Refined security proof of the round-robin differential phase shift quantum key distribution and its improved performance in the finite-sized case
Takaya Matsuura, Toshihiko Sasaki, and Masato Koashi

TL;DR
This paper refines the security proof of the RRDPS quantum key distribution protocol in finite-sized regimes, leading to improved key rates without altering experimental setups.
Contribution
The authors provide a tighter security proof for RRDPS in finite-sized scenarios, enhancing key rates while maintaining the protocol's original features.
Findings
Achieved a tighter estimation of information leakage.
Improved key rates in asymptotic and finite-sized cases.
Maintained the protocol's original experimental features.
Abstract
Among many quantum key distribution (QKD) protocols, the round-robin differential phase shift (RRDPS) protocol is unique in that it can upper-bound the amount of the information leakage without monitoring the signal disturbance. To expedite implementation of the protocol, however, the number of pulses forming a single block should be kept small, which significantly decreases the key rates in the original security proof. In the present paper, we refine the security proof of the RRDPS protocol in the finite-sized regime and achieve a tighter estimation for the information leakage without changing the original experimental setups. As a consequence, we obtain better key rates in both asymptotic and finite-sized cases while keeping the preferable features of the protocol, such as omission of phase randomization.
Takaya Matsuura
Department of Applied Physics, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo 113-8656, Japan
Toshihiko Sasaki
Department of Applied Physics, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo 113-8656, Japan
Photon Science Center, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo 113-8656, Japan
Masato Koashi
Department of Applied Physics, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo 113-8656, Japan
Photon Science Center, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo 113-8656, Japan
I Introduction
One of the most important implications of quantum information theory is that information-theoretically secure communication is possible by means of quantum key distribution (QKD). Since the first proposal of the BB84 protocol [1], much research has been carried out in the field. In recent years, the real-world implementation of QKD has been attracting much attention. For real-world implementation, we need to consider carefully the finite-size effect of the key and the imperfections of the experimental devices, because communication in the real world is often done in limited time and with imperfect devices. The finite-sized key rate of a QKD protocol is especially important when we consider communication between the ground and a satellite [2, 3], for which the communication time is limited and therefore only a small number of bits can be sent at a time.
The round-robin differential phase shift (RRDPS) protocol [4] is a QKD protocol with the special property that the required amount of privacy amplification is determined only by the protocol parameters and is independent of the bit error rate. Due to this property, the protocol is expected to be able to generate a key even when the number of communication rounds is small, because it does not suffer from the convoluted statistical estimation of the information leakage. The protocol can be implemented with a light source producing a coherent laser pulse train at the sender, and a variable-delay interferometer followed by photon detection at the receiver. A number of experimental demonstrations have already been made [5, 6, 7, 8]. In particular, the apparatus for the sender can be made very simple with only binary phase modulation, and the security can be proved without phase randomization of the optical pulses. Fewer assumptions on the light source in the RRDPS protocol also lead to robustness against source imperfections [9].
On the other hand, the RRDPS protocol also has a few undesirable features. The protocol assumes a variable delay interferometer which should be switched among different delays actively or passively for each pulse block. Implementing such an interferometer is costly especially for large . Furthermore, the asymptotic key rate of the RRDPS protocol even with relatively large block size () is about one-tenth of that of the decoy BB84 protocol [10], which is a widely used and the most studied practical QKD protocol. The key rate gets even worse when we decrease to simplify the implementation. Therefore, it is desirable to improve the key rate of the RRDPS protocol, especially for relatively small . There has been intensive research to mitigate or overcome these problems both in theory [11, 12, 13, 14, 15, 16, 17, 18] and in experiment [7, 19].
Very recently, Yin et al. showed that by directly evaluating Eve’s collective attacks, one can improve the key rate of the RRDPS protocol with block-wise phase randomization without any change in the protocol [18]. It also implies that we can decrease to achieve the same key rate. Unfortunately, the analysis in [18] cannot directly be extended to the finite-sized case, and thus its usage is limited.
In this paper, we refine the security proof of the RRDPS protocol with a different approach and obtain better key rates in both the asymptotic and finite-sized cases without block-wise phase randomization. The main idea of our analysis is to utilize the information disregarded in the original security proof, which leads to a tighter estimation for the amount of the information leakage without the aid of the block-wise phase randomization. Our analysis developed here is based on the technique used in the security proof of the differential quadrature phase shift protocol [20], and it may be applicable to other high dimensional QKD protocols including other DPS-type protocols. The obtained key rate in the asymptotic limit with our analysis is almost the same as that in [18], but we do not require the block-wise phase randomization, and we can also explicitly give the key rate formula in the finite-sized case. Furthermore, we show that the RRDPS protocol outperforms the decoy BB84 protocol when the number of communication rounds is small.
The paper is organized as follows. In Section 2, we develop the refined security proof of the RRDPS protocol, which is the main part of this paper. We give the definition of the protocol and subsequently construct a compatible virtual protocol which includes a crucial difference from the original one. We further introduce another auxiliary protocol which reproduces the statistics of the phase errors in the virtual protocol, and by analyzing it, we derive the main theorem, which gives the required amount of the privacy amplification. In Section 3, we numerically simulate the key rates of the RRDPS protocol with our refined analysis in both the asymptotic and finite-sized cases, illustrating how we determine the parameters which appear in the key rate formula. Finally, in Section 4, we wrap up our analysis, discuss the comparison between the techniques developed here and the existing ones, and refer to some remaining problems.
II Security proof
In what follows, denotes binary entropy function, denotes the conditional entropy with the joint probability distribution , and denotes the Kullback-Leibler divergence. denotes the expectation value of when the random variable obeys the probability distribution . is the trace norm distance and is the fidelity between the density matrices and . We call as the bit basis of the qubit, and as the phase basis. The controlled-NOT (CNOT) operation between control qubit 1 and target qubit 2 is defined as , where is the identity operator, , and . denotes identity matrix, and denotes the summation modulo . The base of the logarithm is taken to be .
II.1 The definition of the protocol
We first give the actual procedure of the RRDPS protocol [4] and the assumptions for the analysis in this paper.
Setups and assumptions: The sender Alice has a phase modulator and an i.i.d. source of weak coherent optical pulses. The quantum state of each optical pulse is represented by a density operator , which has no correlation with any other system. The probability that the source emits an odd number of photons is upper-bounded by a known parameter (e.g. ). Bob has a variable delay interferometer whose delay can be switched according to randomly generated numbers. The photon detector can distinguish zero, one, and two or more photons. The inefficiency and the dark counts of the photon detectors can be included in the channel loss. They share a public channel for announcement as well as a quantum channel. The eavesdropper Eve can perform arbitrary attacks allowed by the laws of quantum mechanics on the quantum channel and listen to all the announcements of Alice and Bob made over the public channel.
Protocol 1 (actual protocol):
Before the commencement of the protocol, Alice and Bob agree on constants and as well as a function and probabilities over full-rank binary matrices .
- (i) Alice and Bob repeat the following procedures for rounds.
  - Alice generates a sequence of random bits , and encodes them to optical pulses by modulating the optical phase of the -th pulse with (). She sends Bob the optical pulses through the quantum channel.
  - Bob randomly selects the delay and feeds the received pulses to the delayed interferometer as shown in Figure 1. He detects photons with the two detectors at time bins through .
    - If Bob detects only one photon from the -th to the -th time bin, and observes no detection at the other bins, he records a sifted key bit according to which photon detector has reported the detection. He also records the unordered pair , which are the positions of the pulse pair arriving at the detected time bin (). He announces “success”, and Alice records her random bit sequence . [Success round]
    - If the above condition is not satisfied, Bob announces “failure” and Alice discards her random bits. [Failure round]
- (ii) Let be the number of the success rounds. By proper indexing, Alice’s records are represented by , and Bob’s sifted key by and his unordered pairs by .
- (iii) Bob announces the sequence of the unordered pairs .
- (iv) Alice defines her sifted key by for .
- (v) (Bit error correction) Alice chooses and announces a bit error correcting code. She calculates the -bit syndrome for and encrypts it by consuming bits of the pre-shared secret key before she sends it to Bob. With the syndrome, Bob performs bit error correction on his sifted key and obtains the reconciled key of bits.
- (vi) (Privacy amplification) Let . Alice draws a full-rank binary matrix with the probability and announces it. Alice and Bob compute the final keys as and , respectively.
For simplicity, we omitted the bit error sampling rounds in the above protocol. In order to estimate an upper-bound on the bit error rate , Alice randomly inserts sampling rounds among rounds, and according to , she decides whether she aborts the protocol or not. Here we assume that is negligibly small compared to . The required amount of the error syndrome Alice sends to Bob in the bit error correction, , depends on the error correction method; here we assume , where is an error correction efficiency to satisfy the required correctness. The net key gain per pulse of the protocol is therefore given by .
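The classical bookkeeping of Protocol 1, steps (i)-(iv) and (vi), as an added example that is not code from the paper. It assumes the sifted bit is the XOR of the two phase bits at the announced positions, as in the original RRDPS protocol [4]. The success probability, the noise model, the uniform choice of the matrix and all function names are constructed for illustration, and the sketch neither performs error correction nor checks the dual-hashing requirement on the matrix distribution.

```python
import random


def run_rounds(n_rounds, L, p_success, bit_error, rng):
    """Steps (i)-(iv): return (alice_sifted, bob_sifted, announced_pairs)."""
    alice_records, bob_sifted, pairs = [], [], []
    for _ in range(n_rounds):
        s = [rng.getrandbits(1) for _ in range(L)]  # Alice's phase bits for one block
        r = rng.randrange(1, L)                     # Bob's random delay, 1..L-1
        if rng.random() >= p_success:               # failure round: Alice discards s
            continue
        k = rng.randrange(0, L - r)                 # interfering pulses k and k+r (0-based)
        bit = s[k] ^ s[k + r]                       # detector that clicks on an ideal channel
        if rng.random() < bit_error:                # constructed channel noise
            bit ^= 1
        alice_records.append(s)
        bob_sifted.append(bit)
        pairs.append((k, k + r))                    # the only data Bob announces
    # Step (iv): Alice builds her sifted key from her records and the pairs alone.
    alice_sifted = [s[k] ^ s[l] for s, (k, l) in zip(alice_records, pairs)]
    return alice_sifted, bob_sifted, pairs


def gf2_rank(rows):
    """Rank over GF(2) of a matrix whose rows are integer bitmasks."""
    basis = []  # independent rows, each with a leading bit the others lack
    for v in rows:
        for b in basis:
            v = min(v, v ^ b)  # clears b's leading bit in v if it is set
        if v:
            basis.append(v)
    return len(basis)


def sample_full_rank_matrix(n_fin, n_in, rng):
    """Draw an n_fin x n_in binary matrix, rejecting rank-deficient draws."""
    if not 0 < n_fin <= n_in:
        raise ValueError("need 0 < n_fin <= n_in")
    while True:
        rows = [rng.getrandbits(n_in) for _ in range(n_fin)]
        if gf2_rank(rows) == n_fin:
            return rows


def apply_matrix(rows, key_bits):
    """Step (vi): matrix-vector product over GF(2); bit j of a row multiplies key_bits[j]."""
    key = sum(b << j for j, b in enumerate(key_bits))
    return [bin(row & key).count("1") & 1 for row in rows]


def bit_error_rate(a, b):
    """Fraction of positions where the two sifted keys differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


if __name__ == "__main__":
    rng = random.Random(1)  # seeded for reproducibility; not a source of key-grade randomness
    alice, bob, pairs = run_rounds(5000, 16, 0.1, 0.0, rng)
    n_fin = len(pairs) // 2  # constructed final length, not the paper's formula
    C = sample_full_rank_matrix(n_fin, len(pairs), rng)
    print(len(pairs), "success rounds; final keys agree:",
          apply_matrix(C, alice) == apply_matrix(C, bob))
    noisy_a, noisy_b, _ = run_rounds(5000, 16, 0.1, 0.05, rng)
    print("observed bit error rate:", bit_error_rate(noisy_a, noisy_b))
```

With a nonzero `bit_error` the two sifted keys differ, which is why step (v) has to run before the matrix is applied.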
We evaluate the secrecy of Protocol 1 by the -secrecy condition for Alice’s final key defined as
[TABLE]
Here is the probability of obtaining , where aborting the protocol is interpreted as . The density operator represents the state of Alice’s final key and Eve’s quantum system, which takes the form of
[TABLE]
The ideal state is defined as
[TABLE]
II.2 The reduction of the protocol
We prove the secrecy condition (1) of the protocol based on complementarity [21]. In this way of the security proof, we introduce a virtual protocol (Protocol 2) in which Alice’s -bit final key is obtained by a bit basis measurement on register qubits. Protocol 2 should be related to Protocol 1 such that for every attack on Protocol 1, there exists an attack on Protocol 2 resulting in the same final state ( and ). While the original proof [4] followed the same technique, our construction of Protocol 2 below (see also Figure 2) includes a modification (shown in bold fonts) which is crucial to an improvement of the key rate.
Protocol 2 (virtual protocol):
Before the commencement of the protocol, Alice and Bob agree on constants and as well as functions , , and probabilities over full-rank binary matrices .
- (i) Alice and Bob repeat the following procedures for rounds.
  - Alice prepares an -qubit register , a reference , and optical pulses (system ) in the following state:
[TABLE]
    where , and is the photon number operator for the -th pulse. She sends Bob the optical pulses through the quantum channel.
  - Bob measures the photon number of each of the received pulses. He also generates a uniformly random binary number .
    - If Bob detects only one photon in the block and the generated random number is [math], he announces “success” and Alice keeps her register qubits . Let be the position of the pulse with the detection. Bob randomly selects and records the ordered pair . [Success round]
    - If the above condition is not satisfied, Bob announces “failure” and Alice discards her qubits. [Failure round]
- (ii) Let be the number of the success rounds. By proper indexing, Alice’s qubit registers are represented by and Bob’s records of ordered pairs are represented by .
- (iii) Bob announces the sequence of unordered pairs . He additionally announces the ordered pairs .
- (iv) According to the ordered pairs , Alice applies a CNOT operation between qubits and with being control and being target. She stores qubit as the th sifted key qubit, which she renames as . She then measures qubit in the phase basis to obtain a binary outcome . She also performs phase-basis measurement on each of the qubits to count the number of the qubits with outcome . Alice records . At the end, she has sifted key qubits , and the sequence .
- (v) Alice chooses and announces a bit error correcting code.
- (vi) Let . Alice draws a full-rank binary matrix with the probability and announces matrix . She applies a unitary to her sifted key qubits, and performs phase basis measurement on the subsystem to obtain -bit sequence . Using and , Alice computes and applies a unitary to the remaining qubits (final key qubits), where is the matrix .
- (vii) She performs bit basis measurement on the final key qubits and obtains the final key .
We choose the parameters in Protocol 2 according to those of Protocol 1 as follows. The constants and and the function are the same as those of Protocol 1. The probability is chosen to satisfy
[TABLE]
If Alice performed bit basis measurement on her register qubits of (4), she would obtain the random bit sequence with the same probability and the optical pulses in the same state as those in Protocol 1. In addition, all the quantum operations of Alice in Protocol 2, which are composed of permutations of the bit basis, are equivalent to the classical information processing in Protocol 1. (Note that does not change the bit basis of the qubits.) Furthermore, as shown in the original paper [4], Bob announces unordered pairs in Protocol 2 with the same probability as in Protocol 1. Therefore, for every attack of Eve in Protocol 1, we can define a corresponding attack in Protocol 2 by letting Eve ignore the ordered pairs . Then, by setting the parameters as mentioned above and with the attack by Eve as defined above, we can conclude that the final state of Alice and Eve at the end of (vii) in Protocol 2 is equal to in Protocol 1.
On the other hand, let be the quantum state on Alice’s final key qubits and Eve’s system at the end of (vi) in Protocol 2. If satisfies
[TABLE]
where and , and Eve performs the attack as defined above, the left-hand side of (1) is proved to satisfy
[TABLE]
and thus Protocol 1 is -secret [21, 22].
The fidelity in the left-hand side of (6) is equal to the probability that Alice obtains -bit sequence when she measures in the phase basis. We therefore consider the alternative procedure (vii)’ after (vi) in Protocol 2 as follows:
- (vii)’ She performs phase basis measurement on the final key qubits and obtains the final-phase key .
Using , the fidelity in (6) is given by
[TABLE]
In order to evaluate the right-hand side, we introduce a third protocol which faithfully simulates the statistics of as follows.
Protocol 3 (estimation protocol):
- (i) Alice and Bob follow the step (i) of Protocol 2 except that Alice measures the qubits in the phase basis immediately after its preparation, and obtains a bit sequence . She records for every round. In the success rounds, Alice records the sequence . Let be the number of rounds with , where .
- (ii) By proper indexing, Alice has the bit sequences . Bob has the sequence of ordered pairs, .
- (iii) Bob announces the sequence of unordered pairs . He additionally announces the ordered pairs .
- (iv) With the ordered pairs , Alice computes the following variables for .
[TABLE]
  At the end, she has a sifted-phase key and the sequence as well as the sequences and .
- (vi) She draws a full-rank binary matrix with probability . She computes , , and . Using and , she computes and obtains the final-phase key .
Since all the quantum operations of Alice in Protocol 2 are composed of permutations of the phase basis states, Alice’s procedures of determining in Protocol 2 with (vii)’ and those in Protocol 3 are equivalent. (We used the property of CNOT operation to derive (9) and (13).) It is clear in Protocol 3 that the following inequality always holds:
[TABLE]
With (8), the left-hand side of the above inequality is identified as the left-hand side of (6). Therefore, if we can ensure
[TABLE]
the condition (6) is satisfied. The parameter in (16) can be regarded as an upper-bound on the probability that Alice misidentifies the sequence (phase error patterns) and computes the wrong sequence when given the sequence and the syndrome .
The bound can be further related to the number of candidates of , given and . Suppose that a family of sets satisfies
[TABLE]
Suppose further that for a function which depends only on ,
[TABLE]
holds, where $\bigl|T(N,y^{N})\bigr|$ is the cardinality of . We assume that the selection of with probability in Protocol 3 is equivalent to hashing, i.e.
[TABLE]
which amounts to require in Protocol 1 to be dual hashing [23]. Then, by setting
[TABLE]
we obtain, from the union bound,
[TABLE]
because learning eliminates all the wrong candidates in except probability no more than . Then, from (6), (7), (21), and by identifying , Protocol 1 is -secret.
The conclusion of this subsection is as follows. If we can define which satisfies
[TABLE]
in Protocol 3 and
[TABLE]
for a function which depends only on , then by setting
[TABLE]
Protocol 1 can be made -secret.
II.3 The origin of the improvement
Here we give a crude explanation of why we expect an improvement of the key rate from the introduction of additional information collected by Alice in Protocol 2. In the asymptotic limit, the ratio is given by , where is the fraction for the shortening in privacy amplification, representing an upper-bound on the amount of leaked information. In the original security proof, for the implementation without phase randomization, it is simply given by , where is the average phase error probability of a sifted key qubit. In this framework, the best strategy by Eve is to make as high as possible. It is simply achieved by her measuring all the photon number parities , followed by choosing the index such that , as illustrated in Figure 3, (i) and (ii). Since the index is chosen randomly, phase error occurs (like (i)) with probability for a round, resulting in . Hence, Eve will only have to choose rounds with higher values of .
The introduction of drastically changes Eve’s strategy. In this case, the asymptotic fraction will be given by a conditional entropy as , where is the phase error probability conditioned on . As seen in Figure 3, case (i) and case (ii) have distinct values of , and thus no longer contributes to . In order to increase the conditional entropy, Eve must mix the case with the same values of , such as cases (iii) and (iv). Due to the randomness of index , these inevitably lead to occurrence of other cases like (v) and (vi), and this continues. Notice that these cases involve different values of . Hence simply choosing higher values of no longer works for Eve, and she must find an appropriate balance over the values of to make the conditional entropy higher.
We emphasize here that the above constraint for Eve is quite natural once we notice that her true objective is not to increase the phase error probability but to learn the optical phase difference between the pair of pulses. The value of is encoded on the relative phase of superposition states of (i) and (iii), and on that of (ii) and (iv), for example. In this sense, the introduction of can be interpreted as providing more precise evaluation of Eve’s ability to learn Alice’s sifted key bits. The reduction to Protocol 3 in the previous subsection is essentially regarded as reducing that evaluation to a problem on classical random variables possessed by Alice alone. It is nonetheless convoluted and involves many variables and constraints, but it will be efficiently solved by introducing Lagrange multipliers in the next subsection.
II.4 The estimation of the number of phase error patterns
In this subsection, we give an explicit construction of , the set of likely phase error patterns. The construction has free parameters and served as Lagrange multipliers, which will be defined later. While any proper choice of the parameters makes Protocol 1 secure, the key length will depend on the choice.
In what follows, we adopt the following notations. For a finite set , we define as the set of all the probability mass functions on . When a set is associated with uniquely by a function , we denote the distribution on induced from by , which satisfies
[TABLE]
for . For a finite set , the type for is defined by
[TABLE]
for .
Let and be the set of all the possible values of and in Protocol 3, respectively. Let be the finite set defined as follows:
[TABLE]
Let , , and be the projections from the Cartesian product restricted on . Let be the function defined by
[TABLE]
In Protocol 3, and are related to by
[TABLE]
and hence is uniquely determined once sequences , , and are given. We denote the binomial distribution with trials by , where
[TABLE]
When Eve’s attack is fixed in Protocol 3, the joint probability distribution of and , denoted by , is determined. In what follows, denotes the probability under . Regardless of Eve’s attacks, the following three conditions hold for .
1. The variable obeys multinomial distribution
[TABLE]
with satisfying
[TABLE]
This property can be confirmed if we rewrite the initial state of Protocol 3, given by (4), as
[TABLE]
where is the projection operator onto the even (odd) photon number states. The probability of obtaining when measuring the -th qubit of (33) in phase basis, denoted by , is given by
[TABLE]
Hence the number follows the probability . Since is equal to the probability of emitting odd number of photons in a pulse, (32) holds by definition.
2. For the type of the random variable ,
[TABLE]
holds, which is obvious from the definition of the type.
3. Since Bob randomly chooses out of in each success round, the probability of obtaining in the th success round given and is . Therefore,
[TABLE]
holds for , where
[TABLE]
Let be the set of real non-negative constants which satisfy for all . Let be the set of the probability mass functions defined by
[TABLE]
From the conditions 1 and 2 of , the type in Protocol 3 belongs to with a high probability. More precisely, we have the following proposition with its proof given in Appendix A.
Proposition 1.
Let be the set of non-negative constants which satisfy for all . Suppose that and satisfy
[TABLE]
where the convex set is defined as
[TABLE]
When the random variables satisfy (31) and (35), the following inequality holds:
[TABLE]
Let be the set of real constants satisfying $\bigl|\xi_{M,U}\bigr|\leq 1$. Let be the set of the probability mass functions defined as
[TABLE]
Since the right-hand side of the inequality is a concave function with respect to , is a convex subset of . From the condition 3 of , the type in Protocol 3 belongs to with a high probability. More precisely, we have the following proposition with its proof given in Appendix B.
Proposition 2.
Let be the set of real constants which satisfy $\bigl|\xi_{M,U}\bigr|\leq 1$. Suppose that and satisfy
[TABLE]
When the random variables satisfy the condition (36), the following inequality holds:
[TABLE]
We define the following convex set of probability mass functions over ,
[TABLE]
which satisfies
[TABLE]
if and satisfy (39) and (43), respectively (union bound). With , we define the set of likely phase error patterns as follows:
[TABLE]
If , by setting , we have , and thus . Therefore, from (46), we also have
[TABLE]
Here, the upper-bound of $\bigl|T(N,y^{N})\bigr|$ is obtained by using the following lemma.
Lemma 1 (The upper bound on the number of distinct patterns compatible to a joint probability distribution).
Let be a finite set, and be a closed convex subset of . Let and be sets associated with by functions and . For , define the set
[TABLE]
Then the cardinality of the set satisfies
[TABLE]
Although we have assumed specific choices of and , we can generally prove Lemma 1 without such specification, as shown in Appendix C. Since what we need is a bound on $\bigl|T(N,y^{N})\bigr|$ independent of as in (23), we use Lemma 1 with and take the maximum with all the possible sequence as follows:
[TABLE]
Combining Proposition 1 and 2, (45), (47), (48), and (51), we arrive at the following theorem.
Theorem 1 (The main result).
Let be the set of non-negative constants which satisfy . Let be the set of real constants which satisfy $\bigl|\xi_{M,U}\bigr|\leq 1$. Let and be non-negative numbers which satisfy
[TABLE]
where . Let and be non-negative numbers which satisfy
[TABLE]
Let be a function of which satisfies
[TABLE]
where is given in (45). Then, if the three conditions (31), (35), and (36) are satisfied, there exists which satisfies
[TABLE]
in Protocol 3, and
[TABLE]
Combining this and the conclusion of the section II.2, we conclude that Protocol 1 can be made -secret by setting as in (24).
III Numerical simulations
We numerically simulate the net key gain per pulse of the RRDPS protocol using Theorem 1. We set
[TABLE]
where denotes the ceiling function. Since the conditional entropy function is concave with respect to the joint probability distribution , what we need is to solve the following constrained convex optimization problem:
[TABLE]
with a proper choice of the constants and .
First, we consider the asymptotic limit while the block detection rate remains constant. In this case, we can neglect and , and the optimization problem (58) is reduced to the following simple form:
[TABLE]
Here the equality of the second constraint comes from the fact that can be both positive and negative. Finding the best bound on by adjusting and is equivalent to solving the following convex optimization problem with the affine constraints:
[TABLE]
Since the problem is convex, if we can find and that satisfy the following Karush-Kuhn-Tucker (KKT) condition, the maximum of in the problem (60) is achieved at .
[TABLE]
The asymptotic limit of the amount of privacy amplification is then given by
[TABLE]
For the numerical simulation of the key rate, we assume that the block detection rate is given by
[TABLE]
where is an overall transmission rate of the channel and is the mean photon number of each pulse from the source. (This rate is equal to the probability of detecting single photon in a block with efficiency [4].) We neglect the dark count rate. In addition, we assume that the photon number distribution of each pulse is Poissonian with mean . From (34), in this case is given by
[TABLE]
We set . The error correction efficiency is set to . We numerically solved (61) and always found a solution. Figure 4 shows the key rates vs. transmission rates by our new analysis and by the original analysis with the key rate of the decoy BB84 protocol with time-bin implementation when . One can see that our new analysis improves the key rates of the RRDPS protocol for all compared to the original one. Moreover, we obtain an improvement of more than one order of magnitude in the key rate with relatively small , which may improve the practicality of the protocol. The improved key rates with our analysis are comparable to those obtained in [18], but our analysis does not require the optical phase randomization.
Next we simulated the key rates in the finite-sized case by solving (58) with a heuristic choice of and . Regardless of , we used and , which are obtained as the solutions of (61), to define
[TABLE]
where is defined as
[TABLE]
This heuristic choice of and becomes optimal when , i.e. in the asymptotic limit. We set the required correctness and the required secrecy to . We assumed that the bit error correction efficiency . Furthermore, for simplicity, we set
[TABLE]
in order to satisfy . We determined the values of and by numerically solving
[TABLE]
where . When we solved the optimization problem, we used the “minimize” function of the scipy library in Python with the “SLSQP” method. Figure 5 shows the key rates vs. the total emitted pulses of the RRDPS protocol with our analysis and with the original analysis, and of the decoy BB84 protocol. (The number of total emitted pulses is given by in the case of the RRDPS protocol.) Since the sampling cost is negligible only when we allow a margin for the estimation of , we expect that the actual bit error rate should be lower than . For this reason, we have also plotted the rate with for the decoy BB84 protocol. Comparison of these rates shows that the improvement of the key rates over the original proof survives up to fairly small number of total emitted pulses at which the decoy BB84 protocol fails to produce a key.
IV Discussion
In this paper, we proposed a refined security proof of the RRDPS protocol, which improves the key generation rate without any change in the protocol itself. The crux of the improvement is an observation that the estimation of the phase error pattern in the virtual protocol can be aided by additional information , which was ignored in the original security analysis. The pair of parameters are related to the parity of the number of emitted photons in each of the pulses forming the -th block (see (9)-(14)). The parameter is associated with the pulse pair from which the sifted key bit is extracted, while the parameter is associated with the rest of the pulses. It is interesting that not only but also contributes to the improvement of the key rate.
The use of additional information related to the emitted numbers may look similar to the tagging technique [25] used for the (decoy) BB84 protocols with a practical source, where the latter uses the information of whether each pulse contains multiple photons (tagged) or not (untagged). There are, however, a couple of differences. One is the conceptual difference arising from the timing at which the tag is defined. In the case of the BB84 protocols, a tag is defined when the optical phase randomization is applied to the pulse before it leaves the sender. As a result, we can easily analyze the statistical properties of the tags without regard to Eve’s attack. In contrast, in our case should be dubbed an ex post facto tag, because it is defined only after the positions of the pair of pulses are announced by Bob. The analysis of the statistical properties of the ex post facto tags is not straightforward and often requires special techniques to extract a property that is independent of Eve’s attack [20]. In our case, it is solved by introducing a third protocol (Protocol 3) solely for this purpose. From the viewpoint of implementation, the ex post facto tag has the advantage that it does not require optical phase randomization.
Another difference is a rather technical one that becomes significant in analyzing the finite-sized case. In contrast to the tag for the BB84 protocols, which takes two values (multiple photons or not) or three values (multiple photons, single photons, or vacuum), our tag takes $\bigl|\mathcal{Y}\bigr|=2(L-1)$ values. As a result, the number of rounds with a specific value of tag, , is much smaller than . In addition, the constraint (36) essentially dictates a connection between the events whose tags take different values. In such a case, it is not wise to derive a statistical bound separately for each value of and then to combine those bounds by using the union bound. Instead, here we introduced Lagrange multipliers and derived an inequality for a combined property directly, as in Propositions 1 and 2. For counting the number of phase error patterns, the bound in Lemma 1 that is independent of the size $\bigl|\mathcal{Y}\bigr|$ will be quite useful for mitigating finite-sized effects.
Although the above strategy succeeded in showing that the improvement persists up to a relatively small total number of emitted pulses, we see in Figure 5 that the rate is eventually surpassed by the original analysis when the total number is further decreased. We may ascribe it to either or both of the following two reasons. One is the fact that we did not optimize the values of the Lagrange multipliers and substituted the values in the asymptotic limit instead. The other is the use of a Bernstein inequality in the proof of Proposition 2, which affects the key rate through the definition of in (42). It remains open whether we can replace it with a tighter bound while keeping the convexity of .
We emphasize here that our focus in the present paper was on the simplest implementation of the sender’s apparatus, namely, the use of the protocol without block-wise phase randomization in the original proposal, as it is. A natural question is how the situation changes if we combine block-wise phase randomization with our analysis. On one hand, the aid of block-wise phase randomization does not seem to change the key rate so much, considering that the key rate with our analysis is comparable to that with [18], in which the block-wise phase randomization is used. On the other hand, may be significantly narrowed by the additional photon number constraint which is the consequence of the block-wise phase randomization. We leave this for future research.
Acknowledgements.
This work was funded in part by ImPACT Program of Council for Science, Technology and Innovation (Cabinet Office, Government of Japan), Photon Frontier Network Program (Ministry of Education, Culture, Sports, Science and Technology), CREST (Japan Science and Technology Agency), and JSPS KAKENHI Grant Number JP18K13469.
Appendix A Proof of Proposition 1
Let be defined as . From the condition (31) and the fact that is a convex set, we can apply the special case of Sanov’s theorem [26, 27] to as follows:
[TABLE]
Let be the constant given by
[TABLE]
Let be the probability mass function which is defined as
[TABLE]
which is well-defined since holds for all , and . We define the stochastic map as follows:
[TABLE]
where
[TABLE]
It is easy to observe that
[TABLE]
Furthermore, since (i) and for all , and (ii) for all , we have
[TABLE]
Therefore, from the definition of in (40), we have
[TABLE]
Combining (75) and (77) with the monotonicity property of the Kullback-Leibler divergence under the stochastic map [28], we have
[TABLE]
[TABLE]
On the other hand, since the random variables obey (35) and are non-negative, we have
[TABLE]
and hence
[TABLE]
Combining (81) with the definition of , we have
[TABLE]
where the first inequality follows from (81). Combining this with (79), we have
[TABLE]
Appendix B Proof of Proposition 2
We use one of Bernstein’s inequalities [29], which is stated as follows. Let be independent zero-mean random variables. Suppose that $\bigl|X_{k}\bigr|\leq 1$ for all . Then, for all non-negative ,
[TABLE]
holds.
For fixed values of , the condition (36) determines the conditional statistics of variables , where . They are independent and zero-mean. Furthermore, since $\bigl|\xi(m_{k},u_{k})\bigr|\leq 1$ and , $\bigl|X_{k}\bigr|\leq 1$ holds for all . Thus, (84) holds if we interpret and as the conditional probability and the conditional mean. Using the definition of the type, we can rewrite the sums over index as
[TABLE]
and
[TABLE]
We choose to be
[TABLE]
which satisfies
[TABLE]
Substituting (85), (86), and (87) into (84), we obtain the following:
[TABLE]
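Added example, not taken from the paper: a numerical check of a Bernstein-type tail bound for independent zero-mean variables with $|X_k|\leq 1$, compared against Hoeffding's bound and the exact tail. Equation (84) is not reproduced on this page, so the code assumes the commonly stated form $\Pr[\sum_k X_k \geq t] \leq \exp\bigl(-\tfrac{t^2/2}{\sum_k \mathrm{E}[X_k^2] + t/3}\bigr)$; the centred Bernoulli variables and the values of `n`, `p` and `t` are constructed for illustration.

```python
import math

def exact_upper_tail(n, p, t):
    """Exact P(S >= t) for S = sum_k (B_k - p), with B_k ~ Bernoulli(p) i.i.d.
    Each X_k = B_k - p is zero-mean and satisfies |X_k| <= 1."""
    k_min = max(math.ceil(n * p + t - 1e-9), 0)
    total = 0.0
    for k in range(k_min, n + 1):
        # Binomial pmf evaluated in log space to avoid overflow/underflow.
        log_pmf = (math.lgamma(n + 1) - math.lgamma(k + 1)
                   - math.lgamma(n - k + 1)
                   + k * math.log(p) + (n - k) * math.log(1 - p))
        total += math.exp(log_pmf)
    return total

def bernstein_bound(variance_sum, t, m=1.0):
    """Assumed standard form: exp(-(t^2/2) / (sum of variances + m*t/3))."""
    return math.exp(-(t * t / 2.0) / (variance_sum + m * t / 3.0))

def hoeffding_bound(n, t, width=1.0):
    """Hoeffding bound for n variables each confined to an interval of given width."""
    return math.exp(-2.0 * t * t / (n * width * width))

def compare(n, p, t):
    """Return the exact tail and both bounds for the constructed example."""
    variance_sum = n * p * (1 - p)
    return {
        "exact": exact_upper_tail(n, p, t),
        "bernstein": bernstein_bound(variance_sum, t),
        "hoeffding": hoeffding_bound(n, t),
    }

if __name__ == "__main__":
    # Low-variance case (p small): Bernstein is far tighter than Hoeffding.
    # High-variance case (p = 0.5): Hoeffding is tighter; both remain valid.
    for n, p, t in [(1000, 0.02, 15), (1000, 0.5, 50)]:
        r = compare(n, p, t)
        print(f"n={n} p={p} t={t}: exact={r['exact']:.3e} "
              f"bernstein={r['bernstein']:.3e} hoeffding={r['hoeffding']:.3e}")
```

Both bounds stay above the exact tail, and the gap between them is the kind of slack that reduces a finite-size key rate when a concentration inequality is not tight.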
Appendix C Proof of Lemma 1
For , define a set
[TABLE]
Since is a closed convex set, is also a closed convex set. Using the set, we can rewrite as
[TABLE]
Consider a probability mass function given by
[TABLE]
Then we have
[TABLE]
Let
[TABLE]
Then, we have (Pythagorean theorem [28])
[TABLE]
For with , we have
[TABLE]
and hence
[TABLE]
Combined with (93), we have
[TABLE]
On the other hand, for ,
[TABLE]
and hence
[TABLE]
References
- [1] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing (India, 1984) p. 175.
- [2] G. Vallone, D. Bacco, D. Dequal, S. Gaiarin, V. Luceri, G. Bianco, and P. Villoresi, Experimental satellite quantum communications, Phys. Rev. Lett. 115, 040502 (2015).
- [3] S.-K. Liao, W.-Q. Cai, W.-Y. Liu, L. Zhang, Y. Li, J.-G. Ren, J. Yin, Q. Shen, Y. Cao, and Z.-P. Li, Satellite-to-ground quantum key distribution, Nature 549, 43 (2017).
- [4] T. Sasaki, Y. Yamamoto, and M. Koashi, Practical quantum key distribution protocol without monitoring signal disturbance, Nature 509, 475 (2014).
- [5] H. Takesue, T. Sasaki, K. Tamaki, and M. Koashi, Experimental quantum key distribution without monitoring signal disturbance, Nature Photonics 9, 827 (2015).
- [6] S. Wang, Z.-Q. Yin, W. Chen, D.-Y. He, X.-T. Song, H.-W. Li, L.-J. Zhang, Z. Zhou, G.-C. Guo, and Z.-F. Han, Experimental demonstration of a quantum key distribution without signal disturbance monitoring, Nature Photonics 9, 832 (2015).
- [7] J.-Y. Guan, Z. Cao, Y. Liu, G.-L. Shen-Tu, J. S. Pelc, M. M. Fejer, C.-Z. Peng, X. Ma, Q. Zhang, and J.-W. Pan, Experimental passive round-robin differential phase-shift quantum key distribution, Phys. Rev. Lett. 114, 180502 (2015).
- [8] Y.-H. Li, Y. Cao, H. Dai, J. Lin, Z. Zhang, W. Chen, Y. Xu, J.-Y. Guan, S.-K. Liao, J. Yin, Q. Zhang, X. Ma, C.-Z. Peng, and J.-W. Pan, Experimental round-robin differential phase-shift quantum key distribution, Phys. Rev. A 93, 030302 (2016).
