Modied BB84 quantum key distribution protocol robust to source imperfections Margarida Pereira1 2 3 4Guillermo Curr as-Lorenzo1 2 3 4 Alvaro Navarrete1 2 3 Akihiro Mizutani5Go Kato6Marcos Curty1 2 3and Kiyoshi Tamaki4

2025-05-06 0 0 926.85KB 26 页 10玖币
侵权投诉
Modified BB84 quantum key distribution protocol robust to source imperfections
Margarida Pereira,1, 2, 3, 4, Guillermo Curr´as-Lorenzo,1, 2, 3, 4 ´
Alvaro Navarrete,1, 2, 3
Akihiro Mizutani,5Go Kato,6Marcos Curty,1, 2, 3 and Kiyoshi Tamaki4
1Vigo Quantum Communication Center, University of Vigo, Vigo E-36315, Spain
2Escuela de Ingenier´ıa de Telecomunicaci´on, Department of Signal
Theory and Communications, University of Vigo, Vigo E-36310, Spain
3atlanTTic Research Center, University of Vigo, Vigo E-36310, Spain
4Faculty of Engineering, University of Toyama, Gofuku 3190, Toyama 930-8555, Japan
5Mitsubishi Electric Corporation, Information Technology R&D
Center, 5-1-1 Ofuna, Kamakura-shi, Kanagawa, 247-8501 Japan
6National Institute of Information and Communications Technology, Nukui-kita, Koganei, Tokyo 184-8795 Japan
The Bennett-Brassard 1984 (BB84) protocol is the most widely implemented quantum key distri-
bution (QKD) scheme. However, despite enormous theoretical and experimental efforts in the past
decades, the security of this protocol with imperfect sources has not yet been rigorously established.
In this work, we address this shortcoming and prove the security of the BB84 protocol in the pres-
ence of multiple source imperfections, including state preparation flaws and side channels, such as
Trojan-horse attacks, mode dependencies and classical correlations between the emitted pulses. To
do so, we consider a modified BB84 protocol that exploits the basis mismatched events, which are
often discarded in standard security analyses of this scheme; and employ the reference technique, a
powerful mathematical tool to accommodate source imperfections in the security analysis of QKD.
Moreover, we compare the achievable secret-key rate of the modified BB84 protocol with that of the
three-state loss-tolerant protocol, and show that the addition of a fourth state, while redundant in
ideal conditions, significantly improves the estimation of the leaked information in the presence of
source imperfections, resulting in a better performance. This work demonstrates the relevance of
the BB84 protocol in guaranteeing implementation security, taking us a step further towards closing
the existing gap between theory and practice of QKD.
I. INTRODUCTION
Quantum key distribution (QKD) enables two remote
users, Alice and Bob, to securely establish cryptographic
keys over an untrusted quantum channel [1–3]. Undoubt-
edly, the most widely used QKD scheme is the BB84 pro-
tocol, proposed by Bennett and Brassard in 1984 [4]. Al-
most four decades after its introduction, QKD has made
an enormous progress both in theory and practice. How-
ever, despite its rigorous mathematical security proof,
current physical implementations of QKD suffer from se-
curity loopholes due to inherent device imperfections and
leakages of secret-key information.
Recent years have witnessed large efforts to reduce
this discrepancy between theory and practice and guar-
antee the implementation security of QKD. A cru-
cial breakthrough in this direction was the proposal of
measurement-device-independent QKD (MDI-QKD) [5],
which effectively closes all security loopholes on the de-
tector side and is practical with existing hardware [6–
10]. Moreover, a variant of MDI-QKD, called twin-field
QKD [11], has been shown to provide a significant im-
provement on the achievable secret-key rate, allowing us
to reach longer distances than ever before in fiber-based
communications [12–14].
Having efficiently dealt with the measurement unit, the
focus is now on securing the source. Essentially, source
mpereira@com.uvigo.es
loopholes could arise from state preparation flaws (SPFs)
[15–20] and side channels, such as Trojan-horse attacks
(THAs) [20–25], mode dependencies [16, 17, 20, 26–28],
pulse correlations [29–34] and through changes in, for ex-
ample, electromagnetic and acoustic radiation. Previous
works have often looked at each of these imperfections in-
dividually, and developed experimental countermeasures
and theoretical tools to minimise their impact on the
secret-key rate and restore the security claim of QKD.
For instance, the BB84 protocol has been shown to be
secure in the presence of SPFs [18, 19] and THAs [23–
25, 35]. However, one can only guarantee the implemen-
tation security of the source if all loopholes are taken into
account simultaneously in the analysis, and thus the se-
curity of this protocol with imperfect sources has not yet
been rigorously established.
The importance of achieving this level of security for
the BB84 protocol cannot be overstated. In particular,
many existing experiments [36–38], field-test QKD net-
works [39–45] and satellite-based quantum communica-
tion systems [46, 47] employ the BB84 protocol. Hence,
it is crucial to ensure the practical security of their trans-
mitting units. Moreover, while in the absence of source
imperfections the achievable secret-key rate is exactly the
same when using three or four states [19], in the pres-
ence of imperfections the BB84 protocol may allow for a
better estimation of the leaked secret information. As a
consequence, this may lead to higher performances; a sig-
nificant step towards attaining implementation security
at an adequate level for practical QKD applications.
arXiv:2210.11754v1 [quant-ph] 21 Oct 2022
2
A recently proposed analytical tool for security proofs
of QKD, the reference technique (RT) [31], is particu-
larly well suited to address these issues, since it enables
us to estimate the leaked secret-key information in the
presence of multiple source imperfections. For this, one
considers some reference states that are similar to the
actual states emitted in the protocol, but whose sim-
pler structure facilitates the estimation of some inter-
mediate parameters. Then, since the two sets of states
are close to each other, one can bound the maximum
deviation between their detection probabilities using a
Cauchy-Schwarz’s type inequality (denoted in [31] as the
Gfunction), and estimate the final parameters needed to
guarantee the security of the actual protocol. The high
flexibility and the high tolerance to source imperfections
displayed by the RT with the Gfunction comes at a cost,
however, as it requires the QKD protocol to be run se-
quentially, i.e. Alice only emits a particular pulse after
Bob has measured the previous one [48]. Nonetheless,
unlike other security proof approaches, the RT allows us
to guarantee the security of QKD protocols with practi-
cal light sources against coherent attacks.
In this work, we employ the RT with the Gfunction to
prove the security of the BB84 protocol in the presence
of multiple source imperfections; including SPFs and side
channels, such as THAs, mode dependencies and classi-
cal pulse correlations. To do so, we consider a modified
BB84 protocol that exploits the basis mismatched events,
which are usually discarded in standard implementations
of the protocol. Our security proof only requires an up-
per bound on a few parameters that quantify the quality
of the source, i.e. no detailed information about the side-
channel states is needed, thus facilitating the work of ex-
perimentalists. Additionally, we compare the achievable
secret-key rate of this modified BB84 protocol with that
of the three-state loss-tolerant protocol [19], and show
that the emission of a fourth state, while redundant in
ideal conditions, offers a significant improvement on the
secret-key rate in the presence of source imperfections.
This suggests that the modified BB84 protocol provides
a clear performance advantage over the three-state pro-
tocol when dealing with imperfect sources.
II. DESCRIPTION OF THE EMITTED STATES
AND ASSUMPTIONS
In this section, we first describe in detail the state of
the emitted pulses in the modified BB84 protocol (see
Appendix A for a full protocol description), and then
list the assumptions imposed by our security proof on
Alice’s and Bob’s devices. The security analysis is pre-
sented afterwards, in Section III. For ease of discussion,
we consider a BB84 protocol with an imperfect single-
photon source. Nevertheless, our analysis could also be
combined with the decoy-state method [49–51] to deal
with phase-randomised coherent sources.
In particular, we assume that the form of Alice’s
emitted states is affected by certain setting-choice-
independent factors, such as temperature drifts or power
fluctuations, that commonly arise in practical imple-
mentations of QKD. These factors can be modelled
as a sequence of possibly-correlated random variables
G:=G1,...,GN, where Gkrepresents all the setting-
independent factors that affect the state emitted in the
kth round and Nis the total number of rounds. Since
these factors are independent of Alice’s encodings, for a
given sequence of setting choices j1, . . . , jN, the global
state emitted is mixed over the probability distribution
of G. However, as shown in Appendix B, as long as one
demonstrates that the protocol is secure for any particu-
lar outcome g:=g1, . . . , gNof G, which can be assumed
to have been fixed at the beginning of the protocol, then
it is also secure for the actual case in which Alice emits
mixed states. Thus, in the security proof, gcan essen-
tially be treated as a fixed parameter that affects the
form of all the emitted states. Since the latter is mathe-
matically equivalent to considering the mixed state case,
here, we take this view for simplicity of presentation.
In addition, we investigate two different scenarios for
the source. In the first one, the state of the emitted
pulse on a particular round konly depends on gkand
on Alice’s kth setting choice, i.e. it is independent of
all her other setting choices. This is known as setting-
independent pulse correlations and it was first modelled
in [29]. The source model considered in this work, how-
ever, goes beyond that presented in [29] even for this
scenario, as the single-mode assumption is removed and
the effect of side channels is incorporated. In the second
scenario, the state of the emitted pulse on round kmay
not only depend on gkand on Alice’s kth setting choice,
but also on Alice’s previous lcsetting choices, for some
known correlation length lc. This is often denoted as
setting-dependent pulse correlations, and could arise, for
instance, from memory effects in the electronic devices
inside the transmitting unit [32]. The source model con-
sidered for this latter case is similar to that introduced
in [31], but here we also take into account the depen-
dence of the emitted pulses on the setting-independent
factors described above, whose effect was disregarded in
[31]. In both scenarios, we assume that, given a particu-
lar sequence of setting choices j1, . . . , jN, the global state
emitted by Alice is a classical mixture of a tensor prod-
uct of Npure states. That is, we exclude the possibility
of quantum correlations in which the states emitted on
different rounds are entangled, which can hardly happen
in typical implementations of QKD [52].
In the setting-independent scenario, for each round kof
the protocol, Alice chooses a setting j∈ {0Z,1Z,0X,1X}
and emits a state to Bob. This state can be expressed as
|ψj,giBk,Ek=q1(k)
j,g|φj,giBk,Ek+q(k)
j,g|φ
j,giBk,Ek,
(1)
where Bkis a two-dimensional system and Ekincludes
any other systems that carry information about the kth
3
pulse, such as the back-reflected light from a THA (see
Appendix C for more details). Note that |ψj,giBk,Ekin
Eq. (1) is a uniquely determined pure state once jand
gkare fixed. However, here we write g, rather than gk,
because as explained above, in our security proof the pa-
rameter g, which contains gkfor any k, is fixed at the
beginning of the protocol.
From construction, Eq. (1) is the most general descrip-
tion of the transmitted states within the framework of
setting-independent correlations, since it is simply an ex-
pansion of the most general state |ψj,giBk,Ekin the basis
{|φj,giBk,Ek,|φ
j,giBk,Ek}[31, 53]. In Eq. (1) the param-
eter (k)
j,g[0,1] quantifies the deviation of |ψj,giBk,Ek
from the qubit state |φj,giBk,Ek:=|ωj,giBk|λgiEk,
where |ωj,giBkis the state that Alice would send to
Bob in the absence of side channels and |λgiEkis a
setting-independent state for the current round. Note
that the state |ωj,giBkincorporates any imperfections
in a qubit space, such as SPFs and phase fluctuations.
The side channels are represented in Eq. (1) by the state
|φ
j,giBk,Ek, which can live in a Hilbert space of arbitrary
dimension and is orthogonal to |φj,giBk,Ek. In other
words, the state |φ
j,giBk,Ekcorresponds to unwanted
and possibly unknown modes, and it can incorporate side
channels other than setting-dependent pulse correlations,
such as THAs and mode dependencies.
In the setting-dependent scenario, the emitted state
for each round kcan instead be expressed as,
ψj,g|jk1,...,jklcBk,Ek=q1(k)
j,g|jk1,...,jklc|φj,giBk,Ek
+q(k)
j,g|jk1,...,jklc|φ
j,g|jk1,...,jklciBk,Ek,(2)
where jk1, . . . , jklcrepresents the dependence of
the kth pulse on Alice’s previous lcsetting choices.
As before, Eq. (2) is simply an expansion of the
state |ψj,g|jk1,...,jklciBk,Ekin the basis {|φj,giBk,Ek,
|φ
j,g|jk1,...,jklciBk,Ek}, and within the framework of
classical pulse correlations, this is the most general de-
scription of the transmitted states. Note that the state
|φ
j,g|jk1,...,jklciBk,Ekin Eq. (2), besides incorporating
all the side channels in |φ
j,giBk,Ek, also takes into ac-
count setting-dependent pulse correlations.
Importantly, due to the form of Eqs. (1) and (2), one
can apply the RT to prove the security of the modified
BB84 protocol as long as the following assumptions hold.
A. Assumptions on Alice’s transmitting unit
(A1) For all rounds of the protocol, Alice chooses the
setting jwith a fixed probability pj, with p0Z=
p1Z.
Alice’s setting selection in a given round is inde-
pendent of those of other rounds, and Eve cannot
tamper with her selection probabilities.
(A2) As described above, we consider two different sce-
narios for the source, which result in two security
analyses with different assumptions:
a. The emitted states do not depend on Alice’s
previous setting choices – Eq. (1).
We assume that an upper bound U(k)
j,gis
known for all k,jand g. Note that, even in
this case, the states emitted in different rounds
of the protocol are not necessarily independent
and identically distributed (IID) because the
random variables G1,...,GNthat represent the
setting-independent factors may be correlated
between consecutive rounds. We show the secu-
rity analysis under this scenario in Section III A.
b. The emitted states depend on Alice’s previous
lcsetting choices – Eq. (2).
We assume that an upper bound 0U
(k)
j,g|jk1,...,jklcis known for all k,j,g, and
jk1, . . . , jklc. Moreover, we assume that the
state of the kth pulse is affected by gand Al-
ice’s previous lcsetting choices, and that lcis a
known parameter. The analysis under this sce-
nario is given in Section III B. As we shall see,
the data post-processing in this case must be
done differently. In particular, one needs to di-
vide the sifted key in (lc+ 1) groups, and then
perform the parameter estimation and privacy
amplification separately for each group (see Ap-
pendix A).
We emphasise that, while knowing the upper bound
U(0U) is a requirement to apply the RT, the char-
acterisation of the side-channel states |φ
j,giBk,Ek
(|φ
j,g|jk1,...,jklciBk,Ek) is not needed. In other
words, the inner products hφ
j,g|φ
j0,giBk,Ek
(hφ
j,g|jk1,...,jklc|φ
j0,g|jk1,...,jklciBk,Ek) and
hφj,g|φ
j0,giBk,Ek(hφj,g|φ
j0,g|jk1,...,jklciBk,Ek)
with j6=j0can be unknown. Importantly, this
is not a necessary assumption but a fortunate
consequence originating from the freedom to
choose the reference states in the RT when using
the particular inequality Gdefined in Eq. (12).
Since obtaining a full characterisation of the
side-channel states is very challenging in practice,
previous theoretical works [31, 53], as well as this
work, have exploited this advantage to consider
device models that require minimal experimental
characterisation. Nonetheless, it is important
to emphasise that if any information about the
side channels is available it can be incorporated
in the RT framework. This would most likely
lead to higher performances because a better
source characterisation tends to result in a more
accurate estimation of the phase-error rate. In
fact, this has been recently shown for a particular
time-dependent side channel in [28].
4
(A3) A partial characterisation of the qubit state
|ωj,giBkin Eqs. (1) and (2) can be obtained.
In the analysis presented in [31], for simplicity,
the qubit state |ωj,giBkin |φj,giBk,Ek:= |ωj,giBk
|λgiEkis assumed to be perfectly characterised and
stable in time. Here, we go a step further and allow
|ωj,giBkto vary slightly round by round, hence its
dependence on g. However, we assume that one can
at least partially characterise this state, such that
the upper bounds cU
α,j and p(vir)U
αXon certain quan-
tities that are defined later can be derived; see the
discussion between Eqs. (10) and (11) for more de-
tails, including the definition of these parameters.
In Section IV A we show for illustration purposes
that, for a typical phase-encoding setup in which
the qubit component |ωj,giBkof all the emitted
states is in a standard basis plane (such as the XZ
plane) and the exact encoded phase θ(k)
j,gfluctuates
over time, this requirement translates to being able
to determine the range of these fluctuations, i.e.
guaranteeing that θ(k)
j,g[θL
j, θU
j] for all k,jand g,
where {θL
j, θU
j}is known.
(A4) Alice only emits her kth pulse after Bob has per-
formed his k1th measurement [54].
This guarantees that the measurement operator
ˆ
M(k)
γXin Eq. (6) ( ˆ
D(k)
γXin Eq. (27)) satisfies 0
ˆ
M(k)
γXˆ
1(0 ˆ
D(k)
γXˆ
1) (see Appendices D
and E 2, respectively, for a proof of these state-
ments), which is needed to apply the RT with the
Gfunction defined in Eq. (12). We note that
this assumption is also required when using the
generalised entropy accumulation theorem [48] to
prove the security of prepare-and-measure proto-
cols against coherent attacks.
B. Assumptions on Bob’s measurement unit
(B1) For all rounds of the protocol, Bob chooses a mea-
surement basis β∈ {Z, X}with probabilities pZB
and pXB, respectively.
Bob’s basis selection in a given round is indepen-
dent of those of other rounds, and Eve cannot tam-
per with his selection probabilities.
(B2) Bob’s measurements satisfy the basis-independent-
efficiency condition.
We assume that Bob’s measurements can be rep-
resented by the positive operator-valued measures
(POVMs) {ˆm0β,ˆm1β,ˆmf}where ˆm0β( ˆm1β) corre-
sponds to Bob obtaining the bit value 0 (1) when
selecting the basis β, and ˆmfis associated with an
inconclusive outcome. That is, the detection effi-
ciency of Bob’s unit is independent of his measure-
ment basis choice β. This assumption is required
by many security proofs of QKD to remove detector
side-channel attacks exploiting channel loss [55, 56].
(B3) There are no side channels on Bob’s device.
All these assumptions on Bob’s device can be avoided
by considering a MDI-type protocol, which removes all
detector loopholes and to which our analysis could easily
be extended (see [53]).
III. SECURITY PROOF
Here, we show how the RT can be used to prove the
security of the modified BB84 protocol against coherent
attacks in the presence of multiple source imperfections.
In particular, we explain how to estimate the phase-error
rate, which bounds the amount of information leakage
to a potential eavesdropper, Eve, and determines the
amount of privacy amplification that is needed to guaran-
tee a secure final key. We do this for two different security
analyses that consider the two scenarios described previ-
ously for the transmitting unit. Namely, in Section III A,
the emitted states only depend on setting-independent
factors and in Section III B, in addition to these factors,
the emitted states also depend on Alice’s previous lcset-
ting choices. Their corresponding assumptions are (A2.a)
and (A2.b) in Section II A, respectively.
A. Scenario in which the emitted states do not
depend on Alice’s previous setting choices
In this scenario, for each pulse emission, Alice sends a
state |ψj,giBk,Ekgiven by Eq. (1) through the quantum
channel to Bob, who then performs his POVM measure-
ments. The secret key is distilled from the rounds in
which both Alice and Bob select the Zbasis. As a ba-
sic framework to prove the security of these events, we
use the complementarity approach [57, 58]. First, note
that from Eve’s perspective, the key generation rounds
are equivalently described by an entanglement-based sce-
nario in which, after selecting the Zbasis, Alice prepares
the following entangled state
|ΨZ
giAk,Bk,Ek=1
2X
α∈{0,1}|αZiAk|ψαZ,giBk,Ek,(3)
sends systems Bk, Ekto Bob while keeping system Akin
her laboratory, and then both Alice and Bob perform Z-
basis measurements on their local and received systems,
respectively.
To prove the security of these events, we consider the
number of phase errors that Alice and Bob would have
obtained if they had performed their measurements in
the Xbasis instead. This virtual scenario is equivalent
5
to Alice sending Bob the fictitious virtual states
|ψ(vir)
αX,giBk,Ek=|ψ0Z,giBk,Ek+ (1)α|ψ1Z,giBk,Ek
2r˜p(k,vir)
αX,g
pZA
,
(4)
where α∈ {0,1}, with probabilities
˜p(k,vir)
αX,g=1
2pZAh1+(1)αRe ψ0Z,gψ1Z,gBk,Eki,
(5)
who then performs X-basis measurements on the received
systems. In Eq. (5), ˜p(k,vir)
αX,grepresents the joint proba-
bility that Alice chooses the Zbasis (pZA) and prepares
the virtual state |ψ(vir)
αX,giBk,Ek.
A phase error occurs when Alice selects the virtual
state associated to 1X(0X) and Bob obtains the bit value
0 (1) in his X-basis measurement. In Appendix D, we
show that the probability of obtaining a phase error on
round k, conditioned on all the previous outcomes, can
be expressed as
P(k)
g(ph|Act) :=X
α,γ∈{0,1}
α6=γ
˜p(k,vir)
αX,gpZBTr˜σ(k,vir)
αX,gˆ
M(k)
γX,
(6)
where ˜σ(k,vir)
αX,g:=|ψ(vir)
αX,gihψ(vir)
αX,g|Bk,Ek, and ˆ
M(k)
γXwith γ
{0,1}is Bob’s effective POVM element for the kth pulse
after a coherent attack (see Eq. (D7) in Appendix D for
more details).
The detection probabilities Tr˜σ(k,vir)
αX,gˆ
M(k)
γXin Eq. (6)
are not directly observed in the experiment because
the virtual states are not actually emitted. Moreover,
estimating them using the data collected in the protocol
might be difficult due to the presence of multiple source
imperfections. However, thanks to the RT, we can
overcome this difficulty by estimating P(k)
g(ph|Act)
indirectly. For this, we first select some reference
states that are similar to the actual states emitted in
the protocol, and which allow an easy estimate of the
phase-error probability that would be observed if they
had been emitted: P(k)
g(ph|Ref). Then, by evaluating
the deviation between the reference and actual states,
we obtain P(k)
g(ph|Act) from P(k)
g(ph|Ref). Finally, by
applying concentration inequalities we derive an upper
bound on the phase-error rate.
Applying the reference technique
First, we define four reference states. Even though
our choice of states is unrestricted, higher secret-key
rates are achieved if they are close to the actual
states. Here, we pick the set of reference states to
be |φj,giBk,Ekj∈{0Z,1Z,0X,1X}, which are defined in
Eq. (1) as the qubit part of the actual states. Then, by
replacing the actual Z-basis states by their corresponding
reference states in Eq. (3), we define
|ΦZ
giAk,Bk,Ek=1
2X
α∈{0,1}|αZiAk|φαZ,giBk,Ek,(7)
analogous to |ΨZ
giAk,Bk,Ek. Similarly, we define the vir-
tual states |φ(vir)
αX,giBk,Ekand the probabilities p(k,vir)
αX,g,
which are analogous to |ψ(vir)
αX,giBk,Ekand ˜p(k,vir)
αX,g, respec-
tively. This allows us to define the quantity
P(k)
g(ph|Ref) :=X
α,γ∈{0,1}
α6=γ
p(k,vir)
αX,gpZBTrσ(k,vir)
αX,gˆ
M(k)
γX,
(8)
where σ(k,vir)
αX,g:= |φ(vir)
αX,gihφ(vir)
αX,g|Bk,Ek. Here,
P(k)
g(ph|Ref) could be interpreted as the probabil-
ity of a phase-error on the kth round when using the
reference states. We emphasise that these replacements
of actual states by their reference counterparts are
purely mathematical. The reference states are never
prepared nor sent in an actual implementation of the
protocol.
A convenient feature of Eq. (8) over Eq. (6) is that the
states σ(k,vir)
αX,glive in the same qubit space as the reference
states σ(k)
j,g:=|φj,gihφj,g|Bk,Ek, and therefore one can
employ the idea of the loss-tolerant protocol [19] to write
the former states as a linear function of the latter. For
simplicity, here we assume that these states all lie in the
XZ plane of the Bloch sphere; see Appendix B in [59]
for a more general treatment. Then, we have that
σ(k,vir)
αX,g=X
j
c(k)
α,j,gσ(k)
j,g,(9)
for j∈ {0Z,1Z,0X,1X}, where c(k)
α,j,gare real coefficients.
To find these coefficients, one has to solve two systems
of three linear equations with four unknowns. These sys-
tems have infinitely many solutions, and therefore one
can choose the solutions that provide the tightest bound
on the phase-error rate. This is the crucial difference with
respect to the three-state protocol, and the reason why
the modified BB84 protocol can provide higher secret-
key rates (see Section IV C). We note that, in the case of
the three-state protocol, the 1Xstate is not emitted and
thus c(k)
1,1X,g=c(k)
0,1X,g= 0. This results in two systems of
three linear equations with three unknowns, which have
a unique solution each.
After substituting Eq. (9) in Eq. (8), we obtain
P(k)
g(ph|Ref) = X
α,γ∈{0,1}
α6=γ
p(k,vir)
αX,gpZBX
j
c(k)
α,j,gTrσ(k)
j,gˆ
M(k)
γX,
(10)
where we have used the linearity of the trace operation.
Note that since the reference states σ(k)
j,gdepend on g,
摘要:

Modi edBB84quantumkeydistributionprotocolrobusttosourceimperfectionsMargaridaPereira,1,2,3,4,GuillermoCurras-Lorenzo,1,2,3,4AlvaroNavarrete,1,2,3AkihiroMizutani,5GoKato,6MarcosCurty,1,2,3andKiyoshiTamaki41VigoQuantumCommunicationCenter,UniversityofVigo,VigoE-36315,Spain2EscueladeIngenieradeTele...

展开>> 收起<<
Modied BB84 quantum key distribution protocol robust to source imperfections Margarida Pereira1 2 3 4Guillermo Curr as-Lorenzo1 2 3 4 Alvaro Navarrete1 2 3 Akihiro Mizutani5Go Kato6Marcos Curty1 2 3and Kiyoshi Tamaki4.pdf

共26页,预览5页

还剩页未读, 继续阅读

声明:本站为文档C2C交易模式,即用户上传的文档直接被用户下载,本站只是中间服务平台,本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私,请立即通知玖贝云文库,我们立即给予删除!

相关推荐

更多
立即下载
分类:图书资源 价格:10玖币 属性:26 页 大小:926.85KB 格式:PDF 时间:2025-05-06

开通VIP享超值会员特权

  • 多端同步记录
  • 高速下载文档
  • 免费文档工具
  • 分享文档赚钱
  • 每日登录抽奖
  • 优质衍生服务

作者详情

相关内容

更多

热门标签

人际关系 动力学连接体 力的合成 配电装置 高考理综 全宋诗作者索引 公务员考试
/ 26
评分 收藏
分享
立即下载
客服
关注