉, and (in average) half of the states originally sent on the diagonal basis, are lost at the PBS reflection, leading to a reduction of the key generation rate by a factor of two. More importantly, half of the states originally sent on the diagonal basis are transmit- ted through the PBS and transformed to the |H〉 state. If these states are measured on the diagonal basis, they can be detected as either |D〉 or |A〉, regardless of the original state. The result of these successive projections is that a |D〉 (|A〉) state has a non-negligible probability to be detected as a |A〉 (|D〉) state. The quantum bit error rate now raises to 25% for this particular perturbation, signaling a possible eavesdropper. The bit bias of Bob’s key is 0.75: the action of the PBS that prevents all the emitted |V 〉 states to be detected generates a ratio of “1”s to “0”s of 3:1. Periodically sampling and an analysis of the generated key thus provides a means for detecting intercept-resend attacks, at the cost of reducing the final key length. With the setup placed on an optical table, QBER variations as low as 0.2% can be detected. V. Concluding remarks We have implemented an open source hardware based autonomous QKD apparatus. Its stabil- ity and performance have been tested on megabit- length key distribution sessions, during which some key parameters were monitored. The device was 0 2 4 6 0 200 400 Key Rate 0 2 4 6 0 20 40 QBER 4 6 Bit Bias 0 2 Time [minutes] [s -1 ] [% ] 2.7% 25% 0.66 365 bps a) b) c) e)d) 0 1 [% ] 100 50 0 Figure 4: Behavior of the system under different perturbations on the detection stage and the quan- tum channel, labeled a) to e), consisting in blocking one or more detection channels and inserting a po- larizing beamsplitter in the quantum channel. See the text for a detailed explanation. designed with a cost-effectiveness approach which includes a LED-based single photon probabilistic source, a time multiplexed detection scheme that employs only one SPCM and Arduino-based con- trolling and processing units for Alice and Bob. The actual bit error rate can be lowered if the po- larization dependent elements (PBS) on Alice and Bob sides are replaced with high-extinction ratio polarizers (at present around 1%). Another way in which the error rate can be improved is by minimiz- ing the incidence of errors originated by detector’s dark counts. This can be accomplished with a re- duction on the light pulse width that leads to nar- rower temporal gates. Also, an increase of the mean photon number per pulse can reduce the QBER without compromising security, provided a decoy state protocol is implemented instead. The overall protocol speed can be raised by re- placing the Arduino microcontrollers with faster FPGA-based boards, where the communication and the processing blocks may be parallelized. Also, as mentioned above, the temporal demulti- 080002-6 Papers in Physics, vol. 8, art. 080002 (2016) / I. H. López Grande et al. plexing can be done directly on the board. Faster clock boards allow for an additional reduction of the temporal delays between channels on the time multiplexed detection scheme. These can be set to be as short as 50 ns, depending on pulse width and temporal jitter. The developed apparatus is able to au- tonomously generate a cryptographic key with lim- ited yet simply improvable performance. The whole system can be used to establish a small-scale se- cure information channel between eye of sight dis- tance sites, for academic purposes, or it can serve as a testbed for different quantum information- related resources, such as original protocols, de- tectors, light sources, or the development of al- ternative physical quantum channels. We under- stand that a cryptographic system based on well- known, simple and available technology that can be fully mastered and controlled by the end user may turn out more useful and secure than a sophisti- cated, “black box” type system that has many parts that are beyond the user’s control, and which may depend on third party services to be operated or maintained. Acknowledgements - This work was supported by the ANPCyT PICT 2010-2483 and MINDEF PIDDEF 012/11 grants. M.A.L. is a CONICET fellow, C.T.S. and I.H.L.G. were funded by CON- ICET scholarships. [1] W Diffie, M Hellman, New directions in cryp- tography, IEEE T Inform. Theory 22, 644 (1976). [2] W K Wootters, W H Zurek, A single quantum cannot be cloned, Nature 299, 802 (1982). [3] M Planat, H C Rosu, S Perrine, A survey of finite algebraic geometrical structures underly- ing mutually unbiased quantum measurements, Found. Phys. 36, 1662 (2006). [4] N Gisin, G Ribordy, W Tittel, H Zbinden, Quantum cryptography, Rev. Mod. Phys. 74, 145 (2002). [5] C H Bennett, G Brassard, Quantum cryptogra- phy: Public key distribution and coin tossing, Theor. Comput. Sci. 560, 7 (2014). [6] N J Cerf, M Bourennane, A Karlsson, N Gisin, Security of quantum key distribution using d- level systems, Phys. Rev. Lett. 88, 127902 (2002). [7] C H Bennett, G Brassard, C Crépeau, U M Maurer, Generalized privacy amplification, IEEE T Inform. Theory 41, 1915 (1995). [8] C H Bennett et al., Experimental quantum cryptography, J. Cryptol. 5, 3 (1992). [9] A R Dixon et al., Gigahertz decoy quantum key distribution with 1 mbit/s secure key rate, Opt. Express 16, 18790 (2008). [10] P A Hiskett et al., Long-distance quantum key distribution in optical fibre, New J. Phys. 8, 193 (2006). [11] R Ursin et al., Entanglement-based quantum communication over 144 km, Nat. Phys. 3 481 (2007). [12] I Marcikic et al., Distribution of time-bin en- tangled qubits over 50 km of optical fiber, Phys. Rev. Lett. 93, 180502 (2004). [13] W T Buttler et al., Practical four-dimensional quantum key distribution without entangle- ment, Quantum Inf. Comput. 12, 1 (2012). [14] C H Bennett, Quantum cryptography using any two nonorthogonal states, Phys. Rev. Lett. 68, 3121 (1992). [15] H Bechmann-Pasquinucci, W Tittel, Quan- tum cryptography using larger alphabets, Phys. Rev. A 61, 062308 (2000). [16] N Lütkenhaus, Security against individual at- tacks for realistic quantum key distribution, Phys. Rev. A 61, 052304 (2000). [17] A Acin et al., Device-independent security of quantum cryptography against collective at- tacks, Phys. Rev. Lett. 98, 230501 (2007). [18] V Scarani et al., The security of practical quantum key distribution, Rev. Mod. Phys. 81, 1301 (2009). 080002-7 Papers in Physics, vol. 8, art. 080002 (2016) / I. H. López Grande et al. [19] A K Ekert, Quantum cryptography based on bell’s theorem, Phys. Rev. Lett. 67, 661 (1991). [20] W Y Hwang, Quantum key distribution with high loss: Toward global secure communica- tion, Phys. Rev. Lett. 91, 057901 (2003). [21] Y Zhao et al., Experimental quantum key dis- tribution with decoy states, Phys. Rev. Lett. 96, 070502 (2006). [22] Z L Yuan et al., Unconditionally secure one-way quantum key distribution using decoy pulses, Appl. Phys. Lett. 90, 011118 (2007). [23] Agilent Application Bulletin 78, Low cost fiber-optic links for digital applications up to 155 MBd, Agilent Technologies Inc. (1999). 080002-8