Abstract
In theory, quantum key distribution (QKD) offers information-theoretic security. In practice, however, it does not due to the discrepancies between the assumptions used in the security proofs and the behavior of the real apparatuses. Recent years have witnessed a tremendous effort to fill the gap, but the treatment of correlations among pulses has remained a major elusive problem. Here, we close this gap by introducing a simple yet general method to prove the security of QKD with arbitrarily long-range pulse correlations. Our method is compatible with those security proofs that accommodate all the other typical device imperfections, thus paving the way toward achieving implementation security in QKD with arbitrary flawed devices. Moreover, we introduce a new framework for security proofs, which we call the reference technique. This framework includes existing security proofs as special cases, and it can be widely applied to a number of QKD protocols.
INTRODUCTION
Quantum key distribution (QKD) allows two distant parties, Alice and Bob, to securely exchange cryptographic keys in the presence of an eavesdropper, Eve (1). Despite notable progress made in recent years, there is still a big gap between the information-theoretic security promised by the security proofs and the actual security offered by the practical implementations of QKD. The most pressing problem is the discrepancy between the idealized device models used in the security proofs and the functioning of the real devices used in the experiments. This is so because typical security proofs rely on assumptions to describe the behavior of these devices and ignore their inherent imperfections. In practice, any deviation from these theoretical models might open security loopholes that could lead to side-channel attacks, thus compromising the security of QKD. A possible solution to this problem is to construct more realistic security proofs that can take into account device flaws. Lately, there have been notable advances in this direction. This includes, e.g., the proposal of the decoy-state method (2–4), allowing the use of practical light sources while maintaining a high secret key rate. In addition, measurement device–independent QKD (MDI-QKD) (5) can effectively eliminate all detector side channels and is practical with the current technology (6–11). The missing step toward achieving implementation security in QKD is to better characterize and secure the parties’ sources.
Security loopholes in the source could emerge from three main causes: from state preparation flaws (SPFs) due to the finite precision of the modulation devices, from information leakage either due to side channels arising from mode dependencies or due to Trojan horse attacks (THAs) (12–16), or they could be caused by undesired classical correlations between the generated pulses. Mode dependencies of the emitted signals occur when the optical mode of a pulse depends on Alice’s setting choices. That is, Alice’s setting choices might be encoded in various degrees of freedom of the generated signals, not only on the desired one. Moreover, Eve can perform a THA by sending bright light into the source and then observing the back-reflected light to obtain partial information about Alice’s internal settings. Last, pulse correlations imply that the state of each pulse depends on the previous setting choices, such as bit and basis choices.
SPFs can be efficiently treated with the original loss-tolerant (LT) protocol (17). This is so because in this scheme, the resulting secret key rate is almost independent of the source’s flaws. Its main drawback is the requirement that the states of the pulses are described by qubit states, which is hard to guarantee in practice because of unavoidable potential side channels. To address this limitation, a generalization of the LT protocol was put forward recently (18). This latter protocol encompasses SPFs, mode dependencies, and THAs without requiring detailed information about the state of the side channels, which simplifies their experimental characterization. There are also other techniques that can deal with mode dependencies and THAs, such as the Gottesman-Lo-Lütkenhaus-Preskill (GLLP) type security proofs involving the quantum coin idea (19–21) (from now onward, we shall refer to them as GLLP type security proofs) or the numerical approaches introduced in (22–24).
The final piece toward guaranteeing implementation security is, thus, to consider pulse correlations among the emitted signals. These pulse correlations are purely classical, and they arise from the limitations of practical modulators. In general, due to memory effects of these modulation devices, the state of a pulse depends not only on the current modulation setting but also on the previous ones, meaning that the secret key information, i.e., the bit and the basis choices, is encoded not only into a single pulse but also between subsequent pulses. Theoretically, it is believed that this correlation is very hard to model because the dimensionality of the state space becomes very large. All existing security proofs circumvent this imperfection by simply neglecting it, which means that they cannot guarantee the security of practical implementations. We remark that a few recent works (25–27) have incorporated in their analysis certain pulse correlations between the emitted signals. However, all these works only consider restricted scenarios. In particular, the results in (25, 26) and in (27) only consider setting choice–independent pulse correlations and intensity correlations between neighboring pulses, respectively. Therefore, none of them can deal with pulse correlations in terms of the secret key information nor with long-range correlations. Another reason why these correlations have been ignored so far is because one expects that, in practice, they are small. However, a small imperfection does not necessarily mean a small impact on the secret key rate, as Eve could, in principle, enhance such imperfection by exploiting, say, channel loss, resulting in a poor secret key rate (19–21). Therefore, we note that pulse correlations could be a serious threat to the security of QKD.
Here, we present a general and simple framework to guarantee the security of QKD in the presence of arbitrary classical pulse correlations. The key idea is very easy yet very useful, that is, we regard the leaked information encoded into the correlations of subsequent pulses as a side channel for each of the pulses. The key features of our method include the following: (i) When combined with the generalized LT (GLT) protocol (18) or with the reference technique (RT) introduced in this work, it can analytically guarantee the security of QKD with practical devices that suffer from typical source imperfections, i.e., SPFs and side channels (including mode dependencies, THAs, and pulse correlations), even if the state of the side channels is totally unknown; (ii) due to its simplicity, our method is compatible with many other security proofs including those based on the inner product structure of the emitted pulses such as, for instance, the GLLP type security proofs (19–21) and the numerical techniques in (22–24); and (iii) our method can be applied to many QKD protocols such as, e.g., the BB84 scheme (28), the six-state protocol (29), the SARG04 protocol (30), distributed-phase-reference protocols (31–33), and MDI-QKD (5). Our results indicate the feasibility of secure QKD with arbitrary flawed devices, and therefore, they constitute an essential step toward closing the big gap between theory and practice in QKD.
In addition, a second contribution of this work is a new framework for security proofs, the RT, that can provide high performance in the presence of source imperfections. More precisely, this is a parameter estimation technique that includes existing security proofs as special cases (see the Supplementary Materials). The RT incorporates the original LT protocol and can reproduce the GLT protocol and the GLLP type security proofs. The key idea is to consider some reference states, which are close to the actual states prepared by the protocol of interest, and use them to simplify the estimation of the parameters needed to guarantee the security of the protocol. More precisely, by bounding the maximum deviation between the probabilities associated with the reference states and those associated with the actual states, one can obtain a relationship for the probabilities involving the actual states based on those of the reference states. In doing so, one can estimate the parameters needed to guarantee the security of the actual protocol from the estimation that uses the reference states. We remark that the freedom to choose the reference states is very useful when dealing with source imperfections. In particular, this freedom allows us to analytically prove the security of a QKD protocol without any information on the side-channel states. This is important for achieving implementation security since a full characterization of the side-channel states, which, in principle, could live in unknown physical modes, is certainly very challenging in practice. In this work, we consider three special cases of the RT and evaluate their secret key rate in the presence of pulse correlations and SPFs.
RESULTS
Pulse correlations occur, for instance, when the emitted signals depend on the previous values of the encoding device (e.g., a phase modulator). In other words, subsequent pulses leak information about Alice’s former encoding choices. The key idea of our work to evaluate this complex scenario is to interpret these correlations as a side channel. By realistically modeling the source, we can bound this passive leakage of information and ensure secure QKD after performing enough privacy amplification. In what follows, we first outline the assumptions used in our security analysis, which is presented afterwards.
Assumptions on Alice’s and Bob’s devices
For simplicity, we consider a three-state protocol in which modulation devices are used to encode the bit and the basis choices. We do not explicitly consider the use of the decoy-state method (2–4); however, we remark that our framework could be combined with that method and also incorporate the effect of correlated intensity modulators and other imperfections of the intensity modulators (15). Furthermore, we assume an asymptotic scenario where Alice sends Bob an infinite number of pulses. We note, however, that the work presented here also applies to other protocols that use more than three states, as discussed in the next section.
Additional assumptions might be required depending on the particular security proof technique that is combined with our method. For instance, if the RT based on the GLT protocol (18) or the RT based on the original LT protocol (17), which we will present below, are used, then one also needs to assume that certain information about the states prepared by Alice is known. To be precise, for a setting choice j ∈ {0Z,1Z,0X}, the state of the kth pulse is in general purified into systems CkBkE and expressed as
Here, we take aj as a non-negative number satisfying 0 ≤ aj ≤ 1, which is possible by appropriately choosing the global phase of the states. The subscript CkBkE stands for all the systems, which include not only the kth qubit (system Bk) that Alice sends to Bob over the quantum channel but also the system Ck, which is needed for purifying the state of system Bk, and E is a system that includes Eve’s system. System E includes the systems sent by Alice over the quantum channel, such as the back-reflected light from a possible THA and the ancilla systems kept in Eve’s laboratory. As we will discuss further later, in general, this system also includes Alice’s ancilla systems used in the virtual entanglement-based protocol, which is equivalent to the actual protocol. Some of the latter systems store the setting information for all the pulses sent before the kth pulse. This means, in particular, that ∣λ〉E could depend on the setting choices for all the previous pulses. If it is not possible to find such a state, then aj becomes simply zero. From construction, Eq. 1 is the most general state that can be prepared in a QKD protocol. In other words, Eq. 1 simply decomposes a state ∣ψj〉CkBkE in a given Hilbert space into two states, each of which belongs to an orthogonal space. Precisely, one of them is the qubit state ∣ϕj〉CkBk∣λ〉E (as the set of states {∣ϕj〉CkBk∣λ〉E}j constitutes a qubit space), with ∣λ〉E being a state independent of the kth setting choice, and the other is the setting-dependent side-channel state
The assumptions on Bob’s devices also depend on the security proof. For example, in the case of the RT based on the GLT protocol or based on the original LT protocol, one assumes that Bob measures the incoming pulses in the Z or the X basis. More precisely, Bob’s measurements are represented by the positive operator–valued measures (POVMs)
Security analysis in the presence of pulse correlations
In this section, we present the security analysis of QKD with pulse correlations. For this, we consider a security proof with the following properties. It uses an entanglement-based virtual protocol where Alice prepares pulses in an entangled state, and she (Bob) measures the local (incoming) systems to distill a secret key. In addition, it considers a particular detected pulse to estimate the phase error rate (or the phase error rate as a bound of the min-entropy). For simplicity, in what follows, we shall explicitly mention only the phase error rate, but it applies to both cases. Security against coherent attacks can then be guaranteed with the help of Azuma’s inequality (37), Kato’s inequality (38), or by applying the techniques in (39, 40). Moreover, we assume that the security proof can be generalized such that it applies to a particular pulse with a side channel. That is, it can be used to prove the security of QKD in the presence of active and/or passive information leakage. Thanks to the reduction technique presented below, a particular pulse affected by correlations can be regarded as a pulse with a side channel, and therefore, the security of QKD with pulse correlations is guaranteed. As an example, we now demonstrate that running a three-state protocol in the presence of nearest-neighbor pulse correlations can be regarded as a three-state protocol in which each of the pulses entails side channels. We emphasize, however, that it is straightforward to generalize this reduction technique to an m-state protocol, as discussed below, and to arbitrarily long-range correlations (see Materials and Methods for more details).
Nearest-neighbor pulse correlations. Let
Now, suppose that after Alice sends Bob system B, Bob obtains click events for some of the received signals. Then, Alice and Bob perform fictitious measurements on their systems to generate the raw data in the experiment in order. We are interested in the state of their kth systems only before the fictitious measurements, which resulted in a click at Bob’s detectors. To obtain this state, recall that any operations and measurements on system B, including the detection measurements on the pulses received by Bob, commute with Alice’s measurements. Hence, we can assume that Alice has already measured her first k − 1 ancillas before sending system B. Then, we have the resulting state as
By using the above two states, we can rewrite Eq. 3 as
As a reference, recall that if there were no pulse correlations in the three-state protocol, then the resulting state, instead of being in the form given by Eq. 6, would become
In the security proof for the three-state protocol without pulse correlations, one typically obtains the phase error rate by considering any attack on system Bk in
Note that our framework is also valid for the case where Alice emits mixed states instead of pure states. The emission of mixed states might happen because of imperfections in Alice’s devices or when the prepared pure states are entangled with Eve’s systems because of, say, a THA. To treat this latter scenario, the mixed states can be purified by introducing an ancilla system Ck, with k ∈ {1,2, ⋯, n}, which contains Alice’s and Eve’s systems. As a result, Eq. 6 becomes
Again, if a security proof for the three-state protocol without pulse correlations shows that one can estimate the phase error rate for Σjk∣jk〉Ak∣ψjk〉CkBk, then it follows that
Last, we remark that all the discussions in this section and also in the next one do not require jk to be chosen from only three possibilities, i.e., {0Z,1Z,0X}. That is, by only considering jk ∈ {1,2,3, ⋯, m}, our method applies for an m-state protocol.
Particular device model
Having stated the framework for the security proof in the presence of pulse correlations, we now consider a particular device model with only nearest-neighbor pulse correlations. The purpose of this section is to show how to obtain the parameters needed in Eq. 1 for a particular example of device model. Once this is achieved, one can directly apply the RT to guarantee the security of practical QKD implementations. We remark that for simplicity, below, we do not consider THAs or mode dependencies. However, they could readily be included by using the method in (18). In addition, we assume that a single-photon source is available, and as a concrete example for modeling pulse correlations, we select the following instance of nearest-neighbor pulse correlation
Below, we show how to derive the state in the form of Eq. 1 for this particular example starting from Eq. 10. For this, we follow the idea introduced in the previous section and obtain the states
Now, our formalism to deal with pulse correlations can be used directly with the RT since the states in Eq. 11 are in the form of Eq. 1. For the RT (described in the next section), we only require to know a lower bound on the coefficient 1 − ϵ and a full characterization of the state ∣ϕjk〉Bk. We remark, however, that this framework can also be applied to the numerical techniques in (22–24) if, in addition, the form of the state
Here, we restricted the discussion to the case of nearest-neighbor pulse correlations, but our analysis also applies to arbitrarily long-range correlations. For instance, these correlations could be characterized by
RT based on the original LT protocol
In this section, we introduce a new framework for security proofs, the RT, which results in a high secret key rate in the presence of source imperfections. In what follows, we outline the intuition behind the key idea of the RT by applying it to the original LT protocol (17). A full description of the RT, including the detailed security proof, is presented in Materials and Methods. To simplify the discussion, here, we shall assume collective attacks; however, our analysis can be generalized to coherent attacks (see Materials and Methods for more details). Only as an example, we consider a protocol with a single-photon source in the presence of side-channel information, such as pulse correlations, in which Alice prepares the following three states for each pulse emission
To prove the security of this protocol, we need to evaluate its phase error rate. The key idea of the RT is to consider the phase error rate estimation that we would obtain if we replace the actual set of states of the protocol,
As an example, we select the reference states to be
In the RT, we call Eq. 19 the reference formula since it is used as a reference to obtain a similar expression in terms of the actual states. Note that we cannot use the reference formula directly in the security proof because it entails probabilities associated with the reference states, rather than the actual states.
Fortunately, by evaluating the deviation between the reference and the actual states, we can obtain bounds on the probabilities associated with the actual states and, consequently, the phase error rate of the actual protocol. This part of the RT corresponds to the deviation evaluation part (see Materials and Methods for further details). By following the analysis in the Supplementary Materials, we have that this deviation is quantified by using
No measurement, including any measurement performed by Eve, can induce a larger deviation between the probabilities because Eq. 20 holds for any
Now, we apply Eq. 20 to the first three terms and the last line of Eq. 19 separately, thus converting Eq. 19 into an expression for the probability of a phase error in terms of the actual states. For instance, note that the last line can be expressed by
Simulation of the secret key rate
To show the performance of QKD in the presence of pulse correlations, we now present the simulation results. For simplicity of discussion, here, we apply our framework to two different cases of the RT: the RT based on the GLT protocol (18) and the RT described in the previous section. We remark that the GLLP type security proofs (19–21) are also regarded as a special case of the RT where we select the actual states as the reference states and skip the reference formula part (see the Supplementary Materials for the proof of this claim). However, they involve four states, rather than three states, and analytical or numerical optimization is required. The comparison between the RT based on the GLLP type security proofs and the RT based on the original LT protocol is presented in the Supplementary Materials.
The main difference between the RT based on the GLT protocol and the RT based on the original LT protocol is that, in the former, a different bound is used to estimate the probabilities associated with the actual states. More precisely, the RT based on the GLT protocol essentially uses an inequality involving eigenvalues, instead of Eq. 20, which has the form
Here,
For the simulations, we assume the asymptotic regime where the secret key rate formula for a single-photon source can be expressed as
In all graphs, the blue and red lines are associated with the RT-GLT and the RT-LT, respectively. The solid lines correspond to the nearest-neighbor pulse correlations ϵ1, while the dashed (dashed-dotted) lines correspond to second ϵ2 (tenth ϵ10) neighbor pulse correlations, as indicated in the legend. (A) When there are no SPFs and the parameter ϵ is high, the RT-GLT and the RT-LT provide similar secret key rates. (B) As the parameter ϵ decreases, both security proofs provide higher secret key rates, but the RT-LT clearly outperforms the RT-GLT. (C) In the presence of SPFs, the secret key rate is only slightly worse for all cases since the security proofs are based on the LT protocol. (D) For high SPFs and low ϵ, the RT-LT is still superior to the RT-GLT.
As expected, this figure shows that when the magnitude of pulse correlations characterized by ϵi increases, the secret key rate decreases. In addition, as the length of the correlations, taken into account, increases, the secret key rate drops. We note, however, that even when long-range correlations are considered, a secret key can still be obtained. Namely, Fig. 1 shows that for ϵ = 10−6, one can generate a secret key even when there are correlations between 10 subsequent pulses. For a smaller value of the parameter ϵi, longer correlations can be included. If ϵi is small enough, then one can consider a very long range of pulse correlations while guaranteeing the security of QKD.
We emphasize that the security proof selected highly affects the results obtained, and this is also illustrated in Fig. 1, where we apply our technique to two different cases of the RT. To compare the RT based on the GLT protocol and the RT based on the original LT protocol as a function of pulse correlations, one can examine panels (A) and (B) or (C) and (D) of Fig. 1. Noticeably, as the magnitude of the pulse correlation ϵi increases, the secret key rate deteriorates for both of them. However, the RT based on the LT protocol outperforms the RT based on the GLT protocol in all the parameter regimes investigated. In addition, by comparing panels (A) and (C) or (B) and (D) of Fig. 1, one can see the effect of SPFs. As expected, the RT based on the GLT protocol and the RT based on the LT protocol are barely affected by this imperfection since they inherit, from the GLT protocol and the original LT protocol, respectively, high tolerance against SPFs with channel loss. The big difference observed in Fig. 1 between these two cases of the RT arises because of the following reason. Recall that we need to evaluate the deviation between the probabilities associated with the reference states and those associated with the actual states. For this, the bound used in the RT based on the GLT protocol is obtained by calculating certain eigenvalues, and thus, they entail square root terms, which deteriorate the secret key rate. Note that in the trace distance argument (15), square root terms are also present, resulting in loose bounds. On the other hand, the RT based on the original LT provides a tighter estimation of the phase error rate thanks to the bound in Eq. 20. More precisely, the square root terms in Eq. 20 include detection probabilities, which decrease as the channel loss increases, while for the other two bounds, the square root terms are constant, and thus, the high performance is maintained by using the bound in Eq. 20. Last, we remark again that the RT framework is general and can be applied to other QKD protocols as well, as shown in the Supplementary Materials.
DISCUSSION
Security proofs of QKD have to consider source imperfections in the theoretical models. Fortunately, SPFs, THAs (12–16), and mode dependencies have been considered together very recently in (18). In this work, we have introduced a general framework to deal with pulse correlations, which are the last pieces required for securing the source. Our framework is compatible with those security proofs that incorporate other source imperfections, and therefore, it can be used to guarantee implementation security with flawed devices by combining it with MDI-QKD (5) and the results in (18). We remark that the decoy-state method (2–4) has not been considered in this work, and therefore, the imperfections of the intensity modulator have not been addressed. However, these imperfections could be straightforwardly included in our framework. The key idea for dealing with pulse correlations is interpreting the information encoded in the subsequent pulses as side-channel information. By doing so, we have shown that, as long as the magnitude of the correlations is small, a secret key can still be obtained even when there are correlations over a long range of pulses. Moreover, our framework can be directly applied in combination with existing security proofs such as the GLT protocol (18), the GLLP type security proofs involving the quantum coin idea (19–21), and the numerical techniques recently introduced in (22–24).
Furthermore, we have proposed a new framework for security proofs, which we call the RT. It uses reference states that are similar to the states sent in the actual protocol, thus allowing us to determine the parameters needed to prove the security of the latter. The RT is very general, and it can be applied to many QKD protocols. Moreover, it already includes the LT protocol, the GLT protocol, and the GLLP type security proofs as special cases. That is, we are able to reconstruct these security proofs by applying the RT, as shown in the Supplementary Materials. We have demonstrated that most of the source imperfections can be incorporated simultaneously into the RT, and therefore, this technique has been proven to be very useful for guaranteeing the security of practical QKD protocols. In particular, we have shown that for the RT based on the original LT, no information about the side-channel states is required, yet it is an analytical security proof, resulting in a much simpler characterization of the source. In addition, we emphasize that the RT can be applied together with analytical or numerical optimization to estimate an upper bound on the phase error rate, which could result in a higher performance. In this work, we have rigorously proven the security of the RT, and we have provided the sufficient conditions to apply this technique to other QKD protocols (see the Supplementary Materials). We remark that, for the security proof, we have not considered the probabilities to be conditional on the detection events, which is usually important for high performance in the finite-key scenario. Fortunately, thanks to the recently developed Kato’s inequality (38), this is not a problem anymore, and it does not affect the performance of the secret key rate even in the finite-key size regime.
In addition, in the Supplementary Materials, we have compared the RT based on the original LT protocol with the RT based on the GLLP type security proofs. We remark, however, that this comparison might be considered unfair because the RT based on the GLLP type security proofs requires four states and analytical or numerical optimization. Last, we note that if a better inequality to evaluate the deviation between the probabilities associated with the reference states and those associated with the actual states is available, then it could replace the inequality in Eq. 20, resulting in even higher secret key rates for the RT. In addition, our method could be applied to other problems in quantum information theory where one needs to estimate summed probabilities. In this sense, our work not only proves the security of practical QKD systems but also has a potential to contribute to quantum information theory in general.
MATERIALS AND METHODS
Reference technique
The RT is a new framework to prove the security of QKD protocols. It is general and can reproduce the GLLP type security proofs involving the quantum coin idea (19–21) and the original LT protocol (17). Moreover, it can be applied to many different protocols. To see this, we refer the reader to the Supplementary Materials where we demonstrate that the GLLP type security proofs can be reconstructed from the RT. In addition, we outline the sufficient conditions to use the RT and prove the security of an m-state protocol. In this section, however, we present the key idea of the RT and show that it can be seen as a generalization of the LT protocol. For concreteness of the explanation, we concentrate on a particular example, the three-state protocol considered in Results.
Usually, to prove the security of QKD protocols, a relationship among the probabilities associated with the actual states needs to be established. Quite often, it is not straightforward to construct such a relationship, and the RT could be very useful to overcome this difficulty. The key idea is to consider a set of states, which we call the reference states, instead of the actual states. These reference states can be chosen freely, but they should be selected such that it is easy to derive a relationship among the probabilities associated with them. For this, it may be convenient to select the reference states in a structured space, such as a qubit space, and importantly, it is preferential that the resulting relationship is resilient against some imperfections in the space, such as the SPFs. Note that this relationship is associated with the reference states, and, therefore, it cannot be used directly in the security proof. However, since the reference states are chosen to be similar to the actual states, we can obtain a relationship associated with the actual states by slightly modifying the relationship for the reference states. In summary, the RT consists mainly of two parts:
1) Reference formula part: Here, we construct a relationship among the probabilities associated with the reference states.
2) Deviation evaluation part: Here, we transform the relationship for the reference states into a relationship for the actual states by evaluating the deviation between the probabilities associated with the reference states and those associated with the actual states.
We emphasize that the reference states are purely a mathematical tool to construct the reference formula, and we do not need to consider or imagine their practical implementation. Below, we show how to apply the RT in practice by presenting a rigorous security proof against coherent attacks for the three-state protocol.
Security proof of the three-state protocol with side channels. Let us assume a three-state protocol where Alice chooses a normalized state ∣ψj〉B from the set {∣ψj〉B}j = 0Z,1Z,0X with probability pj for each pulse emission. For simplicity of discussion, we assume that
Now, we write the states sent by Alice in the form of Eq. 1. That is, we expand the states ∣ψj〉B by using an orthonormal basis, and in doing so, we select a qubit space that is common over the three states. This suggests that ∣ψj〉B can be, most generally, decomposed into
Having finished the description of the states, we move on to the security proof using the RT. We are interested in proving the security of the bit values generated from the Z-basis events. From Eve’s perspective, this instance is equivalent to the one in which Alice selects the Z basis, prepares systems A and B in the state
In the security proof, it is convenient to represent the actual protocol in terms of a virtual entanglement-based protocol. As explained above, in this virtual protocol, we consider replacing Alice’s and Bob’s bases with the X basis when both of them select the Z basis. From Eve’s viewpoint, the actual protocol with this replacement can be equivalently described by Alice and Bob fictitiously preparing the following entangled state
Reference formula part. As an example, we choose the reference states to be the qubit part of the actual states. For the actual states defined in Eq. 28, this corresponds to selecting the set
Note that Eq. 32 is analogous to Eq. 29, but the actual states have been replaced with their respective reference states. Then, we may imagine that Alice measures system A in the X basis and sends Bob the virtual states
Here,
Again, we emphasize that this entanglement-based protocol with the reference states is purely a mathematical tool for the security proof, and we do not need to consider or imagine its practical implementation. The reason why we have selected
We remark that, in Eq. 35, we have highly exploited the properties of a qubit space, i.e., even with a negative sign in front of the coefficient c,
We now consider the following quantity
Using Eq. 35, we can express Eq. 37 as
Here, we emphasize that Eq. 40 is derived on the basis of the idea of the LT protocol, and therefore, it entails the robustness against the SPFs in the qubit space. That is, if there are no side channels, i.e., ϵ = 0, then Eq. 40, which is exactly the expression that is used in the original LT protocol (17), results in a secret key rate that is LT against SPFs. Therefore, this shows that the RT includes the LT protocol in the reference formula part. Next, we transform the relationship for the reference states in Eq. 40 into a relationship for the actual states. That is, we enter the deviation evaluation part of the RT.
Deviation evaluation part. For the transformation of Eq. 40, we use the bound in Eq. 20. We rewrite it here for convenience
Note that −gL(x, y) and gU(x, y) are concave with respect to 0 ≤ x ≤ 1 for any fixed 0 ≤ y ≤ 1, and ∂y gL(x, y) ≥ 0 and ∂y gU(x, y) ≤ 0 hold. For more details on the derivation of Eq. 41, see the Supplementary Materials. Now, we consider the first three terms in Eq. 40, which are reexpressed as
Here, P(k)(q0z,0x∣Act) is the joint probability that Alice selects the setting 0Z, and Bob’s measurement outcome is 0X at the kth instance, conditional on the first k − 1 measurements by Alice and Bob in the entanglement-based protocol for the actual protocol. The other probabilities are defined in a similar manner. This finishes the transformation of the first three terms with respect to the probabilities associated with the actual protocol.
Next, we consider the last three terms in Eq. 40, which are reexpressed as
Here, we have used the fact that the state
As a result, we have transformed the last three terms in Eq. 40 into
Now, we combine Eqs. 40, 47, 53, and 54 to obtain a relationship for the kth pulse associated with the actual states
Last, we have to convert Eq. 55 into a relationship in terms of numbers rather than probabilities. The procedure for this step is quite standard (17, 18, 26, 47). For this, first, note that gU(x, y) and −gL(x, y) are concave functions with respect to 0 ≤ x ≤ 1 for any fixed 0 ≤ y ≤ 1. In addition, recall that the use of Azuma’s inequality (37) or Kato’s inequality (38) converts the summed probabilities into the corresponding number in the asymptotic limit of a large number of pulses sent. That is, for N → ∞,
This inequality involves only the number of events defined in the actual protocol, and by solving this with respect to N(ph∣Act), the security proof is done. We emphasize that our proof is valid for any coherent attack because Eqs. 55 and 56 hold for any
Arbitrarily long-range pulse correlations
In this section, we show how to extend our analysis to accommodate arbitrarily long-range correlations between the pulses. To simplify the discussion, we consider the three-state protocol, but this formalism can be easily extended to any number of states. Our starting point is the assumption in Eq. 13. We rewrite it here for convenience
To clarify, after Alice’s measurement, the state ∣Ψ〉AB in Eq. 59 becomes the state
Now, similar to our analysis for the nearest-neighbor pulse correlations, to see how the information jk is encoded in the state
Next, we obtain a lower bound on the coefficient
In the second equality, we use the result given by Eq. 58, and the inequality comes from Eq. 57.
SUPPLEMENTARY MATERIALS
Supplementary material for this article is available at http://advances.sciencemag.org/cgi/content/full/6/37/eaaz4487/DC1
This is an open-access article distributed under the terms of the Creative Commons Attribution-NonCommercial license, which permits use, distribution, and reproduction in any medium, so long as the resultant use is not for commercial advantage and provided the original work is properly cited.
REFERENCES AND NOTES
- Copyright © 2020 The Authors, some rights reserved; exclusive licensee American Association for the Advancement of Science. No claim to original U.S. Government Works. Distributed under a Creative Commons Attribution NonCommercial License 4.0 (CC BY-NC).