Semi-device-independent quantum money with coherent states
Mathieu Bozzio, Eleni Diamanti, Fr\'ed\'eric Grosshans

TL;DR
This paper presents a security proof for semi-device-independent quantum money using coherent states, accounting for practical imperfections and analyzing protocol security over time with quantum memory.
Contribution
It provides a novel security analysis for quantum money protocols with classical verification in realistic settings using semidefinite programming.
Findings
Secure regimes identified in fixed and randomized phase settings.
Protocol security evolution analyzed with decohering quantum memory.
Secure credit card lifetimes determined for specific configurations.
Abstract
The no-cloning property of quantum mechanics allows unforgeability of quantum banknotes and credit cards. Quantum credit card protocols involve a bank, a client and a payment terminal, and their practical implementation typically relies on encoding information on weak coherent states of light. Here, we provide a security proof in this practical setting for semi-device-independent quantum money with classical verification, involving an honest bank, a dishonest client and a potentially untrusted terminal. Our analysis uses semidefinite programming in the coherent state framework and aims at simultaneously optimizing over the noise and losses introduced by a dishonest party. We discuss secure regimes of operation in both fixed and randomized phase settings, taking into account experimental imperfections. Finally, we study the evolution of protocol security in the presence of a decohering…
Click any figure to enlarge with its caption.
Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6
Figure 7
Figure 8| Mint | Client | Terminal | Bank | Parameter | |
|---|---|---|---|---|---|
| (i) | H | H | H | H | correctness c |
| (ii) | H | D | H | H | error rate |
| (iii) | H | D/H | D | H | error rate |
| (iv) | D | D/H | D | H | N/A |
| (v) | D | D/H | D/H | D | N/A |
| 0.01 | 0.02 | 0.05 | 0.10 | |||
|---|---|---|---|---|---|---|
| 0.01 | 0.05 | 0.10 | 0.50 | 1.00 | 2.00 |
| , trusted | , untrusted | ||
| Non phase-randomized, | |||
| 0.05 | 0.1% | 0.1% | 95.1% |
| 0.10 | 0.3% | 0.1% | 90.5% |
| 0.15 | 0.4% | 0.1% | 86.1% |
| 0.25 | 0.5% | 0 % | 77.9% |
| 0.55 | 0.7% | 0 % | 57.7% |
| Phase-randomized, | |||
| 0.50 | 2.2% | 1.1% | 60.1% |
| 0.75 | 2.6% | 1.3% | 47.2% |
| 1.00 | 2.7% | 1.3% | 36.8% |
| 1.25 | 2.6% | 1.3% | 28.7% |
| 1.50 | 2.4% | 1.2% | 22.3% |
| Phase-randomized, | |||
| 0.40 | 1.1% | 0.2% | 72.6% |
| 0.60 | 1.4% | 0.2% | 61.9% |
| 0.80 | 1.5% | 0.2% | 52.7% |
| 1.00 | 1.5% | 0.1% | 44.9% |
| 1.20 | 1.5% | 0.1% | 38.3% |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Semi-device-independent quantum money with coherent states
Mathieu Bozzio
LIP6, CNRS, Sorbonne Université, 75005 Paris, France
LTCI, Télécom ParisTech, Université Paris-Saclay, 75013 Paris, France
Eleni Diamanti
LIP6, CNRS, Sorbonne Université, 75005 Paris, France
Frédéric Grosshans
Laboratoire Aimé Cotton, CNRS, Université Paris-Sud, ENS Cachan, Université Paris-Saclay, 91405 Orsay Cedex, France
LIP6, CNRS, Sorbonne Université, 75005 Paris, France
Abstract
The no-cloning property of quantum mechanics allows unforgeability of quantum banknotes and credit cards. Quantum credit card protocols involve a bank, a client and a payment terminal, and their practical implementation typically relies on encoding information on weak coherent states of light. Here, we provide a security proof in this practical setting for semi-device-independent quantum money with classical verification, involving an honest bank, a dishonest client and a potentially untrusted terminal. Our analysis uses semidefinite programming in the coherent state framework and aims at simultaneously optimizing over the noise and losses introduced by a dishonest party. We discuss secure regimes of operation in both fixed and randomized phase settings, taking into account experimental imperfections. Finally, we study the evolution of protocol security in the presence of a decohering optical quantum memory and identify secure credit card lifetimes for a specific configuration.
In contrast to classical physics, quantum mechanical systems have a no-cloning property Wooters and Zurek (1982): it is impossible to make a perfect copy of a quantum object in an unknown state. This property was used by Wiesner in his proposal to mint unforgeable quantum money Wiesner (1983), giving birth to the field of quantum cryptography Bennett and Brassard (1984); Gisin et al. (2002); Scarani et al. (2009). The original idea involved a bank encoding a secret classical key into a sequence of two-level quantum states (qubits) stored in a quantum memory and handed to a client. The secret key specifies the basis in which each qubit is encoded, ensuring that a forger ignoring the basis in which to measure it will destroy information. This will then trigger incorrect measurement outcomes when the bank will verify the validity of the banknote. Such a scheme may be impractical over long distances due to a potentially lossy and noisy transmission of the quantum states between the client and the bank. It was also shown to be vulnerable to adaptive attacks, where a counterfeiter can use the same banknote several times Brodutch et al. (2016). An alternative protocol with verification using classical communication was first proposed in Gavinski (2012) and extended to practical, noise-tolerant schemes in Pastawski et al. (2012); Georgiou and Kerenidis (2015); Amiri and Arrazola (2017).
Although quantum key distribution protocols have been widely studied and implemented Diamanti et al. (2016), quantum money has not yet seen the same experimental progress, essentially because of the difficulty in implementing efficient quantum storage devices Heshami et al. (2016). However, the experimental interest in quantum money has grown recently, with demonstration of forgery of quantum banknotes Bartkiewicz et al. (2017) and implementation of weak coherent state- based quantum credit card schemes, secure in a trusted terminal scenario Bozzio et al. (2018); Guan et al. (2018), in the prospect of near-future implementations with a quantum memory. These require new security proofs tackling the optimal cloning of coherent states, differing from qubit-based quantum money and also quantum key distribution proofs.
In quantum cryptography, semi-device-independent frameworks have been developed in order to limit the needed assumptions to ensure security. While not as stringent as full device independence Acin et al. (2007), this approach allows for practical security and performance while making fewer assumptions on the implementation than usual security proofs. This includes assumptions on the detectors Ma and Lütkenhaus (2012); Branciard et al. (2012); Lo et al. (2012); Braunstein and Pirandola (2012), the dimensionality of the quantum states Liang et al. (2011); Pawłowski and Brunner (2011); Gittsovich and Moroder (2013) and other parameters Van Himbeeck et al. (2017). For quantum money, semi-device-independence relates to scenarios where one does not trust the terminal, as in this work and Horodecki and Stankiewicz (2018); Jiráková et al. (2018), along with scenarios where the state preparation Horodecki and Stankiewicz (2018) or the terminal is trusted but imperfectly characterized.
In this work, we derive a quantum money security proof which incorporates semi-device-independence to deal with both trusted and untrusted payment terminals in the presence of experimental imperfections. We do so by extending the semidefinite programming (SDP) techniques from Molina et al. (2013); Watrous (2011); Vandenberghe and Boyd (1996) to the coherent state framework and using the squashing model from Beaudry et al. (2008); Gittsovich et al. (2014). We also adapt our proof to study the effect of a decohering quantum memory. We remark that recent and concurrent work by Horodecki and Stankiewicz Horodecki and Stankiewicz (2018) also studies semi-device-independent quantum money, in a stronger threat model than here (scenario (iv) of Table 1), but without our focus on realistic implementations.
I I. Protocol and correctness
We consider the qubit scheme introduced by Wiesner Wiesner (1983) in the classical verification setting of Gavinski (2012); Pastawski et al. (2012); Georgiou and Kerenidis (2015); Amiri and Arrazola (2017). In this three-party quantum money scheme, the mint generates a random secret classical key and encodes it according to a secret classical basis key . The quantum credit card state associated to public serial number is then written as , where . More specifically, bit is encoded in the basis when , and in the basis when .
The mint stores in a quantum memory and hands it to a client. When a transaction must be performed, the merchant’s honest terminal measures each of the qubits of in a basis dictated by a challenge question randomly chosen by the bank. For a single qubit state, the challenge (resp. ) reads: Give the correct measurement outcome if the qubit is encoded in the (resp. ) basis, and provide any outcome if the qubit is encoded in the (resp. ) basis. The terminal measures the qubit in the basis associated with the given challenge, which provides the honest success probability or correctness . The answers corresponding to the measurement results are sent in the form of a classical bit string to the bank, which compares it with and accepts the credit card only if all the measurement outcomes coincide with .
We now consider the same honest protocol in which qubit states are mapped onto two-mode weak coherent states as:
[TABLE]
where is the coherent state amplitude and denotes the vacuum state. Such a mapping is typically used for polarization or time-bin encoding, where the component is mapped onto the first mode and the component is mapped onto the second Lo and Preskill (2007). When dealing with polarization, the honest terminal measures each of the credit card states in the basis which answers either or by typically rotating a half or quarter waveplate. It then outputs measurement outcomes, where represents the honest losses assuming a weak coherent light source with average photon number per pulse , unit channel transmission efficiency, and threshold single-photon detectors with quantum efficiency . When no detection occurs, the terminal reports a flag, denoted by . For large sample sizes, the -state challenge is then satisfied only if the total number of no-detection reports is equal to . The multi-photon component of coherent states may also trigger clicks on both detectors at the same time. An adversary may actually exploit this property to boost his cheating probability. Following the methods used in Beaudry et al. (2008), clicks on both detectors are randomly mapped to a single click as either a [math] or . This allows to use a squashing model to securely map the infinite-dimensional threshold detection POVMs to a finite dimensional Hilbert space.
II II. Security
II.1 A. Principle and proof outline
Table 1 shows the possible security scenarios for quantum money schemes. A successful forging attack consists in answering two challenges correctly at the same time, corresponding to extracting twice the original amount of money in one’s possession. As the last four states from Eq. (1) are identical on the first mode, we may reduce our security analysis to the single state with , before extending it to states. In scenario (ii), an attack is materialized by the creation of two copies of the quantum credit card state, both being accepted by the bank when measured by two separate trusted terminals. In scenario (iii), an attack is materialized by the communication of two classical strings by two untrusted terminals to the bank, which accepts both of them. In a coherent state implementation, the adversary may modify one or both of the following parameters: losses (probability of a projection onto the vacuum state), and error rate . The bank may detect an attack when or when the measured error rate upon verification is larger than expected. Given average photon number , we use SDP techniques Watrous (2011); Vandenberghe and Boyd (1996) to first minimize the losses that the adversary must introduce in (ii) or declare in (iii) to succeed with probability . We can then identify the range of for which . We will use Choi’s theorem (see Appendix A.1 for details) to optimize over the best adversarial linear cloning map. For (ii), the figure of merit for the optimization is based on the measurements of the two trusted terminals. For (iii), the figure of merit becomes the acceptance of classical data by the bank. We then show how this single state analysis gives a bound for the -state proof. We also note the following useful property from Molina et al. (2013), proven in Appendix A.2: given , , and Choi–Jamiołkowski operator associated to map , we have
[TABLE]
where the overline denotes complex conjugation.
II.2 B. Trusted terminal
We shall first study the trusted terminal scenario (ii). In the single qubit case, the minimum adversarial error probability is the same as in Wiesner’s original quantum verification scheme, namely Wiesner (1983); Molina et al. (2013). When dealing with the coherent states from Eq. (1), we use the existence of a squashing model for our threshold detector measurement setup, originally proven for coherent implementations of BB84 Beaudry et al. (2008). By imposing a condition on the terminal’s postprocessing, consisting of assigning a random measurement outcome to any double click, this model allows to express the infinite-dimensional measurement operators in a 3-dimensional space spanned by , which greatly simplifies the security analysis. Let be the optimal adversarial map which produces two copies (living in ) of the original quantum credit card state (living in ). The state may be expressed in a -dimensional orthonormal basis corresponding to , as shown in Appendix B.1. The probability that a trusted terminal declares an incorrect measurement outcome for credit card (resp. ) is given by the trace of , (resp. of , where is the squashed qubit associated with the original state , i.e. , , , , and is its orthogonal qubit state. The factor indicates that each is equally likely to occur, while accounts for the trusted terminal’s random measurement basis choice. Using Eq. (2), we may then rewrite these expressions as and , where and are the error operators,
[TABLE]
and is the average photon number in a pulse. Following a similar method, the probability that terminal 1 (resp. 2) registers a no-detection event on credit card (resp. ) reads (resp. ), where and are the loss operators, which contain the projection onto the state :
[TABLE]
We now search for the optimal cloning map that minimizes the losses that the adversary must introduce on both credit cards for a given error rate . We cast this problem in the following SDP for a card with a single state,
[TABLE]
The first constraint imposes that is trace-preserving, the second imposes error when card is measured by terminal , the third and fourth impose that the error and losses on card are at least equal to those on card , and the fifth imposes that is completely positive. Solving (5) numerically provides the results in Fig. 1(a): it is impossible for an adversary to succeed with zero error () without introducing any excess losses () when . The protocol may therefore be implemented securely in this range of , since the excess losses will allow the bank to detect an attack. Secure regions of operation for other values of error are also displayed in Fig. 1(a).
In Appendix C, we extend problem (5) to states and provide numerical evidence that the optimal solution does not change in this case, namely the adversary cannot decrease by correlating the states.
II.3 C. Untrusted terminal
In the untrusted terminal scenario (iii), the adversary aims to provide two classical outcome strings from two different untrusted terminals which are both accepted by the bank. The minimum error in the qubit case yields Molina et al. (2013) (attained with the strategy provided in Appendix D). In the coherent state framework, we recast (5) with newly defined error and loss operators:
[TABLE]
and similarly for and . We use braket notation to denote the correct classical answer to challenge , given state . These vectors are all orthogonal to one another, and live in a 3-dimensional space spanned by classical answers , where the last vector corresponds to a classical no-detection flag. We label the orthogonal (wrong) answer as . Figure 1(b) displays the optimal solutions as a function of : an errorless protocol is impossible without increasing the fraction of declared no-detection flags with respect to the honest fraction , although this increase is extremely small compared to the trusted terminal setting (see figure inset).
III III. Parameter analysis
The small adversarial losses and tight noise tolerance observed in Fig. 1(b) may be increased by replacing the pure states (given in Appendix B.1) with phase-randomized states (expressions given in Appendix B.2). Phase randomization is commonly used in quantum key distribution implementations to increase the security and obtain higher key rates Lo and Preskill (2005); Zhao et al. (2007); Yuan et al. (2014). Numerical solutions to (5) for such states are displayed in Figs. 1(c) and 1(d) for trusted and untrusted terminals respectively. We observe that the range of for which security can be shown in practice is considerably extended in this case.
It is also interesting to analyze our results in this phase-randomized setting for finite detection efficiency . Figures 1(e) and 1(f) show that security may be achieved in the trusted terminal scenario using state-of-the-art single-photon detectors Hadfield (2009); Lita et al. (2008), depending also on the target error rate, while the untrusted scenario puts much more stringent constraints on the required devices.
We also remark that in Appendix E, we provide an alternative SDP to (5) which allows to derive given a fixed and detection efficiency .
IV IV. Decohering quantum memory
In our security analysis, we have considered up till now fixed losses. However, in a quantum money implementation with a quantum memory used to store the credit card states, it will be necessary to take into account the time-dependent losses due to the decoherence of the memory. Here, the mint hands the stored quantum state to the client at time . When , the retrieval efficiency decreases with time, thus increasing the losses to . The initial retrieval efficiency of the quantum memory limits the fraction of the states a dishonest client can retrieve to . He may however have access to an ideal quantum memory to transfer the state at , before starts to decrease. This opens the door to powerful loss dependent attacks whose success increases as a function of time. As an illustration, we consider the cold atomic ensemble setup described in Vernaz-Gris et al. (2018), with losses that are dominated by the dephasing of the collective atomic magnetic excitation with a lifetime due to weak residual magnetic fields. The retrieval efficiency decreases as , where for this setup. Using this expression, we solve (5) with phase-randomized states and derive secure credit card lifetimes of a few , as shown in Fig. 2 for and .
V Conclusion
By establishing an optimization framework in the coherent state setting, we have derived secure regions of operation for quantum credit card schemes in both trusted and untrusted terminal scenarios. With phase-randomized states, we have shown that the former case can be secure using a setup with detection efficiency and noise tolerance around , while the latter case requires tighter parameters: and noise tolerance lower than . Using the duality of semidefinite programs, we have provided numerical evidence that the adversary cannot increase his/her cheating probability by correlating the states in the credit card. In such a setting, the uncertainty on the tolerated number of incorrect outcomes and excess losses scales as . We have finally provided a method to derive secure credit card lifetimes in the presence of a decohering quantum memory. This work encourages the future implementation of quantum credit card schemes with state-of-the-art quantum storage devices, as it provides a simple framework to derive practical security parameters in a semi-device-independent setting.
VI Acknowledgments
We thank Félix Hoffet and Julien Laurat for useful discussions about the modeling of the quantum memory, as well as Anthony Leverrier for his helpful comments on the manuscript. We acknowledge support from the European Union through the project ERC-2017-STG-758911 QUSCO, from the ANR through the project ANR-17-CE39-0005 quBIC, from BPI France through the project 143024 RISQ, and from Université Paris-Saclay through the Initiative de Recherche Interdisciplinaire.
Appendix A : Choi–Jamiołkowski operator and semidefinite programming.
A.1 : Choi’s theorem on completely positive maps
Let us consider a tensor product of two -dimensional Hilbert spaces , and then define the maximally entangled state on as
[TABLE]
We introduce a completely positive linear map , and define the Choi–Jamiołkowski operator as the operator which applies to the first half of the maximally entangled state :
[TABLE]
Choi’s theorem then states that is completely positive if and only iff is positive semidefinite. We also have that is a trace-preserving map if and only if Molina et al. (2013); Watrous (2011); Vandenberghe and Boyd (1996). These properties are implemented as constraints in the optimization problem from (5).
A.2 : Proof of Equation (2)
For a completely positive trace-preserving linear map and its associated Choi–Jamiołkowski operator , and , , we can write
[TABLE]
where we have defined the scalar .
Appendix B : Non phase-randomized and phase-randomized coherent state expressions.
B.1 : Non phase-randomized states
We may write the coherent states from in a four-dimensional orthonormal basis as
[TABLE]
where
[TABLE]
B.2 : Phase-randomized states
We may express the four states in our protocol as:
[TABLE]
with global phase and relative phase . This implies that an adversary must access to unveil the information encoded in the states. Phase randomization scrambles the global phase reference by allowing to take values from uniformly at random instead of a single value. By considering the state and integrating over all possible values of , the adversary sees a classical mixture of Fock states given by Lo and Preskill (2005):
[TABLE]
where is the average photon number, and are the photon number states. As the coherent superpositions of number states vanish, the security proof may simply proceed according to the result of quantum non demolition (QND) photon number measurements. If there is no photon in the state, then there is no information. If there is photon, then the qubit security proof may be applied. If there are more than photons in the pulse, perfect cheating is possible, since one photon can be sent to a terminal 1 and another to terminal 2. For our protocol, this allows us to express the phase randomized states in a -dimensional orthonormal basis , where is the vacuum state, and span a qubit space, and constitute the four orthogonal outcomes which materialize the four perfectly distinguishable states in the multiphoton subspace. Our four phase-randomized coherent states may then be written as the following density matrices :
[TABLE]
where ,, , are the usual and eigenstates in the qubit space spanned by and the Poisson distribution coefficients are given by
[TABLE]
Appendix C : Extension of SDP (5) to parallel repetitions.
Semidefinite programming presents a dual structure, which associates a dual maximization problem to each primal minimization problem Watrous (2011); Vandenberghe and Boyd (1996). The optimal value of the primal problem then upper bounds the optimal value of the dual problem, and the optimal value of the dual problem lower bounds that of the primal problem. This property is known as weak duality. We also note that a single problem may admit several feasible solutions, i.e., operators which satisfy all the constraints. The optimal solution is the feasible solution which optimizes the objective function (the quantity we aim to minimize or maximize). In our setting, SDP (5) may be labelled as the primal problem. The aim of this section is to extend SDP (5) to a credit card containing states, and to derive its corresponding dual problem. In order to show that the adversary does not gain any advantage in correlating the states to better succeed, we will first show that a tensor product of optimal solutions of (5) is a feasible solution to this new primal SDP. We then have to show that there also exists a feasible solution for the associated dual problem which yields the same optimal value as that of the primal. Such a feature is known as strong duality, and implies that these feasible solutions are both the optimal solutions to the primal and dual problem, respectively. We failed to prove this strong duality analytically, but as shown below, numerical evidence indicate it should hold.
To generalize the loss and error operators to the parallel repetition case, we introduce the projector which, given a collection of quantum states living in Hilbert space , projects onto elements of and the orthogonal subspace of the other elements. More formally, this operator is defined as
[TABLE]
where is the -th quantum state of and is the -th element of a binary string of length which contains zeros. The summation then runs over all possible strings. Considering a new adversarial cloning map from the original -state credit card living in to a duplicated credit card space , the new loss operators may then be written as:
[TABLE]
where . The factors ensure that the total sum is normalized, as we are dealing with probabilities and not events. The new error operators read:
[TABLE]
where . For a credit card containing states, problem (5) may then be recast as:
[TABLE]
To derive the dual problem associated with (7), we first note that we can replace all inequalities by equalities (except the last semidefinite positive constraint) without loss of generality. This is due to the fact that the adversary can always symmetrize the probabilities by increasing the error rate or losses on card 2 to make them equal to those on card 1. The right hand side elements of the constraints from (7) may then be gathered in a -dimensional column vector . The first three elements read , and correspond to the value of , and , respectively. The other elements, corresponding to the first, trace-preserving constraint of (7), may be written as the vector representation of the identity over space . The vector representation of an operator is obtained through the following isomorphism D’Ariano et al. (2017) :
[TABLE]
The dual problem then maximizes the overlap of variable with constraint vector as:
[TABLE]
where is a matrix containing the elements to arranged in order left to right, top to bottom. The objective function reads . We note that a tensor product of optimal solutions represents a feasible solution to primal problem (7), as it satisfies all the constraints. We label the associated primal objective function value as , and remark that for all . We then search for a feasible solution to the dual problem (9) which allows to achieve , where is the dual objective function value. While we were not able to find a generic analytical solution to this problem, we have always found a numerical solution for a representative set of parameters and (specified in Table 2), satisfying
[TABLE]
and presenting a duality gap of order . Furthermore, adding the last condition as constraint to the SDP does not change the optimal value (within error, due to the fact the the value of is a numerical primal optimal value which is rounded up when added as a constraint in the dual problem). The conditions on enforce the following expression of the dual constraint:
[TABLE]
Since the error and loss operators are all positive semidefinite, then it follows that the sum of the first four terms in (11) is a negative semidefinite operator. Numerically, it appears to be possible to satisfy (11) by choosing appropriately the diagonal elements of , and we conjecture it is always possible.
In conclusion, we have found two feasible solutions such that , and strong duality holds for problems (7) and (9), at least up to numerical precision. The optimal solution to the primal problem for states can therefore be written as a tensor product of optimal solutions to the primal problem for state. This implies that the adversary does not gain any advantage in correlating the states in the card when performing an attack against a trusted terminal without phase randomization. A similar approach works to prove strong duality for the untrusted terminal case, and we conjecture that this method also works for both scenarios with phase-randomized states.
Appendix D : Optimal adversarial strategy with qubits in an untrusted terminal scenario.
A simple strategy corresponding to the error rate for a state encoded in the basis is :
Adopt the honest strategy and duplicate the classical outcome.
Success probability:
Pick a basis (or ) at random, measure the state in this basis, and send the classical outcome to answer challenge (or ). Send a random measurement outcome to the other challenge (or ). If the correct basis was picked, then the adversary succeeds with probability . If the wrong basis was picked, then the success probability is .
Success probability : = .
Since the bank will ask each of these challenge combinations with probability , then we have a total success probability , which yields .
Appendix E : Optimal error rate
If one wishes to minimize the error rate given a fixed honest loss rate, then one may cast the following SDP, which has a similar structure to (5) :
[TABLE]
The first constraint imposes that is trace-preserving, the second imposes that the error on card is greater or equal to that on card , the third and fourth impose that the losses on each card are smaller or equal to the honest expected losses , and the fifth imposes that is completely positive. Tables 3 give optimal numerical solutions to (12) for different scenarios, varying the phase-randomization, detection efficiencies, terminal trust, losses and average photon number .
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Wooters and Zurek (1982) W. K. Wooters and W. H. Zurek, Nature 299 , 802 (1982) . · doi ↗
- 2Wiesner (1983) S. Wiesner, ACM Sigact News 15 , 78 (1983) . · doi ↗
- 3Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proc. IEEE International Conference on Computers, Systems and Signal Processing , Vol. 1 (Bangalore, India, 1984) pp. 175–179.
- 4Gisin et al. (2002) N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74 , 145 (2002) , ar Xiv:quant-ph/0101098 . · doi ↗
- 5Scarani et al. (2009) V. Scarani, H. Bechmann-Pasquinucci, N. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, Rev. Mod. Phys. 81 , 1301 (2009) , ar Xiv:0802.4155 . · doi ↗
- 6Brodutch et al. (2016) A. Brodutch, D. Nagaj, O. Sattath, and D. Unruh, Quantum Information & Computation 16 , 1048 (2016) , ar Xiv:1404.1507 . · doi ↗
- 7Gavinski (2012) D. Gavinski, in Proc. IEEE 27th Annual Conference on Computational Complexity (CCC) (IEEE, 2012) pp. 42–52, ar Xiv:1109.0372 . · doi ↗
- 8Pastawski et al. (2012) F. Pastawski, N. Y. Yao, L. Jiang, M. D. Lukin, and J. I. Cirac, PNAS 109 , 16079 (2012) , ar Xiv:1112.5456 . · doi ↗
