Concise and tight security analysis of the Bennett–Brassard 1984 protocol with finite key
lengths
2012 New J. Phys. 14 093014
(http://iopscience.iop.org/1367-2630/14/9/093014)
New Journal of Physics
The open–access journal for physics
Masahito Hayashi (1, 2) and Toyohiro Tsurumaru (3, 4)
1 Graduate School of Mathematics, Nagoya University, Furocho, Chikusa-ku, Nagoya 464-860, Japan
2 Centre for Quantum Technologies, National University of Singapore, 3 Science Drive 2, Singapore 117542, Singapore
3 Mitsubishi Electric Corporation, Information Technology R&D Center, 5-1-1 Ofuna, Kamakura-shi, Kanagawa 247-8501, Japan
E-mail: Tsurumaru.Toyohiro@da.MitsubishiElectric.co.jp
New Journal of Physics 14 (2012) 093014 (39pp)
Received 31 May 2012
Published 11 September 2012
Online at http://www.njp.org/
doi:10.1088/1367-2630/14/9/093014
Abstract. We present a tight security analysis of the Bennett–Brassard 1984
protocol taking into account the finite-size effect of key distillation and achieving
unconditional security. We begin by presenting a concise analysis utilizing the
normal approximation of the hypergeometric function. Next we show that a
similar tight bound can also be obtained by a rigorous argument without relying
on any approximation. In particular, for the convenience of experimentalists
who wish to evaluate the security of their quantum key distribution systems,
we also give the explicit procedures of our key distillation and show how to
calculate the secret key rate and the security parameter from a given set of
experimental parameters. In addition to the exact values of key rates and security
parameters, we also describe how to obtain their rough estimates using the
normal approximation.
4 Author to whom any correspondence should be addressed.
Content from this work may be used under the terms of the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title
of the work, journal citation and DOI.
1367-2630/12/093014+39$33.00
© IOP Publishing Ltd and Deutsche Physikalische Gesellschaft
Contents
1. Introduction
2. Description of our quantum key distribution (QKD) protocol
2.1. Generation of a sifted key and sample bits
2.2. Bit error correction
2.3. Estimation of the number of phase errors in the channel
2.4. Privacy amplification
3. Security criteria of the Bennett–Brassard (1984) protocol in the finite case
3.1. The security of QKD with universal composability
3.2. Decoding error probability of the virtual phase error correction
3.3. Conditional quantum mutual information
3.4. Conditional decoding error probability given $k$
4. Upper confidence limit on the phase error rate $p_{\mathrm{sft}}(k, c)$
5. Upper bounds on the decoding error probability $P_{\mathrm{ph}}$
5.1. The straightforward upper bounds
5.2. The upper bounds by the Gaussian integration
5.3. Second order asymptotics
6. How to use the above formulae to evaluate the security of one’s QKD system
6.1. Summary of our results
6.2. How to use the straightforward upper bounds
6.3. How to use the upper bounds by the Gaussian integration (how to use theorems 2 and 3)
6.4. Rough estimate of the key rate and the security parameter
7. Numerical results
7.1. Case 1: basis choice with probability $q = \frac{1}{2}$
7.2. Case 2: optimized basis choice with variable probability $q$
7.3. Exact bounds versus approximate bounds
8. Summary
Acknowledgments
Appendix A. Justification for restricting the argument to the generalized Pauli channel
Appendix B. Proof of lemma 1
Appendix C. Proof of theorem 1
Appendix D. Proof of theorem 3
Appendix E. Proof of theorem 4
References
1. Introduction
The finite-size effect is an important issue in practical quantum key distribution (QKD) systems.
Firstly, Mayers [1] bounded the security parameter roughly for general coherent attacks in
the finite-size case. Next, using the normal approximation, Hayashi [2] analyzed it in depth
for general coherent attacks in the finite-size case. Later, Scarani and Renner [3] gave a
simple analysis based on the quantum de Finetti theorem, but their results are valid only
against collective attacks. Matsumoto and Uyematsu also gave a simple analysis [4], but again,
essentially valid only for collective attacks. Later, Tomamichel et al [5] gave a tighter bound
with unconditional security by using the uncertainty relations (see, e.g., [6, 7]).
In this paper, we present a concise analysis of the Bennett–Brassard 1984 (BB84)
protocol [8] that takes into account the finite key effect and yields better key generation rates,
with and without relying on the normal approximation. Our analysis is valid for general coherent
attacks and thus our results guarantee the unconditional security. For the sake of simplicity, we
consider the case when the sender, Alice, has a perfect single photon source, and the receiver,
Bob, has photon number resolving detectors. However, it should be noted here that our analysis
can be applied without any change to the more practical cases when threshold detectors are
used, by using the existence of squash operation proved in [9]. (On the other hand, if one wishes
to remove the restriction on the photon source and use weak coherent pulses, our analysis has
to be modified by taking into account decoy pulses [30]; this remains a topic for a future work.)
We also assume that Alice and Bob calculate an upper bound on the phase error rate of a sifted
key, from that of the corresponding sample bits; hence, the key generation rate can vary each
time Alice and Bob run the protocol.
Throughout this paper we use the security criteria with universal composability; the same
criteria as those used by many researchers, particularly by Renner and his coworkers [10, 11].
Hence, our main goal is to show that the trace distance between the actual and the ideal states can
be bounded from above. However, in the mathematical analysis for obtaining upper bounds on
the trace distance, we do not use Renner’s approach based on the smooth minimum entropy [10].
Instead, we bound the trace distance using the argument of Shor and Preskill [12], as well as
its modification by Hayashi [2]. In section 3, by using these formalisms, we show that the trace
distance can be bounded by using the decoding error probability Pph of the virtual phase error
correction; in other words, the universally composable security can be guaranteed by bounding
Pph . To the best of our knowledge, our argument here is the first rigorous treatment of the
universally composable security based on the Shor–Preskill formalism, applicable to linear
universal hash functions with variable final key lengths.
As we shall discuss at the end of section 3, in order to achieve high key generation rates
and strong bounds on Pph simultaneously, it is crucial to estimate the phase error rate psft of the
sifted key with a high accuracy. Note here that the quantity psft cannot be measured directly in
the BB84 protocol. Hence in section 4, we solve an interval estimation problem on psft using
the hypergeometric distribution Phg . Then by using the obtained result, we give explicit bounds
on Pph in section 5. In particular, in order to clarify the argument, we present two versions of
analysis: we first derive a simple bound that we call the straightforward bounds (propositions 1
and 2); and next we give a more complicated bound called the Gaussian bounds (theorems 2
and 3), which yield a better final key rate if the raw key is sufficiently large. For both types
of bounds, we first present a simple analysis based on the normal approximation of the
hypergeometric function (proposition 1 and theorem 2), and then show that a similar tight
bound can also be obtained by a rigorous argument without relying on any approximation
(proposition 2 and theorem 3).
Since this paper is aimed not only at theorists, but also at experimentalists who wish
to evaluate the security of their QKD systems, we include explicit procedures of security
evaluation. We begin in section 2 by explaining the explicit procedures of our key distillation.
Then after theoretical arguments of the security, we demonstrate in section 6 how to use our
theorems to calculate the secret key rate and the security parameter (i.e. an upper bound on the
trace distance) from a given set of experimental parameters. In addition to the exact values of
key rates and security parameters, we also describe how to obtain their rough estimates using
the normal approximation.
In order to show that our rates are indeed better than those in the existing literature,
e.g. [3, 5], we draw in section 7 example curves of key generation rates (figures 1 and 2).
There are several reasons for this improvement. Firstly, our upper bounds are close to the
approximated value of the hypergeometric distribution obtained by the normal approximation,
while the existing results [3, 5] did not discuss the closeness to the normal approximation.
Secondly, in our method, the adversary’s information is estimated in terms of the Shannon
entropy, whereas in [3, 5] they use the minimum entropy, which is a lower bound on the Shannon
entropy. Finally, we use an error margin that depends on the measured error rate of sample bits,
while in [3, 5] the authors use a constant margin that corresponds to the worst value of the error
rate; hence, our analysis gives better key rates on average.
We also treat the sacrifice bit length with the second-order coding rate, which has drawn
the attention of the information theory community [13–15]. The conventional asymptotic
theory treats the coding length with the first-order coefficient. It is impossible to treat the
approximation value of the best error probability with the first-order coefficient of the coding
length. However, it becomes possible if we consider the coding length up to the second-order
coefficient. In this paper, we derive an asymptotic approximation value of the upper bound of
the universally composable security criterion when the sacrifice bit length is given as the form
$n h(p_{\mathrm{smp}}) + \sqrt{n}\, g(p_{\mathrm{smp}})$ with the measured phase error rate, where a function $g(p_{\mathrm{smp}})$ of $p_{\mathrm{smp}}$ will
be given with a concrete form in section 4 (theorem 4).
The differences from our previous papers are as follows. In [2], Hayashi simply approximated the hypergeometric distribution by the normal distribution having the same variance,
without showing its validity. In this paper, we present a rigorous analysis without relying
on any approximation (proposition 2 and theorem 3), by using upper bounds on the hypergeometric distribution obtained from Stirling’s formula and inequalities proved in [16, 17].
As mentioned above, we included the first rigorous treatment of the universally composable
security based on the Shor–Preskill formalism, applicable to linear universal hash functions
with variable final key lengths.
2. Description of our quantum key distribution (QKD) protocol
We consider the following types of the BB84 protocol. This protocol differs from existing
versions (e.g. [2–4]) only in the phase estimation and the privacy amplification (PA) steps.
2.1. Generation of a sifted key and sample bits
Alice and Bob start the protocol with a quantum communication and obtain a sifted key of n
bits and sample bits of l bits. Here we assume that raw key bits are chosen from the uniform
distribution. The sample bits must be selected randomly, and a sifted key and the sample bits
must be measured in different bases.
For example, suppose that Alice and Bob exchange $N$ qubits, choosing the $x$ basis with
probability $q$ and the $z$ basis with $1 - q$. Then, on average, $N q^2$ bits coincide in the $x$ basis, and
$N (1 - q)^2$ in the $z$ basis. By assigning the $x$ basis for a sifted key and the $z$ basis for sample
bits, they have $n = N q^2$, $l = N (1 - q)^2$ (see footnote 5).
2.2. Bit error correction
Bob corrects bit errors in his sifted key using a linear error correcting code. For example,
as in Shor–Preskill’s case [12], Alice may announce a random bit string XORed with her
sifted key; or alternatively, as in Koashi’s case [18], she may send a syndrome of her sifted
key encrypted with a previously shared secret key. In either case, Alice and Bob end up with
$n(1 - f h(p_{\mathrm{bit}}))$ bits of reconciled key $k_{\mathrm{rec}}$, with the bit error rate $p_{\mathrm{bit}}$ of a sifted key. Here $h(x)$ is
the binary entropy function defined as $h(x) := -x \log_2 x - (1 - x) \log_2 (1 - x)$, and the value $f$
corresponds to the efficiency of the error correcting code used. For practical codes, $f \simeq 1.1$. It
should be noted that here the sizes of bit error correcting codes are independent of the security,
and thus Alice and Bob may perform bit error correction by dividing a sifted key $k_{\mathrm{sif}}$ of $n$ bits
into arbitrarily smaller blocks.
In many cases, one needs to guarantee the correctness of the shared keys, that is, one has to
minimize the probability cor that Alice’s and Bob’s secret keys do not match and the protocol
does not abort. One way of minimizing cor is that Alice calculates an $r$-bit hash value of her
reconciled key $k_{\mathrm{rec}}$ using universal$_2$ hash functions. Then she encrypts it with the one-time pad,
using a previously shared secret key, and sends it to Bob. Bob also calculates his own hash value,
and if it does not match Alice’s, they abort the protocol (see footnote 6). By doing this, we have cor $\le 2^{-r}$.
2.3. Estimation of the number of phase errors in the channel
In order to use PA properly and guarantee the security of a secret key, Alice and Bob need to
know an upper bound on the number of phase errors occurring in the channel. It should be noted
here that the phase error is a completely different concept from the bit error mentioned above
(for details, see section 3). Since the phase error rate cannot be measured directly in practical
QKD systems, we estimate its upper bound from the measured error rate of samples.
We denote the number of bit errors occurring in a sample by $c$, and the corresponding bit
error rate by $p_{\mathrm{smp}}(c) := c/l$. We also call the union of a sifted key and the sample bits the total
bits, and denote the number of their bit errors by $k$. Hence the error rate of total bits is given
by $p(k) := k/(n + l)$ and that of a sifted key by $p_{\mathrm{sft}}(k, c) = (k - c)/n$. Note here that measuring
$c$ corresponds to randomly sampling phase errors in the total bits, because a sifted key and the
samples are measured in different bases. Due to this fact, the measured value of $p_{\mathrm{smp}}(c)$ is used
to estimate an upper bound on $p_{\mathrm{sft}}(k, c)$. In the asymptotic limit $n, l \to \infty$, Alice and Bob may
assume that $p_{\mathrm{sft}}(k, c) = p_{\mathrm{smp}}(c)$. In practical QKD systems however, the two values differ in
general due to statistical fluctuations. Thus they obtain a statistically estimated upper bound of
$p_{\mathrm{sft}}(k, c)$ as a function of the measured value $c$, which we denote by $\hat{p}_{\mathrm{sft}}(c)$. Throughout this
paper, we make it a rule to denote an estimated upper bound of a random variable $v$ by $\hat{v}$. The
explicit functional form of $\hat{p}_{\mathrm{sft},\varepsilon}(c)$ is discussed later, and is given in equation (28).
Footnote 5. In general, however, Alice and Bob may choose bases with different probabilities, and a sifted key and sample bits may be chosen with arbitrary proportions from the two bases.
Footnote 6. Another possibility is to continue the protocol by exchanging supplementary information, such as an additional syndrome, over the public channel, and try bit error correction again. In such a case, the supplementary information also needs to be encrypted with a formerly shared key.
2.4. Privacy amplification
The estimated phase error rate p̂sft (c) can be used to obtain an upper bound on the amount of
information that is leaked to Eve. In order to cancel Eve’s information, Alice and Bob perform
classical data processing called PA on the reconciled key krec to generate the secret key ksec ;
roughly speaking, PA randomizes and shrinks krec so that Eve’s information is canceled by the
remaining fraction that is unknown to Eve. The number of bits to be reduced in this process
(sacrifice bits) is determined from p̂sft (c) in the following manner.
We set two limits $c_{\min}$ and $c_{\max}$ ($c_{\min} \le c_{\max}$) on the sample bit error $c$, depending on which
Alice and Bob change their procedures:
• If $c_{\max} < c$, Alice and Bob abort the protocol.
• If $c_{\min} \le c \le c_{\max}$, Alice and Bob generate a secret key as the hash value of their sifted key
by using linear and surjective universal$_2$ hash functions. The number $\alpha(c)$ of sacrifice bits,
i.e. the number of bits reduced in PA, is given by
$$\alpha(c) = \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c + 2)) \rceil + D.$$
Here $\lceil x \rceil$ denotes the smallest integer larger than or equal to $x$. Hence, as a result, they
obtain a secret key $k_{\mathrm{sec}}$ of $G = n [1 - f h(p_{\mathrm{bit}})] - \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c + 2)) \rceil - D$ bits (see footnote 7).
• If $c < c_{\min}$, Alice and Bob generate a secret key in the same way as above, except that they
sacrifice $\alpha(c) = \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c_{\min} + 2)) \rceil + D$ bits for PA. As a result, they obtain a secret key
$k_{\mathrm{sec}}$ of $G = n [1 - f h(p_{\mathrm{bit}})] - \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c_{\min} + 2)) \rceil - D$ bits.
Alternatively, we can combine these three cases as follows: define the sacrificed bit length $\alpha(c)$
to be
$$\alpha(c) = \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(\max[c, c_{\min}] + 2)) \rceil + D. \tag{1}$$
If $c \le c_{\max}$, Alice and Bob sacrifice $\alpha(c)$ bits for PA and obtain the final key of length
$$G(c) = n [1 - f h(p_{\mathrm{bit}})] - \alpha(c). \tag{2}$$
If $c > c_{\max}$, they abort the protocol.
In practice, the most efficient implementation of PA is to use the Toeplitz matrices: Alice
and Bob select a bit-valued Toeplitz matrix M randomly by communicating over the public
channel, multiply it with a reconciled key krec modulo 2 and obtain the secret key ksec = Mkrec
(for details, see, e.g., [10, 19, 20]).
In this paper, we additionally require the surjectivity for all hash functions. To the best of
our knowledge, the most efficient implementation of linear and surjective universal$_2$ functions
is by using the modified Toeplitz matrix, introduced in [2, 19]; in this case, we replace $M$ above
by a concatenation $M' = (I, T)$ of the (square) identity matrix $I$ and a Toeplitz matrix $T$. Note
that this modification $M'$ is slightly more efficient than $M$ above. Also note that unlike $M'$, the
normal Toeplitz matrix $M$ gives a non-surjective map with a very small but non-zero probability;
e.g. for $M$ being an all-zero or all-one matrix.
Footnote 7. Note that key length $G$ of (2) differs from the asymptotic case ($l, n \to \infty$) essentially only in the definition of phase error rate $\hat{p}_{\mathrm{sft},\varepsilon}(c + 2)$. Hence, the estimation of $\hat{p}_{\mathrm{sft},\varepsilon}(c + 2)$ is the key point of our finite-size analysis.
It should be noted here that, unlike in bit error correction, one is not allowed to
perform PA by dividing $k_{\mathrm{rec}}$ and $k_{\mathrm{sec}}$ into smaller blocks, because doing so will destroy the
universal$_2$ property of the (modified) Toeplitz matrix. Also note here that both the key lengths,
$|k_{\mathrm{rec}}| = n[1 - f h(p_{\mathrm{bit}})]$ and $|k_{\mathrm{sec}}| = G$, are of order $O(n)$. If one applies a naive multiplication
algorithm, the computational complexity (i.e. the processing time) increases as $O(n^2)$ (i.e. $O(n)$
per key) and thus becomes a severe bottleneck of the key distillation. This is in fact the most
explicit impact of the finite-size effect on practical QKD systems.
One way around this problem is to use an efficient multiplication algorithm for a Toeplitz
matrix and a vector exploiting the fast Fourier transform algorithm (see, e.g., [21]). The
complexity of this efficient algorithm scales as $O(n \log n)$, or $O(\log n)$ per bit, which can be
regarded as a constant in practice. An actual implementation shows that the throughput exceeds
1 Mbps for $|k_{\mathrm{rec}}| = 10^6$ on software, as demonstrated, e.g., in [20].
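The distillation step of this section, as an added example that is not part of the original paper or the authors' code: it computes the sacrifice length $\alpha(c)$ of equation (1), including the abort case, and then applies the modified Toeplitz matrix $M' = (I, T)$, with the FFT-based product available next to the naive one. The estimator p_hat is a constructed placeholder (the paper's $\hat{p}_{\mathrm{sft},\varepsilon}$ of equation (28) is not reproduced here), and all function names and sample values are assumptions.

```python
import cmath
import math
import random


def h(x):
    """Binary entropy h(x) = -x log2 x - (1 - x) log2 (1 - x)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def sacrifice_bits(c, n, c_min, c_max, D, p_hat):
    """alpha(c) of equation (1); None means c > c_max, i.e. abort."""
    if c > c_max:
        return None
    return math.ceil(n * h(p_hat(max(c, c_min) + 2))) + D


def _fft(a, sign):
    """Recursive radix-2 transform; len(a) must be a power of two."""
    n = len(a)
    if n == 1:
        return list(a)
    even, odd = _fft(a[0::2], sign), _fft(a[1::2], sign)
    out = [0j] * n
    for k in range(n // 2):
        w = cmath.exp(sign * 2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + w, even[k] - w
    return out


def toeplitz_mul_naive(t, v, rows):
    """T v mod 2 with T[i][j] = t[i - j + len(v) - 1]; O(rows * cols)."""
    cols = len(v)
    return [sum(t[i - j + cols - 1] & v[j] for j in range(cols)) & 1
            for i in range(rows)]


def toeplitz_mul_fft(t, v, rows):
    """Same product via one linear convolution; O(n log n)."""
    cols = len(v)
    size = 1
    while size < len(t) + cols - 1:      # room for the full linear convolution
        size *= 2
    ft = _fft(t + [0] * (size - len(t)), -1)
    fv = _fft(v + [0] * (size - cols), -1)
    conv = _fft([x * y for x, y in zip(ft, fv)], +1)
    # Row i of T v is coefficient i + cols - 1 of the convolution t * v.
    return [round(conv[i + cols - 1].real / size) & 1 for i in range(rows)]


def privacy_amplify(k_rec, G, t, mul=toeplitz_mul_fft):
    """k_sec = M' k_rec mod 2, M' = (I, T), T a G x (|k_rec| - G) Toeplitz."""
    if not 0 < G < len(k_rec) or len(t) != len(k_rec) - 1:
        raise ValueError("need 0 < G < |k_rec| and |k_rec| - 1 seed bits")
    head, tail = k_rec[:G], k_rec[G:]
    # The identity block passes `head` through, so the map is surjective
    # for every choice of T, including the all-zero one.
    return [a ^ b for a, b in zip(head, mul(t, tail, G))]


def demo():
    rng = random.Random(2012)                       # constructed, reproducible inputs
    n, l, D, c_min, c_max = 256, 128, 8, 2, 12      # constructed parameters
    p_hat = lambda c: min(0.5, c / l + 0.05)        # placeholder, NOT equation (28)
    k_rec = [rng.getrandbits(1) for _ in range(200)]  # stands in for the reconciled key
    alpha = sacrifice_bits(3, n, c_min, c_max, D, p_hat)
    G = len(k_rec) - alpha                          # equation (2), |k_rec| = n[1 - f h(p_bit)]
    t = [rng.getrandbits(1) for _ in range(len(k_rec) - 1)]  # public Toeplitz seed
    k_sec = privacy_amplify(k_rec, G, t)
    return alpha, G, k_rec, t, k_sec


if __name__ == "__main__":
    alpha, G, *_rest, k_sec = demo()
    print(alpha, G, "".join(map(str, k_sec)))
```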
3. Security criteria of the Bennett–Brassard (1984) protocol in the finite case
3.1. The security of QKD with universal composability
We employ the definition of the security of QKD with universal composability in the variable
length case [22]. In order to guarantee the security for our protocol, we need to evaluate the
security criteria with universal composability after the PA [11]. In this paper, we apply the
above definition with the variable length case to the final state after the PA [23].
For this purpose, we describe all public information by y, including the choice of a hash
function (which corresponds, e.g., to ‘ f ’ of [11]) and the length of the final key (e.g. ‘m’
of [22]). However, here we do not restrict ourselves to those two cases; it may contain other
public information, e.g. the choice of a code for bit error correction. Hence the length m of the
final key is of course a function of y. We denote the probabilistic distribution of y in the actual
protocol by Ppub (y).
Then we consider the Hilbert space $\mathcal{H}_A \otimes \mathcal{H}_E \otimes \mathcal{H}_X$, consisting of Alice’s final key
$\mathcal{H}_A$, Eve’s system $\mathcal{H}_E$ and the public information $\mathcal{H}_X$. We define $\mathcal{H}_A = (\mathbb{C}^2)^{\otimes M}$ with $M$
sufficiently large, so that when $m(y) < M$, Alice uses the (preassigned) subspace of $\mathcal{H}_A$. Also,
following [10], we define the composite system of $E$ and $X$ to be $E'$, i.e. $\mathcal{H}_{E'} = \mathcal{H}_E \otimes \mathcal{H}_X$.
We denote by $\rho_{A,E|y}$ the state of Alice and Eve after PA, conditioned on public information $y$.
Hence, the state after PA takes the form $\rho_{A,E'} = \sum_y P_{\mathrm{pub}}(y)\, \rho_{A,E|y} \otimes |y\rangle\langle y|$.
In this notation, we consider conditional probabilities with respect to length $m$ of
the final key. The actual protocol generates the final key of $m$ bits with probability
$P_{\mathrm{len}}(m) := \sum_{y: m(y)=m} P_{\mathrm{pub}}(y)$. The public information $y$ obeys the conditional distribution
$P(y|m) := P_{\mathrm{pub}}(y) / P_{\mathrm{len}}(m)$; hence, the conditional actual state given $m$ is a density matrix
$\rho_{A,E'|m} := \sum_{y: m(y)=m} P_{\mathrm{pub}}(y|m)\, \rho_{A,E|y} \otimes |y\rangle\langle y|$. The corresponding ideal state given $m$ is defined to be
$\rho_{\mathrm{Ideal}|m} := \rho^{\mathrm{mix}}_{A|m} \otimes \rho_{E'|m}$, where $\rho^{\mathrm{mix}}_{A|m}$ is the completely mixed state in the $m$-qubit subsystem
of $\mathcal{H}_A$, and $\rho_{E'|m} := \mathrm{Tr}_A\, \rho_{A,E'|m}$. Thus, under the condition that the final key length is $m$, the
universal composable security can be guaranteed by bounding the trace distance of these two
states, i.e. $\|\rho_{A,E'|m} - \rho_{\mathrm{Ideal}|m}\|_1$ [11].
The parameter $m$ is a random variable in our protocol; hence, following [22], we define the
universally composable security by bounding the average trace distance $\sum_m P_{\mathrm{len}}(m) \|\rho_{A,E'|m} - \rho_{\mathrm{Ideal}|m}\|_1$.
In this case, it is convenient to define $\rho_{\mathrm{Ideal}} := \sum_m P_{\mathrm{len}}(m) \rho_{\mathrm{Ideal}|m}$. Then the average
trace distance can be rewritten as
\begin{align}
\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1 &= \sum_m P_{\mathrm{len}}(m) \|\rho_{A,E'|m} - \rho^{\mathrm{mix}}_{A|m} \otimes \rho_{E'|m}\|_1 \nonumber \\
&= \sum_y P_{\mathrm{pub}}(y) \|\rho_{A,E|y} - \rho^{\mathrm{mix}}_{A|m(y)} \otimes \rho_{E|y}\|_1 \tag{3} \\
&\le \sum_y P_{\mathrm{pub}}(y) \|\rho_{A,E|y} - \rho_{A|y} \otimes \rho_{E|y}\|_1 \tag{4} \\
&\quad + \sum_y P_{\mathrm{pub}}(y) \|\rho_{A|y} - \rho^{\mathrm{mix}}_{A|m(y)}\|_1, \tag{5}
\end{align}
where $\rho_{A|y} := \mathrm{Tr}_E\, \rho_{A,E|y}$. Hence one may instead bound the sum of the second and the third
lines. Here we used the fact that $\rho_{A,E'} = \sum_y P_{\mathrm{pub}}(y)\, \rho_{A,E|y} \otimes |y\rangle\langle y| = \sum_m P_{\mathrm{len}}(m)\, \rho_{A,E'|m}$ for
the first equality, and $\rho_{E'|m} = \sum_{y: m(y)=m} P_{\mathrm{pub}}(y|m)\, \rho_{E|y} \otimes |y\rangle\langle y|$ for the second equality. The
quantity of (5) measures the non-uniformity of Alice’s final key; i.e. it gives the averaged
distance between Alice’s partial state $\rho_{A|y}$ and the ideally mixed state $\rho^{\mathrm{mix}}_{A|m(y)}$. Note that these
two states are equal when Alice and Bob choose a surjective hash function, because we assume
that Alice’s raw key obeys the uniform distribution. In particular, if Alice and Bob use a hash
function family which consists only of surjective functions (such as the modified Toeplitz
matrices [2, 19] mentioned in the previous section), it suffices to bound (4) only.
3.2. Decoding error probability of the virtual phase error correction
We believe that the above definition of security based on the trace distance is the same as that
used by Renner and others [10, 11]. Throughout this paper we employ this definition of security.
However, in the remaining part where we actually obtain upper bounds on the trace distance, we
do not use Renner’s approach based on the smooth minimum entropy [10]. Instead, we bound
the trace distance $\|\rho_{A,E|y} - \rho_{A|y} \otimes \rho_{E|y}\|_1$ appearing in (4) using the well-known argument of
Shor and Preskill [12] as well as its modification by Hayashi [2]. As we shall see shortly, in these
formalisms, the trace distance is bounded from above by using the decoding error probability of
the (virtual) phase error correction (see footnote 8), which can be identified with the PA in the actual protocol.
The first step of the proof is to consider a virtual protocol where Alice and Bob correct bit errors
as well as phase errors occurring in the quantum channel (under Eve’s influence) by using the
Calderbank–Shor–Steane (CSS) code. By correcting these two types of errors, Alice and Bob
can guarantee that their virtual channel (obtained as a result of quantum error correction) is
noiseless and decoupled from Eve; thus the key they exchange there is unconditionally secure.
The second step of the proof is to note that, from Eve’s viewpoint, this virtual protocol is
completely indistinguishable from the actual protocol. By using this indistinguishability, the
security of the actual protocol follows automatically from that of the virtual protocol.
In these formalisms, phase error correction in the virtual protocol is transformed to
simple classical data processing in the actual protocol. That is, Alice and Bob do not need to
perform phase error correction in the actual protocol; instead it suffices to perform a projection
$C_1 \to C_1/C_2$, where $C_1$, $C_2$ are the classical CSS code. The projection $C_1 \to C_1/C_2$ is often
called PA. That is why we often identify PA with the virtual phase error correction in this paper (see footnote 9).
(In [19], we have shown that the projection $C_1 \to C_1/C_2$ can be replaced by an $\varepsilon$-almost dual
universal$_2$ hash function family.)
Footnote 8. The probability that the (virtual) decoding algorithm fails to give a correct answer.
The original argument of Shor and Preskill was later improved in [24, 25], where it was
shown that the virtual phase error correction and the bit error correction can be discussed
separately. In fact, the virtual phase error correction is essential for guaranteeing security, while
the bit error correction is necessary only for equalizing Alice’s and Bob’s final keys. As a result
of this observation, the trace distance $\|\rho_{A,E|y} - \rho_{A|y} \otimes \rho_{E|y}\|_1$ of (4) can be bounded as [2]
$$\|\rho_{A,E|y} - \rho_{A|y} \otimes \rho_{E|y}\|_1 \le 2\sqrt{2}\, \sqrt{P_{\mathrm{ph}|y}}, \tag{6}$$
where $P_{\mathrm{ph}|y}$ denotes the conditional decoding error probability of the virtual phase error
correction, given public information $y$. By taking the average of (6) with respect to $y$ and by
noting that the function $a \mapsto \sqrt{a}$ is concave, we have
$$\sum_y P_{\mathrm{pub}}(y)\, 2\sqrt{2}\, \sqrt{P_{\mathrm{ph}|y}} \le 2\sqrt{2}\, \sqrt{\sum_y P_{\mathrm{pub}}(y) P_{\mathrm{ph}|y}} = 2\sqrt{2}\, \sqrt{P_{\mathrm{ph}}}, \tag{7}$$
where Pph denotes the decoding error probability of the virtual phase error correction.
As to the non-uniformity of the final key given in (5), recall that we assumed that Alice’s
random variable obeys the uniform distribution. Then the leftover hash lemma [26, 27] yields
$$\sum_y P_{\mathrm{pub}}(y) \|\rho_{A|y} - \rho^{\mathrm{mix}}_{A|m(y)}\|_1 \le \sum_y P_{\mathrm{pub}}(y)\, 2^{-\alpha(y)/2}, \tag{8}$$
where α(y) is the number of sacrifice bits in the PA.
Hence, combining (3)–(5), (7) and (8) we obtain
$$\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1 \le 2\sqrt{2}\, \sqrt{P_{\mathrm{ph}}} + \sum_y P_{\mathrm{pub}}(y)\, 2^{-\alpha(y)/2}. \tag{9}$$
In other words, in order to guarantee the security with universal composability, it suffices to
bound the quantity on the right-hand side (rhs) of (9). In particular, as we have noted below (5),
the second term on the rhs of (9) is exactly zero when all of the hash functions are surjective; in
this case the above inequality is replaced by
$$\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1 \le 2\sqrt{2}\, \sqrt{P_{\mathrm{ph}}}. \tag{10}$$
Hence, in order to guarantee the universally composable security, it suffices to bound Pph .
3.3. Conditional quantum mutual information
Next, we focus on the conditional quantum mutual information criterion, which upper bounds
the classical mutual information between Alice and Eve, which is widely accepted in the
community of the classical information theory [33–35] in the fixed-length case. Now, we
consider the relation between the conditional quantum mutual information criterion and the
decoding error probability of the virtual phase error correction $P_{\mathrm{ph}}$. The conditional quantum
mutual information is given as follows:
$$\sum_m P_{\mathrm{len}}(m)\, I(A : E'|m) = \sum_m P_{\mathrm{len}}(m)\, I_{\rho_{A,E'|m}}(A : E'). \tag{11}$$
Footnote 9. However, the actual protocol does not necessarily have a counterpart for any operation in the virtual protocol. For example, the actual protocol has no operation corresponding to the measurement of the syndrome in the virtual protocol.
For a simple analysis, we assume that all of the hash functions are surjective and the channel
is Pauli. Now, we consider the reference system for the input system with the condition that
the final key length is $m$ and the bit error $x$ occurs. That is, we consider the purification
of $\rho_{A|m}$ with the above condition. In this case, the phase error $z$ occurs with the probability
$P_{Z|X=x}(z) = P_{Z|X}(z|x)$, and Alice’s information is independent of $x$. Here, we denote the
random variables concerning the phase error and bit error by $Z$ and $X$. Thus,
\begin{align}
\sum_m P_{\mathrm{len}}(m)\, I_{\rho_{A,E'|m}}(A : E') &= \sum_m P_{\mathrm{len}}(m) \sum_x P_{X|m}(x)\, I_{\rho_{A,E'|m}}(A : E'|X = x) \nonumber \\
&= \sum_m P_{\mathrm{len}}(m) \sum_x P_{X|m}(x) \Big( H(\rho_{E'|m,x}) - \sum_a P(a|m) H(\rho_{E'|a,m,x}) \Big) \nonumber \\
&\le \sum_m P_{\mathrm{len}}(m) \sum_x P_{X|m}(x) H(\rho_{E'|m,x}). \tag{12}
\end{align}
In the above discussion, note that the distribution describing the channel with the code $C_1/C_2$
depends on the choice of $m$. The entropy $H(\rho_{E'|m,x})$ of Eve’s system is the same as that of the
composite system of the reference system and Bob’s system when $m$ and $x$ are fixed. This is
because the state of the total system of the former and the latter is pure when $m$ and $x$ are fixed.
In this case, the entropy of the latter system is equal to the entropy of the conditional distribution
$P_{Z|X=x,m}$. Thus, $H(\rho_{E'|m,x}) = H(P_{Z|X=x,m})$. Therefore, we obtain
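$$\begin{aligned}
\sum_m P_{\mathrm{len}}(m) \sum_x P_X(x)\, H(\rho_{E'|m,x})
&= \sum_m P_{\mathrm{len}}(m) \sum_x P_X(x)\, H(P_{Z|X=x,m}) \\
&\le \sum_m P_{\mathrm{len}}(m)\, H\Big( \sum_x P_X(x)\, P_{Z|X=x,m} \Big) = \sum_m P_{\mathrm{len}}(m)\, H(P_{Z|m}).
\end{aligned} \qquad (13)$$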
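Since $H(P_{Z|m})$ is smaller than $h(P_{\mathrm{ph}|m}) + m P_{\mathrm{ph}|m}$, combining (12) and (13) we obtain
$$\begin{aligned}
\sum_m P_{\mathrm{len}}(m)\, I(A : E'|m)
&\le \sum_m P_{\mathrm{len}}(m) \sum_x P_X(x)\, H(\rho_{E'|m,x}) \\
&\le \sum_m P_{\mathrm{len}}(m) \big( h(P_{\mathrm{ph}|m}) + m P_{\mathrm{ph}|m} \big)
\le h\Big( \sum_m P_{\mathrm{len}}(m) P_{\mathrm{ph}|m} \Big) + \sum_m P_{\mathrm{len}}(m)\, m P_{\mathrm{ph}|m} \\
&= h(P_{\mathrm{ph}}) + \sum_m P_{\mathrm{len}}(m)\, m P_{\mathrm{ph}|m} \le h(P_{\mathrm{ph}}) + P_{\mathrm{ph}} \max_m m.
\end{aligned}$$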
Hence, in order to guarantee the conditional mutual information, it suffices to bound Pph .
3.4. Conditional decoding error probability given k
In this subsection we show that, in order to bound the decoding error probability Pph of the
virtual phase error correction, it is sufficient to bound Pph|k for all k, where Pph|k denotes the
corresponding conditional probability given k. We also show that a bound on Pph|k can be given
in a concise form using the hypergeometric distribution Phg (c|k) and binary entropies.
First note that, without loss of generality, Eve’s eavesdropping strategy can be described by the
probability distribution $Q_{\mathrm{Eve}}(k)$ of $k$, which is the number of errors in the total bits
$n + l$ [footnote 10]. Then $P_{\mathrm{ph}}$ can be rewritten as $P_{\mathrm{ph}} = \sum_k Q_{\mathrm{Eve}}(k) P_{\mathrm{ph}|k}$, where $P_{\mathrm{ph}|k}$ denotes the conditional
decoding error probability given $k$.
Next, we consider the conditional probability Phg (c|k) of c given k, i.e. the probability that
c bits of errors are found in sample bits when there are k errors in the total bits. Since sample
bits are sampled without replacement, c obeys the hypergeometric distribution for a fixed value
of k:
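$$P_{\mathrm{hg}}(c|k) := \frac{\binom{l}{c}\binom{n}{k-c}}{\binom{n+l}{k}}, \qquad (14)$$
with the average $\bar{c}$ and the deviation $\sigma$ given by
$$\bar{c}(k) := \frac{lk}{n+l}, \qquad \sigma_{n,l}(k)^2 := \frac{k n l (n + l - k)}{(n+l)^2 (n + l - 1)}. \qquad (15)$$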
In the following, $\sigma_{n,l}(k)^2$ is simplified to $\sigma(k)^2$. Hence values of $k$, $c$ occur with probability
$Q_{\mathrm{Eve}}(k) P_{\mathrm{hg}}(c|k)$. (Here sample bits are sampled without replacement simply because one cannot
measure both the phase and the bit values of a qubit simultaneously, and thus Alice and
Bob cannot reuse the sample bits as a sifted key. If one could somehow sample them with
replacements, the hypergeometric distribution here would of course be replaced by the binomial
distribution, which is much simpler.)
Finally, we consider the conditional decoding error probability $P_{\mathrm{ph}|k,c}$ for fixed values of $k$
and $c$. In this case, the number of phase error patterns of total bits is bounded from above by
$2^{nh((k-c)/n)}$ (see, e.g., lemma 4.2.2; [31]). Due to the construction of the protocol, the number
of the sacrificed bits $\alpha(c)$ is fixed. As we have shown in [19], if Alice and Bob use a linear
universal$_2$ hash function family for PA in the actual protocol, it can be considered as the situation
in the virtual protocol where they use a two-almost universal$_2$ linear code family for phase error
correction (i.e. a linear two-almost universal$_2$ hash function family is used as the syndrome
function for correcting phase errors). Then the decoding error probability $P_{\mathrm{ph}|k,c}$ of the virtual
phase error correction can be bounded as
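$$P_{\mathrm{ph}|k,c} \le S_{\mathrm{pa}}(k, c) := 2 \cdot 2^{[g(k,c)]_-} = 2^{[g(k,c)]_- + 1}, \qquad (16)$$
$$\begin{aligned}
g(k, c) :&= n h((k - c)/n) - \alpha(c) \\
&= n h((k - c)/n) - n h(\hat{p}_{\mathrm{sft}}(c + 2)) - D \\
&= n h(p_{\mathrm{sft}}(k, c)) - n h(\hat{p}_{\mathrm{sft}}(c + 2)) - D,
\end{aligned} \qquad (17)$$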
where $[x]_- := \min(x, 0)$. It is easy to see that inequality (16) holds when the completely random
matrices (a type of universal$_2$ hash function) are used for PA, as in Koashi’s case [18]. It is also
shown to hold when the Toeplitz matrices (another universal$_2$ hash function family) are used
for PA, by using the fact that dual matrices of the Toeplitz matrices generate universal$_2$ hash
functions [2]. More generally, in [19], we have further shown that inequality (16) is valid when
an arbitrary family of universal$_2$ functions is used for PA.
Footnote 10: In the general setting, Eve is allowed to use the superposition among different integers $k$. In order to treat such a case, we introduce the distribution $Q_{\mathrm{Eve}}(k)$ here.
Hence, to summarize, under Eve’s strategy Q Eve (k), error numbers k, c are distributed
by Q Eve (k)Phg (c|k). For fixed values of k, c, the virtual phase error correction fails with a
probability less than Spa (k, c) given in (16). Combining these probabilities, we see that the
decoding error probability Pph of the virtual phase correction can be bounded as
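$$P_{\mathrm{ph}} = \sum_k Q_{\mathrm{Eve}}(k) P_{\mathrm{ph}|k} \le \sum_k \sum_c Q_{\mathrm{Eve}}(k) P_{\mathrm{hg}}(c|k) S_{\mathrm{pa}}(k, c) \qquad (18)$$
$$= \sum_k Q_{\mathrm{Eve}}(k) S_{\mathrm{av}}(k) \le \max_k S_{\mathrm{av}}(k), \qquad (19)$$
where $S_{\mathrm{av}}(k)$ is defined by
$$S_{\mathrm{av}}(k) := \sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|k) S_{\mathrm{pa}}(k, c). \qquad (20)$$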
Since Eve’s strategy Q Eve (k) can be arbitrary, Pph can be bounded if and only if maxk Sav (k) is
bounded. Hence in what follows, we will concentrate on obtaining upper bounds on maxk Sav (k).
As one can see from the definition of Spa (k, c) in (16), (17), a straightforward way of
minimizing maxk Sav (k) is to define the function p̂sft (c) so that it always gives a large value;
this corresponds to the situation where, looking at c, Alice and Bob always give a pessimistic
estimate p̂sft (c) that is much larger than the actual value psft (k, c). However, as one can see from
the definition of α(c) in (1) and the final key length G given in the previous section, a large
p̂sft (c) results in a poor key generation rate. Rather, in order to achieve high key generation rates
and the high-level security simultaneously, one needs to minimize maxk Sav (k) by considering
the contributions of the two factors, Phg (k|c) and Spa (k, c). Hence we define p̂sft (c) so that it
becomes as close as possible to (and larger than) the actual value psft (k, c), in the regions of k, c
where Phg (c|k) is not negligible. This is equivalent to the estimation problem of an upper bound
of psft (k, c):
(i) For a given c, we give a suitable choice of the estimated value p̂sft (c) for the phase error
rate of a sifted key. Alice and Bob use this value to calculate the value of α(c) of (1), and
obtain the final key length G. This will be done in section 4.
(ii) With the suitable choice of p̂sft (c), we obtain a universal upper bound on the rhs of (20)
that is independent of k and thus an upper bound of Pph [footnote 11]. This will be done in section 5.
4. Upper confidence limit on the phase error rate psft (k, c)
Now let us turn to the definition of p̂sft (c). As mentioned above, since the length l of sample
bits is finite in practical QKD systems, the phase error rate of a sifted key psft (k, c) deviates
from that of sample bits, psmp (c), due to statistical fluctuations. Hence, in order to guarantee
the security by PA, instead of psmp (c), one needs to use the estimated upper bound p̂sft (c) of
psft (k, c), defined with the statistical effect taken into account.
Footnote 11: A similar analysis was given by Fung et al [28]. However, they seem to evaluate $P_{\mathrm{hg}}(c|k) S_{\mathrm{pa}}(k, c)$ without the summation. This corresponds to the probability that a certain set of values $k$ and $c$ occur and then the virtual phase error correction by Alice and Bob fails.
As long as $p_{\mathrm{sft}}(k, c)$ is estimated larger than the actual value, i.e. $\hat{p}_{\mathrm{sft}}(c) > p_{\mathrm{sft}}(k, c)$, there
is no loss of security, because then, more information is erased by the PA than is actually leaked
to Eve. On the other hand, however, one needs to avoid a situation where $p_{\mathrm{sft}}(k, c)$ is estimated
smaller as $\hat{p}_{\mathrm{sft}}(c) \le p_{\mathrm{sft}}(k, c)$. In such a case, the PA of the previous section does not work since
$[g(k, c)]_- = 0$. Hence, at least as a necessary condition, the function $\hat{p}_{\mathrm{sft}}$ needs to satisfy that
$$\Pr\nolimits_k \{\, c \mid \hat{p}_{\mathrm{sft}}(c) > p_{\mathrm{sft}}(k, c) \,\} > 1 - \varepsilon \quad \text{for } \forall k, \qquad (21)$$
where Prk {c|Q} denotes the probability that c occurs satisfying a condition Q, under the
hypergeometric distribution Phg (c|k). In order to maximize the key generation rate for fixed
values of l, n, we wish to make p̂sft (c) as small as possible. In statistics, this corresponds
to an interval estimation problem. That is, finding the p̂sft (c) satisfying (21) is to obtain an
upper confidence limit on psft (k, c) from an observed value of c, with significance level ε (see,
e.g., [29]).
In the following, we derive the minimum estimate p̂sft,ε (c) = p̂sft (c) satisfying the
condition (21) under the normal approximation of Phg (c|k) by employing interval estimation of
k. Although there is a standard procedure found in every textbook for this analysis (e.g. [29]),
we reproduce it below for the sake of explanation. Firstly, we define the normal distribution
function by
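$$\Phi(x) := \frac{1}{\sqrt{2\pi}} \int_x^{\infty} \exp(-y^2/2)\, dy, \qquad (22)$$
and $s(\varepsilon)$ as the deviation corresponding to $\varepsilon$, e.g.,
$$s(\varepsilon) = \Phi^{-1}(\varepsilon) \qquad (23)$$
such that $\varepsilon = \Phi(s(\varepsilon))$. In what follows, we often abbreviate $s(\varepsilon)$ to $s$. Then, applying the normal
approximation to $P_{\mathrm{hg}}(c|k)$, we have the relation
$$\Pr\nolimits_k \{\, c \mid c > \bar{c}(k) - s(\varepsilon)\sigma(k) \,\} > 1 - \varepsilon \qquad (24)$$
for any integer $k$; that is, $c > \bar{c}(k) - s(\varepsilon)\sigma(k)$ holds at least with probability $1 - \varepsilon$ for any integer
$k$. Note that this condition is equivalent to $(c - \bar{c}(k))^2 \le s(\varepsilon)^2 \sigma(k)^2$ or $c > \bar{c}(k)$. We rewrite this
condition further as
$$(p_{\mathrm{smp}} - p)^2 \le 4\gamma p(1 - p), \quad \text{or} \quad p_{\mathrm{smp}} > p, \qquad (25)$$
where $p = k/(n + l)$, $p_{\mathrm{smp}}(c) = c/l$ and
$$\gamma := \frac{s(\varepsilon)^2 n}{4l(n + l - 1)}. \qquad (26)$$
Condition (25) is equivalent to $p \le \hat{p}_{\varepsilon}(c)$, where $\hat{p}_{\varepsilon}(c)$ is a solution of $(p_{\mathrm{smp}} - \hat{p}_{\varepsilon})^2 = 4\gamma \hat{p}_{\varepsilon}(1 - \hat{p}_{\varepsilon})$ given by
$$\hat{p}_{\varepsilon}(c) := \frac{1}{1 + 4\gamma} \left( p_{\mathrm{smp}} + 2\gamma + 2\sqrt{\gamma \{ p_{\mathrm{smp}}(1 - p_{\mathrm{smp}}) + \gamma \}} \right). \qquad (27)$$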
That is, $k/(n + l) = p \le \hat{p}_{\varepsilon}(c)$ holds at least with probability $1 - \varepsilon$ for any integer $k$. In other
words, the rate $\hat{p}_{\varepsilon}(c)$ gives the upper bound of one-sided interval estimation of $p = k/(n + l)$.
Using this estimate, we define another function
$$\hat{p}_{\mathrm{sft},\varepsilon}(c) := (\hat{p}_{\varepsilon}(c)(n + l) - c)/n = \frac{(n + l)\hat{p}_{\varepsilon}(c) - l p_{\mathrm{smp}}(c)}{n}. \qquad (28)$$
Then, again, the inequality p̂sft,ε (c) > psft (k, c) = (k − c)/n holds at least with probability 1 − ε
for any integer k. As a result, by choosing p̂sft (c) as p̂sft,ε (c), we can satisfy the condition (21).
Throughout this paper, we will use these definitions of p̂ε (c) and p̂sft,ε (c) in calculating α(c).
Now two remarks are in order. First, if there are sufficiently many samples (i.e. with l large
and thus γ sufficiently small), the error number c has roughly the same distribution, irrespective
of whether the samples are picked up with or without replacement. In such a case, as we
mentioned under equation (15), the hypergeometric distribution $P_{\mathrm{hg}}(c|k)$ can be approximated
by the binomial distribution. Indeed, to the first order of $\sqrt{\gamma}$, the estimated value $\hat{p}_{\varepsilon}(c)$ of
equation (27) can be approximated as
$$\hat{p}_{\varepsilon}(c) \simeq p_{\mathrm{smp}}(c) + \frac{s}{l}\sqrt{\frac{n}{n + l - 1}}\, \sigma_{\mathrm{bin}}(c)
= p_{\mathrm{smp}}(c) + \frac{s}{l}\sqrt{\frac{n}{n + l - 1}} \sqrt{l p_{\mathrm{smp}}(c)(1 - p_{\mathrm{smp}}(c))},$$
where $\sigma_{\mathrm{bin}}(c) := \sqrt{l p_{\mathrm{smp}}(c)(1 - p_{\mathrm{smp}}(c))}$ denotes the deviation of the binomial distribution with
the error rate of the sample bits being $p_{\mathrm{smp}}(c) = c/l$. Furthermore, by using the inequality
$p_{\mathrm{smp}}(c) + \frac{s}{l}\sqrt{\frac{n}{n+l-1}}\, \sigma_{\mathrm{bin}}(c) \le p_{\mathrm{smp}}(c) + \frac{s}{l}\sigma_{\mathrm{bin}}(c)$, and by noting that the larger $\hat{p}_{\varepsilon}(c)$ always gives
a better security bound, we can instead use a simpler approximation given by
$$\hat{p}_{\varepsilon}(c) \simeq p_{\mathrm{smp}}(c) + \frac{s}{l}\sigma_{\mathrm{bin}}(c). \qquad (29)$$
The approximated upper bound of (29) can also be obtained by an argument similar to the above,
with the hypergeometric distribution replaced by the binomial distribution. This means that, for
$l$ sufficiently large, one can conclude that the phase error rate $p(k, c)$ of the total bits can be
bounded from above by $\hat{p}_{\varepsilon}(c)$ of (29), which is simply the measured error rate $p_{\mathrm{smp}}(c)$ of the
samples, plus $s$ times its standard deviation $\frac{s}{l}\sigma_{\mathrm{bin}}$. The actual value deviates from this bound only with
a probability less than $\Phi(s)$; or in other words, this estimation fails only with a probability less
than $\Phi(s)$.
5. Upper bounds on the decoding error probability Pph
Throughout the paper, we assume that Alice and Bob perform the protocol specified in section 2,
using the estimated upper bound p̂sft,ε (c) of (27) and (28), obtained in the previous section. That
is, here we substitute p̂sft,ε (c) for p̂sft (c) in (1), and as a result of that, Alice and Bob use sacrifice
bits of α(c) = h( p̂sft,ε (max[c, cmin ])) + D in the PA step. In this setting, we evaluate the decoding
error probability Pph and obtain several upper bounds.
5.1. The straightforward upper bounds
In section 3.4, we showed that, in order to bound Pph , it suffices to bound Sav (k) of (20) for all
values of k. In this subsection, we first present a simple evaluation of Pph , where we divide the
summation Sav (k), given in (20), into two regions of c. This method is similar to those used in
the preceding literature [3, 4], and we call it here the straightforward method.
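For each value of $k$, we set the boundary value $c_{\mathrm{bnd}}(k) := \lfloor \bar{c}(k) - s\sigma(k) \rfloor$, and divide the
summation of (20) as
$$S_{\mathrm{av}}(k) = \sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|k) S_{\mathrm{pa}}(k, c) \qquad (30)$$
$$\le \sum_{c=0}^{\lfloor \bar{c}(k) - s\sigma(k) \rfloor} P_{\mathrm{hg}}(c|k) + \sum_{c=\lfloor \bar{c}(k) - s\sigma(k) \rfloor + 1}^{c_{\max}} P_{\mathrm{hg}}(c|k) S_{\mathrm{pa}}(k, c) \qquad (31)$$
$$\le \sum_{c=0}^{\lfloor \bar{c}(k) - s\sigma(k) \rfloor} P_{\mathrm{hg}}(c|k) + \max_{c \in [\bar{c}(k) - s\sigma(k),\, c_{\max}]} S_{\mathrm{pa}}(k, c). \qquad (32)$$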
(In what follows, we often write $\bar{c}$, $\sigma$, $s$ instead of $\bar{c}(k)$, $\sigma(k)$, $s(\varepsilon)$.) Then, by using the properties
of $\hat{p}_{\mathrm{sft},\varepsilon}(c)$ given in the preceding section, the two terms of (32) can be evaluated as follows.
(i) The first summation of (32) is the probability $\Pr_k \{\, c \mid c < \bar{c}(k) - s(\varepsilon)\sigma(k) \,\}$. As we have
shown in the preceding section, this term is less than $\varepsilon$ (see (24)) if one applies the normal
approximation to $P_{\mathrm{hg}}(c|k)$. To put it more explicitly, apply the normal approximation of the
form
$$\sum_{c=a}^{b} P_{\mathrm{hg}}(c|k) \simeq \frac{1}{\sqrt{2\pi}} \int_{\zeta_a}^{\zeta_b} e^{-x^2/2}\, dx \qquad (33)$$
with $\zeta_c := (c - \bar{c}(k))/\sigma(k)$. Then it follows that the first term of (32) is less than $\Phi(s(\varepsilon)) = \varepsilon$,
where $\Phi(s)$ is the normal distribution function given in (22).
(ii) In the second term of (32), the function $S_{\mathrm{pa}}(k, c) = 2^{[g(k,c)]_- + 1}$ is maximized at $c = \bar{c}(k) - s\sigma(k)$,
because $g(k, c)$, defined in (17), is decreasing with $c$. Also note that
$$\hat{p}_{\mathrm{sft},\varepsilon}(\bar{c}(k) - s\sigma(k)) = p_{\mathrm{sft}}(k, \bar{c}(k) - s\sigma(k))$$
holds by the definition of $\hat{p}_{\mathrm{sft},\varepsilon}(c)$, given in (27) and (28) [footnote 12]. Thus, from (17), we have
$$\begin{aligned}
g(k, \bar{c}(k) - s\sigma(k)) &= n h(p_{\mathrm{sft}}(k, \bar{c}(k) - s\sigma(k))) - \alpha(\bar{c}(k) - s\sigma(k)) \\
&\le n h(p_{\mathrm{sft}}(k, \bar{c}(k) - s\sigma(k))) - n h(\hat{p}_{\mathrm{sft},\varepsilon}(\bar{c}(k) - s\sigma(k))) - D = -D.
\end{aligned}$$
For the inequality of the second line, we used the fact that $\alpha(c) = h(\hat{p}_{\mathrm{sft},\varepsilon}(\max[c, c_{\min}] + 2)) > h(\hat{p}_{\mathrm{sft},\varepsilon}(c))$.
This means that the second summation of (32) can be
bounded by $2^{-D+1}$. We remark that, unlike the first term of (32), this upper bound is valid
without relying on the normal approximation.
Note here that both the bounds are valid for all values of k. Hence, by combining these two
upper bounds, we obtain the following proposition.
Footnote 12: In fact, this is exactly the way we planned when we defined $\hat{p}_{\mathrm{sft},\varepsilon}(c)$: as mentioned in the sentences below (49), the function $\hat{p}_{\varepsilon}(c)$ is defined so that the condition $\hat{p}_{\varepsilon}(\bar{c}(k) - s\sigma(k)) = p(k)$ is satisfied for all $k$. This condition is equivalent to $\hat{p}_{\mathrm{sft},\varepsilon}(\bar{c}(k) - s\sigma(k)) = p_{\mathrm{sft}}(k, \bar{c}(k) - s\sigma(k))$, due to definitions of $\hat{p}_{\mathrm{sft},\varepsilon}(c)$ and $p_{\mathrm{sft}}(k, c)$ given in (28) and in table 1.
Table 1. Notations of the key lengths, total bits and sample bits. Functions p̂ε (c)
and p̂sft,ε (c) denote the estimated upper bounds of p(k) and psft (k, c), under the
condition that there are c errors in sample bits. The parameter ε denotes the
probability that the estimation fails. See section 4 for details.

| | Total bits | Sifted key | Sample bits |
|---|---|---|---|
| Number of bits | n + l | n | l |
| Number of errors | k | k − c | c |
| Error rate | p(k) = k/(n + l) | psft(k, c) = (k − c)/n | psmp(c) = c/l |
| Estimate of error rate with error probability ε | p̂ε(c) | p̂sft,ε(c) | |

Proposition 1. For a given $\varepsilon$ (and the corresponding $s(\varepsilon) = \Phi^{-1}(\varepsilon)$), suppose that $c_{\min} \le c_{\max}$,
and that Alice and Bob perform the QKD protocol specified in section 2. Then by applying the
normal approximation to $P_{\mathrm{hg}}(c|k)$, $P_{\mathrm{ph}}$ can be bounded as
$$P_{\mathrm{ph}} \le \max_k S_{\mathrm{av}}(k) \le \varepsilon + 2^{-D+1}. \qquad (34)$$
If one wishes to bound $P_{\mathrm{ph}}$ by a certain value, say $P_{\max}$, a convenient choice of parameters
is $\varepsilon = 2^{-D+1} = \frac{1}{2} P_{\max}$, or equivalently, $D = 2 - \log_2 P_{\max}$ and $s = \Phi^{-1}(\varepsilon) = \Phi^{-1}(\frac{1}{2} P_{\max})$ [footnote 13]. Then
inequality (10) guarantees that the trace distance is bounded as $\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1 \le 2\sqrt{2}\sqrt{P_{\max}}$,
if Alice and Bob use a universal$_2$ hash function family that consists of linear and surjective
functions.
Further, if parameters l and n are sufficiently large, we can also obtain a tight bound on the
first term of (32) without relying on the normal approximation of Phg (c|k).
Lemma 1. If 54 s(ε)2 6 l 6 n, 1 6 k, and cmax 6 0.12l, we have
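$$\sum_{c=0}^{\min(\lfloor \bar{c} - s\sigma \rfloor,\, c_{\max})} P_{\mathrm{hg}}(c|k) \le \sqrt{\frac{n + l}{n}} \sqrt{\frac{s(\varepsilon)^2 + 2\pi}{2}}\, e^{\mu} \varepsilon, \qquad (35)$$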
where µ := 1/(6n) + 1/(12). Note that this bound holds rigorously, without relying on the
normal approximation of Phg (c|k).
This lemma will be proved in B.3.
Now recall that the upper bound $2^{-D+1}$, obtained above for the second term of (32), does
not rely on any approximation either. Hence, besides proposition 1, we can obtain another bound
on Pph that is similarly tight, and is valid rigorously without relying on any approximation:
Proposition 2. Suppose that 54 s(ε)2 6 l 6 n, and cmax 6 0.12l are satisfied for a given ε (i.e.
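with $\Phi(s) = \varepsilon$). Also assume that Alice and Bob perform the QKD protocol specified in
section 2. Then without using the normal approximation of $P_{\mathrm{hg}}(c|k)$, we have
$$P_{\mathrm{ph}} \le \max_k S_{\mathrm{av}}(k) \le \sqrt{\frac{s(\varepsilon)^2 + 2\pi}{2}} \sqrt{\frac{n + l}{n}}\, e^{\mu} \varepsilon + 2^{-D+1}. \qquad (36)$$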
Footnote 13: Of course, the optimal choice is to let $\varepsilon = a P_{\max}$ and $2^{-D+1} = (1 - a)P_{\max}$ and then find the optimal $0 < a < 1$ that yields the highest key generation rate. However, we do not pursue this optimality in the rest of this paper, since varying $a$ contributes very little to the key rate in typical situations.
5.2. The upper bounds by the Gaussian integration
In the above analysis of the straightforward bounds, if one wishes to bound Pph by a certain
value, say Pmax , it is necessary to let D > 1 − log2 Pmax . Hence, if one chooses a very small Pmax
in order to achieve high-level security, this D can decrease the final key length severely through
the sacrificed bit length (1).
In this subsection, we derive improved bounds that hold with D = 1. We term them here
the Gaussian bounds for the following reason. The first step of the analysis is similar to that
of the previous section; i.e. we divide the summation of Sav (k) as in (31) and obtain upper
bounds for each term. For the first term of (31), we use the normal approximation (33) again
and bound it by ε. However, for the second term of (31), we employ quite a different strategy: we
approximate Phg (k|c) by using (33) and also upper bound Spa (k, c) by an exponential function of
a simple linear function of c (specified below in (38)). By using this simple form, we evaluate
the summation over c as a Gaussian integral. As a result of this integration, instead of $2^{-D+1}$
appearing in the previous subsection, we obtain an upper bound δε on the second term, with δ
being small for large l, n.
In order for this strategy using the Gaussian integration to work properly, parameter k must
be confined to a specific region. Thus, as a preparation, we consider the following three cases
depending on the value of k:
(i) If $k$ is too small (i.e. $0 \le k \le n c_{\min}/l$), it can be shown that $S_{\mathrm{pa}}(k, c)$ is always bounded by
$\varepsilon$, by using the properties of $g(k, c)$. Thus $S_{\mathrm{av}}(k) \le \varepsilon$.
(ii) For the intermediate domain where $n c_{\min}/l \le k \le (n + l)\hat{p}_{\mathrm{sft},\varepsilon}(c_{\max})$, the function $g(k, c)$
(used for $S_{\mathrm{pa}}(k, c) = 2^{[g(k,c)]_- + 1}$) can be bounded from above by a simple function, i.e. a
constant or a linear function of $c$.
(iii) If $k$ is too large (i.e. $(n + l)\hat{p}_{\mathrm{sft},\varepsilon}(c_{\max}) \le k$), we can also show that $S_{\mathrm{av}}(k)$ is less than
$\sum_{c=0}^{\bar{c} - s\sigma} P_{\mathrm{hg}}(c|k)$.
A more precise argument will be given in appendix C, and we have the following theorem.
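Theorem 1. Let $D = 1$. If $c_{\min} \le c_{\max}$ and $2 \le s(\varepsilon)$, then $S_{\mathrm{av}}(k)$ is bounded from above as
follows:
• Case 1. If $0 \le k \le n c_{\min}/l$,
$$S_{\mathrm{av}}(k) \le \varepsilon. \qquad (37)$$
• Case 2. If $n c_{\min}/l < k \le (n + l)\hat{p}_{\mathrm{sft},\varepsilon}(c_{\max})$, for an arbitrary possible outcome $c$, we have
$$S_{\mathrm{pa}}(k, c) \le \min\left\{ 2^{-\beta(c - (\bar{c} - s\sigma + 1))},\, 1 \right\}, \qquad (38)$$
where
$$\beta := \frac{1}{1 + 4\gamma}\, \frac{n + l}{l}\, h'(\hat{p}_{\mathrm{sft},\varepsilon}(c_{\max})). \qquad (39)$$
Thus
$$S_{\mathrm{av}}(k) \le \sum_{c=0}^{\min(\lfloor \bar{c} - s\sigma \rfloor,\, c_{\max})} P_{\mathrm{hg}}(c|k) + \sum_{c=\lfloor \bar{c} - s\sigma \rfloor + 1}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, 2^{-\beta(c - (\bar{c} - s\sigma) + 1)}. \qquad (40)$$
• Case 3. If $(n + l)\hat{p}_{\mathrm{sft},\varepsilon}(c_{\max}) \le k$, then $c_{\max} \le \bar{c} - s\sigma$ holds by the definition of $\hat{p}_{\mathrm{sft},\varepsilon}(c)$.
Hence
$$S_{\mathrm{av}}(k) \le \sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|k) \le \sum_{c=0}^{\lfloor \bar{c} - s\sigma \rfloor} P_{\mathrm{hg}}(c|k). \qquad (41)$$
(For the proof of this theorem, see appendix C.) We stress that the normal approximation
to $P_{\mathrm{hg}}(c|k)$ is not yet applied, and thus all inequalities are rigorous at this stage [footnote 14].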
Then in the rest of this subsection, we will show that the rhs of each inequality of theorem 1
can be bounded from above by (1 + δ)ε, with δ being smaller than 1 for sufficiently large l, n.
In other words, we obtain an upper bound on Sav (k) that is valid for all k; thus Pph
(recall the argument of section 3.4) can also be bounded from above by (1 + δ)ε. Let us first
discuss the easier cases, namely Cases 1 and 3. As mentioned above, for these two cases, Sav (k)
can be easily shown to be less than ε: for Case 1, it is already proved in theorem 1. For
Case 3, if one applies the normal approximation to Phg (c|k), Sav (k) is bounded by ε, as can be
seen from the same argument in the previous section (see the paragraph of (33)).
Hence, there remains to be evaluated Case 2, where parameter $k$ is restricted as $n c_{\min}/l < k \le (n + l)\hat{p}_{\mathrm{sft},\varepsilon}(c_{\max})$.
As mentioned above, we here show that Sav (k) can be rewritten as the
Gaussian integration in this case. In inequality (40), the first term on the rhs can be bounded
by ε, with the approximation applied to Phg (c|k). For the second term, which is a summation
over c, we replace Phg (c|k) by the normal approximation. In addition to that, we replace
Spa (k, c) appearing in the same summation by the rhs of (38). Then the summation can be
rewritten as a Gaussian integral:
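$$\begin{aligned}
\sum_{c=\lfloor \bar{c} - s\sigma \rfloor}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, 2^{-\beta(c - (\bar{c} - s\sigma) + 1)}
&\simeq \frac{1}{\sqrt{2\pi}} \int_{-s}^{(c_{\max} - \bar{c})/\sigma} \exp\left( -\frac{x^2}{2} - s(x + s)\xi_{\varepsilon}(k) \right) dx && (42) \\
&\le \frac{1}{\sqrt{2\pi}} \int_{-s}^{\infty} \exp\left( -\frac{x^2}{2} - s(x + s)\xi_{\varepsilon}(k) \right) dx && (43) \\
&= e^{\frac{1}{2}\xi_{\varepsilon}(\xi_{\varepsilon} - 2)s^2}\, \frac{1}{\sqrt{2\pi}} \int_{(\xi_{\varepsilon} - 1)s}^{\infty} e^{-x^2/2}\, dx =: I_2(\xi_{\varepsilon}(k)), && (44)
\end{aligned}$$
where
$$\xi_{\varepsilon}(k) := (\ln 2)\beta\sigma(k)/s(\varepsilon).$$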
Further, in order to bound I2 (ξε (k)) using ε, we introduce the inequalities
√
√
2
2 −x 2 /2
2
e−x /2 6 8(x) 6
e
,
√
x
x 2 + 2π
(45)
where $\Phi(x)$ is the normal distribution function given in (22). (Inequalities (45) will also be
proved in appendix C.) By using (45), the integral $I_2(\xi_{\varepsilon}(k))$ can be further evaluated as
$$I_2(\xi_{\varepsilon}(k)) \le \frac{\sqrt{1 + 2\pi s^{-2}}}{\xi_{\varepsilon}(k) - 1}\, \Phi(s(\varepsilon)) = \frac{\sqrt{1 + 2\pi s^{-2}}}{\xi_{\varepsilon}(k) - 1}\, \varepsilon. \qquad (46)$$
Footnote 14: It is true that we used the normal approximation in deriving $\hat{p}_{\mathrm{sft},\varepsilon}(c)$ in (28) and (27), and that $\hat{p}_{\mathrm{sft},\varepsilon}(c)$ is used in the statement of theorem 1. However, in the proof of theorem 1 we use no approximation; thus the theorem holds rigorously, without any approximation.
Note here that σ (k) is an increasing function of k, because ξε (k) is. Thus the final term of (46)
is maximized at the lower boundary k = ncmin /l, and we finally obtain
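$$I_2(\xi_{\varepsilon}(k)) \le \frac{\sqrt{1 + 2\pi s^{-2}}}{\xi_{\min,\varepsilon} - 1}\, \varepsilon \qquad (47)$$
with $\xi_{\min,\varepsilon} := \xi_{\varepsilon}(n c_{\min}/l)$. We now have the following theorem.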
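Theorem 2. For a given $\varepsilon$, suppose that $c_{\min} \le c_{\max}$, $2 \le s(\varepsilon)$ and $1 < \xi_{\min,\varepsilon}$ with
$$\xi_{\min,\varepsilon} := \xi_{\varepsilon}(n c_{\min}/l) = \frac{(n + l)\ln 2}{s(\varepsilon)\, l\, (1 + 4\gamma)}\, h'\big(\hat{p}_{\mathrm{sft},\varepsilon}(c_{\max})\big)\, \sigma(n c_{\min}/l). \qquad (48)$$
Here $\hat{p}_{\mathrm{sft},\varepsilon}(c)$ is defined in equation (28), $\sigma$ in equation (15) and $h'(x) = \log_2 \frac{1 - x}{x}$. Also assume
that Alice and Bob perform the QKD protocol specified in section 2. Then with the normal
approximation applied to $P_{\mathrm{hg}}(c|k)$, $P_{\mathrm{ph}}$ can be bounded as
$$P_{\mathrm{ph}} \le \max_k S_{\mathrm{av}}(k) \le (1 + \delta)\varepsilon, \qquad (49)$$
where
$$\delta := \frac{\sqrt{1 + 2\pi s(\varepsilon)^{-2}}}{\xi_{\min,\varepsilon} - 1}. \qquad (50)$$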
Note here that none of cmin , p̂sft,ε (cmax ) or γ depends on k or c, which can vary for each run
of the protocol; thus ξmin,ε can be calculated as a fixed value specified by the protocol. (In other
words, ξmin,ε is the constant and thus calculated at the preparation stage prior to the protocol.)
Further, as we have done in the previous subsection, if parameters l and n are sufficiently
large, we can also obtain a similarly good bound without relying on the normal approximation
of Phg (c|k) (in equation (33)). By using exact upper bounds on Phg (c|k) including lemma 1, we
obtain the following theorem:
Theorem 3. Suppose that $1 \le l \le n$, $s^2 \le c_{\min} \le c_{\max} \le 0.12l$, and $1 < \xi_{\min}$ are satisfied for a
given $\varepsilon$. Also assume that Alice and Bob perform the QKD protocol specified in section 2. Then
without using the normal approximation of $P_{\mathrm{hg}}(c|k)$, we have
$$P_{\mathrm{ph}} \le \max_k S_{\mathrm{av}}(k) \le P_{\mathrm{ph},\varepsilon}(c_{\min}, \xi_{\min,\varepsilon}), \qquad (51)$$
where
r
Pph,ε (cmin , ξmin,ε ) :=
s(ε)2
+ 2π
2
r
p
n +l µ
e ε+
n
1 + 2πs(ε)−2
ξmin,ε − 1
where µ = 1/(6n) + 1/12, ν = 1/(12l) + 1/(2(n + l − 1)).
The proof of this theorem is given in appendix D.
e
q
µ+ν
1−
s(ε)
√
cmin
+ ε ε,
(52)
5.3. Second order asymptotics
Now, we roughly estimate the relation between the sacrifice bit length and the upper bound
maxk Sav (k) of the phase error. For this purpose, we focus on the asymptotic expansion
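for the sacrifice bit. In the protocol discussed in the above, the sacrifice bit length
$\alpha(c)$ is $\lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c + 1)) \rceil + 2$ with $\hat{p}_{\mathrm{sft},\varepsilon}(c) = \frac{(n + l)\hat{p}_{\varepsilon}(c) - l p_{\mathrm{smp}}(c)}{n}$ and
$\hat{p}_{\varepsilon}(c) := \frac{1}{1 + 4\gamma}\left( p_{\mathrm{smp}} + 2\gamma + 2\sqrt{\gamma \{ p_{\mathrm{smp}}(1 - p_{\mathrm{smp}}) + \gamma \}} \right)$. When the ratio $l/n$ is $t$, we obtain the asymptotic expansion:
$$\lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c + 1)) \rceil + 2 = n h(p_{\mathrm{smp}}(c_{\min})) + \sqrt{n}\, g_t(p_{\mathrm{smp}}(c_{\min})) + o(\sqrt{n}), \qquad (53)$$
where $g_t(x) := h'(x) \sqrt{\frac{x(1 - x)(1 + t)}{4t}}\, s(\varepsilon)$. When we use only the first term in the above expansion,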
the upper bound maxk Sav (k) for the phase error converges to zero or one. The limit value zero
or one cannot be used for the approximation for the upper bound maxk Sav (k) because the real
value of the upper bound maxk Sav (k) takes a value between zero and one, which is different
from zero or one.
However, when we use up to the second order $\sqrt{n}$ in the asymptotic expansion of α(c),
the upper bound maxk Sav (k) converges to a value between zero and one. In this case, we can
use the limit for the approximation for the upper bound maxk Sav (k). That is, by using the above
asymptotic expansion, the virtual phase error can be bounded in the following way.
Theorem 4. For a given $\varepsilon$, $p_{\min}$ and $p_{\max}$, we choose $c_{\min}$ and $c_{\max}$ as $p_{\min} l$ and $p_{\max} l$, and
assume that $l/n = t$. Also suppose that Alice and Bob perform the QKD protocol specified in
section 2, except that the sacrifice bit length $\alpha(c)$ is less than $n h(p_{\mathrm{smp}}(c_{\min})) + \sqrt{n}\, g_t(p_{\mathrm{smp}}(c_{\min}))$
for $c \in [c_{\min}, c_{\max}]$. Then, the maximum $P_{\mathrm{ph},n,l}$ of $S_{\mathrm{av}}(k)$ with given $n$ and $t$ can be asymptotically
characterized as
$$\lim_{n \to \infty} \max_{l : l > tn} P_{\mathrm{ph},n,l} \le \varepsilon. \qquad (54)$$
The proof will be given in appendix E.
6. How to use the above formulae to evaluate the security of one’s QKD system
In this section we summarize what we have proved so far and then explain how one can use
proposition 1 or 2 or theorem 2 or 3 to evaluate the security of one’s QKD system.
6.1. Summary of our results
As discussed in section 3, the standard quantitative measure of the security of QKD is the
trace distance $\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1$ between the actual state $\rho_{A,E'}$ and the ideal state $\rho_{\mathrm{Ideal}}$, given in
(3). Inequalities (9) and (10) claim that this trace distance can be bounded from above by the
averaged decoding error probability Pph of the virtual phase error correction. Throughout this
paper, we are interested in bounding Pph by using Shor–Preskill’s formalism. Also in section 3,
we have shown that in order to bound Pph under an arbitrary attack by Eve, it suffices to bound
the probability maxk Sav (k), with Sav (k) defined in (20) (or equivalently, for all k, one needs
to bound Sav (k) by a certain value). Here the function Sav (k) gives an upper bound on the
failure probability Spa (k, c) of the virtual phase error correction, averaged with respect to the
hypergeometric distribution Phg (c|k). Our analyses of sections 4 and 5 are devoted to obtaining
an upper bound on maxk Sav (k).
In section 4, we determined the suitable functional form of the upper bound p̂sft (c) on the
phase error rate p̂sft (k, c) of the sifted key, such that we can achieve high key generation rates
and high-level security simultaneously. The function p̂sft (c) is used for calculating the sacrifice
bit length α(c) of equation (1), i.e. the number of bits that needs to be erased in PA. This
problem can be reduced to determining an upper bound on parameter k, or equivalently, that on
the phase error rate psft (k, c) of a sifted key. For this purpose, we derived an upper bound p̂sft,ε (c)
of equations (27) and (28) on psft (k, c), as a function of the measured error rate psmp (c) = c/l
of sample bits. We used here the standard method of interval estimation, and the upper bound
p̂sft,ε (c) is defined so that, for any value of k, the undesired case psft (k, c) > p̂sft,ε (c) occurs with
a probability $\le \varepsilon$ (see equations (21) and (24)).
Then, in section 5, by using this p̂sft,ε (c) and the corresponding sacrificed bit length α(c)
given in (1), we obtained the upper bounds on Sav (k) that hold for all k. By the argument of
the paragraph of (20), this means that we have given upper bounds on Pph . For the sake of
simplicity, we first gave straightforward bounds in proposition 1 (with the approximated values
of the hypergeometric distribution Phg (c|k)) and proposition 2 (without any approximation).
Next we gave the other bounds exploiting the properties of the Gaussian integration, which yield
a larger final key length G for sufficiently large l, n; namely, theorem 2 (with the approximated
Phg (c|k)) and theorem 3 (without any approximation).
6.2. How to use the straightforward upper bounds
6.2.1. The straightforward upper bound with the normal approximation (how to use
proposition 1). Here we present how to calculate the secret key length of one’s QKD system
using the straightforward upper bound on Pph obtained in proposition 1.
• Preparation steps:
(i) Determine one’s desired upper bound Tmax on trace distance.
(ii) Calculate the corresponding upper bound on the phase error rate by $P_{\max} = \frac{1}{8}(T_{\max})^2$.
(iii) Let the confidence limit be $\varepsilon = \frac{1}{2} P_{\max}$. Then calculate parameter $s = \Phi^{-1}(\varepsilon)$, as the
inverse value of the normal distribution function $\Phi(x)$ (see the definitions of $\Phi(x)$
and $s(\varepsilon)$ given in (22) and (23)).
(iv) Let $D = \lceil 2 - \log_2 P_{\max} \rceil$.
(v) Determine cmin and cmax .
(vi) Parameter check. No parameter check is necessary for proposition 1.
Under this setting of parameters, one can guarantee that $P_{\mathrm{ph}} \le \varepsilon + 2^{-D+1} \le P_{\max}$, by applying the
normal approximation to $P_{\mathrm{hg}}(c|k)$ and by using proposition 1. Then inequality (10) guarantees
that the trace distance is bounded as $\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1 \le 2\sqrt{2}\sqrt{P_{\max}} = T_{\max}$. (As specified below,
we here assume that Alice and Bob use a universal$_2$ hash function family that consists of linear
and surjective functions.)
• For each run of the protocol:
(vii) Perform the protocol as specified in section 2. In particular, in the PA step, for the
calculation of the length $\alpha(c)$ of (1), use $\hat{p}_{\mathrm{sft},\varepsilon}(c)$ defined in equations (27) and (28),
as well as parameters $s$ and $D$ obtained in the preparation steps above [footnote 15]. Then use
a universal$_2$ hash function family that consists of linear and surjective functions, to
convert the reconciled key to the secret key.
Footnote 15: Throughout this section, we neglect the deviation of $l$, $n$ from their averages when the bases $x$, $z$ are chosen with a constant probability, and assume that they are constant.
As noted in section 2, as a result of this protocol, Alice and Bob obtain the final key of length
G = n rec − α(c) with α(c) given in (1) and n rec being the reconciled key length. If an error
correcting code with efficiency f is used, we have n rec = n(1 − f h( pbit )), with pbit being the bit
error rate of the sifted key. Thus Alice and Bob obtain the final key of length G, given in (2).
6.2.2. The straightforward upper bound without any approximation (how to use proposition 2).
By using proposition 2, an exact upper bound on Pph can be obtained, without relying on the
normal approximation of Phg (c|k). In this case all the steps are the same as those given in
section 6.2.1, except for steps (iii) and (vi):
(iii′) Choose the parameter s such that
$$\sqrt{\frac{n+l}{n}}\,\sqrt{\frac{s^2+2\pi}{2}}\;e^{\mu}\,\Phi(s) \le \frac{1}{2}P_{\max}$$
is satisfied, where $\mu = 1/(6n) + 1/12$.
(vi′) Parameter check. Check that $\frac{5}{4}s^2 \le l \le n$ and $c_{\max} \le 0.12l$ are satisfied. If not, set $T_{\max}$
smaller and restart from step (i).
As a result of step (iii′), we have $\varepsilon = \Phi(s(\varepsilon)) \le s^{-1} \times \frac{1}{2}P_{\max}$. This means that, for a fixed
value of $P_{\max}$, one needs to choose $\varepsilon = \Phi(s(\varepsilon))$ to be smaller than that obtained in section 6.2.1,
by a factor of $s^{-1}$. As a result, s also turns out to be larger; one ends up with a smaller final key
length. Note, however, that such an increment of s is negligible for sufficiently large s (e.g., for
s > 10), because $\Phi(s)$ scales as $e^{-\frac{1}{2}s^2}$ and thus a very small increment of s compensates for the
factor of $s^{-1}$ in front of $\frac{1}{2}P_{\max}$. Hence the decrement in the final key length is very small. We
will demonstrate this fact in the next section by a numerical calculation in section 7.3.
6.3. How to use the upper bounds by the Gaussian integration (how to use theorems 2 and 3)
As mentioned in section 5.2, if parameters l and n are sufficiently large, we can set D = 1 and
still obtain similarly tight bounds on Pph as given in theorems 2 and 3; thereby we can improve
the final key length G. For these cases too, we summarize how to calculate the secret key length
of one’s QKD system.
6.3.1. The Gaussian bound with the normal approximation (how to use the bound of theorem 2).
For theorem 2, the preparation steps are modified as follows.
• Preparation steps:
(i) Determine one’s desired upper bound on trace distance Tmax .
(ii) Calculate the corresponding upper bound on the phase error rate by $P_{\max} = \frac{1}{8}(T_{\max})^2$.
(iii) Set the confidence limit ε to be slightly smaller than $P_{\max}$. (For example, if l, n
are sufficiently large, $\varepsilon = 0.9P_{\mathrm{ph}}$ is usually sufficient.) Then calculate parameter
$s = \Phi^{-1}(\varepsilon)$, as the inverse value of the normal distribution function $\Phi(x)$ given in (22).
(iv) Let D = 1.
(v) Determine $c_{\min}$ and $c_{\max}$, such that the conditions in the first sentence of theorem 2 are
all satisfied.
(vi) Parameter check. Check if δ is small enough so that inequality (49) is satisfied. If not,
go back to step (iii) and set ε smaller.
After these preparation steps, Alice and Bob run the protocol as in the previous sections.
That is, they run the protocol as specified in step (vii) of section 6.2.1.
6.3.2. The Gaussian bound without the normal approximation (how to use the bound of
theorem 3). As we have done for the case of the straightforward bounds, we also obtained
in theorem 3 the exact version of the Gaussian bound that does not rely on the normal
approximation of Phg (c|k). This theorem was derived using essentially the same idea as
theorem 2 and achieves a similarly tight bound, but does not rely on any approximation.
For theorem 3, the preparation steps are the same as theorem 2 (i.e. the same as in
section 6.3.1), except for steps (v) and (vi):
(v′′) Determine $c_{\min}$ and $c_{\max}$, such that the conditions in the first sentence of theorem 3 are
all satisfied.
(vi′′) Parameter check. Check if δ′ is small enough so that inequality (52) is satisfied. If not,
go back to step (iii) and set ε smaller.
After these preparation steps, Alice and Bob run the protocol as in the previous sections.
That is, they run the protocol as specified in step (vii) of section 6.2.1.
6.4. Rough estimate of the key rate and the security parameter
We note here that if l, n are sufficiently large, parameters γ and δ become sufficiently small,
and the approximate evaluation of the key length G of (2) can be greatly simplified.
As one can see from steps (i) and (ii) of section 6.3, bounding $P_{\mathrm{ph}}$ is enough for the security.
If δ is sufficiently small, then according to theorem 2 (or step (iii) of section 6.3), $P_{\mathrm{ph}}$ can
be bounded approximately by ε, which determines the value of $\hat p_{\mathrm{sft},\varepsilon}(c)$ via equations (27)
and (28). Then as we discussed in the paragraph of equation (29), if γ is sufficiently small,
$\hat p_{\mathrm{sft},\varepsilon}(c) = \frac{n+l}{n}\hat p_{\varepsilon}(c) - \frac{l}{n}p_{\mathrm{smp}}(c)$ can be approximated by using $\hat p_{\varepsilon}(c) \simeq p_{\mathrm{smp}}(c) + \frac{s}{l}\sigma_{\mathrm{bin}}(c)$.
As a result, if the conditions of the first sentence of theorem 2 are satisfied for a given set
of experimental parameters, and if γ and δ are sufficiently small, one has the following rough
estimates. The trace distance is approximately bounded by the square root of ε as
$$\|\rho_{A,E} - \rho_{\mathrm{Ideal}}\| \le 2\sqrt{2}\sqrt{P_{\mathrm{ph}}},$$
$$P_{\mathrm{ph}} \le (1+\delta)\varepsilon \simeq \varepsilon.$$
The parameter s is chosen to be the deviation of the standard deviation, i.e. $s = \Phi^{-1}(\varepsilon)$. Then
this s determines the final key length G as
$$G \simeq n\left[1 - f h(p_{\mathrm{bit}}) - h\!\left(\hat p_{\mathrm{sft},\varepsilon}(c)\right)\right],$$
$$\hat p_{\mathrm{sft},\varepsilon}(c) = \frac{n+l}{n}\,\hat p_{\varepsilon}(c) - \frac{l}{n}\,p_{\mathrm{smp}}(c),$$
$$p_{\mathrm{smp}}(c) = c/l,$$
$$\hat p_{\varepsilon}(c) \simeq p_{\mathrm{smp}}(c) + \frac{s}{l}\,\sigma_{\mathrm{bin}}(c) = p_{\mathrm{smp}}(c) + \frac{s}{l}\sqrt{l\,p_{\mathrm{smp}}(c)\left(1 - p_{\mathrm{smp}}(c)\right)}.$$
We expect that these relations will be useful for experimentalists and theorists who wish to
obtain a rough estimate of the key length with the finite-size effect taken into account.
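The preparation steps of sections 6.2.1 and 6.2.2 and the rough estimate of section 6.4 can be carried through numerically; the following Python is an added example, not code from the paper or its authors. It assumes that Φ(x) of (22) is the upper tail of the standard normal distribution, it uses the section 6.4 approximation of p̂ε(c) rather than (27) and (28), and all function names and sample sizes are constructed for illustration.

```python
import math
from statistics import NormalDist


def h(x):
    """Binary entropy h(x) in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def phi(x):
    """Assumption: Phi(x) of (22) is the upper tail of the standard normal."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def phi_inv(eps):
    """s(eps) = Phi^{-1}(eps) under the same assumption (0 < eps < 1)."""
    return -NormalDist().inv_cdf(eps)


def prepare_prop1(t_max):
    """Steps (i)-(iv) of section 6.2.1; returns (P_max, eps, s, D)."""
    p_max = t_max ** 2 / 8.0
    eps = p_max / 2.0
    return p_max, eps, phi_inv(eps), math.ceil(2.0 - math.log2(p_max))


def prop2_lhs(s, n, l):
    """Left-hand side of the inequality in step (iii')."""
    mu = 1.0 / (6.0 * n) + 1.0 / 12.0
    return (math.sqrt((n + l) / n) * math.sqrt((s * s + 2.0 * math.pi) / 2.0)
            * math.exp(mu) * phi(s))


def choose_s_prop2(p_max, n, l):
    """Step (iii'): smallest s meeting the inequality, found by bisection.

    The left-hand side decreases monotonically in s, so bisection is valid.
    """
    lo, hi = 0.0, 40.0          # phi(40) underflows to 0, so hi always passes
    for _ in range(100):
        mid = 0.5 * (lo + hi)
        if prop2_lhs(mid, n, l) <= p_max / 2.0:
            hi = mid
        else:
            lo = mid
    return hi


def check_prop2(s, n, l, c_max):
    """Step (vi'): if this fails, make T_max smaller and restart from (i)."""
    return 1.25 * s * s <= l <= n and c_max <= 0.12 * l


def rough_key_length(n, l, c, s, f=1.1, p_bit=None):
    """Rough estimate of section 6.4 (D and r not subtracted).

    Returns (G, p_sft_hat) with G floored to whole bits and clipped at 0.
    """
    p_smp = c / l
    if p_bit is None:
        p_bit = p_smp                      # assume equal error rate in both bases
    sigma_bin = math.sqrt(l * p_smp * (1.0 - p_smp))
    p_eps = p_smp + (s / l) * sigma_bin
    p_sft = (n + l) / n * p_eps - (l / n) * p_smp
    if p_sft >= 0.5:
        return 0, p_sft                    # estimate is vacuous: no secret key
    g = n * (1.0 - f * h(p_bit) - h(p_sft))
    return max(0, math.floor(g)), p_sft


if __name__ == "__main__":
    # Constructed inputs: T_max = 1e-9, QBER = 5%, n = l.
    p_max, eps, s, d = prepare_prop1(1e-9)
    print(f"P_max={p_max:.3e} eps={eps:.3e} s={s:.3f} D={d}")
    for n in (10**3, 5 * 10**3, 10**5, 10**7):
        g, p_sft = rough_key_length(n, n, 0.05 * n, s)
        print(f"n=l={n:>8}  p_sft_hat={p_sft:.4f}  G={g:>8}  G/n={g / n:.3f}")
```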
7. Numerical results
We demonstrate the tightness of our bound with numerical results. We consider a quantum
channel in the absence of an eavesdropper and assume that it can be described as a binary
symmetric channel with quantum bit error rate (QBER).
7.1. Case 1: basis choice with probability $q = \frac{1}{2}$
First, as a comparison to the previous literature [3, 5], we plot the key rates for the case when
Alice and Bob choose the x and the z bases with equal probability. We present two types of
evaluations given in section 6; one is the analysis of section 6.2.2 using the straightforward
bound of proposition 2 and the other is that of section 6.3.2 using the Gaussian bound of
theorem 3. Note that both these bounds are derived without using the normal approximation;
thus all the key generation rates obtained in this subsection are rigorous.
We assume that Alice and Bob choose both the phase basis and the bit basis with probability
q = 1/2, and thus n = l = N/4. We also assume that Alice and Bob consume r = 40 bits
of a previously shared secret key for exchanging the hash value, in order to guarantee that
cor $\le 10^{-12}$ (in the following, these r = 40 bits will be subtracted from the final key length
G). Then we choose $P_{\max}$ to be $0.98 \times \frac{1}{8} \times 10^{-20}$, so that the trace distance $\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1$ is
guaranteed to be less than $T_{\max} = 2\sqrt{2P_{\max}} = 0.99 \times 10^{-10}$. By these choices of parameters, we
can guarantee that $T_{\max}$ + cor $\le 10^{-10}$, which is the same condition as that used in [5].
Because r = 40 bits are consumed for guaranteeing that Alice’s and Bob’s final keys are
equal, the effective final key length is G(c) − r, with G(c) defined in (2). Hence in this section,
we define the final key rate to be
$$R(c) := \frac{G(c) - r}{n} = \frac{1}{n}\left[\,n\left(1 - f h(c/l)\right) - n h\!\left(\hat p_{\mathrm{sft},\varepsilon}(\max\{c, c_{\min}\} + 2)\right) - (D + r)\right]. \tag{55}$$
The efficiency of bit error correction is chosen to be f = 1.1.
7.1.1. The straightforward bound. With the above choices of parameters, we perform the
analysis of section 6.2.2, and obtain the corresponding final key rate R. Here we restrict
ourselves to the case when parameters l, n satisfy $125 \le l = n$. Parameters $P_{\max}$ and $T_{\max}$ are
already specified above. As to parameter s, we follow step (iii′) and let s = 9.9, so that
$$\sqrt{\frac{n+l}{n}}\,\sqrt{\frac{s^2+2\pi}{2}}\;e^{\mu}\,\Phi(s) \le \sqrt{s^2+2\pi}\;e^{1/4}\,\Phi(s) \le 1.1 \times 10^{-22} \le \frac{1}{2}P_{\max}.$$
[Figure 1: plot of R against n + l, with curves labelled QBER = 1%, QBER = 2.5% and QBER = 5%.]
Figure 1. Key generation rate R = (G − r)/n versus n + l, which is the sum of
lengths of a sifted key and sample bits. Here we assume that x and the z bases
are chosen with equal probability, i.e. $q = \frac{1}{2}$. The typical QBER are chosen to
be 1% (red), 2.5% (blue) and 5% (black). As to the security, we set r = 40
and $P_{\max} < 0.98 \times \frac{1}{8} \times 10^{-20}$, so that $T_{\max}$ + corr $\le 10^{-10}$. That is, the sum of the
trace distance and cor is less than $10^{-10}$. We have used two types of analysis to
achieve this value of $P_{\max}$: the bold curves represent the key rates based on the
straightforward bound given in proposition 2 and section 6.2.2. The thin curves
are based on the Gaussian bound given in theorem 3 and section 6.3.2. We stress
that these curves are obtained without using the normal approximation. Dots of
the same color are the rates obtained in figure 2 of [5].
According to step (iv), we choose $D = \lceil 2 - \log_2 P_{\max} \rceil = 79$; next, according to step (v),
$c_{\min} = 0.01l$ and $c_{\max} = 0.12l$. It is easy to verify that all these parameters are compatible with
the parameter checks of step (vi′).
Then we assume that Alice and Bob perform the BB84 protocol (i.e. step (vii)), in the
quantum channels with QBER = 1, 2.5 and 5%. The corresponding key rates R(c) (with
c = l × QBER) are shown by bold curves in figure 1, versus n + l.
7.1.2. The Gaussian bound. For the same choice of parameters q, r, Pmax , D and for the same
ratio of cmax = 0.12l with respect to l, we perform the analysis of section 6.3.2. The remaining
parameters to be fixed are s and cmin ; hence, we here numerically calculate the pairs of s and cmin
that give the best key rate R(c). That is, we first fix l and n and then search for the pair of s and
cmin that is compatible with the parameter check and gives the largest R(c). (This corresponds
to repeating steps (iii) through (vi′) of section 6.3.2, by letting ε be smaller each time, until the
largest key length G(c) is obtained.) The results are shown by thin curves in figure 1.
[Figure 2: plot of F against N, with curves labelled QBER = 1%, QBER = 2.5% and QBER = 5%.]
Figure 2. Secret fraction F = (G − r)/N versus raw key length N. Here
we assume that Alice and Bob choose the x and the z bases with varying
probabilities q, 1 − q. The probability q and the minimum errors $c_{\min}$ are also
optimized to give maximum F. The typical QBER are chosen to be 1% (red),
2.5% (blue) and 5% (black). Parameters $P_{\mathrm{ph}}$, cor are chosen to be the same as
those in figure 1, so that $T_{\max}$ + corr $\le 10^{-10}$ is satisfied.
As one can see from figure 1, if QBER = 5%, the Gaussian bound gives a better key rate
than the straightforward bound for all l, n. In contrast, for smaller QBER (1 and 2.5%), the
straightforward bound becomes better for $l, n \simeq 5000$.
The dots in figure 1 represent the key rates obtained by Tomamichel et al [5] under the
same condition. It can be clearly seen that our key rates R are better in all parameter regions.
For example, figure 1 gives R = 0.19 for QBER = 5% and $n + l = 10^4$, while Tomamichel et al
[5] gave R = 0 in this region. As n + l becomes larger, R converges very fast to the asymptotic
values; all three curves reach more than 80% of the asymptotic values at $n + l = 2 \times 10^5$.
As we have noted in section 2, key
distillation is quite practical even in this region. That is, the sizes of bit error correcting codes are
independent of security, and thus Alice and Bob may perform bit error correction by dividing a
sifted key of n bits into arbitrarily smaller blocks. As to PA, one can use the efficient algorithm
for the multiplication of the (modified) Toeplitz matrix and a vector.
[Figure 3: plot of R against n + l, showing a solid curve and a dashed curve.]
Figure 3. Solid curve: the same curve as the solid curve in figure 1 with QBER =
1%. This curve is obtained by using proposition 2 without any approximation.
Dashed curve: the final key rate R(c) obtained for the same values of QBER,
$P_{\max}$, r, l, n, using the straightforward bounds of proposition 1; hence, this curve
is obtained using the normal approximation. Note that the two curves are almost
identical.
7.2. Case 2: optimized basis choice with variable probability q
Next, as a more practical setting, we consider the case when Alice and Bob choose the x and the
z bases with varying probabilities q, 1 − q (thus, $l = q^2 N$, $n = (1 - q)^2 N$). Then we maximize
the secret fraction F, defined by
$$F(c) = \frac{G(c) - r}{N} = \frac{1}{N}\left[\,n\left(1 - f h(c/l)\right) - n h\!\left(\hat p_{\mathrm{sft},\varepsilon}(\max\{c, c_{\min}\} + 2)\right) - (D + r)\right] \tag{56}$$
with respect to a fixed raw key length N, where G denotes the final key length. We
use the analysis of section 6.3.2 based on the Gaussian bound of theorem 3 (without any
approximation); hence again, all the final key rates obtained in this subsection are rigorous.
We choose parameters $P_{\max}$, cor to be the same as those in the previous subsection. According
to step (iii), we let s(ε) = 10.5 so that ε = 4.32 × 10−26 Pmax . The channel error rates are
chosen to be QBER = 1, 2.5 and 5%, respectively.
Under these settings, for each fixed value of N , we performed numerical simulations to
select the optimal values of q and cmin that give the maximum value of F(c). That is, we first fix
N and then search for the pair of q and cmin that is compatible with the parameter check of step
(vi′′) and gives the largest F(c). The results are shown in figure 2.
7.3. Exact bounds versus approximate bounds
All the key rates of the previous two subsections are rigorous, in the sense that they are obtained
without using any approximation. In this final subsection, we demonstrate that, for practical
parameter regions, the key rates are almost the same, whether one uses the analysis based on the
normal approximation (i.e. proposition 1 and theorem 2) or those without any approximation
(i.e. proposition 2 and theorem 3).
In figure 3, the solid curve shows R(c) obtained in section 7.1.1 with QBER = 1%. On the
other hand, the dashed curve in the same figure is the key rate R(c) obtained for the same values
of QBER and $P_{\max}$, r, l, n by the procedure of section 6.2.1; hence this curve is obtained by
using proposition 1 and thus relies on the normal approximation of $P_{\mathrm{hg}}$. Similarly in figure 4, the
solid curve shows F(c) obtained in section 7.1.2 with QBER = 5%, whereas the dashed curve
is obtained by using theorem 2, which relies on the normal approximation (here we performed
the optimization of s and $c_{\min}$).
[Figure 4: plot of R against n + l, showing a solid curve and a dashed curve.]
Figure 4. Solid curve: the same curve as the thin curve in figure 1 with QBER =
5%. This curve is obtained by using theorem 3 without using any approximation.
Dashed curve: the final key rate R(c) obtained for the same values of QBER,
$P_{\max}$, r, l, n, using the straightforward bounds of theorem 2; hence, this curve
is obtained using the normal approximation. Note again that the two curves are
almost identical.
Note that for both these cases, the exact key rate and the approximate key rate are almost
identical. These results suggest that the simple analysis using the normal approximation (i.e.
proposition 1 or theorem 2) can be justified for the security evaluations of practical QKD
systems.
8. Summary
In this paper, we have presented a concise analysis of the BB84 protocol that takes the finite
key effect into account and yields better key generation rates, with and without relying on the
normal approximation. Our results are indeed an improvement on the preceding literature; as
we have shown in figure 1, our analysis gives better key generation rates R in practical settings
than those in [3, 5].
For the convenience of experimentalists who wish to evaluate the security of their QKD
systems, we included explicit procedures of security evaluation in sections 3 and 6. In particular,
in addition to presenting the exact values of key rates and security parameters, we also presented
how to obtain their rough estimates using the normal approximation.
For the sake of simplicity, we restricted ourselves to the simple case when Alice has a
perfect single photon source. On the other hand, in order to achieve a long communication
distance by a practical QKD system using a weak coherent light source, decoy pulses are
necessary [30]. This situation was analyzed by one of the authors [2], relying on the normal
approximation. A thorough and exact analysis in this direction without any approximation
remains the topic for a future work.
Acknowledgments
The authors thank Ryutaroh Matsumoto for valuable comments. MH is partially supported by
MEXT Grant-in-Aid for Young Scientists (A) no. 20686026 and Grant-in-Aid for Scientific
Research (A) no. 23246071. The Center for Quantum Technologies is funded by the Singapore
Ministry of Education and the National Research Foundation as part of the Research Centres of
Excellence program. MH and TT are partially supported by the National Institute of Information
and Communication Technology (NICT), Japan.
Appendix A. Justification for restricting the argument to the generalized Pauli channel
The generalized Pauli channel is defined to be a channel where the phase error and the bit
errors occur stochastically (i.e. with a classical probability). It is easy to see that, in this setting,
the virtual phase error probability Pph after the PA, mentioned in the main text, can clearly be
defined. In [2], it is shown that the trace distance can be bounded from above by using Pph .
Here we demonstrate that, without loss of generality, this argument can be extended to
the case when the quantum channel $\Lambda$ between Alice and Bob is arbitrary and general. First,
we consider the discrete twirling. For n-bit sequences $x = (x_1, \ldots, x_n)$ and $z = (z_1, \ldots, z_n)$,
define the unitary matrix $U(x, z) := (X^{x_1} \otimes X^{x_2} \otimes \cdots \otimes X^{x_n})(Z^{z_1} \otimes Z^{z_2} \otimes \cdots \otimes Z^{z_n})$, where X
is the bit flip operator and Z the phase flip operator. Then, the discrete twirling of $\Lambda$ is defined
as $\Lambda := \sum_{z} 2^{-2n} \Lambda_z$, where $z = (x, z)$ and $\Lambda_{x,z}(\rho) := U(x, z)\,\Lambda\!\left(U(x, z)\rho U(x, z)^{\dagger}\right)U(x, z)^{\dagger}$. In
this paper, we treat the phase error and the bit error of the channel $\Lambda$ for the following reason.
Now, we denote the final state and the ideal state with the public information y by
$\rho_{A,E'|y}(\Lambda)$ and $\rho_{\mathrm{Ideal}|y}(\Lambda)$ when the channel between Alice and Bob is $\Lambda$. Hence, our security
criterion is $\sum_{y} P_{\mathrm{pub}}(y)\|\rho_{A,E'|y}(\Lambda) - \rho_{\mathrm{Ideal}|y}(\Lambda)\|_1$. Indeed, the distribution $P_{\mathrm{pub}}(y)$ depends on
the channel $\Lambda$ in general; however, it does not change even if the channel is replaced by
$\Lambda_z$ because the initial random variable is uniform and the hash function and error correction
are linear. Also for the same reason, we have
$\|\rho_{A,E'|y}(\Lambda) - \rho_{\mathrm{Ideal}|y}(\Lambda)\|_1 = \|\rho_{A,E'|y}(\Lambda_z) - \rho_{\mathrm{Ideal}|y}(\Lambda_z)\|_1$.
The states $\sum_{z} 2^{-2n} \rho_{A,E'|y}(\Lambda_z) \otimes |z\rangle\langle z|$ and $\sum_{z} 2^{-2n} \rho_{\mathrm{Ideal}|y}(\Lambda_z) \otimes |z\rangle\langle z|$ can be
regarded as the states $\rho_{A,E'|y}(\Lambda)$ and $\rho_{\mathrm{Ideal}|y}(\Lambda)$ because the classical information z can be treated
as a part of Eve’s system with the channel $\Lambda$. Hence,
$$\begin{aligned}
\sum_{y} P_{\mathrm{pub}}(y)\,\|\rho_{A,E'|y}(\Lambda) - \rho_{\mathrm{Ideal}|y}(\Lambda)\|_1
&= \sum_{z} 2^{-2n} \sum_{y} P_{\mathrm{pub}}(y)\,\|\rho_{A,E'|y}(\Lambda_z) \otimes |z\rangle\langle z| - \rho_{\mathrm{Ideal}|y}(\Lambda_z) \otimes |z\rangle\langle z|\|_1 \\
&= \sum_{y} P_{\mathrm{pub}}(y)\,\Big\|\sum_{z} 2^{-2n} \rho_{A,E'|y}(\Lambda_z) \otimes |z\rangle\langle z| - \sum_{z} 2^{-2n} \rho_{\mathrm{Ideal}|y}(\Lambda_z) \otimes |z\rangle\langle z|\Big\|_1 \\
&= \sum_{y} P_{\mathrm{pub}}(y)\,\|\rho_{A,E'|y}(\Lambda) - \rho_{\mathrm{Ideal}|y}(\Lambda)\|_1 .
\end{aligned}$$
Therefore, it is enough to consider the case when the channel is $\Lambda$ even if the channel $\Lambda$ used is
not a Pauli channel.
Now, we define $\rho_{A,E',Z|m}(\Lambda) := \sum_{z} 2^{-2n} \rho_{A,E'|m}(\Lambda_z) \otimes |z\rangle\langle z|$. Since the average of the
output state of the channel $\Lambda_z$ coincides with that of the channel $\Lambda$, the composite system
$E'$ and Z of the state $\rho_{A,E',Z|m}(\Lambda)$ is included in the system $E'$ of the state $\rho_{A,E'|m}(\Lambda)$. This fact
implies that $I_{\rho_{A,E',Z|m}(\Lambda)}(A : E', Z) \le I_{\rho_{A,E'|m}(\Lambda)}(A : E')$. Using these relations, we obtain
$$\begin{aligned}
\sum_{m} P_{\mathrm{len}}(m)\, I_{\rho_{A,E'|m}(\Lambda)}(A : E')
&= \sum_{z} 2^{-2n} \sum_{m} P_{\mathrm{len}}(m)\, I_{\rho_{A,E'|m}(\Lambda_z)}(A : E') \\
&= \sum_{m} P_{\mathrm{len}}(m)\, I_{\rho_{A,E',Z|m}(\Lambda)}(A : E', Z) \\
&\le \sum_{m} P_{\mathrm{len}}(m)\, I_{\rho_{A,E'|m}(\Lambda)}(A : E').
\end{aligned}$$
Therefore, again, it is enough to consider the case when the channel is $\Lambda$ even if the used channel
$\Lambda$ is not a Pauli channel.
Appendix B. Proof of lemma 1
In order to prove this lemma, we introduce several new lemmas. In the first part, i.e., section B.1,
we derive exact upper bounds on $P_{\mathrm{hg}}(c|k)$ given in terms of l or s(ε). Then in section B.2 we
show that those upper bounds can also be bounded by $\varepsilon = \Phi^{-1}(s(\varepsilon))$. Finally, in section B.3,
using the obtained results, we prove lemma 1.
B.1. Upper bounds on sums of Phg (c|k)
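Lemma 2. If $l \le n$ and $\frac{1}{n+l} \le \frac{k}{n+l} \le \frac{1}{2}$,
$$\sum_{i=0}^{c} P_{\mathrm{hg}}(i|k) \le D_{n,l,k}(c), \tag{B.1}$$
where
$$D_{n,l,k}(c) := \sqrt{\frac{n(n+l-k)k}{(n+l)(n-k+c)(k-c)}}\; e^{\mu}\, 2^{\,n h\left(\frac{k-c}{n}\right) - (n+l) h\left(\frac{k}{n+l}\right) + l h\left(\frac{c}{l}\right)}, \tag{B.2}$$
$$\mu := \frac{1}{6n} + \frac{1}{12}. \tag{B.3}$$
Proof. By using Stirling’s formula
$$n! = \sqrt{2\pi n}\left(\frac{n}{e}\right)^{n} e^{\lambda_n} \quad \text{with} \quad \frac{1}{12n+1} < \lambda_n < \frac{1}{12n}, \tag{B.4}$$
we have
$$\frac{\binom{n}{k-c}}{\binom{n+l}{k}} = \sqrt{\frac{n(n+l-k)k}{(n+l)(n-k+c)(k-c)}}\; e^{\mu'}\, 2^{\,n h\left(\frac{k-c}{n}\right) - (n+l) h\left(\frac{k}{n+l}\right)}, \tag{B.5}$$
where
$$\mu' := \lambda_n - \lambda_{n-k+c} - \lambda_{k-c} - \lambda_{n+l} + \lambda_{n+l-k} + \lambda_k < \lambda_n + \lambda_{n+l-k} + \lambda_k < \frac{1}{6n} + \frac{1}{12}$$
for $\frac{1}{n+l} \le \frac{k}{n+l} \le \frac{1}{2}$ and $l \le n$. Combining (B.5) with $\sum_{i=0}^{c} \binom{l}{i} \le 2^{l h\left(\frac{c}{l}\right)}$ (see, e.g., lemma 4.2.2
of [31]), we obtain (B.1). □
Lemma 3. For $l \le n$, $c \le \bar c(k)$ and $\frac{k}{n+l} < \frac{1}{2}$,
$$n h\!\left(\frac{k-c}{n}\right) - (n+l) h\!\left(\frac{k}{n+l}\right) + l h\!\left(\frac{c}{l}\right) \le -\frac{1}{2\ln 2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}. \tag{B.6}$$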
Proof. Since $h'''(x)$ decreases monotonically, we have
$$h(x) \le h(x_0) + h'(x_0)(x - x_0) + \frac{1}{2}h''(x_0)(x - x_0)^2 + \frac{1}{6}h'''(x_0)(x - x_0)^3. \tag{B.7}$$
(Let $\tilde h(x)$ be the lhs minus the rhs. It is easy to verify that $\tilde h(x_0) = \tilde h'(x_0) = \tilde h''(x_0) = \tilde h'''(x_0) = 0$
and that $\tilde h'''(x) = h'''(x) - h'''(x_0)$ is a decreasing function. Then by integrating $\tilde h'''(x)$ three
times, one can show that $\tilde h(x) \le 0$.) Applying inequality (B.7) for $x_0 = \frac{k}{n+l}$ and $x = \frac{k-c}{n}$, and
also for $x = \frac{c}{l}$, we have
$$n h\!\left(\frac{k-c}{n}\right) - (n+l) h\!\left(\frac{k}{n+l}\right) + l h\!\left(\frac{c}{l}\right) \le \frac{1}{2} h''\!\left(\frac{k}{n+l}\right)\frac{n+l}{nl}\,(c - \bar c(k))^2 + \frac{1}{6} h'''\!\left(\frac{k}{n+l}\right)\left(\frac{1}{n^2} - \frac{1}{l^2}\right)(\bar c(k) - c)^3. \tag{B.8}$$
Since $h'''\!\left(\frac{k}{n+l}\right)$, $\bar c(k) - c$, and $n - l$ are all non-negative by the conditions stated in the lemma,
the second term on the rhs is non-positive. Then by noting
$$\frac{n+l}{nl}\, h''\!\left(\frac{k}{n+l}\right) = -\frac{1}{(\ln 2)\,\sigma(k)^2}\,\frac{n+l}{n+l-1} \le -\frac{1}{(\ln 2)\,\sigma(k)^2},$$
we have inequality (B.6). □
Lemma 4. If $c \le \bar c(k)$, we have
$$\sqrt{\frac{n(n+l-k)k}{(n+l)(n-k+c)(k-c)}} \le \sqrt{\frac{n+l}{n}}. \tag{B.9}$$
Proof. Let
$$C(n, l, k, c) := \frac{n^2(n+l-k)k}{(n+l)^2(n-k+c)(k-c)}.$$
Then it suffices to show that $C \le 1$ for $0 \le c \le \bar c(k)$.
The function $f(k, c) := (n-k+c)(k-c)$ inside the square root is a concave parabola
with its vertex at $c = k - \frac{n}{2}$. This means that $f(k, c) \ge \min\{f(k, \bar c(k)), f(k, 0)\}$, and thus
$C(n, l, k, c) \le \max\{C(n, l, k, \bar c(k)), C(n, l, k, 0)\}$. Then it is straightforward to verify that
$C(n, l, k, \bar c(k)) = 1$ and $C(n, l, k, 0) \le 1$. □
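Lemma 5. If $l \le n$, $1 \le k$, $c \le \bar c(k)$ and $\frac{k}{n+l} \le \frac{1}{2}$, we have
$$\sum_{i=0}^{c} P_{\mathrm{hg}}(i|k) \le \sqrt{\frac{n+l}{n}}\; e^{\mu} \exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right]. \tag{B.10}$$
Proof. Combine lemmas 2–4. □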
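Lemma 6. If $0 \le t$, $\bar c(k) - lt \le l/2$ and $\frac{k}{n+l} \le \frac{1}{2}$,
$$\sum_{c=0}^{\bar c(k) - lt} P_{\mathrm{hg}}(c|k) \le \exp\!\left(\frac{l t^2}{2}\, h''\!\left(\frac{k}{n+l}\right)\right). \tag{B.11}$$
Proof. According to [17],
$$\sum_{i=0}^{\bar c(k) - lt} P_{\mathrm{hg}}(i|k) \le \left(\left(\frac{p}{p-t}\right)^{p-t}\left(\frac{1-p}{1-(p-t)}\right)^{1-(p-t)}\right)^{l} = 2^{\,l\left[h(p-t) - h(p) + t h'(p)\right]}, \tag{B.12}$$
where $p = \frac{\bar c(k)}{l} = \frac{k}{n+l}$. Since $h''(x)$ increases monotonically for $p - t \le x \le p \le 1/2$, we have
$$h(p-t) \le h(p) + (-t)h'(p) + \frac{(-t)^2}{2}\, h''(p).$$
That is,
$$l\left[h(p-t) - h(p) + t h'(p)\right] \le \frac{l t^2}{2}\, h''(p).$$
□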
B.2. Upper and lower bounds on $\Phi(x)$
Lemma 7. The normal distribution function, defined in (22), is bounded as
$$\frac{\sqrt{2}}{\sqrt{x^2 + 2\pi}}\; e^{-x^2/2} \le \Phi(x) \le \frac{\sqrt{2}}{x}\; e^{-x^2/2}. \tag{B.13}$$
Proof. According to [16], the function $\Phi(x)$ satisfies
$$\tilde g_{\pi}(x)\, e^{-x^2/2} \le \Phi(x) \le \tilde g_{4}(x)\, e^{-x^2/2}, \tag{B.14}$$
where
$$\tilde g_{k}(x) := \frac{\sqrt{2}\,k}{(k-1)x + \sqrt{x^2 + 2k}}. \tag{B.15}$$
Then it is straightforward to show that for $k, x > 0$,
$$\frac{\sqrt{2}}{\sqrt{x^2 + 2k}} \le \tilde g_{k}(x) \le \frac{\sqrt{2}}{x}. \tag{B.16}$$
Combining (B.14) and (B.16), we obtain the lemma. □
Lemma 8. If $\varepsilon = \Phi(s)$, and $2 \le s$,
$$e^{-s^2} \le \frac{\varepsilon}{2}. \tag{B.17}$$
Proof. From lemma 7,
$$e^{-s^2} \le e^{-s^2/2}\,\frac{\sqrt{s^2 + 2\pi}}{\sqrt{2}}\,\Phi(s) = \sqrt{\frac{(s^2 + 2\pi)\,e^{-s^2}}{2}}\;\varepsilon.$$
Then by noting $\frac{(s^2 + 2\pi)\,e^{-s^2}}{2} \le \frac{1}{4}$ for $2 \le s$, we obtain the lemma. □
B.3. Proof of lemma 1
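If $k/(n+l) \le \frac{1}{2}$, by combining lemmas 5 and 7, we obtain
$$\sum_{c=0}^{\lfloor \bar c - s\sigma \rfloor} P_{\mathrm{hg}}(i|k) \le \sqrt{\frac{n+l}{n}}\,\sqrt{\frac{s^2 + 2\pi}{2}}\; e^{\mu}\,\varepsilon.$$
On the other hand, if $k/(n+l) > \frac{1}{2}$, by lemma 6, we have
$$\sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|k) \le \sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|(n+l)/2) \le \exp\!\left(\frac{(1/2 - 0.12)^2\, l}{2}\, h''(1/2)\right) \le e^{-\frac{2}{5} l} \le e^{-\frac{s^2}{2}}. \tag{B.18}$$
Then by using lemma 7, we have
$$\sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(i|k) < e^{-\frac{1}{2}s^2} \le \sqrt{\frac{s^2 + 2\pi}{2}}\;\varepsilon. \tag{B.19}$$
Appendix C. Proof of theorem 1
C.1. Proof of Case 1
Since $p_{\mathrm{sft}}(k, c) = \frac{k-c}{n} \le \frac{k}{n} \le \frac{c_{\min}}{l} = p_{\mathrm{smp}}(c_{\min})$, we have for arbitrary $c \in [0, l]$,
$$\begin{aligned}
g(k, c) &= n h\!\left(p_{\mathrm{sft}}(k, c)\right) - n h\!\left(\hat p_{\mathrm{sft},\varepsilon}(\max\{c+2, c_{\min}\})\right) - D \\
&\le n h\!\left(p_{\mathrm{smp}}(c_{\min})\right) - n h\!\left(\hat p_{\mathrm{sft},\varepsilon}(c_{\min})\right) - D.
\end{aligned}$$
Further, from the concavity of h(x) and from the monotonicity of $h'(x)$,
$$\begin{aligned}
g(k, c) &\le n h'\!\left(\hat p_{\mathrm{sft},\varepsilon}(c_{\min})\right)\left(p_{\mathrm{smp}}(c_{\min}) - \hat p_{\mathrm{sft},\varepsilon}(c_{\min})\right) \\
&\le n h'\!\left(\hat p_{\mathrm{sft},\varepsilon}(c_{\max})\right)\left(p_{\mathrm{smp}}(c_{\min}) - \hat p_{\mathrm{sft},\varepsilon}(c_{\min})\right).
\end{aligned}$$
Then by using equation (28) and by noting that $\left(p_{\mathrm{smp}} - \hat p_{\varepsilon}\right)^2 = 4\gamma\,\hat p_{\varepsilon}(1 - \hat p_{\varepsilon})$ (see below
equation (26)),
$$\begin{aligned}
g(k, c) &\le -(n+l)\, h'\!\left(\hat p_{\mathrm{sft},\varepsilon}(c_{\max})\right)\left(\hat p_{\varepsilon}(c_{\min}) - p_{\mathrm{smp}}(c_{\min})\right) - D \\
&= -(n+l)\, h'\!\left(\hat p_{\mathrm{sft},\varepsilon}(c_{\max})\right)\sqrt{4\gamma\,\hat p_{\varepsilon}(c_{\min})\left(1 - \hat p_{\varepsilon}(c_{\min})\right)} - D \\
&= -(1 + 4\gamma)\, s(\varepsilon)\,\beta\,\sigma\!\left((n+l)\,\hat p_{\varepsilon}(c_{\min})\right) - D \\
&\le -\frac{\xi_{\min,\varepsilon}\, s(\varepsilon)^2}{\ln 2} - D.
\end{aligned}$$
The last inequality follows by noting that $n c_{\min}/l \le (n+l)\,\hat p_{\varepsilon}(c_{\min}) \le (n+l)\,\hat p_{\varepsilon}(c_{\max})$, and thus
$-\sigma\!\left((n+l)\,\hat p_{\varepsilon}(c_{\max})\right) \le -\sigma(n c_{\min}/l)$. Then by using lemma 8, we have for $1 < \xi_{\min,\varepsilon}$ and D = 1,
$$S_{\mathrm{pa}}(k, c) \le 2^{[g(k,c)]_{-} + 1} \le 2\, e^{-\xi_{\min,\varepsilon}\, s(\varepsilon)^2} < \varepsilon.$$
□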
C.2. Proof of Case 2
This part is immediate from the following lemma.
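Lemma 9. Suppose that $1 \le l \le n$, $4\gamma \le 1$. Then, for any integer k, any real number ε > 0 and
any $c \in [\bar c(k) - s(\varepsilon)\sigma(k),\, c_{\max}]$, we have
$$g(k, c) \le -\beta\left(c - (\bar c(k) - s(\varepsilon)\sigma(k)) + 1\right) - D, \tag{C.1}$$
with β defined in (39).
Proof. With h(x) being concave, and with $\hat p_{\mathrm{sft},\varepsilon}(c)$ increasing monotonically,
$$\begin{aligned}
g(k, c) &\le -n h'\!\left(\hat p_{\mathrm{sft},\varepsilon}(c+2)\right)\left(\hat p_{\mathrm{sft},\varepsilon}(c+2) - p_{\mathrm{sft}}(k, c)\right) - D \\
&\le -n h'\!\left(\hat p_{\mathrm{sft},\varepsilon}(c_{\max}+2)\right)\left(\hat p_{\mathrm{sft},\varepsilon}(c+2) - p_{\mathrm{sft}}(k, c)\right) - D.
\end{aligned}$$
The quantity $\hat p_{\mathrm{sft},\varepsilon}(c+2) - p_{\mathrm{sft}}(k, c)$ on the rhs can be bounded as follows. First note that
$\hat p_{\mathrm{sft},\varepsilon}(\bar c - s\sigma) - p_{\mathrm{sft}}(k, \bar c - s\sigma) = 0$ by the definition of $\hat p_{\mathrm{sft},\varepsilon}(c)$, given in (27) and (28). Also
by the definition of $\hat p_{\mathrm{sft},\varepsilon}(c)$, we have that $\frac{d\hat p_{\mathrm{sft},\varepsilon}}{dc} \ge \frac{1}{1+4\gamma}\frac{n+l}{nl} - \frac{1}{n}$, and that $\frac{\partial p_{\mathrm{sft}}}{\partial c} = -\frac{1}{n}$ by the
definition of $p_{\mathrm{sft}}(k, c)$; hence $\frac{\partial}{\partial c}\left(\hat p_{\mathrm{sft},\varepsilon} - p_{\mathrm{sft}}\right) \ge \frac{1}{1+4\gamma}\frac{n+l}{nl}$. Thus
$\hat p_{\mathrm{sft},\varepsilon}(\bar c - s\sigma + 2) - p_{\mathrm{sft}}(k, \bar c - s\sigma + 2) \ge \frac{2}{1+4\gamma}\frac{n+l}{nl}$. Then for $\bar c(k) - s(\varepsilon)\sigma(k) \le c$, we have
$$\hat p_{\mathrm{sft},\varepsilon}(c+2) - p_{\mathrm{sft}}(k, c) \tag{C.2}$$
$$= \left(\hat p_{\mathrm{sft},\varepsilon}(c+2) - p_{\mathrm{sft}}(k, c+2)\right) + \left(p_{\mathrm{sft}}(k, c+2) - p_{\mathrm{sft}}(k, c)\right) \tag{C.3}$$
$$\ge \frac{1}{1+4\gamma}\,\frac{n+l}{nl}\left(c - (\bar c - s\sigma) + 2\right) - \frac{2}{n} \tag{C.4}$$
$$\ge \frac{1}{1+4\gamma}\,\frac{n+l}{nl}\left(c - (\bar c - s\sigma) + 1\right). \tag{C.5}$$
□
Plugging this upper bound on g(k, c) (for D = 1) into $S_{\mathrm{pa}}(k, c)$ (given in (16) and (17)),
we obtain Case 2 of theorem 1.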
Appendix D. Proof of theorem 3
Next we prove theorem 3 starting from theorem 1. In the following, s(ε) is simplified to s.
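Under the conditions of Case 1 of theorem 1, inequality (37) holds independently of the
normal approximation, and thus we readily see that (52) holds.
Lemma 10. If $1 \le l \le n$, $1 \le k$, $c \le \bar c(k)$ and $\frac{k}{n+l} \le 1/2$, we have
$$P_{\mathrm{hg}}(c|k) \le \frac{e^{\mu+\nu}}{\sqrt{2\pi}\,\sigma\!\left((n+l)c/l\right)} \exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right], \tag{D.1}$$
with µ defined in (B.3), and
$$\nu := \frac{1}{12l} + \frac{1}{2(n+l-1)}. \tag{D.2}$$
Proof. By using Stirling’s formula (B.4), we have
$$\binom{l}{c} \le \sqrt{\frac{n}{n+l-1}}\;\frac{1}{\sqrt{2\pi}\,\sigma\!\left((n+l)c/l\right)}\; e^{\nu'}\, 2^{\,l h(c/l)}, \tag{D.3}$$
where
$$\nu' = \lambda_l - \lambda_{l-c} - \lambda_c \le \lambda_l < \frac{1}{12l}. \tag{D.4}$$
Then, by combining inequality (D.3) with (B.5) and (B.6) and by using lemma 4, we obtain
$$P_{\mathrm{hg}}(c|k) \le \frac{e^{\mu + \frac{1}{12l}}}{\sqrt{2\pi}\,\sigma\!\left((n+l)c/l\right)}\,\sqrt{1 + \frac{1}{n+l-1}}\;\exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right].$$
Then by noting
$$\sqrt{1 + \frac{1}{n+l-1}} \le \sqrt{\exp\!\left(\frac{1}{n+l-1}\right)} = \exp\!\left(\frac{1}{2(n+l-1)}\right),$$
we obtain the lemma. □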
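Lemma 11. If $l \le n$, $1 \le c_{\min}$, $n c_{\min}/l \le k$, $\bar c(k) - s\sigma(k) \le c \le \bar c(k)$ and $\frac{k}{n+l} \le 1/2$, we have
$$P_{\mathrm{hg}}(c|k) \le \frac{e^{\mu+\nu}}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}\;\frac{1}{\sqrt{2\pi}\,\sigma(k)}\;\exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right], \tag{D.5}$$
with µ, ν defined in (B.3), (D.2).
Proof. From the definition of σ(k), we have
$$\frac{\sigma(k)}{\sigma\!\left(k(1 - s\sigma(k)/\bar c(k))\right)} \le \frac{1}{\sqrt{1 - s\sigma(k)/\bar c(k)}}.$$
By noting that $n c_{\min}/l \le k$, we have
$$\begin{aligned}
\frac{\sigma(k)}{\bar c(k)} &= \sqrt{\frac{n}{l(n+l-1)}\left(\frac{n+l}{k} - 1\right)} \\
&\le \sqrt{\frac{n}{l(n+l-1)}\left(\frac{l(n+l)}{n c_{\min}} - 1\right)} \\
&= \sqrt{\frac{n}{l(n+l-1)}\,\frac{l(n+l) - n c_{\min}}{n c_{\min}}} \\
&\le \sqrt{\frac{n}{l(n+l-1)}\,\frac{l(n+l-1)}{n c_{\min}}} \\
&\le \frac{1}{\sqrt{c_{\min}}}.
\end{aligned}$$
Hence $1 - \frac{s\sigma(k)}{\bar c(k)} \ge 1 - \frac{s}{\sqrt{c_{\min}}}$. The assumption yields that $(n+l)c/l \ge k(1 - s\sigma(k)/\bar c(k))$, which
implies that
$$\frac{\sigma(k)}{\sigma\!\left((n+l)c/l\right)} \le \frac{\sigma(k)}{\sigma\!\left(k(1 - s\sigma(k)/\bar c(k))\right)} \le \frac{1}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}.$$
Combining this inequality with lemma 10, we obtain lemma 11. □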
D.1. Proof of Case 2
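If $\frac{k}{n+l} > \frac{1}{2}$, this case can be proved by exactly the same argument as in B.3 (Note here that the
condition $s^2 \le c_{\min} \le c_{\max} \le 0.12l$, appearing in theorem 3, implies that $\frac{5}{4}s^2 \le l$.) Hence in this
subsection, we assume that $\frac{k}{n+l} < \frac{1}{2}$. We also assume that $1 \le k$, because the case k = 0 is already
considered in Case 1 of theorem 1.
First we divide the rhs of (40) into three parts,
$$\sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, S_{\mathrm{pa}}(k, c) \le \sum_{c=0}^{\lfloor \bar c(k) - s\sigma(k) \rfloor} P_{\mathrm{hg}}(c|k) + \sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{\lfloor \bar c(k) \rfloor - 1} P_{\mathrm{hg}}(c|k)\, S_{\mathrm{pa}}(k, c) + \sum_{c=\lfloor \bar c(k) \rfloor}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, S_{\mathrm{pa}}(k, c). \tag{D.6}$$
The first term on the rhs can be bounded from above by lemma 1. The second term can be
bounded as
$$\begin{aligned}
\sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{\lfloor \bar c(k) \rfloor - 1} P_{\mathrm{hg}}(c|k)\, S_{\mathrm{pa}}(k, c)
&\le \sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{\lfloor \bar c(k) \rfloor - 1} P_{\mathrm{hg}}(c|k)\, 2^{-\beta\left(c - (\bar c(k) - s\sigma(k)) + 1\right)} \\
&\le \frac{e^{\mu+\nu}}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}\;\frac{1}{\sqrt{2\pi}\,\sigma(k)} \sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{\lfloor \bar c(k) \rfloor - 1} \exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right] 2^{-\beta\left(c - (\bar c(k) - s\sigma(k)) + 1\right)} \\
&\le \frac{e^{\mu+\nu}}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}\;\frac{1}{\sqrt{2\pi}} \int_{-s}^{\infty} dx\; e^{-x^2/2}\, 2^{-\beta\sigma(k)(x+s)} \\
&\le \frac{e^{\mu+\nu}}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}\; I_2\!\left(\xi_{\varepsilon}(k)\right).
\end{aligned}$$
Then $I_2(\xi_{\varepsilon}(k))$ appearing in the last line can be bounded by inequality (47). (Note that the
argument in the paragraph of inequality (47) does not rely on the normal approximation.)
The third summation on the rhs of (D.6) can be bounded as
$$\sum_{c=\lfloor \bar c(k) \rfloor}^{c_{\max}+1} P_{\mathrm{hg}}(c|k)\, 2^{-\beta\left(c - (\bar c(k) - s\sigma(k)) + 1\right)} \le \sum_{c=\lfloor \bar c(k) \rfloor}^{c_{\max}+1} P_{\mathrm{hg}}(c|k)\, 2^{-\beta\left(c - (\bar c(k) - s\sigma(k)) + 1\right)} \le 2^{-\beta\sigma(k)s} \le e^{-\xi_{\varepsilon}(k)s^2} \le \varepsilon^{\xi_{\varepsilon}(k)} \le \varepsilon^{2}.$$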
Appendix E. Proof of theorem 4
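First, we fix arbitrary ε′ > ε. Since the function h(x) and its derivative h′(x) are uniformly
continuous in the range $[p_{\min}, p_{\max}]$,
there exists an integer N such that
$$\left\lceil n h\!\left(\hat p_{\mathrm{sft},\varepsilon'}(c+1)\right)\right\rceil + 1 \le \left\lceil n h\!\left(p_{\mathrm{smp}}(c)\right) + \sqrt{n}\, h'\!\left(p_{\mathrm{smp}}(c)\right)\sqrt{\frac{p_{\mathrm{smp}}(c)\left(1 - p_{\mathrm{smp}}(c)\right)(1+t)}{4t}}\; s(\varepsilon)\right\rceil$$
for n > N and l > tn. Using
theorem 1 of [32], we can choose constants $C_1$ and $C_2$ such that
$$P_{\mathrm{hg}}(c|k) \le \frac{1}{\sqrt{2\pi}} \int_{\zeta_c}^{\zeta_{c+1}} e^{-x^2/2}\, dx + \frac{C_1(1 + \zeta_c^2)}{\sigma_{n,l}(k)} \exp(-C_2 \zeta_c^2).$$
Here note that the constants $C_1$ and $C_2$ are different from those defined in
theorem 1 of [32].
Using $C_3 := \int_{-\infty}^{\infty} C_1(1 + x^2)\exp(-C_2 x^2)$, we obtain
$$\sum_{c=0}^{n p_{\max}} \frac{C_1(1 + \zeta_c^2)}{\sigma_{n,l}(k)} \exp(-C_2 \zeta_c^2)\, \min\!\left\{2^{-\beta\left(c - (\bar c - s(\varepsilon)\sigma)\right)},\, 1\right\} \le \frac{C_3}{\sigma_{n,l}(k)}. \tag{E.1}$$
Hence, theorem 2 yields that
$$P_{\mathrm{ph},n,l} \le (1 + \delta'_n)\,\varepsilon' + \frac{C_3}{\min_{k:\, n p_{\min} \le k \le (n+l)\left(\hat p_{\mathrm{sft},\varepsilon'}(l p_{\max}+1)\right)} \sigma_{n,l}(k)}, \tag{E.2}$$
where $\delta'_n$ is the maximum of δ given in theorem 2 with the condition l > tn.
Since $\min_{l:\, l > tn}\, \min_{k:\, n p_{\min} \le k \le (n+l)\left(\hat p_{\mathrm{sft},\varepsilon'}(l p_{\max}+1)\right)} \sigma_{n,l}(k) \to \infty$ as $n \to \infty$, we obtain
$$\lim_{n \to \infty}\, \max_{l:\, l > tn}\, \frac{C_3}{\min_{k:\, n p_{\min} \le k \le (n+l)\left(\hat p_{\mathrm{sft},\varepsilon'}(l p_{\max}+1)\right)} \sigma_{n,l}(k)} = 0.$$
Also we can show that $\delta'_n \to 0$. Thus,
we obtain $\lim_{n \to \infty} \max_{l:\, l > tn} P_{\mathrm{ph},n,l} \le \varepsilon'$. Since ε′ is an arbitrary real number satisfying that
ε′ > ε. Hence, $\lim_{n \to \infty} \max_{l:\, l > tn} P_{\mathrm{ph},n,l} \le \varepsilon$. □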
References
[1] Mayers D 2001 J. ACM 48 351
[2] Hayashi M 2007 Phys. Rev. A 76 012329
Hayashi M 2009 Phys. Rev. A 79 019901
[3] Scarani V and Renner R 2008 Phys. Rev. Lett. 100 200501
[4] Sano Y, Matsumoto R and Uyematsu T 2010 J. Phys. A: Math. Theor. 43 495302
[5] Tomamichel M, Lim C C W, Gisin N and Renner R 2011 arXiv:1103.4130v1
[6] Maassen H and Uffink J B M 1988 Phys. Rev. Lett. 60 1103
[7] Renes J M and Boileau J-C 2009 Phys. Rev. Lett. 103 020402
[8] Bennett C H and Brassard G 1984 Proc. IEEE Int. Conf. on Computers Systems and Signal Processing
(Bangalore, India) (New York: IEEE) pp 175–9
[9] Tsurumaru T and Tamaki K 2008 Phys. Rev. A 78 032302
Beaudry N, Moroder T and Lütkenhaus N 2008 Phys. Rev. Lett. 101 093601
[10] Renner R 2005 Security of quantum key distribution PhD Thesis Dipl. Phys. ETH Switzerland (arXiv:quant-ph/0512258)
[11] Renner R and König R 2005 Universally composable privacy amplification against quantum adversaries TCC:
Theory of Cryptography: 2nd Theory of Cryptography Conference, Lecture Notes in Computer Science
vol 3378 ed J Kilian (Berlin: Springer) pp 407–25
[12] Lo H-K and Chau H F 1999 Science 283 2050
Shor P W and Preskill J 2000 Phys. Rev. Lett. 85 441
[13] Strassen V 1962 Asymptotische Abschätzungen in Shannon’s Informationstheorie Trans. 3rd Prague Conf. on
Information Theory etc (Prague: Czechoslovak Academy of Sciences) pp 689–723
[14] Hayashi M 2009 Information spectrum approach to second-order coding rate in channel coding IEEE Trans.
Inform. Theory 55 4947–66
[15] Polyanskiy Y, Poor H V and Verdú S 2010 Channel coding rate in the finite blocklength regime IEEE Trans.
Inform. Theory 56 2307–59
[16] Ruskai M B and Werner E 1997 eprint arXiv:math/9711207
[17] Chvátal V 1979 Discrete Math. 25 285
[18] Koashi M 2009 New J. Phys. 11 045018 (arXiv:quant-ph/0505108)
[19] Tsurumaru T and Hayashi M 2011 arXiv:1101.0064v3 [quant-ph]
[20] Asai T and Tsurumaru T 2011 Efficient privacy amplification algorithms for quantum key distribution IEICE
Technical Report ISEC2010-121 (in Japanese)
[21] Golub G H and Van Loan C F 1996 Matrix Computation 3rd edn (Baltimore, MD: Johns Hopkins University
Press)
[22] Ben-Or M, Horodecki M, Leung D W, Mayers D and Oppenheim J 2005 The universal composable security of
quantum key distribution Theory of Cryptography: 2nd Theory of Cryptography Conf., TCC 2005 (Lecture
Notes in Computer Science vol 3378) ed J Kilian (Berlin: Springer) pp 386–406
[23] Watanabe S, Matsumoto R, Uyematsu T and Kawano Y 2007 Phys. Rev. A 76 032312
[24] Hayashi M 2006 Phys. Rev. A 74 022307
[25] Watanabe S, Matsumoto R and Uyematsu T 2006 Int. J. Quantum Inform. 4 935–46
[26] Håstad J, Impagliazzo R, Levin L A and Luby M 1999 A pseudorandom generator from any one-way function
SIAM J. Comput. 28 1364
[27] Bennett C H, Brassard G, Crepeau C and Maurer U M 1995 Generalized privacy amplification IEEE Trans.
Inform. Theory 41 1915–23
[28] Fung C-H F, Ma X and Chau H F 2010 Phys. Rev. A 81 012318
[29] Hoel P G 1969 Elementary Statistics 4th edn (New York: Wiley)
[30] Hwang W-Y 2003 Phys. Rev. Lett. 91 057901
Lo H-K, Ma X and Chen K 2005 Phys. Rev. Lett. 94 230504
Wang X-B 2005 Phys. Rev. Lett. 94 230503
[31] Justesen J and Hoholdt T 2004 Course in Error Correcting Codes (Zurich: European Mathematical Society)
[32] Lahiri S N, Chatterjee A and Maiti T 2007 Normal approximation to the hypergeometric distribution in
nonstandard cases and a sub-Gaussian Berry–Esseen theorem J. Stat. Plan. Inference 137 3570–90
[33] Wyner A D 1975 The wire-tap channel Bell. Sys. Tech. J. 54 1355–87
[34] Csiszár I and Körner J 1979 Broadcast channels with confidential messages IEEE Trans. Inform. Theory
24 339–48
[35] Csiszár I 1996 Almost independence and secrecy capacity Problems Inform. Transm. 32 40–7