Point-to-Multipoint COW QKD Protocol

• The paper demonstrates a point-to-multipoint extension of the COW QKD protocol that enables simultaneous secret key distribution to multiple receivers using an efficient XOR key combination.
• It employs dual-SPD and dual-receiver configurations along with precise fiber-optic attenuation and optimized detector settings to enhance secret key rates while keeping QBER below 6%.
• The security analysis underscores that reducing photon intensity to around 0.2 mitigates collective beam-splitting attacks, supporting robust secure group communications.

The point-to-multipoint extension of the Coherent-One-Way (COW) Quantum Key Distribution (QKD) protocol is an experimentally validated architecture enabling a single quantum transmitter to distribute secret keys simultaneously to multiple receivers over separate channels. By leveraging component and post-processing optimizations, this protocol addresses experimental bottlenecks arising from detector limitations, while extending standard two-party QKD to a network regime suitable for secure group communication. Security analysis, implementation details, and empirical benchmarks demonstrate the protocol’s viability under realistic device constraints and collective attack models (Abhignan et al., 8 Jan 2026).

1. Fundamentals of the COW QKD Protocol

The Coherent-One-Way (COW) protocol encodes logical bits using time-bin qubits, where Alice—serving as the transmitter—sends either

$$\ket{0}_t\ket{\sqrt\mu}_{t-\tau} \quad(\text{bit } 1)$$

or

$$\ket{\sqrt\mu}_t\ket{0}_{t-\tau} \quad(\text{bit } 0)$$

in consecutive time bins $t$ and $t-\tau$. With probability $f$, Alice introduces "decoy" states $\ket{\sqrt\mu}_t\ket{\sqrt\mu}_{t-\tau}$ to enable quantum channel monitoring. Here, $\mu$ is the mean photon number per pulse, and $\tau = 1/F$, with $F$ the system repetition rate.

After transmission, Bob(s) announce detected pulses (time bins), Alice identifies decoys, and sifting yields a sifted-basis rate $S_Z$ (bits/s). The quantum bit error rate (QBER) is defined as

$$e_Z = \frac{\text{erroneous detections}}{\text{all detections}}$$

With error correction inefficiency $f \geq 1$ (e.g., $1.1\!-\!1.2$), the asymptotic Devetak–Winter bound gives the secure key rate: $$R \;=\; S_Z \;-\; f\,S_Z\,H_2(e_Z)\;-\;\Delta_{\mathrm{PA}}$$ where $H_2$ is the binary entropy and $\Delta_{\mathrm{PA}}$ is the privacy amplification penalty.

2. Experimental Apparatus and Detector Enhancement

The experimental setup features a 1550.12 nm CW laser carved by an intensity modulator controlled at $F=1$ GHz, stabilized via a 1% bias-controller loop, and followed by two variable optical attenuators (VOA$_1$, VOA$_2$) to set $\mu$. The attenuation $\alpha$ is determined by

$$\alpha = 10 \log_{10}\left(\frac{P_f}{P_i}\right), \quad P_f = \mu F \frac{hc}{\lambda}$$

where $P_i$ is modulator output, $\lambda=1550$ nm.

Bob, the receiver, employs a 90:10 fiber beamsplitter (BS) to route 90% of incoming photons to the data line and 10% to a monitoring interferometer (not used for this improvement). On the data line, an additional $1 \times 2$ (50:50) splitter feeds two InGaAs/InP single-photon detectors (SPDs), labeled SPD$_a$ and SPD$_b$, each characterized by quantum efficiency $\eta$ and dead time $\tau_d$.

Theoretical per-detector count rates (accounting for fiber loss $\alpha_d\approx0.22$ dB/km and distance $L$) are given by

$$C_{\rm th}^{(0)} = 0.9\,\eta\,\mu\,(F/2)\,10^{-\alpha_d L/10}$$

Factoring in detector dead time,

$$C_{\rm th} = \frac{C_{\rm th}^{(0)}}{1 + \tau_d\,C_{\rm th}^{(0)}}$$

Experimental rates $C_{\rm exp}$ approach $C_{\rm th}$ for a single SPD and $2\,C_{\rm th}$ for dual SPDs before saturation, thus the data line split between two SPDs mitigates the throughput limit imposed by detector dead time.

3. Point-to-Multipoint Network Architecture

Point-to-multipoint extension involves distributing Alice’s modulated quantum pulse train to two independent receivers (Bobs), establishing two parallel COW QKD channels. Post-attenuation, a 50:50 BS splits the modulated sequence, and each branch passes through individual attenuator chains and fiber spools of length $L$. Synchronized by a shared FPGA clock (or calibrated with fixed delay), both Bobs maintain time alignment for coherent state detection.

Each Bob's measurement setup mirrors the single-receiver configuration: a 90:10 BS, a 50:50 splitter, and two SPDs. This two-channel extension is directly compatible with generic COW protocol deployments.

4. Secret-Key Generation and Post-Processing Workflow

The secret-key generation process for the dual-receiver architecture comprises the following steps:

• Sifting: Each Bob $i$ records counts $n_0^{(i)}, n_1^{(i)}$ in non-decoy time bins; decoy bins are excluded. Sifted key rate is $S_Z^{(i)} \approx n_0^{(i)} + n_1^{(i)}$ (minus decoys).
• Error Correction: A disclosure ratio $\mathrm{DR}=10\%$ of sifted bits estimates $e_Z^{(i)}$. Error correction—via low-density parity-check codes—leaks $f\,S_Z^{(i)}\,H_2(e_Z^{(i)})$ bits.
• Privacy Amplification: With compression ratio $\mathrm{CR}$ (up to 90%), the final SKR per Bob is

$$R_i = S_Z^{(i)} (1-\mathrm{DR})(1-\mathrm{CR}) - \Delta_{\mathrm{PA}}^{(i)}$$

• Key Combination: Alice aligns key lengths $|k_{A1}| = |k_{A2}|$ and broadcasts the XOR $k_{12} = k_{A1} \oplus k_{A2}$ using one-time pad. Bob 1 can reconstruct $k_{A2}$; Bob 2 reconstructs $k_{A1}$, and all three share $k_{12}$ of length $\min\{R_1, R_2\}$.
• Aggregate Key Rate: Since one raw key is sacrificed by XOR, the end-user shared SKR is

$R_{\rm total} = \max\{R_1, R_2\}$

5. Empirical Performance Benchmarks

Experimental benchmarking demonstrates efficiency gains from both dual-SPD and dual-Bob approaches:

Channel Length ($L$)	$\eta$	$\tau_d$ ($\mu$s)	1 SPD SKR (kb/s)	2 SPDs SKR (kb/s)	QBER (%)
80 km	0.15	15	2.1	3.7	3–5
100 km	0.20	20	1.8	2.9	4–6
120 km	–	–	–	50–80% gain	<6

In the dual-Bob scenario at $L=100$ km:

• For $\mu=0.5, \eta=0.2$, each Bob achieves SKR $\approx1.8$ kb/s, QBER $<5$\%.
• For $\mu=0.2$, SKR $\approx1.2$ kb/s per Bob with improved QBER.
• The shared-key rate $k_{12}$ reflects $\min \{ R_1, R_2 \}$; aggregate SKR $\approx1.8$ kb/s.

6. Security Analysis and Parameter Optimization

The security proof utilizes the asymptotic, collective-attack model (Devetak–Winter bound). The principal threat modeled is the collective beam-splitting attack (BSA), where Eve replaces the transmission line by a lossless channel and a beamsplitter of transmission $t_B = 10^{-\alpha_d L/10}$, retaining a mode with amplitude $\sqrt{\mu t_E}$ and inter-bit overlap $\gamma_E = e^{-\mu t_E}$. The Holevo information per pulse is

$\chi_E = H_2\left(\frac{1-\gamma_E}{2}\right)$

and Bob’s per-pulse detection probability is $p_{\rm click} = \tfrac12(1-e^{-\mu t_B \eta})$. The per-pulse secure rate is

$r_{\rm COW} = p_{\rm click}[1-\chi_E]$

In the dual-Bob configuration, a worst-case scenario is assumed: Eve attacks both branches coherently, doubling her Holevo gain $\chi_E \to 2\chi_E$.

Optimizing $\mu$ is crucial: higher $\mu$ raises Bob’s click rate but increases $\chi_E$, reducing long-distance security. For $L>80$ km in the dual-Bob scenario, $\mu=0.2$ offers superior security rates relative to $\mu=0.5$. Detector settings ($\tau_d \approx 20\!-\!50~\mu$s, $\eta \approx 0.2$) are adjusted to optimize throughput against QBER and loss constraints.

7. Conclusion and Practical Implications

By (i) splitting each data line into two SPDs to bypass detector saturation limits, and (ii) constructing a three-party shared key via the XOR of two independently generated keys, the point-to-multipoint COW QKD protocol demonstrates substantial increases in achievable secret-key rates and user scalability. Experimentally, QBER remains within the established threshold ($\leq$6%), and the approach is generalizable to further COW implementations. Both empirical observation and theoretical BSA-derived limits confirm that lower $\mu$ values (around 0.2) are optimal under broadcast-channel and collective attack security conditions (Abhignan et al., 8 Jan 2026).