Security of quantum-key-distribution protocols using two-way classical communication or weak coherent pulses
KRAUS, Barbara, BRANCIARD, Cyril, RENNER, Renato
Abstract
We apply the techniques introduced by Kraus et al. [Phys. Rev. Lett. 95, 080501 (2005)] to prove security of quantum-key-distribution (QKD) schemes using two-way classical post-processing as well as QKD schemes based on weak coherent pulses instead of single-photon pulses. As a result, we obtain improved bounds on the secret-key rate of these schemes. For instance, for the six-state protocol using two-way classical post-processing we recover the known threshold for the maximum tolerated bit error rate of the channel, 0.276, but demonstrate that the secret-key rate can be substantially higher than previously shown.
Moreover, we provide a detailed analysis of the Bennett-Brassard 1984 (BB84) and the SARG protocol using weak coherent pulses (with and without decoy states) in the so-called untrusted-device scenario, where the adversary might influence the detector efficiencies. We evaluate lower bounds on the secret-key rate for realistic channel parameters and show that, for channels with low noise level, the bounds for the SARG protocol are superior to those for the BB84 protocol, whereas this advantage disappears with [...]
KRAUS, Barbara, BRANCIARD, Cyril, RENNER, Renato. Security of quantum-key-distribution protocols using two-way classical communication or weak coherent pulses. Physical Review. A, 2007, vol. 75, no. 1
DOI: 10.1103/PhysRevA.75.012316
Available at:
http://archive-ouverte.unige.ch/unige:47357
Barbara Kraus,1 Cyril Branciard,2 and Renato Renner3
1 Institute for Theoretical Physics, University of Innsbruck, Austria
2 Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland
3 Department of Applied Mathematics and Theoretical Physics, University of Cambridge, Cambridge CB3 OWA, United Kingdom
(Received 20 October 2006; published 16 January 2007)
We apply the techniques introduced by Kraus et al. [Phys. Rev. Lett. 95, 080501 (2005)] to prove security of quantum-key-distribution (QKD) schemes using two-way classical post-processing as well as QKD schemes based on weak coherent pulses instead of single-photon pulses. As a result, we obtain improved bounds on the secret-key rate of these schemes. For instance, for the six-state protocol using two-way classical post-processing we recover the known threshold for the maximum tolerated bit error rate of the channel, 0.276, but demonstrate that the secret-key rate can be substantially higher than previously shown. Moreover, we provide a detailed analysis of the Bennett-Brassard 1984 (BB84) and the SARG protocol using weak coherent pulses (with and without decoy states) in the so-called untrusted-device scenario, where the adversary might influence the detector efficiencies. We evaluate lower bounds on the secret-key rate for realistic channel parameters and show that, for channels with low noise level, the bounds for the SARG protocol are superior to those for the BB84 protocol, whereas this advantage disappears with increasing noise level.
DOI: 10.1103/PhysRevA.75.012316 PACS number(s): 03.67.Dd
I. INTRODUCTION
A fundamental problem in cryptography is to enable two distant parties, traditionally called Alice and Bob, to communicate in absolute privacy, even in presence of an eavesdropper Eve. It is a well-known fact that a secret key, i.e., a randomly chosen bit string held by both Alice and Bob, but unknown to Eve, is sufficient to perform this task (one-time pad encryption). Thus, the problem of secret communication reduces to the problem of distributing a secret key.
Classical key distribution protocols are typically based on unproven computational assumptions, e.g., that the task of decomposing a large number into its prime factors is intractable. In contrast to that, the security of quantum-key-distribution (QKD) protocols merely relies on the laws of physics, or, more specifically, quantum mechanics. This ultimate security is certainly one of the main reasons why so much theoretical and experimental effort is undertaken towards the implementation of secure QKD protocols [1,2].
Typically [3–5], in the first step of a QKD protocol, Alice chooses a random bit string and encodes each bit into the state of a quantum system, which she then sends to Bob (using a quantum channel). Bob applies a certain measurement on the received quantum system to decode the bit value. In a second step, called sifting, Alice and Bob publicly exchange some information about the encoding and decoding of each of the bits which allows them to discard bit pairs which are not (or only weakly) correlated.
After this sifting process, Alice and Bob hold a pair of classical correlated bit strings, in the following called raw key pair. Alice and Bob can determine the quality of the raw key pair by comparing the values of some randomly chosen bit pairs (using an authenticated classical communication channel). This so-called parameter estimation gives an estimate for the quantum bit error rate (QBER), i.e., the ratio of positions for which the values of the bits held by Alice and Bob do not coincide. A fundamental principle of QKD is that this error rate also imposes a bound on the amount of information an adversary can have on the raw key: The smaller the QBER, the more secret-key bits can be extracted from the raw key. If the QBER is above a certain threshold, then no secret key can be generated at all, and Alice and Bob must abort the protocol [6].
The purpose of the remaining part of the protocol, called classical post-processing, is to transform the raw key pair into a pair of identical and secret keys. In this paper, we consider classical post-processing which consists of the following three subprotocols: (i) local randomization (also called preprocessing), where Alice randomly flips each of her bits with some given probability q, (ii) error correction, where Alice and Bob equalize their strings, and (iii) privacy amplification, where Alice and Bob apply some compression function to their bit string with the aim to reduce Eve's information on the outcome. Steps (i)–(iii) described above only require (classical) one-way communication from Alice to Bob. However, in practical implementations, the error correction is sometimes done with two-way protocols (e.g., the cascade protocol [7]).
In Refs. [8,9], an information-theoretic technique to analyze QKD protocols of the type described above has been presented. In contrast to most previously known methods (e.g., Ref. [10]), the technique does not require a transformation of the key distillation protocol into an entanglement purification scheme, which makes it very general. It has been applied to prove the security of various schemes such as the Bennett-Brassard 1984 (BB84), the six-state, the Bennett 1992 (B92), and the SARG protocol [11–14] (see Refs. [8,9] for an analysis of the first three protocols and Ref. [15] for an analysis of the latter). In particular, it has been shown that the local randomization, i.e., step (i) described above, increases the bounds on the maximum tolerated QBER by roughly 10%–15%.
In this paper, we extend the technique of Refs. [8,9] (Sec. II) and apply it to two classes of QKD protocols which have not been covered in Refs. [8,9]. The first (Sec. III) is the class of so-called two-way protocols. These use an additional subprotocol, called advantage distillation, which is invoked between the parameter estimation and the classical post-processing step described above. In contrast to the classical post-processing considered in Refs. [8,9], advantage distillation uses two-way communication between Alice and Bob. Second, we study protocols which use weak coherent pulses instead of single-photon pulses (Sec. IV). For both scenarios, we show that local randomization increases the secret-key rates.
II. INFORMATION-THEORETIC ANALYSIS OF QKD SCHEMES
In this section we first review the results presented in Refs. [8,9] and then show how they can be generalized. Throughout this paper we use subscripts to indicate the subsystems on which a state is defined. Alice's and Bob's quantum systems are labeled by A and B, respectively. Similarly, the classical values obtained by measuring their quantum systems are denoted by X and Y, respectively. Typically, we write AB, or n, to denote the state of all the qubits held by Alice and Bob, whereas AB is a two-qubit state. We will often consider two-qubit Bell-diagonal states, i.e., states that are diagonal in the Bell basis, |Φ_ij⟩ = [|0, 0+i⟩ + (−1)^j |1, 1+i⟩]/√2. P_|Φ⟩ denotes the projector onto the state |Φ⟩. Furthermore, we denote by h(x) = −x log2(x) − (1−x) log2(1−x) the binary entropy function.
A. Review of the technique
The information-theoretic technique proposed in Refs. [8,9] directly applies to a general class of quantum-key-distribution protocols using one-way classical communication. However, it is required that the protocol can be represented as a so-called entanglement-based scheme, as described below.
Generally, a QKD protocol uses a set of so-called encoding bases. We consider the special case where each basis j is defined by two states |j0⟩ and |j1⟩, which are used to encode the bit values 0 and 1, respectively. In a prepare-and-measure scheme, Alice repeatedly chooses at random a bit i and a basis j, prepares the state |ji⟩, and sends the state to Bob. Bob then measures the state in a randomly chosen basis k. This measuring process can be seen as some filtering operation B_k = |0⟩⟨1,k⊥| + |1⟩⟨0,k⊥|, where |i,k⊥⟩ is some state orthogonal to |ki⟩, followed by a measurement in the computational basis.
In an entanglement-based view, the above can equivalently be described as follows: Alice prepares the two-qubit states A_j|Φ_00⟩, where |Φ_00⟩ denotes the Bell state 1/√2 (|0,0⟩ + |1,1⟩) and A_j is an encoding operator (for details see Ref. [8]) such that ⟨i|A_j|Φ_00⟩ = |ji⟩. She then sends the second qubit to Bob and prepares Bob's system at a distance by measuring her system in the computational basis. Bob's measurement is described in the same way as in the prepare-and-measure scheme.
Note that, in an experimental realization of a QKD protocol, one might prefer to implement a prepare-and-measure scheme. However, when analyzing the security of a protocol, it is usually more convenient to consider its entanglement-based version.
As an illustration, consider the BB84 protocol, which uses the z basis and the x basis for the encoding. Using the above notation, we have |0i⟩ = |i_z⟩ and |1i⟩ = |i_x⟩, for i = 0, 1. Hence, the operators applied by Alice are A_0 = 1 and A_1 = H, where H denotes the Hadamard transformation. Because the bases are orthonormal, the same operators describe Bob's measurement as well.
For the following, we assume that Alice and Bob apply a randomly chosen permutation to rearrange the order of their qubit pairs, in the following denoted by P_S, and, additionally, apply to each of the qubit pairs at random either the identity or the operation x ⊗ x. (Note that the symmetrization operations commute with the measurement and can therefore be applied to the classical bit strings.) Then, as shown in Ref. [8], the state AB describing the N qubit pairs shared by Alice and Bob can generally (after the most general attack by Eve, a so-called coherent attack) be considered to be of a simple form, namely

AB = Σ_{n1,…,n4} n1,n2,n3,n4 P_S(P_|Φ00⟩^⊗n1 ⊗ P_|Φ01⟩^⊗n2 ⊗ P_|Φ10⟩^⊗n3 ⊗ P_|Φ11⟩^⊗n4). (1)

The sum runs over all non-negative n1, …, n4 such that n1 + n2 + n3 + n4 = N. The set of possible values of the coefficients n1,n2,n3,n4 depends on the specific protocol and the parameters estimated by Alice and Bob (e.g., the QBER of the raw key). Furthermore, one can assume without loss of generality that Eve has a purification of this state, i.e., the situation is fully described by a pure state |Ψ⟩_ABE such that AB = tr_E(P_|Ψ⟩ABE). (However, as we shall see, dropping this assumption might lead to better estimates of the key rate.) After this distribution of quantum information Alice and Bob measure their systems. Thus they are left with classical bit strings.
Consider now any situation where Alice and Bob have a classical pair of raw keys X^n and Y^n consisting of n bits whereas Eve controls a quantum system E. The secret-key rate, i.e., the rate at which secret-key bits can be generated per bit of the raw key, for any one-way protocol (with communication from Alice to Bob), is given by

r = lim_{→0} lim_{n→∞} (1/n) sup_{U^n←X^n} S_2(U^n E^n) − S_0(E^n) − H_0(U^n|Y^n). (2)

Here, S_α, H_α denote the smooth Rényi entropies (also called min-entropy if α = ∞ and max-entropy if α = 0) [16]. Moreover, the supremum runs over all classical values U^n that can be computed from (the classical value) X^n.
For a QKD protocol as described above [where the distributed state is of the form of Eq. (1)], formula (2) can be lower bounded by an expression which only involves two-qubit systems. More precisely [8],

r ≥ sup_{U←X} inf_{AB∈Γ_Q} S(U|E) − H(U|Y), (3)

where Γ_Q is the set of all two-qubit states AB (after the filtering operation) which can result from a collective attack [17] and which are compatible with the parameters estimated by Alice and Bob (in particular, the QBER). Here, S and H denote the von Neumann entropy and its classical counterpart, the Shannon entropy, respectively. Moreover, X and Y denote the classical outcomes of measurements of AB (on A and B, respectively) in the computational basis, and E is any system that purifies AB. Similarly to the above formula, the supremum runs over all mappings from X to U [18].
B. Local randomization
The local randomization step described above has been considered in Refs. [8,9] and later been improved in Ref. [19]. In Ref. [20], the local randomization is nicely explained in the context of entanglement purification.
To get an intuition why the local randomization can help to increase the secret-key rate, it is useful to describe the process as a quantum operation (as in [20]). Let AB be the state of a qubit pair held by Alice and Bob and let |Ψ⟩_ABE be a purification of AB. The state after Alice randomly flips her bit value A with probability q can be described by |Ψ⟩_AA′BE = √(1−q) |Ψ⟩_ABE |0⟩_A′ + √q xA |Ψ⟩_ABE |1⟩_A′, where A′ is an auxiliary system on Alice's side. The measurement of system A gives the raw key. Note that |Ψ⟩_AA′BE results from the application of a controlled-NOT operation on system AA′, where system A′ is prepared in the state √(1−q) |0⟩_A′ + √q |1⟩_A′. The randomization of Alice thus entangles her system to some auxiliary system (which is not under Eve's control). This, in turn, reduces the entanglement between Alice's relevant system (A) and Eve's systems (monogamy of entanglement), as Eve does not have a purification of the state on the systems A and B, since now she only has the purification of the state AA′B. Note that Bob's information on A is also reduced by the randomization process, but—for certain values of the parameter q—he is less penalized than Eve. From this point of view, it can be easily understood that the local randomization can help to increase the secret-key rate.
C. Comparison to known bounds
For protocols based on qubit pairs, where the raw key pair is obtained by orthogonal measurements of Alice and Bob on some Bell-diagonal state AB = Σ_{i,j} ij P_Φij (e.g., the BB84 or the six-state protocol), it follows from (3) that the secret-key rate r (even without the local randomization) is bounded by

r ≥ 1 − S(AB) ≥ 1 − h(e_b) − h(e_p).

Here, e_b = 10 + 11 is the QBER and e_p = 01 + 11 the phase error rate, i.e., the probability that Alice and Bob get different bits when measuring in the z and the x basis, respectively. Because the QBER and the phase error rate are not changed by applying at random x or z, which makes any state Bell diagonal, the bound 1 − h(e_b) − h(e_p) holds for arbitrary states AB. Note that the above bound implies any of the lower bounds on the one-way secret-key rate derived in previous works [10,21].
D. Generalization of the lower bound
Because we assume above that Eve controls a system that purifies the state AB held by Alice and Bob, the bound (3) is fully determined by AB. However, this assumption on Eve might overestimate her possibilities, in which case the bound is not optimal. In the following we drop this assumption to derive better lower bounds on the secret-key rate.
Suppose that the state distributed in an entanglement-based scheme is of the form P_S[(D_AB ⊗ 1)^⊗n (ABE0)], where P_S again denotes the map that randomly permutes the order of the qubit pairs, D_AB is some completely positive map on two-qubit states, and ABE0 is some tripartite state. Then, it is an immediate consequence of Lemma A.4 in Ref. [9] that the bound (3) on the secret-key rate can be generalized to

r ≥ sup_{U←X} inf_{˜ABE∈Γ̃_Q} S(U|E) − H(U|Y). (4)

Here, the infimum ranges over the set Γ̃_Q of all states ˜ABE which can result from a collective attack and are compatible with the parameters estimated by Alice and Bob (e.g., the QBER).
We refer to Appendix C for an application of this result to improve the analysis of the one-way SARG protocol for single-photon pulses.
Consider now the general situation where the state describing the Alice, Bob, and Eve system is the reduced density operator of a state |Ψ⟩_ABER = Σ_n α_n |Ψ_n⟩_ABE |n⟩_R, where {|n⟩} forms an orthonormal basis of the Hilbert space of an auxiliary system R, i.e., none of the three parties has the auxiliary system at their disposal. Starting from (4) and using the concavity of the entropy, we find that the secret-key rate is bounded by

r ≥ sup_{U←X} inf_{˜ABE∈Γ̃_Q} ( Σ_{n=0}^{∞} |α_n|^2 S(U|E,n) ) − H(U|Y), (5)

where S(U|E,n) = S(UE|n) − S(E|n) is the entropy of U conditioned on E and the event that the measurement of the auxiliary system R in the basis {|n⟩} yields n.
One might also improve the bound using the following observation which has also been used to derive the bound given in Eq. (3). Let us consider the situation where some auxiliary system is at Alice's and/or Bob's disposal, but not at Eve's (this could be for instance some additional qubits). Suppose that the state shared by ABE and some auxiliary system R (which is not under Eve's control) is given by |Ψ⟩_ABER = Σ_n α_n |Ψ_n⟩_ABE |n⟩_R, where {|n⟩} is an orthonormal basis of H_R, the Hilbert space corresponding to system R. The state |Ψ̃⟩_ABER = Σ_n α_n U_n^AB |Ψ_n⟩_ABE |n⟩_R, with U_n^AB unitary operators diagonal in the z basis, leads to the same measurement outcome for any measurement by Alice and Bob in the computational basis as |Ψ⟩_ABER, that is

|k,l⟩_AB⟨k,l| ABE |k,l⟩_AB⟨k,l| = |k,l⟩_AB⟨k,l| ˜ABE |k,l⟩_AB⟨k,l|,

where ABE = tr_R(P_|Ψ⟩ABER) and ˜ABE = tr_R(P_|Ψ̃⟩ABER).
Assuming that Eve has a purification of the state ˜AB can only provide her with more power compared to the situation where she has a purification of the state ABR, since this is equivalent to giving her the system R, which she could simply measure, leading to the same result as before (for details see also Ref. [8]). Thus, we can consider the situation where Alice and Bob share the state ˜AB and Eve has a purification of it. This can only increase Eve's power. We will use this observation in Appendix B, in order to determine a good lower bound on the secret-key rate for a QKD protocol using the so-called XOR process.
III. QKD PROTOCOLS WITH TWO-WAY POST-PROCESSING
In the following, we will consider QKD protocols where, before the post-processing of the raw key as described above, Alice and Bob additionally invoke a so-called advantage-distillation subprotocol, which requires two-way communication between Alice and Bob. The notion of advantage distillation has been investigated in the context of classical key agreement [22] and later been generalized to QKD [23,24].
The advantage-distillation protocol we consider here has the following form: Alice publicly announces to Bob the position of a block of m bits which have all the same value (of course, she does not tell him which value). Then Bob tells Alice whether for the given position, his corresponding bits are all identical as well. If this is the case, they both continue using the first bit of the block as a new raw-key bit, otherwise they discard the whole block. We emphasize here that our analysis below works for any fixed value of the block size m (not only asymptotically for large m). This is important for realistic protocols, where m is usually small (e.g., m = 3).
To simplify the study of such protocols, we first show that it suffices to analyze the action of the advantage distillation process on two-qubit Bell-diagonal states. More precisely, Lemma 1 below implies that the state ¯n¯ obtained by applying a blockwise operation E (for blocks of size m) to a symmetric state n [see Eq. (1)] has virtually the same statistics as if E was applied to a state ⊗m.
Lemma 1. Let n be a state on n particle pairs of the form

n = P_S(P_|Φ00⟩^⊗n1 ⊗ P_|Φ01⟩^⊗n2 ⊗ P_|Φ10⟩^⊗n3 ⊗ P_|Φ11⟩^⊗n4)

and let be a two-qubit Bell-diagonal state with eigenvalues n1/n, …, n4/n. Moreover, let E be an operation which maps Bell states of blocks of m particle pairs to Bell states of one single particle pair. Finally, let

¯n¯ = Σ_{n̄1,…,n̄4} ¯n̄1,n̄2,n̄3,n̄4 P_S(P_|Φ00⟩^⊗n̄1 ⊗ P_|Φ01⟩^⊗n̄2 ⊗ P_|Φ10⟩^⊗n̄3 ⊗ P_|Φ11⟩^⊗n̄4)

be the state describing n̄ = n/m particle pairs defined by ¯n¯ := E^⊗n̄(n) and let ¯1, …, ¯4 be the eigenvalues of ¯ := E(⊗m). Then, for any ≥ 0,

Σ_{(n̄1,…,n̄4)∈B(¯1,…,¯4)} ¯n̄1,n̄2,n̄3,n̄4 ≥ 1 − 2^(−Θ(n̄2) + O(log2 n)),

where B(¯1, …, ¯4) denotes the set of all tuples (n̄1, …, n̄4) such that (n̄1/n̄, …, n̄4/n̄) is -close to (¯1, …, ¯4) and Θ(n̄2) is asymptotically the same as n̄2, up to a constant factor.
The lemma is a direct consequence of the exponential quantum de Finetti theorem [16]. It states that, for any n-partite quantum state n which is invariant under permutations of the subsystems, any part m = tr_{n−m}(n) consisting of m subsystems is exponentially (in n−m) close to a convex combination of states that virtually are of the form ⊗m. For completeness, we give a direct proof of Lemma 1 (without referring to de Finetti's theorem) in Appendix A.
In order to analyze protocols with advantage distillation using Lemma 1, we use the following quantum mechanical description of the advantage-distillation subprotocol: Alice and Bob both apply the operation X_ad^m = |0⟩⟨0,…,0| + |1⟩⟨1,…,1| on m qubits. It is straightforward to check that

$$(X_{\mathrm{ad}}^{2})^{\otimes 2}\big(|\Phi_{i,j}\rangle|\Phi_{k,l}\rangle\big) = \frac{1}{\sqrt{2}}\,\delta_{i,k}\,|\Phi_{i,j+l}\rangle, \qquad (6)$$

where the sum j+l of indices is understood to be modulo 2. Hence, applying advantage distillation to m identical Bell-diagonal qubit pairs with eigenvalues [25] leads to a Bell-diagonal state with eigenvalues ′ given by

i,j′ = (1/T) [(i,0 + i,1)^m + (−1)^j (i,0 − i,1)^m], (7)

where T = 2[(1−Q)^m + Q^m] and where Q = 10 + 11 is the QBER before the advantage distillation. The QBER Q′ after the advantage distillation is thus given by Q′ = 10′ + 11′ = Q^m / [(1−Q)^m + Q^m], and (1−Q)^m + Q^m is the probability that the advantage distillation is successful (i.e., Alice and Bob end up with a new raw-key bit). If Alice and Bob apply, after the advantage distillation, the one-way classical post-processing described above, the lower bound on the secret-key rate is given by Eq. (3), where the eigenvalues of AB are given by the ′'s in (7) [26]. For instance, for the six-state protocol one obtains a positive key rate for any QBER < 0.276 (for m → ∞). Note that for the six-state protocol it has been shown that the tolerable QBER cannot be larger than 0.276, if the first step in the post-processing is advantage distillation [27].
As mentioned before, the bound on the secret-key rate is valid not only for m → ∞, but for any value of the block size on which advantage distillation is applied.
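The block-wise advantage distillation above can be checked numerically for small m. The following Python sketch is an added example, not code from the paper: it applies Eq. (7) to Bell-diagonal eigenvalues, evaluates the Sec. II C bound 1 − S on the distilled state (per surviving bit, without local randomization), and simulates the classical protocol on constructed i.i.d. data. The function names and the symmetric six-state eigenvalues (1 − 3Q/2, Q/2, Q/2, Q/2) are assumptions of the example.

```python
import math
import random


def bell_entropy(lam):
    """Entropy in bits of the four Bell-diagonal eigenvalues lam[i][j]."""
    return -sum(p * math.log2(p) for row in lam for p in row if p > 0)


def six_state_eigenvalues(q):
    # Assumption (not stated on the page): for the six-state protocol the three
    # error types are equally likely. lam[i][j] is indexed by bit error i and
    # phase error j, so that lam[1][0] + lam[1][1] equals the QBER q.
    return [[1 - 1.5 * q, q / 2], [q / 2, q / 2]]


def bit_error_rate(lam):
    return lam[1][0] + lam[1][1]


def advantage_distillation(lam, m):
    """Apply Eq. (7) to m identical Bell-diagonal pairs.

    Returns (new eigenvalues, success probability (1-Q)^m + Q^m).
    """
    q = bit_error_rate(lam)              # QBER before distillation
    p_success = (1 - q) ** m + q ** m
    t = 2 * p_success                    # normalisation T of Eq. (7)
    new = [[0.0, 0.0], [0.0, 0.0]]
    for i in (0, 1):
        total = lam[i][0] + lam[i][1]
        diff = lam[i][0] - lam[i][1]
        for j in (0, 1):
            new[i][j] = (total ** m + (-1) ** j * diff ** m) / t
    return new, p_success


def one_way_bound(lam):
    """Sec. II C bound r >= 1 - S for a Bell-diagonal state, q = 0 randomization."""
    return 1 - bell_entropy(lam)


def simulate_blocks(q, m, blocks, seed=7):
    """Classical protocol on constructed data: i.i.d. bit errors with rate q.

    Returns (fraction of accepted blocks, error rate of the kept bits).
    """
    rng = random.Random(seed)
    kept = wrong = 0
    for _ in range(blocks):
        a = rng.getrandbits(1)                        # Alice's block: m copies of a
        bob = [a ^ (rng.random() < q) for _ in range(m)]
        if len(set(bob)) == 1:                        # Bob: "my bits are all identical"
            kept += 1
            wrong += bob[0] != a                      # first bit is the new raw-key bit
    return kept / blocks, wrong / kept


if __name__ == "__main__":
    lam = six_state_eigenvalues(0.20)
    for m in range(1, 6):
        new, p = advantage_distillation(lam, m)
        print(f"m={m}  success={p:.4f}  Q'={bit_error_rate(new):.5f}  "
              f"1-S={one_way_bound(new):+.4f}")
    print("simulated (accept rate, Q') for m=3:", simulate_blocks(0.20, 3, 200_000))
```

At a QBER of 0.20 the one-way bound is negative for m = 1 and m = 2 and becomes positive from m = 3, at the cost of keeping one bit from only about half of the blocks.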
In Ref. [24], Chau considered the secret-key rate obtained when applying the above-described advantage distillation followed by the XOR transformation, where Alice and Bob locally compute new raw-key bits by taking the XOR of a block of given bits. (For the sake of completeness we demonstrate in Appendix B how the XOR protocol can be included in our analysis.) Both procedures were analyzed in the asymptotic limit for infinitely large block sizes. The result found there is that the six-state protocol tolerates a QBER of up to 0.276. Surprisingly, the same threshold for the QBER can be obtained, as shown above, by a simpler protocol where the XOR transformation is replaced by a local randomization on single bits on Alice's side. Moreover, the rate of this modified protocol is much larger than that of Chau's protocol, as local randomization consumes fewer bits than the XOR transformation. Note that, as shown recently by Bae and Acin [28], if one omits the local randomization completely, the protocol still tolerates a QBER of up to 0.276, but the secret-key rate for large values of the QBER might be smaller.
IV. PROTOCOLS USING WEAK COHERENT PULSES
A. Preliminaries
We now consider protocols where Alice does not send single photons to Bob, but uses weak coherent pulses instead. This scenario is practically motivated by the fact that, with current technologies, it is difficult to create single-photon pulses. In fact, many of today's implementations of QKD rely on weak coherent pulses.
We start with a description of a prepare-and-measure scheme and then translate it to an equivalent entanglement-based scheme, for which we will prove security.
In the prepare-and-measure scheme, Alice encodes the bit values into phase randomized coherent states [29]. More precisely, she randomly chooses a basis j and encodes the bit value k into the state jk = Σ_{n≥0} p_n |jk⟩⟨jk|^⊗n, where |jk⟩⟨jk|^⊗0 denotes the vacuum for any value of j and k and p_n = e−n/n!, with the mean photon number (for a Poissonian source [30]).
The description of Bob's measurement depends on the experimental setup. We focus on the situation where Bob's detectors do not distinguish between the cases where they receive one or more than one photon, since with current technology, it is difficult to count the number of photons. The POVM describing the photon detector is thus given by the operators {D_0†D_0, D_1†D_1}, with D_0 = Σ_{n≥0} √(p_nd(n)) P_|n⟩ and D_1 = Σ_{n≥0} √(1 − p_nd(n)) P_|n⟩, where p_nd(n) is the probability of not detecting any photon in case n photons arrived at the detector. This probability is given by p_nd(n) = (1 − p_d)(1 − )^n, where p_d is the probability of a dark count, and is the detection efficiency, i.e., overall transmission factor. The POVM element D_0 corresponds to the case where no photon is detected, whereas D_1 corresponds to the detection of one or more photons. In the prepare-and-measure scheme Bob would randomly choose a basis j and measure the arriving photons in that basis.
In the following, we consider the so-called untrusted-device scenario, where it is assumed that Eve exchanges Bob's detectors with perfect ones (having perfect efficiency and no dark counts) and introduces all errors herself [31]. Clearly, security under this assumption implies security in a situation where Eve might not be able to corrupt Bob's detectors. Additionally, we assume that Bob's detector is constructed in such a way that, whenever a pulse consisting of more than one photon arrives, then the detector output corresponds to the measurement of one of the photons in the pulse chosen at random [32].
In the described scenario, we can without loss of generality assume that Eve only sends single photons to Bob. This follows directly from the fact that the situation obtained by sending a multiphoton pulse is the same as if Eve randomly selected one photon from the pulse and sent this single photon to Bob. Bob's measurement can therefore simply be described by the operators B_j = |0⟩⟨1,j⊥| + |1⟩⟨0,j⊥| as defined previously.
Alice and Bob can estimate the following parameters related to their raw key: (i) the total sifting rate R := Σ_n R_n, for R_n := p_n Y_n, where Y_n is the probability for Bob to find a conclusive result in case Alice sent n photons; (ii) the average QBER Q = Σ_n (R_n/R) Q_n, where Q_n denotes the QBER for the pairs where Alice sent an n-photon pulse. These two parameters will determine the amount of key that can be extracted from the particular raw key.
We use similar techniques as in Refs. [8,9] to describe the same protocol in the entanglement-based scheme. The states prepared by Alice are

$$|\Psi_j\rangle_{ABR_1} = \sum_{n\ge 0} \sqrt{p_n}\,|\Psi_j^n\rangle_{AB}\,|n\rangle_{R_1}, \qquad (8)$$

where |Ψ_j^n⟩_AB = 1/√2 (|0⟩_A |j0⟩_B^⊗n + |1⟩_A |j1⟩_B^⊗n). Here, we have introduced an auxiliary system R_1 containing the photon number (which is neither controlled by Alice nor Bob). If Alice measures her qubit in the computational basis and receives outcome k, the state Bob is left with in the noiseless case (without interaction of Eve) is B = 2 tr_R1(P_⟨k|Ψj⟩ABR1) = Σ_{n≥0} p_n P_|jk⟩^⊗n, which corresponds to the coherent state (with randomized phase) sent by Alice in the prepare-and-measure scheme [33]. The operation on Bob's side is given by the operators B_j, as described above.
The state describing the situation after Bob's operation is given by

| ⟩_ABER1R2 = Σ_j B_j U_EB(|Ψ_j⟩_ABR1) |j⟩_R2,

where j corresponds to the basis chosen by Alice and U_EB is a unitary describing the attack of Eve. Note that this state is not necessarily normalized, but its weight tr(| ⟩⟨ |) corresponds to the sifting rate.
Restricted to Alice's and Bob's systems, | ⟩_ABER1R2 is a two-qubit state. We can thus apply the techniques presented in Sec. II to analyze the security of the protocol. More precisely, we need to evaluate the rhs of (5) to get a lower bound on the secret-key rate. First we do not take the local randomization into account; i.e., we choose U = X. The case including local randomization will be treated in the next section.
We thus obtain for the key rate

r ≥ inf_{∈Γ_R,Q} Σ_{n=0}^{∞} R_n S(X|E,n) − R S(X|Y). (9)

The set Γ_R,Q contains all states which can result from a collective attack by Eve and are compatible with the average sifting rate R and the QBER Q, as estimated by Alice and Bob.
Because the (conditional) entropy of a classical variable cannot be negative, the right-hand side (rhs) of (9) can be lower bounded by restricting to any of the terms in the sum over n. Note that, in (9), the average over n is only taken over the term for the entropy conditioned on Eve's system, but not on the term for the entropy conditioned on Bob's system. This is because Eve might be able to measure the photon number, whereas this is not the case for Bob.
B. Protocols with local randomization
So far we did not consider the possibility for Alice to apply some local randomization on her classical bits. The randomization can easily be included in the analysis: if the randomization is acting on single bits, U←X (bit flip with probability q), (9) simply writes

r ≥ inf_{∈Γ_R,Q} Σ_{n=0}^{∞} R_n S(U|E,n) − R S(U|Y). (10)

Bob's uncertainty is now given by S(U|Y) = h(Q_q), where Q_q = (1−q)Q + q(1−Q). Since R = Σ_n R_n, (10) can also be written as

r ≥ inf_{∈Γ_R,Q} Σ_{n=0}^{∞} R_n [S(U|E,n) − h(q)] − R [h(Q_q) − h(q)]. (11)

Note that, for any n ≥ 0, the term S(U|E,n) on the rhs of this inequality can be bounded by S(U|E,n) ≥ S(U|X) = h(q) (since U is only computed from X), and therefore the rhs of (11) can again be lower bounded by restricting the sum to any of its terms.
As we will see, the local randomization allows us to get better lower bounds for the secret-key rate as well as better lower bounds for the maximum distance for which the rate is positive.
C. Examples: the BB84 and the SARG protocols Using the results above, in particular 共9兲, we now com- pute the lower bound on the secret-key rate of the BB84 as well as the SARG protocols. In Section IV E we compare the results we derive here with previous results, in particular with the ones presented in Refs.关34,35兴.
In contrast to the single-photon case, where the lower bound on the secret-key rate was a function of the QBER, we are aiming here for a lower bound that depends on the only two measurable quantitiesR共the total sifting rate兲 andQ 共the total QBER兲. For simplicity, we will in the following not explicitly include the local randomization, except in the final results 共see Figs. 1 and 2兲. We remind the reader that, in order to include the local randomization,共9兲simply must be replaced by共11兲.
Our computation of the bound given by (9) is subdivided into two steps: First, for any $n \ge 0$ and for any $Q_n$, we compute $S_n(Q_n) := \inf_{n \in \Gamma_{Q_n}} S(X|E,n)$, where $\Gamma_{Q_n}$ is the set of all states n which can result from a collective attack on an $n$-photon pulse causing a QBER of $Q_n$. In a second step, we compute the infimum

$$ \inf_{\{R_n,Q_n\} \in \tilde{\Gamma}_{R,Q}} \sum_{n=0}^{\infty} R_n S_n(Q_n), \qquad (12) $$

where $\tilde{\Gamma}_{R,Q}$ denotes the set of all parameters $\{R_n,Q_n\}$ which are compatible with $R$ and $Q$. All the technical details can be found in Appendix D.
1. BB84
For the BB84 protocol, it is easy to verify that for any pulse consisting of $n \ge 2$ photons, Eve has full information on Alice’s measurement outcome $X$, i.e., $\inf_{n \in \Gamma_{Q_n}} S(X|E,n) = 0 \;\forall\, n \ge 2$. The lower bound is thus given by [36] (see also Ref. [46])

$$ r \ge \inf_{\{R_1,Q_1\} \in \tilde{\Gamma}_{R,Q}} R_1 S_1^{\mathrm{BB84}}(Q_1) - R\,h(Q), \qquad (13) $$

where $S_1^{\mathrm{BB84}}(Q_1) := 1 - h(Q_1)$ (see Appendix D or Refs. [8,9]).

[Figure 1: (a) secret key rate (bits/pulse) versus distance (km); (b) optimal µ versus distance (km); curves for SARG and BB84.]
FIG. 1. (Color online) Lower bound on the secret-key rate per pulse and optimal µ for Poissonian sources as a function of the distance, for the BB84 and SARG protocols, when Alice and Bob share a quantum channel with perfect visibility $V = 1$. The other experimental parameters are $\alpha = 0.25$ dB/km, det = 0.1, and $p_d = 10^{-5}$. The thick lines are the results we obtain when Alice performs an optimal bitwise local randomization; the thin lines are the same, without randomization ($q = 0$).
As shown in Appendix D, the conditions in the untrusted-device scenario for $R_1$ and $Q_1$ to be compatible with $R$ and $Q$ are the following:

$$ R_1 \le \tfrac{1}{2} p_1, \qquad R_1 \ge R - \tfrac{1}{2} \sum_{n \ge 2} p_n, \qquad R_1 Q_1 \le RQ. \qquad (14) $$

Let $R_1^{\min} = R - \tfrac{1}{2} \sum_{n \ge 2} p_n$. If $R_1^{\min} \le 0$, then $R_1$ can be set equal to zero, and the lower bound on $r$ is negative; i.e., Alice and Bob must abort the protocol. If $R_1^{\min} > 0$, let $Q_1^{\max} = \min(RQ/R_1^{\min}, \tfrac{1}{2})$. Because $S_1^{\mathrm{BB84}}(Q_1)$ is decreasing for $Q_1 \le 1/2$, we then get

$$ r \ge R_1^{\min} \left[ 1 - h(Q_1^{\max}) \right] - R\,h(Q). \qquad (15) $$

Note that this bound has been derived in Ref. [37] using a different technique. This bound can be interpreted as follows: For an optimal attack, Eve should make $R_1$ as small as possible (i.e., block as many single-photon pulses as possible) and, at the same time, make $Q_1$ as large as possible (i.e., introduce as many errors as possible on the single-photon pulses that she forwards, which reduces her uncertainty on Alice’s system as much as possible).
To get an idea of how good this bound is, we evaluate the rate for the situation where no Eve is present and the errors are instead introduced by a realistic channel. The channel we consider is a lossy depolarizing channel with visibility $V$ (or fidelity $F = \frac{1+V}{2}$ and disturbance $D = \frac{1-V}{2}$), and a transmission factor $t = 10^{-\alpha\ell/10}$ at distance $\ell$ ($\alpha$ is the attenuation coefficient). Furthermore, we consider the situation where Bob’s detectors have an efficiency det and a probability of dark counts $p_d$. An explicit calculation (see Appendix D) shows that under these assumptions, the rates that Alice and Bob would get are
R=12(1 −¯pd2e−),
RQ= 14(1 +¯pde−F−¯pde−D−¯pd2e−),
where =tdet, $\bar{p}_d = 1 - p_d$. When we insert these values in (15) for experimentally reasonable values of $\alpha$, $p_d$, and det, and optimize for different distances over the mean photon number (which Alice is free to choose), we get the results illustrated in Fig. 1 (for $V = 1$) and Fig. 2 (for $V = 0.95$).
We find that the optimal µ is proportional to the transmission factor $t$, and our bound on the secret-key rate is proportional to $t^2$ (at least for short distances, i.e., in the regime where dark counts are not dominant); this was already observed in Refs. [38,37].
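The evaluation described above, as an added example (not code from the paper): bound (15) without local randomization (q = 0) for a Poissonian source on the honest lossy depolarizing channel, optimized over the mean photon number by grid search. Assumptions: p_n = e^{-µ}µ^n/n!, and the exponents that are missing from the rate formulas in this copy are taken to be µη, µηF and µηD with η = t·η_det and prefactors 1/2 and 1/4; all function names are hypothetical.

```python
import math

def h(x):
    """Binary entropy in bits (0 outside the open interval (0, 1))."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def bb84_rate(R, Q, p_multi):
    """Bound (15). R: total sifting rate, Q: total QBER,
    p_multi: sum of p_n over n >= 2. None means R1min <= 0 (abort)."""
    r1_min = R - 0.5 * p_multi
    if r1_min <= 0:
        return None
    q1_max = min(R * Q / r1_min, 0.5)
    return r1_min * (1 - h(q1_max)) - R * h(Q)

def honest_channel(mu, dist_km, V=1.0, alpha=0.25, eta_det=0.1, p_d=1e-5):
    """(R, Q) with no Eve on a lossy depolarizing channel.
    ASSUMPTION: exponents are mu*eta, mu*eta*F, mu*eta*D, eta = t*eta_det;
    these symbols are missing from the formulas as they appear on this page."""
    eta = 10 ** (-alpha * dist_km / 10) * eta_det
    F, D, pbar = (1 + V) / 2, (1 - V) / 2, 1 - p_d
    x = mu * eta
    R = 0.5 * (1 - pbar**2 * math.exp(-x))
    RQ = 0.25 * (1 + pbar * math.exp(-x * F) - pbar * math.exp(-x * D)
                 - pbar**2 * math.exp(-x))
    return R, RQ / R

def rate_at(mu, dist_km, **channel):
    """Bound (15) for a Poissonian source (assumed p_n = e^-mu mu^n / n!)."""
    R, Q = honest_channel(mu, dist_km, **channel)
    p_multi = 1 - math.exp(-mu) * (1 + mu)   # P(n >= 2)
    return bb84_rate(R, Q, p_multi)

def optimize_mu(dist_km, steps=400, **channel):
    """Log-spaced grid search over mu in [1e-4, 1].
    Returns (mu, rate) for the best positive rate, or None if there is none."""
    best = None
    for i in range(steps + 1):
        mu = 10 ** (-4 + 4 * i / steps)
        r = rate_at(mu, dist_km, **channel)
        if r is not None and r > 0 and (best is None or r > best[1]):
            best = (mu, r)
    return best

if __name__ == "__main__":
    for d in (0, 10, 20, 30, 40, 50):
        print(d, optimize_mu(d), optimize_mu(d, V=0.95))
```

Under these assumptions the optimal mean photon number tracks η closely at short distance, and choosing µ far too large drives R1min below zero, which is the abort case of (15).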
2. SARG
A major difference between the SARG protocol and the BB84 protocol is that Eve cannot get full information on Alice’s value even if the pulse contains two photons. In order to take this into account, we include the contribution of the two-photon components in our formula for the secret-key rate; i.e., we compute [39]:

$$ r \ge \inf_{\{R_1,Q_1,R_2,Q_2\}} R_1 S_1^{\mathrm{SARG}}(Q_1) + R_2 S_2^{\mathrm{SARG}}(Q_2) - R\,h(Q). \qquad (16) $$

In Appendix D we describe how to compute $S_1^{\mathrm{SARG}}(Q_1)$ and $S_2^{\mathrm{SARG}}(Q_2)$ (see also Appendix C and Ref. [35]), and we derive the following conditions for $R_1$, $Q_1$, $R_2$, and $Q_2$ to be compatible with $R$ and $Q$:

$$ R_1(1-Q_1) \le \tfrac{1}{4} p_1, \qquad R_2(1-Q_2) \le \tfrac{1}{4} p_2, $$
$$ R_1(1-Q_1) + R_2(1-Q_2) \ge R(1-Q) - \tfrac{1}{4} \sum_{n \ge 3} p_n, $$
$$ R_1 Q_1 + R_2 Q_2 \le RQ. \qquad (17) $$

If $R(1-Q) - \tfrac{1}{4} \sum_{n \ge 3} p_n > 0$, one can see in (16) that Eve’s optimal choice is to set $R_1$ and $R_2$ as small as possible, and $Q_1$ and $Q_2$ as large as possible [$S_1^{\mathrm{SARG}}(Q_1)$ and $S_2^{\mathrm{SARG}}(Q_2)$ are decreasing]: she should therefore set the equality in the third constraint.
However, contrary to BB84, we have not been able to give a simpler analytical expression for the infimum in (16); we therefore resort to numerical computations.
Again, in order to estimate the previous bound in a practical implementation of the protocol, we compute the typical values of the parameters $R$ and $Q$ when Alice and Bob use a Poisson source and a lossy depolarizing channel (see Appendix D):
[Figure 2: secret key rate (bits/pulse) versus distance (km); curves for BB84 and SARG.]
FIG. 2. (Color online) Same plot as in Fig. 1 (top), but for a quantum channel with nonperfect visibility, $V = 0.95$.