
Security of quantum-key-distribution protocols using two-way classical communication or weak coherent pulses


KRAUS, Barbara, BRANCIARD, Cyril, RENNER, Renato

Abstract

We apply the techniques introduced by Kraus et al. [Phys. Rev. Lett. 95, 080501 (2005)] to prove security of quantum-key-distribution (QKD) schemes using two-way classical post-processing as well as QKD schemes based on weak coherent pulses instead of single-photon pulses. As a result, we obtain improved bounds on the secret-key rate of these schemes. For instance, for the six-state protocol using two-way classical post-processing we recover the known threshold for the maximum tolerated bit error rate of the channel, 0.276, but demonstrate that the secret-key rate can be substantially higher than previously shown.

Moreover, we provide a detailed analysis of the Bennett-Brassard 1984 (BB84) and the SARG protocol using weak coherent pulses (with and without decoy states) in the so-called untrusted-device scenario, where the adversary might influence the detector efficiencies. We evaluate lower bounds on the secret-key rate for realistic channel parameters and show that, for channels with low noise level, the bounds for the SARG protocol are superior to those for the BB84 protocol, whereas this advantage disappears with [...]

KRAUS, Barbara, BRANCIARD, Cyril, RENNER, Renato. Security of quantum-key-distribution protocols using two-way classical communication or weak coherent pulses. Physical Review A, 2007, vol. 75, no. 1

DOI : 10.1103/PhysRevA.75.012316

Available at:

http://archive-ouverte.unige.ch/unige:47357

Disclaimer: layout of this document may differ from the published version.


Barbara Kraus,1 Cyril Branciard,2 and Renato Renner3

1Institute for Theoretical Physics, University of Innsbruck, Austria

2Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland

3Department of Applied Mathematics and Theoretical Physics, University of Cambridge, Cambridge CB3 OWA, United Kingdom

(Received 20 October 2006; published 16 January 2007)

We apply the techniques introduced by Kraus et al. [Phys. Rev. Lett. 95, 080501 (2005)] to prove security of quantum-key-distribution (QKD) schemes using two-way classical post-processing as well as QKD schemes based on weak coherent pulses instead of single-photon pulses. As a result, we obtain improved bounds on the secret-key rate of these schemes. For instance, for the six-state protocol using two-way classical post-processing we recover the known threshold for the maximum tolerated bit error rate of the channel, 0.276, but demonstrate that the secret-key rate can be substantially higher than previously shown. Moreover, we provide a detailed analysis of the Bennett-Brassard 1984 (BB84) and the SARG protocol using weak coherent pulses (with and without decoy states) in the so-called untrusted-device scenario, where the adversary might influence the detector efficiencies. We evaluate lower bounds on the secret-key rate for realistic channel parameters and show that, for channels with low noise level, the bounds for the SARG protocol are superior to those for the BB84 protocol, whereas this advantage disappears with increasing noise level.

DOI: 10.1103/PhysRevA.75.012316 PACS number(s): 03.67.Dd

I. INTRODUCTION

A fundamental problem in cryptography is to enable two distant parties, traditionally called Alice and Bob, to communicate in absolute privacy, even in presence of an eavesdropper Eve. It is a well-known fact that a secret key, i.e., a randomly chosen bit string held by both Alice and Bob, but unknown to Eve, is sufficient to perform this task (one-time pad encryption). Thus, the problem of secret communication reduces to the problem of distributing a secret key.

Classical key distribution protocols are typically based on unproven computational assumptions, e.g., that the task of decomposing a large number into its prime factors is intractable. In contrast to that, the security of quantum-key-distribution (QKD) protocols merely relies on the laws of physics, or, more specifically, quantum mechanics. This ultimate security is certainly one of the main reasons why so much theoretical and experimental effort is undertaken towards the implementation of secure QKD protocols [1,2].

Typically [3–5], in the first step of a QKD protocol, Alice chooses a random bit string and encodes each bit into the state of a quantum system, which she then sends to Bob (using a quantum channel). Bob applies a certain measurement on the received quantum system to decode the bit value. In a second step, called sifting, Alice and Bob publicly exchange some information about the encoding and decoding of each of the bits which allows them to discard bit pairs which are not (or only weakly) correlated.

After this sifting process, Alice and Bob hold a pair of classical correlated bit strings, in the following called raw key pair. Alice and Bob can determine the quality of the raw key pair by comparing the values of some randomly chosen bit pairs (using an authenticated classical communication channel). This so-called parameter estimation gives an estimate for the quantum bit error rate (QBER), i.e., the ratio of positions for which the values of the bits held by Alice and Bob do not coincide. A fundamental principle of QKD is that this error rate also imposes a bound on the amount of information an adversary can have on the raw key: The smaller the QBER, the more secret-key bits can be extracted from the raw key. If the QBER is above a certain threshold, then no secret key can be generated at all, and Alice and Bob must abort the protocol [6].

The purpose of the remaining part of the protocol, called classical post-processing, is to transform the raw key pair into a pair of identical and secret keys. In this paper, we consider classical post-processing which consists of the following three subprotocols: (i) local randomization (also called preprocessing), where Alice randomly flips each of her bits with some given probability $q$, (ii) error correction, where Alice and Bob equalize their strings, and (iii) privacy amplification, where Alice and Bob apply some compression function to their bit string with the aim to reduce Eve’s information on the outcome. Steps (i)–(iii) described above only require (classical) one-way communication from Alice to Bob. However, in practical implementations, the error correction is sometimes done with two-way protocols (e.g., the cascade protocol [7]).

In Refs. [8,9], an information-theoretic technique to analyze QKD protocols of the type described above has been presented. In contrast to most previously known methods (e.g., Ref. [10]), the technique does not require a transformation of the key distillation protocol into an entanglement purification scheme, which makes it very general. It has been applied to prove the security of various schemes such as the Bennett-Brassard 1984 (BB84), the six-state, the Bennett 1992 (B92), and the SARG protocol [11–14] (see Refs. [8,9] for an analysis of the first three protocols and Ref. [15] for an analysis of the latter). In particular, it has been shown that the local randomization, i.e., step (i) described above, increases the bounds on the maximum tolerated QBER by roughly 10%–15%.

In this paper, we extend the technique of Refs. [8,9] (Sec. II) and apply it to two classes of QKD protocols which have not been covered in Refs. [8,9]. The first (Sec. III) is the class of so-called two-way protocols. These use an additional subprotocol, called advantage distillation, which is invoked between the parameter estimation and the classical post-processing step described above. In contrast to the classical post-processing considered in Refs. [8,9], advantage distillation uses two-way communication between Alice and Bob. Second, we study protocols which use weak coherent pulses instead of single-photon pulses (Sec. IV). For both scenarios, we show that local randomization increases the secret-key rates.

II. INFORMATION-THEORETIC ANALYSIS OF QKD SCHEMES

In this section we first review the results presented in Refs. [8,9] and then show how they can be generalized. Throughout this paper we use subscripts to indicate the subsystems on which a state is defined. Alice’s and Bob’s quantum systems are labeled by $A$ and $B$, respectively. Similarly, the classical values obtained by measuring their quantum systems are denoted by $X$ and $Y$, respectively. Typically, we write $\rho_{AB}$, or $\rho^n$, to denote the state of all the qubits held by Alice and Bob, whereas $\sigma_{AB}$ is a two-qubit state. We will often consider two-qubit Bell-diagonal states, i.e., states that are diagonal in the Bell basis, $|\Phi_{ij}\rangle = [|0, 0+i\rangle + (-1)^j |1, 1+i\rangle]/\sqrt{2}$. $P_{|\Phi\rangle}$ denotes the projector onto the state $|\Phi\rangle$. Furthermore, we denote by $h(x) = -x\log_2(x) - (1-x)\log_2(1-x)$ the binary entropy function.

A. Review of the technique

The information-theoretic technique proposed in Refs. [8,9] directly applies to a general class of quantum-key-distribution protocols using one-way classical communication. However, it is required that the protocol can be represented as a so-called entanglement-based scheme, as described below.

Generally, a QKD protocol uses a set of so-called encoding bases. We consider the special case where each basis $j$ is defined by two states $|\phi_j^0\rangle$ and $|\phi_j^1\rangle$, which are used to encode the bit values 0 and 1, respectively. In a prepare-and-measure scheme, Alice repeatedly chooses at random a bit $i$ and a basis $j$, prepares the state $|\phi_j^i\rangle$, and sends the state to Bob. Bob then measures the state in a randomly chosen basis $k$. This measuring process can be seen as some filtering operation $B_k = |0\rangle\langle\phi_{1,k}| + |1\rangle\langle\phi_{0,k}|$, where $|\phi_{i,k}\rangle$ is some state orthogonal to $|\phi_k^i\rangle$, followed by a measurement in the computational basis.

In an entanglement-based view, the above can equivalently be described as follows: Alice prepares the two-qubit states $A_j|\Phi_{00}\rangle$, where $|\Phi_{00}\rangle$ denotes the Bell state $\frac{1}{\sqrt{2}}(|0,0\rangle + |1,1\rangle)$ and $A_j$ is an encoding operator (for details see Ref. [8]) such that $\langle i|A_j|\Phi_{00}\rangle = |\phi_j^i\rangle$. She then sends the second qubit to Bob and prepares Bob’s system at a distance by measuring her system in the computational basis. Bob’s measurement is described in the same way as in the prepare-and-measure scheme.

Note that, in an experimental realization of a QKD protocol, one might prefer to implement a prepare-and-measure scheme. However, when analyzing the security of a protocol, it is usually more convenient to consider its entanglement-based version.

As an illustration, consider the BB84 protocol, which uses the $z$ basis and the $x$ basis for the encoding. Using the above notation, we have $|\phi_0^i\rangle = |i_z\rangle$ and $|\phi_1^i\rangle = |i_x\rangle$, for $i = 0, 1$. Hence, the operators applied by Alice are $A_0 = \mathbb{1}$ and $A_1 = H$, where $H$ denotes the Hadamard transformation. Because the bases are orthonormal, the same operators describe Bob’s measurement as well.

For the following, we assume that Alice and Bob apply a randomly chosen permutation to rearrange the order of their qubit pairs, in the following denoted by $P_S$, and, additionally, apply to each of the qubit pairs at random either the identity or the operation $\sigma_x \otimes \sigma_x$. (Note that the symmetrization operations commute with the measurement and can therefore be applied to the classical bit strings.) Then, as shown in Ref. [8], the state $\rho_{AB}$ describing the $N$ qubit pairs shared by Alice and Bob can generally (after the most general attack by Eve, a so-called coherent attack) be considered to be of a simple form, namely

$$\rho_{AB} = \sum_{n_1,\ldots,n_4} {}_{n_1,n_2,n_3,n_4}\, P_S\left(P_{|\Phi_{00}\rangle}^{\otimes n_1} \otimes P_{|\Phi_{01}\rangle}^{\otimes n_2} \otimes P_{|\Phi_{10}\rangle}^{\otimes n_3} \otimes P_{|\Phi_{11}\rangle}^{\otimes n_4}\right). \tag{1}$$

The sum runs over all non-negative $n_1, \ldots, n_4$ such that $n_1 + n_2 + n_3 + n_4 = N$. The set of possible values of the coefficients ${}_{n_1,n_2,n_3,n_4}$ depends on the specific protocol and the parameters estimated by Alice and Bob (e.g., the QBER of the raw key). Furthermore, one can assume without loss of generality that Eve has a purification of this state, i.e., the situation is fully described by a pure state $|\Psi\rangle_{ABE}$ such that $\rho_{AB} = \mathrm{tr}_E(P_{|\Psi\rangle_{ABE}})$. (However, as we shall see, dropping this assumption might lead to better estimates of the key rate.) After this distribution of quantum information Alice and Bob measure their systems. Thus they are left with classical bit strings.

Consider now any situation where Alice and Bob have a classical pair of raw keys $X^n$ and $Y^n$ consisting of $n$ bits whereas Eve controls a quantum system $E$. The secret-key rate, i.e., the rate at which secret-key bits can be generated per bit of the raw key, for any one-way protocol (with communication from Alice to Bob), is given by

$$r = \lim_{\varepsilon\to 0}\ \lim_{n\to\infty}\ \frac{1}{n}\ \sup_{U^n \leftarrow X^n}\left[S_2(U^n E^n) - S_0(E^n) - H_0(U^n|Y^n)\right]. \tag{2}$$

Here, $S$, $H$ denote the smooth Rényi entropies (also called min-entropy if $\alpha = \infty$ and max-entropy if $\alpha = 0$) [16]. Moreover, the supremum runs over all classical values $U^n$ that can be computed from (the classical value) $X^n$.

For a QKD protocol as described above [where the distributed state is of the form of Eq. (1)], formula (2) can be lower bounded by an expression which only involves two-qubit systems. More precisely [8],

$$r \ge \sup_{U \leftarrow X}\ \inf_{\sigma_{AB}\in\Gamma_Q}\left[S(U|E) - H(U|Y)\right], \tag{3}$$

where $\Gamma_Q$ is the set of all two-qubit states $\sigma_{AB}$ (after the filtering operation) which can result from a collective attack [17] and which are compatible with the parameters estimated by Alice and Bob (in particular, the QBER). Here, $S$ and $H$ denote the von Neumann entropy and its classical counterpart, the Shannon entropy, respectively. Moreover, $X$ and $Y$ denote the classical outcomes of measurements of $\sigma_{AB}$ (on $A$ and $B$, respectively) in the computational basis, and $E$ is any system that purifies $\sigma_{AB}$. Similarly to the above formula, the supremum runs over all mappings from $X$ to $U$ [18].

B. Local randomization

The local randomization step described above has been considered in Refs. [8,9] and later been improved in Ref. [19]. In Ref. [20], the local randomization is nicely explained in the context of entanglement purification.

To get an intuition why the local randomization can help to increase the secret-key rate, it is useful to describe the process as a quantum operation (as in [20]). Let $\sigma_{AB}$ be the state of a qubit pair held by Alice and Bob and let $|\Psi\rangle_{ABE}$ be a purification of $\sigma_{AB}$. The state after Alice randomly flips her bit value $A$ with probability $q$ can be described by $|\Psi\rangle_{A'ABE} = \sqrt{1-q}\,|\Psi\rangle_{ABE}|0\rangle_{A'} + \sqrt{q}\,\sigma_x^A|\Psi\rangle_{ABE}|1\rangle_{A'}$, where $A'$ is an auxiliary system on Alice’s side. The measurement of system $A$ gives the raw key. Note that $|\Psi\rangle_{A'ABE}$ results from the application of a controlled-NOT operation on system $A'A$, where system $A'$ is prepared in the state $\sqrt{1-q}\,|0\rangle_{A'} + \sqrt{q}\,|1\rangle_{A'}$. The randomization of Alice thus entangles her system to some auxiliary system (which is not under Eve’s control). This, in turn, reduces the entanglement between Alice’s relevant system ($A$) and Eve’s systems (monogamy of entanglement), as Eve does not have a purification of the state on the systems $A$ and $B$, since now she only has the purification of the state $\rho_{A'AB}$. Note that Bob’s information on $A$ is also reduced by the randomization process, but—for certain values of the parameter $q$—he is less penalized than Eve. From this point of view, it can be easily understood that the local randomization can help to increase the secret-key rate.

C. Comparison to known bounds

For protocols based on qubit pairs, where the raw key pair is obtained by orthogonal measurements of Alice and Bob on some Bell-diagonal state $\sigma_{AB} = \sum_{i,j}\lambda_{ij}P_{|\Phi_{ij}\rangle}$ (e.g., the BB84 or the six-state protocol), it follows from (3) that the secret-key rate $r$ (even without the local randomization) is bounded by

$$r \ge 1 - S(\sigma_{AB}) \ge 1 - h(e_b) - h(e_p).$$

Here, $e_b = \lambda_{10} + \lambda_{11}$ is the QBER and $e_p = \lambda_{01} + \lambda_{11}$ the phase error rate, i.e., the probability that Alice and Bob get different bits when measuring in the $z$ and the $x$ basis, respectively. Because the QBER and the phase error rate are not changed by applying at random $\sigma_x$ or $\sigma_z$, which makes any state Bell diagonal, the bound $1 - h(e_b) - h(e_p)$ holds for arbitrary states $\sigma_{AB}$. Note that the above bound implies any of the lower bounds on the one-way secret-key rate derived in previous works [10,21].

D. Generalization of the lower bound

Because we assume above that Eve controls a system that purifies the state $\rho_{AB}$ held by Alice and Bob, the bound (3) is fully determined by $\rho_{AB}$. However, this assumption on Eve might overestimate her possibilities, in which case the bound is not optimal. In the following we drop this assumption to derive better lower bounds on the secret-key rate.

Suppose that the state distributed in an entanglement-based scheme is of the form $P_S[(D_{AB}\otimes\mathbb{1})^{\otimes n}(\rho^0_{ABE})]$, where $P_S$ again denotes the map that randomly permutes the order of the qubit pairs, $D_{AB}$ is some completely positive map on two-qubit states, and $\rho^0_{ABE}$ is some tripartite state. Then, it is an immediate consequence of Lemma A.4 in Ref. [9] that the bound (3) on the secret-key rate can be generalized to

$$r \ge \sup_{U \leftarrow X}\ \inf_{\tilde\sigma_{ABE}\in\tilde\Gamma_Q}\left[S(U|E) - H(U|Y)\right]. \tag{4}$$

Here, the infimum ranges over the set $\tilde\Gamma_Q$ of all states $\tilde\sigma_{ABE}$ which can result from a collective attack and are compatible with the parameters estimated by Alice and Bob (e.g., the QBER).

We refer to Appendix C for an application of this result to improve the analysis of the one-way SARG protocol for single-photon pulses.

Consider now the general situation where the state describing the Alice, Bob, and Eve system is the reduced density operator of a state $|\Psi\rangle_{ABER} = \sum_n {}_n|\Psi^n\rangle_{ABE}|n\rangle_R$, where $\{|n\rangle\}$ forms an orthonormal basis of the Hilbert space of an auxiliary system $R$, i.e., none of the three parties has the auxiliary system at their disposal. Starting from (4) and using the concavity of the entropy, we find that the secret-key rate is bounded by

$$r \ge \sup_{U \leftarrow X}\ \inf_{\tilde\sigma_{ABE}\in\tilde\Gamma_Q}\ \sum_{n\ge 0} {}_n^2\, S(U|E,n) - H(U|Y), \tag{5}$$

where $S(U|E,n) = S(UE|n) - S(E|n)$ is the entropy of $U$ conditioned on $E$ and the event that the measurement of the auxiliary system $R$ in the basis $\{|n\rangle\}$ yields $n$.

One might also improve the bound using the following observation which has also been used to derive the bound given in Eq. (3). Let us consider the situation where some auxiliary system is at Alice’s and/or Bob’s disposal, but not at Eve’s (this could be for instance some additional qubits). Suppose that the state shared by $ABE$ and some auxiliary system $R$ (which is not under Eve’s control) is given by $|\Psi\rangle_{ABER} = \sum_n {}_n|\Psi^n\rangle_{ABE}|n\rangle_R$, where $\{|n\rangle\}$ is an orthonormal basis of $\mathcal{H}_R$, the Hilbert space corresponding to system $R$. The state $|\tilde\Psi\rangle_{ABER} = \sum_n {}_n U_n^{AB}|\Psi^n\rangle_{ABE}|n\rangle_R$, with $U_n^{AB}$ unitary operators diagonal in the $z$ basis, leads to the same measurement outcome for any measurement by Alice and Bob in the computational basis as $|\Psi\rangle_{ABER}$, that is

$$|k,l\rangle_{AB}\langle k,l|\,\rho_{ABE}\,|k,l\rangle_{AB}\langle k,l| = |k,l\rangle_{AB}\langle k,l|\,\tilde\rho_{ABE}\,|k,l\rangle_{AB}\langle k,l|,$$

where $\rho_{ABE} = \mathrm{tr}_R(P_{|\Psi\rangle_{ABER}})$ and $\tilde\rho_{ABE} = \mathrm{tr}_R(P_{|\tilde\Psi\rangle_{ABER}})$.

Assuming that Eve has a purification of the state $\tilde\rho_{AB}$ can only provide her with more power compared to the situation where she has a purification of the state $\rho_{ABR}$, since this is equivalent to giving her the system $R$, which she could simply measure, leading to the same result as before (for details see also Ref. [8]). Thus, we can consider the situation where Alice and Bob share the state $\tilde\rho_{AB}$ and Eve has a purification of it. This can only increase Eve’s power. We will use this observation in Appendix B, in order to determine a good lower bound on the secret-key rate for a QKD protocol using the so-called XOR process.

III. QKD PROTOCOLS WITH TWO-WAY POST-PROCESSING

In the following, we will consider QKD protocols where, before the post-processing of the raw key as described above, Alice and Bob additionally invoke a so-called advantage-distillation subprotocol, which requires two-way communication between Alice and Bob. The notion of advantage distillation has been investigated in the context of classical key agreement [22] and later been generalized to QKD [23,24].

The advantage-distillation protocol we consider here has the following form: Alice publicly announces to Bob the position of a block of $m$ bits which have all the same value (of course, she does not tell him which value). Then Bob tells Alice whether for the given position, his corresponding bits are all identical as well. If this is the case, they both continue using the first bit of the block as a new raw-key bit, otherwise they discard the whole block. We emphasize here that our analysis below works for any fixed value of the block size $m$ (not only asymptotically for large $m$). This is important for realistic protocols, where $m$ is usually small (e.g., $m = 3$).

To simplify the study of such protocols, we first show that it suffices to analyze the action of the advantage distillation process on two-qubit Bell-diagonal states. More precisely, Lemma 1 below implies that the state $\bar\rho^{\bar n}$ obtained by applying a blockwise operation $\mathcal{E}$ (for blocks of size $m$) to a symmetric state $\rho^n$ [see Eq. (1)] has virtually the same statistics as if $\mathcal{E}$ was applied to a state $\sigma^{\otimes m}$.

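Lemma 1. Let $\rho^n$ be a state on $n$ particle pairs of the form

$$\rho^n = P_S\left(P_{|\Phi_{00}\rangle}^{\otimes n_1} \otimes P_{|\Phi_{01}\rangle}^{\otimes n_2} \otimes P_{|\Phi_{10}\rangle}^{\otimes n_3} \otimes P_{|\Phi_{11}\rangle}^{\otimes n_4}\right)$$

and let $\sigma$ be a two-qubit Bell-diagonal state with eigenvalues $n_1/n, \ldots, n_4/n$. Moreover, let $\mathcal{E}$ be an operation which maps Bell states of blocks of $m$ particle pairs to Bell states of one single particle pair. Finally, let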

¯n¯=

¯n1,. . .,n¯4

¯n¯1,n¯2,n¯3,n¯4PSP兩⌽

00 ¯n1

P兩⌽

01 ¯n2

P兩⌽

10 n¯3

P兩⌽

11 ¯n4

be the state describing n¯=mn particle pairs defined by

¯n¯ªE¯n共␳nand let ¯

1, . . . ,¯

4 be the eigenvalues of

¯ªE共m兲.Then, for any␧艌0,

¯n1,. . .,n¯4兲苸B

共␭¯ 1,. . .,␭¯

4

¯¯n 1,n¯

2,n¯ 3,n¯

4艌1 − 2−⌰共¯n2兲+O共log2n, whereB共␭¯

1, . . . ,␭¯

4denotes the set of all tuples共n¯1, . . . ,n¯4such that

n¯n1, . . . ,¯nn4

is␧-close to共␭¯

1, . . . ,¯

4and⌰共n¯2is asymptotically the same as n¯2,up to a constant factor.

The lemma is a direct consequence of the exponential quantum de Finetti theorem [16]. It states that, for any $n$-partite quantum state $\rho^n$ which is invariant under permutations of the subsystems, any part $\rho^m = \mathrm{tr}_{n-m}(\rho^n)$ consisting of $m$ subsystems is exponentially (in $n - m$) close to a convex combination of states that virtually are of the form $\sigma^{\otimes m}$. For completeness, we give a direct proof of Lemma 1 (without referring to de Finetti’s theorem) in Appendix A.

In order to analyze protocols with advantage distillation using Lemma 1, we use the following quantum mechanical description of the advantage-distillation subprotocol: Alice and Bob both apply the operation $X_{ad}^m = |0\rangle\langle 0, \ldots, 0| + |1\rangle\langle 1, \ldots, 1|$ on $m$ qubits. It is straightforward to check that

$$(X_{ad}^2)^{\otimes 2}\left(|\Phi_{i,j}\rangle \otimes |\Phi_{k,l}\rangle\right) = \frac{1}{\sqrt{2}}\,\delta_{i,k}\,|\Phi_{i,j+l}\rangle, \tag{6}$$

where the sum $j + l$ of indices is understood to be modulo 2. Hence, applying advantage distillation to $m$ identical Bell-diagonal qubit pairs with eigenvalues $\lambda$ [25] leads to a Bell-diagonal state with eigenvalues $\lambda'$ given by

$$\lambda'_{i,j} = \frac{1}{T}\left[(\lambda_{i,0} + \lambda_{i,1})^m + (-1)^j(\lambda_{i,0} - \lambda_{i,1})^m\right], \tag{7}$$

where $T = 2[(1-Q)^m + Q^m]$ and where $Q = \lambda_{10} + \lambda_{11}$ is the QBER before the advantage distillation. The QBER $Q'$ after the advantage distillation is thus given by $Q' = \lambda'_{10} + \lambda'_{11} = \frac{Q^m}{(1-Q)^m + Q^m}$ and $(1-Q)^m + Q^m$ is the probability that the advantage distillation is successful (i.e., Alice and Bob end up with a new raw-key bit). If Alice and Bob apply, after the advantage distillation, the one-way classical post-processing described above, the lower bound on the secret-key rate is given by Eq. (3), where the eigenvalues of $\sigma_{AB}$ are given by the $\lambda'$ in (7) [26]. For instance for the six-state protocol one obtains a positive key rate for any QBER $< 0.276$ (for $m \to \infty$). Note that for the six-state protocol it has been shown that the tolerable QBER cannot be larger than 0.276, if the first step in the post-processing is advantage distillation [27]. As mentioned before, the bound on the secret-key rate is not only valid for $m \to \infty$, but for any value of the block size on which advantage distillation is applied.
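The eigenvalue map of Eq. (7) can be evaluated directly for finite block sizes. The following Python sketch is an added example, not code from the paper: it applies Eq. (7) to a six-state channel and evaluates the bound $1 - S(\sigma_{AB})$ of Sec. II C (no local randomization) on the distilled state. The parametrisation $\lambda_{01} = \lambda_{10} = \lambda_{11} = Q/2$ for the six-state protocol and all function names are assumptions made for this illustration.

```python
import math

def six_state_eigenvalues(q):
    """Bell-diagonal eigenvalues {(i, j): lambda_ij} at QBER q.

    Assumption (not stated on the page): the symmetric six-state
    parametrisation lambda_01 = lambda_10 = lambda_11 = q/2.
    Index i marks a bit error and j a phase error, as in |Phi_ij>.
    """
    return {(0, 0): 1 - 1.5 * q, (0, 1): q / 2, (1, 0): q / 2, (1, 1): q / 2}

def bit_error_rate(lam):
    """QBER of a Bell-diagonal state: lambda_10 + lambda_11."""
    return lam[(1, 0)] + lam[(1, 1)]

def advantage_distillation(lam, m):
    """Apply Eq. (7) for block size m.

    Returns (lambda', p_success) with p_success = (1-Q)^m + Q^m.
    """
    q = bit_error_rate(lam)
    p_success = (1 - q) ** m + q ** m
    t = 2 * p_success                      # normalisation T of Eq. (7)
    out = {}
    for i in (0, 1):
        total = lam[(i, 0)] + lam[(i, 1)]
        diff = lam[(i, 0)] - lam[(i, 1)]
        for j in (0, 1):
            out[(i, j)] = (total ** m + (-1) ** j * diff ** m) / t
    return out, p_success

def shannon_entropy(probs):
    """Entropy in bits; zero-probability entries contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0)

def one_way_bound(lam):
    """Lower bound 1 - S(sigma_AB) of Sec. II C for a Bell-diagonal state."""
    return 1 - shannon_entropy(lam.values())

def smallest_block_size(q, m_max=50):
    """Smallest m for which the bound on the distilled state is positive."""
    lam = six_state_eigenvalues(q)
    for m in range(1, m_max + 1):
        lam_m, _ = advantage_distillation(lam, m)
        if one_way_bound(lam_m) > 0:
            return m
    return None

if __name__ == "__main__":
    q = 0.20   # constructed sample QBER, above the one-way threshold
    lam = six_state_eigenvalues(q)
    print(" m   QBER after   phase error   P(success)   1 - S(sigma')")
    for m in (1, 2, 3, 4, 6):
        lam_m, p_ok = advantage_distillation(lam, m)
        phase = lam_m[(0, 1)] + lam_m[(1, 1)]
        print(f"{m:2d}   {bit_error_rate(lam_m):10.6f}   {phase:11.6f}"
              f"   {p_ok:10.6f}   {one_way_bound(lam_m):13.6f}")
    print("smallest block size with positive bound:", smallest_block_size(q))
```

The table shows the trade-off behind the map: the bit error rate falls quickly with $m$ while the phase error rate $\lambda'_{01} + \lambda'_{11}$ grows, and the success probability shrinks.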

In Ref. [24], Chau considered the secret-key rate obtained when applying the above-described advantage distillation followed by the XOR transformation, where Alice and Bob locally compute new raw-key bits by taking the XOR of a block of given bits. (For the sake of completeness we demonstrate in Appendix B how the XOR protocol can be included in our analysis.) Both procedures were analyzed in the asymptotic limit for infinitely large block sizes. The result found there is that the six-state protocol tolerates a QBER of up to 0.276. Surprisingly, the same threshold for the QBER can be obtained, as shown above, by a simpler protocol where the XOR transformation is replaced by a local randomization on single bits on Alice’s side. Moreover, the rate of this modified protocol is much larger than that of Chau’s protocol, as local randomization consumes less bits than the XOR transformation. Note that, as shown recently by Bae and Acin [28], if one omits the local randomization completely, the protocol still tolerates a QBER of up to 0.276, but the secret-key rate for large values of the QBER might be smaller.

IV. PROTOCOLS USING WEAK COHERENT PULSES

A. Preliminaries

We now consider protocols where Alice does not send single photons to Bob, but uses weak coherent pulses instead. This scenario is practically motivated by the fact that, with current technologies, it is difficult to create single-photon pulses. In fact, many of today’s implementations of QKD rely on weak coherent pulses.

We start with a description of a prepare-and-measure scheme and then translate it to an equivalent entanglement-based scheme, for which we will prove security.

In the prepare-and-measure scheme, Alice encodes the bit values into phase randomized coherent states [29]. More precisely, she randomly chooses a basis $j$ and encodes the bit value $k$ into the state $\rho_j^k = \sum_{n\ge 0} p_n\,(|\phi_j^k\rangle\langle\phi_j^k|)^{\otimes n}$, where $(|\phi_j^k\rangle\langle\phi_j^k|)^{\otimes 0}$ denotes the vacuum for any value of $j$ and $k$ and $p_n = e^{-\mu}\mu^n/n!$, with $\mu$ the mean photon number (for a Poissonian source [30]).

The description of Bob’s measurement depends on the experimental setup. We focus on the situation where Bob’s detectors do not distinguish between the cases where they receive one or more than one photon, since with current technology, it is difficult to count the number of photons. The POVM describing the photon detector is thus given by the operators $\{D_0^\dagger D_0, D_1^\dagger D_1\}$, with $D_0 = \sum_{n\ge 0}\sqrt{p_{nd}(n)}\,P_n$ and $D_1 = \sum_{n\ge 0}\sqrt{1 - p_{nd}(n)}\,P_n$, where $p_{nd}(n)$ is the probability of not detecting any photon in case $n$ photons arrived at the detector. This probability is given by $p_{nd}(n) = (1 - p_d)(1 - \eta)^n$, where $p_d$ is the probability of a dark count, and $\eta$ is the detection efficiency, i.e., overall transmission factor. The POVM element $D_0$ corresponds to the case where no photon is detected, whereas $D_1$ corresponds to the detection of one or more photons. In the prepare-and-measure scheme Bob would randomly choose a basis $j$ and measure the arriving photons in that basis.
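The source and detector model above can be evaluated numerically. The following Python sketch is an added example, not code from the paper: it weights the detector element $D_1^\dagger D_1$ with the Poissonian photon-number distribution $p_n$, splits the click probability by photon number, and checks the result against the closed form $1 - (1 - p_d)e^{-\mu\eta}$ obtained by summing the Poisson series. The relation $\eta = \eta_{det}\cdot 10^{-\alpha d/10}$ between distance and transmission, the truncation `n_max`, and all function names are assumptions made for this illustration; the default parameter values are those quoted in the caption of Fig. 1.

```python
import math

def poisson_pn(mu, n):
    """Photon-number distribution p_n = exp(-mu) mu^n / n! of the source."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def p_no_detection(n, eta, p_dark):
    """p_nd(n) = (1 - p_d)(1 - eta)^n: no click although n photons were sent."""
    return (1 - p_dark) * (1 - eta) ** n

def transmission(distance_km, alpha_db_per_km=0.25, eta_det=0.1):
    """Overall transmission factor eta.

    Assumption (not spelled out on the page): fibre loss alpha in dB/km
    multiplied by the detector efficiency eta_det.
    """
    return eta_det * 10 ** (-alpha_db_per_km * distance_km / 10)

def click_statistics(mu, eta, p_dark, n_max=60):
    """Weight of D1^dagger D1 on the source state, split by photon number.

    Returns the total click probability and the share of clicks caused by
    empty pulses (dark counts), single-photon and multi-photon pulses.
    """
    per_n = [poisson_pn(mu, n) * (1 - p_no_detection(n, eta, p_dark))
             for n in range(n_max + 1)]
    total = sum(per_n)
    return {
        "click": total,
        "vacuum_share": per_n[0] / total,
        "single_share": per_n[1] / total,
        "multi_share": sum(per_n[2:]) / total,
    }

def click_closed_form(mu, eta, p_dark):
    """Same click probability with the Poisson sum carried out analytically."""
    return 1 - (1 - p_dark) * math.exp(-mu * eta)

if __name__ == "__main__":
    mu, p_dark = 0.1, 1e-5      # mu is a constructed sample value
    print("dist[km]   eta        P(click)     dark share   multi share")
    for d in (0, 10, 20, 30, 40, 50):
        eta = transmission(d)
        s = click_statistics(mu, eta, p_dark)
        print(f"{d:7d}   {eta:.6f}   {s['click']:.6e}   "
              f"{s['vacuum_share']:.4f}       {s['multi_share']:.4f}")
```

The multi-photon share is the fraction of detections for which, in BB84, Eve has full information on Alice’s bit, and the dark-count share grows with distance as the transmission drops.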

In the following, we consider the so-called untrusted-device scenario, where it is assumed that Eve exchanges Bob’s detectors with perfect ones (having perfect efficiency and no dark counts) and introduces all errors herself [31]. Clearly, security under this assumption implies security in a situation where Eve might not be able to corrupt Bob’s detectors. Additionally, we assume that Bob’s detector is constructed in such a way that, whenever a pulse consisting of more than one photon arrives, then the detector output corresponds to the measurement of one of the photons in the pulse chosen at random [32].

In the described scenario, we can without loss of generality assume that Eve only sends single photons to Bob. This follows directly from the fact that the situation obtained by sending a multiphoton pulse is the same as if Eve randomly selected one photon from the pulse and sent this single photon to Bob. Bob’s measurement can therefore simply be described by the operators $B_j = |0\rangle\langle\phi_{1,j}| + |1\rangle\langle\phi_{0,j}|$ as defined previously.

Alice and Bob can estimate the following parameters related to their raw key: (i) the total sifting rate $R := \sum_n R_n$, for $R_n := p_n Y_n$ where $Y_n$ is the probability for Bob to find a conclusive result in case Alice sent $n$ photons; (ii) the average QBER $Q = \sum_n \frac{R_n}{R} Q_n$, where $Q_n$ denotes the QBER for the pairs where Alice sent an $n$-photon pulse. These two parameters will determine the amount of key that can be extracted from the particular raw key.

We use similar techniques as in Refs. [8,9] to describe the same protocol in the entanglement-based scheme. The states prepared by Alice are

$$|\Psi_j\rangle_{ABR_1} = \sum_{n\ge 0}\sqrt{p_n}\,|\Psi_j^n\rangle_{AB}|n\rangle_{R_1}, \tag{8}$$

where $|\Psi_j^n\rangle_{AB} = \frac{1}{\sqrt{2}}\left(|0\rangle_A|\phi_j^0\rangle_B^{\otimes n} + |1\rangle_A|\phi_j^1\rangle_B^{\otimes n}\right)$. Here, we have introduced an auxiliary system $R_1$ containing the photon number (which is neither controlled by Alice nor Bob). If Alice measures her qubit in the computational basis and receives outcome $k$, the state Bob is left with in the noiseless case (without interaction of Eve) is $\rho_B = 2\,\mathrm{tr}_{R_1}(P_{\langle k|\Psi_j\rangle_{ABR_1}}) = \sum_{n\ge 0} p_n P_{|\phi_j^k\rangle}^{\otimes n}$, which corresponds to the coherent state (with randomized phase) sent by Alice in the prepare-and-measure scheme [33]. The operation on Bob’s side is given by the operators $B_j$, as described above.

The state describing the situation after Bob’s operation is given by

$$|\chi\rangle_{ABER_1R_2} = \sum_j B_j U_{EB}\left(|\Psi_j\rangle_{ABR_1}\right)|j\rangle_{R_2},$$

where $j$ corresponds to the basis chosen by Alice and $U_{EB}$ is a unitary describing the attack of Eve. Note that this state is not necessarily normalized, but its weight $\mathrm{tr}(|\chi\rangle\langle\chi|)$ corresponds to the sifting rate.

Restricted to Alice’s and Bob’s systems, $|\chi\rangle_{ABER_1R_2}$ is a two-qubit state. We can thus apply the techniques presented in Sec. II to analyze the security of the protocol. More precisely, we need to evaluate the rhs of (5) to get a lower bound on the secret-key rate. First we do not take the local randomization into account; i.e., we choose $U = X$. The case including local randomization will be treated in the next section.

We thus obtain for the key rate

$$r \ge \inf_{\sigma\in\Gamma_{R,Q}}\ \sum_{n\ge 0} R_n\,S(X|E,n) - R\,S(X|Y). \tag{9}$$

The set $\Gamma_{R,Q}$ contains all states which can result from a collective attack by Eve and are compatible with the average sifting rate $R$ and the QBER $Q$, as estimated by Alice and Bob.

Because the (conditional) entropy of a classical variable cannot be negative, the right-hand side (rhs) of (9) can be lower bounded by restricting to any of the terms in the sum over $n$. Note that, in (9), the average over $n$ is only taken over the term for the entropy conditioned on Eve’s system, but not on the term for the entropy conditioned on Bob’s system. This is because Eve might be able to measure the photon number, whereas this is not the case for Bob.

B. Protocols with local randomization

So far we did not consider the possibility for Alice to apply some local randomization on her classical bits. The randomization can easily be included in the analysis: if the randomization is acting on single bits, $U \leftarrow X$ (bit flip with probability $q$), (9) simply writes

$$r \ge \inf_{\sigma\in\Gamma_{R,Q}}\ \sum_{n\ge 0} R_n\,S(U|E,n) - R\,S(U|Y). \tag{10}$$

Bob’s uncertainty is now given by $S(U|Y) = h(Q_q)$, where $Q_q = (1-q)Q + q(1-Q)$. Since $R = \sum_n R_n$, (10) can also be written as

$$r \ge \inf_{\sigma\in\Gamma_{R,Q}}\ \sum_{n\ge 0} R_n\left[S(U|E,n) - h(q)\right] - R\left[h(Q_q) - h(q)\right]. \tag{11}$$

Note that, for any $n \ge 0$, the term $S(U|E,n)$ on the rhs of this inequality can be bounded by $S(U|E,n) \ge S(U|X) = h(q)$ (since $U$ is only computed from $X$), and therefore the rhs of (11) can again be lower bounded by restricting the sum to any of its terms.

As we will see, the local randomization allows us to get better lower bounds for the secret-key rate as well as better lower bounds for the maximum distance for which the rate is positive.

C. Examples: the BB84 and the SARG protocols

Using the results above, in particular (9), we now compute the lower bound on the secret-key rate of the BB84 as well as the SARG protocols. In Section IV E we compare the results we derive here with previous results, in particular with the ones presented in Refs. [34,35].

In contrast to the single-photon case, where the lower bound on the secret-key rate was a function of the QBER, we are aiming here for a lower bound that depends on the only two measurable quantities $R$ (the total sifting rate) and $Q$ (the total QBER). For simplicity, we will in the following not explicitly include the local randomization, except in the final results (see Figs. 1 and 2). We remind the reader that, in order to include the local randomization, (9) simply must be replaced by (11).

Our computation of the bound given by (9) is subdivided into two steps: First, for any $n \geq 0$ and for any $Q_n$, we compute $S_n(Q_n) := \inf_{\sigma_n \in \Gamma_{Q_n}} S(X|E,n)$, where $\Gamma_{Q_n}$ is the set of all states $\sigma_n$ which can result from a collective attack on an $n$-photon pulse causing a QBER of $Q_n$. In a second step, we compute the infimum

$$ \inf_{\{R_n,Q_n\} \in \tilde{\Gamma}_{R,Q}} \sum_{n=0}^{\infty} R_n S_n(Q_n), \tag{12} $$

where $\tilde{\Gamma}_{R,Q}$ denotes the set of all parameters $\{R_n,Q_n\}$ which are compatible with $R$ and $Q$. All the technical details can be found in Appendix D.

1. BB84

For the BB84 protocol, it is easy to verify that for any pulse consisting of $n \geq 2$ photons, Eve has full information on Alice's measurement outcome $X$, i.e., $\inf_{\sigma_n \in \Gamma_{Q_n}} S(X|E,n) = 0 \;\; \forall n \geq 2$. The lower bound is thus given by [36] (see also Ref. [46])

$$ r \geq \inf_{\{R_1,Q_1\} \in \tilde{\Gamma}_{R,Q}} R_1 S_1^{\mathrm{BB84}}(Q_1) - R\,h(Q), \tag{13} $$

where $S_1^{\mathrm{BB84}}(Q_1) := 1 - h(Q_1)$ (see Appendix D or Refs. [8,9]).

[Figure 1: panel (a), secret key rate [bits/pulse] versus distance [km]; panel (b), optimal $\mu$ versus distance [km]; curves for SARG and BB84.]

FIG. 1. (Color online) Lower bound on the secret-key rate per pulse and optimal $\mu$ for Poissonian sources as a function of the distance, for the BB84 and SARG protocols, when Alice and Bob share a quantum channel with perfect visibility $V = 1$. The other experimental parameters are $\alpha = 0.25$ dB/km, $\eta_{\mathrm{det}} = 0.1$, and $p_d = 10^{-5}$. The thick lines are the results we obtain when Alice performs an optimal bitwise local randomization; the thin lines are the same, without randomization ($q = 0$).

As shown in Appendix D, the conditions in the untrusted-device scenario for $R_1$ and $Q_1$ to be compatible with $R$ and $Q$ are the following:

$$ R_1 \leq \tfrac{1}{2} p_1, \qquad R_1 \geq R - \tfrac{1}{2} \sum_{n \geq 2} p_n, \qquad R_1 Q_1 \leq R Q. \tag{14} $$

Let $R_1^{\min} = R - \tfrac{1}{2} \sum_{n \geq 2} p_n$. If $R_1^{\min} \leq 0$, then $R_1$ can be set equal to zero, and the lower bound on $r$ is negative; i.e., Alice and Bob must abort the protocol. If $R_1^{\min} > 0$, let $Q_1^{\max} = \min(RQ/R_1^{\min}, \tfrac{1}{2})$. Due to the decreasing of $S_1^{\mathrm{BB84}}(Q_1)$ for $Q_1 \leq 1/2$, we then get

$$ r \geq R_1^{\min} \left[ 1 - h(Q_1^{\max}) \right] - R\,h(Q). \tag{15} $$

Note that this bound has been derived in Ref. [37] using a different technique. This bound can be interpreted as follows: For an optimal attack, Eve should make $R_1$ as small as possible (i.e., block as many single-photon pulses as possible) and, at the same time, make $Q_1$ as large as possible (i.e., introduce as many errors as possible on the single-photon pulses that she forwards, which reduces her uncertainty on Alice's system as much as possible).

To get an idea of how good this bound is, we evaluate the rate for the situation where no Eve is present and the errors are instead introduced by a realistic channel. The channel we consider is a lossy depolarizing channel with visibility $V$ (or fidelity $F = \frac{1+V}{2}$ and disturbance $D = \frac{1-V}{2}$), and a transmission factor $t = 10^{-\alpha \ell / 10}$ at distance $\ell$ ($\alpha$ is the attenuation coefficient). Furthermore, we consider the situation where Bob's detectors have an efficiency $\eta_{\mathrm{det}}$ and a probability of dark counts $p_d$. An explicit calculation (see Appendix D) shows that under these assumptions, the rates that Alice and Bob would get are

$$ R = \tfrac{1}{2} \left( 1 - \bar{p}_d^{\,2} e^{-\mu\eta} \right), $$

$$ RQ = \tfrac{1}{4} \left( 1 + \bar{p}_d e^{-\mu\eta F} - \bar{p}_d e^{-\mu\eta D} - \bar{p}_d^{\,2} e^{-\mu\eta} \right), $$

where $\eta = t\,\eta_{\mathrm{det}}$, $\bar{p}_d = 1 - p_d$. When we insert these values in (15) for experimentally reasonable values of $\alpha$, $p_d$, and $\eta_{\mathrm{det}}$, and optimize for different distances over the mean photon number $\mu$ (which Alice is free to choose), we get the results illustrated in Fig. 1 (for $V = 1$) and Fig. 2 (for $V = 0.95$).

We find that the optimal $\mu$ is proportional to the transmission factor $t$, and our bound on the secret-key rate is proportional to $t^2$ (at least for short distances, i.e., in the regime where dark counts are not dominant); this was already observed in Refs. [38,37].
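As an added illustration (not code from the paper), the following Python sketch evaluates bound (15) without local randomization ($q = 0$), using the channel rates $R$ and $RQ$ given above and a grid search over $\mu$. The function names, the Poisson weights $p_n = e^{-\mu}\mu^n/n!$ and the search range for $\mu$ are assumptions of this example.

```python
import math

def h(x):
    """Binary entropy in bits; 0 at the end points."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

def channel_rates(mu, dist_km, V=1.0, alpha=0.25, eta_det=0.1, p_d=1e-5):
    """Sifting rate R and error rate R*Q for the lossy depolarizing channel.
    Default parameters are the ones quoted in the caption of Fig. 1."""
    t = 10 ** (-alpha * dist_km / 10)          # transmission factor
    eta = t * eta_det
    F, D = (1 + V) / 2, (1 - V) / 2
    pbar = 1 - p_d
    R = 0.5 * (1 - pbar**2 * math.exp(-mu * eta))
    RQ = 0.25 * (1 + pbar * math.exp(-mu * eta * F)
                 - pbar * math.exp(-mu * eta * D)
                 - pbar**2 * math.exp(-mu * eta))
    return R, RQ

def bb84_bound(mu, dist_km, **kw):
    """Bound (15) with q = 0; returns 0.0 when Alice and Bob must abort."""
    R, RQ = channel_rates(mu, dist_km, **kw)
    Q = RQ / R
    # Assumption: Poisson source, so sum_{n>=2} p_n = 1 - e^{-mu} (1 + mu).
    multi = 1 - math.exp(-mu) * (1 + mu)
    R1_min = R - 0.5 * multi                   # second condition in (14)
    if R1_min <= 0:
        return 0.0
    Q1_max = min(RQ / R1_min, 0.5)             # third condition in (14)
    return max(R1_min * (1 - h(Q1_max)) - R * h(Q), 0.0)

def optimise_mu(dist_km, grid=2000, **kw):
    """Grid search over mu, log-spaced in [1e-5, 1] (assumed range)."""
    best = (0.0, 0.0)
    for i in range(grid + 1):
        mu = 10 ** (-5 + 5 * i / grid)
        r = bb84_bound(mu, dist_km, **kw)
        if r > best[0]:
            best = (r, mu)
    return best                                # (rate, optimal mu)

if __name__ == "__main__":
    for d in (0, 5, 10, 20, 30):
        r, mu = optimise_mu(d)
        print(f"{d:3d} km  rate={r:.3e}  mu_opt={mu:.4f}")
```

Between 0 km and 5 km the optimal $\mu$ returned by this sketch shrinks roughly like $t$ and the rate roughly like $t^2$, which is the short-distance scaling stated above.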

2. SARG

A major difference between the SARG protocol and the BB84 protocols is that Eve cannot get full information on Alice's value even if the pulse contains two photons. In order to take this into account, we include the contribution of the two-photon components in our formula for the secret-key rate; i.e., we compute [39]:

$$ r \geq \inf_{R_1,Q_1,R_2,Q_2} R_1 S_1^{\mathrm{SARG}}(Q_1) + R_2 S_2^{\mathrm{SARG}}(Q_2) - R\,h(Q). \tag{16} $$

In Appendix D we describe how to compute $S_1^{\mathrm{SARG}}(Q_1)$ and $S_2^{\mathrm{SARG}}(Q_2)$ (see also Appendix C and Ref. [35]), and we derive the following conditions for $R_1$, $Q_1$, $R_2$, and $Q_2$ to be compatible with $R$ and $Q$:

$$ R_1(1-Q_1) \leq \tfrac{1}{4} p_1, \qquad R_2(1-Q_2) \leq \tfrac{1}{4} p_2, $$

$$ R_1(1-Q_1) + R_2(1-Q_2) \geq R(1-Q) - \tfrac{1}{4} \sum_{n \geq 3} p_n, $$

$$ R_1 Q_1 + R_2 Q_2 \leq R Q. \tag{17} $$

If $R(1-Q) - \tfrac{1}{4} \sum_{n \geq 3} p_n > 0$, one can see in (16) that Eve's optimal choice is to set $R_1$ and $R_2$ as small as possible, and $Q_1$ and $Q_2$ as large as possible [$S_1^{\mathrm{SARG}}(Q_1)$ and $S_2^{\mathrm{SARG}}(Q_2)$ are decreasing]: she should therefore set the equality in the third constraint.

However, contrary to BB84, we have not been able to give a simpler analytical expression for the infimum in (16); we therefore resort to numerical computations.

Again, in order to estimate the previous bound in a practical implementation of the protocol, we compute the typical values of the parameters $R$ and $Q$ when Alice and Bob use a Poisson source and a lossy depolarizing channel (see Appendix D):

[Figure 2: secret key rate [bits/pulse] versus distance [km]; curves for BB84 and SARG.]

FIG. 2. (Color online) Same plot as in Fig. 1 (top), but for a quantum channel with nonperfect visibility, $V = 0.95$.
