Tight finite-key analysis for passive decoy-state quantum key distribution under general attacks

Tight finite-key analysis for passive decoy-state quantum key distribution under general attacks

Chun Zhou    Wan-Su Bao 2010thzz@sina.com Zhengzhou Information Science and Technology Institute, Zhengzhou, 450004, China Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei, Anhui 230026, China    Hong-Wei Li Zhengzhou Information Science and Technology Institute, Zhengzhou, 450004, China Key Laboratory of Quantum Information,University of Science and Technology of China, Hefei, 230026, China Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei, Anhui 230026, China    Yang Wang    Yuan Li Zhengzhou Information Science and Technology Institute, Zhengzhou, 450004, China Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei, Anhui 230026, China    Zhen-Qiang Yin    Wei Chen    Zheng-Fu Han Key Laboratory of Quantum Information,University of Science and Technology of China, Hefei, 230026, China Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei, Anhui 230026, China
August 17, 2019

For quantum key distribution (QKD) using spontaneous parametric-down-conversion sources (SPDCSs), the passive decoy-state protocol has been proved to be efficiently close to the theoretical limit of an infinite decoy-state protocol. In this paper, we apply a tight finite-key analysis for the passive decoy-state QKD using SPDCSs. Combining the security bound based on the uncertainty principle with the passive decoy-state protocol, a concise and stringent formula for calculating the key generation rate for QKD using SPDCSs is presented. The simulation shows that the secure distance under our formula can reach up to 182 km when the number of sifted data is . Our results also indicate that, under the same deviation of statistical fluctuation due to finite-size effects, the passive decoy-state QKD with SPDCSs can perform as well as the active decoy-state QKD with a weak coherent source.

03.67.Dd, 03.67.Hk

I introduction

Quantum key distribution (QKD) allows two legal communication parties to acquire the identical key based on quantum mechanics. Since the invention of the first pioneer QKD protocol, BB84 protocol BB84 , people have achieved great progress both in QKD’s theory and experiment Lo99 ; GLLP04 ; Tomamichel11 ; Guo12 ; Zeilinger12 ; Bacco13 ; Pan13 ; Shield13 . On the way toward the industrialization of QKD, people have faced sorts of obstacles, one of which comes from the fact that the necessary assumptions required for QKD’s unconditional security are not easy to satisfy in a real situation Scarani09 . Practical factors, i.e., inefficient authentication of classical communication, imperfections of setups and finite-size data, will undoubtedly threaten the security of a real QKD system and quantum hacking strategies can be successfully derived to attack the practical QKD system Hacking1 ; Hacking2 ; Hacking3 . However, corresponding countermeasures can be applied to combat these attacks. One approach is to employ the notion of device-independent QKD (DI-QKD) DI1 ; DI2 ; DI3 ; MDI1 ; MDI2 ; MDI-Lo ; MDI-Ma ; Bao13-1 . The other, although difficult to implement, is to mathematically characterize the impact of imperfect factors on QKD’s security as comprehensively as possible by a security proofScarani09 .

The notion of finite-length keys is one of practical imperfections need to be solved in the practical security of QKD. In the case of finite-length keys, the security bound in the asymptotic regime should be reconsidered, and several attempts have been made to tackle this problem Hayashi07 ; Cai09 ; Li09 ; Song11 ; Somma13 . In recent years, based on the composable security definition derived from trace distance Renner05 , several significant advances have been achieved Scarani08-1 ; Scarani08-2 ; Christandl09 ; Bratzik11 ; Ng12 ; Hayashi12 ; Hayashi13 , with the most pioneering one being the bound from the smooth min-entropy by Scarani and Renner Scarani08-2 . By noting that the uncertainty relation can be generalized to one formulated in terms of smooth entropies and that this directly implies the security of QKD protocols Tomamichel11 , Tomamichel et al. Tomamichel12 creatively introduced the entropic formulation of the uncertainty relation into the security analysis of finite-length keys. Since then, many attempts were made to improve the security bound of finite resources, such as the situations for permutation-invariant protocols under coherent attacks Mertz13 , active decoy-state QKD Lim13 , measurement-device-independent QKD Curty13 , one-sided device-independent QKD Bao13-2 , and the B92 protocol Mafu13 . It should be noted that, by applying generalized chain rules for smooth min-entropies Vitanov13 , information leakage from multiphoton pulses and vacuum pulses that the eavesdropper may exploit can be well bounded Lim13 . Thus, the result of Ref. Tomamichel12 can be applied to most real situations when practical photon sources are used, e.g., weak coherent sources (WCSs) and spontaneous-parametric-down-conversion sources (SPDCSs).

SPDCS, like the commonly used WCSs, is also within reach of current technology and can be considered as another candidate of the perfect single photon source. However, due to the multiphoton fraction, QKD using SPDCSs is also vulnerable to the photon-number-splitting attack Brassard00 . The active decoy-state method decoy03 ; decoy-Lo ; decoy-Wang , i.e., actively and randomly varying the intensity of each signal state by a variable optical attenuator (VOA), can be conducted to combat this attack. But in some cases the imperfections of VOA might cause some physical parameters to rely on the particular setting selected and then threaten QKD’s security Curty10 . Thus, passive preparation of intensity might be desirable in practice, and the first passive decoy-state protocol was presented by introducing a photon number resolving detector Pas-Mauerer07 . Then, Adachi et al. Pas-Adachi07 presented an efficient passive decoy-state proposal (AYKI protocol) which can be easily realized with a practical threshold detector. More importantly, it is proved to be efficient enough for estimating the contribution of the single-photon pulse. Later, Ma and Lo Pas-Ma08 generalized the results of Refs. Pas-Adachi07 and Pas-Mauerer07 to the most common case and Curty et al. Pas-Curty09 proposed a new passive decoy-state scheme for QKD using WCSs by subtly fitting a beam splitter with a threshold detector for triggering. However, all of the above results regarding the passive decoy-state scheme are obtained in the condition of asymptotic infinite-length keys. An effort to derive the security bound for the passive decoy-state method under finite resources has been made by Tan and Cai Tan11 . Their work is based on an indirect approach of tracing coherent attacks to collective attacks by the de Finetti theorem Renner07 . And for the direct approach based on the uncertainty principle Tomamichel12 , how the finite-size effect influences the performance of a passive decoy-state protocol needs further studying. This is just what we intend to clarify here.

In this paper, we directly introduce the formula of key generation rate obtained from Ref. Lim13 into the cases for passive decoy-state protocol. The difference is in the parameter estimation step, i.e., the way to estimate the single-photon yield and error rate in the scenario of finite-length keys. The starting point of the passive decoy-state protocol under asymptotic infinite-length keys is that the yield and bit error rate of the -photon states from the triggered pulses are both equal to that from the nontriggered pulses. But this condition is no longer true under the condition of finite-length keys due to statistical fluctuations. Hence, we shall reconsider the steps of a passive decoy-state protocol for estimating single-photon yield and error rate. Luckily, it is found that the yield and bit error rate of -photon states can be considered as random variables emanating from sampling without replacement. Then, by applying the Serfling bound Serfling74 in sample theory, one can construct confidence regions of the interval estimate for these variables, which was first introduced into the parameter estimation of QKD by Scarani et al. Scarani08-2 and then improved by Tomamichel et al. Tomamichel12 and Mertz et al. Mertz13 . Thus, in the confidence regions, there certainly exist relationships for the parameters between triggered events and nontriggered events, which can be directly applied to estimate the gain and bit error rate of triggered and non-triggered single-photon events, respectively. In particular, without relying on any approximation, we introduce a rigorous method based on a hypergeometric argument Hayashi12 to bound the quantity of the maximal information of an eavesdropper on the single-photon events. Note that our security analysis is conducted based on the uncertainty principle and that bound in Hayashi12 holds true under no approximation; thus the formulas we obtain are valid for general coherent attacks and our results guarantee unconditional security. We compare our results with those derived from active decoy protocol Lim13 and the simulations show the efficiency of our protocol.

The paper is organized as follows. In Sec. II, we fix the security preliminaries, clarify the formalism used to calculate secret key rates under the assumption of general attacks and introduce the bound for estimating the phase error rate in our protocol. Section III recalls the AYKI protocol for QKD with asymptotic infinite-length keys. The main results of this paper, i.e., tight formulas for estimating the yield and bit error rate for single-photon events, are presented in Sec. IV. Section V numerically simulates our results and Sec. VI concludes the paper.

Ii Security criteria and smooth min-entropy

In this paper we consider an asymmetric coding BB84 protocol, where the bases and are chosen with probabilities and that are biased. The protocol consists of these steps: state preparation, state measurement, sifting, parameter estimation (PE), error correction (EC), error verification, and privacy amplification (PA) (for a detailed description, see Ref. Lim13 ). The protocol outputs are and on Alice’s and Bob’s side respectively. Only and only if successfully passing all of the above steps can and be considered secure. Here, the security criterion based on trace distance, seminally proposed by Renner, is introduced in our analysis Renner05 :

Definition 1 (composable security definition). Assume a QKD protocol outputs keys of and on Alice s and Bob s side respectively. It is considered to be if it satisfies both the correctness and the secrecy. Correctness means that the protocol is -correct if , namely the probability of will not exceed . Secrecy means that the protocol is if where represents either of the keys and , is the system that the eavesdropper owns, is the classical-quantum state describing the joint state of and , is the uniform mixture of all possible values of , and is the probability that all steps of the protocol are successfully conducted.

Smooth min-entropy, relying on a generalization of the von Neumann entropy, is an essential tool in the security proof based on information theory Renner05 . Combined with the uncertainty principle, it directly implies a security proof without the assumption that the measurement devices work according to the specifications of the protocol Tomamichel11 . In particular, it can provide us an efficient method for the finite-key analysis Tomamichel12 . If we denote as a finite dimensional Hilbert space and let be the set of positive semidefinite operators on . Then, the set of normalized quantum states and subnormalized ones can be presented by and , respectively. Given theses, the definition of smooth min-entropy can be defined as the followingRenner05 :

Definition 2 (smooth min-entropy). Let , and . The smooth min-entropy , taken over a set of states that are -close to , is defined as the quantity


where , is the identity operator on , is a distance measure based on fidelity and is called the smoothing parameter.

There exists the following chain rule for the smooth min-entropyVitanov13 ; Dupuis14 :

Lemma 1 (Chain-rule inequality for the smooth min-entropy). Let , , and . Then


where .

Let system be the information that Eve obtains on the raw key of Alice, prior to the error-verification step. Then, after the privacy amplification step, the length of the secure key can be expressed by the following lemma.

Lemma 2 (Secret key based on smooth min-entropy) Renner05 ; Lim13 : By applying privacy amplification with two-universal hashing, a secret key extracted from is -secret if its length is chosen such that


where with and chosen to be proportional to , and quantifies the amount of uncertainty system has on .

Iii AYKI protocol with infinite-length keys

In the AYKI protocol, two-mode states are prerequisite and we consider thoses emitted from the nondegenerate spontaneous-parametric-down-conversion (SPDC) process. This type of SPDC processes creates the two-mode state SPDC00


Set the intensity of the source to , then the above description simplifies to


When the sender (Alice) measures one mode of her states from the above SPDCS with a practical threshold detector described by detection efficiency and dark-count rate , the other mode can be divided into two parts according to the response of the threshold detector, i.e., the triggered events and nontriggered events. Both of the them are sent to the lossy channel, detected by the receiver’s (Bob’s) detector and devoted to the final secret key. In particular, the nontriggered events, acting as the role of decoy states, can be used to estimate the single-photon contribution and single-photon error.

In this case, the signal -photon events with probability are also divided into two parts, the triggered -photon events with probability of and the nontriggered -photon events with probability of . Let be the probability of detection (triggering) when photons are emitted from the SPDC process. Then, and with Pas-Adachi07


In this paper, we consider the measurement model mentioned in Ref. Pas-Adachi07 . It should be noted that, in the case of asymptotic infinite-length keys, it is assumed that the detection rate (yield) and quantum bit error rate (QBER) of the triggered -photon events are the same as those of the nontriggered -photon events, i.e.,


Under this condition, it is not easy to find that Pas-Adachi07


where , and . Noting that and considering the overall detection rate with triggering and without triggering, one can obtain a lower bound for the single-photon detection rate without triggering Pas-Adachi07 :


where . Then, taking the overall QBER with triggering and the one without triggering into account, one can derive a upper bound for the single-photon error rate Pas-Adachi07 :


where .

Takeing both of the keys derived from the triggered events and nontriggered events into consideration, and applying the GLLP formula GLLP04 , one can obtain the final key rate which is shown by Eqs.(13) and (14) in Ref. Pas-Adachi07 .

Iv Passive decoy-state protocol with finite-length keys

Due to the effect of finite-size data sets in real-life experiments, there exist various fluctuations in the parameter-estimation step decoy-Ma . For a SPDCS, it is proved that the AYKI protocol actually always holds with whatever intensity fluctuation of pump light Wang10 . Hence, in this paper, we mainly consider the influence of the finite-size effect on the estimation of single-photon yield, single-photon error rate, and phase error rate.

iv.1 Phase error rate

Here, the phase errors, an argument arising from the Shor–Preskill formalism Lo99 , means that the maximal virtual errors come from the activity of smart eavesdroppers. It can not be directly measured in experiment and, in the case of a finite-size data set, has to be estimated via a random-sampling theory according to the observed bit errors. In this paper, we apply the interval estimation based on the straightforward bounds Hayashi12 from an approaching technique for the hypergeometric distribution. It should be noted that this estimation is in accordance with the security criteria based on trace distance and, most importantly, is proved to be tighter than the one in Ref. Tomamichel12 and more stringent than the one in Ref. Fung10 .

Lemma 3 (straightforward bound). Let , and be the sifted bits, sample bits and observed error bits, respectively. Suppose the final keys of the QKD protocol are -secret, then their phase error rate is given by Hayashi12




where is chosen satisfying


Here, and .

iv.2 single-photon yield

In the case of finite-length keys, the yield of the triggered -photon events are no longer equal to that of the nontriggered ones, i.e.,


However, by the theory of probability statistics, there certainly exist relations between the two parts in concrete confidence regions. This means, that the yield of the triggered -photon events is close to that of the nontriggered ones, which corresponds to the two parts being equal except with a probability of . Here, we consider the bound widely used in finite-key QKD and first introduce the following lemma into estimating the relation between the yields Tomamichel12 ; Mertz13 :

Lemma 4. Let and . Let and be the quantum state of the triggered and nontriggered -photon events, respectively. They are both permutation-invariant quantum states, and let be a positive-operator-value measure (POVM) on which outputs the yield and quantum bit error rate, where . Let and be the frequency distribution of the measurement events, e.g., the yield, when applying the measurement and , respectively. Then, for any element and from and except with probability ,


with , where and are the number of -photon triggered events and -photon nontriggered events, respectively, chosen for parameter estimation.

Note that the overall detection rate with triggering and without triggering are expressed respectively by


Equation (17) is multiplied by and we obtain


From Eq.(15), we can find that , where . Then, the third term of the right-hand side of the above equation satisfies


where . Hence, from Eq.(17), one can obtain


We thus obtain a minimum value of as a function of :


Let be the probability of choosing a pulse from the SPDC process as the sample bits used for parameter estimation. Then, if we assume and note that and in , the above bound can be further represented by


where denotes the number of total pulses emitted from the SPDC process, and . From Eq.(15), one can also find that . Therefore, we can also obtain a lower bound for :


where .

iv.3 single-photon error rate

The overall quantum bit error rate for the triggered events and nontriggered events can be represented, respectively, by


From Eqs.(15), (23) and (24) with , an upper bound on is given by


where .

Similarly, from Eqs.(15), (22) and (25) with , one can have an upper bound on , which is shown by


iv.4 Secret key length

If we consider the secret key only from the triggered events and apply Lemma 2, a -secret key of length can be given by


where is the raw key extracted from the triggered events, with and chosen to be proportional to .

Then, applying the results of Ref. Lim13 , the length of secret key from the triggered events can be represented by


where is the binary entropy function, with , , denotes the phase error rate which is calculated by Lemma 3, . It should be noted that where is the failure probability of estimating the single-photon yield and error rate mentioned in the previous subsection. Let , then , which is different from Ref. Lim13 . is the security parameter of the error-verification step. Hence, the length of the secret key from the triggered events can be shown as


where with or , is the probability of choosing a pulse from the SPDC process as the sample events used for parameter estimation and . The minimum is numerically taken over the range .

However, if we also take the secret key from the nontriggered events into account when the error reconciliation is separately applied to the triggered events and to the nontriggered events, but the privacy amplification is applied together, Eq.(28) no longer holds true and we shall recalculate the length of the secret key by


where and are the raw key extracted from the triggered and nontriggered events respectively, and are the information that Eve gathers on and , respectively, up to the error verification step. In the following, we will show how to estimate a lower bound of the left term in Eq.(31).

By Lemma 1, we have that




In the above equations, and denote the remaining quantum information that Eve has on and , respectively, after the error correction and error verification steps. According to the analysis of Ref. Lim13 , the terms and in Eq.(33) can be lower bounded by the generalized chain-rule result (Lemma 1 Vitanov13 ) and the uncertainty relation for smooth entropies Tomamichel12 . Precisely, they are given by


where and .

Combing Eqs.(31-34), the final secret key from both the triggered and nontriggered events is said to be -secret if its length is chosen by




where is the failure probability of estimating the single-photon yield and error rate.

For evaluation, we set each error term in Eq.(38) to a common value and let . Therefore, the secrecy for the key obtained from both the triggered events and nontriggered events is . Then, considering the bounds of single-photon yield and error rate given in the previous subsections, can be obtained as the following




In Eqs.(37) and (38), the minimum is numerically taken over the range Pas-Adachi07 .

To conclude, the length of the final secret key can be given as .

V numerical simulation

In this section, by assuming a fiber-based channel model, we numerically show the performance of our protocol with finite-length key. Let being the fiber transmission with dB/km the attenuation coefficient, the quantum efficiency of Bob’s detectors and . For better comparison, we borrow experimental parameters from Ref. Lim13 , which assumes that Bob uses an active measurement setup with two single-photon detectors with total detection efficiency and dark-count probability . On the sender’s side, we assume Alice uses a SPDCS and a typical silicon avalanche photodiode as threshold detector with and . The numerical parameters used are listed in Table I.

0.20 1.16 0.1 0.005 0.5
Table 1: List of experimental parameters for simulations: is the loss coefficient of the fiber, is the error-correction efficiency, is the detection efficiency of Bob’s detectors, is the error rate due to optical errors, which is the probability that a photon sent from Alice hits the erroneous detector, is the background dark-count rate of Bob’s detectors, and are the detection efficiency and dark count rate of Alice’s detector, respectively.

For the average overall gain and , also the average quantum bit error rate (QBER) and , they can be directly measured in the experiment. In this paper, for simulation purpose, we neglect the finite size effect in the calculation of the average overall gain and QBER. Then, according to the channel model, it is given that


with and . The summations in Eq.(39) can be solved mathematically. However, for simplicity, we do not give their expressions here.

Figure 1: (Color online) Secret key rate vs transmission distance. The secret key rates from left to right are numerically optimized for fixed number of total pulses from the SPDC process with . The dashed curve denotes to the asymptotic secret key rate calculated from Eqs.(9)-(14) in Ref. Pas-Adachi07 , i.e., the key rate of the AYKI protocol with keys of infinite length; The intensity of the SPDCS and the probability of sample events in the total pulses are numerically chosen to be optimal for different transmission distances.

In our simulations, the key’s secrecy and correctness are set to be and , respectively. For the estimation of the phase error rate, we assume . Note that the analysis in Ref. Hayashi12 is based on the QKD protocol with an ideal single-photon source. However, in our paper, a practical SPDCS is used in our protocol, which is within reach of current technology. Hence, the sifted key bits should be replaced by the fraction bits of the single-photon contribution, that is, . Here, represents the gain from the single-photon detections. Then, for the estimate of phase error rate in Eqs.(30) and (37), i.e., and , we shall set their be and , respectively. Likewise, the number of sample bits used for parameter estimation, i.e., and , are set to be and , respectively. Under these conditions, we apply an optimization about the secret key rate