Decoy state quantum key distribution with finite resources

Physics Letters A 373 (2009) 2533–2536

Contents lists available at ScienceDirect

Physics Letters A www.elsevier.com/locate/pla

Decoy state quantum key distribution with finite resources Shi-Hai Sun ∗ , Lin-Mei Liang, Cheng-Zu Li Department of Physics, National University of Defense Technology, Changsha 410073, PR China

a r t i c l e

i n f o

Article history: Received 31 March 2009 Received in revised form 29 April 2009 Accepted 11 May 2009 Available online 15 May 2009 Communicated by P.R. Holland

a b s t r a c t We apply the finite key analysis to the decoy state quantum key distribution scheme and obtain a practical key rate. By simulating an practical experiment setups and the Vacuum + Weak decoy state method, we show that both the key rate and maximal secure distance are reduced when the finite key analysis is considered. © 2009 Elsevier B.V. All rights reserved.

PACS: 03.67.Dd 03.67.Hk Keywords: Decoy state Quantum key distribution Finite resources

1. Introduction Quantum key distribution (QKD) allows two remote parties, Alice and Bob, to distribute an unconditional secret key, which is ensured by the basic principle of quantum mechanics. Since the first protocol (BB84 [1]) was presented, the security proofs for an ideal QKD system has been proven in the past few years [2–4]. However, the real setups are not ideal, which will affect the security of QKD system and depress the key rate and the maximal secure communication distance. Luckily, the decoy state method, which is first presented by Hwang [5] and later developed by other researchers [6–10], can be introduced to improve the situation. So far, many experimental demonstrations of decoy state QKD have been reported [11–14]. But the key rate are obtained according to the GLLP’s asymptotic formula in most cases, whereas, the legitimate parties can only exchange finite bits in a practical communication so that the asymptotic formula is no longer valid and the unconditional security of the generative key is actually not guaranteed any more. Recently, the security with finite resource is studied in [15–19], but these results are limited: Ref. [15] just considers a restricted class of attacks. In Refs. [16–18], although the authors analyze the finite statistics with decoy state method, the notion of security is relaxed so that the generative key is not secure enough for practical applications. In a more recent work [19], the authors obtain

*

Corresponding author. Tel.: +86 731 4535574. E-mail address: [email protected] (S.-H. Sun).

0375-9601/$ – see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.physleta.2009.05.016

the key rate with finite key analysis by giving a strict security definition, but they only consider the perfect single photon source which is unavailable in the recent technology. In practical experiments, the weak coherent state is commonly used as the photon source, which is essentially a  mixture of the photon number state ∞ −μ μ/n!|nn| when the phase with the Poisson distribution n=0 e is totally randomized. It means that the results of Ref. [19] are not suitable for the practical application and we need to obtain the key rate with finite resources for the imperfect source. In this Letter, we reconsider the work of Ref. [19] and apply the finite key analysis to the decoy state scheme. In the following, we describe briefly the Vacuum + Weak decoy state QKD method with finite resources. Then we introduce the work of V. Scarani et al. [19] in brief and deduce the formula of key rate with finite resources for the practical source and compare our results with the asymptotic scenario finally. 2. Protocol In this section, we explain the Vacuum + Weak decoy state QKD scheme with finite resource. The legitimate parties fix the total length of exchanged bits N and use three kinds of sources to implement the QKD scheme. Except the signal state with intensity μ, two decoy states are used, one is the vacuum state and the other one is the weak coherent state with intensity ν = 0 (ν < μ). For each pulse, Alice randomly chooses one form of the three kinds of states and sends to Bob with the probability 2 p 0 , p 1 , p 2 respectively, which satisfy with the condition that i =0 p i = 1.

2534

S.-H. Sun et al. / Physics Letters A 373 (2009) 2533–2536

After all the processes of BB84 protocol, they estimate the yield and QBER of single photon state and obtain the secure key rate, according to the method proposed in Refs. [6–8]. In this part, all the bits coming from the decoy state can be used completely, but just part of bits coming from the signal state are useable. We assume the pulses of signal state are chosen as the raw key and as parameter estimation with probability p r and p e respectively, which satisfy p r + p e = 1. The length of the raw key and the sample size for parameter estimation are denoted as n and m respectively, which satisfy n = p r × p 0 × N and m = p e × p 0 × N. What is needed to be pointed out here is that, in asymptotic analysis, n can be chosen arbitrarily close to the infinite large N. Even m  N, it can also provide sufficiently accurate results. However, in non-asymptotic analysis, since N is finitely large, the sample size will decide obviously the precision of parameter estimation and the legitimate parties need to make a trade-off between n and m. But the precision of parameter estimation is not the only problem, other situations are also needed to be taken into account, for example, the effect of error correction with finite bits will be worse than the Shannon limit. 3. Deduction In this section, we reconsider the finite key analysis proposed by V. Scarani and R. Renner in Ref. [19] and apply it to the decoy state QKD scheme introduced in last section. When the source is a perfect single photon source, the key rate is given by [19]





r = (n/ N ) 1 − h(˜e 1 ) − (leakEC + Δ)/n ,

(1)

where e˜ 1 = e 1 + ξ(m, d) is the modified QBER of signal source, e 1 is computed directly by utilizing experimental results, ξ(m, d) means the statistical deviation of QBER by measurements of m samples according to POVM with d outcomes and d = 2 for BB84 protocol because the POVM has two outcomes; leakEC represents the transmitted number of bits over the public channel in process of error correction and leak EC /n = 1.22h(e 1 ) for real codes; Δ = 2 log2 1/[2(ε − ε − εEC )] + 7 n log2 (2/(ε − ε  )) is the security parameter of error correction and privacy amplification itself, in which ε is the security bound which can be interpreted equivalently as the maximum failure probability, εEC is the error probability of error correction, ε¯ and ε¯  are parameters that are needed to be optimized to maximize the key rate, h(x) is the binary entropy. It is obvious that Eq. (1) is just valid for single photon source and not useable for the practical application, since the practical source is a weak coherent state, which will generate, with nonzero probability, the multi-photon that is insecure for the PNS attack. In order to overcome this gap, we combine the finite key analysis with the decoy state scheme. For obtaining the valid key rate, we first analyze the imperfect source and the post-processing. In the practical QKD with imperfect source, there are two kinds of qubits that are needed to be discussed separately: one is the tagged bit which is not secure, the other one is the untagged bit which is secure and can be used to distill the final key. For BB84 with the weak coherent state, the untagged bit is from a single photon pulse, and the tagged bit is from the multi-photon pulse. Since, in principle, Eve can know the information coded in multi-photon pulses by some attacks, for example, photon-number splitting attacks. For BB84, the one-way post-processing contains two steps. One is the error correction. Alice and Bob correct the bit error by sacrificing a part of bit, which is represented by leakEC of Eq. (1). The total information leaking is from both the untagged bit and the tagged bit, since the tagged bit will reveal some information of the untagged bit in this process. After the error correction, Alice and Bob share high consistent bits and they can use the privacy am-

plification to depress the information known from the tagged bit by Eve. One can imagine executing privacy amplification on two different strings, the sifted bits arising from the tagged bits and the sifted bits arising from the untagged bits. Since only the untagged bit are secure and its security will not be affected by the security of the tagged bit, the secure key can be obtained from the tagged bits and untagged bits separately [21]. It means that if one bit coming from the untagged bit is secure, no matter whether the tagged bit is secure or not, it is still secure after the privacy amplification. Thus one just needs to consider the leakage of information of the untagged bits in the privacy amplification. It is needed to mention that, the idea, separating the imperfect source as two components and considering the post-processing for tagged bit and untagged bit respectively, comes from the security analysis of [21], the authors obtain the GLLP formula based on it. Even so, it is still wonderful and available for our analysis, because this characteristic is decided by the imperfect source and BB84 protocol which is independent of the length of exchanged bits. According to the analysis above and combining it with the Eq. (5) in [19], we can obtain the final key rate for practical coherent state confidently:





r  = Q 1 H ξ ( X | E ) − Δ1 − Q μ leakEC − Δ2 /n,

(2)

where H ξ ( X | E ) is the lower bound of the smooth min-entropy which is given by Lemma 2 of [19]. μ represents the intensity of signal states; Q μ is the total gain of the source coming from both the untagged bit and the tagged bit; Q 1 is the gain of the untagged bit; leakEC = 1.22h( E μ ) here depends on the total QBER caused  by tagged bits and untagged bits; and according to Ref. [19] Δ1 = 7 log2 (2/(ε − ε  ))/n Q 1 and Δ2 = 2 log2 (1/2(ε − ε − εEC )). Then according to [19], the lower bound of the smooth minentropy is given for BB84 protocol: H ξ ( X | E ) = 1 − h(e 1 ),

(3)

where e 1 is the QBER of the untagged bit. Note that the statistic deviation caused by finite bits is considered in the process of parameter estimation with the decoy state method. Therefore the final key rate is given by: r = q(n/ N )r 

    = q(n/ N ) Q 1 1 − h(e 1 ) − Δ1 − Δ2 /n − Q μ leakEC ,

(4)

where q = 1/2 for BB84 protocol; N is the number of transmitted pulses and n is the number of pulse chosen as the raw key by Alice. 4. Plot From the analysis above, we have obtained the key rate with finite resource for the practical source. Now, we compare our results with the asymptotic scenario. Since our goal is to analyze the gap between asymptotic scenario and non-asymptotic scenario induced by the finite resources, the source errors will not be taken into account. If the control of source is imperfect, the results of Refs. [22,23] can be combined with our formula directly and easily. In practical experiments, just finite number of decoy states can be used, which will introduce statistical fluctuation itself when N is finite large. So we first introduce the yield and QBER of single photon state for the protocol introduced in Section 2, the number of the signal pulse, the decoy pulse and the vacuum pulse is N μ = p 0 × N, N ν = p 1 × N, N 0 = p 2 × N, respectively. Using the same

S.-H. Sun et al. / Physics Letters A 373 (2009) 2533–2536

Fig. 1. The key rate vs. communication distance. The dashdotted line represents the asymptotic scenario with infinite decoy state, and the maximal distance is 142 km. The solid lines represent the asymptotic scenario with two decoy state, and (a), (b), (c) are obtained for N = 1011 , N = 1010 , N = 5 × 109 , respectively. The dashed lines represent the non-asymptotic scenario with two decoy state, and (d), (e), (f) are also plotted for N = 1011 , N = 1010 , N = 5 × 109 , respectively. The intensity of signal source is μ = 0.48 and ε = 10−9 , εEC = 10−10 . ν , N μ , N ν , N 0 , m, n, ε and ε  are optimal for each distance to maximize the key rate by numerical calculations. Other parameters are shown in Table 1.

Fig. 2. The relative deviation of key rate for asymptotic scenario and non-asymptotic scenario. The solid line is obtained for N = 1011 ; the dashed line is plotted for N = 1010 ; the dashdotted line is drawn for N = 5 × 109 . Other parameters are same with Fig. 1.

Next, in order to describe the gap of the key rate between two scenarios, we define the relative deviation which is given by

γ= Table 1 The key parameters for QKD experiment Experiment

α (dB/km)

e detector

Y0

ηBob

GYS [20]

0.21

0.033

1.7 × 10−6

0.045

method in [6–9], we can obtain the lower bound of the yield of single photon pulse Y 1L





Y 1L =

2 μ μ2 − ν 2 L U μν Q νL e ν − Q μ e − Y0 , 2 ν (μ − ν ) μ μ2

(5)

and upper bound of the QBER of single photon pulse e 1U e 1U =

Q νU E νU e ν − e 0 Y 0L Y 1L ν

R asy − R nonasy R asy

,

(7)

where R asy is the key rate for the asymptotic scenario, R nonasy is the key rate for the nonasymptotic scenario with finite resource which is given by Eq. (4). The relative deviation is shown clearly in Fig. 2. From Fig. 2 we can see clearly that the relative deviation of key rate for two scenario increases quickly with the communication distance. For the typical value γ = 0.5, the distance is 117 km, 89 km, 78 km for N = 1011 , N = 1010 , N = 5 × 109 , respectively. It means that the influence of finite resource on the key rate is not ignored, especially, when the communication distance is long and the number of exchanged bits is small. 5. Conclusion

(6)

,

where Q ν = Q ν (1 − rν ), Q ν = Q ν (1 + rν ), Q μ = Q μ (1 + rμ ), Q ν E νU = Q ν E ν (1 + re ), Y 0L = Y 0 (1 − r0 ), Y 0U = Y 0 (1 + r0 ). Y 0 is the dark count rate. r x (x = 0, ν , μ, e ) represent the statistical fluctuation of each parameter induced by finite large N. It has been shown that if we estimate each parameter within 10 standard deviations, the statistical fluctuation will be less than 25 10−√ [6,7]. So it isconfident to replace √ r0 , rμ , rν , r√e by r0 = 10/ N 0 Y 0 , rμ = 10/ N μ Q μ , rν = 10/ m Q ν , re = 10/ N ν Q ν E ν . The experiment parameters of GYS are listed in Table 1. Substitute these formulas into Eq. (4), we can obtain the key rate for non-asymptotic scenario. The key rate can also be obtained for asymptotic scenario with the method in [6–11]. The results are shown clearly in Fig. 1. From Fig. 1 we can see clearly that when the finite resource is taken into account, the key rate will be lower than the results of asymptotic scenario which is obtained from GLLP’s formula. The maximal communication distance is 131 km, 121 km, 116 km for the asymptotic scenario and 124 km, 105 km, 96 km for the nonasymptotic scenario, when N = 1011 , N = 1010 , N = 5 × 109 , respectively. Moreover, the difference of maximal distance for two kinds of scenario increases with the decrease of N, from 6 km to 19 km. L

2535

U

U

In summary, we reconsider the finite key analysis proposed by V. Scarani and R. Renner and apply it to the decoy state QKD scheme. We simulate an experiment setup by consider the Vacuum + Weak decoy state QKD scheme. The simulation results show that both the key rate and maximal communication distance are lower than the results of the asymptotic scenario when the finite key analysis is taken into account. It is needed to note that in this Letter we only analyze the effect induced by the finite resources and the imperfect single photon source, but not consider the effect induced by other imperfection, for example, the source fluctuation. If the control of source is imperfect, the results of Refs. [22,23] can be combined with our formula directly and easily. Furthermore, we assumed the phase in the weak coherent is totally randomized. It means the source is a mixture of the photon number state with the Poisson distribution. In addition, it is needed to mention that after we finished this Letter, we find there is an independent work proposed by R.Y.Q. Cai and V. Scarani [24]. Although the authors also obtain the key rate with finite resource, there are at least two differences from our work. One is the treatment of the tagged and untagged signals. Comparing Eq. (4) of our Letter with Eq. (29) of [24], we see that Δ1 is multiplied by Q 1 here, while it is not in [24]. R.Y.Q. Cai and V. Scarani are therefore more conservative, but our bound is better

2536

S.-H. Sun et al. / Physics Letters A 373 (2009) 2533–2536

and more accurate, because we noticed that Δ1 is the correction to the min-entropy of the untagged signals only. The other one is the statistical analysis in the part of the parameter estimation. Strictly, the analysis of R.Y.Q. Cai and V. Scarani is more rigorous than our analysis in this Letter, since their analysis is based on a general law of large number, while the standard error analysis used in our Letter, which is first used by Ma et al. [6,7], is based on the Gaussian statistics assumption. However, the accuracy is enough for our analysis, because the statistical fluctuation will be less than 10−25 . Acknowledgements The authors thank X.-F. Ma for his helpful advice. References [1] C.H. Bennett, G. Brassard, in: Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, IEEE, New York, 1984, pp. 175– 179. [2] D. Mayers, quant-ph/9802025. [3] H.-K. Lo, H.F. Chau, Science 283 (1999) 2050.

[4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24]

P.W. Shor, J. Preskill, Phys. Rev. Lett. 85 (2000) 441. W.-Y. Hwang, Phys. Rev. Lett. 91 (2003) 057901. H.-K. Lo, X.-F. Ma, K. Chen, Phys. Rev. Lett. 94 (2005) 230504. X.-F. Ma, B. Qi, Y. Zhao, H.-K. Lo, Phys. Rev. A 72 (2005) 012326. X.-B. Wang, Phys. Rev. Lett. 94 (2005) 230503. Q.-Y. Cai, Y.-G. Tan, Phys. Rev. A 73 (2006) 032305. S.-H. Sun, M. Gao, et al., Chin. Phys. Lett. 25 (2008) 2358. Y. Zhao, B. Qi, X.-F. Ma, H.-K. Lo, L. Qian, Phys. Rev. Lett. 96 (2006) 070502. D. Rosenberg, et al., Phys. Rev. Lett. 98 (2007) 010503. T. Schmitt-Manderbach, et al., Phys. Rev. Lett. 98 (2007) 010504. C.-Z. Peng, et al., Phys. Rev. Lett. 98 (2007) 010505. T. Meyer, H. Kampermann, M. Kleinmann, D. Bruß, Phys. Rev. A 74 (2006) 042340. M. Hayashi, Phys. Rev. A 76 (2007) 012329. J. Hasegawa, M. Hayashi, T. Hiroshima, A. Tomita, quant-ph/0707.3541v1. J. Hasegawa, M. Hayashi, T. Hiroshima, A. Tomita, quant-ph/0705.3081v1. V. Scarani, R. Renner, Phys. Rev. Lett. 100 (2008) 200501. C. Gobby, Z.L. Yuan, A.J. Shields, Appl. Phys. Lett. 84 (2004) 3762. D. Gottesman, H.-K. Lo, N. Ltkenhaus, J. Preskill, Quant. Inf. Comput. 4 (2004) 325. X.-B. Wang, C.-Z. Peng, J. Zhang, L. Yang, J.-W. Pan, Phys. Rev. A 77 (2008) 042311. X.-B. Wang, C.-Z. Peng, J.-W. Pan, Appl. Phys. Lett. 90 (2007) 031110. R.Y.Q. Cai, V. Scarani, quant-ph/0811.2628.