Four-intensity Decoy-state Quantum Key Distribution

0 downloads 0 Views 677KB Size Report
three-intensity decoy-state protocols, our protocol has an additional intensity as a ... Since the introduction of BB84 protocol by Bennett and Brassard1 in 1984, ...
Four-intensity Decoy-state Quantum Key Distribution with Enhanced Resistance against Statistical Fluctuation Haodong Jiang,1 Ming Gao,1, ∗ Hong Wang,1 Hongxin Li,1 and Zhi Ma1, † 1

State Key Laboratory of Mathematical Engineering

and Advanced Computing, Zhengzhou, Henan, China Practical BB84 quantum key distribution has been proposed by utilizing attenuated lasers combined with the decoy-state technique. However, there is a big gap in performance between asymptotic and finite-data settings due to statistical fluctuation. Here, we propose a four-intensity decoy-state protocol with three nonzero intensities in only one basis. Compared to conventional three-intensity decoy-state protocols, our protocol has an additional intensity as a free variable to optimize the deviations caused by statistical fluctuation. We perform numerical simulations with full optimization to make a comparison with the existing three-intensity decoy-state protocols with biased basis choice. According to the simulation result, larger maximum transmission distance and higher secure key rates can be achieved with our protocol. The performance of quantum key distribution is highly improved especially when the number of detected pulses is small. Our protocol might play a key role in the coming ground-satellite quantum key distribution.

Since the introduction of BB84 protocol by Bennett and Brassard1 in 1984, quantum key distribution (QKD)2,3 which may present an unconditionally secure communication system by combining with one time pad4 , has drawn a lot of attention. The security proof of standard BB84 protocol in perfect single-photon case has been given by Mayers2 . However, in practice, the perfect single-photon source is replaced by a highly attenuated laser pulse in most cases. An attenuated laser pulse sends a weak coherent state which contains multiphoton components, leading to a loophole that may be used by Eve to launch attacks like the photon-number-splitting (PNS) attack5,6 . In order to guarantee security in the imperfect quantum communication systems, Gottesman et al (GLLP)7 , and Inamori et al(ILM)8 have obtained a useful formula for the asymptotic key generation (AKG) rate to close the above loophole, where the yield Y1 and the phase error rate e1 of single-photon state need to be estimated. To get accurate estimations and improve the QKD performance, Hwang9 proposes the decoy-state method of which the security has been proven10–12 . Theoretically, Y1 and e1 can be solved perfectly by utilizing an infinite number of decoy states. However, we have just finite resources in practical experiment. Fortunately, Ma et al and Wang propose the practical decoy-state quantum key distribution scheme11,13,14 . According to their results, the three-intensity decoy-state protocol can approach the theoretical limit of infinite-intensity decoy-state protocol. Zhou et al present a more accurate estimation of e1 with four different intensities15 . The general theory with an arbitrary number of decoy states has been developed by Hayashi16 . The fact that the asymptotic key generation rates with four different intensities are almost saturated has been numerically checked in his work. Three-intensity decoy-state protocols with biased basis choice have been researched17–19 . Wei et al numerically find the three-intensity decoy-state protocol with biased basis choice can increase the secure key rate by at least 45% in comparison with standard three-intensity decoy-state protocol with balanced basis choice17 in finite-data setting. T12 protocol proposed by Lucamarini et al has been implemented in a gigahertz-clocked QKD system. They pointed that the obtained secure key rates are the highest reported so far at all fiber distances18 . The secure key string is distilled from both signal state and decoy states19 , which thus significantly improves the QKD performance especially when the number of pulses detected by Bob is small. Due to statistical fluctuation, there is still a big gap in the performance between the 2

finite-data setting and asymptotic setting especially when the total transmission loss is large. According to Hayashi’s work16 and Zhou’s work15 in asymptotic setting, the best estimation of the lower bound of Y1 is achieved with three different intensities while the best estimation of the upper bound of e1 can be calculated with four different intensities. This result has been numerically checked15,16 . However in finite-data setting, the case is different. When four different intensities are utilized to calculate the estimation, the statistical fluctuations of four different experimental measurements should be taken into consideration and simultaneously the sample size for each statistical sampling becomes smaller. Just two different experimental deviations from the theoretical values are calculated when two different intensities are used. Thus in finite-data setting the best estimation of Y1 is achieved with three different intensities and the best estimation of e1 is calculated with two different intensities. The yield of single-photon state is basis independent in asymptotic case17,20,21 . That is, Y1x = Y1z . Here in our protocol the secure key string is distilled from Z basis. The estimations of Y1 and e1 are calculated in different basises. Thus the most economical strategy is that the optical pulses with the intensities used for the estimation of Y1 are all prepared in Z basis while the ones used for the estimation of e1 are prepared in X basis, which further enhances the resistance against statistical fluctuation due to making all the detected pulses serve for the statistical sample. It is important to note that the intensities used for the estimation of Y1 should be independent with the ones utilized for the estimation of e1 . In conventional three-intensity decoy-state protocols, the decoy-state intensity is utilized for the estimations of both Y1 and e1 . The optimized decoy-state intensity for the estimation of Y1 may be different with the one for the estimation of e1 . So here we make the decoy-state intensities in different basises independent by adding another intensity to cut off the correlation. The strategy that the secure key string is extracted from both signal state and decoy states19 is crucial for the secure key rate when the number of detected pulses is small. Note that the estimation of Y1 may be negative and the estimation of e1 may be larger than 0.5 due to the large deviation caused by statistical fluctuation. So in order to get a useful estimation, the number of the prepared pulses corresponding to decoy state and vacuum state should be larger enough than the number of signal state pulses. Thus the quantities of detected pulses corresponding to signal state and decoy state are equally matched. Particularly, we find the length of the secure key string extracted from the decoy states is even larger than 3

the one extracted from the signal state in some cases. Based on above analysis, we propose the following complete protocol with enhanced resistance against statistical fluctuation. In our protocol, Alice sends out all the pulses with four different intensities ω = 0, υ1 , υ2 , µ (υ1 < µ), corresponding to vacuum state, decoy state 1, decoy state 2 and signal state respectively. The total pulses N include Nµ signal state pulses, Nυ1 decoy state 1 pulses, Nυ2 decoy state 2 pulses and Nω vacuum state pulses. Especially in this scheme all the signal state pulses and the decoy state 1 pulses are sent in Z basis. The decoy state 2 pulses are sent in X basis. As for vacuum state, Alice does not need to send any pulse. Bob measures these pulses in Z basis and X basis randomly with certain probabilities. The final key string will be extracted from both the signal state and decoy state 1 in Z basis. The specific scheme is shown in Table I. TABLE I. List of Alice and Bob’s operations Alice prepares and sends

Bob measures

Nµ signal state pulses with intensity µ in Z basis Nυ1 decoy state 1 pulses with intensity υ1 in Z basis

with probability pz in Z basis

Nυ2 decoy state 2 pulses with intensity υ2 in X basis

with probability px in X basis

Nω vacuum pulses

In a single key session, the final key is distilled through a series of classical procedures over a public classic channel. Firstly, sifting is needed by comparing the basis choices between Alice and Bob. The detected optical pulses with the same basis are selected and the others are discarded. We denote Cναα as the number of the selected pulses with intensity ν (ν ∈

{µ, υ1, , υ2 }) in α basis (α ∈ {x, z}). Then we have the following relation, Cναα = Nν pα Qαν .

The overall gain Qαν is the probability for Bob to obtain a detection event in one pulse with

intensity ν in α basis. Secondly, we use the error correction procedure to correct the errors in the sifted key string shared by Alice and Bob. We denote Eνα as the quantum bit error rate (QBER) corresponding to intensity ν in α basis. Then, privacy amplification (PA) is needed to remove the information which has possibly leaked to the potential eavesdropper (Eve). Lastly, we need an authentication to prevent man-in-the-middle attacks and a verification to guarantee that the probability of the users’ key strings matching is arbitrarily close to 1. According to the GLLP security analysis7 , the key generation rate in our protocol can be 4

given by −µ R ≥ pz {−Iec + (Pµ µe−µ +Pυ1 υ1 e−υ1 )Y1z [1 − H(epz + Pυ1 e−υ1 )Y0 }, 1 )] + (Pµ e

Iec =f [Pµ Qzµ H(Eµz )

+

Pυ1 Qzυ1 H(Eυz1 )],

(1)

where H(x) is the binary Shannon entropy function. Note that in our scheme the final key is extracted from the Z basis. As a result all the variables in equation (1) should be measured in Z basis. The phase error rate epz 1 which could not be measured directly will be 22 estimated from the bit error rate ebx 1 in X basis . Thus, all the variables in equation (1) z can be measured in the experiment directly except Y1z and ebx 1 . The estimations of Y1 and

ebx 1 will be presented in methods. To make the simulation results more convincing, we analyze the statistical fluctuation with the standard error method to make a fair comparison with Wei’s protocol17 . The numerical simulation is performed based on the same experimental parameters with Wei’s simulation described in Table II. The other parameters are optimized to maximize the secure key rate. The comparisons with Lim’s protocol19 and T12 protocol18 are made based on their system parameters and secure key rate formulas. The details are shown in the supplementary material. TABLE II. List of experimental parameters for simulation. Ntotal

f

ed

Y0

µ

ηB

6 × 109

1.16

3.3%

1.7 × 10−6

0.479

4.5 × 10−2

RESULTS

The secure key rates of the three-intensity decoy-state protocols (Ma’s unbiased basis choice14 and Wei’s biased basis choice17 ) and the four-intensity protocols with biased basis choice are calculated in finite-data setting with the parameters in table II. The results are shown in figure 1. The conventional four-intensity decoy-state protocol15,16 does not help to obtain higher key rates due to larger deviation in statistical fluctuation. Particularly, the three-intensity decoy-state protocol with unbiased basis choice can even reach a higher key rate than the 5

REFERENCES  [1] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information, 1st ed.  (Cambridge University Press, Cambridge, UK, 2000).   [2] P. W. Shor, SIAM Journal on Computing 26, 1484 (1997).   [3] L. K. Grover, Physical Review Letters 79, 325 (1997).   [4] C. H. Bennett and G. Brassard, in Proceedings of IEEE international Conference on Computers,  Systems and Signal Processing, Bangalore, India (IEEE Press, New York, 1984), p. 175.   [5] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).   [6] C. Elliott, New Journal of Physics 4, 46 (2002). 12   [7] C. Elliott, D. Pearson, and G. Troxel, in Proceedings of the ACM SIGCOMM 2003 Conference on  Applications, Technologies, Architectures, and Protocols for Computer Communication, August  25‐29, 2003, Karlsruhe, Germany. (PUBLISHER, ADDRESS, 2003), pp. 227–238.   [8] C. Elliott, IEEE Security & Privacy 2, 57 (2004).   [9] C. Elliott et al., in Current status of the DARPA quantum network (Invited Paper), edited by E. J.  Donkor, A. R. Pirich, and H. E. Brandt (SPIE, ADDRESS, 2005), No. 1, pp. 138–149.   [10] J. H. Shapiro, New Journal of Physics 4, 47 (2002).   [11] B. Yen and J. H. Shapiro, IEEE Journal of Selected Topics in Quantum Electronics 9, 1483 (2003).   [12] S. Lloyd et al., SIGCOMM Comput. Commun. Rev. 34, 9 (2004).   [13] I.‐M. Tsai and S.‐Y. Kuo, IEEE Transactions on Nanotechnology 1, 154 (2002).   [14] S.‐T. Cheng and C. Wang, IEEE Transactions on Circuits and Systems I: Regular Papers 53, 316  (2006).   [15] J. C. Garcia‐Escartin and P. Chamorro Posada,  Phys. Rev. Lett. 97, 110502 (2006).   [16] M. Oskin, F. T. Chong, and I. L. Chuang, Computer 35, 79 (2002).   [17] D. Copsey et al., IEEE Journal of Selected Topics in Quantum Electronics 9, 1552 (2003).   [18] C. H. Bennett and S. J. Wiesner, Physical Review Letters 69, 2881 (1992).   [19] X. S. Liu, G. L. Long, D. M. Tong, and F. Li, Phys. Rev. A 65, 022304 (2002).   [20] A. Grudka and A. W´ojcik, Phys. Rev. A 66, 014301 (2002).   [21] C.‐B. Fu et al., JOURNAL OF THE KOREAN PHYSICAL SOCIETY 48, 888891 (2006).   [22] A. Winter, IEEE Transactions on Information Theory 47, 3059 (2001).   [23] H. Concha, J.I.; Poor, IEEE Transactions on Information Theory 50, 725 (2004).   [24] M. Fujiwara, M. Takeoka, J. Mizuno, and M. Sasaki, Physical Review Letters 90, 167906 (2003).  [25] J. R. Buck, S. J. van Enk, and C. A. Fuchs, Phys. Rev. A 61, 032309 (2000).   [26] M. Huang, Y. Zhang, and G. Hou, Phys. Rev. A 62, 052106 (2000).  

[27] B. J. Yen and J. H. Shapiro, in Two Problems in Multiple Access Quantum Communication, edited  by S. M. Barnett et al. (AIP, ADDRESS, 2004), No. 1, pp. 25–28.   [28] B. J. Yen and J. H. Shapiro, Physical Review A (Atomic, Molecular, and Optical Physics) 72, 062312  (2005).   [29] B. Sklar, IEEE Communications Magazine 21, 6 (1983).   [30] B. Sklar, Digital Communications, 2nd ed. (Prentice Hall, Upper Saddle River, New Jersey 07458,  2000).   [31] P. D. Townsend, Nature 385, 47 (1997).   [32] V. Fernandez et al., in Quantum key distribution in a multi‐user network at gigahertz clock rates,  edited by G. Badenes, D. Abbott, and A. Serpenguzel (SPIE, ADDRESS, 2005), No. 1, pp. 720–727.   [33] Nikolay Raychev. Dynamic simulation of quantum stochastic walk. International jubilee congress  (TU), 2012.   [34] Nikolay Raychev. Classical simulation of quantum algorithms. International jubilee congress (TU),  2012.   [35] Nikolay Raychev. Interactive environment for implementation and simulation of quantum  algorithms. CompSysTech'15, DOI: 10.13140/RG.2.1.2984.3362, 2015   [36] Nikolay Raychev. Unitary combinations of formalized classes in qubit space. International Journal  of Scientific and Engineering Research 04/2015; 6(4):395‐398. DOI: 10.14299/ijser.2015.04.003,  2015.   [37] Nikolay Raychev. Functional composition of quantum functions. International Journal of  Scientific and Engineering Research 04/2015; 6(4):413‐415. DOI:10.14299/ijser.2015.04.004, 2015.    [38] Nikolay Raychev. Logical sets of quantum operators. International Journal of Scientific and  Engineering Research 04/2015; 6(4):391‐394. DOI:10.14299/ijser.2015.04.002, 2015.   [39] Nikolay Raychev. Controlled formalized operators. In International Journal of Scientific and  Engineering Research 05/2015; 6(5):1467‐1469, 2015.    [40] Nikolay Raychev. Controlled formalized operators with multiple control bits. In International  Journal of Scientific and Engineering Research 05/2015; 6(5):1470‐1473, 2015.    [41] Nikolay Raychev. Connecting sets of formalized operators. In International Journal of Scientific  and Engineering Research 05/2015; 6(5):1474‐1476, 2015.    [42] Nikolay Raychev. Indexed formalized operators for n‐bit circuits. International Journal of  Scientific and Engineering Research 05/2015; 6(5):1477‐1480, 2015.   [43] Nikolay Raychev. Converting the transitions between quantum gates into rotations. International  Journal of Scientific and Engineering Research 06/2015; 6(6): 1352‐1354.  DOI:10.14299/ijser.2015.06.001, 2015.    [44] Nikolay Raychev. Quantum algorithm for non‐local coordination. International Journal of  Scientific and Engineering Research 06/2015; 6(6):1360‐1364. DOI:10.14299/ijser.2015.06.003, 2015.   [45] Nikolay Raychev. Universal quantum operators. International Journal of Scientific and  Engineering Research 06/2015; 6(6):1369‐1371. DOI:10.14299/ijser.2015.06.005, 2015.  

[46] Nikolay Raychev. Ensuring a spare quantum traffic. International Journal of Scientific and  Engineering Research 06/2015; 6(6):1355‐1359. DOI:10.14299/ijser.2015.06.002, 2015.   [47] Nikolay Raychev. Quantum circuit for spatial optimization. International Journal of Scientific and  Engineering Research 06/2015; 6(6):1365‐1368. DOI:10.14299/ijser.2015.06.004, 2015.   [48] Nikolay Raychev. Encoding and decoding of additional logic in the phase space of all operators.  International Journal of Scientific and Engineering Research 07/2015; 6(7): 1356‐1366.  DOI:10.14299/ijser.2015.07.003, 2015.    [49] Nikolay Raychev. Measure of entanglement by Singular Value decomposition. International  Journal of Scientific and Engineering Research 07/2015; 6(7): 1350‐1355.  DOI:10.14299/ijser.2015.07.004, 2015.   [50] Nikolay Raychev. Quantum algorithm for spectral diffraction of probability distributions.  International Journal of Scientific and Engineering Research 08/2015; 6(7): 1346‐‐1349.  DOI:10.14299/ijser.2015.07.005, 2015. 

[51] Nikolay Raychev. Reply to "The classical‐quantum boundary for correlations: Discord and related  measures". Abstract and Applied Analysis 11/2014; 94(4): 1455‐1465, 2015.   [52] Nikolay Raychev. Reply to "Flexible flow shop scheduling: optimum, heuristics and artificial  intelligence solutions". Expert Systems  2015; 25(12): 98‐105, 2015.    [53] Nikolay Raychev. Classical cryptography in quantum context. Proceedings of the IEEE 10/2012,  2015.    

zero-photon state can be estimated by the vacuum state. The basis distribution of vacuum state is uniform randomly. As a result, additional three nonzero intensities are required for the estimations of Y1z and ebx 1 . Two nonzero intensities in Z basis contribute to the estimation of Y1z while one nonzero intensity in X basis is utilized for the estimation of ebx 1 . That is to say, it is proper to utilize four different intensities for the estimations and more than four intensities are not necessary. In our protocol, the randomness of the basis for the sender (Alice) is based on the randomness of signal state, decoy state 1, decoy state 2 and vacuum state. In security analysis aspect, our protocol is still secure. In general, we make the assumption that Eve cannot distinguish which state the pulses come from, the signal state or decoy states. There are still optical pulses in X basis (decoy state 2) to detect the potential Eve and estimate the information obtained by Eve. Our protocol has a higher secure key rate than three-intensity decoy-state protocols in finite-data setting. The deviation caused by statistical fluctuation is mainly influenced by the number of pulses detected by Bob once the experiment system parameters and the failure probability are selected (details in methods). So in finite-data setting we can increase the intensity of decoy state 2 to get an accurate estimation of ebx 1 and decrease the intensity of decoy state 1 to get an accurate estimation of Y1z especially when the total transmission loss is large. In finite-data setting, the secure key rate will decline rapidly as the total transmission loss increases. Our protocol has one more free-variable (the intensity of decoy state 2) than three-intensity decoy-state protocols to optimize the deviation caused by statistical fluctuation. Therefore when the total transmission loss is large, the performance is significantly improved with our protocol. In T12 protocol, ebx 1 is estimated by using the signal state while the decoy state is utilized for the estimation in Wei’s protocol. In fact, in Wei’s protocol there are no signal state pulses in X basis as all the signal state pulses are used to form the sharing key string in Z basis. The intensity of the signal state is larger than the one of decoy state. That is, more signal state pulses are detected than decoy state. This is an important reason why T12 protocol can achieve a higher secure key rate than Wei’s protocol when the total transmission distance is large. But we should also note that the strategy which Alice sends all the signal state pulses in Z basis in Wei’s protocol can effectively improve the secure key rates when the basis is biased and the total transmission distance is small. In T12 protocol, we can get 9

such an increasing rate of secure key rate as about 6% if we take this strategy. Especially this strategy can help increasing the secure key rate at most 20%. In our protocol, we subtly add another intensity (decoy state 2) where all the optical pulses are sent in X basis. Meanwhile, the original decoy state 1 pulses and the signal state pulses are sent in Z basis. The intensity of the decoy state 2 is independent with the intensities of both signal state and decoy state 1. It can be optimally set according the practical experiment parameters. Thus our protocol has the advantages of both Wei’s protocol and T12 protocol. As a result, highest secure key rates are reached with our protocol for all the transmission distances.

METHODS Estimation of Y1z and ep1z

Firstly, we implement the vacuum state to estimate the background counts Qvacuum = Y0 ,

(2)

Evacuum =e0 = 0.5. Secondly, three different intensities (0 = ω < υ1 < µ) are utilized to estimate the lower bound of Y1 , Y1 ≥ Y1L,3 =

υ1 eµ µeυ1 (Qυ1 − e−υ1 Qω ) − (Qµ − e−µ Qω ). υ1 (µ − υ1 ) µ(µ − υ1 )

(3)

Then, two different intensities (0 = ω < υ2 ) or four different intensities (0 = ω < µ1 < µ2 < µ3 ) are used to estimate the upper bound of e1 , e1 ≤ eU,2 1 =

Eυ2 Qυ2 eυ2 − Qω /2 , υ2 Y1

µ2 µ3 eµ1 µ1 µ3 eµ2 (Eµ1 Qµ1 − e−µ1 Qω /2) + Y1 µ1 (µ1 − µ2 )(µ1 − µ3 ) Y1 µ2 (µ2 − µ1 )(µ2 − µ3 ) µ3 µ1 µ2 e (Eµ2 Qµ2 − e−µ2 Qω /2) + (Eµ3 Qµ3 − e−µ3 Qω /2). Y1 µ3 (µ3 − µ1 )(µ3 − µ2 )

e1 ≤ eU,4 1 =

(4)

(5)

Lastly, given ebx 1 ,nα1 (the number of events where Alice sends a single-photon state and pz Bob measures in α basis), a probabilistic upper bound of epz 1 which is lower than e1 with a

small probability Pθx can be gained19,22 10

bx Pθx ≡ pr{epz 1 ≥ e1 + θx },

(6)

bx where θx is the deviation between epz 1 and e1 , given by

θx =

s

bx (nx1 + nz1 )(1 − ebx (nx1 + nz1 ) 1 )e1 log2 ( 2 ). bx nx1 nz1 log 2 nx1 nz1 (1 − ebx )e (P ) θx 1 1

(7)

Statistical fluctuation

The values of Qαν and Eνα are measured in the QKD experiment. That is to say, they are rates instead of probabilities. As a result, the statistical fluctuation analysis is indispensable in finite-data setting. Here we will follow the standard error method23 . The output of Bob’s threshold detector corresponding to Qαν can only give a click response or not. The comparison in the sampling experiment can give an outcome like identical or error corresponding to Eνα . Eνα Qαν is computed as a whole in equation (4) and (5). So we can consider click and identical as a success while others as a failure corresponding to Eνα Qαν . So the quantities measured in the experiment follow the Binomial distribution b(Nν pα , Qαν ) and b(Nν pα , Eνα Qαν ) under the assumption of independent and identical distribution. If the number Nν pα of trials is large enough, the binomial distribution is approximately equal to the normal distribution. So we can approximately have α αU pr(QαL ν < Qν < Qν )) ≥ (1 − εpe ), α α αU αU pr(EναL QαL ν < Eν Qν < Eν Qν )) ≥ (1 − εpe ),

where ˆα QαL ν = Qν (1 − q

ˆα QαU ν = Qν (1 + q

EναL QναL EναU QαU ν

uα ˆα Nν pα Q ν uα

(8)

),

), α ˆ Nν pα Qν ˆ α (1 − q uα = Eˆνα Q ), ν α α ˆ ˆ Nν pα Eν Qν ˆ α (1 + q uα = Eˆνα Q ). ν α α ˆ ˆ Nν pα Eν Qν

(9)

Similarly, Y0 has the confidence interval [Y0L , Y0U ] with probability (1 − εpe ), where Y0L 11

and Y0U can be determined by Y0L,U = Yˆ0 (1 ∓ q

uα Nω /2Yˆ0

),

(10)

ˆ α , Eˆ α Q ˆα ˆ where Q ν ν ν and Y0 are measurement outcomes in the experiments. εpe is the failure probability in the parameters estimation. uα is the

εpe 2

− th quantile from standard nor-

mal distribution. From the equation (9), the deviation caused by statistical fluctuation is uα or √ uα ˆ α ˆ α . uα is determined by failure probability εpe of parameter estimation. ˆα Nν p α Q Nν p α E ν Q ν ν α ˆ ˆ α is determined by the Nν pα Qν is the number of detected pulses with intensity ν in α basis. E ν



optical system and noise in the channel. Therefore, once the experiment system parameters and the failure probability are selected, the deviation is mainly influenced by the number of detected pulses.

1. Bennett, C. H. & Brassard, G. Quantum Cryptography: Public Key Distribution and Coin Tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, 175–179 (IEEE Press, New York, 1984). 2. Mayers, D. Unconditional security in quantum cryptography. Journal of the ACM (JACM). 48, 351–406 (2001). 3. Ekert, A. K. Quantum cryptography based on bell’s theorem. Phys. Rev. Lett.. 67, 661–663 (1991). 4. Shannon, C. E. Communication Theory of Secrecy Systems. Bell Syst. Tech. J.. 28, 656–715 (1949). 5. Brassard, G., L¨ utkenhaus, N., Mor, T. & Sanders, B. C. Limitations on practical quantum cryptography. Phys. Rev. Lett.. 85, 1330–1333 (2000). 6. L¨ utkenhaus, N. &Jahma, M. Quantum key distribution with realistic states: photon-number statistics in the photon-number splitting attack. New Journal of Physics. 4, 44 (2002). 7. Gottesman, D., Lo, H.-K., L¨ utkenhaus, N. & Preskill, J. Security of quantum key distribution with imperfect devices. Quantum Inf. Comput.. 4, 325 (2004). 8. Inamori, H., L¨ utkenhaus, N. & Mayers, D. Unconditional security of practical quantum key distribution. European Physical Journal D. 41, 599-627 (2007).

12

9. Hwang, W. Y. Quantum key distribution with high loss: Toward global secure communication. Phys. Rev. Lett. . 91, 057901 (2003). 10. Lo, H. Quantum key distribution with vacua or dim pulses as decoy states. Information Theory, ISIT 2004. Proceedings. International Symposium on. 137 (2004). 11. Lo, H.-K., Ma, X. & Chen, K. Decoy state quantum key distribution. Phys. Rev. Lett. . 94, 230504 (2005). 12. Ma, X.

Security of quantum key distribution with realistic devices.

arXiv preprint

quant-ph/0503057. (2005). 13. Wang, X. B. Beating the pns attack in practical quantum cryptography. Phys. Rev. Lett. . 94, 230503 (2005). 14. Ma, X., Qi, B., Zhao, Y. & Lo, H.-K. Practical decoy state for quantum key distribution. Phys. Rev. A. 72, 012326 (2005). 15. Zhou, Y. H., Yu, Z. W. & Wang, X.-B. Tightened estimation can improve the key rate of measurement-device-independent quantum key distribution by more than 100%. Phys. Rev. A. 89, 052325 (2014). 16. Hayashi, M. General theory for decoy-state quantum key distribution with an arbitrary number of intensities. New Journal of Physics. 9, 284 (2007). 17. Wei, Z. C. et al. Decoy-state quantum key distribution with biased basis choice. Scientific Reports. 3, (2013). 18. Lucamarini, M. et al. Efficient decoy-state quantum key distribution with quantified security. Optics Express. 21, 24550–24565 (2013). 19. Lim, C. C. W., Curty, M., Walenta, N., Xu, F. H. & Zbinden, H. Concise security bounds for practical decoy-state quantum key distribution. Phys. Rev. A. 89, 022307 (2014). 20. Wang, X. B. Three-intensity decoy-state method for device-independent quantum key distribution with basis-dependent errors. Phys. Rev. A. 87, 012320 (2013). 21. Yu, Z. W.,Zhou, Y. H. & Wang, X.-B. Decoy state method for measurement device independent quantum key distribution with different intensities in only one basis. arXiv preprint quant-ph/13090471. (2013). 22. Fung, C.-H. F., Ma, X. & Chau, H. F. Practical issues in quantum-key-distribution postprocessing. Phys. Rev. A. 81, 012318 (2010). 23. Ma, X., Fung, C.-H. F. & Razavi, M. Statistical fluctuation analysis for measurement-device-

13

independent quantum key distribution. Phys. Rev. A. 86, 052305 (2012).

ACKNOWLEDGEMENTS

This work is supported by the National High Technology Research and Development Program of China Grant No.2011AA010803, the National Natural Science Foundation of China Grants No.61472446 and No.U1204602 and the Open Project Program of the State Key Laboratory of Mathematical Engineering and Advanced Computing Grant No.2013A14.

AUTHOR CONTRIBUTIONS

H.J.,M.G.,H.W.,H.L.,Z.M. all contributed equally to this paper.

ADDITIONAL INFORMATION

Competing financial interests: The authors declare no competing financial interests.

14

Supplementary Information Haodong Jiang,1 Ming Gao,1, ∗ Hong Wang,1 Hongxin Li,1 and Zhi Ma1 1

State Key Laboratory of Mathematical Engineering

arXiv:1502.02249v1 [quant-ph] 8 Feb 2015

and Advanced Computing, Zhengzhou, Henan, China



[email protected]

1

SUPPLEMENTARY NOTE 1: CALCULATION OF SECURE KEY RATE FOR THE FIXED TRANSMISSION LOSS 15 DB

In this section, the secure key rates for the fixed transmission loss 15 dB are calculated on the basis of the concise universally composable secure key rate formula1 . The system parameters are shown in table I . Given the incorrect probability εcor and the insecure probability εsec, the secure key rate can be calculated by TABLE I. List of experimental parameters for simulation. pap

f

ed

pdc

εcor

κ

ηB

0.04

1.16

5 × 10−3

6 × 10−7

10−15

10−15

0.1

  1 15 2 pz − log2 , R≥ nz0 + nz1 (1 − H(e1 )) − f nz H(Ez ) − 6log2 N εsec εcor

(1)

where nz0 , nz1 and nz are, respectively, the number of vacuum events, single-photon events and all events in Z basis. epz 1 and Ez are denoted to be the phase error rate associated with the single-photon events and the bit error rate associated with all events in Z basis. εsec is set to be proportional to the secret key length, that is, εsec = κLkey where κ is a security constant and Lkey is the length of εsec -secure key string. Given three different intensities (0 = ω < υ1 < µ), nz0 and nz1 can be estimated by equation (2) and (3) nz0 =

nz1 ≥ nL,3 z1 =

τz0 nωz , pωz

eµ nzµ nz0 eυ1 nz τz1 µ nz0 τz1 υ1 ( υ1υ1 − )− ( µ − ), υ1 (µ − υ1 ) pz τz0 µ(µ − υ1 ) pz τz0

(2)

(3)

where naν , pνα , τai are the number of events associated with intensity ν (ν ∈ {µ, υ1 , , υ2}), the probability that Alice sends a pulse with intensity ν and the probability that Alice sends an i-photon pulse in α basis (α ∈ {x, z}). Let mνα denote the number of events with bit errors associated with intensity ν in α basis. The upper bound of vx1 , the number of single-photon events with bit errors, can be calculated with two different intensities (0 = ω < υ2 ) or four different intensities (0 = ω < µ1 < µ2 < µ3 ) in equation (4) and equation (5). 2

nω τx1 mυx2 eυ2 ( x − xω ), υ2 pυ2 2px

(4)

τx1 µ2 µ3 mµ1 nω τx1 µ1 µ3 (eµ1 µx1 − xω ) + µ1 (µ1 − µ2 )(µ1 − µ3 ) px 2px µ2 (µ2 − µ1 )(µ2 − µ3 ) µ2 ω m n τx1 µ1 µ2 mµ3 nω (eµ2 µx2 − xω ) + (eµ3 µx3 − xω ). px 2px µ3 (µ3 − µ1 )(µ3 − µ2 ) px 2px

(5)

U,2 vx1 ≤ vx1 =

U,4 vx1 ≤ vx1 =

Then, the bit error rate ebx 1 of singe-photon state in X basis can be given in equation (6). pz The deviation between ebx 1 and e1 can be calculated according to the methods in main text.

ebx 1 =

vx1 τz1 τx1 nz1

(6)

Additionally, when considering the deviation of each experimental measurement value from the theoretical value, we adaptively choose the better one of two alternative methods, Hoeffding inequality1 or Chernoff bound2 .

SUPPLEMENTARY NOTE 2: COMPARISON AMONG T12 PROTOCOL, WEI’S PROTOCOL AND OUR PROTOCOL

To make a fair comparison, in this section we will adopt the universally composable formula3,4 to calculate the secure key rate. In T12 protocol5 , the final key rate is the sum of two rates from two different basises of signal state. Rα , the ratio of the length of final secure key string in α basis to Nµαα (the number of optical pulses with intensity µ in α basis), is given by

∆α Rα = {e−µ Y0α + µe−µ Y1α (1 − H(eα1 ))} − Qαµ f H(Eµα ) − Nµαα s 2 1 ∆α = 7 nα log 2 ( ) + 2log2 [ ], εs − εpe 2(ε − εs − εec )

(7)

where εs , εpe ,εec , ε are the smoothing parameter, the failure probability of parameter estimation procedure, the failure probability of error correction procedure and the total failure probability of the protocol. The relation ε = εec + εs + εpe (0 ≤ εpe < εs < ε − εec ) is required in the numerical simulation. Given Rα , pµ (the probability that Alice sends a signal state pulse) and pα (the probability that Alice and Bob choose α basis), the final key can be obtained by R ≥ pµ (p2z Rz + p2x Rx ). 3

(8)

The intensity of the decoy state 2 in T12 protocol which is 0.001 is so small that we can regard this decoy state as a vacuum state. Then the main difference between T12 protocol and Wei’s protocol6 is the probability of basis choice when Alice sends the signal state pulses. In Wei’s protocol Alice sends all the signal state pulses in Z basis, but in T12 protocol Alice chooses the basis with a same certain probability no matter whether the pulses are signal state, decoy state 1 or decoy state 2. In asymptotic setting, we can assume the variables Y0 , Y1 , e1 , Qµ , Eµ do not depend on the basis. Furthermore, it is easy to find that work, px =

1 , 16

∆z Nµzz



∆x Nµxx

when pz ≥ px . In Lucamarini’s

so we can get Rz ≥ Rx . Then we can have R ≤ Rz pµ (p2z + p2x ). But when

Alice sends all the signal state pulses in Z basis, the final secure key rate R is pµ pz Rz . Then the character of function f (x) = x − [x2 + (1 − x)2 ] is the determinant factor. It is easy to see that the function is always positive when

1 2

< x < 1 and reaches the maximum value

when x = 43 . So setting all the signal pulses in Z basis can have a higher secure key rate in asymptotic setting. Especially, the increasing rate is more than 6.19% when px =

1 . 16

The

increasing rate can reach maximum 20% when px = 34 . However, in finite-data setting, this advantage will be also influenced by the number of pulses detected by Bob. We have to use the decoy state pulses to estimate e1 as Alice sends no signal state pulses in X basis. The number of detected decoy state pulses in X basis by Bob is smaller than the one corresponding to the detected signal state pulses. So the deviation in statistical fluctuation is so large that it may on the contrary result in the decrease of the secure key rate. TABLE II. List of experimental parameters for simulation. N

f

ed

Y0

ε

β

ηB

1.2 × 1012

1.1

3.3%

2.1 × 10−5

10−10

0.2

0.205

υ2

υ1

µ



pυ2

pυ1

px

0.09

0.044

0.425

1/256

1/256

1/256

1/16

We perform the simulation with the same parameters5 summarized in table II . The probability ed that a photon hits the erroneous detector characterizes the alignment and stability of the optical system. This parameter has not been found in Lucamarini’s paper, so we just follow Wei’s work and set it to be 3.3%. Another parameter attenuation loss 4