Quantum key distribution with simply characterized light sources
Akihiro Mizutani, Toshihiko Sasaki, Yuki Takeuchi, Kiyoshi Tamaki,, Masato Koashi

TL;DR
This paper presents a security proof for quantum key distribution that requires minimal assumptions on light sources, simplifying device verification and enhancing practical security.
Contribution
It introduces a QKD security proof that relaxes many assumptions on light sources, relying only on basic independence and photon number bounds.
Findings
Security proof with minimal source assumptions
No need for detailed phase modulation characterization
Enhanced practical security verification
Abstract
To guarantee the security of quantum key distribution (QKD), several assumptions on light sources must be satisfied. For example, each random bit information is precisely encoded on an optical pulse and the photon-number probability distribution of the pulse is exactly known. Unfortunately, however, it is hard to check if all the assumptions are really met in practice, and it is preferable that we have minimal number of device assumptions. In this paper, we adopt the differential-phase-shift (DPS) QKD protocol and drastically mitigate the requirements on light sources. Specifically, we only assume the independence among emitted pulses, the independence of the vacuum emission probability from a chosen bit, and upper bounds on the tail distribution function of the total photon number in a single block of pulses for single, two and three photons. Remarkably, no other detailed…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Quantum key distribution with simply characterized light sources
Akihiro Mizutani*∗*
Mitsubishi Electric Corporation, Information Technology R&D Center, 5-1-1 Ofuna, Kamakura-shi, Kanagawa, 247-8501 Japan
Toshihiko Sasaki
Photon Science Center, Graduate School of Engineering, The University of Tokyo, Bunkyo-ku, Tokyo 113-8656, Japan
Yuki Takeuchi
NTT Communication Science Laboratories, NTT Corporation, 3-1 Morinosato Wakamiya, Atsugi-shi, Kanagawa 243-0198, Japan
Kiyoshi Tamaki
Graduate School of Science and Engineering for Research, University of Toyama, Gofuku 3190, Toyama, 930-8555, Japan
Masato Koashi
Photon Science Center, Graduate School of Engineering, The University of Tokyo, Bunkyo-ku, Tokyo 113-8656, Japan
Abstract
To guarantee the security of quantum key distribution (QKD), several assumptions on light sources must be satisfied. For example, each random bit information is precisely encoded on an optical pulse and the photon-number probability distribution of the pulse is exactly known. Unfortunately, however, it is hard to check if all the assumptions are really met in practice, and it is preferable that we have minimal number of device assumptions. In this paper, we adopt the differential-phase-shift (DPS) QKD protocol and drastically mitigate the requirements on light sources. Specifically, we only assume the independence among emitted pulses, the independence of the vacuum emission probability from a chosen bit, and upper bounds on the tail distribution function of the total photon number in a single block of pulses for single, two and three photons. Remarkably, no other detailed characterizations, such as the amount of phase modulation, are required. Our security proof significantly relaxes demands for light sources, which paves a route to guarantee implementation security with simple verification of the devices.
**Introduction
**Quantum key distribution (QKD) holds promise for information-theoretically secure communication between two distant parties, Alice and Bob LoNphoto2014 . Since QKD is a physical cryptography in which security is based on a mathematical model of the devices, several assumptions on Alice’s light source and Bob’s measurement unit have to be satisfied to guarantee the security. Any discrepancies between the device model and properties of the actual devices could be exploited to hack the implemented QKD systems. In fact, several experiments to crack implementation of QKD systems have been reported PhysRevA.91.032326 ; PhysRevA.92.022304 ; Lydersen2010 ; Gerhardt2011 , which is a crucial threat for security of QKD, and therefore it is important to close the gap between theory and practice.
So far, tremendous efforts have been made to relax the demands for light sources (see e.g. a review article Diamanti16 ). One possible approach to close the gap is to use device-independent (DI) QKD (see e.g. Rotem18 and references therein). However, to share an almost maximally entangled state between distant Alice and Bob in order to violate the Bell inequality is not practical with current technology, which renders DI protocols impractical at present. On the other hand, as for the device-dependent QKD, the BB84 protocol bb84 is one of the most investigated protocols, and its security assuming an ideal single-photon source PhysRevLett.85.441 ; Tomamichel12 ; Tomamichel2017 and an ideal phase randomized coherent-light source PhysRevA.89.022307 were proved. The security proofs were generalized to accommodate dominant imperfections of the devices. For example, perfect phase randomization is relaxed to discrete phase randomization 1367-2630-17-5-053014 , inter-pulse intensity correlations between neighboring pulses have been accommodated qcrypt2017tomita , and a perfectly symmetric encoding of random bit information is relaxed to asymmetric encoding with the loss-tolerant protocol PhysRevA.90.052314 ; AkihiroSCIC2018 . Another promising protocol is the round-robin differential phase shift (RRDPS) protocol Sasaki2014 . Its implementation security proof has been studied PhysRevA.92.060303 , which shows that the RRDPS protocol is robust against source flaws. However, the variable-delay interferometer used in this protocol is an obstacle to simple implementation.
In this paper, we adopt the differential-phase-shift (DPS) protocol dps2003 and drastically mitigate the demands for light sources, which is useful for simple characterization of the devices with quantified security. Our characterizations of light sources are based on the photon-number statistics of emitted pulses. Specifically, we suppose that the vacuum emission probability of each pulse is independent of a chosen bit, and an upper bound (for ) on the probability that each block of pulses contains or more photons. Here, these probabilities are the ones that would be obtained if we performed a photon number measurement, and we do not assume that the state is a classical mixture of Fock states. Remarkably, detailed characterizations of the source devices that were needed in previous security proofs of DPS protocol Kiyoshi2012dps ; Akihiro2017QSTDPS and the original DPS protocol dps2003 , such as the precise control of phase modulations, complete knowledge of the photon-number probability distribution, block-wise phase randomization, and a single-mode assumption on the emitted pulse are not necessary.
**Results
Assumptions on the devices.** Before describing the protocol, we summarize the assumptions we make on the source and the receiver. First, we list up the assumptions on Alice’s source as follows. In this paper, for simplicity of the security analysis, we consider the case where Alice employs three pulses contained in a single-block.
- (A1)
Alice chooses a random three-bit sequence , and is encoded only on the pulse in system . Depending on the chosen , Alice prepares a following three-pulse state in system :
[TABLE]
Here, denotes a density operator of the pulse when is chosen. We suppose that each system that purifies each of the state is possessed by Alice, and Eve does not have access to system . 2. (A2)
The vacuum emission probability of the pulse is independent of the chosen bit . That is, we require that the following equality holds for any :
[TABLE]
where is the vacuum state. 3. (A3)
For any chosen bit sequence , the probability that a single-block of pulses contains (with or more photons is upper-bounded by . That is,
[TABLE]
where denotes the number of photons contained in a single-block 111Note that is the sum of the number of photons in all the optical modes. . By using a calibration method based on a conventional Hanbury-Brown-Twiss setup with threshold photon detectors Kumazawa2017 , Alice can verify before running the protocol. If are estimated from such an off-line test, we need to assume that these bounds do not change during the on-line experiment.
We emphasize that for the security proof, we do not make any assumptions on phase modulations. That is, the precise control over the phase modulation and its characterization are not needed. We also emphasize that we do not make the single-mode assumption on the pulses, and the optical mode of the emitted pulse can depend on the bit . This includes, for example, the case where the state of the pulse when (1) is horizontal (vertical) polarization state. Our framework covers the original DPS protocol dps2003 using coherent states . In this case, in Eq. (3) is obtained through a priori Poissonian assumption. We note that the previous security proofs Kiyoshi2012dps ; Akihiro2017QSTDPS of the DPS protocol have assumed ideally phase modulated single-mode coherent states with block-wise phase randomization, which is removed in our analysis.
Next, we list up the assumptions on Bob’s measurement as follows.
- (B1)
Bob uses a one-bit delay Mach-Zehnder interferometer with two 50:50 beam splitters (BSs) and with its delay being equal to the interval of the neighboring emitted pulses. 2. (B2)
After the interferometer, the pulses are detected by two photon-number-resolving (PNR) detectors, which can discriminate the vacuum, a single-photon, and two or more photons of a specific optical mode. A click event of each detector corresponds to bit values of 0 and 1, respectively. We suppose that the quantum efficiencies and dark countings are the same for both detectors.
In Bob’s measurement, the () time slot is defined as an expected detection time at Bob’s detectors from the superposition of the and incoming pulses. Also, the () time slot is defined as an expected detection time at Bob’s detectors from the superposition of the 1st () incoming pulse and the incoming pulse in the previous block (1st incoming pulse in the next block).
Protocol.
The protocol runs as follows. In its description, denotes the length of a bit sequence . Fig. 1 depicts a protocol with a coherent laser source, which is one possible implementation within our security framework.
- (P1)
Alice chooses a random three-bit sequence and sends three pulses in a state to Bob via a quantum channel. 2. (P2)
Bob receives an incoming three pulses and puts them into the Mach-Zehnder interferometer followed by photon detection by using the PNR detectors. We call the event detected if Bob detects exactly one photon in total among the and time slots. The detection event at the () time slot determines the raw key bit . If Bob does not obtain the detected event, Alice and Bob skip steps (P3) and (P4) below. 3. (P3)
Bob announces the detected time slot over an authenticated public channel. 4. (P4)
Alice calculates her raw key bit . 5. (P5)
Alice and Bob repeat (P1)-(P4) times. 6. (P6)
Alice randomly selects a small portion of her raw key for random sampling. Over the authenticated public channel, Alice and Bob compare the bit values for random sampling and obtain the bit error rate among the sampled bits. This gives the estimate of the bit error rate in the remaining portion. 7. (P7)
Alice and Bob respectively define their sifted keys and by concatenating their remaining raw keys. 8. (P8)
Bob corrects the bit errors in to make it coincide with by sacrificing bits of encrypted public communication from Alice by consuming the same length of a pre-shared secret key. 9. (P9)
Alice and Bob conduct privacy amplification by shortening their keys by to obtain the final keys.
In this paper, we only consider the secret key rate in the asymptotic limit of an infinite sifted key length. We consider the limit of while the following observed parameters are fixed:
[TABLE]
Security proof. Here, we summarize the security proof of the actual protocol described above and determine the fraction of privacy amplification in the asymptotic limit. The proof is detailed in Methods section. Our proof is based on the security proof Akihiro2017QSTDPS of the DPS protocol with block-wise phase randomization that employs complementarity Koashi2009 . A major difference between our proof and the previous proof Akihiro2017QSTDPS is that we do not assume block-wise phase randomization. If block-wise phase randomization is performed, the state of each single-block can be seen as a classical mixture of the total photon number state. This phase randomization simplifies the security proof because the amount of privacy amplification can be estimated separately for each photon number emission. However, under our assumptions (A1)-(A3), a phase coherence generally exists among blocks, and the state of each single-block cannot be regarded as a classical mixture of photon number states. Therefore, we need to take into account this phase coherence in proving the security. In our security proof, the central task is to derive the information increase due to this phase coherence among the blocks.
For the security proof with complementarity, we consider alternative procedures for Alice’s state preparation in step (P1) and the calculation of her raw key bit in step (P4). We can employ these alternative procedures to prove the security of the actual protocol because Alice’s procedure of sending optical pulses, and producing the final key is identical to the actual protocol. Also, Bob’s procedure of receiving the pulses and making his public announcement (for each round) in the actual protocol is identical to the corresponding procedure in the alternative protocol.
As for Alice’s state preparation in step (P1), she alternatively prepares three auxiliary qubits in system , which remain at Alice’s site during the whole protocol, and the three pulses (system ) to be sent, in the following state:
[TABLE]
Here, is the Hadamard operator, and is a purification of , namely, . Note from the assumption (A1) that system is assumed to be possessed by Alice.
As for the calculation of the raw key bit in step (P4), this bit can be alternatively extracted by applying the controlled-not (CNOT) gate on the and auxiliary qubits with the one being the control and the one being the target followed by measuring the auxiliary qubit in the -basis. Here, we define the -basis states for the auxiliary qubit as , and the CNOT gate is defined on this basis by with . Also, the -basis states are defined as with .
In order to discuss the security of the key , we consider a virtual scenario of how well Alice can predict the outcome of the measurement complementary to the one to obtain . In particular, we take the -basis measurement as the complementary basis, and we need to quantify how well Alice can predict its outcome on the auxiliary qubit. To enhance the accuracy of her estimation, Alice measures the auxiliary qubit in the -basis after performing on the and auxiliary qubits. As for Bob, instead of aiming at learning , he tries to guess the complementary observable to help Alice’s prediction. More specifically, Bob performs a virual measurement to learn which of the or half pulse has a single-photon, whose information is sent to Alice. We define the occurrence of phase error to be the case where Alice fails her prediction of the complementary measurement outcome (see Eq. (20) for the explicit formula of the POVM element of obtaining a phase error). Let denote the number of phase errors, namely, the number of wrong predictions of among trials. Suppose that the upper bound on the number of phase errors is estimated as a function of which denotes all the experimentally available parameters , in Eq. (4) and in Eq. (3). In the asymptotic limit considered here, a sufficient amount of privacy amplification is given by Koashi2009
[TABLE]
where is defined as for and for . Then, the secret key rate (per pulse) is given by
[TABLE]
The quantity in Eq. (7) is the upper bound on the phase error rate . Our main result, Theorem 1, derives with experimentally available parameters , and (see Methods section for the proof).
Theorem 1
In the asymptotic limit of large key length , the upper bound on the phase error rate is given by
[TABLE]
with .
From this theorem and Eq. (7), the scaling of the key rate with respect to the channel transmission is estimated. If the protocol is implemented by a weak coherent laser pulse as a light source with its mean photon number , the detection rate is in the order of and both and are in the order of . To obtain a positive secret key rate, the upper bound on the phase error rate must be smaller than 0.5:
[TABLE]
To maximize the key rate under this constraint, is decreased in proportion to . Therefore, we find that the scaling of the key rate is in the order of .
Simulation of secure key rates.
We show the simulation results of asymptotic key rate per pulse given by Eq. (7) as a function of the overall channel transmission (including detector efficiency). For simplicity of the simulation, we assume that each emitted pulse is a coherent pulse from a conventional laser with mean photon number . In this setting, in Eq. (3) is given by
[TABLE]
We adopt and suppose the detection rate as , where in the simulation we omit the cost of random sampling as its cost is negligible in the asymptotic limit. In Fig. 2, we plot the key rates for , and (from top to bottom). The key rates are optimized over for each value of . The optimized values of when is about (with ) and about (with ). From these lines, we see that all the key rates are proportional to . If we consider the overall channel transmission as (with denoting the distance between Alice and Bob) and laser diodes operating at 1 GHz repetition rate, we can generate a secure key at a rate of 170 bits s*-1* for a channel length of 50km and a bit error rate of 1%.
**Discussion
In this paper, we have provided the information-theoretic security proof of the DPS protocol based on simple source characterizations. Once one admits the commonly used assumption (A1) to be physically reasonable, our proof only requires the independence of the vacuum emission probability from a chosen bit, and the upper bounds on the probabilities that a single-block contains at least photons. Even with these experimentally simple assumptions, we demonstrated that we can generate a secret key at the rate of about 100 bits s-1 for inner-city QKD ( km) given realistic bit error rate of .
We end with some open questions. As for Alice’s side, it is interesting to extend our security proof by relaxing the assumption (A2) to the case where the vacuum emission probability is different , and Alice only knows the bounds on and . As for Bob’s measurement unit, it is important to relax the assumption (B2) to allow the use of threshold detectors.
**Methods
Outline**. Here we prove our main result, Theorem 1. First, we introduce notations that we use in the following discussions. Second, we introduce the POVM (positive operator valued measure) elements corresponding to a bit and phase error. Third, we explain the relation between the -basis measurement outcome () on the auxiliary qubit system and the number of photons contained in the emitted pulse. Finally, we prove Theorem 1 by using two lemmas, Lemmas 1 and 2. We leave the proofs of Lemmas 1 and 2 to Appendixes A and B, respectively.
Notations. We first summarize the notations that we use in the following discussions:
[TABLE]
for a vector that is not necessarily normalized, and the Kronecker delta
[TABLE]
Furthermore, we introduce the -basis states of Alice’s auxiliary qubit system as
[TABLE]
with and , and denotes the Hamming weight of a bit string . Let us define the projectors (with ), and as
[TABLE]
POVM element for a detected event. We introduce POVM elements for Bob’s procedure of determining the detected time slot and the bit value . Based on the following procedure, Bob can determine whether the event is detected or not prior to determining and . Bob sends the first pulse to the first BS in Fig. 1, and after the first pulse is split, one of the pulses goes to the long arm of the Mach-Zehnder interferometer, and we call it first half pulse. Bob keeps the second pulse as it is, and sends the third pulse to the first BS. After the third pulse is split at the first BS, one of the pulses goes to the short arm of the Mach-Zehnder interferometer (we call it the third half pulse). Bob then performs the quantum nondemolition (QND) measurement of the total photon number among the first half pulse, the third half pulse and the second pulse. The detected event is equivalent to an event where the QND measurement reveals exactly one photon. If the detected event occurs, the state of the three pulses after the QND measurement is in the subspace spanned by the orthonormal basis with representing the position of the single-photon (at the half pulse when and at the original pulse when ). Given the detection, the POVM elements for detecting the bit at the time slot () is given by
[TABLE]
with
[TABLE]
where and .
Bit- and phase-error POVM elements. Here, we construct the bit- and phase-error POVM elements and , respectively. Alice and Bob measure their systems and just after the QND measurement reveals exactly one photon to learn whether a bit error or phase error exists. Importantly, these POVM elements are defined only on Alice’s auxiliary qubit system and Bob’s system , and the assumptions on the encoded states in system do not come into their description. Therefore, even if the assumptions on Alice’s emitted states are different from those in the security proof Akihiro2017QSTDPS of the DPS protocol with block-wise phase randomization, the same formulas of the bit- and phase-error POVM elements in Akihiro2017QSTDPS can be used. Here, we only provide brief explanations of how to construct and , and refer details to Ref. Akihiro2017QSTDPS .
First, we introduce the POVM element corresponding to announcing the time slot and the occurrence of a bit error. As a bit error occurs when (Alice’s -basis measurement outcome of the auxiliary qubit after performing on the and ones) and Bob’s measurement outcome are different, is given by
[TABLE]
Here and henceforth, we omit identity operators on subsystems, such as those for Alice’s irrelevant auxiliary qubits in the above equation. Eq. (17) is re-expressed as
[TABLE]
This equation shows that there are no cross terms between even parity terms ( with is even) and odd parity terms ( with is odd). Therefore, we have
[TABLE]
This equation can be derived more intuitively. The parity of can be determined by measuring the auxiliary qubits in the -basis except for the one after performing on the and qubits. This implies that the measurement and commute, and hence we obtain Eq. (19). Eq. (19) plays an important role in proving Theorem 1.
Second, we introduce the POVM element corresponding to announcing the time slot and the occurrence of a phase error. A phase error event is defined as an event where Alice fails her prediction of the -basis measurement outcome on the auxiliary qubit. To enhance the accuracy of her estimation, she measures the auxiliary qubit in the basis (with denoting its result) after performing , and Bob measures system to learn which of the or pulse has a single-photon. With the help of information of and Bob’s information, Alice adopts the following strategy for predicting . As for the case of , if Bob reveals that the [] pulse has a single-photon, Alice predicts []. On the other hand, if , Alice predicts regardless of Bob’s information. The phase error event is defined as an instance of a wrong prediction of , and the POVM element corresponding to announcing the time slot and the occurrence of a phase error is represented by
[TABLE]
Since is diagonal in the basis , we have
[TABLE]
Then, by taking the sum over all the time slots, we obtain the bit and phase error operators as
[TABLE]
It follows that the probability of having a bit error is given by , and the one of having a phase error is . Here, denotes a state of Alice and Bob’s systems and just after the QND measurement reveals exactly one photon.
Relation between and . Here, we derive the relation between and . For this, we first derive the number of photons () contained in system when . Recall that the assumption (A2) guarantees that . From this assumption, by expanding the orthonormal basis of with the photon number states, (a purification of ) and (a purification of ) can be written as
[TABLE]
Here, and are normalized vectors of system , and . Since a purification has a freedom of choosing a unitary operator on system , the following state is also a purification of :
[TABLE]
In the following discussions, is chosen such that holds. Note from Eq. (5) that if , the state can be written as , where is an appropriate normalization constant. Using Eqs. (23) and (25) gives the vacuum emission probability of as
[TABLE]
This equation means that if , the state in system contains at least one photon. That is,
[TABLE]
Therefore, we obtain
[TABLE]
and from Eq. (3), the following inequality holds
[TABLE]
Proof of Theorem 1. Here, we prove Theorem 1 in the main text. For this, we first find an upper-bound on the phase error probability in terms of the bit error probability , which holds for any state . According to Eq. (20), since is diagonalized in the basis and , we have
[TABLE]
To upper-bound with experimentally available data, we employ the following Lemmas 1 and 2 (see Appendixes A and B for their proofs).
Lemma 1
[TABLE]
with .
Lemma 2
For any density operator ,
[TABLE]
Applying Lemmas 1 and 2 to Eq. (30) leads to
[TABLE]
With the relation between the bit and phase error probabilities, the next step is to derive an upper bound on the number of phase errors with experimentally available data. For this, we use Azuma’s inequality Azuma1967 to achieve this goal. Suppose that there are detected systems , and Alice and Bob sequentially measure each detected state in order. Let us consider the following specific way for choosing the sampled bits among the detected events; Alice probabilistically associates each detected event with a sample pair with probability or a code pair with probability , where . The sample pairs are employed for random sampling to obtain whereas the code pairs are for distilling secret key. For each code (sample) pair, Alice and Bob measure their systems to learn whether a phase (bit) error occurs or not. If a code (sample) pair entails a phase (bit) error, we call such an event “ph” (“bit”), otherwise we call “” (“”). Also, for each code pair, Alice measures her system in the -basis to obtain the outcome . Such simulataneous measurements are allowed because holds for any (). In this stochastic trial, the set of the measurement outcomes for each detected event is given by , and let denote the measurement outcome with .
Next, let us introduce various parameters that are needed in later discussions. The phase error rate in the code pair and the bit error rate in the sample pair are defined as
[TABLE]
where and respectively denote the number of code and sample pairs. We define the number of events that take among trials as
[TABLE]
and the sum of probabilities of obtaining at the trial conditioned on the previous outcomes with being constant as
[TABLE]
We can show that the sequence of random variables (with ), which are defined as
[TABLE]
and , satisfies the Martingale condition with respect to random variables , that is , . Here, denotes the expectation of conditioned on . Also, satisfies a bounded difference condition, namely, , . Once Martingale and the bounded difference conditions are satisfied, we can apply Azuma’s inequality; it follows that and
[TABLE]
Since Eq. (33) holds for any , by using Cauchy-Schwarz inequality: , we have
[TABLE]
where and .
By employing the consequence of Azuma’s inequality in Eq. (40) to each of all the five sums of conditional probabilities in Eq. (41), we obtain
[TABLE]
where and . When gets larger with any fixed , the probability of violating Eq. (42) decreases exponentially. Here and henceforth, we consider the limit of large and neglect . In this asymptotic limit, as and in Eq. (34), we obtain
[TABLE]
The last task for deriving the upper bound on is to upper-bound with experimentally available data. In so doing, in addition to the detected instances, we assume that Alice and Bob randomly associate each of the non-detected instances with a code instance with probability or a sample instance with probability . Then, we have that the the number of obtaining the outcome among the detected instances can never be larger than the one among the emitted code blocks. Since the probability of obtaining a code pair and the outcome when Alice emits the block is upper-bounded by according to Eq. (29), we can imagine independent trials with probability . Therefore, we can use Chernoff bound and obtain
[TABLE]
When the number of emitted blocks gets larger for any fixed , the probability of violating this inequality decreases exponentially. In the condition of asymptotic limit of , we neglect in the following discussions. By substituting Eq. (44) to Eq. (43), we finally obtain
[TABLE]
This ends the proof of Theorem 1.
Data availability. No datasets were generated or analyzed during the current study.
Acknowledgements. T.S. thanks the support from JSPS KAKENHI Grant Number JP18K13469. K.T. thanks the support from JSPS KAKENHI Grant Numbers JP18H05237 and JST-CREST JPMJCR 1671. This work was in part supported by Cross-ministerial Strategic Innovation Promotion Program (SIP) (Council for Science, Technology and Innovation (CSTI)).
Competing interests. The authors declare no competing interests.
Appendix A Proof of Lemma 1
In this Appendix, we prove Lemma 1 in the main text. We first explicitly describe and by respectively using Eqs. (18) and (20) as
[TABLE]
[TABLE]
In Eq. (46), it is straightforward to show that
[TABLE]
[TABLE]
To upper-bound by using , we remove the four projectors in that are orthogonal to the range of , which results in
[TABLE]
Moreover, we apply the following inequality that holds for any normalized vectors and with 222Note that Eq. (50) holds because the smallest eigenvalue of the following Hermitian operator:
(49)
is zero. ,
[TABLE]
with , to the last two projectors of the rhs in Eq. (48) and obtain
[TABLE]
This ends the proof of Lemma 1.
Appendix B Proof of Lemma 2
In this Appendix, we prove Lemma 2 in the main text. From Eq. (19), for any state we have
[TABLE]
which leads to
[TABLE]
Since 333 The last equality comes from the fact that holds for any square matrix . , we derive an upper bound on . From the expression of the POVM element given by Eq. (18), we have
[TABLE]
As and , we obtain
[TABLE]
This inequality implies that the operator norm of is upper-bounded by 1:
[TABLE]
where . Next, we define
[TABLE]
Its trace norm is written by using a unitary operator and is calculated as
[TABLE]
where we use the definition of Hilbert-Schmidt inner product in the second equality and use Schwarz inequality in the first inequality. Finally, using Hölder’s inequality, Eqs. (56) and (58) gives
[TABLE]
Therefore, we obtain
[TABLE]
Finally, by using Eqs. (53) and (60), we conclude that
[TABLE]
This ends the proof of Lemma 2.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1(1) H.-K. Lo, M. Curty, and K. Tamaki, Nature Photonics 8 , 595 (2014).
- 2(2) S. Sajeed, I. Radchenko, S. Kaiser, J.-P. Bourgoin, A. Pappa, L. Monat, M. Legré, and V. Makarov, Phys. Rev. A 91 , 032326 (2015).
- 3(3) S.-H. Sun, F. Xu, M.-S. Jiang, X.-C. Ma, H.-K. Lo, and L.-M. Liang, Phys. Rev. A 92 , 022304 (2015).
- 4(4) L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, Nature Photonics 4 , 686 (2010).
- 5(5) I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, Nature Communications 2 , 349 (2011).
- 6(6) E. Diamanti, H.-K. Lo, B. Qi, and Z. Yuan, npj Quantum Information 2 , 16025 (2016).
- 7(7) R. Arnon-Friedman, F. Dupuis, O. Fawzi, R. Renner, and T. Vidick, Nature Communications 9 , 459 (2018).
- 8(8) C. H. Bennett and G. Brassard, In Proc. IEEE Int. Conference on Computers, Systems and Signal Processing 175-179 (IEEE, New York, NY, Bangalore,1984).
