Security proof of practical quantum key distribution with detection-efficiency mismatch Yanbao Zhang NTT Research Center for Theoretical Quantum Physics NTT Basic Research Lab, Japan Based on the joint work arXiv:2004.04383 with Patrick J. Coles, Adam Winick, Jie Lin, and Norbert Lütkenhaus
Why detection-efficiency mismatch matters ? Detection-efficiency mismatch due to manufacturing and setup ● 𝜃 2 𝜃 1 Polarized photons PBS It is difficult to build two detectors with identical efficiency. *Detectors considered in this work are threshold detectors. Detection-efficiency mismatch induced by Eve ● 𝜃 2 𝜃 1 Polarized photons PBS spatial-mode-dependent temporal-mode-dependent Rau et al ., IEEE J. Quantum Electron. 21, 6600905 (2014) Sajeed et al ., Phys. Rev. A 91, 062301 (2015) Zhao et al ., Phys. Rev. A 78, 042333 (2008) Chaiwongkhot et al ., Phys. Rev. A 99, 062315 (2019) 1
Problems caused by efficiency mismatch Efficiency mismatch helps Eve to attack QKD systems. ● Lydersen et al ., Nat. Photon. 4, 686 (2010) Gerhardt et al ., Nat. Commun. 2, 349 (2011) Efficiency mismatch can cause fake violations of an entanglement ● witness. In the presence of efficiency mismatch, the detection events are not fair samples. If only detection events are used, a Bell inequality can be violated even using classical light [Gerhardt et al ., Phys. Rev. Lett. 107, 170404 (2011)]. 2
Protocol analyzed in this work Prepare & Measure BB84 [ Bennett and Brassard ( 1984)] x ∈ 0,1,2,3 • Assumption : Alice’s and Bob’s labs are Random number x ۧ { 𝑞 𝑦 = 1/4, 𝜒 𝑦 secure and trusted. 𝜒 𝑦 ∈ {H,V, D,A} • Use of the entanglement-based Single-photon Alice source scheme for security analysis. 𝐵 ′ sent to Bob 1) 𝜍 𝐵𝐵 ′ 𝜍 𝐵𝐶 . 2) Alice’s measurements are ideal. 𝐵 Warning : System 𝐵 ′ is two-dimensional, • POVM 𝐵 ′ sent 𝐵 = ۧ {𝑁 𝑦 |𝜒 𝑦 ൻ𝜒 𝑦 | } but the system 𝐶 arriving at Bob can be to Bob infinite-dimensional. Entanglement Alice source • Detection-efficiency mismatch exists in | ۧ 𝛺 𝐵𝐵 ′ = (| ۧ H 𝐵 | ۧ H 𝐵 ′ + | ۧ V 𝐵 | ۧ V 𝐵 ′ )/ 2 Bob’s measurement setup. Source-replacement description [Bennett, Brassard, Mermin, PRL 68, 557 (1992); Curty, Lewenstein, Lütkenhaus, PRL 92, 217903 (2004); Ferenczi, Lütkenhaus, PRA 85, 052310 (2012)] 3
Bob’s measurements & efficiency mismatch H PR – Polarization Rotator PBS – Polarizing Beam Splitter 50/50 BS – 50/50 Beam Splitter V PBS H/V V/A Random bit b D Mode 1 Mode 1 H/D 2 A Mode 2 PR 3 PBS 50/50 BS PBS D/A 4 Active Detection Passive Detection Efficiency mismatch model considered Efficiency mismatch model considered Mode H V D A Mode H/D V/A 1 𝜃 1 𝜃 2 𝜃 2 𝜃 2 2 𝜃 2 𝜃 1 𝜃 2 𝜃 2 1 𝜃 1 𝜃 2 𝜃 2 𝜃 2 𝜃 1 𝜃 2 3 2 𝜃 2 𝜃 1 𝜃 2 𝜃 2 𝜃 2 𝜃 1 4 * Our method works for arbitrary, characterized efficiency mismatch. 4
Obstacle to proving security with efficiency mismatch • Without efficiency mismatch, the squashing model exists. A qubit-based security proof still applies. Mutiphoton state Squashing Single-photon state [Beaudry, Moroder, Lütkenhaus, Phys. Rev. Lett. 101, 093601 (2008); Tsurumaru and Tamaki, Phys. Rev. A 78, 032302 (2008)] • With efficiency mismatch, the above squashing model doesn’t work. • Previous security proofs with efficiency mismatch assume that the system arriving at Bob contains at most one photon. [Fung et al ., Quantum Inf. Comput. 9, 131 (2009); Lydersen and Skaar, Quant. Inf. Comp. 10, 0060 (2010); Bochkov and Trushechkin, Phys. Rev. A 99, 032308 (2019); Ma et al ., Phys. Rev. A 99, 062325 (2019)] Our contribution : We develop a method to handle the infinite-dimensional system received by Bob. *In parallel with us, Trushechkin recently developed an alternative method [arXiv:2004.07809]. 5
Brief introduction to a numerical approach for security proof 𝜍 𝐵𝐶 Key rate: 𝐿 = 𝛽 − 𝐼 𝐵 𝐶 , where 𝛽 for Alice Bob privacy amplification and 𝐼 𝐵 𝐶 for e rror correction. *Collective attacks are considered, 𝐵 } 𝐶 } and the key is defined by Alice. Measurement {𝑁 𝑦 Measurement {𝑁 𝑧 Announcement Announcement 𝛽 = min 𝜍 𝐵𝐶 𝐸 𝜍 𝐵𝐶 ||𝒶( 𝜍 𝐵𝐶 ) Sifting Sifting 𝜍 𝐵𝐶 ≥ 0, Tr 𝜍 𝐵𝐶 = 1 ൝ 𝐵 ⊗ 𝑁 𝑧 𝐶 𝜍 𝐵𝐶 )= 𝑞 𝐵𝐶 𝑦, 𝑧 Key map Tr ( 𝑁 𝑦 Key map QKD protocol Key-rate calculation 𝐶 } (measurements), Kraus operator 𝐵 ⊗ 𝑁 𝑧 1. A protocol can be described by a set of POVMs {𝑁 𝑦 (announcements and sifting), and Key map 𝒶 (forming key). The state 𝜍 𝐵𝐶 is constrained by observations 𝑞 𝐵𝐶 𝑦, 𝑧 --- the expectation values of POVMs. 2. Once description is given, the key rate (privacy amplification part) takes the form of min 𝑔(𝜍 𝐵𝐶 ) , where one needs to minimize 𝑔 depending on 𝜍 𝐵𝐶 ( Eve’s attack). 3. As 𝑔 is a convex function, we can calculate both a lower bound and an upper bound on min𝑔(𝜍) . Coles, Metodiev, Lütkenhaus, Nat. Commun. 7 , 11712 (2016) Winick, Lütkenhaus, Coles, Quantum 2, 77 (2018) 6
Dimension reduction by flag-state squasher • 𝐶 , 𝑧 ∈ 1,2, … , 𝐾 , is block-diagonal with respect Key observation : Each POVM element 𝑁 𝑧 to various photon-number subspaces. • For a photon-number cutoff 𝑙 ( 𝑜 ≤ 𝑙 )- and ( 𝑜 > 𝑙 )-photon subspaces Original POVM: Squashed POVM: 𝐶 𝐶 𝐶 = 𝑁 𝑧,𝑜≤𝑙 𝐶 = 𝑁 𝑧,𝑜≤𝑙 0 0 ෨ ෩ 𝑁 𝑧 𝑁 𝑧 𝐶 | ۧ 𝑧ۦ𝑧| 0 0 𝑁 𝑧,𝑜>𝑙 H 𝑜≤𝑙 H 𝑜≤𝑙 Squasher 𝜧 Infinite Finite ⊕ ⊕ Bob Bob r dimensional dimensional H 𝑜>𝑙 𝐶 H 𝐾 𝑁 𝑧,𝑜>𝑙 | ۧ 𝑧ۦ𝑧| ෩ 𝑪 𝝇 𝑪 ) = Tr ( ෩ 𝑪 𝜧(𝝇 𝑪 )), ∀ 𝒛. For an arbitrary input state 𝝇 𝑪 , Tr ( 𝑵 𝒛 𝑵 𝒛 Two equivalent descriptions of the measurement process. The description using the squasher Λ is pessimistic, as it allows Eve to completely learn Bob’s outcome when 𝑜 > 𝑙 . A lower bound on 𝑞 𝑜≤𝑙 is required when using the squasher Λ. 7
Overview of our method Step 1: Reducing the dimension H 𝑜≤𝑙 H 𝑜≤𝑙 H 𝑜≤𝑙 Infinite Squasher 𝜧 Finite Bob ⊕ Bob ⊕ r dimensional dimensional H 𝐾 H 𝑜>𝑙 𝐶 | ۧ 𝑧ۦ𝑧| 𝑁 𝑧,𝑜>𝑙 Step 2: Bounding the photon-number distribution Accordingly, we need only to solve a finite-dimensional convex optimization problem, and so we can obtain non-trivial lower bounds of the secret key rate. min 𝐸 𝜍 𝐵 ෨ 𝐶 ||𝒶( 𝜍 𝐵 ෨ 𝐶 ) * 𝜍 𝐵 ෨ 𝐶 is finite-dimensional; 𝜍 𝐵෩ 𝐶 𝐶 depend 𝜍 𝐵 ෨ 𝐶 ≥ 0, Tr 𝜍 𝐵 ෨ 𝐶 = 1 ෨ * The operators ෩ 𝑁 𝑧 𝐵 ⊗ ෩ 𝐶 𝜍 𝐵 ෨ ෨ ൞ Tr ( 𝑁 𝑦 𝑁 𝑧 𝐶 )= 𝑞 𝐵𝐶 𝑦, 𝑧 on efficiency mismatch. Tr(Π ≤𝑙 𝜍 𝐵 ෨ 𝐶 ) ≥ 𝑐 𝑙 * Π ≤𝑙 is the projector onto the ( ≤ - 𝑙 )-photon subspace. Our key-rate calculation 8
Photon-number distribution bounds • Let 𝑈 be an observable that depends on both the photon number 𝑜 and the efficiency mismatch (e.g., double click or cross click). 𝑜 . 𝑈 is block-diagonal. WLOG 𝜍 𝐵𝐶 is block-diagonal, i.e., 𝜍 𝐵𝐶 = σ 𝑜=0 ∞ • 𝑞 𝑜 𝜍 𝐵𝐶 𝑞 𝑜 --- the probability that the system arriving at Bob has 𝑜 photons. If we can find 𝑜 -dependent bounds min 𝑜 𝑈 ) ≥ ቐ 𝑢 obs, 𝑜≤𝑙 , ∀𝑜 ≤ 𝑙, 𝑢 obs,𝑜 = Tr ( 𝜍 𝐵𝐶 min 𝑢 obs, 𝑜>𝑙 , ∀𝑜 > 𝑙, then we have 𝑜 𝑈 ≥ 𝑞 𝑜≤𝑙 𝑢 obs, 𝑜≤𝑙 ∞ min min 𝑢 obs = σ 𝑜=0 𝑞 𝑜 Tr 𝜍 𝐵𝐶 + 1 − 𝑞 𝑜≤𝑙 𝑢 obs, 𝑜>𝑙 . min 𝑢 obs, 𝑜>𝑙 − 𝑢 obs 𝑞 𝑜≤𝑙 ≥ . min min 𝑢 obs, 𝑜≤𝑙 is less than 𝑢 obs, 𝑜>𝑙 min min 𝑢 obs, 𝑜>𝑙 − 𝑢 obs, 𝑜≤𝑙 *Similar bounds have been used for security proofs of QKD without efficiency mismatch, see [Lütkenhaus, PRA 59, 3301 (1999) and Koashi et al ., arXiv:0804.0891]. *We use the bounds established in [Y Z and N. Lütkenhaus, PRA 95, 042319 (2017)] for entanglement verification with efficiency mismatch. An alternative bound for active detection with efficiency mismatch was recently derived by Trushechkin, arXiv:2004.07809. 9
𝑞 𝑜≤𝑙 for active detection Mode H/D V/A V/A Random bit b 𝜃 1 =1 𝜃 2 = 𝜃 1 𝜃 2 = 𝜃 𝜃 1 =1 2 H/D PBS Efficiency mismatch model considered PR The observable 𝑈 can be the double-click operator 𝐸 or the effective-error operator. 2 2−𝑜 , 𝑜 is even; 𝜃 2 1 − 𝑜 𝐸 ) ≥ ቐ 𝑒 obs,𝑜 = Tr ( 𝜍 𝐵𝐶 2 1−𝑜 , 𝑜 is odd. 𝜃 2 1 − * The numerical results are obtained by solving SDPs [Y Z and N. Lütkenhaus, PRA 95, 042319 (2017)]. 𝑒 obs,𝑜 *The analytical bounds are motivated and improve min 𝜃 =1, numerical the results in [Trushechkin, arXiv:2004.07809]. 𝜃 =0.2, numerical 𝜃 =1, analytical 𝜃 =0.2, analytical min , Due to the monotonic behavior of 𝑒 obs, 𝑜 min 𝑒 obs, 𝑙+1 − 𝑒 obs 𝑞 𝑜≤𝑙 ≥ , ∀𝑙. min 𝑒 obs, 𝑙+1 Photon number 𝑜 * Our method works for arbitrary, characterized efficiency mismatch. 10
Recommend
More recommend
