# Fundamental rate-loss tradeoff for optical quantum key distribution

###### Abstract

Since 1984, various optical quantum key distribution (QKD) protocols have been proposed and examined. In all of them, the rate of secret key generation decays exponentially with distance. A natural and fundamental question is then whether there are yet-to-be discovered optical QKD protocols (without quantum repeaters) that could circumvent this rate-distance tradeoff. This paper provides a major step towards answering this question. We show that the secret-key-agreement capacity of a lossy and noisy optical channel assisted by unlimited two-way public classical communication is limited by an upper bound that is solely a function of the channel loss, regardless of how much optical power the protocol may use. Our result has major implications for understanding the secret-key-agreement capacity of optical channels—a long-standing open problem in optical quantum information theory—and strongly suggests a real need for quantum repeaters to perform QKD at high rates over long distances.

^{†}

^{†}preprint:

2013 LABEL:FirstPage1 LABEL:LastPage10

The goal of quantum key distribution (QKD) is to generate a shared secret key between two distant parties Alice and Bob, such that the key is perfectly secret from any eavesdropper, Eve. Since the invention of the BB84 protocol BB84 , the theory and practice of QKD has come a long way. Various different QKD protocols have been proposed in the last three decades SBCDLP09 , some of which are now turning from science into practical technologies SECOQC ; TOKYO_QKD ; Elliott02 . Security of QKD has now been proven for many protocols and under practical limitations such as a finite key length TLGR12 ; FFBLSTR12 .

It is well recognized that the key rates of all known QKD protocols (such as BB84 BB84 , E91 E91 , CV-GG02 GG02 ) decay exponentially with distance. To obtain a large key rate across a long distance link, the link can be divided into many low-loss segments separated by trusted (physically-secured) relay nodes. Interestingly however, quantum mechanics permits building QKD protocols using devices called quantum repeaters, which if supplied at the relay nodes, would make it unnecessary to physically secure them, thus enabling long-distance high-rate QKD.

Quantum repeater technology, in particular ones built using quantum memories, have been a subject of intense investigation in recent years SST_2011 ; LST_2009 , but an operational demonstration of a quantum repeater has proven extremely challenging and has yet to be conducted (note that some repeater protocols without quantum memory have been proposed recently MSDHN12 ; ATL13 , but their implementation is still challenging).

The natural question that thus arises, is whether there are yet-to-be-discovered optical QKD protocols that could circumvent the exponential rate-distance tradeoff of BB84 and transmit at high rates over long distances without the need for quantum repeaters. In this paper, we establish that it is not possible to do so. We employ information-theoretic techniques in order to establish our main result.

The secret key agreement capacity of a quantum channel is the highest rate (bits per channel use) at which a shared key can be reliably and securely generated using the channel many times in conjunction with unlimited two-way classical communication over an authenticated public channel. This paper establishes that, regardless of the QKD protocol used, a fundamental limit on the secret key agreement capacity of a lossy optical channel is given by an upper bound that is solely a function of the channel loss, i.e., independent of the transmit power. We show that the bound is nearly optimal at high loss, the regime relevant for practical QKD. We also compare our upper bound and the best-known achievable rate with the ideal BB84 and CV-GG02 protocols. We find that even though there is room for improvement over these protocols, there is essentially no gap in the rate-loss scaling. We thereby place on a firm foundation the need for quantum repeaters for high rate QKD over long distances with no trusted relays. We note that the upper bound proved here is a so-called ‘weak converse’ upper bound, meaning that if the communication rate of any secret key agreement protocol exceeds this bound, then our theorem implies that its reliability and security can never be perfect, even in the asymptotic limit of many channel uses (we will also discuss the issue of a finite number of channel uses below and the Methods section).

A generic point-to-point QKD protocol is illustrated in Fig. 1. In the protocol, the sender Alice transmits over independent uses of the quantum channel . The legitimate receiver Bob obtains the outputs of the channel uses. Note that Alice could send product or entangled states. They are also allowed unlimited two-way public classical communication over an authenticated channel, in order to generate shared secret key. The adversary Eve is assumed to be ‘all-powerful’: one who has access to the full environment of the Alice-to-Bob quantum channel, the ‘maximal’ quantum system to which she can have access. Optically, this translates to Eve being able to collect every single photon that does not enter Bob’s receiver. Eve may also actively attack, for instance by injecting a quantum state into the channel. She has access to all the public classical communication between Alice and Bob. Finally, Eve is assumed to be able to store the quantum states she obtains over all channel uses without any loss or degradation, and she can make any collective quantum measurement on those systems, in an attempt to learn the secret key. In the theory of QKD, one attributes all channel impairments (such as loss, noise, turbulence, detector imperfections) collectively measured by Alice and Bob during a channel-estimation step of the protocol, to adversarial actions of the worst case Eve with which the measured channel is ‘consistent’ (even though in reality all those impairments may have been caused by non-adversarial natural phenomena). Alice and Bob then run a key generation protocol aiming to generate secret key at a rate close to the secret key agreement capacity of that channel. It is hard in general to calculate this capacity precisely, and even more so to come up with protocols that can attain key rates close to that capacity.

In this paper, we show a strong limitation on the secret key agreement capacity of a general memoryless quantum channel. More precisely, we provide a simple upper bound on the two-way assisted private capacity of a quantum channel . Note that the capacity for secret-key agreement using QKD as discussed above is equal to the capacity for private communication with unlimited public discussion, due to the one-time pad protocol. We first define a new quantity, the squashed entanglement of a quantum channel, and show that it is a simple upper bound on for any quantum channel . We then apply it to the pure-loss optical channel with transmittance . Channel loss is an important and measurable impairment both for free-space and fiber optical links, and is directly tied to the communication distance (for example, a low-loss fiber may have a loss of dBkm). Since any excess noise in the channel or detectors can only reduce the extractable key rate, our upper bound on imposes a fundamental upper limit on the secret key rate of any point-to-point QKD protocol over a lossy optical channel not assisted by any quantum repeater. We will establish the following upper bound:

(1) |

In the practical regime of high loss (), we will argue that this upper bound is only a factor of two higher than the best known lower bound, GPLS09 . We will also extend our upper bound to the more general scenario of QKD using a two-way quantum channel with unlimited public discussion, which was discussed recently in Ref. PMLB08 . Finally, we will compare our upper bound and the best-known lower bound to the rate achievable by the BB84 and the CV-GG02 protocols under best-case operating conditions as well as compare to the performance of these protocols under realistic operating conditions.

## Results

Squashed entanglement. Before discussing our main results, we briefly review the squashed entanglement, which plays an important role in our work. The secret-key agreement capacity assisted by public communication was defined for a classical channel ( Alice, Bob, Eve), independently by Maurer M93 , and Ahlswede and Csiszár AC93 , who proved lower and upper bounds on the capacity. Maurer and Wolf later introduced the intrinsic information , and proved that this quantity optimized over all channel input distributions is a sharp upper bound on the secret key agreement capacity of MW99 . Leveraging strong parallels discovered between secrecy and quantum coherence SW98 ; LC99 ; SP00 , Christandl and Winter extended the intrinsic information quantity to the realm of quantum information theory. They defined the squashed entanglement of a bipartite quantum state , and proved it to be an upper bound on the rate at which two parties can distill maximally entangled (Bell) states from many copies of using local operations and classical communication (LOCC) CW04 . Using a similar technique, the squashed entanglement was proved to upper bound the distillable secret key rate CEHHOR07 ; C06 . The squashed entanglement of a bipartite state is defined as

(2) |

where is the conditional quantum mutual information and the infimum is taken over all noisy ‘squashing channels’ taking the system of a purification of to a system of arbitrary dimension. In related work, Tucci has defined a functional bearing some similarities to squashed entanglement T99 ; T02 . We can interpret as quantifying the minimum remnant quantum correlations between and after an adversary possessing the purifying system performs a quantum operation on it with the intent of ‘squashing down’ the correlations that and share. It should also be noted that among the many entanglement measures, squashed entanglement is the only one known to satisfy all eight desirable properties that have arisen in the axiomatization of entanglement theory CW04 ; KW04 ; AF04 ; BCY11 .

Squashed entanglement of a quantum channel. The upper bound from CEHHOR07 on the distillable key rate applies to the scenario in which Alice and Bob share many copies of some bipartite state . In order to upper bound the key agreement capacity of a channel, we define the squashed entanglement of a quantum channel as the maximum squashed entanglement that can be registered between a sender and receiver with access to the input and output of this channel, respectively:

(3) |

where . Note that, in the above formula, we can take a maximum rather than a supremum if the input space is finite-dimensional because in this case, the input space is compact and the squashed entanglement measure is continuous AF04 . Also, we can restrict the optimization to be taken over pure bipartite states, due to the convexity of squashed entanglement CW04 .

We now prove that plays an operational role analogous to intrinsic information, i.e., it upper bounds the secret-key agreement capacity .

Theorem 1: is an upper bound on , the private capacity of assisted by unlimited forward and backward classical communication:

(4) |

Proof: First recall that the squashed entanglement is a secrecy monotone, that is, it does not increase under local operations and public classical communication (LOPC) in the sense that if Alice and Bob can obtain the state from by LOPC C06 ; CEHHOR07 . The method for doing so was to exploit the fact that LOPC distillation of secret key is equivalent to LOCC distillation of private states HHHO05 ; HHHO09 . A private state has the following form HHHO05 ; HHHO09 :

where is a global unitary operation, is a maximally entangled state of Schmidt rank , and and are complete orthonormal bases for quantum systems and , respectively. Furthermore, the squashed entanglement is normalized, in the sense that (see Proposition 4.19 of C06 ). Finally, the squashed entanglement satisfies the following continuity inequality AF04 ; C06 :

(5) |

where and is the binary entropy function with the property that .

The most general protocol in this setting is described as follows, where is the number of channel uses, is the key generation rate (measured in secret key bits per channel use), and is a parameter quantifying the security (see below for their formal definitions). The protocol begins with Alice preparing a state on systems. She then transmits the system through one use of the channel , and considering its isometric extension , we write the output state as . Let be a system that purifies this state. There is then a round of an arbitrary amount of LOPC between Alice and Bob, resulting in a state . This procedure continues, with Alice transmitting system through the channel, leading to a state , etc. After the th channel use, the state is (note that the dimension of the system might change throughout the protocol). Let be a reference system that purifies this state. There is a final round of LOPC, producing a state , whose reduction satisfies

where is a private state of bits. Note that we are implicitly including the systems and in and , respectively.

We can now proceed by bounding the secret key generation rate of any such protocol as follows:

The first inequality follows from the normalization of the squashed entanglement on private states (as mentioned above). The second inequality follows from the continuity of squashed entanglement, with an appropriate choice of so that (see the Methods section for more details). To continue, we introduce the following new subadditivity inequality for the squashed entanglement:

Lemma 2: For any five-party pure state ,

Proof: See the Supplementary Note 1 for a proof.

With this new inequality in hand, we can establish the following chain of inequalities:

The first inequality follows from monotonicity of the squashed entanglement under LOCC. The second inequality is an application of the subadditivity inequality in Lemma 2. The third inequality follows because (there is a particular input to the th channel, while the systems purify the system being input to the channel). The sole equality follows because the squashed entanglement is invariant under local isometries (the isometry here being the isometric extension of the channel). The last inequality follows by induction, i.e., repeating this procedure by using secrecy monotonicity and subadditivity, “peeling off” one term at a time. Putting everything together, we arrive at

which we can divide by and take the limit as to recover the result that . This completes the proof of Theorem 1.

It should be stressed that the right hand of (4) is a ‘single-letter’ expression, meaning that the expression is a function of a single channel use. This is in spite of the fact that the quantity serves as an upper bound on the secret key agreement capacity, which involves using the channel many independent times, entangled input states, and/or measurements over many channel outputs. Lemma 2 is critical for establishing the ‘single-letterization.’ The simple expression in (4) allows us to apply the bound to various channels, including the optical channel as shown below.

Also, as mentioned in the introduction, Theorem 1 states that is a weak converse upper bound which bounds the key rate in the asymptotic limit of many channel uses. However, our bound is also valid for any finite number of channel uses, in the sense that the key rate is upper bounded in terms of and the reliability and security of the protocol. It might be possible to improve upon our upper bound, by establishing a so-called strong converse theorem (see, e.g., ON99 ; W99 ) or a refined second-order analysis, along the lines of TH12 , which is left as an important open question. We point the reader to the Methods section for a quantitative discussion and an example scenario involving a pure-loss optical channel.

A variation of this setting is one in which there is a forward quantum channel from Alice to Bob and a backward quantum channel from Bob to Alice. The most general protocol for generating a shared secret will have Alice and Bob each prepare a state on systems, Alice sending one system through the forward channel, them conducting a round of LOPC, Bob sending one of his systems through the backward channel, them conducting a round of LOPC, etc. Using essentially the same proof technique as above, it follows that serves as an upper bound on the total rate at which Alice and Bob can generate a shared secret key using these two channels many independent times. It is also worth noting that is an upper bound on the two-way assisted quantum capacity (defined in BDS97 ) because holds in general.

Pure-loss optical channel. Now we are in a position to derive a limit on the key generation rate of any QKD protocol which uses a lossy optical channel. The following input-output relation models linear loss in the propagation of an optical mode, such as through a lossy fiber or free space:

where , , and are bosonic mode operators corresponding to the sender Alice’s input, the receiver Bob’s output, and the environmental input, respectively. For the pure-loss bosonic channel, the environment mode is in its vacuum state. The transmittance of the channel, is the fraction of input photons that makes it to the output on average. Let denote the channel from Alice to Bob. For a secret-key agreement protocol assisted by two-way classical-communication over this channel, we assume that it begins and ends with finite-dimensional states, but the processing between the first and final step can be conducted with infinite-dimensional systems (see the Methods section for further discussion of this point). Furthermore, as is common in bosonic channel analyses GGLMSY04 , we begin by imposing a mean input power constraint. That is, for each input mode, we require that , with . Thus, , with the additional photon number constraint on the channel input is an upper bound on . By taking the squashing channel for the environment Eve to be another pure-loss bosonic channel of transmittance (see Fig. 2), noting that the resulting conditional mutual information can be written as a sum of two conditional entropies, and applying the extremality of Gaussian states with respect to conditional entropies EW07 ; WGC06 , we find that the following quantity serves as an upper bound on for all (see Supplementary Note 2 for a detailed proof):

(6) |

where is the Shannon entropy of a geometric distribution with mean . The function is also equal to the von Neumann entropy of a zero-mean circularly-symmetric thermal state with mean photon number . Since the function in (6) is symmetric and convex in , its minimum occurs at , leading to the following simpler upper bound:

By taking the limit of this upper bound as , we obtain the photon-number independent expression,

which recovers the upper bound stated in (1).

As mentioned in the introduction, any excess noise in the channel can only reduce the squashed entanglement of a quantum channel and thus (1) serves as a fundamental upper limit on the secret key agreement capacity of a lossy optical channel. This statement follows from a quantum data processing argument, i.e., the quantum conditional mutual information does not increase under processing (including noise additions) of one of the systems that is not the conditioning system (see Proposition 3 of CW04 ). Note that the statement does not prohibit the improvement of the key rates by applying ‘noisy processing’ in specific existing QKD protocols such as BB84 as proposed in RGK05 ; RS07 . However, such an improved key rate is always equal or lower than our bound in (1).

## Discussion

It is instructive to compare our upper bound to the known lower bounds on the secret-key agreement capacity of optical QKD protocols. BB84 is the most widely examined QKD protocol. When operating under polarization encoding and ideal conditions over a lossy channel (perfect single photon sources and detectors, and with the efficient BB84 protocol as proposed in LCA06 ), and with no excess noise (i.e., Eve can do only passive attacks consistent with the channel loss alone), the key rate is simply given by secret key bits per mode SBCDLP09 ; LCA06 . The best known lower bound on the secret-key agreement capacity of the pure-loss channel was established in Ref. PGBL09 :

(7) |

These lower bounds and our upper bound are compared in Fig. 3, where we also plot the rate achievable with coherent-state continuous variable protocol (CV-GG02) SBCDLP09 ; GG02 , another major protocol, without any excess noise or imperfections. Also, as examples of the practical performance of QKD, we plot the decoy-state BB84 protocol including device imperfections as well as the imperfect CV-GG02 with uncalibrated- and calibrated-device scenarios (see the Methods section for the details of the protocols and parameters).

We note the following important observations. First, the two bounds in (1) and (7) become close for (the high-loss regime, relevant for long-distance QKD). Thus, for small , our upper bound demonstrates that the protocol from PGBL09 achieving the lower bound in (7) is nearly optimal. To be precise, the upper and the lower bounds are well approximated by and key bits per mode, when (see Fig. 3). Furthermore, the ideal BB84 rate ( key bits per mode) is worse than the reverse coherent information lower bound, only by a constant () factor in the high-loss regime where the factor 2 reflects the fact that the BB84 uses two polarization (or other) modes to send one bit and reflects some kind of gap between the qubit and continuous variable protocols. On the other hand, the protocol described in PGBL09 that attains the reverse coherent information rate, requires an ideal SPDC source, and collective quantum operations and measurements, structured realizations of which are not known. In addition, even with detector impairments, both the decoy-state BB84 as well as the CV-GG02 protocol (with or without the assumption of calibrated devices) can achieve secret key rates that scale linearly with the channel transmittance, until a maximum channel loss threshold where the rate plummets to zero. For BB84, this loss value where the rate-cliff occurs is driven by the detector dark counts, whereas for CV-GG02, it is driven primarily by the electronic noise in Bob’s homodyne detector. Hence, given the comparisons shown in Fig. 3, and since BB84 and CV protocols are realizable with currently available resources, it does not seem very worthwhile to pursue alternative repeater-less QKD protocols for higher key generation rate over a lossy channel.

Second, our bound significantly advances one of the long-standing open problems in quantum information theory, that of finding a good upper bound on , as well as for the two-way assisted quantum capacity (number of qubits that can be sent perfectly per use of a quantum channel with two-way classical-communication assistance). This is true for a general quantum channel , and in particular for optical quantum channels such as . One of the important open questions is whether or not the true is additive. In other words, the question is whether the protocol that attains requires an input state that is entangled over several channel uses, or if a product input state suffices. In general, it is likely that is super-additive for some channel as is the case for the unassisted secret-key agreement capacity LWZG09 and the classical capacity of quantum channels H09 . On the other hand, it is known that the classical capacity and the unassisted quantum capacity of the lossy optical (bosonic) channel are additive GGLMSY04 ; WPG07 . As mentioned above, our upper bound on is a single-letter expression for any channel, i.e., the input optimization to evaluate our upper bound needs to be performed over a single channel use. The lower bound (7) is the single-letter reverse coherent information evaluated for the lossy bosonic channel, whose operational interpretation is an entanglement distribution rate achievable via a product input realizable using a two-mode squeezed vacuum state, and collective quantum operations in the subsequent steps of the protocol, which uses classical feedback GPLS09 . Thus, despite the fact that the additivity question for remains open, any super-additive gain cannot be very large in the high loss regime, and must scale as , when .

As a final point, consider a two-way QKD protocol, i.e., when Alice and Bob may use the lossy optical channel in both directions, and also communicate freely over a two-way public channel. In such a case, the secret-key agreement capacity is upper bounded by secret key bits per mode transmitted in both directions.

In summary, we have established in (1) an upper bound on the rate at which any QKD protocol can generate a shared secret key over a point-to-point lossy optical channel. This upper bound is a function of the channel loss only, and it does not increase with increasing transmit power. We compared our upper bound with the best known lower bound on the key rate and a key rate attainable in principle by the BB84 and CV-GG02 protocols under ideal operating conditions. This comparison reveals that there is essentially no scaling gap between the rates of known protocols and the ultimate secret-key agreement capacity, and thereby that there is no escaping the fundamental exponential decay of key rate with distance. The result of this paper on the one hand provides a powerful new tool for upper bounding the private capacity with two-way classical communication assistance, for a general quantum channel. On the other hand, the application to QKD over optical channels strongly suggests the need for quantum repeaters to perform QKD at high rates over long distances, no matter which actual QKD protocol one may choose to use.

Some important open questions remain. Although our bound applies for any finite number of channel uses, one might be able to improve upon our result by establishing a strong converse theorem or even better by considering a second-order analysis, along the lines discussed in TH12 . For establishing a strong converse theorem, some combination of the ideas presented in BBCW13 ; Oppenheim08 might be helpful. Another important open question is whether our upper bound in (1) could be achievable using some QKD protocol, or whether the bound can be further tightened by choosing a squashing channel for Eve other than the pure-loss channel (as shown in Fig. 2) or by investigating upper bounds other than . For this last question, some recent results in classical information theory GA10-1 ; GA10-2 might be helpful.

## Methods

Weak converse and the key rate upper bound for a finite number of channel uses. Although our main result establishes only a weak converse theorem, it is possible to estimate the effect of a finite number of channel uses, which is always the case in any practical setting. We carefully estimate discussed in the proof of Theorem 1. From the continuity inequality in (5), we can explicitly describe the additional term :

where . This implies the following bound:

In the limit of large , the second term vanishes and the upper bound becomes

which suggests that there might be room for a trade-off between communication rate and error probability/security as quantified by . If one could establish a strong converse theorem, this would eliminate the implied trade-off given above, in the ideal case showing that the bound would hold in the large limit regardless of the value of .

Let us consider a quantitative example, consisting of a pure-loss channel with and (these are not too far from realistic QKD parameters TOKYO_QKD ). For these values, we get

(8) | ||||

(9) |

Furthermore, a 200km fiber with dBkm corresponds to and . Replacing with our upper bound (see (1)) and plugging in the above values of and , we find that

which is rather close to . However, one can improve upon our upper bound by establishing a strong converse theorem or even better by providing a refined second-order analysis along the lines discussed in TH12 .

Infinite-dimensional system. An optical channel can transmit infinite-dimensional (i.e., continuous variable) quantum states while Theorem 1 implicitly assumes finite-dimensional systems. We can circumvent this subtlety by assuming the protocol between Alice and Bob begins and ends with finite-dimensional states, but the processing between the first and final step can be conducted with infinite-dimensional systems. That is, their objective is to generate a maximally entangled state or a finite number of secret key bits, and they do so by Alice encoding a finite-dimensional quantum state into an infinite-dimensional system and the final step of the protocol has them truncate their systems to be of finite dimension. In this way, the continuity inequality in the proof of Theorem 1 safely applies and all of the other steps in between involve only the quantum data processing inequality, which has been proven to hold in the general infinite-dimensional setting U77 .

Decoy state BB84 and CV-GG02 protocols with experimental imperfections. The asymptotic secret key rates of the decoy state BB84 protocol and the CV-GG02 in Fig. 3 are calculated from the theoretical models including imperfections summarized in SBCDLP09 . The parameters used for the plots are as follows: For the decoy BB84, the visibility of interference at Bob’s receiver is 0.99, the transmittance of Bob’s device is unity, the detector efficiency is 0.2, dark count rate is , and the information leakage parameter due to the practical error code is set to be 1.2. For the CV-GG02 protocol, the optical noise is 0.005, the detector efficiency is 0.5, the electronic noise of the detector is 0.01, and the efficiency of the error correction code is set to be 0.9. These parameters are chosen to reflect the state of the art device technologies. In the ‘uncalibrated-device’ scenario, Eve is able to access Bob’s homodyne detector imperfections, e.g. to entangle the loss and noise of the detector. The ‘calibrated-device’ scenario is based on the assumption that the homodyne detector is calibrated in a secure laboratory such that Eve cannot entangle her system to the detector imperfections. This assumption allows Alice and Bob to significantly extend the key rate and the loss tolerance. Note that the purpose of these plots is to compare these protocols under imperfections with our fundamental upper bound but is not to compare the practical aspects between these protocols (for example, our model does not include important practical conditions such as phase stability, repetition rate of the system, actual coding strategies, etc). For completeness, the key rate formulae for each protocol and scenario are described in Supplementary Note 3.

Acknowledgements. We are grateful to Francesco Buscemi, Mikio Fujiwara, Min-Hsiu Hsieh, Seth Lloyd, Cosmo Lupo, Kiyoshi Tamaki, and Andreas Winter for insightful discussions. We also acknowledge Mark Byrd, Eric Chitambar, and the other participants of the Boris Musulin Workshop on Open Quantum Systems and Information Processing for helpful feedback. Finally, we thank Bob Tucci for kindly pointing us to his related work on squashed entanglement. This research was supported by the DARPA Quiness Program through US Army Research Office award W31P4Q-12-1-0019. MT was partially supported by Open Partnership Joint Projects of JSPS Bilateral Joint Research Projects. SG acknowledges partial support from the SeaKey program, through the US Office of Naval Research contract number N00014-14-C-0002.

Author contributions. All authors contributed to this work extensively and the write of the manuscript.

Competing financial interests. The authors declare no competing financial interests.

## References

- (1) Charles H. Bennett and Gilles Brassard. Quantum cryptography: public key distribution and coin tossing. Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, page 175, 1984.
- (2) Valerio Scarani, Helle Bechmann-Pasquinucci, Nicolas J. Cerf, Miloslav Dušek, Norbert Lütkenhaus, and Momtchil Peev. The security of practical quantum key distribution. Review of Modern Physics, 81:1301–1350, 2009. arXiv:0802.4155.
- (3) M Peev, C Pacher, R Alléaume, C Barreiro, J Bouda, W Boxleitner, T Debuisschert, E Diamanti, M Dianati, J. F Dynes, S Fasel, S Fossier, M Fürst, J-D Gautier, O Gay, N Gisin, P Grangier, A Happe, Y Hasani, M Hentschel, H Hübel, G Humer, T Länger, M Legr, R Lieger, J Lodewyck, T Lorünser, N Lütkenhaus, A Marhold, T Matyus, O Maurhart, L Monat, S Robyr, L Salvail, A. W Sharpe, A. J Shields, D Stucki, M Suda, C Tamas, T Themel, R. T Thew, Y Thoma, A Treiber, P Trinkler, R Tualle-Brouri, F Vannel, N Walenta, H Weier, H Weinfurter, I Wimberger, Z. L Yuan, H Zbinden, and A Zeilinger. New Journal of Physics, 11.
- (4) M. Sasaki, M. Fujiwara, H. Ishizuka, W. Klaus, K. Wakui, M. Takeoka, A. Tanaka, K. Yoshino, Y. Nambu, S. Takahashi, A. Tajima, A. Tomita, T. Domeki, T. Hasegawa, Y. Sakai, H. Kobayashi, T. Asai, K. Shimizu, T. Tokura, T. Tsurumaru, M. Matsui, T. Honjo, K. Tamaki, H. Takesue, Y. Tokura, J. F. Dynes, A. R. Dixon, A. W. Sharpe, Z. L. Yuan, A. J. Shields, S. Uchikoga, M. Legre, S. Robyr, P. Trinkler, L. Monat, J.-B. Page, G. Ribordy, A. Poppe, A. Allacher, O. Maurhart, T. Langer, M. Peev, and A. Zeilinger. Field test of quantum key distribution in the Tokyo QKD network. Optics Express, 19(11):10387–10409, 2011. arXiv:quant-ph/1103.3566.
- (5) Chip Elliott. Building the quantum network. New Journal of Physics, 46:1–12, 2002.
- (6) Marco Tomamichel, Charles Ci Wen Lim, Nicolas Gisin, and Renato Renner. Tight finite-key analysis for quantum cryptography. Nature Communications, 3:634, 2012.
- (7) F. Furrer, T. Franz, M. Berta, A. Leverrier, V. B. Scholz, M. Tomamichel, and R. F. Werner. Continuous Variable Quantum Key Distribution: Finite-Key Analysis of Composable Security against Coherent Attacks. Physical Review Letters, 109(10):100502, September 2012.
- (8) Artur K. Ekert. Quantum cryptography based on bell’s theorem. Physical Review Letters, 67:661–663, 1991.
- (9) Frédéric Grosshans and Philippe Grangier. Continuous variable quantum cryptography using coherent states. Physical Review Letters, 88:057902, 2002.
- (10) Artur Scherer, Barry C. Sanders, and Wolfgang Tittel. Long-distance practical quantum key distribution by entanglement swapping. Optics Express, pages 3004–3018, 2011. arXiv:quant-ph/1012.5675.
- (11) Alexander I. Lvovsky, Barry C. Sanders, and Wolfgang Tittel. Optical quantum memory. Nature Photonics, 3:706–714, December 2009.
- (12) W. J. Munro, A. M. Stephens, S. J. Devitt, K. A. Harrison, and K Nemot. Quantum communication without the necessity of quantum memories. Nature Photonics, 6:777–781, October 2012.
- (13) Koji Azuma, Kiyoshi Tamaki, and Hoi-Kwong Lo. All photonic quantum repeaters. arXiv preprint arXiv:1309.7207, pages 1–16, 2013.
- (14) Raúl García-Patrón, Stefano Pirandola, Seth Lloyd, and Jeffrey H. Shapiro. Reverse coherent information. Physical Review Letters, 102:210501, May 2009. arXiv:0808.0210.
- (15) Stefano Pirandola, Stefano Mancini, Seth Lloyd, and Samuel L. Braunstein. Continuous-variable quantum cryptography using two-way quantum communication. Nature Physics, 4:726–730, 2008. arXiv:quant-ph/0611167v3.
- (16) Ueli M. Maurer. Secret key agreement by public discussion from common information. IEEE Transactions on Information Theory, 39(3):733–742, May 1993.
- (17) Rudolf Ahlswede and Imre Csiszár. Common randomness in information theory and cryptography. I. Secret sharing. IEEE Transactions on Information Theory, 39(4):1121–1132, July 1993.
- (18) Ueli M. Maurer and Stefan Wolf. Unconditionally secure key agreement and the intrinsic conditional information. IEEE Transactions on Information Theory, 45(2):499–514, March 1999.
- (19) Benjamin Schumacher and Michael D. Westmoreland. Quantum privacy and quantum coherence. Physical Review Letters, 80(25):5695–5697, June 1998. arXiv:quant-ph/9709058.
- (20) Hoi-Kwong Lo and Hoi Fung Chau. Unconditional security of quantum key distribution over arbitrarily long distances. Science, 283(5410):2050–2056, 1999. arXiv:quant-ph/9803006.
- (21) Peter W. Shor and John Preskill. Simple proof of security of the BB84 quantum key distribution protocol. Physical Review Letters, 85(2):441, 2000. arXiv:quant-ph/0003004.
- (22) Matthias Christandl and Andreas Winter. “Squashed entanglement”: An additive entanglement measure. Journal of Mathematical Physics, 45(3):829–840, March 2004. arXiv:quant-ph/0308088.
- (23) Matthias Christandl, Artur Ekert, Michal Horodecki, Pawel Horodecki, Jonathan Oppenheim, and Renato Renner. Unifying classical and quantum key distillation. Proceedings of the 4th Theory of Cryptography Conference, Lecture Notes in Computer Science, 4392:456–478, February 2007. arXiv:quant-ph/0608199.
- (24) Matthias Christandl. The Structure of Bipartite Quantum States: Insights from Group Theory and Cryptography. PhD thesis, University of Cambridge, April 2006. arXiv:quant-ph/0604183.
- (25) Robert R. Tucci. Quantum entanglement and conditional information transmission. 1999. arXiv:quant-ph/9909041.
- (26) Robert R. Tucci. Entanglement of distillation and conditional mutual information. 2002. arXiv:quant-ph/0202144.
- (27) Masato Koashi and Andreas Winter. Monogamy of quantum entanglement and other correlations. Physical Review A, 69:022309, February 2004. arXiv:quant-ph/0310037.
- (28) Robert Alicki and Mark Fannes. Continuity of quantum conditional information. Journal of Physics A: Mathematical and General, 37(5):L55–L57, 2004. arXiv:quant-ph/0312081.
- (29) Fernando G. S. L. Brandão, Matthias Christandl, and Jon Yard. Faithful squashed entanglement. Communications in Mathematical Physics, 306(3):805–830, September 2011. arXiv:1010.1750.
- (30) Karol Horodecki, Michał Horodecki, Paweł Horodecki, and Jonathan Oppenheim. Secure key from bound entanglement. Physical Review Letters, 94(16):160502, April 2005. arXiv:quant-ph/0309110.
- (31) Karol Horodecki, Michal Horodecki, Pawel Horodecki, and Jonathan Oppenheim. General paradigm for distilling classical key from quantum states. IEEE Transactions on Information Theory, 55(4):1898–1929, April 2009. arXiv:quant-ph/0506189.
- (32) Tomohiro Ogawa and Hiroshi Nagaoka. Strong converse to the quantum channel coding theorem. IEEE Transactions on Information Theory, 45(7):2486–2489, November 1999. arXiv:quant-ph/9808063.
- (33) Andreas Winter. Coding theorem and strong converse for quantum channels. IEEE Transactions on Information Theory, 45(7):2481–2485, 1999.
- (34) Marco Tomamichel and Masahito Hayashi. A hierarchy of information quantities for finite block length analysis of quantum tasks. IEEE Transactions on Information Theory, 59(11):7693–7710, November 2013. arXiv:1208.1478.
- (35) Charles H. Bennett, David P. DiVincenzo, and John A. Smolin. Capacities of quantum erasure channels. Physical Review Letters, 78(16):3217–3220, April 1997. arXiv:quant-ph/9701015.
- (36) Vittorio Giovannetti, Saikat Guha, Seth Lloyd, Lorenzo Maccone, Jeffrey H. Shapiro, and Horace P. Yuen. Classical capacity of the lossy bosonic channel: the exact solution. Physical Review Letters, 92:027902, 2004.
- (37) Jens Eisert and Michael M. Wolf. Quantum Information with Continous Variables of Atoms and Light, chapter Gaussian quantum channels, pages 23–42. Imperial College Press, 2007. arXiv:quant-ph/0505151.
- (38) Michael M. Wolf, Geza Giedke, and J. Ignacio Cirac. Extremality of Gaussian quantum states. Physical Review Letters, 96:080502, March 2006. arXiv:quant-ph/0509154.
- (39) Renato Renner, Nicolas Gisin, and Barbara Kraus. Information-theoretic security proof for quantum-key-distribution protocols. Physical Review A, 72(1):012332, July 2005.
- (40) Joseph Renes and Graeme Smith. Noisy Processing and Distillation of Private Quantum States. Physical Review Letters, 98(2):020502, January 2007.
- (41) Hoi-Kwong Lo, H. F. Chau, and M. Ardehali. Efficient quantum key distribution scheme and proof of its unconditional security. Journal of Cryptography, 18:133–165, 2006. arXiv:quant-ph/0011056.
- (42) Stefano Pirandola, Raul García-Patrón, Samuel L. Braunstein, and Seth Lloyd. Direct and reverse secret-key capacities of a quantum channel. Physical Review Letters, 102:050503, February 2009. arXiv:0809.3273.
- (43) Ke Li, Andreas Winter, XuBo Zou, and GuangCan Guo. Private capacity of quantum channels is not additive. Physical Review Letters, 103:120501, 2009. arXiv:0903.4308.
- (44) M. B. Hastings. Superadditivity of communication capacity using entangled inputs. Nature Physics, 5:255–257, 2009. arXiv:0809.3972.
- (45) Michael M. Wolf, David Pérez-García, and Geza Giedke. Quantum capacities of bosonic channels. Physical Review Letters, 98(13):130501, March 2007.
- (46) Mario Berta, Fernando G. S. L. Brandão, Matthias Christandl, and Stephanie Wehner. Entanglement cost of quantum channels. IEEE Transactions on Information Theory, 59(10):6779–6795, October 2013. arXiv:1108.5357.
- (47) Jonathan Oppenheim. A paradigm for entanglement theory based on quantum communication. January 2008. arXiv:0801.0458.
- (48) Amin Aminzadeh Gohari and Venkat Anantharam. Information-Theoretic Key Agreement of Multiple Terminals–Part I. IEEE Transactions on Information Theory, 56(8):3973–3996, August 2010.
- (49) Amin Aminzadeh Gohari and Venkat Anantharam. Information-Theoretic Key Agreement of Multiple Terminals–Part II: Channel Model. IEEE Transactions on Information Theory, 56(8):3997–4010, August 2010.
- (50) Armin Uhlmann. Relative entropy and the Wigner-Yanase-Dyson-Lieb concavity in an interpolation theory. Communications in Mathematical Physics, 54:21–32, 1977.

## I Supplementary note 1: Proof of the subadditivity inequality (Lemma 2)

Let us restate the statement of the lemma: For any five-party pure state , the following subadditivity inequality holds

Proof. Let

where each is an arbitrary local squashing channel. Let be a purification of with purifying system . The inequality in Lemma 2 is a consequence of the following chain of inequalities:

The first inequality follows from the definition in (2). The first equality is a rewriting of the conditional mutual information. The second equality exploits duality of conditional entropy: for any pure tripartite state on systems , the equality holds. The second inequality results from several applications of strong subadditivity (SSA) of quantum entropy (SSA is the statement that for an arbitrary state on systems ) LR73 . The third equality again exploits duality of conditional entropy and the last equality is just a rewriting in terms of conditional mutual informations. The final inequality is a result of a quantum data processing inequality for conditional mutual information (see the proof of Proposition 3 of CW04 ). Since the calculation above is independent of the choice of the maps , the system purifies the state on , and the system purifies the state on , the subadditivity inequality in the statement of the theorem follows.

## Ii Supplementary note 2: Squashed entanglement upper bound for the pure-loss bosonic channel

Here we detail a proof that (5) is an upper bound on , where is a pure-loss bosonic channel with transmittance .

As mentioned before, we need to consider only pure states when optimizing the squashed entanglement of a quantum channel. Let be an isometric extension of Eve’s squashing channel . Let , so that, . Then

(10) |

The first equality follows from the definition of the squashed entanglement. The second equality follows from the definition of conditional quantum mutual information. The third equality uses the duality of conditional entropy and the fact that is pure.

Now suppose that Alice and Bob are connected by a pure-loss bosonic channel with transmittance . It is not necessarily an easy task to optimize Eve’s squashing channel . Instead, we consider a specific squashing channel: a pure-loss bosonic channel with transmittance . As shown above, the squashed entanglement can be written as a sum of two conditional entropies, each of which is a function of the reduced state Tr on . Since the overall channel from to is Gaussian and the overall channel from to is Gaussian and due to the photon-number constraint at the input, it follows from the extremality of Gaussian states for conditional entropy EW07 ; WGC06 that a thermal state on of mean photon number maximizes both of these quantities. With this and the fact that is a pure state, we can conclude that the optimal is a two-mode squeezed vacuum (TMSV) state. Let be the average photon number of one share of the TMSV. Then the covariance matrix of the reduced thermal state at is given by

Note that the covariance matrix is defined such that a vacuum state (or coherent state) is described by an identity matrix. Therefore a covariance matrix of the initial state in system is given by . The beamsplitting operations are given by the transformation

where

(the superscript “” means that the same matrix is applied to both and quadratures. Because of the symmetry of the state and the beamsplitter operation in phase space, basically we need to consider only one quadrature.) This transformation is easily calculated and we get a covariance matrix for the state :

It immediately implies a covariance matrix of the marginal state on :

which is the covariance matrix for a thermal state with photon number . Thus we have

where . Similarly, we get

The other entropies and are also obtained by considering the corresponding submatrices and diagonalizing them. Then we can find

(11) |

As a consequence, we obtain the upper bound,

(12) |

The minimal value is achieved by because the function is symmetric and convex in (with convexity checked by computing the second derivative). The expression converges to as .

## Iii Supplementary note 3: Secret key rates for the decoy BB84 and CV-GG02 protocols

In this supplementary note, we describe the asymptotic key rate formulae for the decoy BB84 and Gaussian modulated coherent-state CV-GG02 protocols. Detailed description of the protocols and the derivation of their key rates are for example found in SBCDLP09 and references therein. Note that we only consider the asymptotic limit, that is, the channel estimation is perfectly done by negligibly small amount of pulses.

Decoy BB84 protocol. Let be the mean photon number of the pulse which is tunable to generate decoy states. For each , the key rate is given by

(13) |

We can assume that a given value is almost always used for . Thus in the following we only consider and then optimize to maximize the key rate in Eq. (13). The parameters in the rhs of Eq. (13) are as follows: is the total detection rate (here it is given by the rate per mode per pulse. Note that the deocy BB84 usually uses two modes, such as polarization or time bins, to send one bit of quantum information), where is the detection rate for the events when Alice sent photons ( and thus ), is the error rate on the photon signal, is the binary entropy function, is the quantum bit error rate (QBER), and and represents the efficiency of the error correction code. For the decoy BB84 protocol, these terms are given by

(14) | |||||

(15) | |||||

(16) | |||||

(17) | |||||

(18) |

where , is the channel transmittance, is the efficiency of Bob’s devices, is the efficiency of Bob’s detectors. is the dark counts of the detector, and with the visibility . The optimal key rate is then given by

(19) |

CV-GG02 protocol. The key rate is given by

(20) |

where is the repetition rate, which is omitted in our calculation, is the reconciliation efficiency, is the mutual information between Alice and Bob, and is the Holevo information between Bob and Eve. In the following we consider the uncalibrated- and calibrated-device scenarios. For both scenarios, has the same expression:

(21) |

where is the variance of the Alice’s output thermal state and is the variance of the Alice’s Gaussian modulation. is the total noise between Alice and Bob:

(22) |

where is the channel noise with the channel tarnsmittance and the optical excess noise , and is the noise of the Bob’s homodyne detector with the homodyne detector’s electronic noise and quantum efficiency .

The amount of the Holevo information depends on the scenario. For the uncalibrated-device scenario, Eve can hold a whole environmental part including the loss and noise of the homodyne detector at Bob’s side. Then the Holevo information is calculated to be SBCDLP09

(23) |

where ,

(24) | |||||

(25) |

and

(26) | |||||

(27) |

The achievable key rate is then obtained by maximizing over .

For the calibrated-device scenario, Eve cannot access to the homodyne detector’s imperfections. The Holevo information for such a scenario is for example given in LBGFKDDCBMG07 . We summarize it here for the completeness:

(28) |

where ,

(29) | |||||

(30) |

and

(31) | |||||

(32) | |||||

(33) | |||||

(34) |

The achievable key rate is again obtained by maximizing over .

## References

- (1)
- (2)