4. Quantum key distribution using coherent laser pulses 37
4.3. Upper bounds on secret key length
Data assignment Dvis,0 Dvis,1
Bit 0 no click click
Bit 1 click no click
Random bit click click
Empty detection,∅ no click no click
Table 4.2. Data interpretation table for Dvis,0 and Dvis,1.
Sifting Alice and Bob announce their basis choices over the public channel; in addition, on Bob’s side, he announces all recordings observed in the phase coherence measurement. Using these announcements, they identify the following sets,X ={i:ai =bi=X∧yi0 6=∅}, V1={i:ai=V∧ai−1= X∧yi−1 = 1∧bi = V∧w2i−1 6= ∅} ∪ {i : ai = V∧ai−1 = V∧bi = V∧w2i−1 6= ∅} and V2 = {i : ai = bi = V∧w2i 6= ∅}. If |X | ≥ nX,
|V1| ≥nV,1 and |V2| ≥nV,2 are met, they proceed to the next step.
Parameter Estimation First, a raw key pair,X andX, is generated by choos-ˆ ing a random sample of size nX of X. Then, they compute the fraction of errors in V1 ∪ V2, λV := (P
i∈V1w2i−1 + P
i∈V2w2i)/(|V1|+ |V2|).
Note that the visibility is related to 1−2λV. Finally, they check for λV +t(pe, nX, nV, λV) ≤ Qtol. If this condition is true, then they pro-ceed to do classical-post-processing, else they abort the protocol.
Classical-post-processing First, Alice and Bob perform an error correction step that reveals at most SyndEC-bits of information. In this step, we assume that they try to correct for an error rate that is predetermined.
Next, to ensure that they share a pair of identical keys, they perform an error-verification step using two-universal hash functions that publishes dlog21/core-bits of information. Finally, conditioned on passing this last step, they perform privacy amplification on their keys to extract a secret key pair,S and S, of sizeˆ `.
4.3. Upper bounds on secret key length
Since the error verification step is implemented with two-universal hash func-tions, the correctness is thus given by Theorem 1. The secrecy of the protocol is as follows
Theorem 4. For protocol parameters, µ, nX, nZ, qx, Qtol, SyndEC, cor, `, the secret key is sec-secret if
`≤max
β
$ nX
1−Qtol−(1−Qtol)h 1
2+ ξ(µ, Qtol) 2
−10 r
nX
1−2 log2 sec
4 −β
−SyndEC−log2 8 β4cor,
%
, (4.2)
with
ξ(µ, Qtol) := (1−4Qtol) exp(−µ)−2p
(1−2Qtol)2Qtol(1−exp(−2µ)),
where the maximization is taken over 0< β≤sec/4.
Proof. As usual, let us denote by E+ the information that Eve gathers on X up to the error verification step. Then, according to Lemma 4, the protocol is
∆-secret if
dsec(S|E+Y)≤2
2 −β
+ 232
2`−Hmin/2−β(X|E+)14
= ∆, (4.3) where Y is the seed used to randomly choose a hash function in the privacy amplification step. To see why the proposed secret key length, Eq. (3.11), gives a sec-secret key, we first need to show that the smooth min-entropy in the above expression is lower bounded by
Hmin/2−β X|E+
≥nX
1−Qtol−(1−Qtol)h 1
2+ ξ(µ, Qtol) 2
−10 r
nX
1−2 log2
2 −β
−SyndEC−log2 2 cor, where ξ(µ, Qtol) is some function to be defined later. Next, we use a chain rule [17, Theorem 3.2.12] to get
Hmin/2−β X|E+
≥Hmin/2−β(X|E)−SyndEC −log2 2 cor
.
Then, under the assumption that Eve interacts independently and identically with each individual two-mode coherent state, the smooth min-entropy of X
4.4. Simulation: evaluation with real-world parameters 43
given E can be lower bounded by using [81, Theorem 9] and [38, Eqs. (15) and (B.8)]. In particular,
Hmin/2−β(X|E)≥nX
1−Qtol−(1−Qtol)h 1
2 +ξ(µ, Qtol) 2
−10 r
nX
1−2 log2
2 −β
,
where
ξ(µ, Qtol) = (1−4Qtol) exp(−µ)−2p
(1−2Qtol)2Qtol(1−exp(−2µ)).
Putting everything together and composing the error term due to random sampling without replacement (i.e., pe), we thus have (after removing the conditioning of passing the parameter estimation test),
dsec(S|E+Y)≤∆≤+pe ≤sec. (4.4) Choosing =pe =sec/2 concludes the proof.
4.4. Simulation: evaluation with real-world parameters
In order to simulate the performance of Eq. (4.2), we consider a realistic fiber-based system model that partially borrows results from a recent COW QKD experiment Ref. [B.5]. On Alice’s side, the COW states are generated by using a continuous wave laser and an intensity modulator: here, the repetition rate is set to 625 MHZ and the bit error rate due to finite extinction ratio is about Q = 0.3%. In addition, we assume that Alice can optimize the intensity of the laser pulses, µ, and the probability of generating a test state, 1 −qX. On Bob’s side, the bit and phase coherence measurements are implemented with single-photon detectors, where each detector has a detection efficiency of ηBob = 10%, a dark count probability of pdc = 6×10−7 and an after-pulse probability of pap = 4×10−2 [61]. We also assume that Bob can optimize,tB, the splitting ratio of the fibre coupler (i.e., see Fig.4.2): the measurement setup is a passive basis choice setup, i.e., with probability tB the incoming quantum state is sent to top channel for bit decoding, and with probability 1−tB the state is sent to the bottom channel for phase coherence measurement. The
30 40 50 60 70 80 90 100 110 120 10−7
10−6 10−5 10−4 10−3
Fiber length (km)
Secret key rate (per signal sent)
Fig. 4.2. We numerically optimize the secret key rates for various classical-post-processing block sizes nX = 10s with s = 5,6,7,8; the dashed line repre-sents the asymptotic limit. The secrecy sec and correctness cor are fixed to 10−9 and 10−15, respectively.
quantum channel connecting Alice and Bob is simulated using an optical fiber with an attenuation coefficient of0.2dB/km. Therefore, the transmittance of aL km optical fiber is given by ηch = 10−0.2L/10.
Based on the above specifications and using µt1 (for long distance oper-ation), the expected detection rate in the data channel is about
Rdata =qX(µttBηBob+ 2pdc)(1 +pap). (4.5) For the phase coherence measurement, the expected detection rates (condi-tioned on Alice sending constructive interference sequences) in the2iand2i−1 time bins are given by
Rph,2i = (1−qX)(µt(1−tB)ηBob + 2pdc)(1 +pap), (4.6) and
Rph,2i-1 = (1−3qX/2 +qX2/2)(µt(1−tB)ηBob+ 2pdc)(1 +pap), (4.7) respectively. The expected error rate for the data channel is
edata = qX[(1 +ppa)pdc+ (0.5ppa+Q)µttBηBob]
Rdata , (4.8)
4.4. Simulation: evaluation with real-world parameters 45
and the expected error rates for the phase coherence measurement are eph,2i= (1−qX)[((1 +ppa)pdc+ (0.5ppa+Q)µt(1−tB)ηBob)]
Rph,2i (4.9)
and
eph,2i-1 = (1−3qX/2 +q2X/2)[((1 +ppa)pdc+ (0.5ppa+Q)µt(1−tB)ηBob)]
Rph,2i-1 ,
(4.10) respectively.
The size of the syndrome in the error correction step is fixed to SyndEC = nX1.2h(Qtol) bits of information. That is, we assume an error correction step that reveals at most nX1.2h(Qtol) bits regardless of the error rate of the raw key; this is not a problem since if the error correction step fails, it is highly likely to be detected in the error verification step. The secrecy of the protocol is set to sec = 10−9: using sec = κ` implies that κ ≤ 10−9. The correctness is fixed tocor = 10−15.
For the evaluation, we fix the classical-post-processing block size to a range of realistic values nX = 10s with s = 5,6,7,8, and investigate the maximum secret key rate achievable based on the above channel model. From Fig. 4.2, we see that secret keys can already be distributed up to about 75 km for a block size of 105 bits, which is significantly further than those of the non phase-randomized BB84 protocol [76].
To conclude, we have extended the asymptotic security analysis given in Ref. [38] to the finite-key length regime, where concise security bounds for the extractable secret key length are derived. The security bounds are evaluated with a realistic system model, and we found that the security performance of these bounds are far better than those of the BB84 protocol with coherent laser pulses. This suggests that the phase coherence measurement between successive laser pulses indeed provides a form of protection against the PNS and USD attacks. Admittedly, these results are only valid against a restricted class of collective attacks, however, based on the preliminary results obtained in Ref. [B.2], it appears that bounds against collective attacks are not too far from those against general attacks.
5. Conclusion and outlook
In this thesis, we have introduced a general security proof technique that can be used to analyze the security of practical QKD. Compared to existing security proof techniques in the literature, the security bounds due to our technique are significantly tighter, in the sense that secret keys can still be distributed even if the underlying classical-post-processing block sizes are small; whereas those based on existing security proof techniques require unrealistic block sizes. In addition, since our proof technique only requires a minimal number of assump-tions about Bob’s measurement device, this allows us to consider a large class of practical measurement setups. However, this is not the case for existing proof techniques as one has to find a so-called squashing model [82–84] for the measurement setup.
Although our security bounds are rather general and can be applied to a wide range of devices, some conditions on the implementation are still required. In particular, we require that the probability of having a detection in Bob’s mea-surement device is independent of his basis choice. This condition is normally met when the detectors are operating according to specification. However, if the detectors are not implemented correctly, then there may be serious secu-rity consequences, e.g., see Ref. [85,86] where they exploit the physics of the detectors to “hack” the QKD system. Basically, the idea of hacking is to create a gap between the QKD system and the theoretical model assumed by the security analysis, so that side-channels attacks can be mounted.
Unfortunately, as with any crypto system, side-channels cannot be com-pletely ruled out since practical devices generally have inadvertent flaws. As an attempt to mitigate this complication, the concept of device-independent QKD (DIQKD) has been proposed [87–90], where the security is based en-tirely on the violation of Bell’s theorem [91](see Ref. [92] for a survey of the field and the references therein). The central idea there is to exploit the fact that Bell’s theorem only looks at Alice’s and Bob’s joint statistics, and how these statistics are obtained is irrelevant. For these reasons, in DIQKD, the security of the output key is completely independent of the internal workings
of the devices, and thus side-channels—to a large extent—are ruled out. Here, it is important to emphasize that the Bell’s theorem can only guarantee the security of the key generation process, i.e., the distribution and measurement of entangled bipartite quantum systems, therefore one still has to be prudent with the classical aspect of QKD, i.e., the classical-post-processing phase and the secure storage of the output keys.
In the recent years, much progress has been made in theory of DIQKD, and most notably, a rigorous security has been obtained [90]. However, on the practical side, an implementation of device-independent QKD is still a work in progress. That is, a complete loophole-free Bell test is still not yet available;
although individual loopholes have been closed in different Bell experiments, e.g. see Refs. [93–97]. On the theoretical side, to help overcome the detection loophole [98–100] due to high channel loss, alternative DIQKD protocols have been proposed: for example, our group in Geneva has suggested two proposals, i.e. one based on qubit amplifier [101] and the other based on local Bell test [B.3].
Very recently, it has been pointed out that it may be more practical to con-sider a slightly weaker DIQKD protocol, i.e., measurement-device-independent QKD (MDIQKD) [102], where only the measurement setup is made device-independent. This protocol has a nice balance in that it offers security against detector side-channel attacks (which is the most common type of side-channel attack in QKD) and can be implemented with current experimental tech-niques [103–105]. In fact, using materials from Ref. [B.6], we provide for the first time a rigorous security proof of MDIQKD [B.7].
Based on the above, it is clear that significant progress has been made in closing the gap between the theory and practice of QKD. In particular, on the theoretical side, we now have theoretical tools that can be used to analyze the security of practical QKD systems (and we also know how to rule out most side-channel attacks), and on the practical side, QKD experiments have been carried out in real-world scenarios. For these reasons, it is not hard to imagine a future where QKD plays an important role in our communication networks.
References
[1] C Shannon. A Mathematical Theory of Communication. Bell Syst. Tech.
J., 27:379–423, 1948.
[2] Carlo Blundo and Paolo D’Arco. The Key Establishment Problem. In Riccardo Focardi and Roberto Gorrieri, editors,Foundations of Security Analysis and Design II SE - 2, volume 2946 ofLecture Notes in Computer Science, pages 44–90. Springer Berlin Heidelberg, 2004.
[3] Jörn Müller-Quade and Dominique Unruh. Long-Term Security and Uni-versal Composability. In SalilP. Vadhan, editor,Theory of Cryptography SE - 3, volume 4392 ofLecture Notes in Computer Science, pages 41–60.
Springer Berlin Heidelberg, 2007.
[4] Daniel. Bernstein. Introduction to post-quantum cryptography. In Daniel. Bernstein, Johannes Buchmann, and Erik Dahmen, editors, Post-Quantum Cryptography SE - 1, pages 1–14. Springer Berlin Heidelberg, 2009.
[5] Charles H Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. In Proc. IEEE Int. Conf. on Comp., Sys. and Signal Process., pages 175–179, Bangalore, 1984.
[6] Gilles Brassard and Louis Salvail. Secret-Key Reconciliation by Public Discussion. In Tor Helleseth, editor, Advances in Cryptology, EURO-CRYPT’ 93 SE, 35, volume 765 of Lecture Notes in Computer Science, pages 410–423. Springer Berlin Heidelberg, 1994.
[7] Charles H Bennett, Gilles Brassard, C Crepeau, and Ueli M Mau-rer. Generalized Privacy Amplification. IEEE Trans. on Inf. Theory, 41(6):1915–1923, 1995.
[8] Dominic Mayers. Quantum Key Distribution and String Oblivious Trans-fer in Noisy Channels. InAdvances in Cryptography — CRYPTO, LNCS (Springer), pages 343–357, 1996.
[9] Dominic Mayers. Unconditional security in quantum cryptography. J.
ACM, 48(3):351–406, May 2001.
[10] Hoi-Kwong Lo and H F Chau. Unconditional Security Of Quantum Key Distribution Over Arbitrarily Long Distances. Science, 283(5410):2050–
2056, 1998.
[11] Peter W Shor and John Preskill. Simple Proof of Security of the BB84 Quantum Key Distribution Protocol. Phys. Rev. Lett., 85(2):441–444, July 2000.
[12] Charles H. Bennett, David P. DiVincenzo, John A. Smolin, and William K. Wootters. Mixed-state entanglement and quantum error cor-rection. Physical Review A (Atomic, Molecular, and Optical Physics), 54(5):3824, 1996.
[13] Dagmar Bruß. Optimal Eavesdropping in Quantum Cryptography with Six States. Physical Review Letters, 81(14):3018–3021, October 1998.
[14] H. Bechmann-Pasquinucci and N. Gisin. Incoherent and coherent eaves-dropping in the six-state protocol of quantum cryptography. Physical Review A, 59(6):4238–4248, June 1999.
[15] B Kraus, N Gisin, and R Renner. Lower and upper bounds on the se-cret key rate for QKD protocols using one–way classical communication.
Physical Review Letters, 95(8):1–4, 2004.
[16] Renato Renner, Nicolas Gisin, and Barbara Kraus. Information-theoretic security proof for quantum-key-distribution protocols. Phys. Rev. A, 72(1):12332, July 2005.
[17] Renato Renner. Security of Quantum Key Distribution. PhD thesis, ETH Zurich, 2005.
[18] Matthias Christandl, Robert König, and Renato Renner. Postselection Technique for Quantum Channels with Applications to Quantum Cryp-tography. Phys. Rev. Lett., 102(2):20504, January 2009.
References 51
[19] Valerio Scarani and Renato Renner. Quantum Cryptography with Finite Resources: Unconditional Security Bound for Discrete-Variable Proto-cols with One-Way Postprocessing. Phys. Rev. Lett., 100(20):200501, May 2008.
[20] Lana Sheridan, Thinh Phuc Le, and Valerio Scarani. Finite-key security against coherent attacks in quantum key distribution. New Journal of Physics, 12(12):123019, 2010.
[21] Hoi-Kwong Lo, Hoi-Fung Chau, and M Ardehali. Efficient quantum key distribution scheme and a proof of its unconditional security. Journal of Cryptology, 18(2):133–165, 2005.
[22] Won-Young Hwang. Quantum Key Distribution with High Loss: Toward Global Secure Communication. Phys. Rev. Lett., 91(5):57901, August 2003.
[23] Hoi-Kwong Lo, Xiongfeng Ma, and Kai Chen. Decoy State Quantum Key Distribution. Phys. Rev. Lett., 94(23):230504, June 2005.
[24] Xiongfeng Ma, Bing Qi, Yi Zhao, and Hoi-Kwong Lo. Practical decoy state for quantum key distribution. Physical Review A, 72(1):012326, July 2005.
[25] Damien Stucki, Nicolas Brunner, Nicolas Gisin, Valerio Scarani, and Hugo Zbinden. Fast and simple one-way quantum key distribution. Ap-plied Physics Letters, 87(19):194108, 2005.
[26] H. Inamori, N. Lütkenhaus, and D. Mayers. Unconditional security of practical quantum key distribution. Eur. Phys. J. D, 41(3):599–627, 2007.
[27] Shun Watanabe, Ryutaroh Matsumoto, and Tomohiko Uyematsu. Noise tolerance of the BB84 protocol with random privacy amplification. In-ternational Journal of Quantum Information, 04(06):935–946, December 2006.
[28] Masahito Hayashi. Practical evaluation of security for quantum key dis-tribution. Phys. Rev. A, 74(2):22307, August 2006.
[29] Tim Meyer, Hermann Kampermann, Matthias Kleinmann, and Dagmar Bruss. Finite key analysis for symmetric attacks in quantum key distri-bution. Physical Review A, 74(4):9, 2006.
[30] Robert König, Renato Renner, Andor Bariska, and Ueli Maurer. Small accessible quantum information does not imply security. Physical review letters, 98(14):140502, 2007.
[31] Masahito Hayashi. Upper bounds of eavesdropper’s performances in finite-length code with the decoy method. Phys. Rev. A, 76(1):12329, July 2007.
[32] Raymond Y Q Cai and Valerio Scarani. Finite-key analysis for practical implementations of quantum key distribution. New Journal of Physics, 11(4):45024, 2008.
[33] Masahito Hayashi and Toyohiro Tsurumaru. Concise and tight security analysis of the Bennett Brassard 1984 protocol with finite key lengths.
New Journal of Physics, 14(9):93014, 2012.
[34] Masahito Hayashi and Ryota Nakayama. Security analysis of the decoy method with the Bennett-Brassard 1984 protocol for finite key lengths.
February 2013.
[35] Rolando D. Somma and Richard J. Hughes. Security of decoy-state protocols for general photon-number-splitting attacks. Physical Review A, 87(6):062330, 2013.
[36] Jun Hasegawa, Masahito Hayashi, Tohya Hiroshima, and Akihisa Tomita. Security analysis of decoy state quantum key distribution in-corporating finite statistics. page 13, July 2007.
[37] Bernd Fröhlich, James F Dynes, Marco Lucamarini, Andrew W Sharpe, Zhiliang Yuan, and Andrew J Shields. A quantum access network. Na-ture, 501(7465):69–72, September 2013.
[38] Cyril Branciard, Nicolas Gisin, and Valerio Scarani. Upper bounds for the security of two distributed-phase reference protocols of quantum cryptography. New Journal of Physics, 10(1):13031, 2008.
References 53
[39] Mark N Wegman and J Lawrence Carter. New Hash Functions and Their Use in Authentication and Set Equality. J. Comp. Syst. Sci., 22(3):265–
279, 1981.
[40] D R Stinson. Universal Hashing and Authentication Codes. Designs, Codes and Cryptography, 4(3):369–380, July 1994.
[41] Joern Mueller-Quade and Renato Renner. Composability in quantum cryptography. New Journal of Physics, 11(8):18, 2010.
[42] Christopher Portmann. Key recycling in authentication. ArXiv, page 6, 2012.
[43] J Lawrence Carter and Mark N Wegman. Universal Classes of Hash Functions. J. Comp. Syst. Sci., 18(2):143–154, 1979.
[44] Marco Tomamichel, Roger Colbeck, and Renato Renner. Duality Be-tween Smooth Min- and Max-Entropies. IEEE Trans. on Inf. Theory, 56(9):4674–4681, September 2010.
[45] Marco Tomamichel, Christian Schaffner, Adam Smith, and Renato Ren-ner. Leftover Hashing Against Quantum Side Information. February 2010.
[46] Marco Tomamichel and Masahito Hayashi. A Hierarchy of Information Quantities for Finite Block Length Analysis of Quantum Tasks. IEEE Transactions on Information Theory, 59(11):7693–7710, 2013.
[47] Artur K Ekert. Quantum cryptography based on Bell’s theorem. Phys.
Rev. Lett., 67(6):661–663, August 1991.
[48] Charles Bennett, Gilles Brassard, and N Mermin. Quantum cryptogra-phy without Bell’s theorem. Phys. Rev. Lett., 68(5):557–559, February 1992.
[49] Masato Koashi and Andreas Winter. Monogamy of entanglement and other correlations. Physical Review A, 69(2):7, 2003.
[50] Marcos Curty, Maciej Lewenstein, and Norbert Lütkenhaus. Entangle-ment as a Precondition for Secure Quantum Key Distribution. Physical Review Letters, 92(21):217903, May 2004.
[51] Mario Berta, Matthias Christandl, Roger Colbeck, Joseph M Renes, and Renato Renner. The uncertainty principle in the presence of quantum memory. Nat. Phys., 6(9):659–662, July 2010.
[52] Marco Tomamichel and Renato Renner. Uncertainty relation for smooth entropies. Physical Review Letters, 106(11):110506, 2010.
[53] Herman Chernoff. A Measure of Asymptotic Efficiency for Tests of a Hypothesis Based on the Sum of Observations.Ann. Math. Stat., 23:493–
507, December 1952.
[54] Wassily Hoeffding. Probability Inequalities for Sums of Bounded Ran-dom Variables. J. Amer. Statistical Assoc., 58:13–30, March 1963.
[55] R J Serfling. Probability Inequalities for the Sum in Sampling without Replacement. Ann. Stat., 2(1):39–48, January 1974.
[56] Pantelimon Stanica. Good lower and upper bounds on binomial co-efficients. Journal Of Inequalities In Pure And Applied Mathematics, 2(3):Article 30, 2001.
[57] B Huttner, N Imoto, N Gisin, and T Mor. Quantum cryptography with coherent states. Physical Review A, 51(3):1863–1869, 1995.
[58] G Brassard, N Lutkenhaus, T Mor, and Bc Sanders. Limitations on practical quantum cryptography. Physical Review Letters, 85(6):1330–3, 2000.
[59] Norbert Lütkenhaus and Mika Jahma. Quantum key distribution with realistic states: photon-number statistics in the photon-number splitting attack. New Journal of Physics, 4(44):4, 2001.
[60] Alexander Vitanov, Frédéric Dupuis, Marco Tomamichel, and Renato Renner. Chain Rules for Smooth Min- and Max-Entropies. IEEE Trans.
on Inf. Theory, 59(5):2603–2612, 2013.
[61] Nino Walenta, Tommaso Lunghi, Olivier Guinnard, Raphael Houlmann, Hugo Zbinden, and Nicolas Gisin. Sine gating detector with simple filter-ing for low-noise infra-red sfilter-ingle photon detection at room temperature.
Journal of Applied Physics, 112(6):063106, 2012.
References 55
[62] Daniel Gottesman, Hoi-Kwong Lo, Norbert Lutkenhaus, and John Preskill. Security of quantum key distribution with imperfect devices.
Quant.Inf.Comput., 5:325–360, 2004.
[63] N A Peters, P Toliver, T E Chapuran, R J Runser, S R McNown, C G Peterson, D Rosenberg, N Dallmann, R J Hughes, K P McCabe, J E Nordholt, and K T Tyagi. Dense wavelength multiplexing of 1550 nm QKD with strong classical channels in reconfigurable networking envi-ronments, 2009.
[64] P Eraerds, N Walenta, M Legré, N Gisin, and H Zbinden. Quantum key distribution and 1 Gbps data encryption over a single fibre, 2010.
[64] P Eraerds, N Walenta, M Legré, N Gisin, and H Zbinden. Quantum key distribution and 1 Gbps data encryption over a single fibre, 2010.