当前位置:首页 >> >>

Security of Quantum Key Distribution with Realistic Devices

Security of Quantum Key Distribution with Realistic Devices
arXiv:quant-ph/0503057v1 5 Mar 2005

Xiongfeng Ma
A report submitted in conformity with the requirements for Master of Science Department of Physics University of Toronto Supervisor: Hoi-Kwong Lo

February 1, 2008


We simulate quantum key distribution (QKD) experimental setups and give out some improvement for QKD procedures. A new data post-processing protocol is introduced, mainly including error correction and privacy ampli?cation. This protocol combines the ideas of GLLP and the decoy states, which essentially only requires to turn up and down the source power. We propose a practical way to perform the decoy state method, which mainly follows the idea of Lo’s decoy state. A new data post-processing protocol is then developed for the QKD scheme with the decoy state. We ?rst study the optimal expected photon number ? of the source for the improved QKD scheme. We get the new optimal ? = O(1) comparing with former ? = O(η), where η is the overall transmission e?ciency. With this protocol, we can then improve the key generation rate from quadratic of transmission e?ciency O(η 2) to O(η). Based on the recent experimental setup, we obtain the maximum secure transmission distance of over 140 km.


Quantum key distribution (QKD) [1, 2] allows two parties, commonly called Alice, the transmitter and Bob, the receiver, to create a random secret key with the channel revealed to the eavesdropper, Eve. The security of QKD is built on the fundamental laws of physics in contrast to existing key distribution schemes that are based on unproven computational assumptions. The best-known QKD scheme was proposed by Bennett and Brassard in 1984 (commonly called BB84 protocol) [1]. Alice uses a quantum channel, which is governed by quantum mechanics to transit single photons, each in one of four polarizations: horizontal (0? ), vertical (90? ), 45? , 135? . Bob randomly chooses one of two bases: rectangular (+) or diagonal (×) to measure the arrived signals, and keeps the result privately. Consequently, Alice and Bob compare the bases they use and discard those in di?erent bases. At last, Alice and Bob perform the local operations and classical communications (LOCC) to do the data post-processing, which is mainly composed of error correction and privacy ampli?cation [3, 4, 5]. Our report will improve the procedure of BB84 with decoy state [6], [7] and apply the idea of GLLP [8] to develop a new post-processing protocol. The security of the idealized QKD system has been proven in the past few years [9, 4, 5]. Now let us turn our attention to the experiment. Real setup is no longer ideal, but with imperfect sources, noisy channels and ine?cient detectors, which will a?ect the security of the QKD system. A weak coherent state is commonly used as the photon source, which is essentially a mixture of states with Poisson distribution of photon number. Thus, there is a nonzero probability to get a state with more than one photon. Then Eve may suppress the quantum state and keep one photon of the state that has more than one photon (commonly called multi photon, correspondingly, single photon denotes the state with only one photon). Moreover, Eve may block the single photon state, split the multi photon state and improve the transmission e?ciency with her superior technologies to compensate the loss of blocking single photon. Without the technology to identify

1. Introduction


the photon numbers, Alice and Bob have to pessimistically assume all the states lost in the transmission and detection are single photons. In this way, the secure expected photon number ? of the signal state is roughly given by, ? = O(η), which implies that the key generation rate R = O(η 2 ), details can be found in section 4 and Appendix A. The ine?ciency of the detector will also a?ect the security of the QKD system. There exists a so-called dark count in the realistic detectors, which will increase the error rate of detection especially when the transmission e?ciency is low. The dark count of a detector denotes the probability to get detection events when there is no input to the detector. Eve may use this imperfection to cover the error she introduces from her measurement of the single photon state. In the recent paper GYS [10], the authors conducted an experiment in which the single photon was transmitted over 120 km. The question is whether the QKD experiment reported in GYS is secure or not? Unfortunately, based on the prior art of post-processing scheme, it is insecure. GYS uses the expected photon number ? = 0.1 as the source, which will be defeated by so-called photon number splitting attack in long distance. All in all, there exists a gap between the theory and experiment. Here, we are attempting to bridge the theory and experiment. The key problem here is that Bob does not know whether his detection events come from: single photon, multi photon, or dark count. To solve this problem, we apply the idea of decoy state to learn the performance of single photon states. The decoy state here acts as a “scope” telling Alice and Bob which state comes from single photon, multi photon or dark count. Our result is signi?cant because it is a bridge between the theory and experiment of QKD. we extend the secure distance of the QKD system, increase the key generation rate substantially and maintain the major advantage of QKD — unconditional security. We improve the key generation rate from O(η 2) to O(η). Notice that such a key generation rate is the highest order that any QKD system can achieve. Our improvement is mainly based on an advanced theory. We do not require any enhancement of equipment but only turning up and down the source power, which is easy to implement with current technology. We notice that Koashi [11] has also proposed a method to extend the distance of secure QKD. It will be interesting to compare the power and limitations of our approach with that of Koashi.

1. Introduction


The outline of this report is as follows. In section 2 we will recall to the proof of the security of an idealized QKD system with entanglement distillation protocol (EDP). In section 3, we shall review a couple of widely used QKD setups and simulates them following [12]. In section 4, we shall investigate the former post-processing schemes with the simulation and point out the limitation of prior art. We ?nd out that the key generation rate R is O(η 2), where η is the overall transmission e?ciency. In section 5, we combine the idea of GLLP [8] and decoy state [6, 7], and improve the key generation rate from O(η 2 ) to O(η). In Appendix A, we discuss the choosing of the optimal expected photon number ?, which maximizes the key generation rate. In Appendix B, we introduce a practical way to perform weak decoy state, which is a key step of the decoy state method.


In this section we will recall the security proof of the idealized QKD with EDP [13, 3, 14, 4]. The security of BB84 scheme can be reduced to the security of the Entanglement Distillation Protocol (EDP) schemes [5]. In the EDP protocol, Alice creates n + m pairs of qubits, each in the state 1 |ψ = √ (|00 + |11 ), 2 the eigenstate with eigenvalue 1 of the two commuting operators X where X= 0 1 1 0 ,Z = 1 0 0 ?1 X and Z Z,

are the Pauli operators. Then she sends half of each pair to Bob. Alice and Bob sacri?ce m randomly selected pairs to test the error rates in the X and Z bases by measuring X X and Z Z. If the error rate is too high, they abort the protocol. Otherwise, they conduct the EDP, extracting k high-?delity pairs from the n noisy pairs. Finally, Alice and Bob both measure Z on each of these pairs, producing a k-bit shared random key about which Eve has negligible information. The protocol is secure because the EDP removes Eve’s entanglement with the pairs, leaving her negligible knowledge about the outcome of the measurements by Alice and Bob. A QKD protocol based on a CSS-like EDP can be reduced to a “prepare-andmeasure” protocol [5]. CSS code [15] conducts error correction to the bit error and the phase error separately. That is to say, CSS-like EDP deals with the error correction and privacy ampli?cation separately, which can be further improved by two-way communication [16]. Thus the residue of this data post-processing protocol is the so-called CSS rate,
CSS ηpost = 1 ? H2 (δb ) ? H2 (δp )


where δb and δp are the bit ?ip error rate and the phase ?ip error rate, and H2 (x) is binary Shannon information function, H2 (x) = ?x log2 (x) ? (1 ? x) log2 (1 ? x).

2. EDP schemes for QKD


In summary, there are two main parts of EDP, bit ?ip error correction (for error correction) and phase ?ip error correction (for privacy ampli?cation). These two steps can be understood as follows. First Alice and Bob apply bi-direction error correction, after which they share the same key strings but Eve may still keep some information about the key. Alice and Bob then perform the privacy ampli?cation to expunge Eve’s information from the key. The ?nal key will be secure if the privacy ampli?cation is successfully done in principle. That is Alice and Bob do not need to actually do the privacy ampli?cation but only ensure that this can be done. In practice, Alice and Bob can calculate the residue of the privacy ampli?cation and perform random hashing to get the ?nal key with high security.


To simulate a real-life QKD system, we need to model the source, channel and detector. In this section, we ?rst review the real experimental setup, and then simulate the QKD system following [12], at last verify the simulation with real experimental data.

3.1 QKD setup
Let us recall the principle of the so-called p&p auto-compensating setup [17, 18], where the key is encoded in the phase between two pulses trading from Bob to Alice and back (see Fig. 3.1). A strong laser pulse emitted from Bob is separated by a ?rst 50/50 beam splitter (BS). The two pulses impinge on the input ports of a polarization beam splitter (PBS), after having traveled through a short arm and a long arm, including a phase modulator (P MB ) and a delay line (DL), respectively. All ?bers and optical elements at Bob are polarization maintaining. The linear polarization is rotated by 90? in the short arm, therefore the two pulses exit Bob’s setup by the same port of the PBS. The pulses travel down to Alice, are re?ected on a Faraday mirror, attenuated, and come back orthogonally polarized. In turn, both pulses now take the other path at Bob and arrive at the same time at the BS where they interfere. Then, they are detected either in D1 , or after passing through the circulator (C) in D2 . Since the two pulses take the same path, inside Bob in reversed order, this interferometer is auto-compensated.[18] To implement the BB84 protocol, Alice applies a phase shift of 0 or π and π/2 or 3π/2 on the second pulse with P MA . Bob chooses the measurement basis by applying a 0 or π/2 shift on the ?rst pulse on its way back.[18] As for the free-space QKD system, the setup is easier. There are only encoded signals which come from Alice’s side to Bob’s, comparing with the p&p setup, the pulses traveling from Bob to Alice and back. In this sense, the free-space setup is closer to the original BB84 schemes. More details of this kind of QKD setup can be

3. Simulations for experiments


Fig. 3.1: Schematic of the p&p prototype. This ?gure comes from [18]

found in [19, 20, 21].

3.2 Modeling the real-life QKD system
Following prior papers such as [12], we simulate the p&p QKD system. The ?rst important parameter for the real-life QKD system is the key bit rate B between Alice and Bob. More explicitly, B is the number of exchanged key bits per second, given by B = νR, (3.1)

where ν is the repetition frequency in Alice’s side, and R is the key generation rate, i.e. the number of exchange bits per pulse, given by R = qpD ηpost , (3.2)

where q depends on the implementation (1/2 for the BB84 protocol, because half the time Alice and Bob disagree with the bases, and if one uses the e?cient BB84 protocol [22], one can have q ≈ 1), pD is the average number of signals per pulse detected by error correction and privacy ampli?cation, which is also discussed in section 2 Eq. (2.1). We will study pD in the following and discuss ηpost in the section 4 and 5. For optical ?bers, the losses in the quantum channel can be derived from the loss coe?cient α measured in dB/km and the length of the ?ber l in km. The channel transmission tAB can be expressed as tAB = 10? 10 . Let ηBob denote for the internal transmission tBob and detection e?ciency ηD in Bob’s side, given by ηBob = tBob ηD .

Bob, and ηpost denotes for the residue of data post-processing, i.e. the e?ciency of

3. Simulations for experiments


Then the overall transmission and detection e?ciency between Alice and Bob η is given by η = tAB ηBob . Bob to get a signal from his detector pD , is given by pD = pSignal + pdark ? pSignal pdark ? pSignal + pdark , = (3.4) (3.3) The average number of signals per pulse detected by Bob, i.e. the probability for

where we assume that the dark counts are independent of the signal photon detection. pdark and pSignal are the probabilities to get a dark count and to detect a photon originally emitted by Alice respectively. The dark count depends on the characteristics of the photon detectors. The e?ect of dark count will be signi?cant when η? is small which implies pSignal is small. It is necessary to point out that pdark is the overall dark count throughout the QKD system. Here we consider the p&p QKD setup, pdark is twice as large as dB because there are two sources of dark count, i.e. two detectors in the QKD system. Then the pdark is given by pdark = 2dB , where dB denotes the dark count of one detector. Normally, a weak coherent state is used as the signal source. Assuming that the phase of this signal is totally randomized, the number of photons of the signal state follows a Poisson distribution with a parameter ? as its expected photon number. In appendix B, we will discuss the optimal value of expected photon number ? which optimizes the key generation rate R. pSignal is given by

pSignal =

ηi ·

?i exp(??), i!


where ηi is the transmission e?ciency of i-photon state in a normal channel. It is reasonable to assume independence between the behaviors of the i photons. Therefore the transmission e?ciency of i-photon state ηi is given by ηi = 1 ? (1 ? η)i . Substitute (3.6) into (3.5), we have,


pSignal =

[1 ? (1 ? η)i ] ·

?i exp(??) i!


= 1 ? exp(?η?).

3. Simulations for experiments


We can divide pSignal into two parts pS and pM , which are the probabilities of single photon and multi photon states emitted from Alice’s side that are detected by Bob. Then (3.4) is given by, pD = pdark + pS + pM = pdark + 1 ? e?η? . (3.8)

The overall quantum bit error rate (QBER, denoted by δ) is an important parameter for error correction and privacy ampli?cation ηpost . QBER is equivalent to the ratio of the probability of getting a false detection to the total probability of detection per pulse. It comes from three parts: dark count, single photon and multi photon, δ=
1 p 2 dark

+ δS pS + δM pM , pD


where δS and δM denote the error rate of single and multi photon detection, respec1 tively. The dark counts occur randomly, thus the error rate of dark count is 2 .

Due to the high loss in the channel, the multi photon states arriving at Bob’s side always has only one photon left. Thus, we have the similar probability of erroneous detection for single photon and multi photon. The bit error rate δS and δM are given by, δM ? δS = edetector , = (3.10)

where edetector is the probability that a photon hit the erroneous detector. edetector characterizes the quality of the optical alignment of the polarization maintaining components and the stability of the ?ber link [18]. It can be measured with strong pulses, by always applying the same phases and measuring the ratio of the count rates at the two detectors. In our discussion, we neglect edetector ’s dependence of the ?ber length because the change of alignment during the transmission of a signal is very small. Substituting (3.10) into (3.9), QBER is given by, δ=
1 p 2 dark

+ edetector pSignal . pD


There is another important parameter for privacy ampli?cation, the ratio of single photon detection in overall detection events f1 which is de?ned by, f1 = pS . pD (3.12)

roughly gives the upper bound of the key generation rate.

Only the key extracted from the single photon state can be secure. Thus, f1 · pD

3. Simulations for experiments


3.3 Verify the simulation by QBER
Here we would like to verify the equations (3.11) by comparing the experimental result and our simulation. The parameters of the experimental setup are listed in Tab. 3.1. T8[23] Wavelength [nm] α [dB/km] tB [dB] edetector [%] dB [per slot] ηD [%] 830 2.5 8 1 5 × 10 50

G13[24] 1300 0.32 3.2 0.14 8.2 × 10 17

KTH[25] 1550 0.2 1 1 2 × 10 18

GYS[10] 1550 0.21 5* 3.3 8.5 × 10?7 12*

Tab. 3.1: Key parameters for p&p QKD experiment setup. * GYS gives out that ηBob = 0.045.

Fig. 3.2 shows QBER as a function of expected photon number ?. For ? valuing in the range 10?1 ? 10?4 , the QBER has a constant value of about 1% that is dominated by depolarization-induced errors edetector . These errors arise from dynamic depolarization that results from the ?nite extinction ratios of the various polarizing components in the system [23]. For ? < 10?4 the QBER rises as the dark counts falling within the detectors start to become the dominant contribution to the noise.
QBER as a function of expected photon number ?

0.1 0.09 Quantum Bit Error Rate 0.08 0.07 0.06 0.05 0.04 0.03 0.02 0.01 0 ?5 10
?4 ?3 ?2 ?1 0

Data come from T8 Fiber loss: 3dB Receiver connector loss: 8dB Detector efficiency: 50%


10 10 Expected photon number ?



Fig. 3.2: shows QBER as a function of input expected photon number using Eq. (3.11), reproducing T8’s Fig 3. The key parameters are, according to T8 [23], listed in Tab. 3.1, and the ?ber loss is 3dB (? 1.5km).

3. Simulations for experiments


Fig. 3.3 shows QBER as a function of transmission distance using Eq. (3.11). In the long distance (l > 100km, say), the QBER rises as the dark counts become the dominant contribution to the noise. Note the exponential dependence is due to the loss of photons in the propagation, referring to pSignal of Eq. (3.7). If stronger source (say, ? = 0.5) is used, QBER will be lower, especially in the long distance region.
QBER as a function of Transmission Distance 0.45 0.4 0.35 Quantum Bit Error Rate 0.3 0.25 0.2 0.15 0.1 0.05 0 Data come from GYS ?=0.1

3.3% 0 50 100 Transmission Distance [km] 150 200

Fig. 3.3: shows QBER as a function of the transmission distance, using the Eq. (3.11). This is a reproduction of FIG.3 in GYS’ paper [10]. The key parameters are, according to GYS [10], listed in Tab. 3.1. The expected photon number ? is 0.1.

From these veri?cations, we can see that the Eq. (3.11) ?ts the experiment well, so the simulation is accurate.


Now, we begin to examine the relationship between key generation rate R and the transmission distance with prior QKD data post-processing schemes. Two ideas in L¨ tkenhaus’ paper [12] and GLLP’s paper [8] are compared. Note that it is our new u work to calculate the key generation rate R with the experimental simulation using the idea of GLLP [8]. In both papers, the authors are going on the assumption that all of the photons that fail to arrive were emitted as single photons. Later, we will improve this point by introducing the decoy states scheme. Assuming that, p M = SM , (4.1)

where SM is the probability of emitting a multi photon state from Alice’s side, which is dependent on attribute of the source. Based on the Poisson distribution of the number of photons of the signal states, SM = 1 ? (1 + ?) exp(??). Another assumption used here is that all the error (QBER) comes from the single photon state. Then the error rate of single photon is given by, δS = δ . f1 (4.2)

For individual attacks, the residue of error correction and privacy ampli?cation can be given by [12], ηpost = max{f1 (1 ? log2 [1 + ? f (δ)H2 (δ), 0}, QBER given in equation (3.11), f1 is de?ned in (3.12). where f (δ) ≥ 1 is the e?ciency of error correction [26] listed in Tab. 4.1, δ is the We would like to explain the idea of GLLP’s [8] tagged state brie?y here. Notice the idea of tagged state is (perhaps implicitly) introduced by [27]. In principle, one 4δ δ ? 4( )2 ]) f1 f1 (4.3)

4. Our comparison of Prior Art Results



0.01 0.05



f(δ) 1.16 1.16 1.22 1.35
Tab. 4.1: The data come from [12]. The author used used the upper bounds for I(4) provided in [26].

can separate the tagged and untagged states, i.e. one can do random hashing for the privacy ampli?cation on the tagged state and untagged state separately. Therefore, the data post-processing can be performed as following. First, apply error correction to the overall states, sacri?cing a fraction H2 (δb ) of the key, which is represented in the ?rst term of formula (4.4). After correcting errors in the sifted key string, one can imagine executing privacy ampli?cation on two di?erent strings, the sifted key bits stagged arising from the tagged qubits and the sifted key bits suntagged arising from the untagged qubits. Since the privacy ampli?cation [8] is linear (the private key can be computed by applying the C2 parity check matrix to the sifted key after error correction), the key obtained is the bitwise XOR suntagged ⊕ stagged of keys that could be obtained from the tagged and untagged bits separately. If suntagged is private and random, then it doesn’t matter if Eve knows everything about stagged — the sum is still private and random. Therefore we ask if privacy ampli?cation is successful applied to the untagged bits alone. Thus, the residue after error correction and privacy ampli?cation can be expressed as, ηpost = max{?f (δ)H2 (δ) ? f1 (1 ? H2 ( δ )), 0}. f1 (4.4)

Here the single photon state is regarded as the untagged state and its error rate (δb = δp ) is given by (4.2). Based on (3.2), (4.3) and (4.4), according to Appendix B, the optimal expected photon number ?, which maximizes the key generation rate, is roughly given by, ? ≈ η, rate is given by, R = O(η?) = O(η 2). (4.6) (4.5)

where η is the overall transmission, de?ned in the (3.3). Therefore, the key generation

4. Our comparison of Prior Art Results


Now, use (4.5) as the expected photon number to calculate the key generation rate of two di?erent schemes by equation (4.3) and (4.4) with L¨ tkenhaus’ and GLLP’s u post-processing protocols. Fig. 4.1 shows the relationship between key generation rate and the transmission distance by one-way LOCC, comparing L¨ tkenhaus’ individual attack and GLLP’s u general attack case. From the Fig. 4.1, we can see that GLLP is only slightly worse than L¨ tkenhaus’, but GLLP deal with the general attack while L¨ tkenhaus’ result u u is restricted in individual attack. Our result shows that there seems to be little to be gained in restricting security analysis to individual attacks, given that the two papers—L¨ tkenhaus vs GLLP—gave very similar results. In other words, our view u is that one is better o? in considering unconditional security, rather than restricting one’s attention to a restricted class of attacks (such as individual attacks). Note that the key generation rate R of GYS with GLLP will strictly hit 0 at distance l = 34km.

The key generation rate as a function of distance Solid Line: GLLP Dashed: Lutkenhaus expected photon number: ?=η



10 Key generate rate




G13 10




T8 10







15 20 25 Transmission distance [km]




Fig. 4.1: shows the relationship between key generation rate and the transmission distance, comparing L¨tkenhaus’ individual attack and GLLP’s general attack case. The u key parameters are listed in Tab. 3.1. It is our new work to calculate the key generation rate R with the experiment simulation using the idea of GLLP [8].


So far as discussed, the prior art gives Eve many ideal advantages such as she can make the tagged state no error and no loss in the channel, however, this is not necessary. We can control Eve’s performance on tagged states by adding decoy states. “Control” does not mean limit the quantum or classical computation ability of Eve, but means we can detect Eve if she uses some eavesdropping strategies to enforce the tagged states.

5.1 The idea of decoy state
The decoy state method is proposed by Hwang [6] and further studied by [7]. The idea is that, by adding some decoy states, one can estimate the behavior of vacua, single photon states, and multi photon states individually. The key point is that, with the decoy state, Alice and Bob can gain photon number information which cannot be derived by today’s technologies directly. They can use this extra information to “detect” the behavior of states with di?erent photon numbers. Eve cannot distinguish whether the photon comes from signal state or decoy (δS , δM ) in the signal state will be the same as those in decoy state, ηi (Signal) = ηi (Decoy) δS (Signal) = δS (Decoy) δM (Signal) = δM (Decoy), where i = 1, 2, 3 · · · . state. Thus, the transmission e?ciency {ηi }, detection probabilities and error rates

Our decoy state method is quite di?erent from Hwang’s original one. Hwang uses

strong pulse as decoy state. We mainly follow [7]’s decoy idea, using vacua and very weak state as decoy states.

5. Decoy state method


5.2 Simulation with new assumption
With the decoy states, we can drop the “pessimistic” assumption (4.1). According to Poisson distribution of photon source, the single photon and multi photon detection probabilities are given by pS = η? exp(??)

(5.1) ?i ?? e i!

pM =

[1 ? (1 ? η)i ]


where ? is the expected photon number and η is the overall transmission and detection e?ciency, de?ned in (3.3). The transmission e?ciency of an i-photon state ηi is given by (3.6). We remark that the Eqs. (5.1) and (5.2) do not consider dark count contributions. In real-life, dark count contributions must be included. Therefore, following Eq. (3.4), we write down the total contribution (true signals plus dark counts) as follows, pdark = pdark e?? ? pS = pS + pdark ?e?? ? pM = pM + pdark [1 ? (1 + ?)e?? ] ?
1 and the error rate of dark count is still 2 , for single photon and multi photon, 1 pdark + edetector pS ? δS = 2 pdark + pS 1 pdark + edetector pM ? δM = 2 . pdark + pM

= 1 ? e?η? ? η?e?? ,



5.3 A way to perform decoy state
Here we would like to introduce a speci?c method to perform decoy state, which is proposed by [7]. There are three kind of signals Alice and Bob should perform. First, Alice and Bob can study the dark counts by using vacua as decoy states. Here we reasonably assume that the density matrix of dark counts is the identity matrix. Thus, in theory, they will detect the probability to get a signal pvacua and the D overall error rate δ vacua , pvacua = pdark = 2dB D 1 δ vacua = . 2 (5.5)

5. Decoy state method


They can measure pvacua and δ vacua via experimental methods and then compare D with the Eq.(5.5). If the experimental results match the Eq.(5.5), then keep going. Otherwise, they need to check out the QKD system setup, especially the detectors. Secondly, Alice and Bob can get the transmission and the bit ?ip error rate of the single photon state by using very weak coherent states as decoy states. With weak decoy state, according to (3.8) and (3.11), pweak and δ weak are given by, D pweak = pdark + pweak + pweak S M D δ


1 p 2 dark

+ δS pweak + δM pweak S M , weak pD


where the superscript weak denotes the value comes from weak decoy state. In appendix B, we will discuss the how to choose ?weak in practice. If the decoy state is weak enough, i.e. ?weak ? 1, at which value pweak M = O(?weak ) ? 1, pweak S we can neglect the multi photon terms in Eq.(5.6). After that we have pweak = pweak ? pdark , S D and substitute this formula into (5.3), (5.4), pweak = pweak ? pdark (1 ? ?weak e?? ?S D ? pweak ? pdark e??weak = D δweak pweak D ? = δS ?
weak 1 ? 2 pdark e?? pweak S weak


) (5.8)

where pdark can be derived from the Eq.(5.5), and pweak , δweak can be obtained from D the experiment. Thirdly, Alice and Bob perform the signal state, where the ?nal key is drawn from. The detection probability pD and QBER δ are given by (3.8) and (3.11).

5.4 Data post-processing
Here, we would like to discuss the data post-processing for QKD with the decoy state, mainly based on [8]. We can further extend the GLLP’s idea [8], as discussed in section 4, to more than one kind of tagged states case, i.e. several kinds of states with ?ag g. The procedure

5. Decoy state method


of data post-processing is similar, do the overall error correction ?rst and then apply the privacy ampli?cation to each case. At last the residue of error correction and privacy ampli?cation is given by, ηpost = max{?f (δb )H2 (δb ) +
g g pg [1 ? H2 (δp )], 0}


where one need to sum over all cases with ?ag g, pg is the probability of the case with
g ?ag g and δp is the phase ?ip error rate of the state with ?ag g

In order to combine the ideas of GLLP and Decoy, we should ?nd out all parameters for Eq. (5.9). There are three kind of states in the discussion, dark count, single photon, and multi photon. The multi photon state emitting out of the source can mixture of |00 + |11 and |00 ? |11 with the same probability. Thus the phase ?ip the bit ?ip error rate δb and phase ?ip error rate δp for dark count, single photon and multi photon in Tab. 5.1. Dark count δb δp
1 2 1 2

be expressed by |000 + |111 . After Eve gets the extra photon, the state will be a

error rate for multi photon will be 1 . In addition to the discussion in 5.2, we can list 2

Single Photon ? δS ? δS

Multi Photon ? δM
1 2

Tab. 5.1: Bit ?ip error rate and phase ?ip error rate for di?erent kinds of photon state.

Apply above idea, Eq. (5.9), to decoy states scheme with the parameters listed in Tab. 5.1. We get the formula for post-processing residue, ηpost = max{?f (δb )H2 (δb ) + pS ? ? [1 ? H2 (δS )], 0} pD (5.10)

? where pS and δS are given by (5.3), (5.4). Note that the dark count and multi photon ?
1 state have no contribution to the ?nal key with phase ?ip error rate δp = 2 . The ? reason why we use pS and δS here is that Bob cannot distinguish the detection event ?

from real signal or dark count. And substitute (5.10) into the equation (3.2), if the key generation rate is R > 0, 1 ? ? R = {?pD f (δ)H2 (δ) + pS [1 ? H2 (δS )]} 2 where δ is the overall QBER given in (3.11). (5.11)

5. Decoy state method


Through the analysis in Appendix B, we have, for the KTH [25] experimental setup,?Optimal ≈ 0.8 and for GYS [10], ?Optimal ≈ 0.5. Therefore, the key generation rate is given by, R = O(η?) = O(η) The result is shown in Fig.5.1.
10 10 10 Key generation rate 10 10 10 10 10 10


The key generation rate as a function of distance


GYS Upper bound using ?=1 Asymptotic line ignore the effect of dark count






GLLP without decoy state using ?=η

GLLP+Decoy using ?=0.5 Further improved by two?way LOCC






60 80 100 120 140 Transmission distance [km]




Fig. 5.1: shows the key generation rate as a function of the transmission distance, GLLP+Decoy Eq. (5.11). The key parameters are listed in Tab. 3.1 and f(e) is given by Tab. 4.1. We use linear regression for f(e).

Remarks for the ?gure: 1. The dashed line is the upper bound of the key generation rate. The key generation rate here is derived from the photon detection events of Bob that occur when Alice sends single photon signals. It is to say, Bob can distinguish dark count, single photon, and multi photon. In this way the upper bound of key generation rate is given by, Rmax = Q1 (1 ? H2 (edetector )). It is obvious that the optimal expected photon number for the upper bound is ? = 1. The gap between the upper bound and the decoy curve shows how much room is left for improvements of data post-processing. 2. The dotted line is the asymptotic line that neglects the in?uence of dark count,

5. Decoy state method


which is given by, RAsym = ? pD f (edetector )H2 (edetector ) + pS [1 ? H2 (edetector )] pD =1 ? exp(η?), 3. The “decoy” and “without decoy” line will hit zero at some points. This can be seen from the formula (5.11), R = 0 when, ? QSignal f (ESignal )H2 (ESignal ) + Q1 [1 ? H2 (δS )] ≤ 0. From the program (as shown in ?gure), when l = 144km for GLLP+Decoy, and l = 34km for GLLP, R will hit 0. 4. One can further improve the data post-processing protocol with two-way LOCC [16]. As shown in Fig.5.1, dashed curve outside of decoy curve, two-way LOCC improve the maximum distance by about 20 km. Compare the curves with and without decoy, we can ?nd that the advantages of decoy state are obvious, 1. The initial key generation rate (at zero distance) is substantially higher with decoy state than without. It is because a stronger source (higher ?) is used in the decoy state scheme. 2. At short distances, the key generation rate decreases with distance exponentially mainly due to exponential losses in the channel. The two curves, with and without decoy state behave like straight lines. Note that the initial slope without decoy is twice of that with decoy state. This is because without decoy state, R = O(η 2 ), while with decoy state, R = O(η) according to (4.6) and (5.12). 3. Suppose 10?6 is the cut-o? point for key generation rate. The two curves intercept the cut-o? point at rather di?erent locations (with decoy: 139 km, and without decoy: 31 km). For GYS, the distance is over 100km. It is comparable to the distance between ampli?ers in optical metropolitan area networks (MANs).

5. Decoy state method


Here, we would like to discuss the key bit rate B, which is di?erent from behavior with key generation rate R only with a constant, repetition frequency, according to Eq. (3.1). It is necessary to point out that there are two repetition frequencies in reallife setups: the source frequency νA , which is the limitation of signal source repetition at Alice’s side and the detection rate νB , which is the limitation of detector’s count rate in Bob’s side. There are two cases we should consider. First, when the overall transmission loss is not too large, the detection frequency νB limits the ?nal key bit rate, because we can complement the loss in the transmission through increasing the source frequency νA until reaches νA ’s maxima. In this case, B is simply given by, B = νB . Secondly, when the overall transmission loss is large, B is determined by the source rate νA . Then the key bit rate B is given by (3.1), B = νA R. We remark that the decoy state idea can also be used for free-space QKD setup [28]. The simulation of the setup will be similar.


In this report, we have presented a security proof of quantum cryptography against the general attack with real-life devices. We have formulated a method for estimating the key generation rate in the presence of realistic devices by combining the idea of decoy state and GLLP. The model has been applied to various real-life experimental setups. Based on recent experiment results, secure transmission distance of the QKD system can be up to 140 km. We have improved the key generation rate substantially. The main reason for this improvement is that with decoy state we can choose the expected photon number ? of source in the order of O(1), while without decoy state, ? = O(η). With the decoy state, a new data post-processing protocol is developed, which essentially comes from the idea of GLLP. We have also proposed a pratical way to ful?lls the ideal of decoy state as discussed in section 5.3 and Appendix B. In this sense, it can help to design the QKD procedure. Through the simulation, it is clearly shown that, in order to improve the transmission distance, one should reduce the dark count and ?ber loss in the channel; as for the aim of higher key bit rate, we should increase the detection repetition or reduce the errors in the transmission.


First I would like to thank Professor Hoi-Kwong Lo’s patient supervision. His direction is highly insightful and supportive. In the beginning, I modeled the experimental setup following the simulation of [12]. The discussion with Norbert L¨ tkenhaus is reu ally helpful. Then I compared GLLP and L¨ tkenhaus’s results with this simulation. u I was dissatis?ed with the poor maximum distance for the QKD system. I was struggling to “control” Eve’s behavior until Hoi-Kwong gave me his paper [7] about the decoy states. After I got this paper, I found that decoy state was the right way to “control” Eve’s behavior. More strictly, decoy state is a good way to “detect” behavior of state with di?erent photon numbers through the channel. All the ?gures are produced by the programs written in MatLab. I highly appreciate that Kai Chen reproduced all my programs and checked many versions of my report. I discussed with Bing Qi about the experimental data and setup and asked the authors of experiment [10] directly. I discussed about two-way LOCC with Daniel Gottesman. All of the above researchers are very supportive to my work. I thank helpful discussions with various colleagues including, Kai Chen, Daniel Gottesman, Norbert L¨ tkenhaus, and u Bing Qi. Finally, I would like to thank Ryan Bolen for his proof reading of this report. This report has been merged with [7] into a new paper [29].


In this section, we will discuss the choosing of the expected photon number ? for di?erent error correction and privacy ampli?cation schemes in section 4, 5. We will discuss the optimal ? generally and then work out reasonable value for each scheme. We would like to start with generic discussion. On one hand, we need to maximize the probability of single photon detection, which is the only source for the ?nal key. To achieve this point, we should maximize the single photon sources since transmission e?ciency is ?xed. Considering the real photon sources, according to Poisson distribution of the photon number, the single photon source reaches its maximum when ? = 1. On the other hand, we have to control the probability of multi photon detection to ensure the security of the system. On this side, we should keep the ? ≤ 1, because based on both points, the case of ? > 1 is always worse than the tagged states ratio (1 ? f1 ) small, which requires ? not too large. It follows that

case of ? = 1, And another parameter should be considered is the QBER δ, which is decrease when ? increases, according to the formulas (3.11). Therefore, intuitively we have that, ? ∈ (0, 1].

6.1 Without decoy state
Here, we would like to consider the case without decoy state, i.e. GLLP and L¨ tkenhaus’s u cases. A similar discussion is given in [12]. We desire to get an optimal value of ? that maximizes the key generation rate R with other parameters ?xed. The key parameters here are the overall transmission and detection e?ciency η, dark count dB , and the probability of erroneous detection edetector , which are speci?ed by various setups. In the R-distance ?gures, such as Fig. 4.1 and 5.1, the key generation rate drops roughly exponentially with the transmission distance before it starts to drop faster due to the increasing in?uence of the dark counts. The initial behavior is mainly due to the multi-photon component of the signals while the in?uence of the error-correction

6. Appendix A


part is small. In this regime we can bound the gain by the approximation 1 R ≤ (pSignal ? pM ) 2 1 = [(1 + ?) exp(??) ? exp(?η?)] 2 with the pessimistic assumption (4.1). This expression is optimized if we choose ? = ?Optimal , which ful?lls ?? exp(??) + η exp(?η?) = 0. Since for a realistic setup we expect that η? ? 1, we ?nd ηOptimal ≈ η. (6.1)

Now, we can use the numerical analysis to verify the formula (6.1). When we keep all parameters ?xed and vary the expected photon number ? of the signal, then we can use dichotomy method to ?nd out the ?Optimal , which maximizes the key generation rate by the formula (3.2) and (4.4). If we ?x the dark count dB and the probability of erroneous detection edetector , and vary the transmission e?ciency η we can draw the relationship between the optimal ?Optimal and η. The result is shown in Fig. 6.1, from which we can clearly see that the formula (6.1) is a good approximation.
The optimal ? as a function of η 0.2 0.18 The optimal expected photon number ? 0.16 0.14 0.12 0.1 0.08 0.06 0.04 0.02 0 0 0.02 0.04 0.06 0.08 0.1 0.12 0.14 0.16 The overall transmission efficiency η 0.18 0.2 y=x

Fig. 6.1: Optimal expected photon number ? as a function of transmission e?ciency η, with the parameters listed in Tab. 3.1, T8 [23]. Here, we use dichotomy method to search the region to get the optimal ? that maximizes the key generation rate (3.2) and (4.4).

6. Appendix A


6.2 With decoy state
In principle, with the decoy state, we can control the performance of tagged states. So ?Optimal should maximize the untagged states ratio f1 , as de?ned in (3.12). Thus, ?Optimal should be greater than (6.1). If we keep all parameters ?xed and vary the expected photon number of the signal, we can obtain a key generation rate curve with a clear maximum. The key generation rate is given by (5.11). We would like to start with numerical analysis on (5.11) directly. For each distance we ?nd out the optimal ? that maximizes the key generation rate. The result is shown in Fig. 6.2. The strange behavior of the curve around l = 125km is due to the linear regression of error correction e?ciency f(e) given in Tab. 4.1. Without f(e), the curve will be smooth. We can see that the optimal ? for GYS is around 0.5.
The optimal ? as a function of distance 0.505 0.5 The optimal expected photon number ? 0.495 0.49 0.485 0.48 0.475 0.47 0.465 0.46 0.455 0 10 20 30 40 50 60 70 80 90 100 110 120 130 140 150 Transmission Distance GYS using GLLP+Decoy to calculate the key rate for each distance point find out the optimal Mu

Fig. 6.2: Using numerical analysis to obtain the optimal key generation rate by the formula (5.11) and use the data GYS in Tab. 3.1, with parameters listed in Tab. 3.1.

Now, we would like to do analytical discussion under some approximation. We f (e) = 1. Then (5.3), (5.4), (3.8), (3.11) will be reduced to, pS ? pS = η?e?? ? = ? = δS ? δS = edetector pD ? pSignal = 1 ? e?η? = δ ? edetector = neglect the dark count, regard η ? 1, and consider the ideal error correction e?ciency

6. Appendix A


Substitute these formulas into Eq. (5.11), the key generation rate is given by, 1 R ≈ {?η?H2 (edetector ) + η?e?? [1 ? H2 (edetector )]} 2 The expression is optimized if we choose ? = ?Optimal which ful?lls, (1 ? ?) exp(??) = H2 (edetector ) . 1 ? H2 (edetector )

Then we can solve this equation and obtain that, ?KT H ≈ 0.8 Optimal ?GY S ≈ 0.5 Optimal where for KTH setup edetector = 1%, and for GYS edetector = 3.3%. Comparing two results we can see that numerical and analytical analysis are compatible.


In section 5.3 we use a weak decoy state. Here we would like to discuss how to perform decoy state method in practice. In decoy method, we require the weak decoy state to be “weak enough” i.e. its expected photon number ? ? 1. We can then neglect the multi photon term by considering the relationship (5.7). However, it is not practical for real experiment ? ? 1. since it will take a long time to get enough information from weak decoy state if Here we propose one possible solution for weak decoy state, using several (say m)

weak decoy states with expected photon number ?1 , ?2 , · · ·?m , instead of one. As

discussed in (5.5), one can estimate the dark count and its error rate accurately. Let us turn our attention to m weak decoy states. With the same argument of (5.6), we have,

pDj = pdark +


ηi ·

?i ??j j ·e i!


where j = 1, 2, · · ·, m denotes for the j-th weak decoy state. To solve Eq. (7.1), we are reduced to,

can neglect the high order (> m) terms which are of O(?m+1 ), and then Eq. (7.1)

p?1 D

i=0 m

ηi · ηi ·

?i ??1 1 ·e i! ?i ??2 2 ·e i!

p?2 = D


··· p?m D =



ηi ·

?i m · e??m i!

Now, one can solve m equations for {ηi }, i = 1, 2, 3, · · ·, m. The subsequent procedure ? is the same as the 5.3. One can use η = η1 to calculate pS and δS by (5.3) and (5.4). ? At last substitute the parameters into (5.11) to calculate the key generation rate.

7. Appendix B


How many decoy states should be applied, i.e. m =?, depends on how low expected photon number ?weak one can tolerate. Here, we would like to give out a couple of examples. Given that η = 10?4 , suppose that all m decoy states are in the same order. a) If one chooses ?weak = O(10?3) and m = 2, then the terms neglected are of O(10?9) and pS is in the term of O(η?) = O(10?7). Then it is reasonable to neglect the multi photon terms. b) If one chooses ?weak = O(10?2) and m = 3, then the high order terms neglected are of O(10?8) and pS is in the term of O(η?) = O(10?6). Then, one obtains pS and δS with precision of around 1%.


[1] C. H. Bennett and G. Brassard,“Quantum cryptography: public key distribution and coin tossing”, in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, IEEE press, 1984, p. 175. [2] A. K. Ekert, “Quantum cryptography based on Bell’s theorem”, Phys. Rev. Lett. vol. 67, p. 661, 1991. [3] D. Deutsch, A. Ekert, R. Jozsa, C. Macchiavello, S. Popescu, and A. Sanpera, “Quantum privacy ampli?cation and the security of quantum cryptography over noisy channels”, Phys. Rev. Lett., vol. 77, p. 2818, 1996. Also, [Online] Available: http://xxx.lanl.gov/abs/quant-ph/9604039. Erratum Phys. Rev. Lett. 80, 2022 (1998). [4] H.-K. Lo and H. F. Chau, “Unconditional security of quantum key distribution over arbitrarily long distances”, Science 283, 2050-2056 (1999). Also, [Online] Available: http://xxx.lanl.gov/abs/quant-ph/9803006. [5] P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol”, Phys. Rev. Lett., vol. 85, p. 441, 2000. Also, [*Online] Available: http://xxx.lanl.gov/abs/quant-ph/0003004. [6] W.-Y. Hwang, “Quantum Key Distribution with High Loss: Toward Global Secure Communication”, Phys. Rev. Lett. 91, 057901 (2003) [7] Hoi-Kwong Lo, “Quantum Key Distribution with Vacua or Dim Pulses as Decoy States”, unpublished manuscript and presentation at IEEE ISIT 2004. [8] D. Gottesman, H.-K. Lo, Norbert L¨ tkenhaus, and John Preskill,“Security of u quantum key distribution with imperfect devices”, quant-ph/0212066 (2004). [9] D. Mayers, “Unconditional security in Quantum Cryptography”, Issue 3, Jour-

nal of ACM, vol. 48,

p. 351-406. Also [Online] Available:



http://xxx.lanl.gov/abs/quant-ph/9802025.A preliminary version is D. Mayers, “Quantum key distribution and string oblivious transfer in noisy channels”, Advances in Cryptology-Proceedings of Crypto’ 96 (Springer-Verlag, New York, 1996), p. 343. [10] C. Gobby, Z. L. Yuan, and A. J. Shields, “Quantum key distribution over 122 km of standard telecom ?ber”, Applied Physics Letters, Volume 84, Issue 19, pp. 3762-3764, (2004) [11] M. Koashi, “Unconditional with strong security of coherent-state pulse, quantum on-line key at




http://xxx.lanl.gov/abs/quant-ph/0403131 [12] Norbert L¨ tkenhaus, “Security against individual attacks for realistic quantum u key distribution”, quant-ph/9910093 (2004) [13] C. H. Bennett, G. Brassard, S. Popescu, B. Schumacher, J. A. Smolin, and W. K. Wootters, “Puri?cation of noisy entanglement and faithful teleportation via noisy channels”, Phys. Rev. Lett. 76, 722-725 (1996), arXiv:quantph/9511027. Erratum: Phys. Rev. Lett. 78, 2031 (1997). [14] C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and W. K. Wootters, “Mixed state entanglement and quantum error correction”, Phys. Rev., vol. A54, 3824, 1996. [15] A. R. Calderbank and P. W. Shor, “Good quantum error correcting codes exist”, Phys. Rev. A, vol. 54, pp. 10981105, 1996. A. M. Steane, “Multiple particle interference and quantum error correction”, Proc. Roy. Soc. Lond. A, vol. 452, pp. 25512577, 1996. [16] D. Gottesman and H.-K. Lo, “Proof of security of quantum key distribution with two-way classical communications”, quant-ph/0105121 (2001). [17] Muller A, Herzog T, Huttner B, Tittel W, Zbinden H and Gisin N 1997 “Plug&play systems for quantum cryptography”, Appl. Phys. Lett. 70 793-5 [18] D Stucki, N Gisin, O Guinnard, G Ribordy and H Zbinden, “Quantum key distribution over 67 km with a plug&play system”, New Journal of Physics 4 (2002)



[19] W. T. Buttler, R. J. Hughes, P. G. Kwiat, G. G. Luther, G. L. Morgan, J. E. Nordholt, C. G. Peterson, and C. M. Simmons, “Free-space quantum key distribution”, quant-ph/9801006 (2004) [20] W.T. Buttler, R.J. Hughes, S.K. Lamoreaux, G.L. Morgan, J.E. Nordholt and C.G. Peterson, “Daylight quantum key distribution over 1.6 km”, Phys. Rev. Lett. 84, 24, (2000) [21] Kurtsiefer, C.; Zarda, P.; Halder, M.; Weinfurter, H.; Gorman, P. M.; Tapster, P. R.; Rarity, J. G., “A step towards global key distributin”, Nature 419, 450 (2002) [22] H.-K. Lo, H. F. Chau, and M. Ardehali, “E?cient Quantum Key Distribution Scheme And Proof of Its Unconditional Security”, available at http://arxiv.org/abs/quant-ph/0011056. [23] P. D. Townsend, IEEE Photonics Technology Letters 10, 1048 (1998). [24] G. Ribordy, J.-D. Gautier, N. Gisin, O. Guinnard, and H. Zbinden, preprint quant-ph/9905056. [25] M. Bourennane, F. Gibson, A. Karlsson, A. Hening, P.Jonsson, T. Tsegaye, D. Ljunggren, and E. Sundberg, Opt. Express 4, 383 (1999). [26] G. Brassard and L. Salvail, in Advances in Cryptology EUROCRYPT ’93, Vol. 765 of Lecture Notes in Computer Science, edited by T. Helleseth (Springer, Berlin, 1994), pp. 410-423. [27] H. Inamori, of N. L¨ tkenhaus, u Quantum and D. Mayers, “Unconditional available Seat





http://arxiv.org/abs/quant-ph/0107017 [28] Kurtsiefer, C.; Zarda, P.; Halder, M.; Weinfurter, H.; Gorman, P. M.; Tapster, P. R.; Rarity, J. G., “A step towards global key distributin”, Nature 419, 450 (2002) [29] Hoi-Kwong Lo, Xiongfeng Ma, Kai Chen “Decoy State Quantum Key Distribution”, to be published.


量子卫星 quantum satellite
(experiment on high-speed quantum key distribution from space to earth) 广域量子通信网络实验 (wide-area quantum communications network experiment) 星地量子...
Chau, H.F. :Unconditional Security of Quantum Key Distribution over Arbitarily Long Distances. Science.1999 V61283, 2050-2056 [8] Hughes, R.J., ...
[9] GOTTESMAN D,Lo H K,L TKENHAUS N,et al. Security of quantum key distribution with imperfect devices[J]. Quan- quantum cryptography network [J]....

All rights reserved Powered by 甜梦文库 9512.net

copyright ©right 2010-2021。