Protocol description

p_µ3

!

. (3.9)

In addition, we denote by λ_X,1 the single-photon error rate, i.e., λ_X,1 := v˜_X,1

˜

s_X,1. (3.10)

As mentioned earlier, Eqns. (3.6), (3.7), (3.9) and (3.10) also apply to the Z basis; just change the subscript X toZ.

3.2. Protocol description

Similar to the previous chapter, we consider a biased basis choice BB84 pro-tocol, however, instead of using a single-photon source, Alice uses a phase-randomized laser source to generate quantum systems. Additionally, the in-tensity of each laser pulse is randomly set to one of the three intensities, K:={µ₁, µ₂, µ₃}, whereµ₁> µ₂+µ₃ and µ₂ > µ₃ ≥0.

The protocol is characterized by the following parameters: N, the number of laser pulses sent by Alice, n_X,k, the number of detections given that Alice chooses Xbasis and intensity k and Bob chooses X basis, n_Z,k, the number of detections given that Alice chooses Z basis and intensityk and Bob choose Z basis,p_k, the probability of choosing intensityk,φ_tol, the tolerated error rate, Synd_EC, the size of the error correcting information, _cor, the correctness,_pe, the error in the estimation, and, `, the secret key length. The protocol runs as follows.

Preparation: The first three steps of the protocol are repeated fori= 1,2, . . . , N until the conditions in the sifting step are fulfilled. Alice chooses a bit value uniformly at random and records the value in y_i. Then, she selects a basis choicea_i ∈ {X,Z} with probabilities q_x and 1−q_x, respectively, whereq_x := (1+p

n_Z/n_X)⁻¹, and an intensity choicek_i∈ Kwith proba-bilitiesp_µ1,p_µ2 andp_µ3 = 1−p_µ1−p_µ2, respectively. Finally, she prepares a weak laser pulse based on the chosen values and sends it to Bob via the quantum channel.

Measurement: Bob chooses a basis b_i ∈ {X,Z} with probabilities q_x and 1−q_x, respectively. Then, he performs a measurement in basis b_i and

3.3. Bounds on secret key length 29

records the outcome iny_i⁰. In practice, the measurement device is usually implemented with two single-photon detectors. In this case, there are four possible outcomes{0,1,∅,⊥}, where0and1are the bit values, and

∅ and ⊥ are the no detection and double detection events, respectively.

For the first three outcomes, Bob assigns what he observes toy⁰_i, and for the last outcome⊥, he assigns a random bit value to y_i⁰.

Sifting: Alice and Bob announce their basis and intensity choices over an authenticated public channel and identify the following sets: Xk := {i: a_i=b_i =X∧k_i =k∧y_i⁰ 6=∅}andZk :={i:a_i =b_i=Z∧k_i=k∧y_i⁰ 6=∅}

for all k ∈ K. Then, they check for |Xk| ≥ n_X,k and |Zk| ≥ n_Z,k for all values of k.

Parameter Estimation: First, a raw key pair, X and X, is generated byˆ choosing a random sample of size n_X = P

k∈Kn_X,k of X = ∪k∈KXk, where n_X is the post-processing block size. Second, they announce the setsZk and compute the corresponding number of bit errors,c_Z,k. Third, they calculate the number of vacuum events s˜_X,0 and the number of single-photon eventss˜_X,1 in the raw key pair. Finally, they calculate the error rate,λ_Z,1, of the single-photon events in the setsZk, and check that it satisfies λ_Z,1+t _pe,˜s_X,1,˜s_Z,1, λ_Z,1

≤ Q_tol. If it does, they proceed to the classical-post-processing step, otherwise, they abort the protocol.

Classical-post-processing: First, Alice and Bob perform an error correction step that reveals at most Synd_EC-bits of information. In this step, we assume that they try to correct for an error rate that is predetermined.

Next, to ensure that they share a pair of identical keys, they perform an error-verification step using two-universal hash functions that publishes dlog₂1/_core-bits of information. Finally, conditioned on passing this last step, they perform privacy amplification on their keys to extract a secret key pair,S and S, of sizeˆ `.

3.3. Bounds on secret key length

The security analysis of the protocol follows roughly along the lines of the one in the previous chapter. This is the case for the analysis of the correctness, since both protocols use the same error verification procedure, i.e., by using a family of two-universal hash functions to ensure that the raw keys are identical,

except with some (negligible) probability, _cor. For this reason, we refer the correctness of the protocol to Theorem 1. The secrecy of the protocol is given below.

Theorem 3. For protocol parameters, n_X,k, n_Z,k, p_k, Q_tol, Synd_EC, cor, and

`, the secret key is _sec-secret if

` ≤ max

pe,β

$

˜

s_X,0 + ˜s_X,1 − s˜_X,1h(Q_tol) − Synd_EC − log₂ 32 β⁸_cor

%

, (3.11) where the maximization is taken over pe, β >0 such that 4pe+ 18β ≤sec. Proof. Let us denote byE⁺ the information that Eve gathers on X up to the error verification step. Then, according to Lemma4, the protocol is ∆-secret if

d_sec(S|E⁺Y)≤2

2 −β

+ 2³²

2^{`−Hmin/2−β}(X|E⁺)¹₄

= ∆, (3.12)

where Y is the seed used to randomly choose a hash function in the privacy amplification step. To see why the proposed secret key length, Eq. (3.11), gives a _sec-secret key, we first need to show that the smooth min-entropy in the above expression is lower bounded by

H_min^/2−β X|E⁺

≥s˜_X,0+ ˜s_X,1−˜s_X,1h(Q_tol)−Synd_EC−log₂ 8

α²₂α²_3cor, (3.13) for some α₂, α₃ ≥0.

To start with, we use a chain rule [17, Theorem 3.2.12] for smooth min-entropies to get

H_min^/2−β X|E⁺

≥H_min^/2−β(X|E)−Synd_EC −log₂ 2 _cor.

We note that X may contain contributions due to vacuum and multi-photon states. More specifically, X may be a concatenation of three different types of bit strings, X^vX^sX^m, which correspond to Alice sending vacuum, single-photon and multi-single-photon states, respectively. Therefore, to analyze the secrecy ofX, we would need to decompose the smooth min-entropy ofX in such a way that it is lower bounded by the smooth min-entropy of X^s. This is achieved by using a recently formulated chain rule [60] for smooth min-entropies, i.e., for ₁>0 and ₂, ₃ ≥0,

H_min¹⁺²²⁺³(AB|C)≥H_min² (A|BC) +H_min³ (B|C)−2 log₂ 1 ₁ −1.

3.3. Bounds on secret key length 31

In particular, we apply the above chain rule to H_min^/2−β(X^vX^sX^m|E) to get H_min^/2−β(X^vX^sX^m|E)≥H_min^α1 (X^s|X^vX^mE)

+H_min^α3+2α4+α5(X^vX^m|E)−2 log₂ 1 α₂ −1, where/2−β = 2α₁+α₂+ (α₃+ 2α₄+α₅)withα₁, α₃ ≥0and α₂>0. Then, we use the same chain-rule again on the second term on the r.h.s. to get

H_min^α3+2α4+α5(X^vX^m|E)≥H_min^α4 (X^m|X^vE)

+H_min^α5 (X^v|E)−2 log₂ 1 α₃ −1

≥˜s_X,0−2 log₂ 1 α₃ −1,

for α₄, α₅ ≥ 0 and α₃ > 0. To get the second inequality, we used H_min^α4 (X^m| X^vE) ≥ 0 and H_min^α5 (X^v|E) ≥ H_min(X^v|E) = H_min(X^v) ≥ log₂2^˜sX,0 =

˜

s_X,0. The former is given by the fact that all multi-photon events are pessimisti-cally taken to be insecure, e.g., due to photon number dependent attacks. The latter is based on the assumption that vacuum contributions contain zero infor-mation about Alice’s raw key, and the key value is drawn uniformly at random.

Putting the above expressions together therefore gives H_min^/2−β X|E⁺

≥s˜_X,0+H_min^α1 (X^s|X^vX^mE)−Synd_EC −log₂ 8 α²₂α²₃cor

.

Next, we use Eq. (2.2) to place a lower bound onH_min^α1 (X^s|X^vX^mE). That is, H_min^α1 (X^s|X^vX^mE) ≥ s˜_X,1+ ˜s_X,1h(λ_Z,1+t(α₁,s˜_X,1,s˜_Z,1, λ_Z,1))

≥ s˜_X,1+ ˜s_X,1h(Q_tol),

where we used Q_tol ≥ λ_Z,1 +t(_pe,s˜_X,1,s˜_Z,1, λ_Z,1) and _pe = α₁√

1−p_abort. Combining everything together therefore gives Eq. (3.13).

Finally, putting Eq. (3.13) into Eq. (3.12), and composing the errors due to the estimation of decoy-state method parameters, it is easy to verify that the proposed secret key length, Eq. (3.11), gives a total error (conditioned on passing all the tests) of

∆≤2(2α₁+α₂+α₃) + 2β+ 10₁+ 2₂. Removing the conditioning thus gives

(1−p_abort)∆ ≤4_pe+ 2(α₂+α₃+β) + 10₁+ 2₂,

which can be simplified by choosing ₁ =₂ =α₂=α₃ =β, i.e., (1−p_abort)∆≤4_pe+ 18β ≤_sec.

3.4. Simulation: evaluation with real-world