0608:quant-ph0608001/SecurityAnalysis13.tex

1: \documentclass[journal,letterpaper, preprint]{IEEEtran}

2:

3: % the package

4: \usepackage[dvips]{graphicx} % for figures

5: \usepackage{amsfonts}

6: \usepackage{amscd}

7: \usepackage{amsmath}    % need for subequations

8:

9:

10:

11: \begin{document}

12:

13: % title

14: \title{Unconditional security at a low cost}

15: % author

16: \author{Xiongfeng Ma \\

17: %\email{xima@physics.utoronto.ca}

18: %\affiliation{%

19: %\authorblockA{%

20: Center for Quantum Information and Quantum Control,\\

21: Department of Physics, University of Toronto, Toronto, Ontario, Canada\\

22: }

23:

24:

25:

26:

27: \maketitle

28:

29: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

30: % Abstract

31: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

32: \begin{abstract}

33: By simulating four quantum key distribution (QKD) experiments and

34: analyzing one decoy-state QKD experiment, we compare two data

35: post-processing schemes based on security against individual attack

36: by L\"{u}tkenhaus, and unconditional security analysis by

37: Gottesman-Lo-L\"{u}tkenhaus-Preskill. Our results show that these

38: two schemes yield close performances. Since the Holy Grail of QKD is

39: its unconditional security, we conclude that one is better off

40: considering unconditional security, rather than restricting to

41: individual attacks.

42: \end{abstract}

43:

44:

45:

46:

47:

48: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

49: % Introduction

50: \section{Introduction}

51: Quantum key distribution (QKD) \cite{BB_84,Ekert_91} allows two

52: parties, a transmitter Alice and a receiver Bob, to create a random

53: secret key even when the channel is accessible to an eavesdropper,

54: Eve. The security of QKD is built on the fundamental laws of physics

55: in contrast to existing classical public key encryption schemes that

56: are based on unproven computational assumptions. The unconditional

57: security of the idealized QKD system has been proven in the past

58: decade \cite{Mayers_01,LoChauQKD_99,ShorPreskill_00,GRTZ_02}.

59:

60: In Shor-Preskill's proof \cite{ShorPreskill_00}, two steps of data

61: post-processing, error correction and privacy amplification, need to

62: be performed in order to distill a secret key. Error correction

63: ensures that Alice and Bob share an identical key, while privacy

64: amplification removes Eve's information about the final key. Alice

65: and Bob can simply estimate the quantum bit error rate (QBER) by

66: error testing and then perform error correction. Privacy

67: amplification, on the other hand, requires the phase error rate

68: which cannot be measured directly without a quantum computer. When

69: an idealized QKD system is used, due to the symmetry of BB84, one

70: can assume the phase error rate to be the same as the QBER

71: \cite{ShorPreskill_00}. However, any real QKD setup is not ideal but

72: with imperfect sources, noisy channels and inefficient detectors,

73: which will affect the security. To do security analysis, we should

74: take these effects into consideration.

75:

76: A few theoretical works have been done to deal with the imperfect

77: devices, such as

78: \cite{MayersYao_98,IndividualAttack_00,BLMS_00,FGSZ_01,ILM_01,KoashiPreskill_03,GLLP_04}.

79: We will compare L\"{u}tkenhaus' analysis \cite{IndividualAttack_00}

80: which deals with individual attacks and

81: Gottesman-Lo-L\"{u}tkenhaus-Preskill (GLLP) \cite{GLLP_04}

82: unconditional security proof. For convenience, we name the data

83: post-procesing schemes, based on these two security analyses, after

84: L\"{u}tkenhaus and GLLP.

85:

86: %Decoy sates QKD has theoretically \cite{Hwang_03,Decoy_05} and

87: %experimentally \cite{ZQMKQ_06} been shown to be able to

88: %substantially improve the performance of QKD with a coherent light

89: %source. A few practical decoy states protocols have been proposed

90: %\cite{Wang_05,Wang2_05,Practical_05,HEHN_05,CT_06}. We will give a

91: %data post-processing scheme for decoy state QKD.

92:

93: Meanwhile, many QKD experiments

94: \cite{BBBSS_92,Townsend_98,RGGGZ_98,BGKHJTLS_99,GYS_04} have been

95: performed in the past decade. Experimentalists sometimes use the

96: QBER as the only criterion for the security of QKD.

97: %This may be due to

98: %the fact that many security proof papers use tolerable QBERs as

99: %security criteria. These security proofs always underly that

100: %idealized QKD setups are used.

101: However, after taking the imperfections into consideration, this

102: kind of security analysis is incomplete. In fact, due to

103: photon-number splitting (PNS) attacks

104: \cite{HIGM_95,BLMS_00,LutkenhausJahma_02}, Eve can successfully

105: break down the security even when the QBER is 0\%.

106:

107: Decoy states have been proposed as a useful method for substantially

108: improving the performance of QKD with coherent sources

109: \cite{Hwang_03}. The security proof of decoy-state QKD is given in

110: Ref.~\cite{Decoy_05}. Afterwards, some practical decoy-state

111: protocols are proposed \cite{Wang_05,HEHN_05,Practical_05}.

112: Recently, a few decoy-state QKD experiments have been performed

113: \cite{ZQMKQ_06,ZQMKQ60km_06,PanDecoy_06,LosAlamosTES_06}. In this

114: paper, we will consider both decoy-state and non-decoy-state cases.

115:

116: %On the other hand, if Alice and Bob carefully analyze the background

117: %counts, it is possible to get a secure key when decoy states are

118: %employed even when the QBER is higher than 25\% \cite{BBL_05}.

119:

120: %Bennett-Brassard-84 (BB84) is a most widely used QKD protocol. The

121: %following discussions will focus on this type of QKD. We remark that

122: %the arguments apply to other protocols, such as six-state QKD

123: %\cite{sixstate_98}.

124:

125: The goal of this paper is to compare the two standard security proof

126: results---L\"utkenhaus and GLLP. We find that for realistic

127: experimental parameters, with or without decoy states, the two

128: security proof results give similar key generation rate and secure

129: distance. Since unconditional security is the Holy Grail of QKD and

130: GLLP (but not L\"utkenhaus) gives unconditional security, our

131: conclusion is that one should use GLLP as the standard criterion for

132: security.

133:

134:

135: %Our aim of this paper is to give a clear data post-processing for

136: %QKD experiments. Data post-processing is a procedure to extract a

137: %secure key from the raw key generated by QKD transmission. For each

138: %data post-processing scheme, there underlies a certain QKD protocol

139: %and a security analysis. So Alice and Bob need to select a security

140: %analysis scheme for the data post-processing. In this sense, SARG04

141: %\cite{SARG_04,TamakiLo_06} only differs from BB84 in data

142: %post-processing.

143:

144: %By simulating four QKD experiments, we compare L\"{u}tkenhaus

145: %\cite{IndividualAttack_00} and GLLP \cite{GLLP_04} data

146: %post-processing, we find that the performance of two schemes are

147: %close. Furthermore, we analyze a decoy-state QKD experiment and find

148: %that the key rate generated by L\"{u}tkenhaus is only 10\% higher

149: %than GLLP. Since L\"{u}tkenhaus only deals with individual attacks

150: %while GLLP deals with general attacks, we conclude that one is

151: %better off using GLLP for data post-processing instead of

152: %restricting to individual attacks.

153:

154: In Section \ref{Model} we review a widely used QKD model to real

155: experiments. In Section \ref{PostPro}, we will compare two data

156: post-processing schems, L\"utkenhaus and GLLP for non-decoy and

157: decoy-state QKD.

158:

159: %data post-processing schemes with different security analyses for

160: %non-decoy and decoy state QKD. We will compare two schemes based on

161: %L\"utkenhaus and GLLP security analyses.

162: %compare two security analyses, L\"utkenhaus vs.~GLLP. Then we will

163: %introduce a data post-processing scheme for decoy state QKD in

164: %Section \ref{Decoy}. Finally, in Section \ref{DecoyExp} we will

165: %apply the data post-processing scheme to a decoy state QKD

166: %experiment.

167:

168:

169:

170: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

171: % bridge model

172: \section{Preliminaries} \label{Model}

173: Here we use a QKD model following \cite{IndividualAttack_00}, see

174: also \cite{Practical_05}. We do not repeat the details of the model

175: here. To reproduce the simulation results, one may need to refer to

176: Section II of \cite{Practical_05}.

177:

178: The procedure of a QKD experiment, using BB84 protocol with coherent

179: state, is as follows:

180: \begin{enumerate}

181: \item In total, Alice sends Bob $N$ pulses for QKD,

182: containing $N_\mu$ pulses for key transmission (signal states) and

183: $N-N_\mu$ pulses for error testing or decoy states. In the $N_\mu$

184: signal pulses, Alice and Bob have $N_\mu^s$ pulses using same bases

185: (after basis reconciliation).

186: \item Within the $N_\mu^s$ pulses, Bob gets a sifted key with a length of

187: $K_\mu^s$, where they measure the same bases and Bob gets

188: detections.

189: \item Alice and Bob choose a security analysis and perform a data post-processing scheme.

190: %We will focus on this step in the following sections.

191: \end{enumerate}

192:

193: %Notes 1:

194:

195: Here we assume Alice uses a weak coherent state for key

196: transmission.

197: %and she can choose the intensity of the pulse.

198: Define the expected photon number (intensity) of the weak coherent

199: state as $\mu$.

200: %In the case of phase encoding system, people normally value $\mu$ as

201: %twice as the intensity of signal pulses. Strictly speaking, $\mu$

202: %should be conservatively valued as the sum of the intensities of

203: %signal and reference pulses. A relative issue is discussed in

204: %\cite{Koashi_04}.

205:

206: Define $q=N_\mu^s/N$. In BB84 scheme, $q=1/2$ when

207: $N\rightarrow\infty$. Here subscript $\mu$ is the expected photon

208: number of the coherent light used for key transmission as defined

209: above.

210: %In general $N\ge N_\mu$, this is because Alice and Bob may not use

211: %all $N$ pulses for key transmission but for other employments, such

212: %as decoy states and error testing.

213: %For a finite large $N$, $q$ follows a normal distribution $q\sim

214: %Normal(1/2,1/{2N})$ with a mean $1/2$ and a variance $1/{2N}$.

215:

216: Define the gain $Q_\mu=K_\mu^s/N_\mu^s$, the probability for Bob to

217: get a detection in a pulse that Alice and Bob use the same basis.

218:

219: Define the QBER $E_\mu=K_\mu^{err}/K_\mu^s$, the probability for Bob

220: to get a wrong detection in a pulse that Alice and Bob use the same

221: basis. Here $K_\mu^{err}$ is the number of erroneous bits in the

222: sifted key.

223:

224: %There is a subtlety in the calculation of the observed QBER coming

225: %from the fact that Eve may send strong signals to Bob. Eve's attack

226: %will be successful when she chooses the right basis. However, when

227: %she chooses the wrong basis, strong signals will unavoidably lead to

228: %double click events, in which two detectors click simultaneously.

229: %Thus, Bob are not allowed to discard these double clicks. Instead,

230: %he should assign them with random outcomes. Therefore double clicks

231: %will lead to an increased error rate

232: %\cite{Lutkenhaus_99DoubleClick}.

233:

234: Alice knows what $N$ and $\mu$ she uses for the key transmission.

235: $N_\mu^s$ and $K_\mu^s$ can be directly counted from the data after

236: the key transmission. Alice and Bob can estimate QBER from error

237: testing, or they can count $K_\mu^{err}$ after error correction. In

238: fact, even without knowing the real QBER, they can directly apply a

239: error correction scheme (e.g., the Cascade scheme

240: \cite{BrassardSalvail_93}). If the error correction is successful,

241: then it automatically provides the QBER, otherwise they restart the

242: QKD. Thus, in a real QKD system, Alice and Bob may skip the error

243: testing part.

244:

245: Assuming that the phase of each pulse is totally randomized, the

246: photon number of each pulse follows a Poisson distribution with a

247: parameter $\mu$ as its expected photon number. We remark that the

248: phase randomization procedure is crucial for the security of QKD

249: \cite{LoPreskill_05}. The density matrix of the state emitted by

250: Alice is given by

251: \begin{equation}\label{Model:AliceState}

252: \rho_A=\sum^{\infty}_{i=0}\frac{\mu^i}{i!}\,e^{-\mu}\,

253: |i\rangle\langle i|,

254: \end{equation}

255: where $|0\rangle\langle 0|$ is the \textit{vacuum state} and

256: $|i\rangle\langle i|$ is the $i$-photon state for $i=1,2\cdots$. The

257: states with only one photon ($i=1$) are called \emph{single photon

258: states}. The states with more than one photon ($i\ge2$) are called

259: \textit{multi photon states}. %Here, we assume Eve receives all the

260: %pulses sent by Alice. And then Eve performs some arbitrary

261: %operations and sends either a vacuum or a qubit to Bob. This is the

262: %squash operation introduced in GLLP \cite{GLLP_04}.

263: %% Eve measures the photon number of each pulse sent by Alice

264: %Consequently, we denote the qubits coming from these three states as

265: %{vacuum qubits}, {single photon qubits} and {multi photon qubits}.

266:

267: Define $Y_i$ to be the \emph{yield} of an $i$-photon state, i.e.,

268: the conditional probability of a detection event at Bob's detector

269: given that Alice sends out an $i$-photon state. Note that $Y_0$ is

270: the background rate including detector dark counts and other

271: background contributions such as the stray light in the fiber.

272: Consequently, define the \emph{error rate} of $i$-photon state to be

273: $e_i$. The \emph{gain} of $i$-photon states $Q_i$ is given by

274: \begin{equation}\label{Model:Qi}

275: \begin{aligned}

276: Q_i &= Y_i\frac{\mu^i}{i!}e^{-\mu}.

277: \end{aligned}

278: \end{equation}

279: %The gain $Q_i$ is the product of the probability of Alice sending

280: %out an $i$-photon state (follows Poisson distribution) and the

281: %conditional probability of Alice's $i$-photon state (and background)

282: %that will lead to a detection event in Bob's detector.

283: When $i=1$, $Q_1$ and $e_1$ are the gain and error rate of single

284: photon states. Note that Eve has the ability to change $\{Y_i\}$ and

285: $\{e_i\}$ as she wishes, but she cannot change $\mu$, which is set

286: by Alice. Decoy states allow Alice and Bob to estimate channel

287: transmittance and error rate accurately, which will restrict the

288: Eve's freedom to adjust $\{Y_i\}$ and $\{e_i\}$. This is the key

289: reason why decoy states are useful for QKD \cite{Decoy_05}.

290:

291:

292:

293: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

294: % Data post-processing schemes

295: \section{Data post-processing schemes} \label{PostPro}

296: In this section, we will compare two data post-processing schemes,

297: L\"utkenhaus versus GLLP. During the comparison, we will apply two

298: data post-processing schemes to both non-decoy and decoy state QKD.

299:

300: \subsection{L\"utkenhaus versus GLLP} \label{Compare}

301: Here we compare data post-processing schemes based on two security

302: analyses, L\"utkenhaus \cite{IndividualAttack_00} and GLLP

303: \cite{GLLP_04}. L\"utkenhaus scheme focuses on security against

304: individual attacks, while GLLP scheme proves unconditional security.

305:

306: In the GLLP \cite{GLLP_04}, there are so called tagged qubits in the

307: discussion. The basis information of tagged qubits is somehow

308: revealed to Eve. Thus tagged qubits are insecure for QKD. The idea

309: is that Alice and Bob can (in principle) separate the qubits into

310: two groups, tagged and untagged qubits, hence they only need to

311: perform privacy amplification to the untagged qubits. The reason is

312: as follows. The final key will be bitwise $XOR$ of keys that could

313: be obtained from the tagged and untagged qubits. If the key from

314: untagged qubits is private and random, then it doesn't matter if Eve

315: knows everything about tagged qubits --- the sum is still private

316: and random.

317:

318: Based on the tagged qubit idea, the procedure of the data

319: post-processing is as follows. First, Alice and Bob perform the

320: error correction, and if it is successfully done, they share an

321: identical key. And then they calculate how much privacy

322: amplification they should do (according to certain security

323: analysis, which we will discuss soon). Finally they use random

324: hashing (or other privacy amplification procedure) to get a final

325: secure key.

326:

327: Due to PNS attack, we can regard qubits single photon states as

328: untagged qubits and those from other (vacuum and multi photon)

329: states as tagged qubits. Then we can compare the results of

330: L\"{u}tkenhaus and GLLP schemes.  We can rewrite the formula of the

331: key generation rate by L\"{u}tkenhaus scheme

332: \begin{equation}\label{TwoSch:Lutkenhaus}

333: \begin{aligned}

334: R\geq q\{-Q_\mu H_2(E_\mu)+Q_1[1-\log_2(1+4e_1-4e_1^2)]\}.

335: \end{aligned}

336: \end{equation}

337: Similarly, as given in Eq.~(11) in \cite{Decoy_05}, we rewrite the

338: key rate formula of GLLP

339: \begin{equation}\label{TwoSch:GLLP}

340: \begin{aligned}

341: R\geq q\{-Q_\mu H_2(E_\mu)+Q_1[1-H_2(e_1)]\}

342: \end{aligned}

343: \end{equation}

344: where $Q_1$ and $e_1$ are the gain and error rate of single photon

345: states, and $H_2(x)=-x\log_2(x)-(1-x)\log_2(1-x)$ is the binary

346: entropy function. Alice and Bob need to estimate $Q_1$ and $e_1$

347: given the data from QKD experiments.

348:

349:

350: %Notes 2:

351:

352: In both Eqs.~\eqref{TwoSch:Lutkenhaus} and \eqref{TwoSch:GLLP}, the

353: first term in the bracket is for error correction and the second one

354: is for privacy amplification. The privacy amplification is only

355: performed on the single photon part.  In this manner, L\"utkenhaus

356: \cite{IndividualAttack_00} has already applied the tagged qubits

357: idea.

358:

359: Here due to PNS attacks \cite{HIGM_95,BLMS_00,LutkenhausJahma_02},

360: both L\"utkenhaus and GLLP assume that the single photon states are

361: the only source of untagged qubits for BB84. This may not true for

362: other protocols. For example, in SARG04 \cite{SARG_04,TamakiLo_06},

363: two-photon states can be used to extract secure keys.

364:

365: Here is the key point of the whole paper. The difference between the

366: L\"utkenhaus and GLLP results appears in the privacy amplification

367: part. We compare $H_2(e)$ with $\log_2(1+4e_1-4e_1^2)$ in

368: Fig.~\ref{TwoSch:fig:ComPri}. We can see that the difference of two

369: functions are quite small. For this reason, in fact, L\"utkenhaus

370: and GLLP give very similar result in the key generation rate and

371: distance of secure QKD. In what follows, we will illustrate this

372: crucial point with examples of experimental parameters from previous

373: QKD experiments. Our conclusion holds with and without using decoy

374: states.

375:

376: \begin{figure}[hbt]

377: \centering \resizebox{8cm}{!}{\includegraphics{CompPrif.eps}}

378: \caption{GLLP vs.~L\"utkenhaus. The maximal deviation of two curves

379: is 15.36\% when the error rate is 3.85\%.} \label{TwoSch:fig:ComPri}

380: \end{figure}

381:

382:

383:

384: \subsection{Non-decoy-state QKD} \label{nondecoy}

385: Without decoy states, Alice and Bob have to pessimistically assume

386: that all losses and errors come from single photon states. Thus

387: \begin{equation}\label{TwoSch:PessAssum}

388: \begin{aligned}

389: Q_1 &= Q_\mu-p_M \\

390: e_1 &= \frac{Q_\mu E_\mu}{Q_1}

391: \end{aligned}

392: \end{equation}

393: where $p_M=1-(1+\mu)\exp(-\mu)$ is the probability that Alice sends

394: out a multi photon state. We can recover Eq.~(15) in

395: \cite{IndividualAttack_00} by substituting

396: Eq.~\eqref{TwoSch:PessAssum} into Eq.~\eqref{TwoSch:Lutkenhaus}. Let

397: $\Delta=p_M/Q_\mu$, we can recover Eq.~(50) in \cite{GLLP_04} by

398: substituting Eq.~\eqref{TwoSch:PessAssum} into

399: Eq.~\eqref{TwoSch:GLLP}.

400:

401: We compare the key generation rate of two data post-processing

402: schemes based on L\"utkenhaus and GLLP by simulating four experiment

403: setups \cite{Townsend_98,RGGGZ_98,BGKHJTLS_99,GYS_04}. The key

404: parameters are listed in TABLE \ref{TwoSch:Table:exdata}.

405:

406: \begin{table}[h]\center

407: %\newcounter{Table}

408: \begin{tabular}{|c|c|c|c|c|}

409: \hline

410: & T8\cite{Townsend_98} & G13\cite{RGGGZ_98} & KTH\cite{BGKHJTLS_99} & GYS\cite{GYS_04}\\

411: \hline

412: $\lambda$ [nm] & 830 & 1300 & 1550 & 1550 \\

413: \hline

414: $\alpha$ [dB/km] & 2.5 & 0.32 & 0.2 & 0.21 \\

415: \hline

416: $e_{d}$ [\%]& 1 & 0.14 & 1 & 3.3 \\

417: \hline

418: $Y_0$ [/pulse] & $10^{-7}$ & $1.64\times10^{-4}$ & $4\times10^{-4}$ & $1.7\times10^{-6}$ \\

419: \hline

420: $\eta_{Bob}$ [\%]& 7.92 & 8.14 & 14.30 & 4.5 \\

421: \hline

422: \end{tabular}

423: \caption{\normalfont{Key parameters from four QKD experiment

424: setups.}} \label{TwoSch:Table:exdata}

425: \end{table}

426:

427: Fig.~\ref{TwoSch:fig:LutGLLP} shows the relationship between key

428: generation rate and the transmission distance, comparing two data

429: post-processing schemes, L\"{u}tkenhaus and GLLP. For both schemes,

430: we consider non-decoy state QKD. From Fig.~\ref{TwoSch:fig:LutGLLP},

431: we can see that the key generation rate of GLLP is only slightly

432: lower than that of L\"{u}tkenhaus. Here we emphasize that GLLP deals

433: with the general attack, while L\"{u}tkenhaus is restricted to

434: individual attack.

435:

436: \begin{figure}[hbt]

437: \centering \resizebox{8cm}{!}{\includegraphics{NoDecoy.eps}}

438: \caption{shows the relationship between key generation rate and the

439: transmission distance, comparing two data post-processing schemes

440: based on L\"{u}tkenhaus and GLLP security analyses. The key

441: parameters are listed in TABLE~\ref{TwoSch:Table:exdata}. Here we

442: consider non-decoy case and use the optimal expected photon number

443: $\mu=\eta$ \cite{IndividualAttack_00}. Using Cascade protocol

444: \cite{BrassardSalvail_93}, the error correction efficiency is 1.16.

445: Details of the QKD simulation model appear in \cite{Practical_05}.}

446: \label{TwoSch:fig:LutGLLP}

447: \end{figure}

448:

449: We remark that the QBERs ($E_\mu$'s) of four GLLP curves at maximal

450: distances in Fig.~\ref{TwoSch:fig:LutGLLP} are $4.57\%$, $4.80\%$,

451: $4.80\%$ and $4.34\%$. Clearly it is far away from $11\%$, the

452: tolerable QBER given in \cite{ShorPreskill_00}. This is due to the

453: fact that the QKD source is weak coherent state, while the security

454: proof given in \cite{ShorPreskill_00} is based on single photon

455: source.

456:

457: Many of QKD experiments used $\mu=0.1$ as for key transmission. If

458: using $\mu=0.1$ for GYS \cite{GYS_04} setup, we find that

459: $Q_\mu<p_M$ for all transmission distances. That is, for BB84, Eve

460: can successfully perform PNS attacks

461: \cite{HIGM_95,BLMS_00,LutkenhausJahma_02} and obtain all the

462: information about the key even when the QBER is 0\%!

463:

464: %According to Eq.~\eqref{TwoSch:PessAssum}, it is impossible to get a

465: %secure key from this setup by applying GLLP directly even when the

466: %QBER is 0\%! Here, we emphasize that the QBER is not the only

467: %criterion for QKD security.

468:

469:

470: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

471: % Decoy

472: \subsection{Decoy-state QKD} \label{Decoy}

473: Here, we will give a data post-processing scheme following the

474: security analysis of decoy state QKD \cite{Decoy_05}.

475:

476: In Eqs.~\eqref{TwoSch:Lutkenhaus} and \eqref{TwoSch:GLLP}, $q$ and

477: $Q_\mu$ can be directly counted from Bob's detection events. The

478: QBER $E_\mu$ can be obtained from error testing or after error

479: correction step. Alice and Bob can estimate $Q_1$ and $e_1$ with

480: decoy states. Definitions of these variables are in Section

481: \ref{Model}.

482:

483: As for Vacuum+Weak decoy state scheme \cite{Practical_05}, besides

484: $Q_\mu$ and $E_\mu$ discussed in Section \ref{Model}, Alice and Bob

485: will use $Q_{vac}$ (from the vacuum decoy), $Q_\nu$ and $E_\nu$

486: (from the weak decoy). The definitions are similar as $Q_\mu$ and

487: $E_\mu$ in Section \ref{Model}. The intensity of weak decoy state is

488: $\nu$. Alice and Bob can publicly compare all weak decoy states to

489: get $Q_\nu$ and $E_\nu$. They can estimate the background count rate

490: by vacuum decoy states $Y_0=Q_{vac}$. Then, they apply the formulas,

491: Eq.~(35) and Eq.~(37) in \cite{Practical_05}, for the estimations of

492: $Q_1$ and $e_1$

493: \begin{equation}\label{TwoSch:V+W}

494: \begin{aligned}

495: Q_1 &\ge \frac{\mu^2e^{-\mu}}{\mu\nu-\nu^2}(Q_\nu e^{\nu}-Q_\mu

496: e^\mu\frac{\nu^2}{\mu^2}-\frac{\mu^2-\nu^2}{\mu^2}Y_0) \\

497: e_1 &\le \frac{E_\nu Q_\nu e^{\nu}-e_0Y_0}{Q_1e^{\mu}\nu/\mu},

498: \end{aligned}

499: \end{equation}

500: where $e_0=1/2$ is the error rate of vacuum decoy states.

501:

502: In summary, the data post-processing for decoy state QKD is

503: \begin{enumerate}

504: \item Alice announces to Bob which pulses are used for decoy states.

505: They publicly compare all values of decoy states, and then calculate

506: $Q_{vac}$, $Q_\nu$ and $E_\nu$.

507: \item They sacrifice $f(E_\mu) H(E_\mu)$ part of the sifted key to do the

508: error correction. Here $f(E_\mu)$ is the error correction

509: efficiency.

510: \item Alice and Bob estimate the gain $Q_1$ and error rate $e_1$

511: of single photon states, using Eq.~\eqref{TwoSch:V+W} with

512: $Y_0=Q_{vac}$, $Q_\nu$ and $E_\nu$.

513: \item They calculate the final key rate $R$ by Eq.~\eqref{TwoSch:Lutkenhaus} or

514: \eqref{TwoSch:GLLP}. According to $R$, they perform privacy

515: amplification (say, random hashing) to get a final secure key with

516: length of $NR$, where $N$ the total number of pulses sent by Alice

517: defined in Section \ref{Model}.

518: %They randomly select parities of the rest part of key bits until they

519: %get a final key with a length of $NR$

520: \end{enumerate}

521:

522: We remark that in principle Alice and Bob can use decoy states to

523: generate keys, but in practice it is more efficient if Alice and Bob

524: compare all bit values of decoy states to minimize the statistical

525: fluctuation. In other words, there always exists one optimal

526: intensity for QKD and we use it for signal states. Suppose some of

527: the decoy state pulses are used for key generation; it will be more

528: efficient to transmit these pulses using the signal (optimal)

529: intensity. Thus, only the signal pulses are used for key generation.

530: %Asymptotically, the ratio of decoy states will approach 0.

531:

532: Note that for a finite length QKD, Alice and Bob need to consider

533: statistical fluctuations. A similar procedure will still be

534: applicable. The only difference will be the formulas for estimations

535: of $Q_1$ and $e_1$. Statistical fluctuations are discussed in

536: \cite{Wang_05,Practical_05}. As mentioned in \cite{Practical_05}, a

537: rough way to estimate the statistical fluctuations is assuming

538: Gaussian distribution of $Q_\nu$, $E_\nu$ and $Y_0$. Take the lower

539: bound of $Q_\nu$ and $Y_0$ and the upper bound of $E_\nu$ to

540: estimate $Q_1$ and $e_1$. Other procedures are the same as used

541: above. For simplicity, here we skip the statistical fluctuations.

542:

543: Note that the efficiency of error correction and privacy

544: amplification can also be included into

545: Eq.~\eqref{TwoSch:Lutkenhaus} and \eqref{TwoSch:GLLP}. In our

546: simulations, we only consider the efficiency of error correction.

547:

548: The comparison of L\"{u}tkenhaus and GLLP for decoy-state QKD is

549: shown in Fig.~\ref{TwoSch:fig:decoy}. From the figure, we can see

550: that the performance of two schemes are very close when decoy states

551: are used.

552:

553: \begin{figure}[hbt]

554: \centering \resizebox{8cm}{!}{\includegraphics{Decoy.eps}}

555: \caption{shows the relationship between key generation rate and the

556: transmission distance for decoy state QKD, comparing L\"{u}tkenhaus

557: and GLLP. The key parameters are listed in

558: TABLE~\ref{TwoSch:Table:exdata}. Using the Cascade protocol

559: \cite{BrassardSalvail_93}, the error correction efficiency is 1.16.

560: Here we assume the efficiency of privacy amplification is 1. Details

561: of QKD simulations can be seen in \cite{Practical_05}.}

562: \label{TwoSch:fig:decoy}

563: \end{figure}

564:

565: For comparison, we list the QBERs of four GLLP curves at maximal

566: distance in Fig.~\ref{TwoSch:fig:decoy} are $5.19\%$, $4.21\%$,

567: $5.11\%$ and $6.8\%$. We can see that these four values are close to

568: those given by Fig.~\ref{TwoSch:fig:LutGLLP} of non-decoy state QKD.

569: This is because stronger signals are allowed to use when decoy

570: states are implemented, and then the QBER drops down, which cancels

571: out the increase of QBER by higher channel loss.

572:

573: Based on the simulation results of four QKD setups, we find that

574: %the performance of the two schemes are rather close (see FIG.

575: %\ref{TwoSch:fig:LutGLLP}). Thus, we conclude that one is better off

576: %considering on general the security analysis---GLLP. Our result

577: %shows that

578: there is little to gain by restricting the security analysis to

579: individual attacks, given that the two schemes---L\"{u}tkenhaus

580: vs.~GLLP---provide very close performances. In other words, our view

581: is that one is better off considering unconditional security, rather

582: than restricting to individual attacks.

583: % Note that the key generation rate $R$ of GYS with GLLP

584: %will strictly hit 0 at distance $l=34km$.

585:

586: %However, when the background rate is high, decoy state QKD can

587: %tolerate QBER even higher than 25\% \cite{BBL_05}. Suppose we

588:

589:

590:

591: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

592: % Our own decoy experiment

593: \subsection{One example} \label{DecoyExp}

594: Decoy state QKD experiments has recently been performed

595: \cite{ZQMKQ_06,ZQMKQ60km_06,PanDecoy_06,LosAlamosTES_06}. We analyze

596: a decoy state QKD experiment over 60km fiber experiment

597: \cite{ZQMKQ60km_06} as an example here. All raw experiment data are

598: listed in TABLE~\ref{TwoSch:Table:Ourdata}.

599:

600: \begin{table}[h]\center

601: %\newcounter{Table}

602: \begin{tabular}{|c|c|c|c|c|c|c|c|c|c|c|c|}

603: \hline

604: Distance & $\lambda$ & $N$ & $N_{vac}$ & $K_{vac}$  \\

605: \hline

606: $60km$ & $1550nm$ & $104.8Mb$ & $16.63Mb$ & $1033b$ \\

607: \hline

608: $\mu$ & $N_\mu$ & $N_\mu^s$ & $K_\mu^s$ & $K_\mu^{err}$ \\

609: \hline

610: $0.55$ & $66.86Mb$ & $33.40Mb$ & $60.50kb$ & $1845b$ \\

611: \hline

612: $\nu$ & $N_\nu$ & $N_\nu^s$ & $K_\nu^s$ & $K_\nu^{err}$ \\

613: \hline

614: $0.152$ & $21.34Mb$ & $10.69Mb$ & $5397b$ & $455b$ \\

615: \hline

616: %\hline

617: %Distance & $N$ & $\mu$ & $N_\mu$ & $N_\mu^s$ & $K_\mu^s$ & $K_\mu^{err}$ \\

618: %\hline

619: %$60km$ & $104.8Mb$ & $0.55$ & $66.86Mb$ & $33.40Mb$ & $60.50kb$ & $1845b$ \\

620: %\hline

621: %$N_{vac}$ & $K_{vac}$ & $\nu$ & $N_\nu$ & $N_\nu^s$ & $K_\nu^s$ & $K_\nu^{err}$ \\

622: %\hline

623: %$16.63Mb$ & $1033b$ & $0.152$ & $21.34Mb$ & $10.69Mb$ & $5397b$ & $455b$ \\

624: %\hline

625: \end{tabular}

626: \caption{\normalfont{Raw QKD experiment parameters from

627: \cite{ZQMKQ60km_06}. The unit $b$ stands for bit.}}

628: \label{TwoSch:Table:Ourdata}

629: \end{table}

630:

631: From TABLE~\ref{TwoSch:Table:Ourdata}, we can calculate the key

632: parameters for security analysis, listed in

633: TABLE~\ref{TwoSch:Table:Para}. The definitions are given in Section

634: \ref{Model}.

635: \begin{table}[h]\center

636: %\newcounter{Table}

637: \begin{tabular}{|c|c|c|c|c|c|c|c|c|c|c|c|}

638: \hline $q$ & $Q_\mu$ & $E_\mu$ & $Y_0=Q_{vac}$ & $Q_\nu$ \\ % & $E_\nu$

639: \hline

640: $0.319$ & $1.81\times10^{-3}$ & $3.05\%$ & $1.11\times10^{-4}$ & $5.47\times10^{-4}$ \\ % & $7.78\%$

641: \hline

642: \end{tabular}

643: \caption{\normalfont{Key parameters for the security analysis of

644: \cite{ZQMKQ60km_06} derived from TABLE~\ref{TwoSch:Table:Ourdata}.}}

645: \label{TwoSch:Table:Para}

646: \end{table}

647:

648: Now, we can apply the data post-processing for decoy state QKD. We

649: can estimate $Q_1$ by Eq.~\eqref{TwoSch:V+W}. For $e_1$ we use a

650: different formula

651: \begin{equation}\label{TwoSch:e1}

652: \begin{aligned}

653: e_1 &\le \frac{E_\mu Q_\mu e^{\mu}-e_0Y_0}{Q_1e^{\mu}}.

654: \end{aligned}

655: \end{equation}

656: The reason is that in the real experiment \cite{ZQMKQ60km_06}, $e_1$

657: of decoy states deviates largely from that of signal states. The

658: deviation is caused by the imperfections of attenuators. Thus, we

659: use the QBER of signal states $E_\mu$ to estimate $e_1$. It reminds

660: us the key assumption of decoy state QKD: all $Y_i$ and $e_i$ are

661: the same in the signal states and in the decoy states

662: \cite{Decoy_05}. %This requires the transmission in QKD experiment to

663: %be independent of signal intensity. Thus, for decoy state QKD, we

664: %need a stable attenuator.

665:

666: Substituting parameters of TABLE~\ref{TwoSch:Table:Para} into

667: Eqs.~\eqref{TwoSch:V+W} and \eqref{TwoSch:e1}, we get

668: $Q_1\ge8.50\times10^{-4}$ and $e_1\le2.73\%$. Then we apply the

669: Cascade error correction scheme \cite{BrassardSalvail_93},

670: sacrificing a fraction of $1.16 H_2(E_\mu)=0.486$ of the sifted key,

671: where $1.16$ is the error correction efficiency. Then from

672: Eqs.~\eqref{TwoSch:Lutkenhaus} and \eqref{TwoSch:GLLP}, we get the

673: key generation rate $R_{Lutkenhaus}=9.98\times10^{-5}$ and

674: $R_{GLLP}=9.04\times10^{-5}$ . We randomly choose parities and

675: obtain a final key with length of

676: $K_{Lutkenhaus}=NR_{Lutkenhaus}=10.5kbit$ and

677: $K_{GLLP}=NR_{GLLP}=9.47kbit$ . We can see the difference between

678: the key lengths of GLLP and L\"utkenhaus is within 10\%.

679: %This result is slightly different from what given in

680: %\cite{ZQMKQ60km_06} because in \cite{ZQMKQ60km_06}, we consider the

681: %statistical fluctuation effects.

682: For the case of considering statistical fluctuations, one can refer

683: to \cite{ZQMKQ60km_06}.

684:

685:

686: %\subsection{Double clicks}

687: %As mentioned in Section \ref{Model}, Bob has to assign random bits

688: %for double clicks, which will lead to an increased error rate

689: %\cite{Lutkenhaus_99DoubleClick}.

690: %

691: %In the data post-processing, since Alice and Bob already know the

692: %locations of double clicks, they can exclude these events from error

693: %correction. The key generation rate formula given in

694: %Eq.~\eqref{TwoSch:GLLP} can be improved by this double click

695: %location information

696: %\begin{equation}\label{Security:Double}

697: %\begin{aligned}

698: %R &\ge  -Q_{\mu}[(1-p_d)H_2(E^r_{\mu})+p_dH_2(E^d_{\mu})]

699: %+Q_1[1-H_2(e_1)] \\

700: %&= -Q_{\mu}[(1-p_d)H_2(E^r_{\mu})+p_d] +Q_1[1-H_2(e_1)]

701: %\end{aligned}

702: %\end{equation}

703: %where $p_d$ is the conditional probability to get a double click

704: %given a detection, $E^d_{\mu}=1/2$ is the QBER of double clicks, and

705: %$E^r_{\mu}$ is the left over QBER in the signal states.

706: %

707: %In the example of Subsection \ref{DecoyExp}, the total number of

708: %double clicks is only $35$, which means $p_d=5.79\times10^{-4}$. It

709: %is negligible.

710:

711:

712:

713:

714: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

715: % Conclusion

716: \section{Conclusion}

717: In this paper, we compare the security analysis of L\"{u}tkenhaus,

718: against individual attack, and Gottesman-Lo-L\"{u}tkenhaus-Preskill,

719: general security analysis. Our simulation results show that these

720: two schemes provide close performances. Thus, we conclude that one

721: is better off considering unconditional security, rather than

722: restricting to individual attacks. In the security analysis, we

723: emphasize that the QBER is not the only criterion of security due to

724: the imperfections of QKD setups. %We explicitly give a data

725: %post-processing procedure by analyzing a real experiment.

726:

727:

728:

729: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

730: % Acknowledgments

731: \section{Acknowledgments}

732: This work is mostly from Xiongfeng Ma's Master Thesis (see ArXiv:

733: quant-ph/0503057) under the supervision of Hoi-Kwong Lo at

734: University of Toronto. We thank Chi-Hang Fred Fung,

735: N.~L\"{u}tkenhaus, Bing Qi and Yi Zhao for enlightening discussions.

736: Financial support from University of Toronto, CFI, CIAR, CIPI,

737: Connaught, CRC, NSERC, OIT, PREA and Chinese Government Award for

738: Outstanding Self-financed Students Abroad is gratefully

739: acknowledged.

740:

741:

742:

743:

744:

745:

746:

747:

748:

749:

750: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

751: % choose a style

752: \bibliographystyle{ieeetr}

753: %\bibliographystyle{unsrt}

754: %\bibliographystyle{apsrev}

755: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

756:

757:

758: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

759: % choose a .bib file

760: \bibliography{Bibli}

761: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

762:

763: %\nocite{*}

764:

765:

766:

767: \end{document}

768: