Tight finite-key analysis for passive decoy-state quantum key distribution under general attacks

# Tight finite-key analysis for passive decoy-state quantum key distribution under general attacks

## Abstract

For quantum key distribution (QKD) using spontaneous parametric-down-conversion sources (SPDCSs), the passive decoy-state protocol has been proved to be efficiently close to the theoretical limit of an infinite decoy-state protocol. In this paper, we apply a tight finite-key analysis for the passive decoy-state QKD using SPDCSs. Combining the security bound based on the uncertainty principle with the passive decoy-state protocol, a concise and stringent formula for calculating the key generation rate for QKD using SPDCSs is presented. The simulation shows that the secure distance under our formula can reach up to 182 km when the number of sifted data is . Our results also indicate that, under the same deviation of statistical fluctuation due to finite-size effects, the passive decoy-state QKD with SPDCSs can perform as well as the active decoy-state QKD with a weak coherent source.

###### pacs:
03.67.Dd, 03.67.Hk

## I introduction

Quantum key distribution (QKD) allows two legal communication parties to acquire the identical key based on quantum mechanics. Since the invention of the first pioneer QKD protocol, BB84 protocol (1), people have achieved great progress both in QKD’s theory and experiment (2); (3); (4); (5); (6); (7); (8); (9). On the way toward the industrialization of QKD, people have faced sorts of obstacles, one of which comes from the fact that the necessary assumptions required for QKD’s unconditional security are not easy to satisfy in a real situation (10). Practical factors, i.e., inefficient authentication of classical communication, imperfections of setups and finite-size data, will undoubtedly threaten the security of a real QKD system and quantum hacking strategies can be successfully derived to attack the practical QKD system (11); (12); (13). However, corresponding countermeasures can be applied to combat these attacks. One approach is to employ the notion of device-independent QKD (DI-QKD) (14); (15); (16); (17); (18); (19); (20); (21). The other, although difficult to implement, is to mathematically characterize the impact of imperfect factors on QKD’s security as comprehensively as possible by a security proof(10).

The notion of finite-length keys is one of practical imperfections need to be solved in the practical security of QKD. In the case of finite-length keys, the security bound in the asymptotic regime should be reconsidered, and several attempts have been made to tackle this problem (22); (23); (24); (25); (26). In recent years, based on the composable security definition derived from trace distance (27), several significant advances have been achieved (28); (29); (30); (31); (32); (33); (34), with the most pioneering one being the bound from the smooth min-entropy by Scarani and Renner (29). By noting that the uncertainty relation can be generalized to one formulated in terms of smooth entropies and that this directly implies the security of QKD protocols (4), Tomamichel et al. (35) creatively introduced the entropic formulation of the uncertainty relation into the security analysis of finite-length keys. Since then, many attempts were made to improve the security bound of finite resources, such as the situations for permutation-invariant protocols under coherent attacks (36), active decoy-state QKD (37), measurement-device-independent QKD (38), one-sided device-independent QKD (39), and the B92 protocol (40). It should be noted that, by applying generalized chain rules for smooth min-entropies (41), information leakage from multiphoton pulses and vacuum pulses that the eavesdropper may exploit can be well bounded (37). Thus, the result of Ref. (35) can be applied to most real situations when practical photon sources are used, e.g., weak coherent sources (WCSs) and spontaneous-parametric-down-conversion sources (SPDCSs).

SPDCS, like the commonly used WCSs, is also within reach of current technology and can be considered as another candidate of the perfect single photon source. However, due to the multiphoton fraction, QKD using SPDCSs is also vulnerable to the photon-number-splitting attack (42). The active decoy-state method (43); (44); (45), i.e., actively and randomly varying the intensity of each signal state by a variable optical attenuator (VOA), can be conducted to combat this attack. But in some cases the imperfections of VOA might cause some physical parameters to rely on the particular setting selected and then threaten QKD’s security (46). Thus, passive preparation of intensity might be desirable in practice, and the first passive decoy-state protocol was presented by introducing a photon number resolving detector (47). Then, Adachi et al. (48) presented an efficient passive decoy-state proposal (AYKI protocol) which can be easily realized with a practical threshold detector. More importantly, it is proved to be efficient enough for estimating the contribution of the single-photon pulse. Later, Ma and Lo (49) generalized the results of Refs. (48) and (47) to the most common case and Curty et al. (50) proposed a new passive decoy-state scheme for QKD using WCSs by subtly fitting a beam splitter with a threshold detector for triggering. However, all of the above results regarding the passive decoy-state scheme are obtained in the condition of asymptotic infinite-length keys. An effort to derive the security bound for the passive decoy-state method under finite resources has been made by Tan and Cai (51). Their work is based on an indirect approach of tracing coherent attacks to collective attacks by the de Finetti theorem (52). And for the direct approach based on the uncertainty principle (35), how the finite-size effect influences the performance of a passive decoy-state protocol needs further studying. This is just what we intend to clarify here.

In this paper, we directly introduce the formula of key generation rate obtained from Ref. (37) into the cases for passive decoy-state protocol. The difference is in the parameter estimation step, i.e., the way to estimate the single-photon yield and error rate in the scenario of finite-length keys. The starting point of the passive decoy-state protocol under asymptotic infinite-length keys is that the yield and bit error rate of the -photon states from the triggered pulses are both equal to that from the nontriggered pulses. But this condition is no longer true under the condition of finite-length keys due to statistical fluctuations. Hence, we shall reconsider the steps of a passive decoy-state protocol for estimating single-photon yield and error rate. Luckily, it is found that the yield and bit error rate of -photon states can be considered as random variables emanating from sampling without replacement. Then, by applying the Serfling bound (53) in sample theory, one can construct confidence regions of the interval estimate for these variables, which was first introduced into the parameter estimation of QKD by Scarani et al. (29) and then improved by Tomamichel et al. (35) and Mertz et al. (36). Thus, in the confidence regions, there certainly exist relationships for the parameters between triggered events and nontriggered events, which can be directly applied to estimate the gain and bit error rate of triggered and non-triggered single-photon events, respectively. In particular, without relying on any approximation, we introduce a rigorous method based on a hypergeometric argument (33) to bound the quantity of the maximal information of an eavesdropper on the single-photon events. Note that our security analysis is conducted based on the uncertainty principle and that bound in (33) holds true under no approximation; thus the formulas we obtain are valid for general coherent attacks and our results guarantee unconditional security. We compare our results with those derived from active decoy protocol (37) and the simulations show the efficiency of our protocol.

The paper is organized as follows. In Sec. II, we fix the security preliminaries, clarify the formalism used to calculate secret key rates under the assumption of general attacks and introduce the bound for estimating the phase error rate in our protocol. Section III recalls the AYKI protocol for QKD with asymptotic infinite-length keys. The main results of this paper, i.e., tight formulas for estimating the yield and bit error rate for single-photon events, are presented in Sec. IV. Section V numerically simulates our results and Sec. VI concludes the paper.

## Ii Security criteria and smooth min-entropy

In this paper we consider an asymmetric coding BB84 protocol, where the bases and are chosen with probabilities and that are biased. The protocol consists of these steps: state preparation, state measurement, sifting, parameter estimation (PE), error correction (EC), error verification, and privacy amplification (PA) (for a detailed description, see Ref. (37)). The protocol outputs are and on Alice’s and Bob’s side respectively. Only and only if successfully passing all of the above steps can and be considered secure. Here, the security criterion based on trace distance, seminally proposed by Renner, is introduced in our analysis (27):

Definition 1 (composable security definition). Assume a QKD protocol outputs keys of and on Alice¡¯s and Bob¡¯s side respectively. It is considered to be if it satisfies both the correctness and the secrecy. Correctness means that the protocol is -correct if , namely the probability of will not exceed . Secrecy means that the protocol is if where represents either of the keys and , is the system that the eavesdropper owns, is the classical-quantum state describing the joint state of and , is the uniform mixture of all possible values of , and is the probability that all steps of the protocol are successfully conducted.

Smooth min-entropy, relying on a generalization of the von Neumann entropy, is an essential tool in the security proof based on information theory (27). Combined with the uncertainty principle, it directly implies a security proof without the assumption that the measurement devices work according to the specifications of the protocol (4). In particular, it can provide us an efficient method for the finite-key analysis (35). If we denote as a finite dimensional Hilbert space and let be the set of positive semidefinite operators on . Then, the set of normalized quantum states and subnormalized ones can be presented by and , respectively. Given theses, the definition of smooth min-entropy can be defined as the following(27):

Definition 2 (smooth min-entropy). Let , and . The smooth min-entropy , taken over a set of states that are -close to , is defined as the quantity

 max~ρ∈Bε(ρAB){−log2min{λ>0:∃σB:~ρAB≤λid% A⊗σB}}, (1)

where , is the identity operator on , is a distance measure based on fidelity and is called the smoothing parameter.

There exists the following chain rule for the smooth min-entropy(41); (54):

Lemma 1 (Chain-rule inequality for the smooth min-entropy). Let , , and . Then

 Hε+ε′+2ε′′min(AB|C)ρ≥Hε′′min(A|BC)ρ+Hε′min(B|C)ρ−f(ε), (2)

where .

Let system be the information that Eve obtains on the raw key of Alice, prior to the error-verification step. Then, after the privacy amplification step, the length of the secure key can be expressed by the following lemma.

Lemma 2 (Secret key based on smooth min-entropy) (27); (37): By applying privacy amplification with two-universal hashing, a secret key extracted from is -secret if its length is chosen such that

 ⌊Hνmin(XA|E′)−2log212¯¯¯ν⌋, (3)

where with and chosen to be proportional to , and quantifies the amount of uncertainty system has on .

## Iii AYKI protocol with infinite-length keys

In the AYKI protocol, two-mode states are prerequisite and we consider thoses emitted from the nondegenerate spontaneous-parametric-down-conversion (SPDC) process. This type of SPDC processes creates the two-mode state (55)

 (coshχ)−1∞∑n=0(tanhχ)neinθ|n,n⟩. (4)

Set the intensity of the source to , then the above description simplifies to

 ∞∑n=0√μn(1+μ)n+1einθ|n,n⟩ (5)

When the sender (Alice) measures one mode of her states from the above SPDCS with a practical threshold detector described by detection efficiency and dark-count rate , the other mode can be divided into two parts according to the response of the threshold detector, i.e., the triggered events and nontriggered events. Both of the them are sent to the lossy channel, detected by the receiver’s (Bob’s) detector and devoted to the final secret key. In particular, the nontriggered events, acting as the role of decoy states, can be used to estimate the single-photon contribution and single-photon error.

In this case, the signal -photon events with probability are also divided into two parts, the triggered -photon events with probability of and the nontriggered -photon events with probability of . Let be the probability of detection (triggering) when photons are emitted from the SPDC process. Then, and with (48)

 pn=μn(1+μ)n+1,γn=1−(1−dA)(1−ηA)n. (6)

In this paper, we consider the measurement model mentioned in Ref. (48). It should be noted that, in the case of asymptotic infinite-length keys, it is assumed that the detection rate (yield) and quantum bit error rate (QBER) of the triggered -photon events are the same as those of the nontriggered -photon events, i.e.,

 Y(t)n=Y(nt)n,e(t)n=e(nt)n. (7)

Under this condition, it is not easy to find that (48)

 Q(t)n=δnQ(nt)n, (8)

where , and . Noting that and considering the overall detection rate with triggering and without triggering, one can obtain a lower bound for the single-photon detection rate without triggering (48):

 Q(nt)1≥(δ2−δ)Q(% nt)−(δ2−δ0)Q(nt)0δ2−δ1≜ξ(Q(nt)0), (9)

where . Then, taking the overall QBER with triggering and the one without triggering into account, one can derive a upper bound for the single-photon error rate (48):

 e1≤min(2δE(t)Q(nt)−δ0Q(nt)02δ1ξ(Q(nt)0),2E(% nt)Q(nt)−Q(nt)02ξ(Q(nt)0))≜ϵ(Q(nt)0), (10)

where .

Takeing both of the keys derived from the triggered events and nontriggered events into consideration, and applying the GLLP formula (3), one can obtain the final key rate which is shown by Eqs.(13) and (14) in Ref. (48).

## Iv Passive decoy-state protocol with finite-length keys

Due to the effect of finite-size data sets in real-life experiments, there exist various fluctuations in the parameter-estimation step (56). For a SPDCS, it is proved that the AYKI protocol actually always holds with whatever intensity fluctuation of pump light (57). Hence, in this paper, we mainly consider the influence of the finite-size effect on the estimation of single-photon yield, single-photon error rate, and phase error rate.

### iv.1 Phase error rate

Here, the phase errors, an argument arising from the Shor–Preskill formalism (2), means that the maximal virtual errors come from the activity of smart eavesdroppers. It can not be directly measured in experiment and, in the case of a finite-size data set, has to be estimated via a random-sampling theory according to the observed bit errors. In this paper, we apply the interval estimation based on the straightforward bounds (33) from an approaching technique for the hypergeometric distribution. It should be noted that this estimation is in accordance with the security criteria based on trace distance and, most importantly, is proved to be tighter than the one in Ref. (35) and more stringent than the one in Ref. (58).

Lemma 3 (straightforward bound). Let , and be the sifted bits, sample bits and observed error bits, respectively. Suppose the final keys of the QKD protocol are -secret, then their phase error rate is given by (33)

 ep=(n+l)^e(c+2)−leob(c+2)n≜g(eob(c)), (11)

with

 ^e(c)=eob(c)+2τ+2√τ{eob(c)[1−eob(c)]+τ}1+4τ,τ=ω2n4l(n+l−1),eob(c)=c/l, (12)

where is chosen satisfying

 √n+ln√ω2+2π2eνΦ(ω)⩽116εsec2. (13)

Here, and .

### iv.2 single-photon yield

In the case of finite-length keys, the yield of the triggered -photon events are no longer equal to that of the nontriggered ones, i.e.,

 Y(t)n≠Y(nt)n. (14)

However, by the theory of probability statistics, there certainly exist relations between the two parts in concrete confidence regions. This means, that the yield of the triggered -photon events is close to that of the nontriggered ones, which corresponds to the two parts being equal except with a probability of . Here, we consider the bound widely used in finite-key QKD and first introduce the following lemma into estimating the relation between the yields (35); (36):

Lemma 4. Let and . Let and be the quantum state of the triggered and nontriggered -photon events, respectively. They are both permutation-invariant quantum states, and let be a positive-operator-value measure (POVM) on which outputs the yield and quantum bit error rate, where . Let and be the frequency distribution of the measurement events, e.g., the yield, when applying the measurement and , respectively. Then, for any element and from and except with probability ,

 12∥Y(t)n−Y(nt)n∥⩽ξ(ϵn,n1,n2), (15)

with , where and are the number of -photon triggered events and -photon nontriggered events, respectively, chosen for parameter estimation.

Note that the overall detection rate with triggering and without triggering are expressed respectively by

 Q(t)=∞∑n=0Q(t)n=∞∑n=0Y(t)npnγn, (16)
 Q(nt)=∞∑n=0Q(nt)n=∞∑n=0Y(nt)npn(1−γn). (17)

Equation (17) is multiplied by and we obtain

 δ2Q(nt)=δ2Q(nt)0+δ2Q(nt)1+δ2∞∑k=2Q(nt% )k. (18)

From Eq.(15), we can find that , where . Then, the third term of the right-hand side of the above equation satisfies

 δ2∞∑k=2Q(nt)k⩽δ2∞∑k=2(Y(t)k+2ξk)pk(1−γk)⩽∞∑k=2(Y(t)k+2ξk)pkγk=∞∑k=2Q(t)k+2∞∑k=2ξkpkγk, (19)

where . Hence, from Eq.(17), one can obtain

 δ2(Q(nt)−Q(nt)0−Q(% nt)1)⩽Q(t)−Q(t)0−Q(t)1+2∞∑k=2ξkpkγk⩽Q(t)+(2ξ1−Y(nt)1)p1γ1+(2ξ0−Y(nt)0)p0γ0+2∞∑k=2ξkpkγk=Q(t)−δ0Q(nt)0−δ1Q(nt)1+2∞∑k=0ξkpkγk. (20)

We thus obtain a minimum value of as a function of :

 Q(nt)1⩾δ2Q(nt)−Q(t)−(δ2−δ0)Q(nt)0−2∞∑k=0ξkpkγkδ2−δ1. (21)

Let be the probability of choosing a pulse from the SPDC process as the sample bits used for parameter estimation. Then, if we assume and note that and in , the above bound can be further represented by

 Q(nt)1Q(nt)⩾[(δ2−δ)−(δ2−δ0)x−χ]δ2−δ1≜ζ(x), (22)

where denotes the number of total pulses emitted from the SPDC process, and . From Eq.(15), one can also find that . Therefore, we can also obtain a lower bound for :

 Q(t)1⩾δ1Q(nt)1−χ1⩾δ1Q(nt)ζ(x)−χ1, (23)

where .

### iv.3 single-photon error rate

The overall quantum bit error rate for the triggered events and nontriggered events can be represented, respectively, by

 Q(t)E(t)=∞∑n=0Q(t)ne(t)n=∞∑n=0Y(t)ne(t)npnγn, (24)
 Q(nt)E(nt)=∞∑n=0Q(nt)ne(nt)n=∞∑n=0Y(nt)ne(nt)npn(1−γn). (25)

From Eqs.(15), (23) and (24) with , an upper bound on is given by

 e(t)1⩽Q(t)E(t)−Q(t)0e(t)0Q(t)1⩽2Q(t)E(t)−Q(t)02(δ1Q(nt)1−χ1)⩽2Q(t)E(t)−δ0Q(nt)0+χ02[δ1Q(nt)ζ(x)−χ1]⩽2δE(t)−δ0x+χ0/Q(nt)2δ1ζ(x)−2χ1/Q(nt)≜Wt(x), (26)

where .

Similarly, from Eqs.(15), (22) and (25) with , one can have an upper bound on , which is shown by

 e(nt)1⩽Q(nt)E% (nt)−Q(nt)0e(nt)0Q(nt)1⩽2E(nt)−x2ζ(x)≜Wnt(x) (27)

### iv.4 Secret key length

If we consider the secret key only from the triggered events and apply Lemma 2, a -secret key of length can be given by

 ⌊Hνmin(X(t)A|E′)−2log212¯¯¯ν⌋, (28)

where is the raw key extracted from the triggered events, with and chosen to be proportional to .

Then, applying the results of Ref. (37), the length of secret key from the triggered events can be represented by

 ⌊n(t)0+n(t)1(1−h(e(t)p))−λ(t)EC−6log210εsec−log22εcor⌋, (29)

where is the binary entropy function, with , , denotes the phase error rate which is calculated by Lemma 3, . It should be noted that where is the failure probability of estimating the single-photon yield and error rate mentioned in the previous subsection. Let , then , which is different from Ref. (37). is the security parameter of the error-verification step. Hence, the length of the secret key from the triggered events can be shown as

 ℓT=minx{N(1−ppe)Q(nt)[δ0x−χ0Q(nt)+(δ1ζ(x)−χ1Q(nt))(1−h(e(t)p))]}−N(1−ppe)Q(t)fECh(E(t))−6log210εsec−log22εcor, (30)

where with or , is the probability of choosing a pulse from the SPDC process as the sample events used for parameter estimation and . The minimum is numerically taken over the range .

However, if we also take the secret key from the nontriggered events into account when the error reconciliation is separately applied to the triggered events and to the nontriggered events, but the privacy amplification is applied together, Eq.(28) no longer holds true and we shall recalculate the length of the secret key by

 ⌊Hνmin(X(t)AX(nt)A|E(t)′E(nt)′)−2log212¯¯¯ν⌋, (31)

where and are the raw key extracted from the triggered and nontriggered events respectively, and are the information that Eve gathers on and , respectively, up to the error verification step. In the following, we will show how to estimate a lower bound of the left term in Eq.(31).

By Lemma 1, we have that

 Hνmin(X(t)AX(nt)A|E(t)′E(nt)′)⩾Hν2min(X(t)A|X(nt)AE(t)′E(nt)′)+Hν3min(X(nt)A|E(t)′E(nt)′)−f(ν1)=Hν2min(X(t)A|E(t)′)+Hν3min(X(nt)A|E(nt)′)−f(ν1), (32)

where

 f(ν1)=log2(2/ν21),ν=ν1+2ν2+ν3,Hν2min(X(t)A|E(t)′)⩾Hν2min(X(t)A|E(t))−λ(t)EC−log2(2/εcor),Hν3min(X(nt)A|E(nt)′)⩾Hν3min(X(nt)A|E(nt))−λ(nt)EC−log2(2/εcor). (33)

In the above equations, and denote the remaining quantum information that Eve has on and , respectively, after the error correction and error verification steps. According to the analysis of Ref. (37), the terms and in Eq.(33) can be lower bounded by the generalized chain-rule result (Lemma 1 (41)) and the uncertainty relation for smooth entropies (35). Precisely, they are given by

 Hν2min(X(t)A|E(t))⩾n(t)0+n(t)1(1−h(e(t)p))−log22(α2α3)2,Hν3min(X(nt)A|E(nt))⩾n(nt)0+n(nt)1(1−h(e(nt)p))−log22(α5α6)2, (34)

where and .

Combing Eqs.(31-34), the final secret key from both the triggered and nontriggered events is said to be -secret if its length is chosen by

 ℓB⩾n(t)0+n(nt)0+n(t)1(1−h(e(t)p))+n(nt)1(1−h(e(nt)p))−λ(t)EC−λ(nt)EC−log22ν21−log24α2p, (35)

with

 εsec=ν+¯¯¯ν+ϵpe=ν1+2(2α1+α2+α3)+2α4+α5+α6+¯¯¯ν+ϵpe,αp=α2α3α5α6εcor¯¯¯ν, (36)

where is the failure probability of estimating the single-photon yield and error rate.

For evaluation, we set each error term in Eq.(38) to a common value and let . Therefore, the secrecy for the key obtained from both the triggered events and nontriggered events is . Then, considering the bounds of single-photon yield and error rate given in the previous subsections, can be obtained as the following

 ℓB=minx{N(1−ppe)Q(nt)[(δ0x+x−χ0Q(nt))+(δ1ζ(x)−χ1Q(nt))(1−h(e(t)p))+ζ(x)(1−h(e(nt)p))]}−N(1−ppe)Q(t)fECh(E(t))−N(1−ppe)Q(nt)fECh(E(nt))−2log215εsec−1−10log215εsec−log24εcor, (37)

where

 χi=√δipiln(15/εsec)2Nppewithi=0or1,e(t)p=g(Wt(x)),e(nt)p=g(Wnt(x)). (38)

In Eqs.(37) and (38), the minimum is numerically taken over the range (48).

To conclude, the length of the final secret key can be given as .

## V numerical simulation

In this section, by assuming a fiber-based channel model, we numerically show the performance of our protocol with finite-length key. Let being the fiber transmission with dB/km the attenuation coefficient, the quantum efficiency of Bob’s detectors and . For better comparison, we borrow experimental parameters from Ref. (37), which assumes that Bob uses an active measurement setup with two single-photon detectors with total detection efficiency and dark-count probability . On the sender’s side, we assume Alice uses a SPDCS and a typical silicon avalanche photodiode as threshold detector with and . The numerical parameters used are listed in Table I.

For the average overall gain and , also the average quantum bit error rate (QBER) and , they can be directly measured in the experiment. In this paper, for simulation purpose, we neglect the finite size effect in the calculation of the average overall gain and QBER. Then, according to the channel model, it is given that

 Q(t)=∞∑n=0pnγn[1−(1−η)n(1−pd)2],Q(nt)=∞∑n=0pn(1−γn)[1−(1−η)n(1−pd)2],E(t)=12Q(t)∞∑n=0pnγn{1−(1−η)n(1−pd)2−(1−pd)[(1−ηed)n−(1−η+ηed)n]},E(nt)=12Q(nt)∞∑n=0pn(1−γn){1−(1−η)n(1−pd)2−(1−pd)[(1−ηed)n−(1−η+ηed)n]}, (39)

with and