General sending-or-not-sending twin field protocol for quantum key distribution with asymmetric source parameters
Xiao-Long Hu, Cong Jiang, Zong-Wen Yu, and Xiang-Bin Wang

TL;DR
This paper introduces a generalized twin-field quantum key distribution protocol that accommodates asymmetric source parameters, enhancing performance in asymmetric channels and providing a security proof for this broader approach.
Contribution
The paper presents a new SNS protocol for TFQKD with asymmetric source parameters, extending the original protocol's applicability and security proof.
Findings
Improved key rate in asymmetric channels
Security proof for the generalized protocol
Enhanced robustness against misalignment errors
Abstract
The sending-or-not-sending (SNS) protocol of the twin-field quantum key distribution (TFQKD) can tolerant large misalignment error and its key rate can exceed the bound of repeaterless QKD. But the original SNS protocol requires the two users to use the same source parameters. Here we propose a general protocol with asymmetric source parameters and give the security proof of this protocol. Our general protocol has a much better performance than that of the original SNS protocol when the channel of the system is asymmetric.
| 5% | 50% | 1.1 | 0.2dB/km |
| (km) | (km) | general SNS | modified SNS | original SNS |
|---|---|---|---|---|
| 0 | 50 | |||
| 150 | 200 | |||
| 250 | 300 | |||
| 0 | 100 | |||
| 100 | 200 | |||
| 200 | 300 |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
General sending-or-not-sending twin field protocol for quantum key distribution with asymmetric source parameters
Xiao-Long Hu1, Cong Jiang1, Zong-Wen Yu2, and Xiang-Bin Wang1,3,4,5111Email Address: [email protected]
1State Key Laboratory of Low Dimensional Quantum Physics, Department of Physics,
Tsinghua University, Beijing 100084, People s Republic of China
2Data Communication Science and Technology Research Institute, Beijing 100191, China
3 Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China
Hefei, Anhui 230026, China
4 Jinan Institute of Quantum technology, SAICT, Jinan 250101, People s Republic of China
5 Shenzhen Institute for Quantum Science and Engineering, and Physics Department,
Southern University of Science and Technology, Shenzhen 518055, China
Abstract
The sending-or-not-sending (SNS) protocol of the twin-field quantum key distribution (TFQKD) can tolerant large misalignment error and its key rate can exceed the linear bound of repeaterless QKD. But the original SNS protocol requires the two users to use the same source parameters. Here we propose a general protocol with asymmetric source parameters and give the security proof of this protocol. Our general protocol has a much better performance than that of the original SNS protocol when the channel is asymmetric.
pacs:
03.67.Dd, 42.81.Gs, 03.67.Hk
I Introduction
Quantum key distribution provides a method for unconditionally secure communication BENNETT (1984); Lo and Chau (1999); Shor and Preskill (2000); Mayers (2001); Gisin et al. (2002); Gisin and Thew (2007); Renner (2008); Scarani et al. (2009); Koashi (2009) between two parties, Alice and Bob. Combined with the decoy-state method Inamori et al. (2007); Gottesman et al. (2004); Hwang (2003); Wang (2005); Lo et al. (2005); Adachi et al. (2007) and measurement-device-independent QKD (MDIQKD) protocol Lo et al. (2012); Braunstein and Pirandola (2012), QKD can overcome the security loophole from the nonideal single-photon sources Huttner et al. (1995); Yuen (1996); Brassard et al. (2000) and imperfect detection devices Lydersen et al. (2010); Gerhardt et al. (2011) and has developed rapidly both in theory Wang et al. (2007); Hayashi (2007); Wang (2013); Sasaki et al. (2014); Curty et al. (2014); Xu et al. (2013, 2014); Song et al. (2012); Zhou et al. (2014); Yu et al. (2015); Zhou et al. (2016); Jiang et al. (2016, 2017); Zhou et al. (2017); Huang et al. (2018); Chau (2018); Hu et al. (2018); Wang et al. (2018a) and experiment Rosenberg et al. (2007); Schmitt-Manderbach et al. (2007); Peng et al. (2007); Boaron et al. (2018); Yuan et al. (2007); Wang et al. (2008); Peev et al. (2009); Dixon et al. (2010); Sasaki et al. (2011); Fröhlich et al. (2013); Rubenok et al. (2013); Liu et al. (2013); da Silva et al. (2013); Chan et al. (2014); Tang et al. (2014a, b); Takesue et al. (2015); Wang et al. (2015); Pirandola et al. (2015); Comandar et al. (2016); Wang et al. (2017); Liao et al. (2017, 2018). The maximum distance of decoy-state MDIQKD has been experimentally increased to 404 kilometers Yin et al. (2016). But the key rate of BB84, MDIQKD protocol, or any modified version of these protocols cannot exceed the linear bounds of repeaterless QKD, such as the TGW bound Takeoka et al. (2014) and the PLOB bound Pirandola et al. (2017).
Recently, a new protocol named twin-field quantum key distribution (TFQKD) was proposed Lucamarini et al. (2018) whose key rate dependence on the channel transmittance is . Following this protocol, many variants of TFQKD were proposed Wang et al. (2018b); Tamaki et al. (2018); Ma et al. (2018); Lin and Lütkenhaus (2018); Cui et al. (2019); Curty et al. (2018); Lu et al. (2019); Grasselli and Curty (2019); Xu et al. (2019); Zhang et al. (2019); Zhou et al. (2019); Maeda et al. (2019) and some experiments of TFQKD were demonstrated Minder et al. (2019); Liu et al. (2019); Wang et al. (2019); Zhong et al. (2019). Among those protocols, one efficient protocol named the sending-or-not-sending (SNS) protocol Wang et al. (2018b) has the advantages of unconditionally security under coherent attacks and it can tolerant large misalignment error. And the SNS protocol with finite data size has been studied Yu et al. (2019); Jiang et al. (2019). However, the security proof of the SNS protocol requires the condition that the two users, Alice and Bob, use the same source parameters, such as the intensities of signal and decoy sources and the probability for sending coherent pulses in the windows.
Here we propose a general SNS protocol where Alice and Bob are not required to use the same source parameters. We give a security proof for this general protocol. Then we apply our general protocol to the case of asymmetric channels, i.e., the channel between Alice and Charlie (we will call it “Alice’s channel” for simplicity in this paper) and that between Bob and Charlie (we will call it “Bob’s channel” for simplicity in this paper) are not the same. The numerical results show that in this case the key rate of our general protocol is much higher than that of the original SNS protocol.
This paper is arranged as follows. In Sec. II, we present the procedures of our general SNS protocol with asymmetric source parameters. In Sec. III, we give a security proof of our protocol through three virtual protocols and their reductions. We show the results of numerical simulation of the general SNS protocol compared with the original SNS protocol in Sec. IV. The article ends with some concluding remarks in Sec. V. We give the formulas for key rate calculation in the appendix.
II General SNS protocol with asymmetric source parameters
A schematic of our general SNS protocol is shown in Figure 1. The two legitimate users, Alice and Bob, independently send coherent pulses and vacuum pulses to an untrusted third party (UTP), Charlie. Charlie takes compensation to the pulses, measures them, and announces the measurement results. Then Alice and Bob distill the final key from a set of the pulses according to the announced data. The details of the protocol are shown as follows.
Step 1. In each time window , they (Alice and Bob) independently decide whether this is a decoy window or a signal window. In her (his) decoy window, she (he) randomly chooses one of a few states (), for , to send out a decoy pulse to Charlie where are the vacuum states and (), , are coherent states (). (In this paper, we denote the imaginary unit as .) In her (his) signal window, she (he) decides to send out to Charlie a signal pulse in the state () and puts down a bit value 1 (0) by probability (), or decides not to send it out and puts down a bit value 0 (1) by probability (). Here, , , , and are random phase. The global phases and can be any reference phase and known by anyone. The private phase () is a random phase taken by Alice (Bob) secretly. Besides, we request the following mathematical constraint for source parameters:
[TABLE]
for each .
As the major result of this work, this constraint guarantees the security of the general SNS protocol with asymmetric source parameters for Alice and Bob. The real protocol here is actually same with that in ref. Wang et al. (2018b) except for this mathematical constraint and the virtual protocols for security proof will use different types of entangled states.
For ease of presentation, we will omit the subscript if it doesn’t cause any confusion. But keep in mind that all , , , and are chosen differently in different time windows.
Step 2. Charlie is supposed to measure all twin fields with a beam splitter after taking phase compensation and announce the measurement outcome.
Note: Charlie is expected to remove the phase and by phase compensation. His action only affects the key rate, but has not influence on the security of the protocol.
Step 3. They announce each one’s decoy windows and signal windows. And they announce the intensities of the decoy pulses and the private phases and in each decoy window.
*Definition: *We define a -window when both of them determine signal windows and an -window when both of them determine decoy windows. We define an effective event when one and only one Charlie’s detector clicks, and the corresponding window is called an effective window.
Given that () is randomized, whenever Alice (Bob) sends a coherent state with intensity (), it can be equivalently regarded as a density matrix (), which is a classical mixture of different photon number states only. Hence among all -windows, we can define a set of -windows, in which one and only one of them decides to send and she (he) actually sends a single-photon state. They don’t know which time window is a -window, but they can calculate the number of -windows in an experiment.
Among all -windows, we define a set of -windows, in which they choose the intensities and with the same and the phase shifts and satisfy the restriction
[TABLE]
Here the values and are some values determined by Alice and Bob according to the result of channel test and calibration in the experiment to obtain a satisfactory key rate and the value of can be different from time to time. In this paper, we will set for presentation simplicity, i.e.
[TABLE]
but this doesn’t affect the validity of the security proof if we use Eq.(2) for the post selection. They keep the data of the effective events and discard all the others.
Step 4. They randomly choose some events from the effective -windows to do the error test. A bit-flip error occurs when Alice’s bit value is different from Bob’s in a -window. They discard the test bits, and the remaining events from effective -windows will be distilled for the final key.
Step 5. Based on the measurement outcome in effective -windows, they calculate , the number of effective events in -windows. Based on the measurement outcome and the announced values of and in effective -windows, they calculate , the phase-flip error rate of effective events in -windows.
Note: In effective -windows, an error occurs when
(1)the left detector clicks and
(2)the right detector clicks and .
Given this definition, they can observe the error rates in -windows for each intensities of input light. With this, they can estimate through the decoy state analysis which requests them to observe the counting rates of various intensities of input light. As proved in ref. Wang et al. (2018b), decoy state method can applied to our protocol as if the phases and were not announced. In the asymptotic case that there are decoy states with infinite different intensities, they can obtain the exact value of . In the case that there are decoy states with finite different intensities, they can obtain the upper bound of .
Note: The Appendix shows the four-intensity method of this protocol. In this case, the formulas for and are given in Eqs.(37)-(40).
Step 6. They perform the post-processing and obtain the final key with length
[TABLE]
where is the correction efficiency, is the number of effective -windows, and is the bit-flip error rate in effective -windows. Details for calculating the length of the final key (or the key rate) with four-intensity decoy-state method are presented in the Appendix.
Note: If we set and , this protocol is actually the same as the original SNS protocol in ref. Wang et al. (2018b).
III Security proof with virtual protocols and reduction
III.1 Introduction of the ancillary photons and the extended states
Similarly to the security proof in Ref. Wang et al. (2018b), we use the idea of entanglement distillation with ancillary photons to proof the security of our protocol.
Image that in a -window, if Alice (Bob) decides to send a coherent state () to Charlie, she (he) puts down a local ancillary qubit in the state (), and if Alice (Bob) decides not to send, she (he) puts down a local ancillary qubit in the state (). To Alice (Bob), the state corresponds to the bit value 1 (0), and the state corresponds to the bit value 0 (1). We define subspace for the subspace of the sent-out states and for the subspace of the local ancillary states. Therefore, the extended state in the complex space in the -window can be written as
[TABLE]
Here both symbols and are for a tensor product, and is the tensor product inside , and is the tensor product between and . The states on the left side of are in and we name them real-photon states. The states on the right side of are in and we name them ancillary-photon states. Since the private phases and in -windows are kept secret all the time, the coherent states and are actually phase-randomized coherent states, whose density matrices are
[TABLE]
with and
[TABLE]
So the extended state in the -window can be written in another form:
[TABLE]
and
[TABLE]
where and are some normalization factors. With the condition in Eq. (1), , the target state we used to prove the security, can be written as
[TABLE]
with
[TABLE]
In -windows, the two-mode states sent by them are
[TABLE]
where
[TABLE]
In our protocol, the states in the -windows are actually classical mixtures of , , , and . In the security proof, we first show the security of the protocol with only the state and then show the security of the protocol with by the tagged model Inamori et al. (2007); Gottesman et al. (2004).
III.2 Virtual Protocol 1
Definition: We have define an effective event in the protocol. An effective ancillary photon is an ancillary photon corresponding to an effective event.
III.2.1 Preparation stage
For each time window , they preshare the classical information about whether this time window is an -window or -window. They preshare an extended state
[TABLE]
where
[TABLE]
and and are announced publicly. (Remind that and vary in different time windows.)
In the time window which is a -window, through discussion by a secret channel, Alice chooses a random phase and Bob chooses a random phase , which satisfy the restriction Eq.(3). Then they take phase shifts and to their own real photons, respectively. In the time window which is a -window, they take random and independent phase shifts and to their own real photons, respectively. After the phase shifts, the extended state changes into
[TABLE]
and
[TABLE]
Among all -windows, we define a set of -windows, in which the phase shifts and satisfy the restriction Eq.(3). The states in -windows are not identical to those in -windows, but they are identical to those in -windows.
Besides, we define real-photon states and for any time window:
[TABLE]
or
[TABLE]
III.2.2 Protocol
**V1-1: **At any -window (-window), they send the real photons of () defined in Eq. (16) to Charlie and keep the ancillary photons locally.
**V1-2: **Charlie measures the real photons from Alice and Bob with a beam splitter after taking phase compensation according to the strong reference lights with phases and . He announces his measurement outcome and then they announce the values of and of all -windows. With the preshared information of - and -windows, the measurement outcome, and the announced values of and , they can obtain effective -windows and effective -windows. The data of other time windows will be discarded.
*Definition: *After Step V1-2, the remaining effective events can be divided into eight subsets according to the window information (-window or -window), the clicking detector (the left or the right ) and the sign of (positive or negative ). These subsets is labeled as where , , and . For example, the subset is the set of effective -windows when the right detector clicks and . Correspondingly, the effective ancillary photons can be divide into eight subsets labeled as .
**V1-3: **They check the phase-flip error rate of the set , where and . Since the effective -windows are identical to the effective -windows, the phase-flip error rate of should be the same as that of (asymptotically).
*Note: *The state in Eq.(17) can be written in another form:
[TABLE]
or
[TABLE]
where are two-mode states of ancillary photons:
[TABLE]
To obtain the phase-flip error rate of the set , each ancillary photon of this set is measured in the basis and there are outcomes of and outcomes of . The phase-flip error rate of is define as:
[TABLE]
where is the number of the ancillary photons in .
**V1-4: **With the estimated value of , they can purify the ancillary photons in with separately. After purification, they obtain ancillary photons in (almost 100%) pure single-photon entangled states (or ). Then they perform local measurement on their own ancillary photons and obtain the final key. Alice (Bob) puts down a bit value 0 (1) or 1 (0) when her (his) measurement outcome is or .
*Note 1-Security: *The security of the final key is based on the faithfulness of the purification. If they estimate the error rate of a set of ancillary photons exactly, they can purify these ancillary photons to get pure entangled photons. Although Charlie measured the real photons and they selected the set of ancillary photons based on his announced measurement outcomes, they check the phase-flip error rate of these photons by themselves. Since the extended states of effective -windows are identical to those of effective -windows, the phase-flip error rate of is exactly the same as that of statistically. They can obtain the phase-flip error rate in by testing the ancillary photon in and then perform the purification to . As a result, the security of the key doesn’t rely on Charlie’s honesty.
*Note 2-Estimation of the phase-flip error rate: *According to the definition of in Eq.(23), they have to measure the ancillary photons in the basis . It’s easy to prove that they can perform local measurement in the basis and check the parity of the outcome instead of measuring in the basis . Explicitly, their outcome with even parity ( or ) corresponds to the outcome and that with odd parity ( or ) corresponds to the outcome .
*Note 3-Reduction of the preshare states in -windows: *Since measurement in the basis is a local operation on the ancillary photons, it makes no difference whether they measure their ancillary photons after sending the real photons or before that. So they can measure the ancillary photons before the protocol starts, and label this time window an -window if the outcome is even parity, or label it an -window if the outcome is odd parity. Then they prepare and send the real photon in the state
[TABLE]
in an -window, or prepare and send that in the state
[TABLE]
in an -window.
Alternatively, they can start with the information of -windows and -windows and the states in Eqs. (24)(25). They prepare and send real photons in the state in -windows or in the state in -windows. In this way, the ancillary photons in -windows in the above virtual protocol are not necessary, and the formula of phase-flip error rate should be changed correspondingly. We introduce a symbol for the set of effective time windows, which satisfy the restriction in Eq.(3), with joint events , , where
Event (): the sign of .
Event (): this times window is an -window.
Event (): the -detector clicks and the other doesn’t click.
And we also introduce for the number of time windows in the set . Therefore, we have
[TABLE]
and
[TABLE]
This reduction of -windows leads to the Virtual Protocol 2.
III.3 Virtual Protocol 2
III.3.1 Preparation stage
For each time window , they preshare the classical information about whether this time window is an -window, an -window or a -window.
They preshare an extended state in Eq.(16) for -windows, an real-photon state for -windows and an real state for -windows.
III.3.2 Protocol
**V2-1: **At any -window, they send out the real photons of to Charlie and keep the ancillary photons locally. At any -window (-window), they send () to Charlie.
**V2-2: **Charlie measures the real photons from Alice and Bob with a beam splitter after taking phase compensation according to the strong reference lights with phases and . He announces his measurement outcome and then they announce the values of and of all -windows.
**V2-3: **They check the phase-flip error rate by the set and , where and .
**V2-4: **They purify the ancillary photons in with separately with the estimated value of . Then they perform local measurement on their own ancillary photons and obtain the final key.
Note: Reduction of preshared states in -windows.
*Reduction 1: *The real-photon states with () in -windows are actually identical to those with () in -windows, e.g.
[TABLE]
So we can conclude that , where stands for the opposite sign of . This means that all the values in the phase-flip error rate in Eq.(27) can be replaced by so that -windows are not necessary. They can just use the data from -windows to estimate the phase-flip error rate, and no one else will find any difference. Therefore, they use only -windows and send only the state in -windows. The number of effective events from the state and the joint events , (with ) is denoted as . The formula of the phase-flip error rate should be changed into:
[TABLE]
where the formula for should be changed into .
*Reduction 2: *All the effective ancillary photons in -windows can be purified in one batch. The phase-flip error rate is
[TABLE]
where is the total number of effective events in -windows. Using the relations that and , the phase-flip error rate can be bounded by
[TABLE]
In this formula for the phase-flip error rate, we only need the total number of effective events in -windows and the number of these two kinds of effective events:
-
the left detector clicks and ;
-
the right detector clicks and .
Therefore, we can define these two kinds of effective events as error events and the corresponding time windows are defined as error windows. If they set the value of small enough and Charlie perform the compensation honestly, they may get few error events so that the phase-flip error rate will be quite low and the key rate will be high.
*Reduction 3: *The density matrix in Eq.(12) with randomized and can be written as the classical mixture of a set of states :
[TABLE]
with
[TABLE]
where are some normalization factors and is exactly when the condition in Eq.(1) is satisfied. So they don’t need to preshare the state . They can send the phase-randomized coherent state and to Charlie in -windows, and then use the decoy-state method to estimate the bound of the phase-flip error rate of , .
Note: If some decoy states with intensities and are not used to estimate , these intensities don’t have to satisfy the constrain in Eq.(1).
III.4 Virtual Protocol 3
III.4.1 Preparation stage
For each time window , they preshare the classical information about whether this time window is an window or a -window.
They preshare an extended state in Eq.(16) for -windows.
III.4.2 Protocol
**V3-1: **At any -window, they send out the real photons of to Charlie and keep the ancillary photons locally. At any -window, Alice (Bob) sends a coherent state () with random and ( and ) to Charlie.
**V3-2: **Charlie measures the real photons from Alice and Bob with a beam splitter after taking phase compensation according to the strong reference lights with phases and . He announces his measurement outcome and then they announce the values of and of all -windows.
**V3-3: **They apply decoy-state method with the data of the effective -windows to estimate the phase-flip error rate .
**V3-4: **They purify the ancillary photons in the effective -windows with the estimated value of . Then they perform local measurement on their own ancillary photons and obtain the final key.
Note 1: Reduction of preshared states in -windows.
*Reduction 1: *The state with the restriction Eq.(3) is identical to without the restriction Eq.(3). If we regard all -windows as a whole, the condition in Eq.(3) can be loosen, which means that the phase shifts and to the real photons can be randomized in the range independently. In this way, they don’t need any mutual information about the phase shifts and .
*Reduction 2: *The process that they purify the effective ancillary photons in -windows and then perform local measurement on them is equivalent to the process that they measure these ancillary photons in the photon-number basis and then do classical distillation to the classical data, which is called quasipurification Shor and Preskill (2000). In the latter process, the state in -window is
[TABLE]
which is equivalent to the state in Eq.(10). This means that the protocol can just start with the state and apply the tagged model to distill the final key from the effective events using the state . The length of the final key should be
[TABLE]
where is the number of effective events with state estimated by decoy-state method, is the number of effective events in -windows, and is the bit-flip error rate of . A bit-flip error occurs when Alice’s bit value is different from Bob’s in a -window.
Note 2:Reduction of preshared information of time windows.
Alice (Bob) determines a signal window by probability () and determines a decoy window with intensity () by probability (), where (). A -window is defined when both of them determine signal windows and an -window is defined when both of them determine decoy windows. Other time windows are regarded as mismatch windows and they will be discarded. In this way, they don’t need to preshare any information of time windows, and the states in -windows and -windows are and , respectively.
With the reductions above, the virtual protocol is equivalent to our asymmetric SNS protocol.
IV Numerical Simulation With Asymmetric Channels
Here we present the results of numerical simulation of different SNS protocols in the case that the channels are asymmetric, i.e., Alice’ channel and Bob’s channel are different, e.g., they have different channel losses.
The original SNS with the asymmetric channels can be modified a little to fit the asymmetric channels, which we call “the modified SNS protocol” in the following. Consider the case that the original SNS protocol is applied to the asymmetric channels, when they use the same source, the intensities of the pulses interfering at the beam-splitter will differ a lot due to different channel transmittances, which will cause a high error rate in -windows and therefore enhance the phase-flip error rate of single-photon, . In the modified SNS protocol, they still use the same source parameters, but Charlie add an extra loss to one of the channels to make the transmittances of two channels the same. Explicitly, if the transmittance of Alice’s channel, , is larger than that of Bob’s channel, , Charlie adds an extra loss to Alice’s channel. On the contrary, if , Charlie adds an extra loss to Bob’s channel. Since Charlie’s action doesn’t affect the security, the security of the modified SNS protocol is guaranteed automatically.
We show the numerical results of the optimal key rate of the original, the modified, and the general SNS protocols with the asymmetric channels. The effect of the finite data size has been considered in our calculation. The device parameters used in the simulation are listed in Table 1.
In Figure 2 and Figure 3, we show the optimal key rates of three protocols with the difference in length between the two channels () fixed at 50 km and 100 km, respectively.
In the figures, we have also compared our results with the linear bound of the repeaterless QKD. There are excellent theoretical linear bounds for key rate of a repeaterless QKD, such as the famous TGW bound Takeoka et al. (2014) and the PLOB bound Pirandola et al. (2017). Also, we show some details of the optimal key rates with different SNS protocols in Table 2.
It’s easy to find that in the asymmetric channels, the performance of our general SNS protocol is much better than that of the other two protocols, especially when the difference in length between Alice’s and Bob’s channels is large.
V Conclusion
In this paper, we propose a general SNS protocol with asymmetric source parameters and give a security proof of this protocol. The intensities and the probabilities for sending at Alice’s and Bob’s sides should satisfy the condition given in Eq.(1) to guarantee the security in the asymmetric case. We present the numerical results of different SNS protocols to show that our general SNS protocol gives much high key rate than the other SNS protocols when Alice’s and Bob’s channels are different. When the difference in length between Alice’s and Bob’s channels is 100 km, the key rate of the general SNS protocol is tens to hundreds of times higher than that of the original SNS protocol. Our general SNS protocol can be applied directly to the SNS experiments with asymmetric channels.
If we use the method of two-way classical communication Xu et al. (2019) on our protocol, the key rate of our general protocol can be improved further. We shall report this elsewhere.
Appendix: Formulas For Key Rate Calculation
V.1 Four-Intensity Decoy-State Method and Parameter Estimation
In order to make our protocol easy to demonstrate in the experiment, we give the four-intensity decoy-state method for our protocol. “Four-intensity” means that Alice (Bob) uses four different intensities, () in signal windows and [math], (), () in decoy windows. All measurement results in effective -windows are used to estimate the bound of . Only measurement results in effective -windows when Alice uses the intensity and Bob uses the intensity are used to estimate the bound of .
The formula for the length of the final key in Eq.(4) can be written in the form of key rate per time window:
[TABLE]
where is the counting rate in -windows, and is the counting rate of -windows. If there are effective windows in a set of time windows, the counting rate of is defined as .
So we need to estimate the bound of and by the four-intensity decoy-state method. Here stands for the expected value of a variable. Similarly to the methods in Ref.Yu et al. (2019), the lower bound of is given by:
[TABLE]
where is lower bound of the expected value of the counting rate of the state with
[TABLE]
and is lower bound of the expected value of the counting rate of the state with
[TABLE]
Here is the expected value of the counting rate of the time windows when Alice and Bob send the decoy pulses with intensities and , respectively. If the data size is infinite, these expected values are exactly the values observed in the experiments. If the data size is finite, we should use the Chernoff Bound introduced in the next section to estimate the bound of the expected values from the observed values. The upper bound of is given by:
[TABLE]
where is the expected value of the error counting rate of -windows, when Alice and Bob send the decoy pulses with intensities and , respectively. If there are error windows in a set of time windows, the error counting rate of is defined as .
V.2 Chernoff Bound
In the asymptotic case where the data size is infinite, the observed values are the same as the expected values. But in the nonasymptotic case where the data size is finite, the observed values are different from the expected values. So we need the Chernoff bound Chernoff et al. (1952) to estimate the range of expected values from the observed values and use the worst case to ensure that the final key is secure.
Let be random variables whose observed values are either 0 or 1, be their sum , and be the expected value of . We have the lower and the upper bound of :
[TABLE]
[TABLE]
where and are the solutions of the following equations:
[TABLE]
[TABLE]
where is the failure probability. With the above equations, we have
[TABLE]
Here is the observed value of the counting rate.
Then in Eq.(36) we need the real values of and in a specific experiment. So Eqs.(41)-(45) can be written in another form to estimate the upper and the lower bound of real values from expected values:
[TABLE]
[TABLE]
where and are the solutions of the following equations:
[TABLE]
[TABLE]
With the above equations, we have
[TABLE]
where is the number of single-photon state in the windows when one and only one of them decides to send and is the total number of time windows.
V.3 Finite Key Size Effect
Similarly to the analysis of the effect of the finite key size in ref. Jiang et al. (2019), we give the key rate formula with the effect of the finite key size of our general SNS protocol in the universally composable framework Müller-Quade and Renner (2009).
If the length of the final key satisfies
[TABLE]
the protocol is -secret with , and the total security coefficient of the protocol is . Here is the probability that the error correction fails, is the probability that the real value of isn’t in the range that we estimate, is the failure probability of the privacy amplification, and is the probability that the real value of isn’t in the range that we estimate. According to Eqs.(37)-(50), we have and . If we set in our numerical simulation, the total security coefficient of our protocol is .
Also, Eq.(51) can be written in the form of key rate per time window with some source parameters:
[TABLE]
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1BENNETT (1984) C. BENNETT, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing (1984), pp. 175–179.
- 2Lo and Chau (1999) H.-K. Lo and H. F. Chau, science 283 , 2050 (1999).
- 3Shor and Preskill (2000) P. W. Shor and J. Preskill, Physical Review Letters 85 , 441 (2000).
- 4Mayers (2001) D. Mayers, Journal of the ACM (JACM) 48 , 351 (2001).
- 5Gisin et al. (2002) N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Reviews of modern physics 74 , 145 (2002).
- 6Gisin and Thew (2007) N. Gisin and R. Thew, Nature photonics 1 , 165 (2007).
- 7Renner (2008) R. Renner, International Journal of Quantum Information 6 , 1 (2008).
- 8Scarani et al. (2009) V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, Reviews of modern physics 81 , 1301 (2009).
