
Info-Theoretic Secure COW-QKD Protocol

Updated 18 January 2026
  • Information-theoretic secure COW-QKD is a quantum key distribution protocol using time-bin encoded coherent and vacuum states to enable composable security.
  • It uses a passive beamsplitter design and decoy-state monitoring to counter coherent and side-channel attacks.
  • Finite-key analysis and experimental validations support secure key rates over metropolitan distances up to 100 km.

The information-theoretically secure coherent one-way quantum key distribution (COW-QKD) protocol is a quantum cryptographic scheme designed to combine practical simplicity with rigorous, composable security against arbitrary quantum attacks. Distinguished by its use of time-bin encoded coherent states and strong resistance to side-channel vulnerabilities and coherent (general) attacks, the protocol’s finite-key analysis ensures security guarantees appropriate for large-scale deployments and metropolitan quantum networks.

1. Protocol Structure and State Preparation

COW-QKD encodes raw key bits in pairs of temporal optical pulses using two main state types—coherent and vacuum. Each transmission round consists of Alice emitting a two-mode quantum state chosen from the set

$$\{|0\rangle|\alpha\rangle,\ |\alpha\rangle|0\rangle,\ |\alpha\rangle|\alpha\rangle,\ |0\rangle|0\rangle\},$$

where $|\alpha\rangle$ is a coherent state (intensity $\mu = |\alpha|^2$), and $|0\rangle$ is vacuum.

  • Z basis (key generation):
    • Logical 0: $|0\rangle_{2k-1}|\alpha\rangle_{2k}$
    • Logical 1: $|\alpha\rangle_{2k-1}|0\rangle_{2k}$
  • X basis (monitoring/decoy):
    • $|\alpha\rangle_{2k-1}|\alpha\rangle_{2k}$
    • $|0\rangle_{2k-1}|0\rangle_{2k}$

States are selected with probabilities $p_z, p_z, p_{d1}, p_{d2}$, ensuring $2p_z + p_{d1} + p_{d2} = 1$.

Bob receives each pair and uses a passive beam splitter to randomly choose between data arm (Z basis: direct single-photon detection for key generation) and monitoring arm (X basis: interference measurement for coherence and phase-error estimation), with typical splitting ratios of 30:70 (Cao et al., 11 Jan 2026). Detection events are publicly announced for sifting, allowing both parties to extract raw key and properly estimate statistical parameters.

2. Security Model and Universally Composable Framework

The security proof operates in the universally-composable framework. It guarantees two primary criteria:

  • Correctness: The probability that Alice and Bob’s raw keys disagree is bounded (e.g., $\Pr[\hat{S}_A \neq \hat{S}_B] \leq \epsilon_{\text{cor}}$).
  • Secrecy: The trace distance between the joint state of the key and adversary and an ideal state is similarly bounded ($\leq \epsilon_{\text{sec}}$).

Security is ensured against the strongest class of attacks—coherent attacks—meaning the adversary can process all transmitted pulses jointly. Furthermore, the design defends against COW-specific “zero-error” attacks where standard monitoring would otherwise provide insufficient security (Cao et al., 11 Jan 2026, Gao et al., 2021).

Device independence at the source level is achieved by strictly using only “on” and vacuum pulses, preventing source-based side-channel leaks (Cao et al., 11 Jan 2026). All practical deviations from ideal device behavior (such as detector efficiency imbalance and dark counts) are explicitly modeled.

3. Finite-Key Security Analysis and Key Rate Formula

The extractable secret-key length $l$ in the finite-key regime is lower-bounded as

$$l \geq n_z \bigl[ 1 - h(\overline{E}_p) \bigr] - \mathrm{Leak}_{\rm EC} - \log_2 \biggl( \frac{2}{\epsilon_{\rm cor}} \biggr) - 2\log_2 \biggl( \frac{5}{\epsilon_{\rm sec}} \biggr),$$

where:

  • $n_z$: number of accepted Z-basis (key) detection events,
  • $h(x)$: binary entropy function,
  • $\mathrm{Leak}_{\rm EC}$: information revealed during error correction ($f\,n_z\,h(E_z)$, with $f \geq 1$ the error correction efficiency and $E_z$ the Z-basis QBER),
  • $\overline{E}_p$: upper bound on the phase error rate in the raw Z key,
  • $\epsilon_{\rm cor}, \epsilon_{\rm sec}$: correctness and secrecy failure probabilities, typically $\leq 10^{-15}$ and $\leq 10^{-10}$, respectively (Li et al., 2023, Cao et al., 11 Jan 2026).

Key analytical tools include:

  • Leftover hash lemma for privacy amplification,
  • Entropic uncertainty relations connecting phase error rates with adversary’s uncertainty,
  • Chain rules for smooth (min/max) entropies,
  • Kato’s inequality for tight, finite-statistics estimation of rare-event parameters.

In the infinite-key (asymptotic) limit, statistical fluctuations vanish, leading to the asymptotic secret-key rate per pulse pair:

$$R_\infty = p_z \bigl[ 1 - h(E_p^*) \bigr] - f\, p_z\, h(E_z),$$

where $E_p^*$ is the limiting phase error rate (Li et al., 2023, Gao et al., 2021).
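A worked evaluation of the finite-key bound and the asymptotic rate above, added here as an example and not taken from the cited papers. The error-correction efficiency f = 1.16, the block size and the phase-error bound are assumed sample values, and the function names are illustrative.

```python
import math

def h(x):
    """Binary entropy h(x) in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def key_length(n_z, e_z, e_p_upper, f=1.16, eps_cor=1e-15, eps_sec=1e-10):
    """Finite-key lower bound l (whole bits); 0 means abort, no key is output."""
    leak_ec = f * n_z * h(e_z)                      # Leak_EC = f * n_z * h(E_z)
    penalty = math.log2(2 / eps_cor) + 2 * math.log2(5 / eps_sec)
    l = n_z * (1 - h(e_p_upper)) - leak_ec - penalty
    return max(0, math.floor(l))

def asymptotic_rate(p_z, e_z, e_p, f=1.16):
    """R_inf per pulse pair: p_z[1 - h(E_p*)] - f p_z h(E_z), floored at 0."""
    return max(0.0, p_z * (1 - h(e_p)) - f * p_z * h(e_z))

def max_phase_error(n_z, e_z, **kw):
    """Largest phase-error bound in [0, 0.5] that still yields l > 0 (bisection)."""
    if key_length(n_z, e_z, 0.0, **kw) == 0:
        return None                                 # no key even with E_p = 0
    lo, hi = 0.0, 0.5                               # h is increasing on [0, 0.5]
    for _ in range(60):
        mid = (lo + hi) / 2
        if key_length(n_z, e_z, mid, **kw) > 0:
            lo = mid
        else:
            hi = mid
    return lo

def min_block_size(e_z, e_p_upper, **kw):
    """Smallest n_z with l > 0, or None if the per-bit yield is not positive."""
    f = kw.get("f", 1.16)
    if 1 - h(e_p_upper) - f * h(e_z) <= 0:
        return None
    n = 1
    while key_length(n, e_z, e_p_upper, **kw) == 0:
        n += 1
    return n

if __name__ == "__main__":
    # Constructed inputs: E_z = 0.30% as in the 25 km row; n_z and the E_p bound are made up.
    print(key_length(10**6, 0.003, 0.05))
    print(max_phase_error(10**6, 0.003))
    print(min_block_size(0.003, 0.05))
```

The fixed penalty from the two epsilon terms is about 122 bits, so short blocks return 0 and the session must abort rather than emit a key.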

4. Phase Error Estimation and Statistical Methods

Direct preparation of virtual X-basis states ($|0_x\rangle, |1_x\rangle$) is avoided; instead, phase errors are indirectly estimated using decoy statistics from observable states ($|\alpha\alpha\rangle, |00\rangle$). The approach leverages:

  • Basis-invariance: phase error in Z-basis protocol is provably equal to bit error in a virtual X-basis experiment, following McKague et al.
  • Linear program and analytic bounds: Upper and lower bounds on unobserved detector click rates are computed using formulas involving measured decoy gains and Cauchy–Schwarz inequality,

$$\overline{Q}_{0_x}^{M_1} = \frac{1}{N^+}\left[ e^{\mu/2}\sqrt{Q_{\alpha\alpha}^{M_1}} + e^{-\mu/2}\sqrt{Q_{00}^{M_1}} \right]^2,$$

with analogous lower bounds for other terms (Li et al., 2023, Gao et al., 2021).

To handle finite-size fluctuations, Kato’s inequality is employed. For an observed count $n_{\text{obs}}$ in $k$ rounds, the expected true value is bounded with high confidence:

$$\Delta = \left[ b + a \left( 2 n_{\text{obs}}/k - 1 \right) \right] \sqrt{k},$$

where $(a, b)$ are parameters set to distribute total failure probability $\epsilon_s$ (Li et al., 2023).

This produces statistically tight, composable bounds on all quantities appearing in key-rate expressions, ensuring security even for extremely rare “vacuum–vacuum” events that are critical for tightening phase-error bounds in high-loss channels.

5. Experimental Realizations and Performance

Recent experimental implementations (Cao et al., 11 Jan 2026) have demonstrated COW-QKD with composable, information-theoretic security over distances up to 100 km. Table 1 summarizes achieved secure key rates under finite-size security assumptions:

| Distance | $\mu$ | Z-basis QBER ($E_z$) | Key rate $l$ (bps) |
|---|---|---|---|
| 25 km | $3.5 \times 10^{-3}$ | 0.30% | $1.37 \times 10^{4}$ |
| 50 km | $1.4 \times 10^{-3}$ | 0.20% | $2.47 \times 10^{3}$ |
| 75 km | $5.7 \times 10^{-4}$ | 0.34% | $2.82 \times 10^{2}$ |
| 100 km | $2.4 \times 10^{-4}$ | 0.76% | 12.8 |

The experiments used high-extinction LiNbO₃ modulators, superconducting nanowire SPDs (efficiency $>70\%$ on the Z arm), passive beamsplitters for basis choice, and Michelson interferometers (X basis) with performance maintained for interference visibilities $\gtrsim 99\%$ even at 100 km. This enables secure key rates sufficient for real-time encrypted voice and file transfer across metropolitan distances (Cao et al., 11 Jan 2026).

Notably, the implementation utilizes a strictly binary “on/off” encoding—excluding multiple intensity levels and phase encoding—thereby closing practical side channels and simplifying source qualification.

6. Side-Channel Countermeasures and Device Assumptions

Information-theoretic security is contingent on eliminating or tightly bounding device-side leakages:

  • Source independence is enforced by using only $|0\rangle$ and $|\alpha\rangle$, and mapping practical device behavior to a virtual, ideal source via a unitary transformation that shunts any side-channel degrees of freedom to orthogonal subspaces (Appendix S1 of (Cao et al., 11 Jan 2026)).
  • Optical extinction requirements on intensity modulators ($>30$ dB) and interferometer symmetry for X-basis detectors minimize information leakage.
  • Detector trust: Model assumes threshold detectors with well-characterized efficiencies and dark counts.
  • Trojan-horse and other advanced channel attacks are excluded under the assumption of negligible optical leakage and trusted random post-processing equipment.

No additional hardware beyond standard COW-QKD modules is required, and additional countermeasures (e.g., Faraday-mirror-based splitting for polarization robustness) further reduce device imperfections (Cao et al., 11 Jan 2026).

7. Deployment Implications, Scalability and Comparisons

The refined protocol structure and rigorous security analysis close key vulnerabilities exposed by previously demonstrated “zero-error” attacks, which previously limited secure deployment distances to $\lesssim 20$ km and undermined claims of unconditional security in practical COW-QKD (Gao et al., 2021, Cao et al., 11 Jan 2026). With vacuum decoy states and composable finite-key analysis, positive key rates are achieved beyond 100 km under realistic experimental assumptions, with quadratic scaling of the key rate with channel transmittance ($R \sim \eta^2$), matching the best-known theoretical upper bounds for this class (Lavie et al., 2022).

Advantages of this protocol family include:

  • Simplicity and hardware compatibility: Retains hallmark COW-QKD simplicity; adapts to photonic chip integration without the need for phase modulators or multi-level decoy intensities.
  • Metropolitan network suitability: Secure kilobit/s rates for links up to 50 km, with demonstrated scalability at higher clock rates; small-scale campus and backbone quantum links feasible for up to 100 km.
  • Extensibility: The protocol is compatible with modular extension toward measurement-device-independent (MDI) or twin-field QKD schemes to extend distance or improve robustness.

References

  • "Experimental Coherent One-Way Quantum Key Distribution with Simplicity and Practical Security" (Cao et al., 11 Jan 2026)
  • "Finite-Key Analysis for Coherent One-Way Quantum Key Distribution" (Li et al., 2023)
  • "Simple security proof of coherent-one-way quantum key distribution" (Gao et al., 2021)
  • "Improved coherent one-way quantum key distribution for high-loss channels" (Lavie et al., 2022)
