1: 

2: 

3: \documentclass[twocolumn,showpacs,preprintnumbers,amsmath,amssymb]{revtex4}

4: %\usepackage{acrofont}%NOTE: Comment out this line for the release version!

5: \usepackage{dcolumn}% Align table columns on decimal point

6: \usepackage{bm}% bold math

7: %\usepackage[colorlinks=true,linkcolor=blue]{hyperref}%

8: %\nofiles

9: \expandafter\ifx\csname package@font\endcsname\relax\else

10:  \expandafter\expandafter

11:  \expandafter\usepackage

12:  \expandafter\expandafter

13:  \expandafter{\csname package@font\endcsname}%

14: \fi

15: 

16: 

17: \usepackage{graphicx}   % need for figures

18: \usepackage{amsmath}    % need for subequations

19: 

20: 

21: % define some new commands

22: \newcommand{\bra}[1]{\mbox{$\langle #1 |$}}

23: \newcommand{\ket}[1]{\mbox{$| #1 \rangle$}}

24: 

25: \begin{document}

26: 

27: \title{Nonorthogonal decoy-state Quantum Key Distribution }% Force line breaks with \\

28: 

29: \author{Jing-Bo Li, and Xi-Ming Fang\footnote{corresponding author: Email: fxm601@yahoo.com.cn}}

30: 

31: \affiliation{%

32: Department of Physics, Hunan Normal University, Changsha 410081, People's Republic of China\\

33: }%

34: 

35: \date{\today}% It is always \today, today,

36:              %  but any date may be explicitly specified

37: 

38: 

39: \begin{abstract}

40: In practical quantum key distribution (QKD), weak coherent states

41: as the photon source have a limit in secure key rate and

42: transmission distance because of the existence of multiphoton

43: pulses and heavy loss in transmission line. The decoy-state method

44: and the nonorthogonal encoding protocol are two important weapons

45: to combat these effects. Here, we combine these two methods and

46: propose an efficient method that can substantially improve the

47: performance of QKD. We find a 78 km increase over the prior record

48: using the decoy-state method and a 123 km increase over the result

49: of the SARG04 protocol in transmission distance.

50: \end{abstract}

51: 

52: \pacs{03.67.Dd}% PACS, the Physics and Astronomy

53:                              % Classification Scheme.

54: %\keywords{Suggested keywords}%Use showkeys class option if keyword

55:                               %display desired

56: \maketitle

57: 

58: %\section*{Background}

59: Quantum key distribution (QKD)\cite{gisin,bene} allows two users,

60: Alice and Bob, to communicate in absolute security in the presence

61: of an eavesdropper, Eve. Unlike conventional cryptography, the

62: security of QKD is based on the uncertainty principle and the

63: noncloning theorem \cite{wz}. In other words, the measurement of

64: an unknown quantum state modifies the state itself. Thus, Eve

65: cannot gain any information on the key without introducing any

66: error in the correlations between Alice and Bob. However, in

67: practical implementations, an attenuated laser pulse (a weak

68: coherent state)is often used as the source. The existence of

69: multiple photon pulses, even though very rare, poses a serious

70: problem for the security of the protocol, especially in high lossy

71: channel. An eavesdropper (Eve) can in principle have the full

72: information of Bob's sifted key by using the

73: photon-number-splitting (PNS)attack \cite{higm,luken,lukenetc}:

74: Eve blocks all single-photon pulses and part of multi-photon

75: pulses and separates each of the remained multi-photon pulses into

76: two parts therefore each part contains at least one photon. She

77: keeps one part and sends the other part to Bob, through a lossless

78: channel.

79: 

80: Recently, two important methods have been proposed to overcome PNS

81: attacks. One is the decoy-state method firstly proposed by Hwang

82: \cite{Hwang}, and further studied by Wang \cite{Wang}, and also Lo

83: and co-workers \cite{lmc,mqzl}. Particularly, by combining the

84: idea of the entanglement distillation approach by Gottesman, Lo,

85: Lutkenhaus, and Preskill (GLLP) \cite{GLLP} with the decoy state

86: method, they achieved a formula for secure key generation rate

87: \cite{lmc}:

88: \begin{equation} \label{practicalkeyrate}

89:      S \geq q  \{-Q_{\mu}f(E_{\mu})H_2(E_{\mu})+Q_1[1-H_2(e_1)]\},

90: \end{equation}

91: where $q$ is the sifting efficiency depending on the

92: implementation (1/2 for the BB84 protocol, because half the time

93: Alice and Bob bases are not compatible), $Q_{\mu}$ and $E_{\mu}$

94: are the gain (i.e., counting rate \cite{Wang}) and quantum bit

95: error rate (QBER) of the signal state respectively, and can be

96: measured directly, $Q_1$ and $e_1$ are the gain and QBER of

97: single-photon states respectively, and can be estimated by using

98: decoy state method, $f(E_{\mu})$ is the error correction

99: efficiency \cite{cascade}, and $H_2$ is the binary Shannon

100: entropy, given by:

101: \begin{equation} \label{entropy}

102: H_2(x) =  -x\log_2(x)-(1-x)\log_2(1-x).

103: \end{equation}

104: The other is the nonorthogonal states encoding protocol proposed

105: by Scarani, Acin, Ribordy and Gisin (SARG04) \cite{SARG04}, which

106: uses exactly the same four states as in BB84 \cite{bene}, and only

107: the classical sifting procedure is different from BB84: instead of

108: revealing the basis, Alice announces publicly a pair of

109: nonorthogonal states. Thus, Eve needs at least three photons to

110: obtain full information. This means one can utilize the two-photon

111: part to generate a secure key. However, either the decoy state

112: method or the nonorthogonal states encode protocol has no further

113: security analysis on it.

114: 

115: In this paper, we first present a simple method that can study the

116: secure key generation rate when single-photon and two-photon

117: pulses are employed to generate secure key. The structure of the

118: paper is as follows. First, we derive a formula for secure key

119: generation rate, where two-photon part is included. Next we

120: present a simple method that will give a tight bound to $Q_0$,

121: $Q_1$, $e_1$, $Q_2$ (the gain of two-photon states)and $e_2$ (the

122: error rate of two-photon states) respectively. Then we present the

123: advantage of this new protocol at secure key generation rate and

124: transmission distance by comparing with the results in \cite{lmc}.

125: Finally, we discuss and conclude.

126: 

127: 

128: 

129: {\em Our new GLLP formula.} The secure generation rate must

130: include the two-photon part when we use SARG04 protocol. So we

131: need to modify Eq. \eqref{practicalkeyrate} to satisfy our

132: purpose.

133: 

134: {\bf Theorem} The key generation of an nonorthogonal encoding

135: scheme is given by:

136: \begin{equation}\label{newkeyrate}

137:  S \geq q  \{-Q_{\mu}H_2(E_{\mu})+Q_0+Q_1[ 1- H_2(e_1)]+Q_2[ 1-

138: H_2(e_2)]\},

139: \end{equation}

140: where $q$ is 1/4 for SARG04, and $Q_0$ is the gain of the vacuum

141: signals.

142: 

143: Now, let us prove it. According to the Csisz\'ar-K\"orner theorem

144: \cite{cktheorem}: if the mutual information Alice-Bob is larger

145: than either the mutual information Alice-Eve or Bob-Eve, then

146: Alice and Bob can distil a secret key. The secure key generation

147: in QKD satisfies

148: \begin{equation}\label{s}

149:   S \geq I(A:B)-I(B:E),

150: \end{equation}

151: where $I(A:B)$ and $I(B:E)$ are  mutual information of Alice-Bob

152: and Bob-Eve respectively, and are given by:

153: \begin{eqnarray}\label{mutualinf}

154:    I(A:B) &=& qQ_{\mu}(1-H_2(E_{\mu}))\\

155:    I(B:E) &=& q\{Q_1H_2(e_1) + Q_2H_2(e_2) + \sum_{n\geq 3}Q_n\},

156: \end{eqnarray}

157: where $Q_n$ is the gain of n-photon states, and q is 1/4 for

158: SARG04. The vacuum signals do not contribute to it at all because

159: of the mutual information of vacuum being zero. Here, we take the

160: most conservative assumption that Eve has all the information on

161: all tagged pulses (the parts for photon number $n \geq 3$) and

162: obtains full information stemming from the QBERs $e_1$ and $e_2$.

163: Combining Eq. \eqref{s} and $Q_{\mu}=\sum_{n\geq 0}Q_n$, we get

164: the result of our theorem. In fact Eq. \eqref{newkeyrate} can be

165: generalized from Lo's theorem \cite{lovacumm} directly if only

166: adding the secure generation rate of the two-photon part. As

167: discussed in \cite{lmc}, practical error correction protocols are

168: generally inefficient. Thus, the secure key generation rate for

169: practical protocols is given by:

170: \begin{eqnarray}\label{newrealkeyrate}

171:  S \geq q  \{-Q_{\mu}f(E_{\mu})H_2(E_{\mu})+Q_0+Q_1[ 1- H_2(e_1)]\nonumber \\

172:  +Q_2[ 1-H_2(e_2)]\}.

173: \end{eqnarray}

174: 

175: 

176: {\em The optimal secure key generation rate without decoy states.}

177: Although we have obtained the Eq. \eqref{newrealkeyrate} that can

178: calculate the  secure key generation rate for the SARG04 protocol,

179: we have to discard the it due to the presence of Eve. In this

180: case, Eve can block all single-photon pulses or all two-photon

181: pulses, she can get more information, so the worst secure key

182: generation rate is given by

183: \begin{equation}\label{worst}

184:  S_{worst} = \frac{1}{4}(-Q_{\mu}f(E_{\mu})H_2(E_{\mu})+Q_0+ \Omega Q_{\mu}[ 1-

185:  H_2(\frac{e}{\Omega})]),

186: \end{equation}

187: where $f(E_{\mu})=1$ for convenience, and $\Omega$, the fraction

188: of untagged photons, satisfies

189: \begin{equation}\label{upper}

190:  \Omega=1- \frac{(1+\mu+\mu^2/2)e^{-\mu}}{Q_{\mu}}.

191: \end{equation}

192: $S_{worst}$ is optimised if we choose $\mu=\mu_{optimal}$, which

193: fulfills

194: \begin{eqnarray}\label{optimalmu}

195:  \eta e^{-\eta \mu_{optimal}} = \frac{1}{2}\mu_{optimal}^2

196: e^{-\mu_{optimal}}.

197: \end{eqnarray}

198: Since for realistic setup we expect that $\eta\ll 1$, we find

199: $\mu_{optimal} \approx \sqrt{2\eta}$.

200: 

201: 

202: 

203: {\em The lower bound of the secure key generation rate with decoy

204: states.} A verified lower bound of secure key generation rate can

205: be obtained by using decoy-state method. This method is dependent

206: on the real-world QKD protocols deeply. In practical

207: implementations, a weak coherent state (i.e., a dephased coherent

208: state) is a mixed state of

209: \begin{equation}\label{density}

210: \rho=\int\frac{d\theta}{2\pi}\ket{\sqrt{\mu}

211: e^{i\theta}}\bra{\sqrt{\mu} e^{i\theta}}=\sum_nP_n(\mu)\ket{\mu}

212: \bra{\mu},

213: \end{equation}

214: where $P_n(\mu)=\frac{\mu^ne^{-\mu}}{n!}$ and $\mu$ is the mean

215: photon number. The gain, $Q_{\mu}$, and QBER, $E_{\mu}$, are given

216: by

217: \begin{eqnarray} \label{Decoy:QSingal}

218: Q_{\mu} &=& \sum_{n \geq 0}Q_n\\

219: Q_{\mu}E_{\mu} &=&  \sum_{n \geq 0}Q_ne_n

220: \end{eqnarray}

221: and $Q_n=Y_nP_n(\mu)$, where $e_n$ and $Y_n$ are respectively the

222: error rate and yield of the n-photon state. In the normal case

223: that there is no eavesdropper, $Q_{\mu}$ and $E_{\mu}$ are given

224: by \cite{mqzl}:

225: \begin{eqnarray} \label{normalqe}

226: Q_{\mu} &=& Y_0 + 1 - e^{-\eta\mu},\\

227: Q_{\mu}E_{\mu} &=&  e_0Y_0 + e_{det}(1-e^{-\eta\mu}),

228: \end{eqnarray}

229: where $e_{det}$ is the probability that a photon hit the erroneous

230: detector, $\eta$ is the overall transmission probability of a

231: photon.

232: 

233: In the presence of an eavesdropper, Eve, we can use the

234: decoy-state method to detect Eve's attacks. The essence of decoy

235: state idea is that Eve cannot distinguish the decoy state from the

236: signal state. So the signal state and the decoy state have the

237: same values for the yield, $Y_n$, and QBER, $e_n$. In order to

238: achieve the unconditional security of QKD with the key generation

239: rate given by Eq. \eqref{newrealkeyrate}, we must consider now how

240: to use the decoy state idea to estimate $Q_0$, $Q_1$, $e_1$, $Q_2$

241: and $e_2$. A similar problem for orthogonal encoding protocols has

242: been analyzed explicitly by Lo and his co-workers in \cite{mqzl}.

243: Here we exploit their method to solve the question in

244: nonorthogonal protocols.

245: 

246: For simplicity, we propose a specific protocol that uses only four

247: decoy states: vacuum and three weak decoy states. The vacuum can

248: be used to estimate the background rate,

249: \begin{eqnarray} \label{y0e0}

250: Y_0=Q_{vacuum}, \nonumber\\

251: e_0=E_{vacuum}=\frac{1}{2}.

252: \end{eqnarray}

253: The dark counts occur randomly; thus the error rate of the the

254: dark count is $1/2$. The signal and three decoy states with

255: expected numbers $\mu$, $\nu_1$, $\nu_2$ and $\nu_3$ satisfy

256: \begin{eqnarray} \label{munv}

257: 0<\nu_3<\nu_2\leq \frac{2}{3}\mu<\nu_1\leq \frac{3}{4} \mu, \nonumber\\

258: \nu_1+\nu_2>\mu,\nonumber\\

259: \nu_2+\nu_3<\mu.

260: \end{eqnarray}

261: Alice and Bob will get the following gains and QBERs for signal

262: state and these three decoy states:

263: \begin{equation}\label{Decoy:SigDecoym}

264: \begin{aligned}

265: Q_{\mu}e^{\mu} &= Y_0+Y_1\mu+\frac{Y_2\mu^2}{2}+\sum_{i=3}^{\infty} Y_i\frac{\mu^i}{i!}, \\

266: E_{\mu}Q_{\mu}e^{\mu} &= e_0Y_0+e_1Y_1\mu+\frac{e_2Y_2\mu^2}{2}+\sum_{i=3}^{\infty} e_iY_i\frac{\mu^i}{i!}, \\

267: Q_{\nu_1}e^{\nu_1} &= Y_0+Y_1\nu_1+\frac{Y_2\nu_1^2}{2}+\sum_{i=3}^{\infty}Y_i\frac{\nu_1^i}{i!},  \\

268: E_{\nu_1} Q_{\nu_1} e^{\nu_1} &= e_0Y_0+e_1Y_1\nu_1+\frac{e_2Y_2\nu_1^2}{2}+\sum_{i=3}^{\infty}e_iY_i\frac{\nu_1^i}{i!}, \\

269: Q_{\nu_2}e^{\nu_2} &= Y_0+Y_1\nu_2+\frac{Y_2\nu_2^2}{2}+\sum_{i=3}^{\infty}Y_i\frac{\nu_2^i}{i!},  \\

270: E_{\nu_2} Q_{\nu_2} e^{\nu_2} &= e_0Y_0+e_1Y_1\nu_2+\frac{e_2Y_2\nu_2^2}{2}+\sum_{i=3}^{\infty}e_iY_i\frac{\nu_2^i}{i!}, \\

271: Q_{\nu_3}e^{\nu_3} &= Y_0+Y_1\nu_3+\frac{Y_2\nu_3^2}{2}+\sum_{i=3}^{\infty}Y_i\frac{\nu_3^i}{i!},  \\

272: E_{\nu_3} Q_{\nu_3} e^{\nu_3} &=

273: e_0Y_0+e_1Y_1\nu_3+\frac{e_2Y_2\nu_3^2}{2}+\sum_{i=3}^{\infty}e_iY_i\frac{\nu_3^i}{i!}.

274: \end{aligned}

275: \end{equation}

276: 

277: Alice and Bob can estimate the lower bound of $Y_1$ and the upper

278: bound of $e_1$ from Eq. \eqref{Decoy:SigDecoym} by using  decoy

279: states $\nu_2$ and $\nu_3$ . The lower bound of $Y_1$ is given by

280: \begin{eqnarray} \label{y1}

281: &Q_{\nu_2}e^{\nu_2}-Q_{\nu_3}e^{\nu_3}= Y_1(\nu_2-\nu_3)+\sum_{i\geq 2}\frac{Y_i}{i!}(\nu_2^i-\nu_3^i)\nonumber\\

282: &\leq Y_1(\nu_2-\nu_3)+\frac{\nu_2^2-\nu_3^2}{\mu^2}\sum_{i\geq 2}\frac{Y_i\mu^i}{i!}\nonumber\\

283: &=Y_1(\nu_2-\nu_3)+\frac{\nu_2^2-\nu_3^2}{\mu^2}(Q_{\mu}e^{\mu}-Y_0-Y_1\mu).

284: \end{eqnarray}

285: Here,in order to prove the inequality in Eq. \eqref{y1}, we have

286: made use of the inequality that $a^i-b^i\leq a^2-b^2$ whenever

287: $0<b<a\leq \frac{2}{3}$, and $i\geq 2$. The last equality sign

288: holds in the in Eq. \eqref{y1} if and only if Eve raises the yield

289: of two-photon states and blocks all the states with photon number

290: greater than $2$. In fact Eve will not take this tactics because

291: she cannot achieve full information on two-photon state. The upper

292: bound of $e_1$ is given by

293: \begin{eqnarray} \label{e1}

294: &E_{\nu_3} Q_{\nu_3} e^{\nu_3} = e_0Y_0+e_1Y_1\nu_3+\sum_{i=2}^{\infty}e_iY_i\frac{\nu_3^i}{i!} \nonumber\\

295: &\geq e_0Y_0+e_1Y_1\nu_3.

296: \end{eqnarray}

297: By solving Eq. \eqref{y1} and Eq. \eqref{e1}, the lower bound of

298: $Y_1$ and upper bound of $e_1$ are given by

299: \begin{eqnarray} \label{lowery1}

300: Y_1 &\geq &  Y_1^{L}

301: \nonumber\\

302: &=&\frac{\mu^2(Q_{\nu_2}e^{\nu_2}-Q_{\nu_3}e^{\nu_3})-(\nu_2^2-\nu_3^2)(Q_{\mu}e^{\mu}-Y_0)}{\mu^2(\nu_2-\nu_3)(\mu-\nu_2-\nu_3)},\nonumber\\

303: e_1&\leq & e_1^U=\frac{E_{\nu_3} Q_{\nu_3}

304: e^{\nu_3}-e_0Y_0}{Y_1^{L}\nu_3}.

305: \end{eqnarray}

306: Then, according $Q_1=Y_1P_1(\mu)$, the gain of single-photon

307: states is given by

308: \begin{eqnarray} \label{lowerq1}

309: Q_1&\geq & Q_1^L=Y_1^L\mu e^{-\mu}.

310: \end{eqnarray}

311: 

312: Next, Alice and Bob can estimate the lower bounds of $Y_2$ and the

313: upper bound of $e_2$ respectively by using  decoy states $\nu_1$,

314: $\nu_2$ and $\nu_3$ from Eq. \eqref{Decoy:SigDecoym} under

315: conditions Eq. \eqref{munv}. The lower bound of $Y_2$ is given by

316: \begin{eqnarray} \label{y2}

317: &Q_{\nu_1}e^{\nu_1}-Q_{\nu_2}e^{\nu_2}\nonumber\\

318: &= Y_1(\nu_1-\nu_2)+\frac{Y_2}{2}(\nu_1^2-\nu_2^2)+\sum_{i\geq 3}\frac{Y_i}{i!}(\nu_1^i-\nu_2^i)\nonumber\\

319: &\leq Y_1(\nu_1-\nu_2)+\frac{Y_2}{2}(\nu_1^2-\nu_2^2)+\frac{\nu_1^3-\nu_2^3}{\mu^3}\sum_{i\geq 3}\frac{Y_i\mu^i}{i!}\nonumber\\

320: &=Y_1(\nu_1-\nu_2)+\frac{Y_2}{2}(\nu_1^2-\nu_2^2)\nonumber\\

321: &+\frac{\nu_1^3-\nu_2^3}{\mu^3}\sum_{i\geq 3}(Q_{\mu}e^{\mu}-Y_0-Y_1\mu-\frac{Y_2\mu^2}{2})\nonumber\\

322: &=\frac{Y_2}{2}(\nu_1^2-\nu_2^2)+\frac{\nu_1^3-\nu_2^3}{\mu^3}\sum_{i\geq

323: 3}(Q_{\mu}e^{\mu}-Y_0-\frac{Y_2\mu^2}{2}).

324: \end{eqnarray}

325: In order to prove the inequality in Eq. \eqref{y2}, we have made

326: use of the inequality that $a^i-b^i\leq a^2-b^2$ whenever

327: $0<b<a\leq \frac{3}{4}$, and $i\geq 3$. The last equality sign

328: holds in Eq. \eqref{y2} if and only if Eve raises the yield of

329: three-photon states and blocks all the states with photon number

330: greater than $3$. In addition, to obtain the last sign equality in

331: Eq. \eqref{y2}, we have let $\nu_1$ and $\nu_2$ satisfying

332: \begin{equation}\label{nu12}

333: \nu_1-\nu_2-\frac{\nu_1^3-\nu_1^3}{\mu^2}=0.

334: \end{equation}

335: The upper bound of $e_2$ is given by

336: \begin{eqnarray} \label{e2}

337: &E_{\nu_3} Q_{\nu_3} e^{\nu_3} = e_0Y_0+e_1Y_1\nu_3+\frac{e_2Y_2\nu_3^2}{2}+\sum_{i=3}^{\infty}e_iY_i\frac{\nu_3^i}{i!} \nonumber\\

338: &\geq e_0Y_0+\frac{e_2Y_2\nu_3^2}{2}.

339: \end{eqnarray}

340: By solving Eq. \eqref{y2} and Eq. \eqref{e2}, the lower bound of

341: $Y_2$ and $Q_2$ and upper bound of $e_2$ are given by

342: \begin{eqnarray} \label{lowery2}

343: Y_2 &\geq &  Y_2^{L}

344: \nonumber\\

345: &=&\frac{2\mu(Q_{\nu_1}e^{\nu_1}-Q_{\nu_2}e^{\nu_2})-2(\nu_1-\nu_2)(Q_{\mu}e^{\mu}-Y_0)}{\mu(\nu_1-\nu_2)(\nu_1+\nu_2-\mu)},\nonumber\\

346: Q_2 &\geq & Q_2^{L}=\frac{Y_2^{L}\mu^2 e^{-\mu}}{2} ,\nonumber\\

347: e_2&\leq & e_2^U=\frac{2E_{\nu_3} Q_{\nu_3}

348: e^{\nu_3}-2e_0Y_0}{Y_2^{L}\nu_3^2}.

349: \end{eqnarray}

350: 

351: Now, the lower bound of the secure key generation rate, according

352: to Eq. \eqref{newrealkeyrate}, is given by:

353: \begin{eqnarray}\label{lowerRate}

354:  S^L = q  \{-Q_{\mu}f(E_{\mu})H_2(E_{\mu})+Q_0+Q_1^L[ 1- H_2(e_1^U)]\nonumber \\

355:  +Q_2^L[ 1-H_2(e_2^U)]\},

356: \end{eqnarray}

357: where $Q_0=Y_0e^{-\mu}=Q_{vacuum}e^{-\mu}$. Comparing our result

358: (given in Eq. \eqref{newrealkeyrate}) with the prior result in

359: \cite{mqzl}(given in Eq. \eqref{practicalkeyrate}), we see that

360: the main difference is that in our result, two additional terms,

361: $Q_0$ and $Q_2^L[ 1-H_2(e_2^U)]$, can also generate secure keys.

362: To fix the ideas, we will compare our protocol with the SARG04

363: protocol and BB84 protocol according Eqs. \eqref{newrealkeyrate}

364: \eqref{worst} and \eqref{practicalkeyrate} respectively in the

365: following paragraph.

366: 

367: 

368: \begin{figure}%[hbt]

369: \centering \resizebox{8cm}{!}{\includegraphics{decoy.eps}}

370: \caption{(a)The optimal secure generation rate for SARG04 protocol

371: without decoy states, (b)The optimal secure generation rate for

372: BB84 protocol with decoy states ($\mu=0.48$), (c) The secure

373: generation rate for our protocol by using the formula

374: \eqref{lowerRate}($\mu=0.48$), (d) The secure generation rate for

375: our protocol by using the formula \eqref{lowerRate} ($\mu=0.30$).

376: The parameters is given according to experiment GYS \cite{GYS}:

377: $\alpha=0.21dB/km$, $e_{det}=3.3\%$, $Y_0=1.7\times 10^{-6}$, and

378: the detection efficiency of Bob's setup $\eta_Bob=0.045$.

379: $f(E_{\mu})=1.22$.} \label{fig1}

380: \end{figure}

381: 

382: For simplicity, We only consider the asymptotic case (i.e. omit

383: statical fluctuations of $Q_n$ and $e_n$). By using the GYS

384: \cite{GYS} experiment as an example, the result shows in Fig.~1.

385: The curve (a) is the optimal secure generation rate for SARG04

386: protocol without decoy states achieved by using Eq. \eqref{worst}.

387: The curve (b) is a simple repeat of Ref. \cite{lmc} for BB84

388: protocol with decoy states. We note that our protocol is better

389: than both SARG04 protocol without decoy states and Lo's protocol

390: at any distance. The maximal distances of the three protocols are

391: 220, 142, and 97 km respectively. Theoretically, we can achieve a

392: longer transmission distance with our method when we decrease the

393: value of $\mu$. In these cases, however, the weak decoy state

394: method cannot work efficiently due to the statical fluctuations.

395: 

396: In summary, we have proposed an efficient and feasible

397: nonorthogonal decoy-state protocol to do QKD over very lossy

398: channel. we have clearly demonstrated how to estimate the lower

399: bound of the secure key generation rate in this new protocol. Our

400: result shows that, the combination of decoy state method and

401: nonorthogonal states encoding protocol can make great progress at

402: the secure key generation rate. Our protocol can be realized

403: easily because it is the same as Lo's protocol in operation.

404: 

405: 

406: %\section *{Acknowledgements}

407: J.-B.Li thanks Xiongfeng Ma for his kind help with numerical

408: calculations. This work is supported by Scientific Research Fund

409: of Hunan Provincial Education Department No. 03c213.

410: 

411: \begin{thebibliography}{99}

412: 

413: \bibitem{gisin} N. Gisin, G. Ribordy, W. Tittel, \& H. Zbinden,

414: %Quantum Cryptography,

415:  Rev. Mod. Phys. {\bf 74}, 145 (2002).

416: 

417: \bibitem{bene} C. H. Bennett, \& G. Brassard,

418: %Quantum cryptography: Public key distribution and coin tossing,

419: {\it Proceedings of IEEE International Conference on Computers,

420: Systems, and Signal Processing},  IEEE, 1984, pp. 175-179.

421: 

422: \bibitem{wz} W. K. Wootters and W. Zurek, Nature (London) {\bf 299}, 802

423: %A single quantum cannot be cloned,

424: ( 1982).

425: 

426: \bibitem{higm} B. Huttner, N. Imoto, N. Gisin, and T.Mor, Phys. Rev. A {\bf

427: 51}, 1863 (1995).

428: 

429: \bibitem{luken} N. L\"{u}tkenhaus,  Phys. Rev. A {\bf 61}, 052304,

430: (2000).

431: 

432: \bibitem{lukenetc} G. Brassard, N. L\"{u}tkenhaus, T. Mor, and B. C. Sanders,

433: Phys. Rev. Lett. {\bf 85}, 1330 (2000); N. L\"{u}tkenhaus, and M.

434: Jahma, New. J. Phys. {\bf 4}, 44 (2002).

435: 

436: \bibitem{Hwang} W.-Y. Hwang,

437: %Quantum Key Distribution with High Loss: Toward Global Secure Communication,

438: Phys. Rev. Lett. {\bf 91}, 057901 (2003).

439: 

440: \bibitem{Wang} X.-B. Wang, Phys. Rev. Lett. {\bf 94}, 230503

441: (2005); X.-B. Wang, Phys. Rev. A {\bf 72}, 012322 (2005).

442: 

443: \bibitem{lmc} H.-K. Lo, X.-F. Ma, and K. Chen, Phys. Rev. Lett. {\bf

444: 94}, 230504 (2005).

445: 

446: \bibitem{mqzl} X.-F. Ma, B. Qi, Y. Zhao, and H.-K. Lo, Phys. Rev.

447: A {\bf 72}, 012326 (2005).

448: 

449: \bibitem{GLLP} D. Gottesman, H.-K. Lo, N. L\"{u}tkenhaus, \& J. Preskill,

450: %Security of quantum key distribution with imperfect Devices,

451:  Quantum Info. and Comp. {\bf 4}, No.5 (2004) 325-360.

452: 

453: \bibitem{cascade} G. Brassard, \& L. Salvail,

454: {\it Advances in Cryptology, Eurocrypt' 93 Proceedings} (1993),

455: pp. 410-423.

456: 

457: \bibitem{SARG04} V. Scarani, A. Ac\'in, G. Ribordy, and N. Gisin,  Phys. Rev. Lett. {\bf

458: 92}, 057901 (2004).

459: 

460: \bibitem{cktheorem} I. Csisz\'ar and J. K\"orner, IEEE Trans.Inf. Theory {\bf

461: IT-24}, 339 (1978).

462: 

463: \bibitem{lovacumm} H.-K. Lo, quant-ph/0503004.

464: 

465: \bibitem{GYS} C. Gobby, Z. L. Yuan, \& A. J. Shields,

466: %Quantum key distribution over 122 km of standard telecom fiber,

467: Appl. Phys. Lett. {\bf 84}, 3762 (2004).

468: 

469: 

470: \end{thebibliography}

471: 

472: %\pagebreak

473: 

474: \end{document}

475: