
Tight security bounds for quantum key distribution


Academic year: 2022


Thesis

Reference

Tight security bounds for quantum key distribution

LIM, Ci Wen

Abstract

Despite the significant progress made in both theoretical and experimental quantum key distribution (QKD), the security of current QKD implementations is still not rigorously established. One of the major causes of this impasse is that existing security analyses depend strongly on the classical-post-processing block size, and as a consequence, the resulting security bounds are unduly pessimistic. In other words, applying these security bounds to current QKD implementations would severely impair the efficiency of these implementations. In this thesis, we overcome this impasse by providing a novel security framework that allows one to derive tight non-asymptotic security bounds for a wide range of QKD implementations. This essentially closes the gap between the theory and practice of QKD.

LIM, Ci Wen. Tight security bounds for quantum key distribution. Doctoral thesis: Univ. Genève, 2014, no. Sc. 4681

URN : urn:nbn:ch:unige-390915

DOI : 10.13097/archive-ouverte/unige:39091

Available at:

http://archive-ouverte.unige.ch/unige:39091


Université de Genève, Groupe de Physique Appliquée
Faculté des Sciences, Professor Hugo Zbinden

Tight Security Bounds for Quantum Key Distribution

Thesis

presented to the Faculté des Sciences of the Université de Genève to obtain the degree of Docteur ès Sciences, mention physique (Doctor of Science, physics)

by

Charles Ci Wen Lim, from Singapore

Thesis No. 4681

GENÈVE
Atelier d'impression ReproMail
2014

Summary

Despite the recent experimental and theoretical progress made in the field of quantum key distribution (QKD), the security of the implementations currently available on the market is not rigorously established. This impasse is largely explained by the fact that security analyses depend strongly on the block sizes used during classical post-processing, and, as a consequence, the resulting security bounds are too pessimistic. In other words, applying these security bounds to existing QKD implementations would severely reduce their efficiency.

In the first part of this thesis, we avoid this impasse by introducing a general proof technique that allows precise bounds to be computed when evaluating the security of QKD systems. More specifically, we show that two recent discoveries, namely a smooth entropic uncertainty relation and a concentration inequality, make it possible to bound precisely the length of the secret key that can be extracted in various QKD protocols. For example, we apply this proof technique to decoy-state QKD, one of the most widespread QKD protocols, and show that secret keys can be distributed even in the presence of significant losses, even when the classical post-processing uses very small block sizes.

In the last part of this thesis, we turn our attention to the coherent one-way (COW) cryptographic protocol, based on the transmission of coherent laser pulses. This protocol has been implemented in several experiments, although a formal security analysis is still missing.

In this work, we present an important step of this analysis, namely the extension of the existing asymptotic security bounds for COW (valid against a restricted class of attacks) to the finite-key regime.

Abstract

Despite the significant progress made in both theoretical and experimental quantum key distribution (QKD), the security of current QKD implementations is still not rigorously established. One of the major causes of this impasse is that existing security analyses depend strongly on the classical-post-processing block size, and as a consequence, the resulting security bounds are unduly pessimistic. In other words, applying these security bounds to current QKD implementations would severely impair the efficiency of these implementations.

In the first part of the thesis, we overcome this impasse by introducing a general security proof technique that can be used to derive tight security bounds for QKD. Specifically, we show that by using a recently formulated entropic uncertainty relation for smooth entropies and a newly derived concentration inequality, tight bounds on the extractable secret key length can be established for QKD. Our security proof technique can also be applied to practical QKD protocols. For example, we apply this security proof technique to decoy-state QKD, which is one of the most widely implemented QKD protocols, and show that secure keys can be distributed in the presence of high channel loss, even if the underlying classical-post-processing block size is very small. This provides an important step towards the implementation of truly secure and practical QKD systems.

In the later part of the thesis, we switch our focus to the coherent one-way (COW) QKD protocol, which is based on the transmission of coherent laser pulses. This protocol has been implemented in several experiments; however, a formal security analysis is still missing. Here, we overcome this issue by extending existing asymptotic security bounds (valid against a restricted class of attacks) for the COW protocol to the finite-key length regime.

Contents

Summary
Abstract
Introduction
1. Basic concepts in QKD
  1.1. Notation
  1.2. General concepts in QKD
  1.3. Security criteria
  1.4. Extractable secret key length
2. Bennett-Brassard 1984 QKD
  2.1. Protocol description
  2.2. Bounds on secret key length
  2.3. Simulation: comparison with existing results
3. Decoy-state QKD
  3.1. Decoy-state QKD
  3.2. Protocol description
  3.3. Bounds on secret key length
  3.4. Simulation: evaluation with real-world parameters
4. Quantum key distribution using coherent laser pulses
  4.1. Coherent One-Way QKD
  4.2. Protocol description
  4.3. Upper bounds on secret key length
  4.4. Simulation: evaluation with real-world parameters
5. Conclusion and outlook
References
A. Publications and conferences
  Publication list
  Conferences
  Patents
B. Peer-reviewed articles
  B.1. Tight Finite-Key Analysis for Quantum Cryptography
  B.2. Security of Distributed-Phase-Reference Quantum Key Distribution
  B.3. Device-Independent Quantum Key Distribution with Local Bell Test
  B.4. Detection-Loophole-Free Test of Quantum Nonlocality, and Applications
  B.5. A fast and versatile quantum key distribution system with hardware key distillation and wavelength multiplexing
  B.6. Concise security bounds for practical decoy-state quantum key distribution
  B.7. Finite-key analysis for measurement-device-independent quantum key distribution
Acknowledgments

Introduction

The cryptographic task of sending secret messages via an insecure communication channel is one of the most intriguing and profoundly studied problems in cryptography. In 1949, Shannon showed that secure communication, in the case of symmetric cryptographic systems, can be achieved if the two communicating parties, called Alice and Bob, share an initial secret key that is as long as the message to be exchanged [1]. In other words, secure communication automatically follows once we know how to distribute cryptographic keys between two remote parties connected by an insecure communication channel.

There are, in fact, a few solutions to the key distribution problem, depending on the type of assumptions, and the number of assumptions, one is willing to make (for a comprehensive survey of the key distribution problem and existing solutions, see Ref. [2] and references therein). For instance, the most straightforward solution is to entrust a courier (e.g., a postman with a platoon of well-trained soldiers) to distribute the secret key. Another solution, which is widely adopted in current communication systems, is to work in the framework of computational security, where the security of the key is based on some computational hardness assumption. However, none of the above solutions are entirely satisfactory, either in terms of practicalities or when the notions of long-term security and universal composability are considered [3]. Specifically, the first solution would require the secure storage of an arbitrarily long secret key for an indefinite amount of time, which is highly impractical, and the second solution faces the threat of future algorithmic progress [4].

To solve the key distribution problem, in 1984, Bennett and Brassard proposed the concept of quantum key distribution (QKD) [5]. On a general level, QKD is rather similar to the first solution described above, apart from the fact that it uses quantum systems to deliver the secret key; in this case, there are two communication channels, namely an authenticated classical channel and a quantum channel. The protocol (henceforth called the BB84 protocol) basically works as follows. First, Alice generates a string of random bits, where for each bit, she prepares a two-level quantum system (or simply a qubit) either in the computational basis $\{|0\rangle, |1\rangle\}$ or the Hadamard¹ basis $\{|+\rangle, |-\rangle\}$ to represent that bit, and sends it to Bob via the quantum channel. For example, bit 0 is represented either by $|0\rangle$ or $|+\rangle$, depending on Alice's basis choice for that bit. On Bob's side, he recovers the bit values by measuring each qubit either in the computational basis or the Hadamard basis. Then, after the measurement, he informs Alice of his basis choices, and she confirms which basis choices are the correct ones, i.e., those that match her basis choices. At the end of the confirmation, Alice and Bob are thus left with a raw key pair. Finally, they perform error correction [6] and privacy amplification [7] to extract a secret key pair from the raw key pair.

¹ Here, $|+\rangle := (|0\rangle + |1\rangle)/\sqrt{2}$ and $|-\rangle := (|0\rangle - |1\rangle)/\sqrt{2}$.

Fig. 1. In today's society, for efficiency reasons, private messages are commonly exchanged using encryption schemes that are computationally secure. That is, these encryption schemes are secure under the assumption that the adversary is unable to solve certain computational problems in a reasonable amount of time. However, such an assumption is rather hard to justify in practice, since an adversary can store the encrypted message and wait for future algorithmic developments that are capable of breaking the encryption scheme. In other words, the adversary may retrospectively break the security of the encryption scheme.

The security of QKD, roughly speaking, lies in the fact that there is a fundamental limit on the amount of information an observer can extract from a quantum system, and that learning something about the state of the system necessarily introduces some disturbance to it. Put in the context of QKD, this means that if an adversary (called Eve) tries to learn something about the secret key, for example, by making measurements on the quantum systems, she would inevitably introduce some noise to them (or equivalently, to the quantum channel). The key aspect of QKD is that the preceding statement can be made quantitative, in the sense that the amount of information Eve has about the raw key pair can be estimated in terms of the level of noise in the quantum channel. Simply put, Alice and Bob can determine the amount of private randomness in their raw key just by checking the noise level in the quantum channel.

Although the principles behind QKD are intuitively simple, it turns out that making a formal security analysis is rather challenging. The root of the problem lies in the fact that the number of possible attack strategies mountable by Eve is generally very large², which makes it virtually impossible to parameterize them in an efficient way. Not surprisingly, it was only after more than a decade that a formal security proof of the BB84 protocol was obtained [8,9]; however, due to the complexity of the security analysis, the result received rather limited attention. Soon after, several alternative security proofs of the BB84 protocol were obtained, notably Refs. [10,11], whose security proofs were based on an interesting connection between privacy amplification, entanglement purification and quantum error correction [12].

In the last decade, it has been noticed that by exploiting the inherent symmetry within permutation-invariant³ QKD protocols, it is sufficient to consider a much smaller class of attacks, called collective attacks, where Eve interacts identically and independently with each individual quantum system [15,16]. As a result, the security analysis of QKD is significantly simplified. For instance, see Refs. [15,16] for the security proof of the BB84 protocol in the scenario where Alice and Bob share an infinite amount of resources (i.e., they exchange an infinite number of quantum systems). In a more general framework where Alice and Bob share a finite amount of resources, a similar conclusion can be reached by using powerful reduction techniques like the quantum de Finetti theorem [17] and the post-selection technique [18], but the equivalence between collective and general attacks is no longer achieved. That is, in the finite-key length regime, it is more advantageous for Eve to consider attack strategies beyond those of collective attacks. As a consequence, the resulting security bounds obtained from these proof techniques are unduly pessimistic, even in the most optimistic scenario where the QKD devices are ideal qubit devices [19,20].

² As a matter of fact, the dimension of the state space describing these attack strategies increases exponentially with the number of quantum systems exchanged between Alice and Bob.

³ Here, a permutation-invariant QKD protocol is one whose output remains the same under permutations of input states; for example, the BB84 [5] protocol and the six-state [13,14] protocol are such protocols.

In this thesis, we present a solution to the above problem by providing a general non-asymptotic security analysis that can be used to derive tight security bounds for QKD. In particular, we make use of a recently formulated entropic uncertainty relation and a sharp concentration inequality to provide tight bounds on the extractable secret key length. The security analysis is then applied to an efficient BB84 protocol [21] with biased basis choice and a practical decoy-state QKD protocol [22–24]. For both of these protocols, we evaluate the performance of their security bounds using realistic system models based on recent QKD experiments. We also consider the non-asymptotic security of the coherent one-way (COW) QKD protocol [25] against an experimentally relevant class of collective attacks, and evaluate its security performance under realistic conditions.

Related work

The security of finite-length secret keys has long been seen as an essential component of practical QKD, but it is only in recent years that accessible proof techniques have been developed for it. The first security proof of finite-length secret keys for the BB84 protocol was obtained in Ref. [26] (based on the earlier results of Mayers [8,9]), and remarkably, it already considered the security of practical devices, i.e., imperfect single-photon sources, imperfect detectors, and lossy quantum channels. Subsequently, this result was followed up by alternative security analyses [27–29]. However, all these results are based on a security definition that is not composable (e.g., see Ref. [30]), and thus cannot be used in practical cryptography scenarios, where keys generated from QKD are used for other applications like encryption. In recent years, security analyses based on the notion of composable security have been made for various QKD protocols [19,20,31–35], and some of them have been used in QKD experiments, e.g., see Refs. [36,37].

The security bounds presented in this thesis, namely those in Chapter 2 (Section 2.2) and Chapter 3 (Section 3.3), are significantly tighter and more concise than the ones in the literature. In particular, the presented bounds allow existing practical QKD systems to distribute secure cryptographic keys in the presence of high channel loss, even if the underlying classical-post-processing block sizes are small.

Outline of thesis

The following is an overview of the main discussions in each chapter.

Chapter 1: Security of QKD

In this chapter, we introduce the security framework and the technical tools on which this thesis is based. At the beginning, we introduce basic concepts in QKD and discuss what it means for QKD to be secure (and briefly touch on the notion of universal composability). Then, the theoretical tools necessary to understand the security analyses are introduced.

Chapter 2: Bennett-Brassard 1984 QKD

Here, we consider a biased-basis-choice BB84 protocol that is based on the transmission of qubits. The security of finite-length secret keys is obtained by using a recently formulated uncertainty relation and an improved parameter estimation technique. Specifically, we build on our earlier security analysis [B.1] by deriving a new concentration inequality that provides significantly sharper estimates than the one used there. As a result, the security bounds obtained here are much tighter than those given in Ref. [B.1].

Chapter 3: Decoy-state QKD

This chapter is based on Ref. [B.6]. Here, we analyze the security of a practical decoy-state QKD protocol. In particular, we use the improved security analysis obtained in the previous chapter and a novel decoy-state method analysis to derive tight security bounds on the extractable secret key length. Furthermore, we evaluate the performance of these security bounds under two realistic channel models, namely one based on dedicated optical fiber and the other based on dense wavelength division multiplexing. In both cases, we see that secret keys can be securely distributed over large distances even with relatively small post-processing block sizes.

Chapter 4: QKD using coherent laser pulses

In this chapter, we focus on the COW protocol, which is based on the transmission of coherent laser pulses. The key advantage of the protocol is that it is highly practical, in the sense that it can be implemented with convenient optical components and that it offers high secret key throughputs. Unlike standard QKD protocols, where Bob's measurements are restricted to each individual quantum system, the COW protocol measures the phase coherence between successive laser pulses. In other words, the protocol is constantly measuring the phase relation between successive quantum systems. However, because of the phase measurement, it is not clear how existing security proof techniques can be applied to the COW protocol. Despite this impasse, a security analysis of the COW protocol can still be made under the assumption of collective attacks. In particular, we extend the result of Ref. [38], which considers an experimentally relevant class of collective attacks, to the finite-key length regime. This result was applied to a recent implementation of the COW protocol [B.5].

Chapter 5: Conclusion and perspectives

Here, we discuss the future perspectives of QKD, and the application of device-independent QKD in practical scenarios.

1. Basic concepts in QKD

1.1. Notation

We assume that all Hilbert spaces (denoted by $\mathcal{H}$) are finite-dimensional. The state of a quantum system $A$ is described by a density operator $\rho_A$, which is a positive-semidefinite matrix of trace one acting on some Hilbert space $\mathcal{H}_A$. We denote the set of positive semi-definite matrices acting on $\mathcal{H}_A$ by $\mathcal{P}(\mathcal{H}_A)$, the set of normalized states by $\mathcal{S}(\mathcal{H}_A) = \{\rho \in \mathcal{P}(\mathcal{H}_A) : \mathrm{tr}(\rho) = 1\}$ and the set of sub-normalized states by $\mathcal{S}_{\le}(\mathcal{H}_A) = \{\rho \in \mathcal{P}(\mathcal{H}_A) : \mathrm{tr}(\rho) \le 1\}$. The Hilbert space of a bipartite system is defined as $\mathcal{H}_{AB} = \mathcal{H}_A \otimes \mathcal{H}_B$, and for any state $\rho_{AB} \in \mathcal{S}(\mathcal{H}_{AB})$, the reduced density operators are $\rho_A = \mathrm{tr}_B(\rho_{AB})$ and $\rho_B = \mathrm{tr}_A(\rho_{AB})$. If a quantum state $\rho_A$ is diagonal, then we may see it as a classical register, i.e., $A$ is a discrete random variable with probability distribution $\{P_A(a)\}_{a \in \mathcal{A}}$ taking values from a finite set $\mathcal{A}$. In this case, the classical system $A$ is represented by a diagonal matrix whose eigenvalues are given by the probabilities $\{P_A(a)\}_{a \in \mathcal{A}}$; note that we sometimes denote by $\Pr[A = a]$ the probability that $A = a$, i.e., $P_A(a) = \Pr[A = a]$.

If only one half of a bipartite system is classical, then the system is described by a classical-quantum state $\rho_{XE} = \sum_x P_X(x)\, |x\rangle\langle x| \otimes \rho_{E|X=x}$, where $\{|x\rangle\}_x$ is an orthonormal basis in $\mathcal{H}_X$ and $\rho_{E|X=x}$ is a quantum state conditioned on $X = x$.

We say two classical systems $S$ and $Q$ are $\epsilon$-close if the total variation distance between them is

$$\frac{1}{2} \sum_{x \in \mathcal{X}} |S_X(x) - Q_X(x)| \le \epsilon.$$

For quantum systems, we say two quantum systems $\rho_S$ and $\rho_Q$ are $\epsilon$-close if

$$D(\rho_S, \rho_Q) := \frac{1}{2} \|\rho_S - \rho_Q\|_1 \le \epsilon.$$

The trace distance is, in fact, a generalization of the total variation distance: if $\rho_S$ and $\rho_Q$ are diagonal in the same basis, then their trace distance is equal to the total variation distance between their eigenvalue distributions. Moreover, the trace distance measure has an operational meaning in that it can be used to quantify the minimum probability of error in distinguishing these two systems. That is, for any strategy, the probability that $\rho_S$ can be distinguished from $\rho_Q$ is at most $(1 + \epsilon)/2$.

1.2. General concepts in QKD

Recall that in the setting considered by QKD, Alice and Bob are connected by an authenticated classical channel and a potentially insecure quantum channel.

Here, as with any cryptographic scheme, the securely authenticated¹ channel is necessary to prevent impersonation attacks like the man-in-the-middle attack.

Such a channel, for instance, can be implemented with the Wegman-Carter authentication scheme [39,40] provided Alice and Bob share a short secret key.

For this reason, QKD is sometimes called quantum key expansion, since an initial short secret key is needed. In this thesis, for simplicity, we omit a formal analysis of the authentication scheme and assume that it is perfectly secure. This is, however, not a problem, since we can easily extend the results in this thesis to the case where the authentication scheme is imperfect (for reasons that will be explained in the next section).

A QKD protocol generally comprises two phases, namely a prepare-and-measure phase and a classical post-processing phase. In the prepare-and-measure phase, Alice generates a random $N$-bit string $X''$, where for each bit, she encodes it into a quantum system and sends it through the quantum channel to Bob, who then makes a random measurement on it. At the end of the measurement, Bob records all the outcomes into a string $\hat{X}''$; note that the string is not necessarily a bit-string due to losses, e.g., detection inefficiency. Then, depending on the type of QKD protocol, Alice and Bob communicate via the public channel to agree on a smaller set of binary strings, $X'$ and $\hat{X}'$. During this communication, it is assumed that a certain amount of data-processing is done to convert the initial pair of strings to a pair of binary strings, e.g., by assigning random bit values to the inconclusive events. Finally, Alice and Bob perform random sampling without replacement to estimate the amount of correlation between their bit strings. Specifically, they publicly reveal a random subset of $X'$ and $\hat{X}'$ on the public channel to compute the amount of correlation (e.g., the bit error rate), which is then used to estimate the amount of correlation between the remaining (unrevealed) bit strings. This step is commonly known as parameter estimation. In the following, we will refer to the pair of unrevealed bit strings $X$ and $\hat{X}$ as the raw key pair, and assume that they take values from the set of binary strings of size $n \le N$.

¹ By secure authentication, we mean that the authentication scheme is information-theoretically secure.

[Fig. 1.1 schematic: Alice (random inputs; raw key $X$; secret key $S$) and Bob (random inputs; raw key $\hat{X}$; secret key $\hat{S}$) run the steps 1. Prepare & measure, 2. Sifting, 3. Parameter estimation, 4. Error correction, 5. Error verification, 6. Privacy amplification.]

Fig. 1.1. Typically, a QKD protocol proceeds in six steps, and only the first step involves the manipulation of quantum states. The remaining five steps are data processing techniques that convert the shared data into a pair of identical and secret bit strings. Note that the sifting and parameter estimation steps depend on the type of QKD protocol, while the error correction, error verification and privacy amplification steps are common to most QKD protocols.

In the classical-post-processing phase, there are three successive steps: error correction, error verification and privacy amplification. In the first step, Alice sends error correcting information about $X$ to Bob, who then tries to make an estimate of Alice's raw key with this information and his raw key. We denote Bob's estimate of Alice's raw key by $\hat{X}_G$. Then, Alice and Bob carry out an error verification step to check if their key pair $X$ and $\hat{X}_G$ are identical. If they pass the verification step, they proceed to privacy amplification; otherwise they abort the QKD protocol. Finally, conditioned on passing the error verification step, they carry out privacy amplification to convert the partially secret key pair $X$ and $\hat{X}_G$ into a secret key pair $S$ and $\hat{S}$. In the following section, we define what it means for the secret key pair to be secure.

1.3. Security criteria

A QKD protocol either aborts or outputs a secret key pair $S$ and $\hat{S}$ for Alice and Bob, respectively. Here, we assume that the secret key pair $S$ and $\hat{S}$ have the same length $\ell$. That is, the secret key space (given that the protocol does not abort) is the set of all binary strings of length $\ell$. In the event that the protocol aborts, it outputs $S = \hat{S} = \perp$.

Ideally, we would like the QKD protocol to meet two criteria, namely the correctness criterion and the secrecy criterion. The correctness criterion is satisfied if the secret keys are identical, i.e., $S = \hat{S}$. To state the secrecy criterion, we first need to have a description of the correlation between the secret key and Eve. In particular, let system $E$ be the information that Eve gathers during the execution of the QKD protocol; then the correlation between Alice and Eve can be described by a classical-quantum state $\rho_{SE} = \sum_s P_S(s)\, |s\rangle\langle s| \otimes \sigma_{E|S=s}$, where $\{\sigma_{E|S=s}\}$ is the set of conditional quantum states held by Eve. The secrecy criterion is satisfied if the classical-quantum state $\rho_{SE} = U_S \otimes \rho_E$, where $U_S$ is the uniform mixture of all possible secret key values (or the uniform distribution on $S$).

However, in reality, perfect correctness and secrecy are not possible. To allow for some errors, we consider the following correctness criterion and secrecy criterion.

Definition 1 (Correctness). A QKD protocol is called $\epsilon_{\mathrm{cor}}$-correct if $\Pr[\hat{S} \neq S] \le \epsilon_{\mathrm{cor}}$.

Definition 2 (Secrecy). A QKD protocol is called $\epsilon_{\mathrm{sec}}$-secret if it outputs a secret key $S$ with $\|\rho_{SE} - U_S \otimes \rho_E\|_1 \le 2\Delta$ and $(1 - p_{\mathrm{abort}})\Delta \le \epsilon_{\mathrm{sec}}$, where $p_{\mathrm{abort}}$ is the probability that the protocol aborts.

Note that if the QKD protocol aborts (i.e., $S = \hat{S} = \perp$), then the secrecy criterion is trivially satisfied. In addition, it is useful to mention that we do not need to define the secrecy criterion for Bob's secret key, since if both the correctness criterion (Def. 1) and the secrecy criterion (Def. 2) are satisfied, then the secrecy of Bob's secret key is automatically satisfied. In the following, we state what it means for the protocol to be secure.


Definition 3 (Security). A QKD protocol is called $\epsilon$-secure if it is $\epsilon_{\mathrm{cor}}$-correct and $\epsilon_{\mathrm{sec}}$-secret with $\epsilon_{\mathrm{cor}} + \epsilon_{\mathrm{sec}} \le \epsilon$.

We note that the security definition given above is universally composable [17, 41], in the sense that secret keys generated by a secure QKD protocol can be safely used in other composable cryptographic tasks, e.g., the one-time-pad (OTP) encryption scheme. For example, let $\mathrm{KeyGen}_{\mathrm{real}}$ be a QKD protocol that is $\epsilon_1$-secure and $\mathrm{Encrypt}_{\mathrm{real}}$ be an encryption scheme that is $\epsilon_2$-secure (i.e., it is $\epsilon_2$-indistinguishable² from the ideal encryption scheme $\mathrm{Encrypt}_{\mathrm{ideal}}$); then universal composability means that the combined crypto-system $\mathrm{KeyGen}_{\mathrm{real}} \circ \mathrm{Encrypt}_{\mathrm{real}}$ is $(\epsilon_1 + \epsilon_2)$-secure. If $\mathrm{Encrypt}_{\mathrm{real}}$ is the OTP encryption scheme, then the crypto-system is $\epsilon_1$-secure. This means that the ciphertexts generated by the OTP encryption scheme are $\epsilon_1$-indistinguishable from ciphertexts that would have been generated with a perfectly secret key.

Similarly, if the authentication scheme used in the QKD protocol is $\epsilon_{\mathrm{auth}}$-indistinguishable from an ideal authentication scheme, then the QKD protocol is simply $(\epsilon_{\mathrm{auth}} + \epsilon_1)$-secure [42]. This also explains why the security of QKD can be analyzed under the assumption of a perfectly secure authentication scheme without any loss of generality.

In the literature, the correctness $\epsilon_{\mathrm{cor}}$ is usually determined by the error verification scheme (as we will see later), while the secrecy $\epsilon_{\mathrm{sec}}$ is generally fixed arbitrarily, e.g., from $10^{-5}$ to $10^{-14}$. Basically speaking, there is no consensus on how $\epsilon_{\mathrm{sec}}$ should be chosen; however, it should still be chosen in such a way that when the key is used with other cryptographic applications, the overall security is still reasonably good. In particular, we recommend using $\epsilon_{\mathrm{sec}} = \kappa \ell$, where $\kappa$ is a secrecy constant that is ideally comparable to the probability of an "extremely improbable" event. Here, $\kappa$ can be seen as the information leakage per generated secret bit, i.e., for any strategy, Eve has at most a probability of $1/2 + \kappa/2$ of guessing the secret bit correctly. Fixing the secrecy to be directly proportional to the secret key length also exemplifies the meaning of universal composability. For example, the secrecy of an $\ell$-bit key that is combined from two successively generated $\ell/2$-bit keys is the same as that of an $\ell$-bit key obtained in a single generation. In other words, choosing a smaller $\kappa$ would just allow the composition of more cryptographic primitives.

² More precisely, we consider a hypothetical game in which an abstract device called the distinguisher has to guess correctly the identity of the protocol (i.e., whether it is the real protocol or the ideal protocol) when given access to the inputs/outputs of the protocol. We say that the real and ideal protocols are $\epsilon$-indistinguishable if, for any distinguisher, the probability of guessing correctly is at most $1/2 + \epsilon/2$.

1.4. Extractable secret key length

Central to the security proof of QKD is the privacy amplification step, whose goal is to take a key pair, X and XˆG, which is partially correlated with system E, and convert it into a shorter secret key pair, S and S, that isˆ uniform and independent of E. This step is commonly implemented with a seeded randomness extractor, i.e., a device that takes, sayX, and a short seed of random bits Y, and outputs a shorter string S (together with Y) that is

“almost” uniform and independent of E. Here, we remind that it is sufficient to consider only the secrecy of Alice’s key, since the correctness criterion au- tomatically ensures the secrecy of Bob’s key. In particular, for the correctness to hold after the error verification step, it is necessary that Alice informs Bob the choice of extractor she is using. This is why strong extractors are used here: to ensure that the secret key is independent of the seed as well.

More formally, let the system $XE$ be described by a classical-quantum state
$$\rho_{XE} = \sum_x P_X(x)\,|x\rangle\langle x| \otimes \rho_{E|X=x},$$
and let $\mathcal F$ be a family of functions $\{h_y\}_y$ from $\mathcal X$ to $\mathcal S$, where $\{P_Y(y)\}_y$ is a probability distribution on $\mathcal F$. The quality of the output string $S = h_y(X)$ is given, on average, by
$$d_{\mathrm{sec}}(S|EY) := \frac{1}{2}\left\|\rho_{SEY} - U_S \otimes \rho_E \otimes U_Y\right\|_1 \le \Delta, \qquad (1.1)$$
where
$$\rho_{SEY} = \sum_y P_Y(y)\,\rho_{h_y(X)E} \otimes |y\rangle\langle y|$$
is the final state after averaging over all possible choices of $h_y$. Note that $d_{\mathrm{sec}}(S|EY) \le \Delta$ implies a $\Delta$-secret (see Def. 2) key $S$, due to the fact that the trace distance cannot increase when applying a trace-preserving quantum operation (in our case a partial trace operation).

In order to quantify the amount of randomness that can be extracted from $X$ given quantum side information $E$, we need an entropy measure that captures (appropriately) the amount of correlation between $X$ and $E$. This brings us to the min-entropy of $X$ given $E$, which is defined as
$$H_{\min}(X|E) := -\log_2 P_{\mathrm{guess}}(X|E), \qquad (1.2)$$
where
$$P_{\mathrm{guess}}(X|E) := \max_{\mathcal M: E \to V} \sum_v P_V(v|\mathcal M)\, \max_x P_{X|V}(x|v,\mathcal M). \qquad (1.3)$$
The guessing probability $P_{\mathrm{guess}}(X|E)$ can be understood as follows. Suppose $\mathcal M$ is the positive-operator valued measure (POVM) which Eve uses to measure her quantum state $E$, and the outcome is stored in a classical register $V$. Then for each $v$, the probability that Eve guesses $X$ correctly is the maximum of $\{P_{X|V}(x|v,\mathcal M)\}_x$. Using the fact that the measurement is probabilistic, Eve's guessing probability (for a fixed $\mathcal M$) is on average given by $\sum_v P_V(v|\mathcal M)\max_x P_{X|V}(x|v,\mathcal M)$. The maximum guessing probability is then obtained by maximizing over all POVMs. In the case where $X$ and $E$ are independent systems, it can easily be verified that $H_{\min}(X|E)$ reduces to $H_{\min}(X) = -\log_2 \max_x\{P_X(x)\}$, which measures the amount of randomness in $X$ and is, in fact, the strongest notion of entropy measure.

Now, we are ready to state a result due to Ref. [17], which is essentially a quantum version of the leftover-hash lemma with the min-entropy characterization. Specifically, let $\mathcal F$ be a two-universal (footnote 3) family of hash functions; then an $\ell$-bit secret key $S$ of quality $d_{\mathrm{sec}}(S|E\mathcal F) \le \Delta$ can be extracted from $X$, where
$$d_{\mathrm{sec}}(S|E\mathcal F) \le \frac{1}{2}\sqrt{2^{\ell - H_{\min}(X|E)_\rho}} = \Delta. \qquad (1.4)$$
This implies that the extractable secret key length is
$$\ell = \left\lfloor H_{\min}(X|E)_\rho - 2\log_2\frac{1}{2\Delta} \right\rfloor. \qquad (1.5)$$

To deal with single-shot scenarios, i.e., scenarios based on finite resources, it turns out that a smoothed version of the min-entropy (i.e., the smooth min-entropy [17]) is optimal, as we will see later, especially in the case of randomness extraction. The smooth min-entropy is actually an optimization of the min-entropy: it maximizes $H_{\min}(X|E)$ (which is evaluated on $\rho_{XE}$) by evaluating it over a set of quantum states $\sigma_{XE}$ that are in close proximity to $\rho_{XE}$. More specifically, the set of states $\sigma_{XE}$ that are used in the optimization is defined as
$$\mathcal B^{\varepsilon}(\rho_{XE}) := \{\sigma_{XE} \in \mathcal S(\mathcal H_{XE}) : P(\sigma_{XE}, \rho_{XE}) \le \varepsilon\},$$
where $P(\sigma,\rho) := \left(1 - \|\sqrt{\sigma}\sqrt{\rho}\|_1^2\right)^{1/2}$ is the purified distance (see Ref. [44]). Note that the original definition of smooth min-entropy is based on the trace distance instead of the purified distance. For normalized states, the purified distance is related to the trace distance as follows: $D(\sigma,\rho) \le P(\sigma,\rho) \le \sqrt{2D(\sigma,\rho)}$.

Formally, for some $0 \le \varepsilon < 1$, the smooth min-entropy of $\rho_{XE}$ is defined as [17,44]
$$H^{\varepsilon}_{\min}(X|E) := \max_{\sigma_{XE} \in \mathcal B^{\varepsilon}(\rho_{XE})} H_{\min}(X|E)_{\sigma}. \qquad (1.6)$$
In the following, we provide a simple and operational example that illustrates the optimality of the smooth min-entropy. Suppose we have a weak random source $X$ of length $k$ where $P_X(x_1) = 1/k$ and $P_X(x_j) = (1-1/k)/(2^k-1)$ for all $j > 1$. The min-entropy of the source is then $H_{\min}(X) = \log_2 k$, which implies that the number of extractable random bits is $\log_2 k$. Now, if we allow the extraction to have a small error $1/k$ (i.e., the output is $1/k$-close to uniform), then we may consider a probability distribution $Q_X$ that is $1/k$-close to $P_X$. Specifically, using the definition in Eq. (1.6), we have $H^{1/k}_{\min}(X)_{P_X} = H_{\min}(X)_{Q_X} = k$, where the maximum is attained by the uniform distribution $Q_X(x) = U_X = 1/2^k$. Indeed, we have $D(P_X, U_X) = P(P_X, U_X) = 1/k$. This shows that by considering a slightly less ideal output, the number of extractable random bits can be increased to $k$ (which is exponentially more than the min-entropy characterization).

Footnote 3: Introduced by Wegman and Carter [39,43], $\mathcal F$ is called two-universal if $\Pr[h_y(x) = h_y(x')] \le 1/|\mathcal S|$ for any two different $x, x' \in \mathcal X$ and for a hash function $h_y$ chosen uniformly at random.
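To make the smoothing example concrete, the following Python code is an added illustration (it is not code from the thesis): it builds the weak source above for a chosen $k$, computes its min-entropy and its trace distance to the uniform distribution, computes the smooth min-entropy of a classical distribution over a trace-distance ball (an assumed simplification, since Eq. (1.6) smooths over the purified distance), and evaluates the extractable length of Eq. (1.5). All function names are my own.

```python
import math


def weak_source(k):
    """Constructed k-bit source from the text: P(x_1) = 1/k and
    P(x_j) = (1 - 1/k) / (2^k - 1) for the remaining 2^k - 1 strings."""
    m = 2 ** k
    return [1.0 / k] + [(1.0 - 1.0 / k) / (m - 1)] * (m - 1)


def min_entropy(p):
    """H_min(X) = -log2 max_x P_X(x), i.e. Eq. (1.2) without side information."""
    return -math.log2(max(p))


def trace_distance(p, q):
    """D(P, Q) = (1/2) sum_x |P(x) - Q(x)| for classical distributions."""
    return 0.5 * sum(abs(a - b) for a, b in zip(p, q))


def smooth_min_entropy_classical(p, eps, iters=60):
    """Smooth min-entropy of a classical distribution over the trace-distance
    ball of radius eps (assumed variant of Eq. (1.6), which uses the purified
    distance).  To push the largest probability down to a cap c one must move
    the mass above c elsewhere, which costs exactly that mass in trace distance,
    so the smallest feasible cap is the smallest c with sum_x max(P(x)-c, 0) <= eps.
    The cap can never go below 1/|X| (uniform distribution), so we bisect on
    [1/|X|, max P]."""
    lo, hi = 1.0 / len(p), max(p)
    for _ in range(iters):
        mid = (lo + hi) / 2
        excess = sum(max(x - mid, 0.0) for x in p)
        if excess <= eps:
            hi = mid          # cap mid is reachable within eps
        else:
            lo = mid          # too much mass above mid: cap must be higher
    return -math.log2(hi)


def extractable_length(hmin, delta):
    """Eq. (1.5): l = floor(H_min - 2 log2(1 / (2 delta)))."""
    return math.floor(hmin - 2 * math.log2(1.0 / (2.0 * delta)))


if __name__ == "__main__":
    k = 8
    p = weak_source(k)
    u = [1.0 / len(p)] * len(p)
    print("H_min        =", min_entropy(p))                     # log2(k) = 3
    print("D(P, U)      =", trace_distance(p, u))               # just below 1/k
    print("H_min^(1/k)  =", smooth_min_entropy_classical(p, 1.0 / k))   # k = 8
    print("length, unsmoothed:", extractable_length(min_entropy(p), 0.25))
    print("length, smoothed  :", extractable_length(k, 0.25))
```

With $k = 8$ and extraction error $\Delta = 1/4$, the unsmoothed min-entropy yields a single extractable bit, while smoothing by $1/k$ yields six: the exponential gain the text describes, here visible on an 8-bit alphabet.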

Finally, we are ready to present the quantum leftover-hash lemma using the smooth min-entropy characterization.

Lemma 4 (Quantum leftover-hash lemma [17,45,46]). Let $\rho_{XE}$ be the classical-quantum state describing system $XE$, let $\mathcal F$ be a two-universal family of hash functions from $\mathcal X$ to $\mathcal S = \{0,1\}^{\ell}$, and let $0 < \beta \le \varepsilon/2 < 1$. Then
$$d_{\mathrm{sec}}(S|EY) \le 2\left(\frac{\varepsilon}{2} - \beta\right) + 2^{\frac{3}{2}}\left(2^{\ell - H^{\varepsilon/2-\beta}_{\min}(X|E)}\right)^{\frac{1}{4}}, \qquad (1.7)$$
for $\rho_{SEY} = \rho_{\mathcal F(X)EY}$.

The secrecy of the output string $S$ can be made independent of $\beta$ by choosing the secret key length to be
$$\ell = \max_{\beta}\left\lfloor H^{\varepsilon/2-\beta}_{\min}(X|E) + 4\log_2\beta - 2 \right\rfloor, \qquad (1.8)$$
where the maximization is taken over all $\beta \in (0, \varepsilon/2]$. In particular, this choice of $\ell$ gives $d_{\mathrm{sec}}(S|EY) \le \varepsilon$.

Based on the above, it is clear that the security of QKD is achieved as soon as one has an estimate of the smooth min-entropy. To compute the smooth min-entropy, security analyses generally work in an entanglement-based picture, where Alice and Bob make random local measurements on entangled bipartite quantum systems to obtain the raw keys [47,48]. The benefit of working in an entanglement-based picture lies in the fact that the amount of information Eve can have about the raw keys is directly related to the amount of entanglement between Alice and Bob: a consequence of the monogamy of entanglement [49,50]. Therefore, a large part of the security analysis consists in parameterizing the initial quantum systems shared between Alice and Bob. However, as mentioned in the introduction, the state space of the overall quantum system is typically very large, and as a result, the security analysis becomes extremely intractable. For example, a $10^6$-bit raw key would require about $16^{10^6}$ real parameters to parameterize the initial quantum systems.

To tackle the above problem, powerful techniques like the exponential de Finetti theorem [17] and the post-selection technique [18] have been proposed. In particular, these techniques allow one to restrict the security analysis to collective attacks, which significantly reduces the number of parameters needed. As a case in point, applying the exponential de Finetti theorem (or the post-selection technique) to the earlier example would reduce the number of real parameters from $16^{10^6}$ to just 15. However, there is a price to pay in that these techniques necessarily introduce correction terms that are highly dependent on the raw key size (or, the classical-post-processing block size). In fact, it turns out that at least a $10^6$-bit block size is needed to generate positive secret keys.

In the following chapter, we show that, for a variant of the BB84 protocol, a more direct approach to calculate the smooth min-entropy can be realized by using a family of entropic uncertainty relations.

2. Bennett-Brassard 1984 QKD

In this section, we consider an asymmetric encoding entanglement-based BB84 protocol [21], where one basis is used for secret key generation and the other basis is used for parameter estimation. Recall that in QKD, Alice and Bob are connected by a potentially insecure quantum channel. Here, on one end of this channel, Alice controls a source device that allows her to prepare one of the four qubit states, $|0\rangle, |1\rangle, |+\rangle, |-\rangle$, where $\{|0\rangle, |1\rangle\}$ is the computational basis and $\{|+\rangle, |-\rangle\}$ is the Hadamard basis. On the other end of the channel, Bob controls a measurement device that has two measurement settings, namely setting $\mathsf X$ and $\mathsf Z$, and it outputs one of the three possible outcomes, $\{0, 1, \emptyset\}$ (footnote 1), whenever he chooses one of the settings. It is assumed that for any input quantum state to the measurement device, the probability of getting a conclusive outcome, 0 or 1, is independent of Bob's measurement choice, and that each successive use of the measurement device is independent. Apart from these two assumptions, no other assumptions are required about Bob's measurement device.

Footnote 1: Here, $\emptyset$ is used to indicate all non-conclusive events, e.g., no detection and double detection.

2.1. Protocol description

We now define a QKD protocol that is parameterized by the following parameters: the post-processing block size, $n$, the number of bits used for parameter estimation, $k$, the secret key length, $\ell$, the channel error tolerance, $Q_{\mathrm{tol}}$, the required correctness, $\varepsilon_{\mathrm{cor}}$, and the error correction leakage, $\mathrm{Synd}_{\mathrm{EC}}$. In the following, the protocol is specified in more detail, and we assume that Alice's source device is operated for $i = 1, 2, \dots, N$ times until the condition in the sifting step is met.

Preparation: Alice first chooses a basis $a_i \in \{\mathsf X, \mathsf Z\}$, where $\mathsf X$ is chosen with probability $p_x := \left(1 + \sqrt{k/n}\right)^{-1}$ and $\mathsf Z$ with probability $p_z := 1 - p_x$. Then, she chooses a uniformly random bit $y_i \in \{0,1\}$ and prepares a qubit in the state of basis $a_i$ given by $y_i$, and sends it through the quantum channel to Bob.

Measurement: On Bob's side, he chooses a basis $b_i \in \{\mathsf X, \mathsf Z\}$ with probabilities $p_x$ and $1 - p_x$, respectively, and records the measurement outcome in $\hat y_i \in \{0, 1, \emptyset\}$.

Sifting: After the measurement, Alice and Bob broadcast their basis choices over the public channel and identify the sets $\mathcal X := \{i : a_i = b_i = \mathsf X \wedge \hat y_i \ne \emptyset\}$ and $\mathcal Z := \{i : a_i = b_i = \mathsf Z \wedge \hat y_i \ne \emptyset\}$. The sifting condition is met if $|\mathcal X| \ge n$ and $|\mathcal Z| \ge k$.

Parameter Estimation: Alice and Bob choose a random subset of size $n$ of $\mathcal X$ and store the corresponding bits, $y_i$ and $\hat y_i$, into raw keys, $X$ and $\hat X$, respectively. Likewise, they choose a random subset of size $k$ of $\mathcal Z$ and store the corresponding bits into strings $Z$ and $\hat Z$, respectively. Next, they compute the average error $\lambda := \frac{1}{|Z|}|Z \oplus \hat Z|$, where $|A \oplus B|$ is defined as the Hamming weight of $A \oplus B$, i.e., the Hamming distance between strings $A$ and $B$. The protocol aborts if $\lambda > Q_{\mathrm{tol}}$.

Error Correction/Verification: An error correction scheme that publishes at most $\mathrm{Synd}_{\mathrm{EC}}$ bits of classical error correction data is applied. This allows Bob to compute an estimate, $\hat X_G$, of $X$. Then, Alice computes a hash of length $\lceil \log(1/\varepsilon_{\mathrm{cor}}) \rceil$ by applying a random two-universal hash function [39,40] to $X$. She sends the choice of the hash function and the hash to Bob. If the hash of $\hat X_G$ disagrees with the hash of $X$, Bob aborts the protocol.

Privacy Amplification: Alice extracts $\ell$ bits of secret key $S$ from $X$ using a random two-universal hash function [17,45,46]. The choice of function is communicated to Bob, who then uses it to calculate $\hat S$.
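As an added illustration (this is not code from the thesis), the following Python script runs the protocol steps of Section 2.1 end to end on a constructed channel model: a lost photon gives the outcome $\emptyset$, a same-basis round returns Alice's bit flipped with probability `flip_prob`, and a mismatched-basis round returns a uniformly random bit. Two assumptions are mine and not the thesis's: error correction is a stand-in in which Alice publishes the three Hamming(7,4) parities of each 4-bit block, so $\mathrm{Synd}_{\mathrm{EC}} = 3n/4$, and the two-universal hash family for both error verification and privacy amplification is the family of uniformly random binary matrices over GF(2). The key length $\ell$ is taken as an input, as in the protocol description, rather than computed from the bounds of Section 2.2.

```python
import math
import random


def random_two_universal_hash(rng, n_in, n_out):
    """Uniformly random n_out x n_in binary matrix M with h_M(x) = M x (mod 2).
    For x != x' the difference d = x xor x' is non-zero, so M d is uniform on
    {0,1}^n_out and Pr[h_M(x) = h_M(x')] = 2^-n_out: the family is two-universal."""
    return [[rng.getrandbits(1) for _ in range(n_in)] for _ in range(n_out)]


def apply_hash(matrix, bits):
    return [sum(m & b for m, b in zip(row, bits)) % 2 for row in matrix]


def hamming_parities(d):
    """Alice's 3 parity bits for a 4-bit data block placed at Hamming positions 3,5,6,7
    (stand-in error-correction scheme, constructed for this example)."""
    a, b, c, e = d
    return [a ^ b ^ e, a ^ c ^ e, b ^ c ^ e]          # parity positions 1, 2, 4


def hamming_correct(d, p):
    """Bob corrects at most one error in his 4-bit block using Alice's parities."""
    a, b, c, e = d
    s1, s2, s4 = p[0] ^ a ^ b ^ e, p[1] ^ a ^ c ^ e, p[2] ^ b ^ c ^ e
    pos = s1 + 2 * s2 + 4 * s4                         # 0: no error, else position
    where = {3: 0, 5: 1, 6: 2, 7: 3}                   # data positions -> block index
    d = list(d)
    if pos in where:
        d[where[pos]] ^= 1
    return d


def run_bb84(n, k, ell, q_tol, eps_cor, rng, flip_prob=0.0, loss_prob=0.0):
    """One run of the protocol of Section 2.1 on the constructed channel model.
    n must be a multiple of 4 because of the block-wise stand-in error correction."""
    assert n % 4 == 0
    p_x = 1.0 / (1.0 + math.sqrt(k / n))                # basis bias of the protocol
    sift_x, sift_z = [], []                              # conclusive same-basis rounds
    N = 0
    while len(sift_x) < n or len(sift_z) < k:            # sifting condition
        N += 1
        a, y = ("X" if rng.random() < p_x else "Z"), rng.getrandbits(1)   # Preparation
        b = "X" if rng.random() < p_x else "Z"                            # Measurement
        if rng.random() < loss_prob:
            continue                                     # outcome is the empty symbol
        y_hat = y ^ (rng.random() < flip_prob) if a == b else rng.getrandbits(1)
        if a == b:
            (sift_x if a == "X" else sift_z).append((y, y_hat))
    # Parameter estimation on a random size-k subset of the Z rounds
    raw = rng.sample(sift_x, n)
    pe = rng.sample(sift_z, k)
    lam = sum(y ^ y_hat for y, y_hat in pe) / k
    if lam > q_tol:
        return {"abort": "parameter estimation", "N": N, "lambda": lam}
    x_alice = [y for y, _ in raw]
    x_bob = [y_hat for _, y_hat in raw]
    # Error correction: Synd_EC = 3n/4 published bits
    synd = [hamming_parities(x_alice[i:i + 4]) for i in range(0, n, 4)]
    x_bob_corr = []
    for i, p in zip(range(0, n, 4), synd):
        x_bob_corr += hamming_correct(x_bob[i:i + 4], p)
    # Error verification with a hash of ceil(log2(1/eps_cor)) bits
    c = math.ceil(math.log2(1.0 / eps_cor))
    h_ver = random_two_universal_hash(rng, n, c)
    if apply_hash(h_ver, x_alice) != apply_hash(h_ver, x_bob_corr):
        return {"abort": "error verification", "N": N, "lambda": lam}
    # Privacy amplification: both sides apply the same announced hash
    h_pa = random_two_universal_hash(rng, n, ell)
    return {"abort": None, "N": N, "lambda": lam, "synd_ec": 3 * n // 4,
            "S": apply_hash(h_pa, x_alice), "S_hat": apply_hash(h_pa, x_bob_corr)}


if __name__ == "__main__":
    rng = random.Random(7)
    print(run_bb84(200, 100, 16, 0.05, 1e-6, rng))
    print(run_bb84(200, 100, 16, 0.05, 1e-6, rng, flip_prob=0.02, loss_prob=0.3))
```

On a noiseless run the observed $\lambda$ is 0 and $S = \hat S$. With a 2% flip rate the block-wise corrector occasionally leaves two errors in one block; the verification hash then catches the residual mismatch with probability $1 - 2^{-c}$, which is exactly the correctness guarantee $\varepsilon_{\mathrm{cor}}$ of Theorem 1 later in this chapter.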

2.2. Bounds on secret key length

Recently, entropic uncertainty relations [51,52], a family of state-independent entropic inequalities, have been proposed as a tool to analyze the security of QKD [B.1]. In contrast to the uncertainty principle, which constrains the amount of information one can extract from a quantum system, entropic uncertainty relations provide constraints on how correlations are distributed among multiple quantum systems. To some extent, one can think of entropic uncertainty relations as a consequence of two quantum phenomena, namely the monogamy of entanglement and the uncertainty principle.

To illustrate the physics of entropic uncertainty relations, it is useful to consider the following guessing game between three remote players, Alice, Bob and Eve [51]. In this game, Bob and Eve are collaborators and their goal is to predict the outcome of Alice's measurements. The game basically proceeds as follows. Bob and Eve prepare a tripartite quantum state, $\rho_{ABE}$, and send one part of it, $\rho_A = \mathrm{tr}_{BE}(\rho_{ABE})$, to Alice, who performs a measurement in either the $\mathsf X$ basis or the $\mathsf Z$ basis (here, the $\mathsf X$ and $\mathsf Z$ bases are given by the computational basis and the Hadamard basis, respectively). Then, Alice communicates her basis choice to Bob and Eve, who each make a guess of Alice's measurement outcome by performing a measurement on their respective quantum states. The game is won if both Bob and Eve guess the outcome of Alice's measurement correctly. Indeed, if Alice and Bob share a maximally entangled state, then Bob can predict the outcome of Alice's measurement correctly by using the same measurement. However, due to the monogamy of entanglement, if $\rho_{AB}$ is maximally entangled, then $\rho_{AE}$ is necessarily unentangled. That is, systems $B$ and $E$ are independent systems. This implies that Eve, at best, can only make a random guess of Alice's measurement outcome. More generally, it can be shown that the better Bob is able to guess Alice's measurement outcome in the $\mathsf Z$ basis, the less Eve is able to guess Alice's measurement outcome in the $\mathsf X$ basis. In other words, entropic uncertainty relations examine the relationship between two hypothetical measurement scenarios.

Applying the above observation to the above protocol, we see that the secrecy of $X$ depends on how well Bob would be able to guess Alice's measurement outcome if she had measured in the $\mathsf Z$ basis instead. This information is not directly given in the protocol, but it can be estimated from the events in which Alice and Bob both choose the $\mathsf Z$ basis. Specifically, by using the fact that Eve's attack strategies are independent of Alice's and Bob's basis choices, it can be shown that the error rate in the hypothetical measurement scenario (denoted by $\lambda_{\mathrm{key}}$; in the literature, this is sometimes called the phase error rate) concentrates around the observed error rate $\lambda$ (calculated from bit strings $Z$ and $\hat Z$). This comparison between

the actual and hypothetical scenarios is depicted in Fig. 2.1. Recall that in the actual scenario, there are $n$ events where Alice and Bob measure in the $\mathsf X$ basis (illustrated with blue boxes marked with "X"), and $k$ events where Alice and Bob measure in the $\mathsf Z$ basis (illustrated with red boxes marked with "Z"). To estimate the error rate $\lambda_{\mathrm{key}}$ in the hypothetical scenario associated with the blue boxes, we can combine the $n$ red boxes in the hypothetical scenario with the $k$ red boxes in the actual scenario to form a picture in which both Alice and Bob only measure in the $\mathsf Z$ basis. In this case, the $k$ red boxes in the actual scenario constitute a random sample, drawn without replacement, from $n+k$ red boxes. Then, by using standard concentration inequalities (e.g., see Refs. [53–55]) from probability theory, we have that the error rate, $\lambda_{\mathrm{key}}$, in the $n$ red boxes is roughly smaller than the error rate, $\lambda$, in the $k$ red boxes, except with a probability exponentially small in $n+k$. More formally, for some small $\alpha > 0$, we have [55]
$$\Pr\left[\lambda_{\mathrm{key}} \ge \lambda + \sqrt{\frac{(n+k)(k+1)}{nk^2}\log\frac{1}{\alpha}}\right] \le \alpha. \qquad (2.1)$$
This basically says that it is extremely unlikely that $\lambda_{\mathrm{key}}$ is greater than $\lambda$ plus a deviation term.

[Fig. 2.1: two rows of boxes. The "Actual Scenario" row is a sequence of X and Z boxes (Alice's and Bob's common basis per round); the "Hypothetical Scenario" row has a Z box in every position.]

Fig. 2.1. Here, the $n$ hypothetical red boxes associated with the $n$ blue boxes are combined with the $k$ red boxes in the actual scenario to form a hypothetical scenario where Alice and Bob only measure in the $\mathsf Z$ basis. In other words, the $k$ red boxes in the actual scenario are a random sample taken without replacement from $n+k$ red boxes. Therefore, the error rate in the $n$ hypothetical red boxes can be estimated from the error rate in the $k$ red boxes of the actual scenario by using sampling techniques from probability theory.

Now, we are ready to state a result from Ref. [B.1], which uses the above estimation technique and a class of entropic uncertainty relations [52] to bound the smooth min-entropy. In particular, we have
$$H^{\varepsilon'}_{\min}(X|E) \ge n - n\,h\big(\lambda + r(\varepsilon, n, k)\big), \qquad (2.2)$$
where
$$r(\varepsilon, n, k) := \sqrt{\frac{n+k}{nk}\,\frac{k+1}{k}\,\log\frac{1}{\varepsilon}}, \qquad (2.3)$$
and $\varepsilon = \varepsilon'/(1 - p_{\mathrm{abort}})$; recall that $p_{\mathrm{abort}}$ is the probability that the protocol fails the parameter estimation step. Here, we see that for given parameters $n$, $k$ and $\lambda$, the only way Eq. (2.2) can be improved is to use tighter concentration inequalities, i.e., a smaller deviation term for a fixed confidence level $\varepsilon$. To start with, we note that most standard concentration inequalities are inherently based on Markov's inequality, which has the remarkable property that it applies to any distribution with positive values. In particular, Markov's inequality says that the probability of a random variable, $Y$, taking values equal to or greater than some positive constant, $a$, is upper bounded by the expectation value of $Y$ divided by $a$. However, due to the generality of Markov's inequality, the bounds given by it are generally weak. In other words, standard concentration inequalities based on Markov's inequality have a fundamental limitation in their accuracy.

In the following, we derive a concentration inequality that is specially tailored for the estimation problem at hand, and as a result, we obtain a deviation term that is about 10 times smaller than the one given by Eq. (2.3) for the same confidence level. As a side note, we remark that this result may be of independent interest, e.g., in machine learning theory.

Lemma 5. Let $\mathcal Z := \{z_1, z_2, z_3, \dots, z_{n+k}\}$ be a list of bits, where the number of ones is unknown. Let $\mathcal Z_{\mathrm{pe}}$ be a random sample (taken without replacement) of size $k$ of $\mathcal Z$, and let $k\lambda$ be the number of ones observed, where $0 < \lambda \le 1/2$. In addition, let the remaining bits be $\mathcal Z_{\mathrm{key}} = \mathcal Z \setminus \mathcal Z_{\mathrm{pe}}$ with $\lambda_{\mathrm{key}} = \sum_{z_i \in \mathcal Z_{\mathrm{key}}} z_i / n$. Then, for $\varepsilon > 0$,
$$\Pr\left[\lambda_{\mathrm{key}} \ge \lambda + t(\varepsilon, n, k, \lambda)\right] < \varepsilon, \qquad (2.4)$$
where
$$t(\varepsilon, n, k, \lambda) := \sqrt{\frac{2(n+k)\lambda(1-\lambda)}{kn}\,\log\frac{\sqrt{n+k}\,C(n,k,\lambda)\,\varepsilon^{-1}}{\sqrt{2\pi nk\lambda(1-\lambda)}}}, \qquad (2.5)$$
$$C(n, k, \lambda) := \exp\left(\frac{1}{8(n+k)} + \frac{1}{12k} - \frac{1}{12k\lambda + 1} - \frac{1}{12k(1-\lambda) + 1}\right).$$

Proof. Let random variables $W_{\mathrm{pe}}$ and $W_{\mathrm{key}}$ be the number of ones in $\mathcal Z_{\mathrm{pe}}$ and $\mathcal Z_{\mathrm{key}}$, respectively. Then, the number of ones in the list is given by the random variable $W = W_{\mathrm{pe}} + W_{\mathrm{key}}$. The goal here is to show that the joint probability of $W_{\mathrm{key}} \ge (n/k)W_{\mathrm{pe}} + nt$ and $W_{\mathrm{pe}} = k\lambda$, for some small $t > 0$, is extremely unlikely for sufficiently large $n+k$. To do that, we first note that
$$\begin{aligned}
\Pr\left[W_{\mathrm{key}}/n \ge \lambda + t\right]
&= \Pr\left[W_{\mathrm{pe}} = k\lambda,\ W_{\mathrm{key}} \ge n\lambda + nt\right] \\
&= \Pr\left[W_{\mathrm{pe}} = k\lambda,\ W \ge (n+k)\lambda + nt\right] \\
&= \sum_{w \ge (n+k)\lambda + nt} \Pr\left[W_{\mathrm{pe}} = k\lambda,\ W = w\right] \\
&= \sum_{w \ge (n+k)\lambda + nt} \Pr\left[W_{\mathrm{pe}} = k\lambda \mid W = w\right] \Pr[W = w] \\
&= \sum_{w \ge (n+k)\lambda + nt} \frac{\binom{k}{k\lambda}\binom{n}{w - k\lambda}}{\binom{n+k}{w}}\,\Pr[W = w],
\end{aligned}$$
where the last equality uses the fact that $\Pr[W_{\mathrm{pe}} = k\lambda \mid W = w]$ is given by a hypergeometric distribution, i.e., the probability of getting $k\lambda$ ones in $k$ bits drawn randomly without replacement from $n+k$ bits with $w$ ones. Then, by noting that $\Pr[W_{\mathrm{pe}} = k\lambda \mid W = w]$ is strictly decreasing for $w > (n+k)\lambda + nt$, we further get

$$\Pr\left[W_{\mathrm{key}}/n \ge \lambda + t\right] \le \frac{\binom{k}{k\lambda}\binom{n}{n\lambda + nt}}{\binom{n+k}{(n+k)\lambda + nt}} = \frac{\binom{k}{k\lambda}\binom{n}{n\lambda_{\mathrm{key}}}}{\binom{n+k}{(n+k)\lambda_{\mathrm{all}}}}, \qquad (2.6)$$
where $\lambda_{\mathrm{key}} = \lambda + t$ and $\lambda_{\mathrm{all}} = k\lambda/(n+k) + n\lambda_{\mathrm{key}}/(n+k)$. Next, we make use of a sharp double inequality for the binomial coefficient [56]:
$$e^{-\frac{1}{8n}}\,G(\alpha, n) < \binom{n}{\alpha n} < e^{\frac{1}{12n} - \frac{1}{12n\alpha + 1} - \frac{1}{12n(1-\alpha) + 1}}\,G(\alpha, n),$$
where for $\alpha \in (0, 1/2]$ and $n \in \mathbb N^{+}$,
$$G(\alpha, n) := \frac{\alpha^{-\alpha n}(1-\alpha)^{-(1-\alpha)n}}{\sqrt{2\pi n\alpha(1-\alpha)}}.$$
Applying this inequality to Eq. (2.6), we get

$$\frac{\binom{k}{k\lambda}\binom{n}{n\lambda_{\mathrm{key}}}}{\binom{n+k}{(n+k)\lambda_{\mathrm{all}}}} < \frac{\exp\!\big(\log(2)\,[k\,h(\lambda) - (n+k)\,h(\lambda_{\mathrm{all}}) + n\,h(\lambda_{\mathrm{key}})]\big)\; C(n, k, \lambda)}{\sqrt{2\pi nk\lambda(1-\lambda)/(n+k)}}, \qquad (2.7)$$
where
$$C(n, k, \lambda) := \exp\left(\frac{1}{8(n+k)} + \frac{1}{12k} - \frac{1}{12k\lambda + 1} - \frac{1}{12k(1-\lambda) + 1}\right).$$

Note that we used $\sqrt{\lambda_{\mathrm{all}}(1-\lambda_{\mathrm{all}})} \le \sqrt{\lambda_{\mathrm{key}}(1-\lambda_{\mathrm{key}})}$ (recall that by construction we have $\lambda_{\mathrm{key}} \ge \lambda_{\mathrm{all}}$), and $\exp(\log(2)\,h(\alpha)) = \alpha^{-\alpha}(1-\alpha)^{-(1-\alpha)}$. Then, by using an inequality for the binary entropy function, i.e., $h(x) \le h(x_0) + h'(x_0)(x - x_0) + h''(x_0)(x - x_0)^2/2 + h'''(x_0)(x - x_0)^3/6$, we further get
$$n\,h(\lambda_{\mathrm{key}}) - (n+k)\,h(\lambda_{\mathrm{all}}) + k\,h(\lambda) \le \frac{h''(\lambda_{\mathrm{all}})}{2}\,\frac{t^2 nk}{n+k} = -\frac{t^2 nk}{2\log(2)(n+k)\lambda_{\mathrm{all}}(1-\lambda_{\mathrm{all}})} \le -\frac{t^2 nk}{2\log(2)(n+k)\lambda(1-\lambda)}, \qquad (2.8)$$
where the last inequality is obtained by noting that $[x(1-x)]^{-1}$ is a decreasing function for $x \in (0, 1/2]$ and that $\lambda_{\mathrm{all}} \ge \lambda$. Inserting Eq. (2.8) into Eq. (2.7) gives

$$\frac{\binom{k}{k\lambda}\binom{n}{n\lambda_{\mathrm{key}}}}{\binom{n+k}{(n+k)\lambda_{\mathrm{all}}}} < \exp\left(-\frac{t^2 nk}{2(n+k)\lambda(1-\lambda)}\right)\frac{C(n, k, \lambda)}{\sqrt{2\pi nk\lambda(1-\lambda)/(n+k)}} =: \varepsilon.$$
The deviation parameter, $t$, is thus
$$t(\varepsilon, n, k, \lambda) := \sqrt{\frac{2(n+k)\lambda(1-\lambda)}{nk}\,\log\frac{\sqrt{n+k}\,C(n, k, \lambda)\,\varepsilon^{-1}}{\sqrt{2\pi nk\lambda(1-\lambda)}}}.$$

Comparing the deviation terms, $r(\varepsilon, n, k)$ and $t(\varepsilon, n, k, \lambda)$, we see that the new deviation term has an improvement factor roughly given by $\sqrt{2\lambda(1-\lambda)}$. Indeed, for typical error rates, e.g., $\lambda \approx 0.01$, $t(\varepsilon, n, k, \lambda)$ is approximately 10 times more accurate than $r(\varepsilon, n, k)$. As we will see later, this improved accuracy in estimating $\lambda_{\mathrm{key}}$ allows us to extract secret bits from $X$ even for very small post-processing block sizes (e.g., $n \approx 400$ bits).

With the relevant tools in hand, we now show that the protocol described above is both $\varepsilon_{\mathrm{cor}}$-correct and $\varepsilon_{\mathrm{sec}}$-secret if the secret key length, $\ell$, is chosen appropriately. In particular,

Theorem 1. For protocol parameters $n$, $k$, $\ell$, $Q_{\mathrm{tol}}$, $\varepsilon_{\mathrm{cor}}$ and $\mathrm{Synd}_{\mathrm{EC}}$, the protocol is $\varepsilon_{\mathrm{cor}}$-correct.

Proof. In the error verification step, Alice chooses a two-universal hash function, $h_y$, uniformly at random, and sends it to Bob via the public channel. Then, they calculate the hash values of their respective strings and compare them on the public channel. If the hash values do not match, they abort the protocol. Let $\{h_y\}_y$ be a two-universal family of hash functions from $\{0,1\}^n$ to $\{0,1\}^c$, and let it be the one used in the error verification step. By definition, for any randomly chosen hash function $h_y$ and $X \ne \hat X_G$, the probability that $h_y(X)$ and $h_y(\hat X_G)$ are identical is at most $1/2^c$. Conditioning on passing the error verification step, i.e., $h_y(X) = h_y(\hat X_G)$, and using $\Pr[S \ne \hat S] = \Pr[h_y(X) \ne h_y(\hat X_G)] \le \Pr[X \ne \hat X_G]$, we thus have
$$\Pr\left[S \ne \hat S\right] \le 2^{-c} = \varepsilon_{\mathrm{cor}},$$
where the equality is given by $c := \lceil \log_2(1/\varepsilon_{\mathrm{cor}}) \rceil$.

Theorem 2. For protocol parameters $n$, $k$, $\ell$, $Q_{\mathrm{tol}}$, $\varepsilon_{\mathrm{cor}}$ and $\mathrm{Synd}_{\mathrm{EC}}$, the protocol is $\varepsilon_{\mathrm{sec}}$-secret if the secret key length $\ell$ satisfies
$$\ell \le \max_{\varepsilon_{\mathrm{pe}},\,\beta} \left\lfloor n - n\,h\big(Q_{\mathrm{tol}} + t(\varepsilon_{\mathrm{pe}}, n, k, \lambda)\big) - \mathrm{Synd}_{\mathrm{EC}} - \log_2\frac{8}{\beta^4\varepsilon_{\mathrm{cor}}} \right\rfloor, \qquad (2.9)$$
where the maximization is taken over $\varepsilon_{\mathrm{pe}}, \beta > 0$ such that $2\varepsilon_{\mathrm{pe}} + 2\beta \le \varepsilon_{\mathrm{sec}}$.

Proof. We recall that $E$ is the information that Eve gathers during the distribution phase. To account for the classical information that has been revealed in the classical-post-processing phase, we need to consider a new system $E^{+}$ that takes into account the information revealed during the error correction and error verification steps. That is, $E^{+}$ is a collection of $E$, the $\mathrm{Synd}_{\mathrm{EC}}$ bits of error correction data and the $\lceil \log_2(1/\varepsilon_{\mathrm{cor}}) \rceil$-bit verification hash. From Lemma 4, we know that by applying a two-universal family of hash functions from $\{0,1\}^n$ to $\{0,1\}^{\ell}$, a $\Delta$-secret key of size $\ell$ can be extracted from $X$, where
$$\Delta = 2\left(\frac{\varepsilon}{2} - \beta\right) + 2^{\frac{3}{2}}\left(2^{\ell - H^{\varepsilon/2-\beta}_{\min}(X|E^{+})}\right)^{\frac{1}{4}}, \qquad (2.10)$$
and $0 < \beta \le \varepsilon/2 < 1$.

Next, we need to show that
$$H^{\varepsilon/2-\beta}_{\min}\left(X|E^{+}\right) \ge n - n\,h\big(\lambda + t(\varepsilon/2 - \beta, n, k, \lambda)\big) - \mathrm{Synd}_{\mathrm{EC}} - \log_2\frac{2}{\varepsilon_{\mathrm{cor}}}. \qquad (2.11)$$

To do that, we first use a chain rule [17, Theorem 3.2.12] for smooth min-entropies to get
$$H^{\varepsilon/2-\beta}_{\min}\left(X|E^{+}\right) \ge H^{\varepsilon/2-\beta}_{\min}(X|E) - \mathrm{Synd}_{\mathrm{EC}} - \log_2\frac{2}{\varepsilon_{\mathrm{cor}}}.$$
This inequality has an intuitive interpretation: the maximum amount of information Eve can gather about $X$ during the classical-post-processing phase is simply the size of the information published. Now it remains to bound the smooth min-entropy of $X$ given $E$. This is obtained by using Eq. (2.2) with the new deviation term, $t(\varepsilon_{\mathrm{pe}}, n, k, \lambda)$ (i.e., see Eq. (2.4)),
$$H^{\varepsilon/2-\beta}_{\min}(X|E) \ge n - n\,h\big(\lambda + t(\varepsilon_{\mathrm{pe}}, n, k, \lambda)\big), \qquad \text{where } \varepsilon_{\mathrm{pe}} = \left(\frac{\varepsilon}{2} - \beta\right)\sqrt{1 - p_{\mathrm{abort}}}.$$
Putting the last two expressions together gives Eq. (2.11). Next, we combine Eq. (2.10) and Eq. (2.11) to get
$$\Delta \le 2\left(\frac{\varepsilon}{2} - \beta\right) + 2^{\frac{3}{2}}\left(2^{\ell - \left(n - n\,h(\lambda + t(\varepsilon_{\mathrm{pe}}, n, k, \lambda)) - \mathrm{Synd}_{\mathrm{EC}} - \log_2\frac{2}{\varepsilon_{\mathrm{cor}}}\right)}\right)^{\frac{1}{4}}. \qquad (2.12)$$
Finally, by using the proposed secret key length $\ell$ (i.e., Eq. (2.9)), we have
$$\Delta \le 2\left(\frac{\varepsilon}{2} - \beta\right) + 2\beta,$$
which is conditioned on the protocol passing all the tests. If we remove this conditioning, we thus have
$$(1 - p_{\mathrm{abort}})\,\Delta \le 2\varepsilon_{\mathrm{pe}} + 2\beta \le \varepsilon_{\mathrm{sec}}.$$
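The following Python code is an added example, not the thesis's own code, serving both the comparison of the two deviation terms (Lemma 5 versus Eq. (2.3)) and the key-length bound of Theorem 2. It implements $r(\varepsilon,n,k)$ from Eq. (2.3), $C(n,k,\lambda)$ and $t(\varepsilon,n,k,\lambda)$ from Eq. (2.5) (natural logarithms, as in the derivation from $\exp$), their ratio, and Eq. (2.9) maximised over $(\varepsilon_{\mathrm{pe}}, \beta)$ subject to $2\varepsilon_{\mathrm{pe}} + 2\beta \le \varepsilon_{\mathrm{sec}}$. Two things are my assumptions: the maximisation is a simple linear grid search over the split of $\varepsilon_{\mathrm{sec}}/2$ between $\varepsilon_{\mathrm{pe}}$ and $\beta$, and in the usage below the leakage is modelled as $\mathrm{Synd}_{\mathrm{EC}} = 1.16\,n\,h(Q_{\mathrm{tol}})$, which the thesis does not state in this excerpt.

```python
import math


def h(x):
    """Binary entropy function in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def r_dev(eps, n, k):
    """Deviation term r(eps, n, k) of Eq. (2.3): the Markov-type bound."""
    return math.sqrt((n + k) / (n * k) * (k + 1) / k * math.log(1.0 / eps))


def c_factor(n, k, lam):
    """C(n, k, lambda) of Lemma 5, the correction from the binomial-coefficient bounds."""
    return math.exp(1.0 / (8 * (n + k)) + 1.0 / (12 * k)
                    - 1.0 / (12 * k * lam + 1) - 1.0 / (12 * k * (1 - lam) + 1))


def t_dev(eps, n, k, lam):
    """Deviation term t(eps, n, k, lambda) of Eq. (2.5); Lemma 5 needs 0 < lambda <= 1/2."""
    if not 0.0 < lam <= 0.5:
        raise ValueError("Lemma 5 requires 0 < lambda <= 1/2")
    arg = (math.sqrt(n + k) * c_factor(n, k, lam)
           / (math.sqrt(2 * math.pi * n * k * lam * (1 - lam)) * eps))
    return math.sqrt(2 * (n + k) * lam * (1 - lam) / (k * n) * math.log(arg))


def improvement_factor(eps, n, k, lam):
    """Ratio t / r, which the text says is roughly sqrt(2 lambda (1 - lambda))."""
    return t_dev(eps, n, k, lam) / r_dev(eps, n, k)


def key_length(n, k, q_tol, lam, synd_ec, eps_cor, eps_sec, steps=200):
    """Largest l allowed by Eq. (2.9), maximised over eps_pe, beta > 0 with
    2 eps_pe + 2 beta <= eps_sec.  The split is searched on a linear grid
    (assumed search strategy, not specified by the thesis)."""
    best = 0
    for i in range(1, steps):
        eps_pe = (eps_sec / 2.0) * i / steps
        beta = eps_sec / 2.0 - eps_pe
        dev = q_tol + t_dev(eps_pe, n, k, lam)
        if dev >= 0.5:
            continue                       # h is maximal: nothing extractable here
        ell = math.floor(n - n * h(dev) - synd_ec
                         - math.log2(8.0 / (beta ** 4 * eps_cor)))
        best = max(best, ell)
    return best


if __name__ == "__main__":
    n, k, lam, eps = 10_000, 1_000, 0.01, 1e-10
    print("r =", r_dev(eps, n, k), " t =", t_dev(eps, n, k, lam))
    print("t/r =", improvement_factor(eps, n, k, lam),
          " sqrt(2 lam (1-lam)) =", math.sqrt(2 * lam * (1 - lam)))
    leak = 1.16 * n * h(0.01)              # assumed error-correction leakage model
    print("key length (Eq. 2.9) =", key_length(n, k, 0.01, lam, leak, 1e-15, 1e-10))
```

For $n = 10^4$, $k = 10^3$, $\lambda = 0.01$ and $\varepsilon = 10^{-10}$ the Markov-type term is about $0.159$ while Lemma 5 gives about $0.021$, a ratio near the $\sqrt{2\lambda(1-\lambda)} \approx 0.14$ quoted in the text; the key-length routine then returns several thousand secret bits under the assumed leakage model.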

2.3. Simulation: comparison with existing results

To evaluate the performance of Theorem 2 with respect to the classical-post- processing block size, we numerically maximize the secret key rate, `/N, for a given classical-post-processing block size, n. In order to do that, we assume that the quantum channel connecting Alice and Bob is modeled by a binary symmetric quantum channel and it has zero channel loss. Furthermore, we model the size of the error correcting information sent from Alice to Bob with
