Modied BB84 quantum key distribution protocol robust to source imperfections Margarida Pereira1 2 3 4Guillermo Curr as-Lorenzo1 2 3 4 Alvaro Navarrete1 2 3 Akihiro Mizutani5Go Kato6Marcos Curty1 2 3and Kiyoshi Tamaki4

2025-05-06 0 0 926.85KB 26 页 10玖币

侵权投诉

Modiﬁed BB84 quantum key distribution protocol robust to source imperfections

Margarida Pereira,1, 2, 3, 4, ∗Guillermo Curr´as-Lorenzo,1, 2, 3, 4 ´

Alvaro Navarrete,1, 2, 3

Akihiro Mizutani,5Go Kato,6Marcos Curty,1, 2, 3 and Kiyoshi Tamaki4

1Vigo Quantum Communication Center, University of Vigo, Vigo E-36315, Spain

2Escuela de Ingenier´ıa de Telecomunicaci´on, Department of Signal

Theory and Communications, University of Vigo, Vigo E-36310, Spain

3atlanTTic Research Center, University of Vigo, Vigo E-36310, Spain

4Faculty of Engineering, University of Toyama, Gofuku 3190, Toyama 930-8555, Japan

5Mitsubishi Electric Corporation, Information Technology R&D

Center, 5-1-1 Ofuna, Kamakura-shi, Kanagawa, 247-8501 Japan

6National Institute of Information and Communications Technology, Nukui-kita, Koganei, Tokyo 184-8795 Japan

The Bennett-Brassard 1984 (BB84) protocol is the most widely implemented quantum key distri-

bution (QKD) scheme. However, despite enormous theoretical and experimental eﬀorts in the past

decades, the security of this protocol with imperfect sources has not yet been rigorously established.

In this work, we address this shortcoming and prove the security of the BB84 protocol in the pres-

ence of multiple source imperfections, including state preparation ﬂaws and side channels, such as

Trojan-horse attacks, mode dependencies and classical correlations between the emitted pulses. To

do so, we consider a modiﬁed BB84 protocol that exploits the basis mismatched events, which are

often discarded in standard security analyses of this scheme; and employ the reference technique, a

powerful mathematical tool to accommodate source imperfections in the security analysis of QKD.

Moreover, we compare the achievable secret-key rate of the modiﬁed BB84 protocol with that of the

three-state loss-tolerant protocol, and show that the addition of a fourth state, while redundant in

ideal conditions, signiﬁcantly improves the estimation of the leaked information in the presence of

source imperfections, resulting in a better performance. This work demonstrates the relevance of

the BB84 protocol in guaranteeing implementation security, taking us a step further towards closing

the existing gap between theory and practice of QKD.

I. INTRODUCTION

Quantum key distribution (QKD) enables two remote

users, Alice and Bob, to securely establish cryptographic

keys over an untrusted quantum channel [1–3]. Undoubt-

edly, the most widely used QKD scheme is the BB84 pro-

tocol, proposed by Bennett and Brassard in 1984 [4]. Al-

most four decades after its introduction, QKD has made

an enormous progress both in theory and practice. How-

ever, despite its rigorous mathematical security proof,

current physical implementations of QKD suﬀer from se-

curity loopholes due to inherent device imperfections and

leakages of secret-key information.

Recent years have witnessed large eﬀorts to reduce

this discrepancy between theory and practice and guar-

antee the implementation security of QKD. A cru-

cial breakthrough in this direction was the proposal of

measurement-device-independent QKD (MDI-QKD) [5],

which eﬀectively closes all security loopholes on the de-

tector side and is practical with existing hardware [6–

10]. Moreover, a variant of MDI-QKD, called twin-ﬁeld

QKD [11], has been shown to provide a signiﬁcant im-

provement on the achievable secret-key rate, allowing us

to reach longer distances than ever before in ﬁber-based

communications [12–14].

Having eﬃciently dealt with the measurement unit, the

focus is now on securing the source. Essentially, source

∗mpereira@com.uvigo.es

loopholes could arise from state preparation ﬂaws (SPFs)

[15–20] and side channels, such as Trojan-horse attacks

(THAs) [20–25], mode dependencies [16, 17, 20, 26–28],

pulse correlations [29–34] and through changes in, for ex-

ample, electromagnetic and acoustic radiation. Previous

works have often looked at each of these imperfections in-

dividually, and developed experimental countermeasures

and theoretical tools to minimise their impact on the

secret-key rate and restore the security claim of QKD.

For instance, the BB84 protocol has been shown to be

secure in the presence of SPFs [18, 19] and THAs [23–

25, 35]. However, one can only guarantee the implemen-

tation security of the source if all loopholes are taken into

account simultaneously in the analysis, and thus the se-

curity of this protocol with imperfect sources has not yet

been rigorously established.

The importance of achieving this level of security for

the BB84 protocol cannot be overstated. In particular,

many existing experiments [36–38], ﬁeld-test QKD net-

works [39–45] and satellite-based quantum communica-

tion systems [46, 47] employ the BB84 protocol. Hence,

it is crucial to ensure the practical security of their trans-

mitting units. Moreover, while in the absence of source

imperfections the achievable secret-key rate is exactly the

same when using three or four states [19], in the pres-

ence of imperfections the BB84 protocol may allow for a

better estimation of the leaked secret information. As a

consequence, this may lead to higher performances; a sig-

niﬁcant step towards attaining implementation security

at an adequate level for practical QKD applications.

arXiv:2210.11754v1 [quant-ph] 21 Oct 2022

A recently proposed analytical tool for security proofs

of QKD, the reference technique (RT) [31], is particu-

larly well suited to address these issues, since it enables

us to estimate the leaked secret-key information in the

presence of multiple source imperfections. For this, one

considers some reference states that are similar to the

actual states emitted in the protocol, but whose sim-

pler structure facilitates the estimation of some inter-

mediate parameters. Then, since the two sets of states

are close to each other, one can bound the maximum

deviation between their detection probabilities using a

Cauchy-Schwarz’s type inequality (denoted in [31] as the

Gfunction), and estimate the ﬁnal parameters needed to

guarantee the security of the actual protocol. The high

ﬂexibility and the high tolerance to source imperfections

displayed by the RT with the Gfunction comes at a cost,

however, as it requires the QKD protocol to be run se-

quentially, i.e. Alice only emits a particular pulse after

Bob has measured the previous one [48]. Nonetheless,

unlike other security proof approaches, the RT allows us

to guarantee the security of QKD protocols with practi-

cal light sources against coherent attacks.

In this work, we employ the RT with the Gfunction to

prove the security of the BB84 protocol in the presence

of multiple source imperfections; including SPFs and side

channels, such as THAs, mode dependencies and classi-

cal pulse correlations. To do so, we consider a modiﬁed

BB84 protocol that exploits the basis mismatched events,

which are usually discarded in standard implementations

of the protocol. Our security proof only requires an up-

per bound on a few parameters that quantify the quality

of the source, i.e. no detailed information about the side-

channel states is needed, thus facilitating the work of ex-

perimentalists. Additionally, we compare the achievable

secret-key rate of this modiﬁed BB84 protocol with that

of the three-state loss-tolerant protocol [19], and show

that the emission of a fourth state, while redundant in

ideal conditions, oﬀers a signiﬁcant improvement on the

secret-key rate in the presence of source imperfections.

This suggests that the modiﬁed BB84 protocol provides

a clear performance advantage over the three-state pro-

tocol when dealing with imperfect sources.

II. DESCRIPTION OF THE EMITTED STATES

AND ASSUMPTIONS

In this section, we ﬁrst describe in detail the state of

the emitted pulses in the modiﬁed BB84 protocol (see

Appendix A for a full protocol description), and then

list the assumptions imposed by our security proof on

Alice’s and Bob’s devices. The security analysis is pre-

sented afterwards, in Section III. For ease of discussion,

we consider a BB84 protocol with an imperfect single-

photon source. Nevertheless, our analysis could also be

combined with the decoy-state method [49–51] to deal

with phase-randomised coherent sources.

In particular, we assume that the form of Alice’s

emitted states is aﬀected by certain setting-choice-

independent factors, such as temperature drifts or power

ﬂuctuations, that commonly arise in practical imple-

mentations of QKD. These factors can be modelled

as a sequence of possibly-correlated random variables

G:=G1,...,GN, where Gkrepresents all the setting-

independent factors that aﬀect the state emitted in the

kth round and Nis the total number of rounds. Since

these factors are independent of Alice’s encodings, for a

given sequence of setting choices j1, . . . , jN, the global

state emitted is mixed over the probability distribution

of G. However, as shown in Appendix B, as long as one

demonstrates that the protocol is secure for any particu-

lar outcome g:=g1, . . . , gNof G, which can be assumed

to have been ﬁxed at the beginning of the protocol, then

it is also secure for the actual case in which Alice emits

mixed states. Thus, in the security proof, gcan essen-

tially be treated as a ﬁxed parameter that aﬀects the

form of all the emitted states. Since the latter is mathe-

matically equivalent to considering the mixed state case,

here, we take this view for simplicity of presentation.

In addition, we investigate two diﬀerent scenarios for

the source. In the ﬁrst one, the state of the emitted

pulse on a particular round konly depends on gkand

on Alice’s kth setting choice, i.e. it is independent of

all her other setting choices. This is known as setting-

independent pulse correlations and it was ﬁrst modelled

in [29]. The source model considered in this work, how-

ever, goes beyond that presented in [29] even for this

scenario, as the single-mode assumption is removed and

the eﬀect of side channels is incorporated. In the second

scenario, the state of the emitted pulse on round kmay

not only depend on gkand on Alice’s kth setting choice,

but also on Alice’s previous lcsetting choices, for some

known correlation length lc. This is often denoted as

setting-dependent pulse correlations, and could arise, for

instance, from memory eﬀects in the electronic devices

inside the transmitting unit [32]. The source model con-

sidered for this latter case is similar to that introduced

in [31], but here we also take into account the depen-

dence of the emitted pulses on the setting-independent

factors described above, whose eﬀect was disregarded in

[31]. In both scenarios, we assume that, given a particu-

lar sequence of setting choices j1, . . . , jN, the global state

emitted by Alice is a classical mixture of a tensor prod-

uct of Npure states. That is, we exclude the possibility

of quantum correlations in which the states emitted on

diﬀerent rounds are entangled, which can hardly happen

in typical implementations of QKD [52].

In the setting-independent scenario, for each round kof

the protocol, Alice chooses a setting j∈ {0Z,1Z,0X,1X}

and emits a state to Bob. This state can be expressed as

|ψj,giBk,Ek=q1−(k)

j,g|φj,giBk,Ek+q(k)

j,g|φ⊥

j,giBk,Ek,

(1)

where Bkis a two-dimensional system and Ekincludes

any other systems that carry information about the kth

pulse, such as the back-reﬂected light from a THA (see

Appendix C for more details). Note that |ψj,giBk,Ekin

Eq. (1) is a uniquely determined pure state once jand

gkare ﬁxed. However, here we write g, rather than gk,

because as explained above, in our security proof the pa-

rameter g, which contains gkfor any k, is ﬁxed at the

beginning of the protocol.

From construction, Eq. (1) is the most general descrip-

tion of the transmitted states within the framework of

setting-independent correlations, since it is simply an ex-

pansion of the most general state |ψj,giBk,Ekin the basis

{|φj,giBk,Ek,|φ⊥

j,giBk,Ek}[31, 53]. In Eq. (1) the param-

eter (k)

j,g∈[0,1] quantiﬁes the deviation of |ψj,giBk,Ek

from the qubit state |φj,giBk,Ek:=|ωj,giBk|λgiEk,

where |ωj,giBkis the state that Alice would send to

Bob in the absence of side channels and |λgiEkis a

setting-independent state for the current round. Note

that the state |ωj,giBkincorporates any imperfections

in a qubit space, such as SPFs and phase ﬂuctuations.

The side channels are represented in Eq. (1) by the state

|φ⊥

j,giBk,Ek, which can live in a Hilbert space of arbitrary

dimension and is orthogonal to |φj,giBk,Ek. In other

words, the state |φ⊥

j,giBk,Ekcorresponds to unwanted

and possibly unknown modes, and it can incorporate side

channels other than setting-dependent pulse correlations,

such as THAs and mode dependencies.

In the setting-dependent scenario, the emitted state

for each round kcan instead be expressed as,

ψj,g|jk−1,...,jk−lcBk,Ek=q1−(k)

j,g|jk−1,...,jk−lc|φj,giBk,Ek

+q(k)

j,g|jk−1,...,jk−lc|φ⊥

j,g|jk−1,...,jk−lciBk,Ek,(2)

where jk−1, . . . , jk−lcrepresents the dependence of

the kth pulse on Alice’s previous lcsetting choices.

As before, Eq. (2) is simply an expansion of the

state |ψj,g|jk−1,...,jk−lciBk,Ekin the basis {|φj,giBk,Ek,

|φ⊥

j,g|jk−1,...,jk−lciBk,Ek}, and within the framework of

classical pulse correlations, this is the most general de-

scription of the transmitted states. Note that the state

|φ⊥

j,g|jk−1,...,jk−lciBk,Ekin Eq. (2), besides incorporating

all the side channels in |φ⊥

j,giBk,Ek, also takes into ac-

count setting-dependent pulse correlations.

Importantly, due to the form of Eqs. (1) and (2), one

can apply the RT to prove the security of the modiﬁed

BB84 protocol as long as the following assumptions hold.

A. Assumptions on Alice’s transmitting unit

(A1) For all rounds of the protocol, Alice chooses the

setting jwith a ﬁxed probability pj, with p0Z=

p1Z.

Alice’s setting selection in a given round is inde-

pendent of those of other rounds, and Eve cannot

tamper with her selection probabilities.

(A2) As described above, we consider two diﬀerent sce-

narios for the source, which result in two security

analyses with diﬀerent assumptions:

a. The emitted states do not depend on Alice’s

previous setting choices – Eq. (1).

We assume that an upper bound U≥(k)

j,gis

known for all k,jand g. Note that, even in

this case, the states emitted in diﬀerent rounds

of the protocol are not necessarily independent

and identically distributed (IID) because the

random variables G1,...,GNthat represent the

setting-independent factors may be correlated

between consecutive rounds. We show the secu-

rity analysis under this scenario in Section III A.

b. The emitted states depend on Alice’s previous

lcsetting choices – Eq. (2).

We assume that an upper bound 0U≥

(k)

j,g|jk−1,...,jk−lcis known for all k,j,g, and

jk−1, . . . , jk−lc. Moreover, we assume that the

state of the kth pulse is aﬀected by gand Al-

ice’s previous lcsetting choices, and that lcis a

known parameter. The analysis under this sce-

nario is given in Section III B. As we shall see,

the data post-processing in this case must be

done diﬀerently. In particular, one needs to di-

vide the sifted key in (lc+ 1) groups, and then

perform the parameter estimation and privacy

ampliﬁcation separately for each group (see Ap-

pendix A).

We emphasise that, while knowing the upper bound

U(0U) is a requirement to apply the RT, the char-

acterisation of the side-channel states |φ⊥

j,giBk,Ek

(|φ⊥

j,g|jk−1,...,jk−lciBk,Ek) is not needed. In other

words, the inner products hφ⊥

j,g|φ⊥

j0,giBk,Ek

(hφ⊥

j,g|jk−1,...,jk−lc|φ⊥

j0,g|jk−1,...,jk−lciBk,Ek) and

hφj,g|φ⊥

j0,giBk,Ek(hφj,g|φ⊥

j0,g|jk−1,...,jk−lciBk,Ek)

with j6=j0can be unknown. Importantly, this

is not a necessary assumption but a fortunate

consequence originating from the freedom to

choose the reference states in the RT when using

the particular inequality Gdeﬁned in Eq. (12).

Since obtaining a full characterisation of the

side-channel states is very challenging in practice,

previous theoretical works [31, 53], as well as this

work, have exploited this advantage to consider

device models that require minimal experimental

characterisation. Nonetheless, it is important

to emphasise that if any information about the

side channels is available it can be incorporated

in the RT framework. This would most likely

lead to higher performances because a better

source characterisation tends to result in a more

accurate estimation of the phase-error rate. In

fact, this has been recently shown for a particular

time-dependent side channel in [28].

(A3) A partial characterisation of the qubit state

|ωj,giBkin Eqs. (1) and (2) can be obtained.

In the analysis presented in [31], for simplicity,

the qubit state |ωj,giBkin |φj,giBk,Ek:= |ωj,giBk

|λgiEkis assumed to be perfectly characterised and

stable in time. Here, we go a step further and allow

|ωj,giBkto vary slightly round by round, hence its

dependence on g. However, we assume that one can

at least partially characterise this state, such that

the upper bounds cU

α,j and p(vir)U

αXon certain quan-

tities that are deﬁned later can be derived; see the

discussion between Eqs. (10) and (11) for more de-

tails, including the deﬁnition of these parameters.

In Section IV A we show for illustration purposes

that, for a typical phase-encoding setup in which

the qubit component |ωj,giBkof all the emitted

states is in a standard basis plane (such as the XZ

plane) and the exact encoded phase θ(k)

j,gﬂuctuates

over time, this requirement translates to being able

to determine the range of these ﬂuctuations, i.e.

guaranteeing that θ(k)

j,g∈[θL

j, θU

j] for all k,jand g,

where {θL

j, θU

j}is known.

(A4) Alice only emits her kth pulse after Bob has per-

formed his k−1th measurement [54].

This guarantees that the measurement operator

M(k)

γXin Eq. (6) ( ˆ

D(k)

γXin Eq. (27)) satisﬁes 0 ≤

M(k)

γX≤ˆ

1(0 ≤ˆ

D(k)

γX≤ˆ

1) (see Appendices D

and E 2, respectively, for a proof of these state-

ments), which is needed to apply the RT with the

Gfunction deﬁned in Eq. (12). We note that

this assumption is also required when using the

generalised entropy accumulation theorem [48] to

prove the security of prepare-and-measure proto-

cols against coherent attacks.

B. Assumptions on Bob’s measurement unit

(B1) For all rounds of the protocol, Bob chooses a mea-

surement basis β∈ {Z, X}with probabilities pZB

and pXB, respectively.

Bob’s basis selection in a given round is indepen-

dent of those of other rounds, and Eve cannot tam-

per with his selection probabilities.

(B2) Bob’s measurements satisfy the basis-independent-

eﬃciency condition.

We assume that Bob’s measurements can be rep-

resented by the positive operator-valued measures

(POVMs) {ˆm0β,ˆm1β,ˆmf}where ˆm0β( ˆm1β) corre-

sponds to Bob obtaining the bit value 0 (1) when

selecting the basis β, and ˆmfis associated with an

inconclusive outcome. That is, the detection eﬃ-

ciency of Bob’s unit is independent of his measure-

ment basis choice β. This assumption is required

by many security proofs of QKD to remove detector

side-channel attacks exploiting channel loss [55, 56].

(B3) There are no side channels on Bob’s device.

All these assumptions on Bob’s device can be avoided

by considering a MDI-type protocol, which removes all

detector loopholes and to which our analysis could easily

be extended (see [53]).

III. SECURITY PROOF

Here, we show how the RT can be used to prove the

security of the modiﬁed BB84 protocol against coherent

attacks in the presence of multiple source imperfections.

In particular, we explain how to estimate the phase-error

rate, which bounds the amount of information leakage

to a potential eavesdropper, Eve, and determines the

amount of privacy ampliﬁcation that is needed to guaran-

tee a secure ﬁnal key. We do this for two diﬀerent security

analyses that consider the two scenarios described previ-

ously for the transmitting unit. Namely, in Section III A,

the emitted states only depend on setting-independent

factors and in Section III B, in addition to these factors,

the emitted states also depend on Alice’s previous lcset-

ting choices. Their corresponding assumptions are (A2.a)

and (A2.b) in Section II A, respectively.

A. Scenario in which the emitted states do not

depend on Alice’s previous setting choices

In this scenario, for each pulse emission, Alice sends a

state |ψj,giBk,Ekgiven by Eq. (1) through the quantum

channel to Bob, who then performs his POVM measure-

ments. The secret key is distilled from the rounds in

which both Alice and Bob select the Zbasis. As a ba-

sic framework to prove the security of these events, we

use the complementarity approach [57, 58]. First, note

that from Eve’s perspective, the key generation rounds

are equivalently described by an entanglement-based sce-

nario in which, after selecting the Zbasis, Alice prepares

the following entangled state

|ΨZ

giAk,Bk,Ek=1

√2X

α∈{0,1}|αZiAk|ψαZ,giBk,Ek,(3)

sends systems Bk, Ekto Bob while keeping system Akin

her laboratory, and then both Alice and Bob perform Z-

basis measurements on their local and received systems,

respectively.

To prove the security of these events, we consider the

number of phase errors that Alice and Bob would have

obtained if they had performed their measurements in

the Xbasis instead. This virtual scenario is equivalent

to Alice sending Bob the ﬁctitious virtual states

|ψ(vir)

αX,giBk,Ek=|ψ0Z,giBk,Ek+ (−1)α|ψ1Z,giBk,Ek

2r˜p(k,vir)

αX,g

pZA

(4)

where α∈ {0,1}, with probabilities

˜p(k,vir)

αX,g=1

2pZAh1+(−1)αRe ψ0Z,gψ1Z,gBk,Eki,

(5)

who then performs X-basis measurements on the received

systems. In Eq. (5), ˜p(k,vir)

αX,grepresents the joint proba-

bility that Alice chooses the Zbasis (pZA) and prepares

the virtual state |ψ(vir)

αX,giBk,Ek.

A phase error occurs when Alice selects the virtual

state associated to 1X(0X) and Bob obtains the bit value

0 (1) in his X-basis measurement. In Appendix D, we

show that the probability of obtaining a phase error on

round k, conditioned on all the previous outcomes, can

be expressed as

P(k)

g(ph|Act) :=X

α,γ∈{0,1}

α6=γ

˜p(k,vir)

αX,gpZBTr˜σ(k,vir)

αX,gˆ

M(k)

γX,

(6)

where ˜σ(k,vir)

αX,g:=|ψ(vir)

αX,gihψ(vir)

αX,g|Bk,Ek, and ˆ

M(k)

γXwith γ∈

{0,1}is Bob’s eﬀective POVM element for the kth pulse

after a coherent attack (see Eq. (D7) in Appendix D for

more details).

The detection probabilities Tr˜σ(k,vir)

αX,gˆ

M(k)

γXin Eq. (6)

are not directly observed in the experiment because

the virtual states are not actually emitted. Moreover,

estimating them using the data collected in the protocol

might be diﬃcult due to the presence of multiple source

imperfections. However, thanks to the RT, we can

overcome this diﬃculty by estimating P(k)

g(ph|Act)

indirectly. For this, we ﬁrst select some reference

states that are similar to the actual states emitted in

the protocol, and which allow an easy estimate of the

phase-error probability that would be observed if they

had been emitted: P(k)

g(ph|Ref). Then, by evaluating

the deviation between the reference and actual states,

we obtain P(k)

g(ph|Act) from P(k)

g(ph|Ref). Finally, by

applying concentration inequalities we derive an upper

bound on the phase-error rate.

Applying the reference technique

First, we deﬁne four reference states. Even though

our choice of states is unrestricted, higher secret-key

rates are achieved if they are close to the actual

states. Here, we pick the set of reference states to

be |φj,giBk,Ekj∈{0Z,1Z,0X,1X}, which are deﬁned in

Eq. (1) as the qubit part of the actual states. Then, by

replacing the actual Z-basis states by their corresponding

reference states in Eq. (3), we deﬁne

|ΦZ

giAk,Bk,Ek=1

√2X

α∈{0,1}|αZiAk|φαZ,giBk,Ek,(7)

analogous to |ΨZ

giAk,Bk,Ek. Similarly, we deﬁne the vir-

tual states |φ(vir)

αX,giBk,Ekand the probabilities p(k,vir)

αX,g,

which are analogous to |ψ(vir)

αX,giBk,Ekand ˜p(k,vir)

αX,g, respec-

tively. This allows us to deﬁne the quantity

P(k)

g(ph|Ref) :=X

α,γ∈{0,1}

α6=γ

p(k,vir)

αX,gpZBTrσ(k,vir)

αX,gˆ

M(k)

γX,

(8)

where σ(k,vir)

αX,g:= |φ(vir)

αX,gihφ(vir)

αX,g|Bk,Ek. Here,

P(k)

g(ph|Ref) could be interpreted as the probabil-

ity of a phase-error on the kth round when using the

reference states. We emphasise that these replacements

of actual states by their reference counterparts are

purely mathematical. The reference states are never

prepared nor sent in an actual implementation of the

protocol.

A convenient feature of Eq. (8) over Eq. (6) is that the

states σ(k,vir)

αX,glive in the same qubit space as the reference

states σ(k)

j,g:=|φj,gihφj,g|Bk,Ek, and therefore one can

employ the idea of the loss-tolerant protocol [19] to write

the former states as a linear function of the latter. For

simplicity, here we assume that these states all lie in the

XZ plane of the Bloch sphere; see Appendix B in [59]

for a more general treatment. Then, we have that

σ(k,vir)

αX,g=X

c(k)

α,j,gσ(k)

j,g,(9)

for j∈ {0Z,1Z,0X,1X}, where c(k)

α,j,gare real coeﬃcients.

To ﬁnd these coeﬃcients, one has to solve two systems

of three linear equations with four unknowns. These sys-

tems have inﬁnitely many solutions, and therefore one

can choose the solutions that provide the tightest bound

on the phase-error rate. This is the crucial diﬀerence with

respect to the three-state protocol, and the reason why

the modiﬁed BB84 protocol can provide higher secret-

key rates (see Section IV C). We note that, in the case of

the three-state protocol, the 1Xstate is not emitted and

thus c(k)

1,1X,g=c(k)

0,1X,g= 0. This results in two systems of

three linear equations with three unknowns, which have

a unique solution each.

After substituting Eq. (9) in Eq. (8), we obtain

P(k)

g(ph|Ref) = X

α,γ∈{0,1}

α6=γ

p(k,vir)

αX,gpZBX

c(k)

α,j,gTrσ(k)

j,gˆ

M(k)

γX,

(10)

where we have used the linearity of the trace operation.

Note that since the reference states σ(k)

j,gdepend on g,

文档加载中……请稍候！
如果长时间未打开，您也可以点击刷新试试。

下载文档到电脑，查找使用更方便

10 玖币 0人已下载

立即下载

摘要：

ModiedBB84quantumkeydistributionprotocolrobusttosourceimperfectionsMargaridaPereira,1,2,3,4,GuillermoCurras-Lorenzo,1,2,3,4AlvaroNavarrete,1,2,3AkihiroMizutani,5GoKato,6MarcosCurty,1,2,3andKiyoshiTamaki41VigoQuantumCommunicationCenter,UniversityofVigo,VigoE-36315,Spain2EscueladeIngenieradeTele...

展开>> 收起<<

Modied BB84 quantum key distribution protocol robust to source imperfections Margarida Pereira1 2 3 4Guillermo Curr as-Lorenzo1 2 3 4 Alvaro Navarrete1 2 3 Akihiro Mizutani5Go Kato6Marcos Curty1 2 3and Kiyoshi Tamaki4.pdf

共26页,预览5页

还剩页未读，继续阅读

声明：本站为文档C2C交易模式，即用户上传的文档直接被用户下载，本站只是中间服务平台，本站所有文档下载所得的收益归上传人(含作者)所有。玖贝云文库仅提供信息存储空间，仅对用户上传内容的表现方式做保护处理，对上载内容本身不做任何修改或编辑。若文档所含内容侵犯了您的版权或隐私，请立即通知玖贝云文库，我们立即给予删除！

Modied BB84 quantum key distribution protocol robust to source imperfections Margarida Pereira1 2 3 4Guillermo Curr as-Lorenzo1 2 3 4 Alvaro Navarrete1 2 3 Akihiro Mizutani5Go Kato6Marcos Curty1 2 3and Kiyoshi Tamaki4

相关推荐

开通VIP享超值会员特权

作者详情

相关内容

热门标签

举报选择: