Finite-key analysis for time-energy high-dimensional quantum key distribution

Finite-key analysis for time-energy high-dimensional quantum key distribution

Murphy Yuezhen Niu Research Laboratory of Electronics, Massachusetts Institute of Technology, 77 Massachusetts Avenue, Cambridge, Massachusetts 02139, USA Department of Physics, Massachusetts Institute of Technology, Cambridge, Massachusetts 02139, USA    Feihu Xu Research Laboratory of Electronics, Massachusetts Institute of Technology, 77 Massachusetts Avenue, Cambridge, Massachusetts 02139, USA    Fabian Furrer NTT Basic Research Laboratories, NTT Corporation, 3-1 Morinosato-Wakamiya, Atsugi, Kanagawa, 243-0198, Japan    Jeffrey H. Shapiro Research Laboratory of Electronics, Massachusetts Institute of Technology, 77 Massachusetts Avenue, Cambridge, Massachusetts 02139, USA
July 14, 2019
Abstract

Time-energy high-dimensional quantum key distribution (HD-QKD) leverages the high-dimensional nature of time-energy entangled biphotons and the loss tolerance of single-photon detection to achieve long-distance key distribution with high photon information efficiency. To date, the general-attack security of HD-QKD has only been proven in the asymptotic regime, while HD-QKD’s finite-key security has only been established for a limited set of attacks. Here we fill this gap by providing a rigorous HD-QKD security proof for general attacks in the finite-key regime. Our proof relies on a novel entropic uncertainty relation that we derive for time and conjugate-time measurements using dispersive optics, and our analysis includes an efficient decoy-state protocol in its parameter estimation. We present numerically-evaluated secret-key rates illustrating the feasibility of secure and composable HD-QKD over metropolitan-area distances when the system is subjected to the most powerful eavesdropping attack.

I Introduction

Quantum key distribution (QKD) enables secure communication based on fundamental laws of quantum physics bennett1984quantum (); ekert1991quantum (), as opposed to the security that is presumed from computational complexity in conventional public-key cryptography. Current work on QKD focuses on patching security holes in practical implementations, increasing secret-key rates and secure-transmission distances, and unifying understanding of the many different protocols lo2014review (). Existing QKD protocols can be divided into two major categories: discrete-variable (DV) bennett1984quantum (); Huang2003 (); Wang2003 (); Lo2005 () and continuous-variable (CV) grosshans2002continuous () QKD. The predominant DV-QKD is more robust to loss than CV-QKD, and thus offers longer secure-transmission distance liu2010decoy (); wang2012 (); korzh2015 (); curty2014finite (). CV-QKD, on the other hand, offers higher photon information efficiency (PIE) than DV-QKD, and thus potentially higher key rates at short distances jouguet2013experimental ().

High-dimensional QKD (HD-QKD) exploits the best features of DV and CV protocols to simultaneously achieve high PIE and long secure-transmission distance cerf2002security (); Gisin2004 (); WalmsleyPRL2008 (); lee2014entanglement (); zhong2015photon (); mirhosseini2015high (); Boyd2015 (). One of the most appealing candidates for implementation is time-energy HD-QKD zhong2015photon (); Kwiat2013 (); mower2013high (); lee2013finite (); zhang2014unconditional (); DariusPRA2015 (); bao2016finite (). It generates keys using the detection times of time-energy entangled photon pairs, whose continuous nature permits encoding of extremely large alphabets. The security analysis of time-energy HD-QKD has been improving ever since the protocol was proposed Kwiat2013 (); mower2013high (); DariusPRA2015 (); lee2013finite (); zhang2014unconditional (); bao2016finite (). Nevertheless, a rigorous security proof that satisfies the composability condition renner2005security () and takes full account of the finite-size effects against general attacks (the most powerful eavesdropping attack) has been missing. For this reason, the feasibility of secure, metropolitan-area, time-energy HD-QKD using a reasonable time interval for signal transmission has yet to be fully established.

In this paper we make three contributions. First, we derive a new entropic uncertainty relation between time and conjugate-time measurements that are made via non-local dispersion cancellation. Second, we use the new uncertainty principle to prove the composable security of time-energy HD-QKD in the finite-key regime against general (coherent) attacks. Third, we find the dispersion strength for the conjugate-time basis transformation mower2013high () that maximizes HD-QKD’s secret-key rate.

The entropic uncertainty relation is indispensable for analyzing general attacks against time-energy HD-QKD. Although an entropic uncertainty relation for field quadratures has been developed furrer2014position (), and applied recently to CV-QKD security analysis furrer2012continuous (), it cannot be directly applied to time-energy HD-QKD because time and conjugate-time measurements are not described by maximally incompatible operators walach2001 (), such as position and momentum. To overcome this challenge, we construct a new entropic uncertainty relation specifically for time and conjugate-time measurements. Because entropic uncertainty relations figure prominently in quantum metrology metrology (), quantum randomness certification random (); XuQRNG (), entanglement witnesses entanglement1 (); entanglement2 (), two-party cryptography crypto1 (); crypto2 (), QKD security analysis (curty2014finite, ; QKD, ; tomamichel2011uncertainty, ; tomamichel2012tight, ; Wang2013, ; Zhou2014, ), and other applications Patrick2015 (), we expect that our uncertainty relation for time and conjugate-time measurements may have uses well beyond what will be presented below.

The secret-key rate formula we obtain using our entropic uncertainty relation allows us to verify important advantages that HD-QKD offers over alternative protocols. In particular, HD-QKD offers higher PIE (3.3 bits/photon) than both CV-QKD (0.5 bits/photon furrer2014reverse ()) and DV-QKD (0.1 bits/photon lim2014concise ()), thus ensuring higher secret-key rates under photon-starved conditions, in which the photon-detection rate is much lower than the photon-generation rate because of the loss incurred in long-distance propagation and the relatively long recovery times of available single-photon detectors. Also, HD-QKD offers a longer maximum secure-transmission distance for general attacks (e.g., 160 km for a 30-min session using the system parameters given below in Table 1) as compared to that for CV-QKD furrer2012continuous (); leverrier2013security (), even in the case of reverse reconciliation (e.g., 16 km furrer2014reverse ()). Furthermore, because our entropic uncertainty relation is parametrized by the HD-QKD protocol’s time-bin duration, , and conjugate-time basis transformation’s group-velocity dispersion (GVD) coefficient, , optimizing the value can increase HD-QKD’s secure-transmission distance to 210 km—and provide a 17 Mbit/s expected secret-key rate at zero distance—without resorting to a higher clock rate.

The remainder of the paper is organized as follows. The HD-QKD protocol is described briefly in Sec. II, with a detailed account—including its use of decoy states for channel estimation—appearing in Appendix A. The security analysis for coherent attacks in the finite-key regime is contained in Sec. III. Its security proof relies on the entropic uncertainty relation that is derived in Sec. IV. (For comparison, the entropic uncertainty relation obtained from the conventional dilation assumption is presented in Appendix B.) A numerical evaluation of HD-QKD’s secret-key rate and PIE follows in Sec. V, which illustrates the advantages offered by this protocol, and Sec. VI provides summarizing discussion.

Ii Protocol

Time-energy HD-QKD that relies on dispersive optics works as follows mower2013high (); lee2013finite (). In each round, Alice generates a time-energy entangled photon pair from a spontaneous parametric down-conversion (SPDC) source, sends one photon to Bob and retains the other. Alice and Bob choose independently and at random to measure their photons in either the time basis () or the conjugate-time basis (), where the latter is a dispersive-optics proxy for a frequency measurement. Alice and Bob discretize their outcomes into time bins of duration . The process repeats for rounds until Alice and Bob obtain enough detections to begin post-processing. At the end of all measurements, the two sides reveal their basis choices and discard all data measured using mismatched bases. Secret keys are extracted from the events in which Alice and Bob both chose the basis, while the basis outcomes are publicly announced for parameter estimation. Using the decoy-state method Huang2003 (); Wang2003 (); Lo2005 (); DariusPRA2015 (); lim2014concise (), Alice and Bob estimate the number of detections in that were generated from single-pair SPDC emissions, and the corresponding code distance in the basis, see Appendix C for the details. They abort the protocol if this distance exceeds a predetermined value (see Appendix D). Otherwise, they perform error correction and privacy amplification to generate the secret key.

The conjugate-time measurement for the basis is realized by direct detection at Alice and Bob’s terminals after they have sent their photons through normal and anomalous GVD elements, respectively mower2013high (); lee2013finite (). These GVD elements’ dispersion coefficients have equal magnitudes (and opposite signs) so their effects are non-locally canceled Franson1992 (). As a result, Alice and Bob’s -basis measurements are as strongly correlated as those in the basis, i.e., the dispersion transformation allows them to perform a spectral-correlation measurement with only time-resolved single-photon detection mower2013high (); lee2013finite ().

Iii Security Analysis

iii.1 Security Definition

Given that the parameter-estimation test is passed with probability , Alice and Bob end up with final keys that are classical random vectors, and , which might be correlated with a quantum system, , held by Eve. Mathematically, this situation corresponds to a classical-quantum state , where denotes an orthonormal basis for Alice’s dimension- key space, and the subscript indicates Eve’s quantum state. We characterize a QKD protocol by its correctness and secrecy. For that we use a notion of security based on the approach developed in renner2005security (). A protocol is called -correct if the probability that differs from is smaller than . We say that a protocol is -secret if the state is -close to the ideal situation described by the tensor product of uniformly distributed keys on Alice’s side and Eve’s quantum state, , such that . A QKD protocol is then said to be -secure if it is both -correct and -secret, with . Our security definitions ensure that the protocol remains secure in combination with any other protocol, i.e., the protocol is secure in the universally composable framework renner2005security ().

iii.2 Assumptions

Before deriving our lower bound on secret-key length, we first specify the assumptions that will be employed: (1) Alice’s SPDC source produces independent, identically-distributed biphotons whose correlation time and coherence time are well characterized. (2) For each pump pulse, Alice is able to randomly set her SPDC source’s biphoton intensity (mean photon-pairs generated per pump pulse) to be either , , or with probabilities , , and . (3). Alice and Bob’s laboratories are secure, i.e., free from any information leakage. (4) Alice and Bob independently and randomly choose between measuring in the time and conjugate-time bases with probabilities and . Most of these assumptions are already made in conventional CV-QKD and DV-QKD security analysis.

iii.3 Security Proof

In order to characterize information leakage in a realistic quantum communication system with a finite number of communication rounds, we use smooth min-entropy instead of von Neumann entropy renner2005security (); tomamichel2011leftover (). Discretizing Alice and Bob’s photon-detection times to time bins of duration results in data vectors comprised of integers representing bin numbers. In particular, with random vectors and denoting Alice and Bob’s raw keys from her -intensity transmissions, Eve’s uncertainty (lack of knowledge) is measured by her difficulty in guessing Alice’s raw key , i.e., the conditional smooth min-entropy , where denotes Eve’s quantum state. quantifies the randomness that can be extracted from which is statistically independent of  renner2005security (); tomamichel2011leftover () with error probability .

The secret-key length that is -secret is given by renner2005security ()

(1)

Here, is the information leaked to Eve during error correction, which can be directly measured during that correction process, and is the smooth min-entropy maximized over states that are close to the classical-quantum state . The correctness of the protocol is guaranteed by the key-verification step, which uses a two-universal hash function to ensure that Bob’s corrected key differs from Alice’s with probability at most , implying that the protocol is -correct with .

The essential insight is that Eve’s information about the -intensity, -basis detection times can be bounded using the complementary -basis measurements. In particular, if Alice and Bob’s -basis measurements are highly correlated, then Eve’s knowledge about the outcome of their -basis measurements is nearly zero, because the two observables are incompatible.

Let and be Alice and Bob’s random vectors of -intensity conjugate-time measurement outcomes. Without loss of generality we set the length of these four classical strings to be equal: . Then, from tomamichel2012tight (); furrer2012continuous (); tomamichel2011uncertainty (); furrer2014position (), we have the uncertainty relation:

(2)

where the smooth max-entropy measures the amount of information needed to reconstruct given with error probability bounded above by , and is the overlap between the time and conjugate-time measurement operators, which depends on , the time-bin duration, and , the magnitude of the GVD elements’ dispersion coefficient.

With and being an arbitrary pair of positive operator-valued meausurements (POVMs), their overlap, , quantifies their incompatibility, i.e., lower values of mean increased incompatibility. Our uncertainty bound involves the overlap-quantified incompatibility between the time and conjugate-time POVMs whose outcomes are used for key generation and parameter estimation, respectively. Typically, see Sec. V, lower values allow longer secret keys to be extracted. Our tri-partite entropic uncertainty relation and the security analysis that follows therefrom are adapted from CV-QKD’s finite-key analysis furrer2012continuous (), an approach that works for all QKD protocols which rely on a pair of incompatible continuous measurements for key generation and parameter estimation. In our case, the security analysis requires accounting for our use of discretized time and conjugate-time measurements that are obtained from underlying continuous POVMs. Note that the different measurement operators employed in different QKD protocols lead to different overlap behaviors in their entropic uncertainty relations.

The major difficulty in determining for our protocol comes from the absence of negative energy for electromagnetic-field modes, which implies that under the conventional commutation relation, the time-measurement operator cannot be projective busch1994 (); delgado1997 (), thus preventing existing results Fabian2015 () being applied to the time and conjugate-time POVMs. We can, however, dilate the time and conjugate-time operators by forsaking the constraint of positive frequency on photon-annihilation operators werner1987 (); kiukas2012 (). Such dilations are well justified for the quantum theory of coincidence measurement Jeff (); Franson1992 (), because the negative frequency components do not contribute to detection outcomes. But, because we are not assured that the dilation-assumption will suffice for our security proof, we derive the following entropic uncertainty relation for time and conjugate-time measurements without dilation in Sec. IV:

(3)

Next, we use a generalized chain-rule result vitanov2013chain () to decompose into , which is a concatenation of the raw keys arising from vacuum, single-pair, and multi-pair coincidences. Neglecting the multi-pair contribution, we have , with and being lower bounds on and , the coincidence-count contributions from vacuum and single-pair events, respectively, when Alice’s SPDC intensity is (see Appendix C). We then have the following lower bound on the smooth min-entropy lim2014concise ():

(4)

Using a result from CV-QKD furrer2012continuous (), we get the following upper bound on the smooth max-entropy:

(5)

where obeys

(6)

The parameter is the statistical fluctuation that quantifies how well the data subset used for parameter estimation represents the entire dataset,

(7)

where . and is the probability, for a given pump pulse, that Alice and Bob detect photons separated by more than a frame duration, , and .

Combining the preceding results, we obtain the following lower bound on the secret-key length:

(8)

Iv Time-Conjugate Time Entropic Uncertainty Relation

To justify (3), we only need to evaluate the overlap, , in (2) for the discretized single-photon time and conjugate-time measurement operators that derive from their continuous-time counterparts, and , by coarse-graining to time bins of duration . Here, we omit polarization degrees of freedom as they do not affect the overlap. Our starting point is the infinite-dimensional version of the general uncertainty relation for smooth min-entropy and smooth max-entropy tomamichel2011uncertainty () that was derived in furrer2014position ().

We use to denote the single-photon state detuned by frequency from some fixed center frequency . (Later, this center frequency will be , i.e., half the SPDC source’s pump frequency.) This state satisfies the orthonormality condition . The single-photon Hilbert space is simply , i.e., the space of square-integrable, complex-valued functions on the frequency-domain region , where the minimum detuning satisfies . In particular, we associate a function to the state

(9)

so the inner product between two such states, and , is .

Using the above notation we have that the time-measurement operator can be expressed as

(10)

where . Similarly, we can write

(11)

where . We then introduce partitions, and , of the time and conjugate-time axes, from which we obtain the coarse-grained versions of and , namely the POVMs and , where

(12)

From tomamichel2011uncertainty (); furrer2014position () the overlap for these discrete POVMs satisfies

(13)

where and .

Because the and are not projective, it is difficult to evaluate Eq. (13) directly. Instead, we will use the approximation from furrer2014position (), in which an uncertainty relation is derived in the continuous-time case. We take and to represent the continuous-time classical outcomes of the time and conjugate-time measurements, and and to be their discretized versions. From furrer2014position () we have that

(14)
(15)

where and are the differential min-entropy and differential max-entropy of the continuous-time outcome conditioned on Eve’s state () and Bob’s state (), respectively. We also know that these differential entropies satisfy furrer2014position ()

(16)

where

(17)

Inequalities (14) and (15) yield the following uncertainty relation for coarse-grained measurements:

(18)

We can find the overlap for the differential entropies via

(19)

where we have used and similarly for . Inserting the definitions of and from Eqs. (10) and (11), we obtain

(20)

A simple calculation now gives us

(21)

For , performing the optimization with and yields the maximum overlap

(22)

Inserting the above result into (18) gives us the overlap for the discrete measurements used in the secret-key length bound

(23)

This uncertainty bound is tighter than the overlap, obtained in Appendix B, when dilation is used by taking so that the and operators become projective and maximally incompatible, i.e., analogous to position and momentum. These overlap results showcase the subtle difference between the entropic uncertainty relation of quantum time and conjugate-time measurements and that of the homodyne measurements from furrer2012continuous (). Indeed, the factor of 1.37 in Eq. (23) is crucial for the general-attack security of HD-QKD, because a secret-key length that presumed the dilation result for the overlap would be insecure.

V Performance Example

90% 1 kHz 18 ps 0.21 dB/km  ps 55.6 MHz Footnote1 ()
2 ps 6 ns 20 ps 0.91 0.9
Table 1: List of parameters, mostly from zhong2015photon (), used in numerical evaluation: detection efficiency , dark-count rate , detector time jitter  Tang2012 (), fiber-loss coefficient , GVD coefficient , system clock rate , biphoton correlation time , pump coherence time , time-bin duration , reconciliation (error-correction) efficiency , probability of choosing the time basis , and overall security bound .
Parameters BB84 lim2014concise () CV-QKD furrer2014reverse () HD-QKD
PIE (bits/photon)111PIE in HD-QKD is defined as secret bits per single photon detection by Bob given that Alice has made a detection in the same basis; PIE in BB84 is defined as secret bits per use lucamarini2013efficient (); and PIE in CV-QKD is defined as secret bits per signal furrer2014reverse (). 0.1 0.5 3.3
Key rate at 0 Dist (bits/s) 8 M222Assumes a decoy-state BB84 system with a 1 GHz clock rate lucamarini2013efficient (). 6 M333Assumes a CV-QKD system with the same 55.6 MHz clock rate as HD-QKD. 8.6 M
Max Dist. (km) 170 16 96
Table 2: Performance comparison for different protocols with finite-key analysis against general attacks. The first and second rows compare the PIEs and the secret keys rate at 0 km fiber length. The third row compares the maximum secure-transmission distance. All three protocols are evaluated at the a block size of , equivalent to a 1 min running time in HD-QKD with parameters specified in Table 1.

Figure 1: Numerically-evaluated performance of time-energy HD-QKD with threshold code distance and other parameters as listed in Table 1. (a) Secret-key rate (bits/s) versus transmission distance (km) for different total running times of transmission: top curve (yellow) 30 min, middle curve (red) 10 min, bottom curve (blue) 1 min. (b) PIE (bits/photon) versus transmission distance (km) for different running times: top curve (yellow) 30 min, middle curve (red) 10 min, bottom curve (blue) 1 min. (c) Secret-key rate (bits/s) versus block size (running time/clock rate) for different transmission distances: top curve (blue) 0 km, middle curve (red) 20 km, bottom curve (yellow) 40 km. (d) Secret-key rate (bits/s) versus transmission distance (km) for different time-bin durations , where the running time is fixed at 30 min: top curve (blue) 20 ps, middle curve (red), 80 ps, bottom curve (yellow) 100 ps.

Based on the secret-key rate formula (8), we numerically evaluated the performance of the time-energy HD-QKD protocol in the finite-key regime under general attacks. See Table 1 for the parameters that were assumed. The calculated secret-key rates and PIEs at different lengths of standard telecom fiber are shown in Figs. 1(a) and 1(b). We see that HD-QKD can easily tolerate a 100 km standard fiber within a reasonable running time for transmission (e.g., 10 min). This secure-transmission distance significantly exceeds that of CV-QKD (around 10 km furrer2014reverse ()). In addition, the secret-key rate of HD-QKD at zero distance is about 8.6 Mbit/s (see Table 2), which is comparable to that of CV-QKD with the same 55.6 MHz clock rate, and to that of decoy-state BB84 with a state-of-the-art 1 GHz clock rate lucamarini2013efficient (). Moreover, HD-QKD can offer a higher PIE, up to 4.3 bits/photon (with 30 min running time), than does decoy-state BB84 lim2014concise (), whose PIE can never exceed 1 bit per use.

In Fig. 1(c) we show the secret-key rate as a function of block size. Here we see that the minimum required block size for HD-QKD is slightly larger than those of decoy-state BB84 lim2014concise () and CV-QKD furrer2014reverse (). Finally, Fig. 1(d) plots the secret-key rate versus transmission distance for different time-bin durations, showing that shorter duration time bins offer higher key rates for a given biphoton source. We remark that detectors with less than 20 ps jitter have already been demonstrated in recent experiments Tang2012 ().


Figure 2: Secret-key rate at zero distance versus GVD coefficient for 30 min running time. The conventional units for are employed here: ps per nm of bandwidth at telecom wavelength. The secret-key rate at zero distance achieves its 17 Mbit/s maximum at  ps/nm at telecom wavelength, which is equivalent to  ps in the units used in Table 1.

Our work clarifies how the secret-key rate of time-energy HD-QKD using dispersive-optics depends on the time-bin duration and the GVD coefficient . Indeed, a higher GVD coefficient and a lower detector time jitter—so that time-bin duration may be decreased—might increase HD-QKD’s secret-key rate. The secret-key rates shown in Fig.  1 have already presumed a bin duration limited by state-of-the-art detector time jitter, but the value used is achievable with commercial devices lee2014entanglement (). Increasing the GVD coefficient without changing the other system parameters, however, does not always increase the secret-key rate. In particular, (8) shows that a -fold increase in increases secret-key length by , if there is no offsetting increase in the error rate between Alice and Bob’s raw keys, as quantified by the term in (5). Our numerical evaluation of the secret-key rate at zero distance versus —using the other parameters from Table 1 and the threshold code distance employed in Fig. 1—verifies this insight, see Fig. 2. Here we see the secret-key rate initially increasing linearly with increasing , until it saturates and begins to decrease. Saturation occurs because our protocol requires for there to be a positive secret-key rate, and the minimum threshold code distance increases with increasing , as shown in Appendix D. So, the secret-key rate saturation and decay in Fig. 2 results from the increases that are required at high values. That said, Fig. 2 still shows that the highest key rate, 17 Mbit/s, is realized with the experimentally feasible ps lee2014entanglement (), and we have found that the maximum distance for a non-zero secret-key rate is then 210 km.

Vi Summary

We have reported the general-attack security analysis for the time-energy HD-QKD protocol in the finite-key regime by combining the entropic uncertainty-relation security analysis of CV-QKD with the decoy-state technique from DV-QKD. In particular, we derived a new entropic uncertainty relation for the time and conjugate-time operators using optical dispersion transformations. This result validates the difference between the uncertainty relation of time and conjugate-time operators and that of conventional maximally-incompatible operators, such as position and momentum. With the new uncertainty bound, we showed that under the most powerful attacks time-energy HD-QKD can produce a higher PIE than conventional decoy-state BB84 and CV-QKD, and still tolerate long-distance fiber transmission. We also showed that optimizing the HD-QKD protocol’s GVD coefficient enables realizing a  Mbit/s secret-key rate at zero distance and a 210 km maximum secure-transmission distance, the latter being comparable to that of state-of-the-art decoy-state BB84. We expect this finding will provide theoretical support for optimizing HD-QKD implementations. Our results constitute an important step toward the unified understanding of distinct QKD schemes that is needed for development of practical long-distance high-rate quantum communication.

Acknowledgment

The authors thank Zheshen Zhang, Catherine Lee, Darius Bunandar, and Franco Wong for many helpful discussions. We acknowledge support from ONR grant number N00014-13-1-0774 and AFOSR grant number FA9550-14-1-0052. F. Xu acknowledges support from an NSERC postdoctoral fellowship.

Appendix A Protocol

a. Preliminaries

Before contacting Bob, Alice makes measurements on her trusted spontaneous parametric down-conversion (SPDC) source of time-energy entangled biphotons to determine the coherence time of the pulsed pump field , the biphoton correlation time , and the SPDC intensities , i.e., the mean photon-pairs generated per pump pulse with different pump powers. Then, Alice and Bob use a pre-shared key to authenticate each other, after which they negotiate parameters to be employed during the protocol run.

b. Biphoton preparation and distribution

Alice pumps her SPDC source at a clock rate (repetition rate) . For each pump pulse, Alice prepares a time-energy entangled state within a -duration () frame centered on the peak of the pump pulse. She sends one photon to Bob via a quantum channel (e.g., an optical fiber) and retains the companion photon for her own measurements. To implement decoy states Wang2003 (); Lo2005 (); DariusPRA2015 (), Alice randomly pumps the SPDC source to select intensities with probabilities .

c. Measurement phase

For each frame, Alice and Bob select their measurement basis at random and independently from with probabilities and perform measurements in their chosen bases. Their -basis measurements are made using time-resolved single-photon detectors with a temporal resolution set primarily by the detectors’ time jitter,  zhong2015photon (). They sort their data into time bins of duration , where , that will generate raw-key bits when they both obtain -basis photon detections in the same frame. Their -basis measurements are realized by means of dispersive optics and single-photon detection mower2013high (), i.e., they pass their photons through normal and anomalous group-velocity dispersion (GVD) elements, respectively, measure them with time-resolved single-photon detectors, and then sort that data into duration- time bins.

d. Basis reconciliation

Alice and Bob announce their measurement bases over an authenticated public channel and discard all measurement results for frames in which they measured in different bases. They are then left with detection-time coincidence measurements of () frames in which they both used the () basis and both obtained one photon detection.

e. Decoy-state processing

Alice announces her SPDC intensity choice for each frame. Alice and Bob thus identify sets and for , in which they have both made -basis or -basis measurements when Alice’s SPDC source intensity was . They repeat their quantum communication, i.e., steps (b)–(e), until the cardinality of these sets satisfies: and , where are pre-chosen values that ensure sufficient quality in the ensuing parameter estimation steps. Note that . Next, they publicly announce their -basis detection times {, } for each SPDC intensity, where , denote Alice and Bob, indexes the frame, and each detection-time value is relative to the peak of its associated pump pulse. After that, they compute these detection times’ mean-squared differences for each , viz., . By virtue of their use of normal and anomalous GVD elements, can be used to find the anti-correlation between the detunings from the SPDC outputs’ center frequencies of the single-photon pairs (i.e., biphotons) that Alice and Bob detected in their -basis measurements when Alice’s SPDC intensity was  mower2013high (), see Appendix C.

f. Parameter estimation

Alice and Bob use only their data for secret-key generation, while they use their and data for parameter estimation. Alice and Bob use their -basis data to estimate , the number of frames out of their that are due to vacuum coincidences (either Alice or Bob did not detect a photon), and , the number of frames out of their that are due to single-pair coincidences (Alice and Bob each detected one photon). They use their -basis data to estimate , the distance between their detected photons’ frequency detunings (after accounting for their anti-correlation) that is due to single-pair coincidences DariusPRA2015 (); lim2014concise () (see Appendix. C). Finally, they check that is less than , where is a predetermined threshold (see Appendix. D). If this condition is not met, they abort the protocol. Otherwise they proceed to the protocol’s next step.

g. Key generation and error correction

Alice and Bob use their -basis data to generate raw keys from the frames in which Alice’s SPDC intensity was . Each frame used in generating these raw keys contains bits. Alice and Bob perform error correction on their raw keys using an algorithm with reconciliation efficiency  zhou2013layered (). This procedure reveals at most bits of information to Eve. Next, to ensure that they have shared identical keys, Alice and Bob perform key verification using a two-universal hash function that publishes bits of information, with being the probability that a pair of non-identical keys passes the test.

h. Calculation of secret-key length

Using the results from (f) and (g), Alice and Bob calculate the secret-key length . If is negative, they abort the protocol. Otherwise, they apply another (different) two-universal hash function (for privacy amplification) to their error-corrected raw keys to produce the length- secret keys, and .

Appendix B Time-frequency uncertainty relation for dilated measurements

To compare with the overlap developed in the main text, we derive the overlap with dilation in this appendix. Instead of the frequency domain, it is now more convenient to work in the time domain, using to denote the single-photon localized at time that satisfies the orthonormality condition . The single-photon Hilbert space is simply , i.e., the space of square-integrable, complex-valued functions on the time-domain . We evaluate the overlap under dilation werner1987 (); kiukas2012 () when . In this case, the POVMs and for the time and conjugate-time measurements are projection valued mower2013high ():

(24)
(25)

Here, is obtained from via the unitary transformation

(26)

The associated time and conjugate-time observables are then

(27)
(28)

The conjugate-time observable can be further simplified as follows:

(29)
(30)
(31)
(32)

where is the conventional unbounded-frequency observable that is maximally incompatible with the time observable. It immediately follows that

(33)

Finally, using the overlap result for maximally-incompatible observables Fabian2015 (), we obtain

(34)

for the dilated measurements. Compared with the overlap derived with non-projective POVM in Sec. IV, this overlap is slightly smaller, and thus offers a weaker bound on the uncertainty relation. In the paper we therefore used the non-dilated overlap in bounding the secret-key length.

Appendix C Decoy states with finite keys

A decoy-state method for HD-QKD in the asymptotic regime was previously derived in DariusPRA2015 (). Here, based on lim2014concise (), we extend the work in DariusPRA2015 () to the finite-key case against general attacks (i.e., without any assumptions on the statistical distributions). We presume that Alice randomly chooses between three intensity levels, and for her SPDC source. Let  be the number of frames in which Alice and Bob both measure in the basis and Alice’s source has emitted biphotons in each frame, so that is the total number of frames in which Alice and Bob both made -basis measurements. In the asymptotic regime, , the number frames in which Alice’s source intensity was and she and Bob made -basis measurements, approaches its ensemble-average value, namely

where is the conditional probability of Alice’s source emitting biphotons in a frame, given its source intensity was . For finite sample sizes, Hoeffding’s inequality for independent events hoeffding1963probability () implies that will satisfy

(35)

with probability at least , where . Note that the deviation term is the same for all . Inequality (35) allows us to establish a relation between the asymptotic values and the observed values . More precisely, we have the following bounds for finite-key analysis:

(36)
(37)

c.0.1 Lower-bound on the number of vacuum coincidences,

The following lower bound on was derived in Ref. lim2014concise ():

(38)

Using this result we obtain the lower bound on the number of vacuum coincidences when Alice’s source intensity is given by

c.0.2 Lower bound on the number of single-pair coincidences,

The following lower bound on was derived in Ref. lim2014concise ():

(39)

Using this result we obtain the lower bound on the number of single-pair coincidences when Alice’s source intensity is given by

with probability at least .

c.0.3 Upper bound on the distance of single-pair coincidences,

After the non-local dispersion cancellation that occurs when Alice and Bob both make -basis measurements on the same frame, their mean-square time difference, for , can be written as

where and are the mean-squared differences due to single-pair and multiple-pair coincidences including all source intensities, and is the number of frames in which Alice and Bob both measure in the basis given that Alice’s source has emitted biphoton in each frame. Then, we have

(40)

where the term on the right is non-negative for . Dropping the term, the preceding result can be rearranged to provide the lower bound

(41)

where the lower bound, , can be derived using the same method employed in lim2014concise () to obtain inequality (39). Our upper bound on the distance of single-pair coincidences is then

(42)

where the factor arises from relating distance to the mean-squared difference of jointly Gaussian random variables.

Appendix D Theoretical model for the threshold,

To find the threshold, , for the mean-squared difference between Alice and Bob’s single-pair -basis measurements beyond which Alice and Bob will abort the QKD protocol, we start from the time and frequency wave-functions for the biphoton emission when Alice’s SPDC source is pumped by a pulse centered at time zhang2014unconditional (), i.e.,

(43)
(44)

Here: and denote the times of the biphoton’s signal and idler photons, and and denote their frequencies; , , , and ; and we have assumed that Alice’s source is phase matched at frequency degeneracy for its pump’s center frequency.

When both Alice and Bob choose the conjugate-time basis, they send their photons into normal and anomalous group-velocity dispersion elements whose dispersion coefficients have common magnitude but opposite signs. After the propagation through the dispersive elements at Alice and Bob’s terminal, the frequency wave-function becomes

(45)

from which the associated time wave-function can be found via

(46)

The -basis mean-squared time difference in the absence of Eve is therefore