OSA's Digital Library

Optics Express

  • Editor: Andrew M. Weiner
  • Vol. 21, Iss. 21 — Oct. 21, 2013
  • pp: 24550–24565

Efficient decoy-state quantum key distribution with quantified security

M. Lucamarini, K. A. Patel, J. F. Dynes, B. Fröhlich, A. W. Sharpe, A. R. Dixon, Z. L. Yuan, R. V. Penty, and A. J. Shields


Optics Express, Vol. 21, Issue 21, pp. 24550-24565 (2013)
http://dx.doi.org/10.1364/OE.21.024550


Abstract

We analyse the finite-size security of the efficient Bennett-Brassard 1984 protocol implemented with decoy states and apply the results to a gigahertz-clocked quantum key distribution system. Despite the enhanced security level, the obtained secure key rates are the highest reported so far at all fibre distances.

© 2013 Optical Society of America

1. Introduction

In recent years, the possibility to use quantum key distribution (QKD) [1–5] to securely transmit cryptographic keys to remote users has received increasing attention. Consequently, QKD has rapidly grown from early stage experiments to sophisticated demonstrations, suitable for real-world applications [6–10].

This problem has been theoretically addressed in a few security proofs [11–18], some of which also guarantee composable security [19, 20]. Most of them consider a QKD setup running with the BB84 protocol [2] and making use of an ideal single-photon source. However, in practice, this is not the most convenient choice. Firstly, it is advantageous to use an efficient version of the BB84 protocol [21] rather than the standard one, to increase the key rate of the system. Secondly, an attenuated laser combined with the decoy state technique [22–25] is by far more effective than a single-photon source. Therefore, it would be beneficial to study the security of this more profitable QKD configuration.

To realise that, we purposely designed a protocol, termed “T12”, which removes the aforementioned idealisations and encompasses all the features that can possibly increase the practicality of a QKD protocol. Among these are the efficient selection of the basis and of the light intensity, plus others that will follow from the protocol’s security proof. In turn, the security analysis is facilitated by the definition of a protocol, because all the steps leading to the final secure key rate are brought together under a single description.

However, one severe drawback of the aforementioned proof is that when decoy states are taken into account, the key rate remains positive only for very large sample sizes. In fact, in [26] a numerical simulation shows that the data sample must contain at least $10^6$ bits in order to provide a positive key rate. This minimum sample size becomes considerably worse, in fact more than 16 times larger, if the same simulation is run with experimental parameters similar to the ones presented in this work. Moreover, even for a reasonably large sample of $10^8$ bits, the secure key rate is reduced to half its asymptotic value.

Here, we show that the main cause of these problems is the adopted parameter estimation (PE) procedure. Therefore, we review the security proof of [26] and endow it with a more efficient PE, based on numerical optimisation. This improves the results dramatically. We use the new estimates in the security proof to quantify the secure key rate of a gigahertz-clocked QKD system and obtain record rates at all optical fibre distances tested. The approach shows high resistance against small size effects. Using the experimental parameters obtained on a 50 km optical fibre, the finite-size rate reaches 85% of its asymptotic value for a data sample of $10^8$ bits and remains positive for sample sizes as small as $1.4 \times 10^5$ bits.

2. Protocol

We start from a description of the T12 protocol. We assume that the transmitter (Alice) has a phase-randomised source of coherent states [34]. This makes the source statistically equal to a Poissonian distribution of number states such that, when the average photon number, or simply the intensity, from the light source is $\mu$, the probability to send a $k$-photon pulse is Poissonian: $e^{-\mu}\mu^{k}/k!$. The light pulses are modulated both in intensity and in another degree of freedom, which is used to encode the quantum information. It can be, e.g., the polarisation, or the relative phase from an asymmetric Mach-Zehnder interferometer, like in our setup (see Fig. 1 in Section 5 for a description). For the intensity, Alice randomly chooses among three possible values [25], which we denote with $u$ (signal), $v$ (decoy1) and $w$ (decoy2). It is convenient to introduce a specific intensity label $\mu_j$, with $j = \{0,1,2\}$, so that $\mu_0 = u$, $\mu_1 = v$ and $\mu_2 = w$. Then the symbol $\mu$ indicates a generic intensity value, while the symbol $\mu_j$ is an intensity index taking on the three specific intensity values $u$, $v$ and $w$. The values $\mu_j$ are selected with probabilities $p_{\mu_j} = (p_u, p_v, p_w)$, and usually $p_u \ge p_v > p_w$. For the encoding, Alice randomly selects one of four possible states, as in the standard BB84 protocol [2], indicated as $|0_Z\rangle$, $|1_Z\rangle$ (Z basis) and $|0_X\rangle = (|0_Z\rangle + |1_Z\rangle)/\sqrt{2}$, $|1_X\rangle = (|0_Z\rangle - |1_Z\rangle)/\sqrt{2}$ (X basis). The bases Z and X are selected with probabilities $p_Z \ge 1/2$ and $p_X = 1 - p_Z$. According to this convention, Z is the majority basis, i.e., the one selected most often, and X the minority basis. When $p_Z > p_X$, there is an increase of efficiency with respect to the standard BB84 protocol, in which $p_X = p_Z$. Intensities and states are chosen independently by Alice, so that it is possible to pair any state with any different intensity. This allows for a simpler implementation and prevents accidental correlations between the intensity and the information encoding. In addition, it is possible to distill key bits from both the bases and obtain the standard BB84 result as a particular case when $p_X = p_Z$. This adaptability is useful in practice, as the optimal ratio between the bases can depend on the characteristics of the quantum channel.

Fig. 1 Experimental setup for the T12 protocol. In Alice’s layout, light pulses are emitted by a 1550 nm laser diode (LD), pulsed at 1 GHz, and transmitted through an intensity modulator (IM) and an unbalanced Mach-Zehnder interferometer. This is composed of a fibre-integrated beam-splitter (BS), a phase modulator (PM) and a final polarising BS (PBS). A variable attenuator (VA) is used to set the intensity of the pulses at the desired level. An optical power meter (OPM) measures the total flux in the fibre and adjusts the VA in real-time in order to keep it constant. After a fibre spool of different lengths, the light passes through a polarization control (PC) and a second interferometer that matches Alice’s. In one arm, a fibre-stretcher (FS) is used to match the arm’s length between the two distant interferometers, thus generating interference at the final BS. Pulses are eventually measured by a detection unit (DU).

In a single key session, $N$ pulses are sent by the transmitter to the receiver (Bob). Because of channel and detector losses, only $C \le N$ non-empty counts are registered by Bob in each session. From these counts, the users distil the final key, through a series of classical procedures which require communication over a public channel. These include sifting, to select the non-empty counts with matching bases; error correction (EC), to determine the number of transmission errors, $E$, in the non-empty counts and correct them; privacy amplification (PA), to remove from a potential eavesdropper (Eve) the information which has possibly leaked to her; authentication and verification, to prevent man-in-the-middle attacks and guarantee that the users’ strings match with probability arbitrarily close to 1.

All this information can be used to split the numbers $N$, $C$ and $E$ into smaller groups, according to the users’ choices of the basis and of the intensity for each pulse, thus realising the advanced data analysis necessary for the T12 protocol. Whenever the bases do not match, the data are discarded through the sifting procedure. From the results with matching bases, the quantities summarized in Table 1 can be drawn.

Table 1. Quantities for the advanced data analysis of the T12 protocol

The number of pulses $N$ satisfies the following relations: $N = \sum_{j \in \{0,1,2\}} N_{\mu_j}$, $N_{\mu_j} = N_{\mu_j}^{ZZ} + N_{\mu_j}^{ZX} + N_{\mu_j}^{XZ} + N_{\mu_j}^{XX}$. Similar relations hold for $C$ and $E$. These quantities and the knowledge of $\mu_j$ are used to assess the security of the protocol in the finite-size scenario. The final rate of the protocol is given by the sum of the two secure key rates distilled from the signal pulses separately in the two bases.

3. Secure key rate

In this section we determine the rate equation for the T12 protocol using the proof method of [16], later extended in [26]. The proof starts by providing an entanglement-based description of the preparation and distribution stage of the T12 protocol.

As a second step, we assume that Bob’s detectors are threshold detectors with equal efficiency. When no detector clicks, an empty count is registered by Bob, while all the other cases are non-empty counts. This can be treated as a binary positive-operator valued measure (POVM), a particular 2-dimensional case of the proof method in [16]. Also, the results from Bob’s measurement are non-ambiguous if we assign orthogonal outcomes to the two detectors and double counts to one of the two detectors, chosen at random. Overall, this description of the T12 protocol detection stage coincides with that adopted in various security proofs, among which those more relevant to the present paper, described in [16, 17, 26, 35].

After N signals have been distributed, C non-empty counts are detected by Bob. Using a public (authenticated) channel, the users run the sifting procedure, in which they discard the data corresponding to empty counts and non-matching bases and remain with a pair of raw keys. By performing the PE procedure, they can compute from their data the statistics λ(a,b), i.e. the frequencies of the detected symbols and of the errors in the detected symbols. This will let them infer the maximum information gained by Eve during the key session. After that, EC and PA will complete the key distillation procedure and provide them with the final key.

In [16], it is shown how to calculate in the finite-size scenario, under the assumption of collective attacks, the rate per detected qubit $r = L/n$ for any protocol which complies with the description given above. This justifies using this method for estimating the T12 protocol secure key rate in the finite-size case. In the definition of $r$, the symbol $L$ is the number of secure bits after PA, while $n$ is the number of raw key bits before EC that will contribute to the final key. In the T12 protocol, it is $n = C_u^{ZZ}$ or $n = C_u^{XX}$ according to whether the secure bits are distilled from the Z basis or from the X basis, respectively.

In what follows, we assume for simplicity that the secure bits are distilled from the Z basis. Therefore we omit the basis label. However, all the results hold for the X basis too and the final rate is given by the sum of the two rates from the two separate bases. From [16], we can write the rate per detected qubit as follows:

$$r = H_{\xi_{PE}}(A|E) - (\mathrm{leak}_{EC} + \Delta)/n, \tag{1}$$

with

$$H_{\xi_{PE}}(A|E) = \min_{\sigma_{AE} \in \Gamma_{\xi_{PE}}} H(A|E), \tag{2}$$

and

$$\Delta = 7\sqrt{n \log_2\!\left(\frac{2}{\varepsilon_s - \varepsilon_{PE}}\right)} + 2\log_2\!\left[\frac{1}{2(\varepsilon - \varepsilon_s - \varepsilon_{EC})}\right]. \tag{3}$$

The term $\mathrm{leak}_{EC}$ in Eq. (1) accounts for the number of bits publicly transmitted during EC; it is a classical quantity and can be directly measured in the experiment. A common way to appraise it is by using the expression $\mathrm{leak}_{EC} = n f_{EC} h(Q_Z)$, where $h(\cdot)$ is the binary entropy and $Q_Z$ is the bit error rate measured in the Z basis. The parameter $f_{EC} \ge 1$ accounts for the EC efficiency.

In Eq. (2), the conditional von Neumann entropy $H(A|E)$ represents Eve’s uncertainty about Alice’s string. It has to be minimised over all possible Alice-Eve joint states $\sigma_{AE}$ which are contained in a set $\Gamma_{\xi_{PE}}$, specified later on together with the other quantities appearing in Eq. (3). The entropy $H(A|E)$ has been explicitly given in Eq. (13) of [26] under the same protocol description given so far. After translating that result into our notation, it reads:

$$H(A|E) = \tilde{g}_{uZ}^{(0)} + \tilde{g}_{uZ}^{(1)}\left[1 - h\!\left(\tilde{q}_X^{(1)}\right)\right], \tag{4}$$

where

$$\tilde{g}_{uZ}^{(k)} = \frac{\tilde{y}_Z^{(k)}\,(e^{-u}u^{k}/k!)}{(C_u^{ZZ}/N_u^{ZZ})}. \tag{5}$$

In Eq. (4), $\tilde{q}_X^{(1)}$ is the error rate in the X basis of the pulses containing 1 photon. In Eq. (5), the quantity $\tilde{y}_Z^{(k)}$ is the $k$-photon yield, i.e. the conditional probability that Bob registers a count when Alice emits $k$ photons, in the Z basis. These quantities are indicated with a tilde to recall that they have to be optimised in the finite-size setting in order to obtain the final key rate, as prescribed by the minimisation procedure contained in Eq. (2).

It is worth pointing out that the result in Eq. (4) was initially obtained by Koashi [35], under the same entanglement-based description of an efficient BB84 protocol with decoy states and imperfect devices as the one adopted thus far for the T12 protocol. Specifically, the Heisenberg uncertainty principle was used to show that Eve’s uncertainty about Alice’s string distilled in the Z basis can be quantified as $1 - H_X$, with $H_X = 1 - g_Z^{(0)} - g_Z^{(1)}[1 - h(q_X^{(1)})]$ (see Eq. (9) of [35]). In fact, this leads to an expression equal to that in Eq. (4).

The conditional von Neumann entropy in Eq. (2) is the result of a lower bound to the smooth min entropy $H_{\min}^{\varepsilon_s}(A^n|E^n)$ given in Lemma 2 of [16]. Under the assumption of collective attacks by Eve, this bound holds for any protocol which can be described as an entanglement-distribution protocol and adopts the proper PE procedure to compute the statistics λ(a,b). We have already shown the entanglement-based description of the T12 protocol. The discussion of the PE procedure involves the definition of the set $\Gamma_{\xi_{PE}}$ in Eq. (2), which, in [16], was defined via the following relation:

$$\Gamma_{\xi_{PE}} = \{\sigma_{AE} : \|\lambda_m - \lambda\| \le \xi_{PE}\}. \tag{8}$$

The meaning of Eq. (8) is that if the statistics $\lambda_m$, acquired from a data set of size $m$, is closer than $\xi_{PE}$ to the asymptotic statistics $\lambda$, obtained from an infinite data set, then the state $\sigma_{AE}$ belongs to $\Gamma_{\xi_{PE}}$, except with a probability $\varepsilon_{PE}$. In this case, $\sigma_{AE}$ is a legitimate state for the minimisation procedure set forth in Eq. (2) and then in Eq. (6).

In order to turn Eq. (8) into an operative definition, it is necessary to find a relation between the upper bound to the variation distance $\xi_{PE}$ and the probability $\varepsilon_{PE}$ that PE will fail to select the correct set of states for the minimisation of Eq. (2). In [16], this relation was governed by a Lemma through the law of large numbers. We limit ourselves here to the case of a binary POVM, because this is the only one present in the T12 protocol. In this case, it was proven that if $\xi_{PE} = \sqrt{2\ln[(m+1)/\varepsilon_{PE}]/m}$ then $\Pr(\|\lambda - \lambda_m\| > \xi_{PE}) \le \varepsilon_{PE}$. Hence, the subsequent assignment $\lambda_m = \lambda \pm \xi_{PE}$ was used to select an interval around $\lambda$ in which the true value of the statistics falls with probability $1 - \varepsilon_{PE}$. Such a method clearly requires the knowledge of the asymptotic statistics $\lambda$, without which the finite-size statistics $\lambda_m$ cannot be drawn. In [26], $\lambda$ was taken from the analytical expressions given in [23]. Then the $m$-size statistics was obtained from the assignment $\lambda_m = \lambda \pm \xi_{PE}$, as said, with the sign chosen according to whether a lower or an upper bound was needed for the quantities appearing in a rate equation analogous to our Eq. (7).

For an easy comparison with [16], we note that our approach would be equivalent to choosing $\xi_{PE}^{-} = \lambda - \lambda^{-}$ ($\xi_{PE}^{+} = \lambda^{+} - \lambda$) for a parameter that needs to be minimised (maximised) in Eq. (7). In this case, the exact value of $\lambda$ would not be relevant anymore, because of the assignment $\lambda_m = \lambda - \xi_{PE}^{-}$ ($\lambda_m = \lambda + \xi_{PE}^{+}$), which removes $\lambda$ from the problem and leaves $\lambda_m = \lambda^{-}$ ($\lambda_m = \lambda^{+}$). From this, it is straightforward to see that $\Pr(\|\lambda - \lambda_m\| > \xi_{PE}^{\pm})$ coincides with the probability that the true value of the statistics falls outside $I_{\varepsilon_{PE}}$. This probability is, by construction of $I_{\varepsilon_{PE}}$, less than or equal to $\varepsilon_{PE}$, as required in [16].

Finally, we should complete the description of the parameters given in Eq. (3). The smoothing parameter $\varepsilon_s \ge 0$ descends from the smooth min entropy $H_{\min}^{\varepsilon_s}(A^n|E^n)$, used after Lemma 1 in [16] to quantify the number of uniform bits that can be extracted from an error-corrected key using PA. A perfectly uniform distribution of the output bits is attainable only in the asymptotic limit. In the finite-size case, it is necessary to accept some deviation from the ideal uniform distribution, quantified by $\varepsilon_s$. The failure probability of the PE procedure is indicated as $\varepsilon_{PE}$. It has the meaning mentioned above that the estimated confidence interval $I_{\varepsilon_{PE}}$ fails to contain the true value of the statistics. Generally speaking, the wider the interval, the lower $\varepsilon_{PE}$. Moreover, it is intuitive that smaller values of $\varepsilon_{PE}$ correspond to a higher security level and to a lower key rate. The probability that EC fails is denoted by $\varepsilon_{EC}$. However, it should be said that EC also includes the verification step in which the users verify that their keys are equal. So $\varepsilon_{EC}$ more properly represents the probability that EC fails to correct the key, with the users unaware of this failure. Finally, the total failure probability of the system is $\varepsilon$, which is given by the sum of the other failure probabilities, $\varepsilon = \varepsilon_{EC} + \varepsilon_s + \varepsilon_{PE}$. It amounts to $10^{-10}$ in the present work. We choose and fix the numerical values of all the epsilon values so as to fulfil the chain relation $\varepsilon \ge \varepsilon_{EC} > \varepsilon_s > \varepsilon_{PE} \ge 0$, as required in [16].
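The following is an added example, not code from the paper: it evaluates Eqs. (1) and (3)–(5) for a raw key of n bits and searches for the smallest block giving a positive rate. The yields, error rates, EC efficiency and the split of ε are constructed values held fixed (the PE fluctuations of Section 4 are not modelled), and Eq. (3) is read with the square root and fractions of the corresponding formula in [16].

```python
import math

def h2(x):
    """Binary entropy h(x) in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)

def delta(n, eps, eps_ec, eps_s, eps_pe):
    """Finite-size term of Eq. (3) in bits, read as
    7*sqrt(n*log2(2/(eps_s - eps_PE))) + 2*log2(1/(2*(eps - eps_s - eps_EC)))."""
    if not (eps >= eps_ec > eps_s > eps_pe >= 0.0):
        raise ValueError("chain relation eps >= eps_EC > eps_s > eps_PE >= 0 violated")
    slack = eps - eps_s - eps_ec
    if slack <= 0.0:
        raise ValueError("eps - eps_s - eps_EC must be positive")
    return (7.0 * math.sqrt(n * math.log2(2.0 / (eps_s - eps_pe)))
            + 2.0 * math.log2(1.0 / (2.0 * slack)))

def entropy_a_given_e(y0, y1, q1, u, gain):
    """H(A|E) of Eq. (4). g^(k) = y^(k) * Poisson(k; u) / gain as in Eq. (5),
    where gain = C_u^ZZ / N_u^ZZ is the measured signal detection rate."""
    g0 = y0 * math.exp(-u) / gain
    g1 = y1 * u * math.exp(-u) / gain
    return g0 + g1 * (1.0 - h2(q1))

def rate(n, est, eps):
    """Rate per detected bit r of Eq. (1) for a raw key of n bits."""
    h_ae = entropy_a_given_e(est["y0"], est["y1"], est["q1"], est["u"], est["gain"])
    leak_ec = n * est["f_ec"] * h2(est["Q_Z"])   # leak_EC = n * f_EC * h(Q_Z)
    return h_ae - (leak_ec + delta(n, **eps)) / n

def smallest_positive_block(est, eps, hi=10**12):
    """Smallest n with r > 0. For fixed estimates r grows with n, so bisect."""
    if rate(hi, est, eps) <= 0.0:
        return None
    lo = 1
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if rate(mid, est, eps) > 0.0:
            hi = mid
        else:
            lo = mid
    return hi

# Constructed inputs. Only u = 0.425 and the total eps = 1e-10 come from the page;
# everything else is an assumption made for this illustration.
EST = {"y0": 4.2e-5, "y1": 0.0205, "q1": 0.03, "u": 0.425,
       "gain": 8.72e-3, "Q_Z": 0.03, "f_ec": 1.1}
EPS = {"eps": 1e-10, "eps_ec": 6e-11, "eps_s": 3e-11, "eps_pe": 1e-11}

if __name__ == "__main__":
    for n in (10**4, 10**5, 10**6, 10**8, 10**10):
        print(f"n = {n:>12d}   Delta/n = {delta(n, **EPS) / n:.5f}   r = {rate(n, EST, EPS):+.5f}")
    print("smallest block with r > 0:", smallest_positive_block(EST, EPS))
```

With the estimates held fixed, the only finite-size penalty left is Δ/n, which falls roughly as 1/√n.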

4. Finite-size statistical analysis and parameter estimation

The T12 protocol rate in Eq. (7) contains three optimisation procedures which have to be performed over a range specified by the statistics acquired during the PE procedure. In this section, we give a more detailed description of such a procedure.

In the asymptotic setting, the decoy state technique allows one to put the measurable quantities in one-to-one correspondence with the parameters to be estimated [24]:

$$Y_{\mu}^{Z} = \sum_k e^{-\mu}\frac{\mu^{k}}{k!}\, y_Z^{(k)}, \tag{9}$$

$$B_{\mu}^{X} = \sum_k e^{-\mu}\frac{\mu^{k}}{k!}\, y_X^{(k)} q_X^{(k)}. \tag{10}$$

With the implicit assumption that the single terms in the sums, e.g. $y_Z^{(k)}$, do not depend explicitly on $\mu$ [23], the above set of equations allows one to determine all the unknown parameters exactly. The measurable quantities are on the LHS while the unknowns are on the RHS, coupled with the Poissonian distribution of the photon number. $Y_{\mu}^{Z}$ is the rate of Bob’s detections when a pulse with average photon number $\mu$ was prepared and the Z basis used. $B_{\mu}^{X}$ is the bit error rate measured from pulses with average photon number $\mu$, in the X basis.

In the finite-size setting, there is no longer an exact correspondence between measured quantities and estimated parameters, and the acquired statistics allows for different realisations of $y_Z^{(k)}$ and $q_X^{(k)}$. Among these, security requires selecting the one which maximises Eve’s information, through a constrained optimisation process.

A first optimisation is required because there is only a finite number of intensities that Alice can prepare. A second optimisation is required because the data sample itself is finite. These two processes are usually carried out separately: the former gives rise to analytical estimates [23–25] which are then corrected to take the latter into account [26, 29]. While this can provide positive key rates, it might not be the ideal strategy. In fact, there is no guarantee that the analytical estimates are optimal. Moreover, the numerical fluctuations in the finite sample are often treated using an approximate method, like the Wald statistical test [36], in which the actual coverage probability of the confidence interval is much smaller than expected [37].

To overcome these limitations, we use a combination of statistical analysis and constrained optimisation [38, 39]. The statistical analysis relies on the Clopper-Pearson (CP) test [40], which avoids approximations and provides the most conservative confidence interval compatible with the statistics acquired from the PE procedure. This allows us to map the experimental quantities of Table 1 into useful bounds with confidence level $1 - \varepsilon_{PE}$. Then, using these bounds as constraints, we can obtain the estimated quantities through an optimisation algorithm. Both these steps can be efficiently performed via standard numerical routines. In Table 2 we summarise the relevant steps and quantities involved in this approach.

Table 2. Relations among experimental, statistical and estimated quantities.

When the data sample is finite, Eqs. (9), (10) turn into a set of inequalities which can still be used to guarantee the security of the protocol [25, 38, 39]. In fact, they can be rewritten for the three intensity levels $\mu_j$ of the T12 protocol as:

$$Y_{\mu_j}^{Z-} \le \sum_k e^{-\mu_j}\frac{(\mu_j)^{k}}{k!}\, \tilde{y}_Z^{(k)} \le Y_{\mu_j}^{Z+}, \quad j = \{0,1,2\}, \tag{11}$$

$$B_{\mu_j}^{X-} \le \sum_k e^{-\mu_j}\frac{(\mu_j)^{k}}{k!}\, \tilde{y}_X^{(k)} \tilde{q}_X^{(k)} \le B_{\mu_j}^{X+}, \quad j = \{0,1,2\}. \tag{12}$$

The quantity $Y_{\mu_j}^{Z\pm}$ ($B_{\mu_j}^{X\pm}$) contains lower and upper bounds to the detection rate (error rate) of the pulses with intensity $\mu_j$ measured by the users in the Z (X) basis. From this, we can draw the confidence intervals introduced in Section 3, $I_{\varepsilon_{PE}}^{Y} = [Y_{\mu_j}^{Z-}, Y_{\mu_j}^{Z+}]$ for the detection rate and $I_{\varepsilon_{PE}}^{B} = [B_{\mu_j}^{X-}, B_{\mu_j}^{X+}]$ for the error rate, each with the appropriate confidence level coming from the CP test.
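As an added example (not code from the paper), the sketch below computes exact Clopper-Pearson limits for per-intensity detection rates and sets them beside the law-of-large-numbers deviation ξ_PE of Section 3. The pulse and count numbers are constructed, ε_PE is split equally between the two tails, ξ_PE is taken in its square-root form from [16], and the ± ξ_PE interval is centred on the observed frequency; all of these are assumptions of the example.

```python
import math

def log_pmf(k, n, p):
    """Natural log of the Binomial(n, p) probability of exactly k successes."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))

def tail(k, n, p, upper):
    """P(X >= k) if upper else P(X <= k), for X ~ Binomial(n, p).

    Terms are accumulated moving away from k with the pmf ratio recurrence.
    Callers only ask for the tail on the far side of the mean, where the terms
    shrink monotonically, so the loop stops once they become negligible.
    """
    odds = p / (1.0 - p)
    term, total, j = 1.0, 1.0, k
    while (j < n) if upper else (j > 0):
        if upper:
            term *= (n - j) / (j + 1) * odds
            j += 1
        else:
            term *= j / (n - j + 1) / odds
            j -= 1
        total += term
        if term < 1e-17 * total:
            break
    return math.exp(log_pmf(k, n, p)) * total

def clopper_pearson(k, n, eps):
    """Exact two-sided limits for a binomial proportion; each tail gets eps/2."""
    def limit(far, upper):
        near = k / n                        # observed frequency, always inside
        for _ in range(200):
            mid = 0.5 * (near + far)
            if mid == near or mid == far:   # floating-point resolution reached
                break
            if tail(k, n, mid, upper) >= eps / 2:
                near = mid                  # mid is still compatible with the data
            else:
                far = mid                   # mid is excluded at this confidence
        return far                          # conservative side of the root
    lower = 0.0 if k == 0 else limit(0.0, upper=True)
    upper = 1.0 if k == n else limit(1.0, upper=False)
    return lower, upper

def lln_deviation(m, eps):
    """xi_PE for a binary POVM (Section 3): sqrt(2 * ln((m + 1) / eps) / m)."""
    return math.sqrt(2.0 * math.log((m + 1) / eps) / m)

def compare(samples, eps_pe):
    """Per intensity: observed rate, CP interval and the +/- xi_PE interval."""
    rows = {}
    for label, (n, k) in samples.items():
        rate, xi = k / n, lln_deviation(n, eps_pe)
        rows[label] = {"rate": rate,
                       "cp": clopper_pearson(k, n, eps_pe),
                       "lln": (max(0.0, rate - xi), min(1.0, rate + xi))}
    return rows

# Constructed (pulses sent, non-empty counts) for signal u and decoys v, w.
SAMPLES = {"u": (50_000_000, 436_000), "v": (400_000, 380), "w": (200_000, 12)}

if __name__ == "__main__":
    for label, row in compare(SAMPLES, 1e-10).items():
        print(label, f"rate={row['rate']:.3e}",
              "CP=[%.3e, %.3e]" % row["cp"], "LLN=[%.3e, %.3e]" % row["lln"])
```

For the weak decoy the ± ξ_PE interval reaches down to zero, while the CP interval still gives a non-trivial lower bound to use as a constraint in Eqs. (11), (12).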

Now we can use constrained optimisation to minimise $\tilde{y}_Z^{(0)}$, $\tilde{y}_Z^{(1)}$ and maximise $\tilde{q}_X^{(1)}$ in their respective confidence intervals. The explicit problems are shown in the Appendix. The solutions have already been introduced in Section 3 and written in Eq. (7) as $\bar{y}_Z^{(k)}$, $k = \{0,1\}$, and $\bar{q}_X^{(1)}$. Because objective functions and constraints in the optimisation problems are all reduced to linear functions, the solutions are guaranteed to be global maxima or minima [41]. This ensures that when they are finally plugged into Eq. (7), the obtained finite-size secure key rate of the T12 protocol is an absolute minimum, given the experimental statistics acquired by the users, i.e. a worst-case bound to the real rate.

5. Experimental implementation and numerical simulation

In this section, we describe the experimental implementation of the T12 protocol in a high bit rate QKD system. In all the experiments, we set $\varepsilon = 10^{-10}$. Moreover, we choose the probability of the minority basis to be $p_X = 2^{-4} = 1/16$. To determine this value, we initially run a simulation and find the value $p_X^{opt}$ that maximises the secure key rate. Then, for experimental convenience, we choose the power-of-2 value which is the closest to $p_X^{opt}$. Following the same logic, we choose the intensity probabilities as $p_w = 2^{-8} = 1/256$, $p_v = 2^{-7} = 1/128$ and $p_u = 1 - p_w - p_v$. The values for the average photon number are $u = 0.425$, $v = 0.044$, $w = 0.001$. They are derived from a simulation under the constraint of being compatible with the actual intensity modulator used in the setup. Small variations of these values do not affect the overall secure rate, thus showing that they are all close to optimal.

The QKD experimental setup is shown in Fig. 1. The system operates in the telecom band at a wavelength of 1550 nm. On Alice’s side, encoding is accomplished through phase modulator voltages corresponding to (0, π) for the Z basis and (π/2, 3π/2) for the X basis. Bob uses a (0, π/2) modulation for decoding. The two communicating parties are linked together via a dispersion shifted fibre which has a dispersion coefficient of 4 ps/(km·nm). Single photons are detected by gated InGaAs avalanche photodiodes (APDs) in the self-differencing mode [42]. The APDs are cooled thermoelectrically to –30°C and operated at a detection efficiency of 20.5%, a dark count probability per gate of $2.1 \times 10^{-5}$ and an afterpulse probability of 5.25%. A software program controls all the equipment continuously, calculates the QBER for the fibre-stretcher to counteract any drift in the phase and corrects the detector gate delay and polarisation so as to maximise the count rate. The average photon number is stabilised using the feedback from a power meter connected to the main channel through a beam splitter with a fixed, known splitting ratio.

The experimental parameters given above have been used to numerically simulate the secure key rate of the T12 protocol as a function of the detected sample size over a fibre distance of 50 km. This is shown in Fig. 2, with the sample size decreasing from left to right. The secure key rate is calculated by applying Eq. (7), separately to each basis, and then adding up the two resulting partial rates. As expected, it decreases when the sample size becomes smaller. However, already for a sample size of $10^{8}$ counts, the protocol performs at about 85% of its asymptotic value. Moreover, the key rate remains positive up to a sample size of $1.4\times10^{5}$ counts. With the same experimental parameters, the security proof by Cai and Scarani [26] would provide 50% of the asymptotic rate for a sample size of $10^{8}$ counts, and $1.6\times10^{7}$ counts as the minimum size tolerated by the protocol. Therefore our model is significantly more resilient to finite size effects. In Fig. 2, we also show two pie-charts with the breakdown of the counts collected in the experiment, one for a large data sample ($10^{11}$ counts) and the other for the minimum data sample tolerated by the protocol ($1.4\times10^{5}$ counts). The total detected sample is reduced by basis sifting, EC and PA applied to multi-photon events and phase-errors before reaching the final secure key fraction. The detrimental contribution of the finite-size effects becomes apparent for smaller sample sizes.

Fig. 2 Secure key rate of the T12 protocol versus the size of the detected data sample, for $\varepsilon=10^{-10}$. Parameters are obtained with the setup of Fig. 1 from an experimental QKD run over a 50 km optical fibre. The key rate, depicted with a red line, is measured in percentage from the asymptotic value. Pie-charts with the breakdown of the counts leading to the final secure bits are given for sample sizes of $10^{11}$ counts and $1.4\times10^{5}$ counts. The latter value is the smallest sample size providing a positive rate and can be acquired in less than 60 ms with our system. For a typical acquisition time of 20 minutes, the block size is ~$5\times10^{9}$ counts and the corresponding secure key rate is indicated by a violet circle on the red line. In addition, the minority basis probability has been optimised so as to obtain the highest secure key rate at all distances. It goes from $p_X$ = 0.0065 for a sample of $10^{11}$ counts to $p_X$ = 0.2290 for a sample of $1.4\times10^{5}$ counts.

6. Experimental results

With the setup shown in Fig. 1, a series of experiments were conducted to verify the feasibility and practicality of the T12 protocol. The main feature to be demonstrated is the capability to measure the quantities in Table 1 which enter the secure key rate of the protocol. This requires an advanced data analysis of the experimental sample, which takes into account not only the basis information [21, 44], but also the intensity information. To our knowledge, such an advanced data analysis has never been shown before in QKD.

Because in the T12 protocol $p_X=1/16$, only 11.7% of the detected counts are discarded, as opposed to 50% in the BB84 protocol. This increases the theoretical efficiency of the T12 protocol to 88.3%, which is 76.6% higher than that of the standard BB84 protocol. The experimental results in Fig. 4 agree well with this value. In fact, the obtained enhancement is 73.5%, very close to the theoretical limit.

7. Conclusion

We have investigated the finite-size security of the efficient version of the BB84 protocol, implemented with an attenuated laser and the decoy-state technique. For that, we have purposely defined a protocol, namely the T12, which includes several practical advantages.

After gathering all aspects under a unified description, we have applied the Scarani and Renner proof method [16] to assess the protocol secure key rate. Then we have adopted a more efficient parameter estimation procedure to improve the resistance of the protocol to finite-size effects. As a result, the minimum data sample size providing a positive key rate has now greatly improved, by more than two orders of magnitude. Numerical simulations have been provided, showing explicitly the effect of the data sample finiteness on the secure key rate. With samples of $10^{8}$ bits, finite-size effects reduce the asymptotic key rate by about 15%. For higher sample sizes, the reduction becomes negligible.

We have then implemented the T12 protocol using a gigahertz-clocked QKD system. All the main features of the protocol, including the high key rate and the increased efficiency over the standard BB84 protocol, have been experimentally tested and agree well with the theoretical predictions.

To demonstrate the correct execution of the protocol, we have shown the results from an advanced data analysis, in which experimental quantities are acquired and processed in real time according to their basis and intensity information.

The high bit rate of the system allows $5\times10^{9}$ counts to be collected in a typical session of 20 minutes, thus providing a key rate that is not appreciably affected by the finiteness of the sample. Despite its large security level, represented by a failure probability $\varepsilon = 10^{-10}$, the system provides the highest secure key rates reported to date over tens of kilometres in optical fibre.

Appendix

Acknowledgments

Discussions with R. Renner, M. Tomamichel, N. Lütkenhaus, S. Kunz-Jacques are gratefully acknowledged. The work is partly supported by the Commissioned Research of National Institute of Information and Communications Technology (NICT), Japan. K. A. Patel acknowledges personal support via the EPSRC funded CDT in Photonics System Development.

References and links

1.

S. Wiesner, “Conjugate coding,” Sigact News 15(1), 78–88 (1983). [CrossRef]

2.

C. H. Bennett and G. Brassard, “Quantum cryptography: public-key distribution and coin tossing,” in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing (Institute of Electrical and Electronics Engineers, New York, 1984), pp. 175–179.

3.

A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett. 67(6), 661–663 (1991). [CrossRef] [PubMed]

4.

N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74(1), 145–195 (2002). [CrossRef]

5.

V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301–1350 (2009). [CrossRef]

6.

P. D. Townsend, J. G. Rarity, and P. R. Tapster, “Enhanced single-photon fringe visibility in a 10 km-long prototype quantum cryptography,” Electron. Lett. 29(14), 1291 (1993). [CrossRef]

7.

M. Peev, C. Pacher, R. Alléaume, C. Barreiro, J. Bouda, W. Boxleitner, T. Debuisschert, E. Diamanti, M. Dianati, J. F. Dynes, S. Fasel, S. Fossier, M. Fürst, J.-D. Gautier, O. Gay, N. Gisin, P. Grangier, A. Happe, Y. Hasani, M. Hentschel, H. Hübel, G. Humer, T. Länger, M. Legré, R. Lieger, J. Lodewyck, T. Lorünser, N. Lütkenhaus, A. Marhold, T. Matyus, O. Maurhart, L. Monat, S. Nauerth, J.-B. Page, A. Poppe, E. Querasser, G. Ribordy, S. Robyr, L. Salvail, A. W. Sharpe, A. J. Shields, D. Stucki, M. Suda, C. Tamas, T. Themel, R. T. Thew, Y. Thoma, A. Treiber, P. Trinkler, R. Tualle-Brouri, F. Vannel, N. Walenta, H. Weier, H. Weinfurter, I. Wimberger, Z. L. Yuan, H. Zbinden, and A. Zeilinger, “The SECOQC quantum key distribution network in Vienna,” New J. Phys. 11(7), 075001 (2009). [CrossRef]

8.

M. Sasaki, M. Fujiwara, H. Ishizuka, W. Klaus, K. Wakui, M. Takeoka, S. Miki, T. Yamashita, Z. Wang, A. Tanaka, K. Yoshino, Y. Nambu, S. Takahashi, A. Tajima, A. Tomita, T. Domeki, T. Hasegawa, Y. Sakai, H. Kobayashi, T. Asai, K. Shimizu, T. Tokura, T. Tsurumaru, M. Matsui, T. Honjo, K. Tamaki, H. Takesue, Y. Tokura, J. F. Dynes, A. R. Dixon, A. W. Sharpe, Z. L. Yuan, A. J. Shields, S. Uchikoga, M. Legré, S. Robyr, P. Trinkler, L. Monat, J. B. Page, G. Ribordy, A. Poppe, A. Allacher, O. Maurhart, T. Länger, M. Peev, and A. Zeilinger, “Field test of quantum key distribution in the Tokyo QKD Network,” Opt. Express 19(11), 10387–10409 (2011). [CrossRef] [PubMed]

9.

K. Patel, J. F. Dynes, I. Choi, A. W. Sharpe, A. R. Dixon, Z. L. Yuan, R. V. Penty, and A. J. Shields, “Coexistence of high-bit-rate quantum key distribution and data on optical fiber,” Phys. Rev. X 2(4), 041010 (2012). [CrossRef]

10.

B. Fröhlich, J. F. Dynes, M. Lucamarini, A. W. Sharpe, Z. Yuan, and A. J. Shields, “A quantum access network,” Nature 501(7465), 69–72 (2013). [CrossRef] [PubMed]

11.

D. Mayers, D. Coppersmith, ed., in Advances in Cryptology:Proceedings of CRYPTO '95, vol. 963 of Lecture Notes in Computer Science, D. Coppersmith, Ed. (Springer-Verlag, 1995), pp. 124–135; in Advances in Cryptology: Proceedings of CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science, N. Koblitz, Ed. (Springer-Verlag, 1996), pp. 343–357.

12.

H. Inamori, N. Lütkenhaus, and D. Mayers, “Unconditional security of practical quantum key distribution,” Eur. Phys. J. D 41(3), 599–627 (2007). [CrossRef]

13.

S. Watanabe, R. Matsumoto, and T. Uyematsu, “Noise tolerance of the BB84 protocol with random privacy amplification,” Int. J. Quantum Inf. 4(6), 935–946 (2006). [CrossRef]

14.

M. Hayashi, “Practical evaluation of security for quantum key distribution,” Phys. Rev. A 74(2), 022307 (2006). [CrossRef]

15.

M. Hayashi, “Upper bounds of eavesdropper’s performances in finite-length code with the decoy method,” Phys. Rev. A 76(1), 012329 (2007). [CrossRef]

16.

V. Scarani and R. Renner, “Quantum cryptography with finite resources: unconditional security bound for discrete-variable protocols with one-way postprocessing,” Phys. Rev. Lett. 100(20), 200501 (2008). [CrossRef] [PubMed]

17.

V. Scarani and R. Renner, “Security bounds for quantum cryptography with finite resources,” in Theory of Quantum Computation, Communication, and Cryptography, vol. 5106 of Lecture Notes in Computer Science, (Berlin Springer, 2008), pp 83–95.

18.

M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nat Commun 3, 634 (2012). [CrossRef] [PubMed]

19.

R. Renner, N. Gisin, and B. Kraus, “Information-theoretic security proof for quantum-key-distribution protocols,” Phys. Rev. A 72(1), 012332 (2005). [CrossRef]

20.

B. Kraus, N. Gisin, and R. Renner, “Lower and upper bounds on the secret-key rate for quantum key distribution protocols using one-way classical communication,” Phys. Rev. Lett. 95(8), 080501 (2005). [CrossRef] [PubMed]

21.

H.-K. Lo, H. F. Chau, and M. Ardehali, “Efficient quantum key distribution scheme and proof of its unconditional security,” J. of Crypt. 18(2), 133–165 (2005). [CrossRef]

22.

W.-Y. Hwang, “Quantum key distribution with high loss: toward global secure communication,” Phys. Rev. Lett. 91(5), 057901 (2003). [CrossRef] [PubMed]

23.

X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. 94(23), 230503 (2005). [CrossRef] [PubMed]

24.

H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. 94(23), 230504 (2005). [CrossRef] [PubMed]

25.

X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, “Practical decoy state for quantum key distribution,” Phys. Rev. A 72(1), 012326 (2005). [CrossRef]

26.

R. Y. Q. Cai and V. Scarani, “Finite-key analysis for practical implementations of quantum key distribution,” New J. Phys. 11(4), 045024 (2009). [CrossRef]

27.

M. Lucamarini, J. F. Dynes, Z. L. Yuan, and A. J. Shields, “Practical treatment of quantum bugs,” Proc. SPIE8542, Electro-Optical Remote Sensing, Photonic Technologies, and Applications VI (2012).

28.

M. Hayashi and R. Nakayama, “Security analysis of the decoy method with the Bennett-Brassard 1984 protocol for finite key lengths,” arXiv:1302.4139 (2013).

29.

Z. Wei, W. Wang, Z. Zhang, M. Gao, Z. Ma, and X. Ma, “Decoy-state quantum key distribution with biased basis choice,” Sci Rep 3, 2453 (2013). [CrossRef] [PubMed]

30.

N. J. Beaudry, T. Moroder, and N. Lütkenhaus, “Squashing models for optical measurements in quantum communication,” Phys. Rev. Lett. 101(9), 093601 (2008). [CrossRef] [PubMed]

31.

T. Tsurumaru and K. Tamaki, “Security proof for QKD systems with threshold detectors,” Phys. Rev. A 78, 032302 (2008). [CrossRef]

32.

J. Hasegawa, M. Hayashi, T. Hiroshima, and A. Tomita, “Security analysis of decoy state quantum key distribution incorporating finite statistics,” arXiv:0707.3541 (2007).

33.

M. Koashi and J. Preskill, “Secure quantum key distribution with an uncharacterized source,” Phys. Rev. Lett. 90(5), 057902 (2003). [CrossRef] [PubMed]

34.

H. K. Lo and J. Preskill, “Security of quantum key distribution using weak coherent states with nonrandom phases,” Quantum Inf. Comput. 7, 431 (2007).

35.

M. Koashi, “Efficient quantum key distribution with practical sources and detectors,” arXiv:quant-ph/0609180 (2006).

36.

A. Wald, “Tests of statistical hypotheses concerning several parameters when the number of observations is large,” in Transactions of the American Mathematical Society, vol. 54 (1943), pp. 426–482.

37.

A. Agresti and B. A. Coull, “Approximate is better than ‘exact’ for interval estimation of binomial proportions,” Am. Stat. 52, 119 (1998).

38.

J. W. Harrington, J. M. Ettinger, R. J. Hughes, and J. E. Nordholt, “Enhancing practical security of quantum key distribution with a few decoy states,” arXiv:quant-ph/0503002 (2005).

39.

P. Rice and J. W. Harrington, “Numerical analysis of decoy state quantum key distribution protocols,” arXiv:0901.0013 (2009).

40.

C. Clopper and E. S. Pearson, “The use of confidence or fiducial limits illustrated in the case of the binomial,” Biometrika 26(4), 404–413 (1934). [CrossRef]

41.

R. Renner, “Symmetry of large physical systems implies independence of subsystems,” Nat. Phys. 3(9), 645–649 (2007). [CrossRef]

42.

S. Boyd and L. Vandenberghe, Convex Optimization (Cambridge University Press, 2004).

43.

Z. L. Yuan, B. E. Kardynal, A. W. Sharpe, and A. J. Shields, “High speed single photon detection in the near infrared,” Appl. Phys. Lett. 91(4), 041114 (2007). [CrossRef]

44.

C. Erven, X. Ma, R. Laflamme, and G. Weihs, “Entangled quantum key distribution with a biased basis choice,” New J. Phys. 11(4), 045025 (2009). [CrossRef]

45.

J. Hasegawa, M. Hayashi, T. Hiroshima, A. Tanaka, and A. Tomita, “Experimental decoy state quantum key distribution with unconditional security incorporating finite statistics,” arXiv:0705.3081 (2007).

46.

D. Rosenberg, C. G. Peterson, J. W. Harrington, P. R. Rice, N. Dallmann, K. T. Tyagi, K. P. McCabe, S. Nam, B. Baek, R. H. Hadfield, R. J. Hughes, and J. E. Nordholt, “Practical long-distance quantum key distribution system using decoy levels,” New J. Phys. 11(4), 045009 (2009). [CrossRef]

47.

P. Jouguet, S. Kunz-Jacques, A. Leverrier, P. Grangier, and E. Diamanti, “Experimental demonstration of long-distance continuous-variable quantum key distribution,” Nat. Photonics 7(5), 378–381 (2013). [CrossRef]

OCIS Codes
(060.0060) Fiber optics and optical communications : Fiber optics and optical communications
(060.4510) Fiber optics and optical communications : Optical communications
(270.5568) Quantum optics : Quantum cryptography

ToC Category:
Quantum Optics

History
Original Manuscript: August 2, 2013
Revised Manuscript: September 20, 2013
Manuscript Accepted: September 24, 2013
Published: October 7, 2013

Citation
M. Lucamarini, K. A. Patel, J. F. Dynes, B. Fröhlich, A. W. Sharpe, A. R. Dixon, Z. L. Yuan, R. V. Penty, and A. J. Shields, "Efficient decoy-state quantum key distribution with quantified security," Opt. Express 21, 24550-24565 (2013)
http://www.opticsinfobase.org/oe/abstract.cfm?URI=oe-21-21-24550

