Concise and tight security analysis of the Bennett–Brassard 1984 protocol with finite key lengths

Masahito Hayashi (1,2) and Toyohiro Tsurumaru (3,4)

1 Graduate School of Mathematics, Nagoya University, Furocho, Chikusa-ku, Nagoya 464-860, Japan
2 Centre for Quantum Technologies, National University of Singapore, 3 Science Drive 2, Singapore 117542, Singapore
3 Mitsubishi Electric Corporation, Information Technology R&D Center, 5-1-1 Ofuna, Kamakura-shi, Kanagawa 247-8501, Japan
E-mail: Tsurumaru.Toyohiro@da.MitsubishiElectric.co.jp

New Journal of Physics 14 (2012) 093014 (39pp)
Received 31 May 2012
Published 11 September 2012
Online at http://www.njp.org/
doi:10.1088/1367-2630/14/9/093014

Abstract. We present a tight security analysis of the Bennett–Brassard 1984 protocol taking into account the finite-size effect of key distillation and achieving unconditional security. We begin by presenting a concise analysis utilizing the normal approximation of the hypergeometric function. Next we show that a similar tight bound can also be obtained by a rigorous argument without relying on any approximation. In particular, for the convenience of experimentalists who wish to evaluate the security of their quantum key distribution systems, we also give the explicit procedures of our key distillation and show how to calculate the secret key rate and the security parameter from a given set of experimental parameters. In addition to the exact values of key rates and security parameters, we also describe how to obtain their rough estimates using the normal approximation.
4 Author to whom any correspondence should be addressed.

Content from this work may be used under the terms of the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.

© IOP Publishing Ltd and Deutsche Physikalische Gesellschaft

Contents

1. Introduction
2. Description of our quantum key distribution (QKD) protocol
   2.1. Generation of a sifted key and sample bits
   2.2. Bit error correction
   2.3. Estimation of the number of phase errors in the channel
   2.4. Privacy amplification
3. Security criteria of the Bennett–Brassard (1984) protocol in the finite case
   3.1. The security of QKD with universal composability
   3.2. Decoding error probability of the virtual phase error correction
   3.3. Conditional quantum mutual information
   3.4. Conditional decoding error probability given $k$
4. Upper confidence limit on the phase error rate $p_{\mathrm{sft}}(k, c)$
5. Upper bounds on the decoding error probability $P_{\mathrm{ph}}$
   5.1. The straightforward upper bounds
   5.2. The upper bounds by the Gaussian integration
   5.3. Second order asymptotics
6. How to use the above formulae to evaluate the security of one’s QKD system
   6.1. Summary of our results
   6.2. How to use the straightforward upper bounds
   6.3. How to use the upper bounds by the Gaussian integration (how to use theorems 2 and 3)
   6.4. Rough estimate of the key rate and the security parameter
7. Numerical results
   7.1. Case 1: basis choice with probability $q = 1/2$
   7.2. Case 2: optimized basis choice with variable probability $q$
   7.3. Exact bounds versus approximate bounds
8. Summary
Acknowledgments
Appendix A. Justification for restricting the argument to the generalized Pauli channel
Appendix B. Proof of lemma 1
Appendix C. Proof of theorem 1
Appendix D. Proof of theorem 3
Appendix E. Proof of theorem 4
References

1. Introduction

The finite-size effect is an important issue in practical quantum key distribution (QKD) systems. Firstly, Mayers [1] bounded the security parameter roughly for general coherent attacks in the finite-size case. Next, using the normal approximation, Hayashi [2] analyzed it in depth for general coherent attacks in the finite-size case. Later, Scarani and Renner [3] gave a simple analysis based on the quantum de Finetti theorem, but their results are valid only against collective attacks. Matsumoto and Uyematsu also gave a simple analysis [4], but again, essentially valid only for collective attacks. Later, Tomamichel et al [5] gave a tighter bound with unconditional security by using the uncertainty relations (see, e.g., [6, 7]).

In this paper, we present a concise analysis of the Bennett–Brassard 1984 (BB84) protocol [8] that takes into account the finite key effect and yields better key generation rates, with and without relying on the normal approximation.
Our analysis is valid for general coherent attacks and thus our results guarantee the unconditional security.

For the sake of simplicity, we consider the case when the sender, Alice, has a perfect single photon source, and the receiver, Bob, has photon number resolving detectors. However, it should be noted here that our analysis can be applied without any change to the more practical cases when threshold detectors are used, by using the existence of squash operation proved in [9]. (On the other hand, if one wishes to remove the restriction on the photon source and use weak coherent pulses, our analysis has to be modified by taking into account decoy pulses [30]; this remains a topic for a future work.) We also assume that Alice and Bob calculate an upper bound on the phase error rate of a sifted key, from that of the corresponding sample bits; hence, the key generation rate can vary each time Alice and Bob run the protocol.

Throughout this paper we use the security criteria with universal composability; the same criteria as those used by many researchers, particularly by Renner and his coworkers [10, 11]. Hence, our main goal is to show that the trace distance between the actual and the ideal states can be bounded from above. However, in the mathematical analysis for obtaining upper bounds on the trace distance, we do not use Renner’s approach based on the smooth minimum entropy [10]. Instead, we bound the trace distance using the argument of Shor and Preskill [12], as well as its modification by Hayashi [2]. In section 3, by using these formalisms, we show that the trace distance can be bounded by using the decoding error probability $P_{\mathrm{ph}}$ of the virtual phase error correction; in other words, the universally composable security can be guaranteed by bounding $P_{\mathrm{ph}}$.
To the best of our knowledge, our argument here is the first rigorous treatment of the universally composable security based on the Shor–Preskill formalism, applicable to linear universal hash functions with variable final key lengths.

As we shall discuss at the end of section 3, in order to achieve high key generation rates and strong bounds on $P_{\mathrm{ph}}$ simultaneously, it is crucial to estimate the phase error rate $p_{\mathrm{sft}}$ of the sifted key with a high accuracy. Note here that the quantity $p_{\mathrm{sft}}$ cannot be measured directly in the BB84 protocol. Hence in section 4, we solve an interval estimation problem on $p_{\mathrm{sft}}$ using the hypergeometric distribution $P_{\mathrm{hg}}$. Then by using the obtained result, we give explicit bounds on $P_{\mathrm{ph}}$ in section 5. In particular, in order to clarify the argument, we present two versions of analysis: we first derive a simple bound that we call the straightforward bounds (propositions 1 and 2); and next we give a more complicated bound called the Gaussian bounds (theorems 2 and 3), which yield a better final key rate if the raw key is sufficiently large. For both types of bounds, we first present a simple analysis based on the normal approximation of the hypergeometric function (proposition 1 and theorem 2), and then show that a similar tight bound can also be obtained by a rigorous argument without relying on any approximation (proposition 2 and theorem 3).

Since this paper is aimed not only at theorists, but also at experimentalists who wish to evaluate the security of their QKD systems, we include explicit procedures of security evaluation. We begin in section 2 by explaining the explicit procedures of our key distillation. Then after theoretical arguments of the security, we demonstrate in section 6 how to use our theorems to calculate the secret key rate and the security parameter (i.e. an upper bound on the trace distance) from a given set of experimental parameters.
In addition to the exact values of key rates and security parameters, we also describe how to obtain their rough estimates using the normal approximation.

In order to show that our rates are indeed better than those in the existing literature, e.g. [3, 5], we draw in section 7 example curves of key generation rates (figures 1 and 2). There are several reasons for this improvement. Firstly, our upper bounds are close to the approximated value of the hypergeometric distribution obtained by the normal approximation, while the existing results [3, 5] did not discuss the closeness to the normal approximation. Secondly, in our method, the adversary’s information is estimated in terms of the Shannon entropy, whereas in [3, 5] they use the minimum entropy, which is a lower bound on the Shannon entropy. Finally, we use an error margin that depends on the measured error rate of sample bits, while in [3, 5] the authors use a constant margin that corresponds to the worst value of the error rate; hence, our analysis gives better key rates on average.

We also treat the sacrifice bit length with the second-order coding rate, which has drawn the attention of the information theory community [13–15]. The conventional asymptotic theory treats the coding length with the first-order coefficient. It is impossible to treat the approximation value of the best error probability with the first-order coefficient of the coding length. However, it becomes possible if we consider the coding length up to the second-order coefficient. In this paper, we derive an asymptotic approximation value of the upper bound of the universally composable security criterion when the sacrifice bit length is given as the form $n h(p_{\mathrm{smp}}) + \sqrt{n}\, g(p_{\mathrm{smp}})$ with the measured phase error rate, where a function $g(p_{\mathrm{smp}})$ of $p_{\mathrm{smp}}$ will be given with a concrete form in section 4 (theorem 4).

The differences from our previous papers are as follows.
In [2], Hayashi simply approximated the hypergeometric distribution by the normal distribution having the same variance, without showing its validity. In this paper, we present a rigorous analysis without relying on any approximation (proposition 2 and theorem 3), by using upper bounds on the hypergeometric distribution obtained from Stirling’s formula and inequalities proved in [16, 17]. As mentioned above, we included the first rigorous treatment of the universally composable security based on the Shor–Preskill formalism, applicable to linear universal hash functions with variable final key lengths.

2. Description of our quantum key distribution (QKD) protocol

We consider the following types of the BB84 protocol. This protocol differs from existing versions (e.g. [2–4]) only in the phase estimation and the privacy amplification (PA) steps.

2.1. Generation of a sifted key and sample bits

Alice and Bob start the protocol with a quantum communication and obtain a sifted key of $n$ bits and sample bits of $l$ bits. Here we assume that raw key bits are chosen from the uniform distribution. The sample bits must be selected randomly, and a sifted key and the sample bits must be measured in different bases.

For example, suppose that Alice and Bob exchange $N$ qubits, choosing the $x$ basis with probability $q$ and the $z$ basis with $1 - q$. Then, on average, $N q^2$ bits coincide in the $x$ basis, and $N (1 - q)^2$ in the $z$ basis. By assigning the $x$ basis for a sifted key and the $z$ basis for sample bits, they have $n = N q^2$, $l = N (1 - q)^2$ [footnote 5].

2.2. Bit error correction

Bob corrects bit errors in his sifted key using a linear error correcting code. For example, as in Shor–Preskill’s case [12], Alice may announce a random bit string XORed with her sifted key; or alternatively, as in Koashi’s case [18], she may send a syndrome of her sifted key encrypted with a previously shared secret key.
In either case, Alice and Bob end up with $n(1 - f h(p_{\mathrm{bit}}))$ bits of reconciled key $k_{\mathrm{rec}}$, with the bit error rate $p_{\mathrm{bit}}$ of a sifted key. Here $h(x)$ is the binary entropy function defined as $h(x) := -x \log_2 x - (1 - x) \log_2 (1 - x)$, and the value $f$ corresponds to the efficiency of the error correcting code used. For practical codes, $f \simeq 1.1$. It should be noted that here the sizes of bit error correcting codes are independent of the security, and thus Alice and Bob may perform bit error correction by dividing a sifted key $k_{\mathrm{sif}}$ of $n$ bits into arbitrarily smaller blocks.

In many cases, one needs to guarantee the correctness of the shared keys, that is, one has to minimize the probability cor that Alice’s and Bob’s secret keys do not match and the protocol does not abort. One way of minimizing cor is that Alice calculates an $r$-bit hash value of her reconciled key $k_{\mathrm{rec}}$ using universal$_2$ hash functions. Then she encrypts it with the one-time pad, using a previously shared secret key, and sends it to Bob. Bob also calculates his own hash value, and if it does not match Alice’s, they abort the protocol [footnote 6]. By doing this, we have cor $\le 2^{-r}$.

2.3. Estimation of the number of phase errors in the channel

In order to use PA properly and guarantee the security of a secret key, Alice and Bob need to know an upper bound on the number of phase errors occurring in the channel. It should be noted here that the phase error is a completely different concept from the bit error mentioned above (for details, see section 3). Since the phase error rate cannot be measured directly in practical QKD systems, we estimate its upper bound from the measured error rate of samples.

We denote the number of bit errors occurring in a sample by $c$, and the corresponding bit error rate by $p_{\mathrm{smp}}(c) := c/l$. We also call the union of a sifted key and the sample bits as total bits, and denote the number of their bit errors by $k$.
Hence the error rate of total bits is given by $p(k) := k/(n + l)$ and that of a sifted key by $p_{\mathrm{sft}}(k, c) = (k - c)/n$. Note here that measuring $c$ corresponds to randomly sampling phase errors in the total bits, because a sifted key and the samples are measured in different bases. Due to this fact, the measured value of $p_{\mathrm{smp}}(c)$ is used to estimate an upper bound on $p_{\mathrm{sft}}(k, c)$.

In the asymptotic limit $n, l \to \infty$, Alice and Bob may assume that $p_{\mathrm{sft}}(k, c) = p_{\mathrm{smp}}(c)$. In practical QKD systems however, the two values differ in general due to statistical fluctuations. Thus they obtain a statistically estimated upper bound of $p_{\mathrm{sft}}(k, c)$ as a function of the measured value $c$, which we denote by $\hat{p}_{\mathrm{sft}}(c)$. Throughout this paper, we make it a rule to denote an estimated upper bound of a random variable $v$ by $\hat{v}$. The explicit functional form of $\hat{p}_{\mathrm{sft},\varepsilon}(c)$ is discussed later, and is given in equation (28).

Footnote 5. In general, however, Alice and Bob may choose bases with different probabilities, and a sifted key and sample bits may be chosen with arbitrary proportions from the two bases.

Footnote 6. Another possibility is to continue the protocol by exchanging supplementary information, such as an additional syndrome, over the public channel, and try bit error correction again. In such a case, the supplementary information also needs to be encrypted with a formerly shared key.

2.4. Privacy amplification

The estimated phase error rate $\hat{p}_{\mathrm{sft}}(c)$ can be used to obtain an upper bound on the amount of information that is leaked to Eve. In order to cancel Eve’s information, Alice and Bob perform classical data processing called PA on the reconciled key $k_{\mathrm{rec}}$ to generate the secret key $k_{\mathrm{sec}}$; roughly speaking, PA randomizes and shrinks $k_{\mathrm{rec}}$ so that Eve’s information is canceled by the remaining fraction that is unknown to Eve.
The number of bits to be reduced in this process (sacrifice bits) is determined from $\hat{p}_{\mathrm{sft}}(c)$ in the following manner. We set two limits $c_{\min}$ and $c_{\max}$ ($c_{\min} \le c_{\max}$) on the sample bit error $c$, depending on which Alice and Bob change their procedures:

• If $c_{\max} < c$, Alice and Bob abort the protocol.
• If $c_{\min} \le c \le c_{\max}$, Alice and Bob generate a secret key as the hash value of their sifted key by using linear and surjective universal$_2$ hash functions. The number $\alpha(c)$ of sacrifice bits, i.e. the number of bits reduced in PA, is given by $\alpha(c) = \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c + 2)) \rceil + D$. Here $\lceil x \rceil$ denotes the smallest integer larger than or equal to $x$. Hence, as a result, they obtain a secret key $k_{\mathrm{sec}}$ of $G = n[1 - f h(p_{\mathrm{bit}})] - \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c + 2)) \rceil - D$ bits [footnote 7].
• If $c < c_{\min}$, Alice and Bob generate a secret key in the same way as above, except that they sacrifice $\alpha(c) = \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c_{\min} + 2)) \rceil + D$ bits for PA. As a result, they obtain a secret key $k_{\mathrm{sec}}$ of $G = n[1 - f h(p_{\mathrm{bit}})] - \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(c_{\min} + 2)) \rceil - D$ bits.

Alternatively, we can combine these three cases as follows: define the sacrificed bit length $\alpha(c)$ to be

$$\alpha(c) = \lceil n h(\hat{p}_{\mathrm{sft},\varepsilon}(\max[c, c_{\min}] + 2)) \rceil + D. \tag{1}$$

If $c \le c_{\max}$, Alice and Bob sacrifice $\alpha(c)$ bits for PA and obtain the final key of length

$$G(c) = n[1 - f h(p_{\mathrm{bit}})] - \alpha(c). \tag{2}$$

If $c > c_{\max}$, they abort the protocol.

In practice, the most efficient implementation of PA is to use the Toeplitz matrices: Alice and Bob select a bit-valued Toeplitz matrix $M$ randomly by communicating over the public channel, multiply it with a reconciled key $k_{\mathrm{rec}}$ modulo 2 and obtain the secret key $k_{\mathrm{sec}} = M k_{\mathrm{rec}}$ (for details, see, e.g., [10, 19, 20]). In this paper, we additionally require the surjectivity for all hash functions.
To the best of our knowledge, the most efficient implementation of linear and surjective universal$_2$ functions is by using the modified Toeplitz matrix, introduced in [2, 19]; in this case, we replace $M$ above by a concatenation $M' = (I, T)$ of the (square) identity matrix $I$ and a Toeplitz matrix $T$. Note that this modification $M'$ is slightly more efficient than $M$ above. Also note that unlike $M'$, the normal Toeplitz matrix $M$ gives a non-surjective map with a very small but non-zero probability; e.g. for $M$ being an all-zero or all-one matrix.

Footnote 7. Note that key length $G$ of (2) differs from the asymptotic case ($l, n \to \infty$) essentially only in the definition of phase error rate $\hat{p}_{\mathrm{sft},\varepsilon}(c + 2)$. Hence, the estimation of $\hat{p}_{\mathrm{sft},\varepsilon}(c + 2)$ is the key point of our finite-size analysis.

It should be noted here that, unlike in bit error correction, one is not allowed to perform PA by dividing $k_{\mathrm{rec}}$ and $k_{\mathrm{sec}}$ into smaller blocks, because doing so will destroy the universal$_2$ property of the (modified) Toeplitz matrix. Also note here that both the key lengths, $|k_{\mathrm{rec}}| = n[1 - f h(p_{\mathrm{bit}})]$ and $|k_{\mathrm{sec}}| = G$, are of order $O(n)$. If one applies a naive multiplication algorithm, the computational complexity (i.e. the processing time) increases as $O(n^2)$ (i.e. $O(n)$ per key) and thus becomes a severe bottleneck of the key distillation. This is in fact the most explicit impact of the finite-size effect on practical QKD systems.

One way around this problem is to use an efficient multiplication algorithm for a Toeplitz matrix and a vector exploiting the fast Fourier transform algorithm (see, e.g., [21]). The complexity of this efficient algorithm scales as $O(n \log n)$, or $O(\log n)$ per bit, which can be regarded as a constant in practice. An actual implementation shows that the throughput exceeds 1 Mbps for $|k_{\mathrm{rec}}| = 10^6$ on software, as demonstrated, e.g., in [20].
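The hashing step of section 2.4, as an added example that is not code from the paper: it computes $k_{\mathrm{sec}} = M' k_{\mathrm{rec}}$ modulo 2 for the modified Toeplitz matrix $M' = (I, T)$, once row by row and once as a single convolution. The convolution here uses Python's big-integer multiplication in place of the FFT the text cites, and the function names, the bit-list representation and the sample key are assumptions.

```python
import secrets


def random_seed(key_len, tail_len):
    """One random bit per diagonal of a key_len x tail_len Toeplitz matrix T."""
    return [secrets.randbits(1) for _ in range(key_len + tail_len - 1)]


def toeplitz_mul_naive(seed, x, rows):
    """y = T x mod 2 with T[i][j] = seed[i - j + len(x) - 1].

    Row-by-row evaluation, O(rows * len(x)) bit operations: the quadratic
    cost that section 2.4 identifies as the bottleneck.
    """
    m = len(x)
    return [sum(seed[i - j + m - 1] & x[j] for j in range(m)) & 1
            for i in range(rows)]


def _pack(bits, width):
    """Integer whose little-endian slots of `width` bytes hold one bit each."""
    buf = bytearray(len(bits) * width)
    buf[::width] = bytes(bits)
    return int.from_bytes(buf, "little")


def toeplitz_mul_fast(seed, x, rows):
    """Same product as toeplitz_mul_naive, computed as one convolution.

    T x is a slice of the convolution of seed and x. Packing both into
    integers with wide slots turns that convolution into a single integer
    product (Kronecker substitution); this stands in for the FFT-based
    multiplication mentioned in the text.
    """
    m = len(x)
    width = (m.bit_length() + 7) // 8      # a slot never overflows: counts <= m
    prod = _pack(seed, width) * _pack(x, width)
    raw = prod.to_bytes((len(seed) + m) * width, "little")
    # Slot t holds sum_j seed[t - j] * x[j]; row i of T x is slot i + m - 1,
    # and only its parity is needed.
    return [raw[(i + m - 1) * width] & 1 for i in range(rows)]


def privacy_amplify(k_rec, key_len, seed, mul=toeplitz_mul_fast):
    """k_sec = (I, T) k_rec mod 2, applied to the whole reconciled key at once.

    The identity block passes the first key_len bits through, so the map is
    surjective for every seed; the Toeplitz block mixes in the remaining
    len(k_rec) - key_len sacrificed bits.
    """
    if not 0 < key_len < len(k_rec):
        raise ValueError("key_len must be between 1 and len(k_rec) - 1")
    head, tail = k_rec[:key_len], k_rec[key_len:]
    if len(seed) != key_len + len(tail) - 1:
        raise ValueError("seed must have len(k_rec) - 1 bits")
    return [h ^ t for h, t in zip(head, mul(seed, tail, key_len))]


if __name__ == "__main__":
    # Constructed sample: a random 4096-bit reconciled key, 1096 sacrifice bits.
    k_rec = [secrets.randbits(1) for _ in range(4096)]
    key_len = 3000
    seed = random_seed(key_len, len(k_rec) - key_len)
    fast = privacy_amplify(k_rec, key_len, seed)
    slow = privacy_amplify(k_rec, key_len, seed, mul=toeplitz_mul_naive)
    print("final key bits:", len(fast), "methods agree:", fast == slow)
```

The seed always has $|k_{\mathrm{rec}}| - 1$ bits, whatever the final key length, because $T$ has one free bit per diagonal.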
3. Security criteria of the Bennett–Brassard (1984) protocol in the finite case

3.1. The security of QKD with universal composability

We employ the definition of the security of QKD with universal composability in the variable length case [22]. In order to guarantee the security for our protocol, we need to evaluate the security criteria with universal composability after the PA [11]. In this paper, we apply the above definition with the variable length case to the final state after the PA [23].

For this purpose, we describe all public information by $y$, including the choice of a hash function (which corresponds, e.g., to ‘$f$’ of [11]) and the length of the final key (e.g. ‘$m$’ of [22]). However, here we do not restrict ourselves to those two cases; it may contain other public information, e.g. the choice of a code for bit error correction. Hence the length $m$ of the final key is of course a function of $y$. We denote the probabilistic distribution of $y$ in the actual protocol by $P_{\mathrm{pub}}(y)$.

Then we consider the Hilbert space $\mathcal{H}_A \otimes \mathcal{H}_E \otimes \mathcal{H}_X$, consisting of Alice’s final key $\mathcal{H}_A$, Eve’s system $\mathcal{H}_E$ and the public information $\mathcal{H}_X$. We define $\mathcal{H}_A = (\mathbb{C}^2)^{\otimes M}$ with $M$ sufficiently large, so that when $m(y) < M$, Alice uses the (preassigned) subspace of $\mathcal{H}_A$. Also, following [10], we define the composite system of $E$ and $X$ to be $E'$, i.e. $\mathcal{H}_{E'} = \mathcal{H}_E \otimes \mathcal{H}_X$. We denote by $\rho_{A,E|y}$ the state of Alice and Eve after PA, conditioned on public information $y$. Hence, the state after PA takes the form $\rho_{A,E'} = \sum_y P_{\mathrm{pub}}(y)\, \rho_{A,E|y} \otimes |y\rangle\langle y|$.

In this notation, we consider conditional probabilities with respect to length $m$ of the final key. The actual protocol generates the final key of $m$ bits with probability $P_{\mathrm{len}}(m) := \sum_{y: m(y)=m} P_{\mathrm{pub}}(y)$. The public information $y$ obeys the conditional distribution $P(y|m) := P_{\mathrm{pub}}(y)/P_{\mathrm{len}}(m)$; hence, the conditional actual state given $m$ is a density matrix $\rho_{A,E'|m} := \sum_{y: m(y)=m} P_{\mathrm{pub}}(y|m)\, \rho_{A,E|y} \otimes |y\rangle\langle y|$.
The corresponding ideal state given $m$ is defined to be $\rho_{\mathrm{Ideal}|m} := \rho^{\mathrm{mix}}_{A|m} \otimes \rho_{E'|m}$, where $\rho^{\mathrm{mix}}_{A|m}$ is the completely mixed state in the $m$-qubit subsystem of $\mathcal{H}_A$, and $\rho_{E'|m} := \mathrm{Tr}_A\, \rho_{A,E'|m}$. Thus, under the condition that the final key length is $m$, the universal composable security can be guaranteed by bounding the trace distance of these two states, i.e. $\|\rho_{A,E'|m} - \rho_{\mathrm{Ideal}|m}\|_1$ [11].

The parameter $m$ is a random variable in our protocol; hence, following [22], we define the universally composable security by bounding the average trace distance $\sum_m P_{\mathrm{len}}(m) \|\rho_{A,E'|m} - \rho_{\mathrm{Ideal}|m}\|_1$. In this case, it is convenient to define $\rho_{\mathrm{Ideal}} := \sum_m P_{\mathrm{len}}(m)\, \rho_{\mathrm{Ideal}|m}$. Then the average trace distance can be rewritten as

$$
\begin{align}
\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1 &= \sum_m P_{\mathrm{len}}(m) \left\| \rho_{A,E'|m} - \rho^{\mathrm{mix}}_{A|m} \otimes \rho_{E'|m} \right\|_1 \notag \\
&= \sum_y P_{\mathrm{pub}}(y) \left\| \rho_{A,E|y} - \rho^{\mathrm{mix}}_{A|m(y)} \otimes \rho_{E|y} \right\|_1 \tag{3} \\
&\le \sum_y P_{\mathrm{pub}}(y) \left\| \rho_{A,E|y} - \rho_{A|y} \otimes \rho_{E|y} \right\|_1 \tag{4} \\
&\quad + \sum_y P_{\mathrm{pub}}(y) \left\| \rho_{A|y} - \rho^{\mathrm{mix}}_{A|m(y)} \right\|_1, \tag{5}
\end{align}
$$

where $\rho_{A|y} := \mathrm{Tr}_E\, \rho_{A,E|y}$. Hence one may instead bound the sum of the second and the third lines. Here we used the fact that $\rho_{A,E'} = \sum_y P_{\mathrm{pub}}(y)\, \rho_{A,E|y} \otimes |y\rangle\langle y| = \sum_m P_{\mathrm{len}}(m)\, \rho_{A,E'|m}$ for the first equality, and $\rho_{E'|m} = \sum_{y: m(y)=m} P_{\mathrm{pub}}(y|m)\, \rho_{E|y} \otimes |y\rangle\langle y|$ for the second equality.

The quantity of (5) measures the non-uniformity of Alice’s final key; i.e. it gives the averaged distance between Alice’s partial state $\rho_{A|y}$ and the ideally mixed state $\rho^{\mathrm{mix}}_{A|m(y)}$. Note that these two states are equal when Alice and Bob choose a surjective hash function, because we assume that Alice’s raw key obeys the uniform distribution. In particular, if Alice and Bob use a hash function family which consists only of surjective functions (such as the modified Toeplitz matrices [2, 19] mentioned in the previous section), it suffices to bound (4) only.

3.2. Decoding error probability of the virtual phase error correction

We believe that the above definition of security based on the trace distance is the same as that used by Renner and others [10, 11]. Throughout this paper we employ this definition of security. However, in the remaining part where we actually obtain upper bounds on the trace distance, we do not use Renner’s approach based on the smooth minimum entropy [10]. Instead, we bound the trace distance $\|\rho_{A,E|y} - \rho_{A|y} \otimes \rho_{E|y}\|_1$ appearing in (4) using the well-known argument of Shor and Preskill [12] as well as its modification by Hayashi [2]. As we shall see shortly, in these formalisms, the trace distance is bounded from above by using the decoding error probability of the (virtual) phase error correction [footnote 8], which can be identified with the PA in the actual protocol.

The first step of the proof is to consider a virtual protocol where Alice and Bob correct bit errors as well as phase errors occurring in the quantum channel (under Eve’s influence) by using the Calderbank–Shor–Steane (CSS) code. By correcting these two types of errors, Alice and Bob can guarantee that their virtual channel (obtained as a result of quantum error correction) is noiseless and decoupled from Eve; thus the key they exchange there is unconditionally secure.

The second step of the proof is to note that, from Eve’s viewpoint, this virtual protocol is completely indistinguishable from the actual protocol. By using this indistinguishability, the security of the actual protocol follows automatically from that of the virtual protocol.

In these formalisms, phase error correction in the virtual protocol is transformed to simple classical data processing in the actual protocol. That is, Alice and Bob do not need to perform phase error correction in the actual protocol; instead it suffices to perform a projection $C_1 \to C_1/C_2$, where $C_1$, $C_2$ are the classical CSS code. The projection $C_1 \to C_1/C_2$ is often called PA. That is why we often identify PA with the virtual phase error correction in this paper [footnote 9]. (In [19], we have shown that the projection $C_1 \to C_1/C_2$ can be replaced by an $\varepsilon$-almost dual universal$_2$ hash function family.)

Footnote 8. The probability that the (virtual) decoding algorithm fails to give a correct answer.

The original argument of Shor and Preskill was later improved in [24, 25], where it was shown that the virtual phase error correction and the bit error correction can be discussed separately. In fact, the virtual phase error correction is essential for guaranteeing security, while the bit error correction is necessary only for equalizing Alice’s and Bob’s final keys. As a result of this observation, the trace distance $\|\rho_{A,E|y} - \rho_{A|y} \otimes \rho_{E|y}\|_1$ of (4) can be bounded as [2]

$$\left\| \rho_{A,E|y} - \rho_{A|y} \otimes \rho_{E|y} \right\|_1 \le 2\sqrt{2} \sqrt{P_{\mathrm{ph}|y}}, \tag{6}$$

where $P_{\mathrm{ph}|y}$ denotes the conditional decoding error probability of the virtual phase error correction, given public information $y$. By taking the average of (6) with respect to $y$ and by noting that the function $a \mapsto \sqrt{a}$ is concave, we have

$$\sum_y P_{\mathrm{pub}}(y)\, 2\sqrt{2} \sqrt{P_{\mathrm{ph}|y}} \le 2\sqrt{2} \sqrt{\sum_y P_{\mathrm{pub}}(y) P_{\mathrm{ph}|y}} = 2\sqrt{2} \sqrt{P_{\mathrm{ph}}}, \tag{7}$$

where $P_{\mathrm{ph}}$ denotes the decoding error probability of the virtual phase error correction.

As to the non-uniformity of the final key given in (5), recall that we assumed that Alice’s random variable obeys the uniform distribution. Then the leftover hash lemma [26, 27] yields

$$\sum_y P_{\mathrm{pub}}(y) \left\| \rho_{A|y} - \rho^{\mathrm{mix}}_{A|m(y)} \right\|_1 \le \sum_y P_{\mathrm{pub}}(y)\, 2^{-\alpha(y)/2}, \tag{8}$$

where $\alpha(y)$ is the number of sacrifice bits in the PA. Hence, combining (3)–(5), (7) and (8) we obtain

$$\left\| \rho_{A,E'} - \rho_{\mathrm{Ideal}} \right\|_1 \le 2\sqrt{2} \sqrt{P_{\mathrm{ph}}} + \sum_y P_{\mathrm{pub}}(y)\, 2^{-\alpha(y)/2}. \tag{9}$$

In other words, in order to guarantee the security with universal composability, it suffices to bound the quantity on the right-hand side (rhs) of (9).
In particular, as we have noted below (5), the second term on the rhs of (9) is exactly zero when all of the hash functions are surjective; in this case the above inequality is replaced by √ p kρ A,E 0 − ρIdeal k1 6 2 2 Pph . (10) Hence, in order to guarantee the universally composable security, it suffices to bound Pph . 3.3. Conditional quantum mutual information Next, we focus on the conditional quantum mutual information criterion, which upper bounds the classical mutual information between Alice and Eve, which is widely accepted in the community of the classical information theory [33–35] in the fixed-length case. Now, we consider the relation between the conditional quantum mutual information criterion and the 9 However, the actual protocol does not necessarily have a counterpart for any operation in the virtual protocol. For example, the actual protocol has no operation corresponding to the measurement of the syndrome in the virtual protocol. New Journal of Physics 14 (2012) 093014 (http://www.njp.org/) 10 decoding error probability of the virtual phase error correction Pph . The conditional quantum mutual information is given as follows: X X Plen (m)I (A : E 0 |m) = Plen (m)Iρ A,E 0 |m (A : E 0 ). (11) m m For a simple analysis, we assume that all of the hash functions are surjective and the channel is Pauli. Now, we consider the reference system for the input system with the condition that the final key length is m and the bit error x occurs. That is, we consider the purification of ρ A|m with the above condition. In this case, the phase error z occurs with the probability PZ |X =x (z) = PZ |X (z|x), and Alice’s information is independent of x. Here, we denote the random variables concerning the phase error and bit error by Z and X . Thus, X X X Plen (m)Iρ A,E 0 |m (A : E 0 ) = Plen (m) PX |m (x)Iρ A,E 0 |m (A : E 0 |X = x) m m = X Plen (m) X m 6 X x PX |m (x)H (ρ E 0 |m,x ) − X x Plen (m) X m P(a|m)H (ρ E 0 |a,m,x ) a PX |m (x)H (ρ E 0 |m,x ). 
(12) x In the above discussion, note that the distribution describing the channel with the code C1 /C2 depends on the choice of m. The entropy H (ρ E 0 |m,x ) of Eve’s system is the same as that of the composite system of the reference system and Bob’s system when m and x are fixed. This is because the state of the total system of the former and the latter is pure when m and x are fixed. In this case, the entropy of the latter system is equal to the entropy of the conditional distribution PZ |X =x,m . Thus, H (ρ E 0 |m,x ) = H (PZ |X =x,m ). Therefore, we obtain X X X X Plen (m) PX (x)H (ρ E 0 |m,x ) = Plen (m) PX (x)H (PZ |X =x,m ) m x m x ! 6 X Plen (m)H m X PX (x)PZ |X =x,m = x X Plen (m)H (PZ |m ). (13) m Since H (PZ |m ) is smaller than h(Pph|m ) + m Pph|m , combining (12) and (13) we obtain X X X Plen (m)I (A : E 0 |m) 6 Plen (m) PX (x)H (ρ E 0 |m,x ) m m x ! 6 X Plen (m)h(Pph|m ) + m Pph|m 6 h m = h(Pph ) + X Plen (m)Pph|m + m X X Plen (m)m Pph|m m Plen (m)m Pph|m 6 h(Pph ) + Pph max m. m m Hence, in order to guarantee the conditional mutual information, it suffices to bound Pph . 3.4. Conditional decoding error probability given k In this subsection we show that, in order to bound the decoding error probability Pph of the virtual phase error correction, it is sufficient to bound Pph|k for all k, where Pph|k denotes the New Journal of Physics 14 (2012) 093014 (http://www.njp.org/) 11 corresponding conditional probability given k. We also show that a bound on Pph|k can be given in a concise form using the hypergeometric distribution Phg (c|k) and binary entropies. First note that, without loss of generality, Eve’s eavesdropping strategy can be described by the probability distribution Q EveP (k) of k, which is the number of errors in the total bits 10 n + l. Then Pph can be rewritten as Pph = k Q Eve (k)Pph|k , where Pph|k denotes the conditional decoding error probability given k. Next, we consider the conditional probability Phg (c|k) of c given k, i.e. 
the probability that $c$ bits of errors are found in sample bits when there are $k$ errors in the total bits. Since sample bits are sampled without replacement, $c$ obeys the hypergeometric distribution for a fixed value of $k$:

$$P_{\mathrm{hg}}(c|k) := \frac{\binom{l}{c}\binom{n}{k-c}}{\binom{n+l}{k}}, \tag{14}$$

with the average $\bar c$ and the deviation $\sigma$ given by

$$\bar c(k) := \frac{lk}{n+l}, \qquad \sigma_{n,l}(k)^2 := \frac{k\,n\,l\,(n+l-k)}{(n+l)^2 (n+l-1)}. \tag{15}$$

In the following, $\sigma_{n,l}(k)^2$ is simplified to $\sigma(k)^2$. Hence values of $k$, $c$ occur with probability $Q_{\mathrm{Eve}}(k) P_{\mathrm{hg}}(c|k)$. (Here sample bits are sampled without replacement simply because one cannot measure both the phase and the bit values of a qubit simultaneously, and thus Alice and Bob cannot reuse the sample bits as a sifted key. If one could somehow sample them with replacements, the hypergeometric distribution here would of course be replaced by the binomial distribution, which is much simpler.)

Finally, we consider the conditional decoding error probability $P_{\mathrm{ph}|k,c}$ for fixed values of $k$ and $c$. In this case, the number of phase error patterns of total bits is bounded from above by $2^{nh((k-c)/n)}$ (see, e.g., lemma 4.2.2; [31]). Due to the construction of the protocol, the number of the sacrificed bits $\alpha(c)$ is fixed. As we have shown in [19], if Alice and Bob use a linear universal$_2$ hash function family for PA in the actual protocol, it can be considered as the situation in the virtual protocol where they use a two-almost universal$_2$ linear code family for phase error correction (i.e. a linear two-almost universal$_2$ hash function family is used as the syndrome function for correcting phase errors). Then the decoding error probability $P_{\mathrm{ph}|k,c}$ of the virtual phase error correction can be bounded as

$$P_{\mathrm{ph}|k,c} \le S_{\mathrm{pa}}(k,c) := 2 \cdot 2^{[g(k,c)]_-} = 2^{[g(k,c)]_- + 1}, \tag{16}$$

$$\begin{aligned}
g(k,c) &:= n h\big((k-c)/n\big) - \alpha(c) \\
&= n h\big((k-c)/n\big) - n h\big(\hat p_{\mathrm{sft}}(c+2)\big) - D \\
&= n h\big(p_{\mathrm{sft}}(k,c)\big) - n h\big(\hat p_{\mathrm{sft}}(c+2)\big) - D,
\end{aligned} \tag{17}$$

where $[x]_- := \min(x, 0)$.
It is easy to see that inequality (16) holds when the completely random matrices (a type of universal$_2$ hash function) are used for PA, as in Koashi's case [18]. It is also shown to hold when the Toeplitz matrices (another universal$_2$ hash function family) are used for PA, by using the fact that dual matrices of the Toeplitz matrices generate universal$_2$ hash functions [2]. More generally, in [19], we have further shown that inequality (16) is valid when an arbitrary family of universal$_2$ functions is used for PA.

Footnote 10: In the general setting, Eve is allowed to use the superposition among different integers $k$. In order to treat such a case, we introduce the distribution $Q_{\mathrm{Eve}}(k)$ here.

Hence, to summarize, under Eve's strategy $Q_{\mathrm{Eve}}(k)$, error numbers $k$, $c$ are distributed by $Q_{\mathrm{Eve}}(k) P_{\mathrm{hg}}(c|k)$. For fixed values of $k$, $c$, the virtual phase error correction fails with a probability less than $S_{\mathrm{pa}}(k,c)$ given in (16). Combining these probabilities, we see that the decoding error probability $P_{\mathrm{ph}}$ of the virtual phase correction can be bounded as

$$P_{\mathrm{ph}} = \sum_k Q_{\mathrm{Eve}}(k) P_{\mathrm{ph}|k} \le \sum_k \sum_c Q_{\mathrm{Eve}}(k) P_{\mathrm{hg}}(c|k) S_{\mathrm{pa}}(k,c) \tag{18}$$

$$= \sum_k Q_{\mathrm{Eve}}(k) S_{\mathrm{av}}(k) \le \max_k S_{\mathrm{av}}(k), \tag{19}$$

where $S_{\mathrm{av}}(k)$ is defined by

$$S_{\mathrm{av}}(k) := \sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, S_{\mathrm{pa}}(k,c). \tag{20}$$

Since Eve's strategy $Q_{\mathrm{Eve}}(k)$ can be arbitrary, $P_{\mathrm{ph}}$ can be bounded if and only if $\max_k S_{\mathrm{av}}(k)$ is bounded. Hence in what follows, we will concentrate on obtaining upper bounds on $\max_k S_{\mathrm{av}}(k)$.

As one can see from the definition of $S_{\mathrm{pa}}(k,c)$ in (16), (17), a straightforward way of minimizing $\max_k S_{\mathrm{av}}(k)$ is to define the function $\hat p_{\mathrm{sft}}(c)$ so that it always gives a large value; this corresponds to the situation where, looking at $c$, Alice and Bob always give a pessimistic estimate $\hat p_{\mathrm{sft}}(c)$ that is much larger than the actual value $p_{\mathrm{sft}}(k,c)$.
However, as one can see from the definition of $\alpha(c)$ in (1) and the final key length $G$ given in the previous section, a large $\hat p_{\mathrm{sft}}(c)$ results in a poor key generation rate. Rather, in order to achieve high key generation rates and the high-level security simultaneously, one needs to minimize $\max_k S_{\mathrm{av}}(k)$ by considering the contributions of the two factors, $P_{\mathrm{hg}}(c|k)$ and $S_{\mathrm{pa}}(k,c)$. Hence we define $\hat p_{\mathrm{sft}}(c)$ so that it becomes as close as possible to (and larger than) the actual value $p_{\mathrm{sft}}(k,c)$, in the regions of $k$, $c$ where $P_{\mathrm{hg}}(c|k)$ is not negligible. This is equivalent to the estimation problem of an upper bound of $p_{\mathrm{sft}}(k,c)$:

(i) For a given $c$, we give a suitable choice of the estimated value $\hat p_{\mathrm{sft}}(c)$ for the phase error rate of a sifted key. Alice and Bob use this value to calculate the value of $\alpha(c)$ of (1), and obtain the final key length $G$. This will be done in section 4.

(ii) With the suitable choice of $\hat p_{\mathrm{sft}}(c)$, we obtain a universal upper bound on the rhs of (20) that is independent of $k$ and thus an upper bound of $P_{\mathrm{ph}}$ [footnote 11]. This will be done in section 5.

Footnote 11: A similar analysis was given by Fung et al [28]. However, they seem to evaluate $P_{\mathrm{hg}}(c|k) S_{\mathrm{pa}}(k,c)$ without the summation. This corresponds to the probability that a certain set of values $k$ and $c$ occur and then the virtual phase error correction by Alice and Bob fails.

4. Upper confidence limit on the phase error rate $p_{\mathrm{sft}}(k,c)$

Now let us turn to the definition of $\hat p_{\mathrm{sft}}(c)$. As mentioned above, since the length $l$ of sample bits is finite in practical QKD systems, the phase error rate of a sifted key $p_{\mathrm{sft}}(k,c)$ deviates from that of sample bits, $p_{\mathrm{smp}}(c)$, due to statistical fluctuations. Hence, in order to guarantee the security by PA, instead of $p_{\mathrm{smp}}(c)$, one needs to use the estimated upper bound $\hat p_{\mathrm{sft}}(c)$ of $p_{\mathrm{sft}}(k,c)$, defined with the statistical effect taken into account.
As long as $p_{\mathrm{sft}}(k,c)$ is estimated larger than the actual value, i.e. $\hat p_{\mathrm{sft}}(c) > p_{\mathrm{sft}}(k,c)$, there is no loss of security, because then, more information is erased by the PA than is actually leaked to Eve. On the other hand, however, one needs to avoid a situation where $p_{\mathrm{sft}}(k,c)$ is estimated smaller as $\hat p_{\mathrm{sft}}(c) \le p_{\mathrm{sft}}(k,c)$. In such a case, the PA of the previous section does not work since $[g(k,c)]_- = 0$. Hence, at least as a necessary condition, the function $\hat p_{\mathrm{sft}}$ needs to satisfy that

$$\mathrm{Pr}_k\big\{\, c \;\big|\; \hat p_{\mathrm{sft}}(c) \ge p_{\mathrm{sft}}(k,c) \,\big\} \ge 1 - \varepsilon \quad \text{for } \forall k, \tag{21}$$

where $\mathrm{Pr}_k\{c|Q\}$ denotes the probability that $c$ occurs satisfying a condition $Q$, under the hypergeometric distribution $P_{\mathrm{hg}}(c|k)$. In order to maximize the key generation rate for fixed values of $l$, $n$, we wish to make $\hat p_{\mathrm{sft}}(c)$ as small as possible.

In statistics, this corresponds to an interval estimation problem. That is, finding the $\hat p_{\mathrm{sft}}(c)$ satisfying (21) is to obtain an upper confidence limit on $p_{\mathrm{sft}}(k,c)$ from an observed value of $c$, with significance level $\varepsilon$ (see, e.g., [29]). In the following, we derive the minimum estimate $\hat p_{\mathrm{sft},\varepsilon}(c) = \hat p_{\mathrm{sft}}(c)$ satisfying the condition (21) under the normal approximation of $P_{\mathrm{hg}}(c|k)$ by employing interval estimation of $k$. Although there is a standard procedure found in every textbook for this analysis (e.g. [29]), we reproduce it below for the sake of explanation.

Firstly, we define the normal distribution function by

$$\Phi(x) := \frac{1}{\sqrt{2\pi}} \int_x^{\infty} \exp(-y^2/2)\, dy, \tag{22}$$

and $s(\varepsilon)$ as the deviation corresponding to $\varepsilon$, e.g.,

$$s(\varepsilon) = \Phi^{-1}(\varepsilon) \tag{23}$$

such that $\varepsilon = \Phi(s(\varepsilon))$. In what follows, we often abbreviate $s(\varepsilon)$ to $s$. Then, applying the normal approximation to $P_{\mathrm{hg}}(c|k)$, we have the relation

$$\mathrm{Pr}_k\{\, c \mid c \ge \bar c(k) - s(\varepsilon)\sigma(k) \,\} \ge 1 - \varepsilon \tag{24}$$

for any integer $k$; that is, $c \ge \bar c(k) - s(\varepsilon)\sigma(k)$ holds at least with probability $1 - \varepsilon$ for any integer $k$. Note that this condition is equivalent to $(c - \bar c(k))^2 \le s(\varepsilon)^2 \sigma(k)^2$ or $c \ge \bar c(k)$.
We rewrite this condition further as

$$\big(p_{\mathrm{smp}} - p\big)^2 \le 4\gamma\, p(1-p), \quad \text{or} \quad p_{\mathrm{smp}} \ge p, \tag{25}$$

where $p = k/(n+l)$, $p_{\mathrm{smp}}(c) = c/l$ and

$$\gamma := \frac{s(\varepsilon)^2\, n}{4l(n+l-1)}. \tag{26}$$

Condition (25) is equivalent to $p \le \hat p_\varepsilon(c)$, where $\hat p_\varepsilon(c)$ is a solution of $(p_{\mathrm{smp}} - \hat p_\varepsilon)^2 = 4\gamma\, \hat p_\varepsilon (1 - \hat p_\varepsilon)$ given by

$$\hat p_\varepsilon(c) := \frac{1}{1+4\gamma} \left( p_{\mathrm{smp}} + 2\gamma + 2\sqrt{\gamma \left\{ p_{\mathrm{smp}}\big(1 - p_{\mathrm{smp}}\big) + \gamma \right\}} \right). \tag{27}$$

That is, $k/(n+l) = p \le \hat p_\varepsilon(c)$ holds at least with probability $1 - \varepsilon$ for any integer $k$. In other words, the rate $\hat p_\varepsilon(c)$ gives the upper bound of one-sided interval estimation of $p = k/(n+l)$. Using this estimate, we define another function

$$\hat p_{\mathrm{sft},\varepsilon}(c) := \big(\hat p_\varepsilon(c)(n+l) - c\big)/n = \frac{(n+l)\,\hat p_\varepsilon(c) - l\, p_{\mathrm{smp}}(c)}{n}. \tag{28}$$

Then, again, the inequality $\hat p_{\mathrm{sft},\varepsilon}(c) \ge p_{\mathrm{sft}}(k,c) = (k-c)/n$ holds at least with probability $1 - \varepsilon$ for any integer $k$. As a result, by choosing $\hat p_{\mathrm{sft}}(c)$ as $\hat p_{\mathrm{sft},\varepsilon}(c)$, we can satisfy the condition (21). Throughout this paper, we will use these definitions of $\hat p_\varepsilon(c)$ and $\hat p_{\mathrm{sft},\varepsilon}(c)$ in calculating $\alpha(c)$.

Now two remarks are in order. First, if there are sufficiently many samples (i.e. with $l$ large and thus $\gamma$ sufficiently small), the error number $c$ has roughly the same distribution, irrespective of whether the samples are picked up with or without replacement. In such a case, as we mentioned under equation (15), the hypergeometric distribution $P_{\mathrm{hg}}(c|k)$ can be approximated by the binomial distribution. Indeed, to the first order of $\sqrt{\gamma}$, the estimated value $\hat p_\varepsilon(c)$ of equation (27) can be approximated as

$$\hat p_\varepsilon(c) \simeq p_{\mathrm{smp}}(c) + \frac{s}{l}\sqrt{\frac{n}{n+l-1}}\; \sigma_{\mathrm{bin}}(c) = p_{\mathrm{smp}}(c) + \frac{s}{l}\sqrt{\frac{n}{n+l-1}}\, \sqrt{l\, p_{\mathrm{smp}}(c)\big(1 - p_{\mathrm{smp}}(c)\big)},$$

where $\sigma_{\mathrm{bin}}(c) := \sqrt{l\, p_{\mathrm{smp}}(c)(1 - p_{\mathrm{smp}}(c))}$ denotes the deviation of the binomial distribution with the error rate of the sample bits being $p_{\mathrm{smp}}(c) = c/l$.
Furthermore, by using the inequality $p_{\mathrm{smp}}(c) + \frac{s}{l}\sqrt{\frac{n}{n+l-1}}\,\sigma_{\mathrm{bin}}(c) \le p_{\mathrm{smp}}(c) + \frac{s}{l}\sigma_{\mathrm{bin}}(c)$, and by noting that the larger $\hat p_\varepsilon(c)$ always gives a better security bound, we can instead use a simpler approximation given by

$$\hat p_\varepsilon(c) \simeq p_{\mathrm{smp}}(c) + \frac{s}{l}\,\sigma_{\mathrm{bin}}(c). \tag{29}$$

The approximated upper bound of (29) can also be obtained by an argument similar to the above, with the hypergeometric distribution replaced by the binomial distribution. This means that, for $l$ sufficiently large, one can conclude that the phase error rate $p(k,c)$ of the total bits can be bounded from above by $\hat p_\varepsilon(c)$ of (29), which is simply the measured error rate $p_{\mathrm{smp}}(c)$ of the samples, plus $s$ times its standard deviation, i.e. plus $\frac{s}{l}\sigma_{\mathrm{bin}}$. The actual value exceeds this bound only with a probability less than $\Phi(s)$; or in other words, this estimation fails only with a probability less than $\Phi(s)$.

5. Upper bounds on the decoding error probability $P_{\mathrm{ph}}$

Throughout the paper, we assume that Alice and Bob perform the protocol specified in section 2, using the estimated upper bound $\hat p_{\mathrm{sft},\varepsilon}(c)$ of (27) and (28), obtained in the previous section. That is, here we substitute $\hat p_{\mathrm{sft},\varepsilon}(c)$ for $\hat p_{\mathrm{sft}}(c)$ in (1), and as a result of that, Alice and Bob use sacrifice bits of $\alpha(c) = h(\hat p_{\mathrm{sft},\varepsilon}(\max[c, c_{\min}])) + D$ in the PA step. In this setting, we evaluate the decoding error probability $P_{\mathrm{ph}}$ and obtain several upper bounds.

5.1. The straightforward upper bounds

In section 3.4, we showed that, in order to bound $P_{\mathrm{ph}}$, it suffices to bound $S_{\mathrm{av}}(k)$ of (20) for all values of $k$. In this subsection, we first present a simple evaluation of $P_{\mathrm{ph}}$, where we divide the summation $S_{\mathrm{av}}(k)$, given in (20), into two regions of $c$. This method is similar to those used in the preceding literature [3, 4], and we call it here the straightforward method.
For each value of $k$, we set the boundary value $c_{\mathrm{bnd}}(k) := \lfloor \bar c(k) - s\sigma(k) \rfloor$, and divide the summation of (20) as

$$S_{\mathrm{av}}(k) = \sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, S_{\mathrm{pa}}(k,c) \tag{30}$$

$$\le \sum_{c=0}^{\lfloor \bar c(k) - s\sigma(k) \rfloor} P_{\mathrm{hg}}(c|k) + \sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, S_{\mathrm{pa}}(k,c) \tag{31}$$

$$\le \sum_{c=0}^{\lfloor \bar c(k) - s\sigma(k) \rfloor} P_{\mathrm{hg}}(c|k) + \max_{c \in [\bar c(k) - s\sigma(k),\, c_{\max}]} S_{\mathrm{pa}}(k,c). \tag{32}$$

(In what follows, we often write $\bar c$, $\sigma$, $s$ instead of $\bar c(k)$, $\sigma(k)$, $s(\varepsilon)$.) Then, by using the properties of $\hat p_{\mathrm{sft},\varepsilon}(c)$ given in the preceding section, the two terms of (32) can be evaluated as follows.

(i) The first summation of (32) is the probability $\mathrm{Pr}_k\{\, c \mid c < \bar c(k) - s(\varepsilon)\sigma(k) \,\}$. As we have shown in the preceding section, this term is less than $\varepsilon$ (see (24)) if one applies the normal approximation to $P_{\mathrm{hg}}(c|k)$. To put it more explicitly, apply the normal approximation of the form

$$\sum_{c=a}^{b} P_{\mathrm{hg}}(c|k) \simeq \frac{1}{\sqrt{2\pi}} \int_{\zeta_a}^{\zeta_b} e^{-x^2/2}\, dx \tag{33}$$

with $\zeta_c := (c - \bar c(k))/\sigma(k)$. Then it follows that the first term of (32) is less than $\Phi(s(\varepsilon)) = \varepsilon$, where $\Phi(s)$ is the normal distribution function given in (22).

(ii) In the second term of (32), the function $S_{\mathrm{pa}}(k,c) = 2^{[g(k,c)]_- + 1}$ is maximized at $c = \bar c(k) - s\sigma(k)$, because $g(k,c)$, defined in (17), is decreasing with $c$. Also note that $\hat p_{\mathrm{sft},\varepsilon}(\bar c(k) - s\sigma(k)) = p_{\mathrm{sft}}(k, \bar c(k) - s\sigma(k))$ holds by the definition of $\hat p_{\mathrm{sft},\varepsilon}(c)$, given in (27) and (28) [footnote 12]. Thus, from (17), we have

$$\begin{aligned}
g\big(k, \bar c(k) - s\sigma(k)\big) &= n h\big(p_{\mathrm{sft}}(k, \bar c(k) - s\sigma(k))\big) - \alpha\big(\bar c(k) - s\sigma(k)\big) \\
&\le n h\big(p_{\mathrm{sft}}(k, \bar c(k) - s\sigma(k))\big) - n h\big(\hat p_{\mathrm{sft},\varepsilon}(\bar c(k) - s\sigma(k))\big) - D = -D.
\end{aligned}$$

For the inequality of the second line, we used the fact that $\alpha(c) = h(\hat p_{\mathrm{sft},\varepsilon}(\max[c, c_{\min}] + 2)) \ge h(\hat p_{\mathrm{sft},\varepsilon}(c))$. This means that the second summation of (32) can be bounded by $2^{-D+1}$. We remark that, unlike the first term of (32), this upper bound is valid without relying on the normal approximation.

Note here that both the bounds are valid for all values of $k$.
Hence, by combining these two upper bounds, we obtain the following proposition.

Footnote 12: In fact, this is exactly the way we planned when we defined $\hat p_{\mathrm{sft},\varepsilon}(c)$: as mentioned in the sentences below (49), the function $\hat p_\varepsilon(c)$ is defined so that the condition $\hat p_\varepsilon(\bar c(k) - s\sigma(k)) = p(k)$ is satisfied for all $k$. This condition is equivalent to $\hat p_{\mathrm{sft},\varepsilon}(\bar c(k) - s\sigma(k)) = p_{\mathrm{sft}}(k, \bar c(k) - s\sigma(k))$, due to definitions of $\hat p_{\mathrm{sft},\varepsilon}(c)$ and $p_{\mathrm{sft}}(k,c)$ given in (28) and in table 1.

Table 1. Notations of the key lengths, total bits and sample bits. Functions $\hat p_\varepsilon(c)$ and $\hat p_{\mathrm{sft},\varepsilon}(c)$ denote the estimated upper bounds of $p(k)$ and $p_{\mathrm{sft}}(k,c)$, under the condition that there are $c$ errors in sample bits. The parameter $\varepsilon$ denotes the probability that the estimation fails. See section 4 for details.

| | Total bits | Sifted key | Sample bits |
| Number of bits | $n + l$ | $n$ | $l$ |
| Number of errors | $k$ | $k - c$ | $c$ |
| Error rate | $p(k) = \frac{k}{n+l}$ | $p_{\mathrm{sft}}(k,c) = \frac{k-c}{n}$ | $p_{\mathrm{smp}}(c) = \frac{c}{l}$ |
| Estimate of error rate with error probability $\varepsilon$ | $\hat p_\varepsilon(c)$ | $\hat p_{\mathrm{sft},\varepsilon}(c)$ | |

Proposition 1. For a given $\varepsilon$ (and the corresponding $s(\varepsilon) = \Phi^{-1}(\varepsilon)$), suppose that $c_{\min} \le c_{\max}$, and that Alice and Bob perform the QKD protocol specified in section 2. Then by applying the normal approximation to $P_{\mathrm{hg}}(c|k)$, $P_{\mathrm{ph}}$ can be bounded as

$$P_{\mathrm{ph}} \le \max_k S_{\mathrm{av}}(k) \le \varepsilon + 2^{-D+1}. \tag{34}$$

If one wishes to bound $P_{\mathrm{ph}}$ by a certain value, say $P_{\max}$, a convenient choice of parameters is $\varepsilon = 2^{-D+1} = \frac{1}{2} P_{\max}$, or equivalently, $D = 2 - \log_2 P_{\max}$ and $s = \Phi^{-1}(\varepsilon) = \Phi^{-1}\big(\frac{1}{2} P_{\max}\big)$ [footnote 13]. Then inequality (10) guarantees that the trace distance is bounded as $\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1 \le 2\sqrt{2}\sqrt{P_{\max}}$, if Alice and Bob use a universal$_2$ hash function family that consists of linear and surjective functions.

Further, if parameters $l$ and $n$ are sufficiently large, we can also obtain a tight bound on the first term of (32) without relying on the normal approximation of $P_{\mathrm{hg}}(c|k)$.

Lemma 1.
If $54\, s(\varepsilon)^2 \le l \le n$, $1 \le k$, and $c_{\max} \le 0.12l$, we have

$$\sum_{c=0}^{\min(\lfloor \bar c - s\sigma \rfloor,\, c_{\max})} P_{\mathrm{hg}}(c|k) \le \sqrt{\frac{s(\varepsilon)^2 + 2\pi}{2}}\, \sqrt{\frac{n+l}{n}}\; e^{\mu}\, \varepsilon, \tag{35}$$

where $\mu := 1/(6n) + 1/(12)$. Note that this bound holds rigorously, without relying on the normal approximation of $P_{\mathrm{hg}}(c|k)$.

This lemma will be proved in B.3. Now recall that the upper bound $2^{-D+1}$, obtained above for the second term of (32), does not rely on any approximation either. Hence, besides proposition 1, we can obtain another bound on $P_{\mathrm{ph}}$ that is similarly tight, and is valid rigorously without relying on any approximation:

Proposition 2. Suppose that $54\, s(\varepsilon)^2 \le l \le n$, and $c_{\max} \le 0.12l$ are satisfied for a given $\varepsilon$ (i.e. with $\Phi(s) = \varepsilon$). Also assume that Alice and Bob perform the QKD protocol specified in section 2. Then without using the normal approximation of $P_{\mathrm{hg}}(c|k)$, we have

$$P_{\mathrm{ph}} \le \max_k S_{\mathrm{av}}(k) \le \sqrt{\frac{s(\varepsilon)^2 + 2\pi}{2}}\, \sqrt{\frac{n+l}{n}}\; e^{\mu}\, \varepsilon + 2^{-D+1}. \tag{36}$$

Footnote 13: Of course, the optimal choice is to let $\varepsilon = a P_{\max}$ and $2^{-D+1} = (1-a) P_{\max}$ and then find the optimal $0 < a < 1$ that yields the highest key generation rate. However, we do not pursue this optimality in the rest of this paper, since varying $a$ contributes very little to the key rate in typical situations.

5.2. The upper bounds by the Gaussian integration

In the above analysis of the straightforward bounds, if one wishes to bound $P_{\mathrm{ph}}$ by a certain value, say $P_{\max}$, it is necessary to let $D > 1 - \log_2 P_{\max}$. Hence, if one chooses a very small $P_{\max}$ in order to achieve high-level security, this $D$ can decrease the final key length severely through the sacrificed bit length (1). In this subsection, we derive improved bounds that hold with $D = 1$. We term them here the Gaussian bounds for the following reason.

The first step of the analysis is similar to that of the previous section; i.e. we divide the summation of $S_{\mathrm{av}}(k)$ as in (31) and obtain upper bounds for each term.
For the first term of (31), we use the normal approximation (33) again and bound it by $\varepsilon$. However, for the second term of (31), we employ quite a different strategy: we approximate $P_{\mathrm{hg}}(c|k)$ by using (33) and also upper bound $S_{\mathrm{pa}}(k,c)$ by an exponential function of a simple linear function of $c$ (specified below in (38)). By using this simple form, we evaluate the summation over $c$ as a Gaussian integral. As a result of this integration, instead of $2^{-D+1}$ appearing in the previous subsection, we obtain an upper bound $\delta\varepsilon$ on the second term, with $\delta$ being small for large $l$, $n$.

In order for this strategy using the Gaussian integration to work properly, parameter $k$ must be confined to a specific region. Thus, as a preparation, we consider the following three cases depending on the value of $k$:

(i) If $k$ is too small (i.e. $0 \le k \le n c_{\min}/l$), it can be shown that $S_{\mathrm{pa}}(k,c)$ is always bounded by $\varepsilon$, by using the properties of $g(k,c)$. Thus $S_{\mathrm{av}}(k) \le \varepsilon$.

(ii) For the intermediate domain where $n c_{\min}/l \le k \le (n+l)\,\hat p_{\mathrm{sft},\varepsilon}(c_{\max})$, the function $g(k,c)$ (used for $S_{\mathrm{pa}}(k,c) = 2^{[g(k,c)]_- + 1}$) can be bounded from above by a simple function, i.e. a constant or a linear function of $c$.

(iii) If $k$ is too large (i.e. $(n+l)\,\hat p_{\mathrm{sft},\varepsilon}(c_{\max}) \le k$), we can also show that $S_{\mathrm{av}}(k)$ is less than $\sum_{c=0}^{\bar c - s\sigma} P_{\mathrm{hg}}(c|k)$.

A more precise argument will be given in appendix C, and we have the following theorem.

Theorem 1. Let $D = 1$. If $c_{\min} \le c_{\max}$ and $2 \le s(\varepsilon)$, then $S_{\mathrm{av}}(k)$ is bounded from above as follows:

• Case 1. If $0 \le k \le n c_{\min}/l$,

$$S_{\mathrm{av}}(k) \le \varepsilon. \tag{37}$$

• Case 2. If $n c_{\min}/l < k \le (n+l)\,\hat p_{\mathrm{sft},\varepsilon}(c_{\max})$, for an arbitrary possible outcome $c$, we have

$$S_{\mathrm{pa}}(k,c) \le \min\left\{ 2^{-\beta(c - (\bar c - s\sigma + 1))},\; 1 \right\}, \tag{38}$$

where

$$\beta := \frac{1}{1+4\gamma}\, \frac{n+l}{l}\; h'\big(\hat p_{\mathrm{sft},\varepsilon}(c_{\max})\big). \tag{39}$$

Thus

$$S_{\mathrm{av}}(k) \le \sum_{c=0}^{\min(\lfloor \bar c - s\sigma \rfloor,\, c_{\max})} P_{\mathrm{hg}}(c|k) + \sum_{c=\lfloor \bar c - s\sigma \rfloor + 1}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, 2^{-\beta(c - (\bar c - s\sigma) + 1)}. \tag{40}$$

• Case 3.
If $(n+l)\,\hat p_{\mathrm{sft},\varepsilon}(c_{\max}) \le k$, then $c_{\max} \le \bar c - s\sigma$ holds by the definition of $\hat p_{\mathrm{sft},\varepsilon}(c)$. Hence

$$S_{\mathrm{av}}(k) \le \sum_{c=0}^{c_{\max}} P_{\mathrm{hg}}(c|k) \le \sum_{c=0}^{\lfloor \bar c - s\sigma \rfloor} P_{\mathrm{hg}}(c|k). \tag{41}$$

(For the proof of this theorem, see appendix C.)

We stress that the normal approximation to $P_{\mathrm{hg}}(c|k)$ is not yet applied, and thus all inequalities are rigorous at this stage [footnote 14]. Then in the rest of this subsection, we will show that the rhs of each inequality of theorem 1 can be bounded from above by $(1+\delta)\varepsilon$, with $\delta$ being smaller than 1 for sufficiently large $l$, $n$. In other words, we obtain an upper bound on $S_{\mathrm{av}}(k)$ that is valid for all $k$; thus $P_{\mathrm{ph}}$ (recall the argument of section 3.4) can be bounded from above by $(1+\delta)\varepsilon$.

Let us first discuss the easier cases, namely Cases 1 and 3. As mentioned above, for these two cases, $S_{\mathrm{av}}(k)$ can be easily shown to be less than $\varepsilon$: for Case 1, it is already proved in theorem 1. For Case 3, if one applies the normal approximation to $P_{\mathrm{hg}}(c|k)$, $S_{\mathrm{av}}(k)$ is bounded by $\varepsilon$, as can be seen from the same argument in the previous section (see the paragraph of (33)).

Hence, there remains to be evaluated Case 2, where parameter $k$ is restricted as $n c_{\min}/l < k \le (n+l)\,\hat p_{\mathrm{sft},\varepsilon}(c_{\max})$. As mentioned above, we here show that $S_{\mathrm{av}}(k)$ can be rewritten as the Gaussian integration in this case. In inequality (40), the first term on the rhs can be bounded by $\varepsilon$, with the approximation applied to $P_{\mathrm{hg}}(c|k)$. For the second term, which is a summation over $c$, we replace $P_{\mathrm{hg}}(c|k)$ by the normal approximation. In addition to that, we replace $S_{\mathrm{pa}}(k,c)$ appearing in the same summation by the rhs of (38). Then the summation can be rewritten as a Gaussian integral:

$$\sum_{c=\lfloor \bar c - s\sigma \rfloor}^{c_{\max}} P_{\mathrm{hg}}(c|k)\, 2^{-\beta(c - (\bar c - s\sigma) + 1)} \simeq \frac{1}{\sqrt{2\pi}} \int_{-s}^{(c_{\max} - \bar c)/\sigma} \exp\left( -\frac{x^2}{2} - s(x+s)\,\xi_\varepsilon(k) \right) dx \tag{42}$$

$$\le \frac{1}{\sqrt{2\pi}} \int_{-s}^{\infty} \exp\left( -\frac{x^2}{2} - s(x+s)\,\xi_\varepsilon(k) \right) dx \tag{43}$$

$$= e^{\frac{1}{2}\xi_\varepsilon(\xi_\varepsilon - 2)s^2}\, \frac{1}{\sqrt{2\pi}} \int_{(\xi_\varepsilon - 1)s}^{\infty} e^{-x^2/2}\, dx \tag{44}$$

$$=: I_2(\xi_\varepsilon(k)),$$

where $\xi_\varepsilon(k) := (\ln 2)\,\beta\,\sigma(k)/s(\varepsilon)$.
Further, in order to bound $I_2(\xi_\varepsilon(k))$ using $\varepsilon$, we introduce the inequalities

√ √ 2 2 −x 2 /2 2 e−x /2 6 8(x) 6 e , √ x x 2 + 2π (45)

where $\Phi(x)$ is the normal distribution function given in (22). (Inequalities (45) will also be proved in appendix C.)

Footnote 14: It is true that we used the normal approximation in deriving $\hat p_{\mathrm{sft},\varepsilon}(c)$ in (28) and (27), and that $\hat p_{\mathrm{sft},\varepsilon}(c)$ is used in the statement of theorem 1. However, in the proof of theorem 1 we use no approximation; thus the theorem holds rigorously, without any approximation.

By using (45), the integral $I_2(\xi_\varepsilon(k))$ can be further evaluated as

$$I_2(\xi_\varepsilon(k)) \le \frac{\sqrt{1 + 2\pi s^{-2}}}{\xi_\varepsilon(k) - 1}\, \Phi(s(\varepsilon)) = \frac{\sqrt{1 + 2\pi s^{-2}}}{\xi_\varepsilon(k) - 1}\, \varepsilon. \tag{46}$$

Note here that $\sigma(k)$ is an increasing function of $k$, because $\xi_\varepsilon(k)$ is. Thus the final term of (46) is maximized at the lower boundary $k = n c_{\min}/l$, and we finally obtain

$$I_2(\xi_\varepsilon(k)) \le \frac{\sqrt{1 + 2\pi s^{-2}}}{\xi_{\min,\varepsilon} - 1}\, \varepsilon \tag{47}$$

with $\xi_{\min,\varepsilon} := \xi_\varepsilon(n c_{\min}/l)$. We now have the following theorem.

Theorem 2. For a given $\varepsilon$, suppose that $c_{\min} \le c_{\max}$, $2 \le s(\varepsilon)$ and $1 < \xi_{\min,\varepsilon}$ with

$$\xi_{\min,\varepsilon} := \xi_\varepsilon(n c_{\min}/l) = \frac{(n+l)\ln 2}{s(\varepsilon)\, l\, (1+4\gamma)}\; h'\big(\hat p_{\mathrm{sft},\varepsilon}(c_{\max})\big)\, \sigma(n c_{\min}/l). \tag{48}$$

Here $\hat p_{\mathrm{sft},\varepsilon}(c)$ is defined in equation (28), $\sigma$ in equation (15) and $h'(x) = \log_2 \frac{1-x}{x}$. Also assume that Alice and Bob perform the QKD protocol specified in section 2. Then with the normal approximation applied to $P_{\mathrm{hg}}(c|k)$, $P_{\mathrm{ph}}$ can be bounded as

$$P_{\mathrm{ph}} \le \max_k S_{\mathrm{av}}(k) \le (1+\delta)\,\varepsilon, \tag{49}$$

where

$$\delta := \frac{\sqrt{1 + 2\pi s(\varepsilon)^{-2}}}{\xi_{\min,\varepsilon} - 1}. \tag{50}$$

Note here that none of $c_{\min}$, $\hat p_{\mathrm{sft},\varepsilon}(c_{\max})$ or $\gamma$ depends on $k$ or $c$, which can vary for each run of the protocol; thus $\xi_{\min,\varepsilon}$ can be calculated as a fixed value specified by the protocol. (In other words, $\xi_{\min,\varepsilon}$ is the constant and thus calculated at the preparation stage prior to the protocol.)
Further, as we have done in the previous subsection, if parameters $l$ and $n$ are sufficiently large, we can also obtain a similarly good bound without relying on the normal approximation of $P_{\mathrm{hg}}(c|k)$ (in equation (33)). By using exact upper bounds on $P_{\mathrm{hg}}(c|k)$ including lemma 1, we obtain the following theorem:

Theorem 3. Suppose that $1 \le l \le n$, $s^2 \le c_{\min} \le c_{\max} \le 0.12l$, and $1 < \xi_{\min}$ are satisfied for a given $\varepsilon$. Also assume that Alice and Bob perform the QKD protocol specified in section 2. Then without using the normal approximation of $P_{\mathrm{hg}}(c|k)$, we have

$$P_{\mathrm{ph}} \le \max_k S_{\mathrm{av}}(k) \le P_{\mathrm{ph},\varepsilon}(c_{\min}, \xi_{\min,\varepsilon}), \tag{51}$$

where

r Pph,ε (cmin , ξmin,ε ) := s(ε)2 + 2π 2 r p n +l µ  e ε+ n 1 + 2πs(ε)−2 ξmin,ε − 1 e q µ+ν 1− s(ε) √ cmin  + ε ε, (52)

where $\mu = 1/(6n) + 1/12$, $\nu = 1/(12l) + 1/(2(n+l-1))$.

The proof of this theorem is given in appendix D.

5.3. Second order asymptotics

Now, we roughly estimate the relation between the sacrifice bit length and the upper bound $\max_k S_{\mathrm{av}}(k)$ of the phase error. For this purpose, we focus on the asymptotic expansion for the sacrifice bit. In the protocol discussed in the above, the sacrifice bit length $\alpha(c)$ is $\lceil n h(\hat p_{\mathrm{sft},\varepsilon}(c+1)) \rceil + 2$ with $\hat p_{\mathrm{sft},\varepsilon}(c) = \frac{(n+l)\,\hat p_\varepsilon(c) - l\, p_{\mathrm{smp}}(c)}{n}$ and $\hat p_\varepsilon(c) := \frac{1}{1+4\gamma}\left( p_{\mathrm{smp}} + 2\gamma + 2\sqrt{\gamma \{ p_{\mathrm{smp}}(1 - p_{\mathrm{smp}}) + \gamma \}} \right)$. When the ratio $l/n$ is $t$, we obtain the asymptotic expansion:

$$\lceil n h(\hat p_{\mathrm{sft},\varepsilon}(c+1)) \rceil + 2 = n h\big(p_{\mathrm{smp}}(c_{\min})\big) + \sqrt{n}\, g_t\big(p_{\mathrm{smp}}(c_{\min})\big) + o(\sqrt{n}), \tag{53}$$

where $g_t(x) := h'(x) \sqrt{\frac{x(1-x)(1+t)}{4t}}\; s(\varepsilon)$. When we use only the first term in the above expansion, the upper bound $\max_k S_{\mathrm{av}}(k)$ for the phase error converges to zero or one. The limit value zero or one cannot be used for the approximation for the upper bound $\max_k S_{\mathrm{av}}(k)$ because the real value of the upper bound $\max_k S_{\mathrm{av}}(k)$ takes a value between zero and one, which is different from zero or one.
However, when we use up to the second order $\sqrt{n}$ in the asymptotic expansion of $\alpha(c)$, the upper bound $\max_k S_{\mathrm{av}}(k)$ converges to a value between zero and one. In this case, we can use the limit for the approximation for the upper bound $\max_k S_{\mathrm{av}}(k)$. That is, by using the above asymptotic expansion, the virtual phase error can be bounded in the following way.

Theorem 4. For a given $\varepsilon$, $p_{\min}$ and $p_{\max}$, we choose $c_{\min}$ and $c_{\max}$ as $p_{\min} l$ and $p_{\max} l$, and assume that $l/n = t$. Also suppose that Alice and Bob perform the QKD protocol specified in section 2, except that the sacrifice bit length $\alpha(c)$ is less than $n h(p_{\mathrm{smp}}(c_{\min})) + \sqrt{n}\, g_t(p_{\mathrm{smp}}(c_{\min}))$ for $c \in [c_{\min}, c_{\max}]$. Then, the maximum $P_{\mathrm{ph},n,l}$ of $S_{\mathrm{av}}(k)$ with given $n$ and $t$ can be asymptotically characterized as

$$\lim_{n \to \infty} \max_{l:\, l > tn} P_{\mathrm{ph},n,l} \le \varepsilon. \tag{54}$$

The proof will be given in appendix E.

6. How to use the above formulae to evaluate the security of one's QKD system

In this section we summarize what we have proved so far and then explain how one can use proposition 1 or 2 or theorem 2 or 3 to evaluate the security of one's QKD system.

6.1. Summary of our results

As discussed in section 3, the standard quantitative measure of the security of QKD is the trace distance $\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1$ between the actual state $\rho_{A,E'}$ and the ideal state $\rho_{\mathrm{Ideal}}$, given in (3). Inequalities (9) and (10) claim that this trace distance can be bounded from above by the averaged decoding error probability $P_{\mathrm{ph}}$ of the virtual phase error correction. Throughout this paper, we are interested in bounding $P_{\mathrm{ph}}$ by using Shor–Preskill's formalism.

Also in section 3, we have shown that in order to bound $P_{\mathrm{ph}}$ under an arbitrary attack by Eve, it suffices to bound the probability $\max_k S_{\mathrm{av}}(k)$, with $S_{\mathrm{av}}(k)$ defined in (20) (or equivalently, for all $k$, one needs to bound $S_{\mathrm{av}}(k)$ by a certain value).
Here the function $S_{\mathrm{av}}(k)$ gives an upper bound on the failure probability $S_{\mathrm{pa}}(k,c)$ of the virtual phase error correction, averaged with respect to the hypergeometric distribution $P_{\mathrm{hg}}(c|k)$. Our analyses of sections 4 and 5 are devoted to obtaining an upper bound on $\max_k S_{\mathrm{av}}(k)$.

In section 4, we determined the suitable functional form of the upper bound $\hat p_{\mathrm{sft}}(c)$ on the phase error rate $p_{\mathrm{sft}}(k,c)$ of the sifted key, such that we can achieve high key generation rates and high-level security simultaneously. The function $\hat p_{\mathrm{sft}}(c)$ is used for calculating the sacrifice bit length $\alpha(c)$ of equation (1), i.e. the number of bits that needs to be erased in PA. This problem can be reduced to determining an upper bound on parameter $k$, or equivalently, that on the phase error rate $p_{\mathrm{sft}}(k,c)$ of a sifted key. For this purpose, we derived an upper bound $\hat p_{\mathrm{sft},\varepsilon}(c)$ of equations (27) and (28) on $p_{\mathrm{sft}}(k,c)$, as a function of the measured error rate $p_{\mathrm{smp}}(c) = c/l$ of sample bits. We used here the standard method of interval estimation, and the upper bound $\hat p_{\mathrm{sft},\varepsilon}(c)$ is defined so that, for any value of $k$, the undesired case $p_{\mathrm{sft}}(k,c) > \hat p_{\mathrm{sft},\varepsilon}(c)$ occurs with a probability $\le \varepsilon$ (see equations (21) and (24)).

Then, in section 5, by using this $\hat p_{\mathrm{sft},\varepsilon}(c)$ and the corresponding sacrificed bit length $\alpha(c)$ given in (1), we obtained the upper bounds on $S_{\mathrm{av}}(k)$ that hold for all $k$. By the argument of the paragraph of (20), this means that we have given upper bounds on $P_{\mathrm{ph}}$. For the sake of simplicity, we first gave straightforward bounds in proposition 1 (with the approximated values of the hypergeometric distribution $P_{\mathrm{hg}}(c|k)$) and proposition 2 (without any approximation).
Next we gave the other bounds exploiting the properties of the Gaussian integration, which yield a larger final key length $G$ for sufficiently large $l$, $n$; namely, theorem 2 (with the approximated $P_{\mathrm{hg}}(c|k)$) and theorem 3 (without any approximation).

6.2. How to use the straightforward upper bounds

6.2.1. The straightforward upper bound with the normal approximation (how to use proposition 1).

Here we present how to calculate the secret key length of one's QKD system using the straightforward upper bound on $P_{\mathrm{ph}}$ obtained in proposition 1.

• Preparation steps:
(i) Determine one's desired upper bound $T_{\max}$ on trace distance.
(ii) Calculate the corresponding upper bound on the phase error rate by $P_{\max} = \frac{1}{8}(T_{\max})^2$.
(iii) Let the confidence limit be $\varepsilon = \frac{1}{2} P_{\max}$. Then calculate parameter $s = \Phi^{-1}(\varepsilon)$, as the inverse value of the normal distribution function $\Phi(x)$ (see the definitions of $\Phi(x)$ and $s(\varepsilon)$ given in (22) and (23)).
(iv) Let $D = \lceil 2 - \log_2 P_{\max} \rceil$.
(v) Determine $c_{\min}$ and $c_{\max}$.
(vi) Parameter check. No parameter check is necessary for proposition 1.

Under this setting of parameters, one can guarantee that $P_{\mathrm{ph}} \le \varepsilon + 2^{-D+1} \le P_{\max}$, by applying the normal approximation to $P_{\mathrm{hg}}(c|k)$ and by using proposition 1. Then inequality (10) guarantees that the trace distance is bounded as $\|\rho_{A,E'} - \rho_{\mathrm{Ideal}}\|_1 \le 2\sqrt{2}\sqrt{P_{\max}} = T_{\max}$. (As specified below, we here assume that Alice and Bob use a universal$_2$ hash function family that consists of linear and surjective functions.)

• For each run of the protocol:
(vii) Perform the protocol as specified in section 2. In particular, in the PA step, for the calculation of the length $\alpha(c)$ of (1), use $\hat p_{\mathrm{sft},\varepsilon}(c)$ defined in equations (27) and (28), as well as parameters $s$ and $D$ obtained in the preparation steps above [Footnote 15: Throughout this section, we neglect the deviation of $l$, $n$ from their averages when the bases $x$, $z$ are chosen with a constant probability, and assume that they are constant.]. Then use
a universal$_2$ hash function family that consists of linear and surjective functions, to convert the reconciled key to the secret key.

As noted in section 2, as a result of this protocol, Alice and Bob obtain the final key of length $G = n_{\mathrm{rec}} - \alpha(c)$ with $\alpha(c)$ given in (1) and $n_{\mathrm{rec}}$ being the reconciled key length. If an error correcting code with efficiency $f$ is used, we have $n_{\mathrm{rec}} = n(1 - f h(p_{\mathrm{bit}}))$, with $p_{\mathrm{bit}}$ being the bit error rate of the sifted key. Thus Alice and Bob obtain the final key of length $G$, given in (2).

6.2.2. The straightforward upper bound without any approximation (how to use proposition 2).

By using proposition 2, an exact upper bound on $P_{\mathrm{ph}}$ can be obtained, without relying on the normal approximation of $P_{\mathrm{hg}}(c|k)$. In this case all the steps are the same as those given in section 6.2.1, except for steps (iii) and (vi):

(iii′) Choose the parameter $s$ such that

$$\sqrt{\frac{n+l}{n}}\, \sqrt{\frac{s^2 + 2\pi}{2}}\; e^{\mu}\, \Phi(s) \le \frac{1}{2} P_{\max}$$

is satisfied, where $\mu = 1/(6n) + 1/12$.
(vi′) Parameter check. Check that $54\, s^2 \le l \le n$ and $c_{\max} \le 0.12l$ are satisfied. If not, set $T_{\max}$ smaller and restart from step (i).

As a result of step (iii′), we have $\varepsilon = \Phi(s(\varepsilon)) \le s^{-1} \times \frac{1}{2} P_{\max}$. This means that, for a fixed value of $P_{\max}$, one needs to choose $\varepsilon = \Phi(s(\varepsilon))$ to be smaller than that obtained in section 6.2.1, by a factor of $s^{-1}$. As a result, $s$ also turns out to be larger; one ends up with a smaller final key length. Note, however, that such an increment of $s$ is negligible for sufficiently large $s$ (e.g., for $s > 10$), because $\Phi(s)$ scales as $e^{-\frac{1}{2}s^2}$ and thus a very small increment of $s$ compensates for the factor of $s^{-1}$ in front of $\frac{1}{2} P_{\max}$. Hence the decrement in the final key length is very small. We will demonstrate this fact in the next section by a numerical calculation in section 7.3.

6.3.
How to use the upper bounds by the Gaussian integration (how to use theorems 2 and 3) As mentioned in section 5.2, if parameters l and n are sufficiently large, we can set D = 1 and still obtain similarly tight bounds on Pph as given in theorems 2 and 3; thereby we can improve the final key length G. For these cases too, we summarize how to calculate the secret key length of one’s QKD system. 6.3.1. The Gaussian bound with the normal approximation (how to use the bound of theorem 2). For theorem 2, the preparation steps are modified as follows. • Preparation steps: (i) Determine one’s desired upper bound on trace distance Tmax . (ii) Calculate the corresponding upper bound on the phase error rate by Pmax = 81 (Tmax )2 . (iii) Set the confidence limit ε to be slightly smaller than Pmax . (For example, if l, n are sufficiently large, ε = 0.9Pph is usually sufficient.) Then calculate parameter s = 8−1 (ε), as the inverse value of the normal distribution function 8(x) given in (22). (iv) Let D = 1. New Journal of Physics 14 (2012) 093014 (http://www.njp.org/) 23 (v) Determine cmin and cmax , such that the conditions in the first sentence of theorem 2 are all satisfied. (vi) Parameter check. Check if δ is small enough so that inequality (49) is satisfied. If not, go back to step (iii) and set ε smaller. After these preparation steps, Alice and Bob run the protocol as in the previous sections. That is, they run the protocol as specified in step (vii) of section 6.2.1. 6.3.2. The Gaussian bound without the normal approximation (how to use the bound of theorem 3). As we have done for the case of the straightforward bounds, we also obtained in theorem 3 the exact version of the Gaussian bound that does not rely on the normal approximation of Phg (c|k). This theorem was derived using essentially the same idea as theorem 2 and achieves a similarly tight bound, but does not rely on any approximation. For theorem 3, the preparation steps are the same as theorem 2 (i.e. 
the same as in section 6.3.1), except for steps (v) and (vi): (v00 ) Determine cmin and cmax , such that the conditions in the first sentence of theorem 3 are all satisfied. (vi00 ) Parameter check. Check if δ 0 is small enough so that inequality (52) is satisfied. If not, go back to step (iii) and set ε smaller. After these preparation steps, Alice and Bob run the protocol as in the previous sections. That is, they run the protocol as specified in step (vii) of section 6.2.1. 6.4. Rough estimate of the key rate and the security parameter We note here that if l, n are sufficiently large, parameters γ and δ become sufficiently small, and the approximate evaluation of the key length G of (2) can be greatly simplified. As one can see from steps (i) and (ii) of section 6.3, bounding Pph is enough for the security. If δ is sufficiently small, then according to theorem 2 (or step (iii) of section 6.3), Pph can be bounded approximately by ε, which determines the value of p̂sft,ε (c) via equations (27) and (28). Then as we discussed in the paragraph of equation (29), if γ is sufficiently small, p̂sft,ε (c) = n+l p̂ε (c) − nl ( p)smp (c) can be approximated by using p̂ε (c) ' psmp (c) + sl σbin (c). n As a result, if the conditions of the first sentence of theorem 2 are satisfied for a given set of experimental parameters, and if γ and δ are sufficiently small, one has the following rough estimates. The trace distance is approximately bounded by the square root of ε as √ p ||ρ A,E − ρIdeal || 6 2 2 Pph , Pph 6 (1 + δ)ε ' ε. The parameter s is chosen to be the deviation of the standard deviation, i.e. s = 8−1 (ε). Then this s determines the final key length G as   G ' n 1 − f h( pbit ) − h p̂sft,ε (c) , n +l l p̂ε (c) − psmp (c), n n psmp (c) = c/l, p̂sft,ε (c) = New Journal of Physics 14 (2012) 093014 (http://www.njp.org/) 24 s p̂ε (c) ' psmp (c) + σbin (c) l sp = psmp (c) + lpsmp (c)(1 − psmp (c)). 
l We expect that these relations will be useful for experimentalists and theorists who wish to obtain a rough estimate of the key length with the finite-size effect taken into account. 7. Numerical results We demonstrate the tightness of our bound with numerical results. We consider a quantum channel in the absence of an eavesdropper and assume that it can be described as a binary symmetric channel with quantum bit error rate (QBER). 7.1. Case 1: basis choice with probability q = 1 2 First, as a comparison to the previous literature [3, 5], we plot the key rates for the case when Alice and Bob choose the x and the z bases with equal probability. We present two types of evaluations given in section 6; one is the analysis of section 6.2.2 using the straightforward bound of proposition 2 and the other is that of section 6.3.2 using the Gaussian bound of theorem 3. Note that both these bounds are derived without using the normal approximation; thus all the key generation rates obtained in this subsection are rigorous. We assume that Alice and Bob choose both the phase basis and the bit basis with probability q = 1/2, and thus n = l = N /4. We also assume that Alice and Bob consume r = 40 bits of a previously shared secret key for exchanging the hash value, in order to guarantee that cor 6 10−12 (in the following, these r = 40 bits will be subtracted from the final key length G). Then we choose Pmax to be 0.98 × 81 × 10−20 , so that the trace distance kρ A,E 0 − ρIdeal k1 is √ guaranteed to be less than Tmax = 2 2Pmax = 0.99 × 10−10 . By these choices of parameters, we can guarantee that Tmax + cor 6 10−10 , which is the same condition as that used in [5]. Because r = 40 bits are consumed for guaranteeing that Alice’s and Bob’s final keys are equal, the effective final key length is G(c) − r , with G(c) defined in (2). Hence in this section, we define the final key rate to be G(c) − r n    1 = n (1 − f h(c/l)) − nh p̂sft,ε (max{c, cmin } + 2) − (D + r ) . 
n R(c) := (55) The efficiency of bit error correction is chosen to be f = 1.1. 7.1.1. The straightforward bound. With the above choices of parameters, we perform the analysis of section 6.2.2, and obtain the corresponding final key rate R. Here we restrict ourselves to the case when parameters l, n satisfy 125 6 l = n. Parameters Pmax and Tmax are already specified above. As to parameter s, we follow step (iii0 ) and let s = 9.9, so that r r √ n + l s 2 + 2π µ 1 e 8(s) 6 s 2 + 2π e1/4 8(s) 6 1.1 × 10−22 6 Pmax . n 2 2 New Journal of Physics 14 (2012) 093014 (http://www.njp.org/) 25 R 1.0 QBER=1% 0.8 QBER=2.5% 0.6 QBER=5% 0.4 0.2 1000 104 105 106 107 n l Figure 1. Key generation rate R = (G − r )/n versus n + l, which is the sum of lengths of a sifted key and sample bits. Here we assume that x and the z bases are chosen with equal probability, i.e. q = 21 . The typical QBER are chosen to be 1% (red), 2.5% (blue) and 5% (black). As to the security, we set r = 40 and Pmax < 0.98 × 18 × 10−20 , so that Tmax + corr 6 10−10 . That is, the sum of the trace distance and cor is less than 10−10 . We have used two types of analysis to achieve this value of Pmax : the bold curves represent the key rates based on the straightforward bound given in proposition 2 and section 6.2.2. The thin curves are based on the Gaussian bound given in theorem 3 and section 6.3.2. We stress that these curves are obtained without using the normal approximation. Dots of the same color are the rates obtained in figure 2 of [5]. According to step (iv), we choose D = d2 − log2 Pmax e = 79; next, according to step (v), cmin = 0.01l and cmax = 0.12l. It is easy to verify that all these parameters are compatible with the parameter checks of step (vi0 ). Then we assume that Alice and Bob perform the BB84 protocol (i.e. step (vii)), in the quantum channels with QBER = 1, 2.5 and 5%. The corresponding key rates R(c) (with c = l × QBER) are shown by bold curves in figure 1, versus n + l. 7.1.2. 
The Gaussian bound. For the same choice of parameters q, r, Pmax , D and for the same ratio of cmax = 0.12l with respect to l, we perform the analysis of section 6.3.2. The remaining parameters to be fixed are s and cmin ; hence, we here numerically calculate the pairs of s and cmin that give the best key rate R(c). That is, we first fix l and n and then search for the pair of s and cmin that is compatible with the parameter check and gives the largest R(c). (This corresponds to repeating steps (iii) through (vi0 ) of section 6.3.2, by letting ε be smaller each time, until the largest key length G(c) is obtained.) The results are shown by thin curves in figure 1. New Journal of Physics 14 (2012) 093014 (http://www.njp.org/) 26 F 1.0 0.8 QBER=1% 0.6 0.4 QBER=2.5% 0.2 QBER=5% 104 1000 105 106 107 N Figure 2. Secret fraction F = (G − r )/N versus raw key length N . Here we assume that Alice and Bob choose the x and the z bases with varying probabilities q, 1 − q. The probability q and the minimum errors cmin are also optimized to give maximum F. The typical QBER are chosen to be 1% (red), 2.5% (blue) and 5% (black). Parameters Pph , cor are chosen to be the same as those in figure 1, so that Tmax + corr 6 10−10 is satisfied. As one can see from figure 1, if QBER = 5%, the Gaussian bound gives a better key rate than the straightforward bound for all l, n. In contrast, for smaller QBER (1 and 2.5%), the straightforward bound becomes better for l, n ' 5000. The dots in figure 1 represent the key rates obtained by Tomamichel et al [5] under the same condition. It can be clearly seen that our key rates R are better in all parameter regions. For example, figure 1 gives R = 0.19 for QBER = 5% and n + l = 104 , while Tomamichel et al [5] gave R = 0 in this region. As n + l becomes larger, R converge very fast to the asymptotic values; all three curves reach more than 80% of the asymptotic values at n + l = 2 × 105 . 
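The rough estimate of section 6.4, evaluated with the parameter choices of section 7.1 ($f = 1.1$, $T_{\max} = 0.99 \times 10^{-10}$, $n = l$), as an added example that is not the authors' code. It assumes that $\Phi$ is the upper-tail normal probability (which reproduces the pair $s = 10.5$, $\varepsilon = 4.32 \times 10^{-26}$ quoted in section 7.2), takes $\varepsilon = P_{\max}$, and caps the estimated phase error rate at 1/2; all function and field names are the example's own. Because it neglects $D$, $r$, $\gamma$ and $\delta$, it does not reproduce the rigorous curves of figure 1.

```python
import math
from statistics import NormalDist
from typing import NamedTuple


def upper_tail(x: float) -> float:
    """Phi(x), assumed here to be P[N(0,1) > x] (upper-tail convention)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def upper_tail_inv(eps: float) -> float:
    """s = Phi^{-1}(eps): number of standard deviations whose tail mass is eps."""
    if not 0.0 < eps < 0.5:
        raise ValueError("eps must lie in (0, 1/2)")
    return -NormalDist().inv_cdf(eps)


def binary_entropy(p: float) -> float:
    """h(p) in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


class RoughEstimate(NamedTuple):
    eps: float         # confidence limit, taken equal to P_max
    s: float           # Phi^{-1}(eps)
    p_smp: float       # observed sample error rate c / l
    p_hat_eps: float   # upper confidence estimate of the total error rate
    p_hat_sft: float   # estimated phase error rate of the sifted key
    key_length: int    # G, clamped at zero
    rate: float        # G / n


def rough_key_length(n: int, l: int, c: int, p_bit: float,
                     f: float, t_max: float) -> RoughEstimate:
    """Rough final key length G of section 6.4.

    n: sifted key length, l: number of sample bits, c: errors seen in the
    sample, p_bit: bit error rate of the sifted key, f: error correction
    efficiency, t_max: target bound on the trace distance.
    """
    if n <= 0 or l <= 0 or not 0 <= c <= l:
        raise ValueError("need n > 0, l > 0 and 0 <= c <= l")
    eps = t_max ** 2 / 8.0                 # P_max = T_max^2 / 8, eps ~ P_max
    s = upper_tail_inv(eps)
    p_smp = c / l
    sigma_bin = math.sqrt(l * p_smp * (1.0 - p_smp))
    p_hat_eps = p_smp + s * sigma_bin / l
    p_hat_sft = (n + l) / n * p_hat_eps - l / n * p_smp
    # Assumption of this example: h is increasing only up to 1/2, so cap there.
    p_hat_sft = min(p_hat_sft, 0.5)
    g = n * (1.0 - f * binary_entropy(p_bit) - binary_entropy(p_hat_sft))
    key_length = max(0, math.floor(g))
    return RoughEstimate(eps, s, p_smp, p_hat_eps, p_hat_sft,
                         key_length, key_length / n)


def asymptotic_rate(qber: float, f: float) -> float:
    """Limit of G / n for n, l -> infinity at a fixed error rate."""
    return 1.0 - f * binary_entropy(qber) - binary_entropy(qber)


if __name__ == "__main__":
    F_EC, T_MAX = 1.1, 0.99e-10            # values used in section 7.1
    for qber in (0.01, 0.025, 0.05):
        print(f"QBER = {qber:.3f}, asymptotic rate = "
              f"{asymptotic_rate(qber, F_EC):.4f}")
        for n in (10 ** 3, 10 ** 4, 10 ** 5, 10 ** 6):
            est = rough_key_length(n, n, round(qber * n), qber, F_EC, T_MAX)
            print(f"  n = l = {n:>7d}  s = {est.s:.3f}  "
                  f"p_hat_sft = {est.p_hat_sft:.5f}  G/n = {est.rate:.4f}")
```

The penalty term $\frac{n+l}{n}\frac{s}{l}\sigma_{\rm bin}(c)$ shrinks as $1/\sqrt{l}$, which is why the estimated rate is zero for very short keys and approaches the asymptotic value as $n$ and $l$ grow.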
In particular, as the key size becomes larger, $R$ converges very fast to the asymptotic values, reaching more than 80% of the asymptotic values at $n + l = 2 \times 10^5$. As we have noted in section 2, key distillation is quite practical even in this region. That is, the sizes of bit error correcting codes are independent of security, and thus Alice and Bob may perform bit error correction by dividing a sifted key of $n$ bits into arbitrarily smaller blocks. As to PA, one can use the efficient algorithm for the multiplication of the (modified) Toeplitz matrix and a vector.

7.2. Case 2: optimized basis choice with variable probability $q$

Next, as a more practical setting, we consider the case when Alice and Bob choose the $x$ and the $z$ bases with varying probabilities $q, 1 - q$ (thus, $l = q^2 N$, $n = (1 - q)^2 N$). Then we maximize the secret fraction $F$, defined by
$$F(c) = \frac{G(c) - r}{N} = \frac{1}{N}\left[ n\left(1 - f h(c/l)\right) - n h\!\left(\hat p_{{\rm sft},\varepsilon}(\max\{c, c_{\min}\} + 2)\right) - (D + r) \right] \qquad (56)$$
with respect to a fixed raw key length $N$, where $G$ denotes the final key length. We use the analysis of section 6.3.2 based on the Gaussian bound of theorem 3 (without any approximation); hence again, all the final key rates obtained in this subsection are rigorous.

Figure 3. Solid curve: the same curve as the solid curve in figure 1 with QBER = 1%. This curve is obtained by using proposition 2 without any approximation. Dashed curve: the final key rate $R(c)$ obtained for the same values of QBER, $P_{\max}, r, l, n$, using the straightforward bounds of proposition 1; hence, this curve is obtained using the normal approximation. Note that the two curves are almost identical.

We choose parameters $P_{\max}$, $\varepsilon_{\rm cor}$ to be the same as those in the previous subsection. According to step (iii), we let $s(\varepsilon) = 10.5$ so that $\varepsilon = 4.32 \times 10^{-26} \ll P_{\max}$. The channel error rates are chosen to be QBER = 1, 2.5 and 5%, respectively.
Under these settings, for each fixed value of $N$, we performed numerical simulations to select the optimal values of $q$ and $c_{\min}$ that give the maximum value of $F(c)$. That is, we first fix $N$ and then search for the pair of $q$ and $c_{\min}$ that is compatible with the parameter check of step (vi″) and gives the largest $F(c)$. The results are shown in figure 2.

7.3. Exact bounds versus approximate bounds

All the key rates of the previous two subsections are rigorous, in the sense that they are obtained without using any approximation. In this final subsection, we demonstrate that, for practical parameter regions, the key rates are almost the same, whether one uses the analysis based on the normal approximation (i.e. proposition 1 and theorem 2) or those without any approximation (i.e. proposition 2 and theorem 3).

Figure 4. Solid curve: the same curve as the thin curve in figure 1 with QBER = 5%. This curve is obtained by using theorem 3 without using any approximation. Dashed curve: the final key rate $R(c)$ obtained for the same values of QBER, $P_{\max}, r, l, n$, using the straightforward bounds of theorem 2; hence, this curve is obtained using the normal approximation. Note again that the two curves are almost identical.

In figure 3, the solid curve shows $R(c)$ obtained in section 7.1.1 with QBER = 1%. On the other hand, the dashed curve in the same figure is the key rate $R(c)$ obtained for the same values of QBER and $P_{\max}, r, l, n$ by the procedure of section 6.2.1; hence this curve is obtained by using proposition 1 and thus relies on the normal approximation of $P_{\rm hg}$. Similarly in figure 4, the solid curve shows $F(c)$ obtained in section 7.1.2 with QBER = 5%, whereas the dashed curve is obtained by using theorem 2, which relies on the normal approximation (here we performed the optimization of $s$ and $c_{\min}$).
Note that for both these cases, the exact key rate and the approximate key rate are almost identical. These results suggest that the simple analysis using the normal approximation (i.e. proposition 1 or theorem 2) can be justified for the security evaluations of practical QKD systems.

8. Summary

In this paper, we have presented a concise analysis of the BB84 protocol that takes the finite key effect into account and yields better key generation rates, with and without relying on the normal approximation. Our results are indeed an improvement on the preceding literature; as we have shown in figure 1, our analysis gives better key generation rates $R$ in practical settings than those in [3, 5].

For the convenience of experimentalists who wish to evaluate the security of their QKD systems, we included explicit procedures of security evaluation in sections 3 and 6. In particular, in addition to presenting the exact values of key rates and security parameters, we also presented how to obtain their rough estimates using the normal approximation.

For the sake of simplicity, we restricted ourselves to the simple case when Alice has a perfect single photon source. On the other hand, in order to achieve a long communication distance by a practical QKD system using a weak coherent light source, decoy pulses are necessary [30]. This situation was analyzed by one of the authors [2], relying on the normal approximation. A thorough and exact analysis in this direction without any approximation remains the topic for a future work.

Acknowledgments

The authors thank Ryutaroh Matsumoto for valuable comments. MH is partially supported by MEXT Grant-in-Aid for Young Scientists (A) no. 20686026 and Grant-in-Aid for Scientific Research (A) no. 23246071. The Center for Quantum Technologies is funded by the Singapore Ministry of Education and the National Research Foundation as part of the Research Centres of Excellence program.
MH and TT are partially supported by the National Institute of Information and Communication Technology (NICT), Japan.

Appendix A. Justification for restricting the argument to the generalized Pauli channel

The generalized Pauli channel is defined to be a channel where the phase error and the bit errors occur stochastically (i.e. with a classical probability). It is easy to see that, in this setting, the virtual phase error probability $P_{\rm ph}$ after the PA, mentioned in the main text, can clearly be defined. In [2], it is shown that the trace distance can be bounded from above by using $P_{\rm ph}$. Here we demonstrate that, without loss of generality, this argument can be extended to the case when the quantum channel $\Lambda$ between Alice and Bob is arbitrary and general.

First, we consider the discrete twirling. For $n$-bit sequences $x = (x_1, \ldots, x_n)$ and $z = (z_1, \ldots, z_n)$, define the unitary matrix
$$U(x, z) := (X^{x_1} \otimes X^{x_2} \otimes \cdots \otimes X^{x_n})(Z^{z_1} \otimes Z^{z_2} \otimes \cdots \otimes Z^{z_n}),$$
where $X$ is the bit flip operator and $Z$ the phase flip operator. Then, the discrete twirling of $\Lambda$ is defined as $\bar\Lambda := \sum_{\mathbf z} 2^{-2n} \Lambda_{\mathbf z}$, where $\mathbf z = (x, z)$ and
$$\Lambda_{x,z}(\rho) := U(x, z)\,\Lambda\!\left(U(x, z)\rho\,U(x, z)^\dagger\right) U(x, z)^\dagger.$$
In this paper, we treat the phase error and the bit error of the channel $\bar\Lambda$ for the following reason.

Now, we denote the final state and the ideal state with the public information $y$ by $\rho_{A,E'|y}(\Lambda)$ and $\rho_{{\rm Ideal}|y}(\Lambda)$ when the channel between Alice and Bob is $\Lambda$. Hence, our security criterion is $\sum_y P_{\rm pub}(y)\|\rho_{A,E'|y}(\Lambda) - \rho_{{\rm Ideal}|y}(\Lambda)\|_1$. Indeed, the distribution $P_{\rm pub}(y)$ depends on the channel $\Lambda$ in general; however, it does not change even if the channel is replaced by $\Lambda_{\mathbf z}$ because the initial random variable is uniform and the hash function and error correction are linear. Also for the same reason, we have $\|\rho_{A,E'|y}(\Lambda) - \rho_{{\rm Ideal}|y}(\Lambda)\|_1 = \|\rho_{A,E'|y}(\Lambda_{\mathbf z}) - \rho_{{\rm Ideal}|y}(\Lambda_{\mathbf z})\|_1$. The states $\sum_{\mathbf z} 2^{-2n} \rho_{A,E'|y}(\Lambda_{\mathbf z}) \otimes |\mathbf z\rangle\langle \mathbf z|$ and $\sum_{\mathbf z} 2^{-2n} \rho_{{\rm Ideal}|y}(\Lambda_{\mathbf z}) \otimes |\mathbf z\rangle\langle \mathbf z|$ can be regarded as the states $\rho_{A,E'|y}(\bar\Lambda)$ and $\rho_{{\rm Ideal}|y}(\bar\Lambda)$ because the classical information $\mathbf z$ can be treated as a part of Eve's system with the channel $\bar\Lambda$. Hence,
$$\sum_y P_{\rm pub}(y)\|\rho_{A,E'|y}(\Lambda) - \rho_{{\rm Ideal}|y}(\Lambda)\|_1$$
$$= \sum_{\mathbf z} 2^{-2n} \sum_y P_{\rm pub}(y)\left\|\rho_{A,E'|y}(\Lambda_{\mathbf z}) \otimes |\mathbf z\rangle\langle \mathbf z| - \rho_{{\rm Ideal}|y}(\Lambda_{\mathbf z}) \otimes |\mathbf z\rangle\langle \mathbf z|\right\|_1$$
$$= \sum_y P_{\rm pub}(y)\left\|\sum_{\mathbf z} 2^{-2n} \rho_{A,E'|y}(\Lambda_{\mathbf z}) \otimes |\mathbf z\rangle\langle \mathbf z| - \sum_{\mathbf z} 2^{-2n} \rho_{{\rm Ideal}|y}(\Lambda_{\mathbf z}) \otimes |\mathbf z\rangle\langle \mathbf z|\right\|_1$$
$$= \sum_y P_{\rm pub}(y)\|\rho_{A,E'|y}(\bar\Lambda) - \rho_{{\rm Ideal}|y}(\bar\Lambda)\|_1.$$
Therefore, it is enough to consider the case when the channel is $\bar\Lambda$ even if the channel $\Lambda$ used is not a Pauli channel.

Now, we define $\rho_{A,E',Z|m}(\Lambda) := \sum_{\mathbf z} 2^{-2n} \rho_{A,E'|m}(\Lambda_{\mathbf z}) \otimes |\mathbf z\rangle\langle \mathbf z|$. Since the average of the output state of the channel $\Lambda_{\mathbf z}$ coincides with that of the channel $\bar\Lambda$, the composite system $E'$ and $Z$ of the state $\rho_{A,E',Z|m}(\Lambda)$ is included in the system $E'$ of the state $\rho_{A,E'|m}(\bar\Lambda)$. This fact implies that $I_{\rho_{A,E',Z|m}(\Lambda)}(A : E', Z) \le I_{\rho_{A,E'|m}(\bar\Lambda)}(A : E')$. Using these relations, we obtain
$$\sum_m P_{\rm len}(m) I_{\rho_{A,E'|m}(\Lambda)}(A : E') = \sum_{\mathbf z} 2^{-2n} \sum_m P_{\rm len}(m) I_{\rho_{A,E'|m}(\Lambda_{\mathbf z})}(A : E')$$
$$= \sum_m P_{\rm len}(m) I_{\rho_{A,E',Z|m}(\Lambda)}(A : E', Z)$$
$$\le \sum_m P_{\rm len}(m) I_{\rho_{A,E'|m}(\bar\Lambda)}(A : E').$$
Therefore, again, it is enough to consider the case when the channel is $\bar\Lambda$ even if the used channel $\Lambda$ is not a Pauli channel.

Appendix B. Proof of lemma 1

In order to prove this lemma, we introduce several new lemmas. In the first part, i.e., section B.1, we derive exact upper bounds on $P_{\rm hg}(c|k)$ given in terms of $l$ or $s(\varepsilon)$. Then in section B.2 we show that those upper bounds can also be bounded by $\varepsilon = \Phi^{-1}(s(\varepsilon))$. Finally, in section B.3, using the obtained results, we prove lemma 1.

B.1. Upper bounds on sums of $P_{\rm hg}(c|k)$

Lemma 2. If $l \le n$ and $\frac{1}{n+l} \le \frac{k}{n+l} \le \frac{1}{2}$,
$$\sum_{i=0}^{c} P_{\rm hg}(i|k) \le D_{n,l,k}(c), \qquad (B.1)$$
where
$$D_{n,l,k}(c) := \sqrt{\frac{n(n+l-k)k}{(n+l)(n-k+c)(k-c)}}\; e^{\mu}\, 2^{\,n h\left(\frac{k-c}{n}\right) - (n+l) h\left(\frac{k}{n+l}\right) + l h\left(\frac{c}{l}\right)}, \qquad (B.2)$$
$$\mu := \frac{1}{6n} + \frac{1}{12}. \qquad (B.3)$$

Proof. By using Stirling's formula
$$n! = \sqrt{2\pi n}\left(\frac{n}{e}\right)^{n} e^{\lambda_n} \quad \text{with} \quad \frac{1}{12n+1} < \lambda_n < \frac{1}{12n}, \qquad (B.4)$$
we have
$$\frac{\binom{n}{k-c}}{\binom{n+l}{k}} = \sqrt{\frac{n(n+l-k)k}{(n+l)(n-k+c)(k-c)}}\; e^{\mu'}\, 2^{\,n h\left(\frac{k-c}{n}\right) - (n+l) h\left(\frac{k}{n+l}\right)}, \qquad (B.5)$$
where
$$\mu' := \lambda_n - \lambda_{n-k+c} - \lambda_{k-c} - \lambda_{n+l} + \lambda_{n+l-k} + \lambda_k < \lambda_n + \lambda_{n+l-k} + \lambda_k < \frac{1}{6n} + \frac{1}{12}$$
for $\frac{1}{n+l} \le \frac{k}{n+l} \le \frac{1}{2}$ and $l \le n$. Combining (B.5) with $\sum_{i=0}^{c} \binom{l}{i} \le 2^{\,l h\left(\frac{c}{l}\right)}$ (see, e.g., lemma 4.2.2 of [31]), we obtain (B.1). □

Lemma 3. For $l \le n$, $c \le \bar c(k)$ and $\frac{k}{n+l} < \frac{1}{2}$,
$$n h\!\left(\frac{k-c}{n}\right) - (n+l) h\!\left(\frac{k}{n+l}\right) + l h\!\left(\frac{c}{l}\right) \le -\frac{1}{2\ln 2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}. \qquad (B.6)$$

Proof. Since $h'''(x)$ decreases monotonically, we have
$$h(x) \le h(x_0) + h'(x_0)(x - x_0) + \frac{1}{2}h''(x_0)(x - x_0)^2 + \frac{1}{6}h'''(x_0)(x - x_0)^3. \qquad (B.7)$$
(Let $\tilde h(x)$ be the lhs minus the rhs. It is easy to verify that $\tilde h(x_0) = \tilde h'(x_0) = \tilde h''(x_0) = \tilde h'''(x_0) = 0$ and that $\tilde h'''(x) = h'''(x) - h'''(x_0)$ is a decreasing function. Then by integrating $\tilde h'''(x)$ three times, one can show that $\tilde h(x) \le 0$.) Applying inequality (B.7) for $x_0 = \frac{k}{n+l}$ and $x = \frac{k-c}{n}$, and also for $x = \frac{c}{l}$, we have
$$n h\!\left(\frac{k-c}{n}\right) - (n+l) h\!\left(\frac{k}{n+l}\right) + l h\!\left(\frac{c}{l}\right) \le \frac{1}{2} h''\!\left(\frac{k}{n+l}\right)\frac{n+l}{nl}(c - \bar c(k))^2 + \frac{1}{6} h'''\!\left(\frac{k}{n+l}\right)\left(\frac{1}{n^2} - \frac{1}{l^2}\right)(\bar c(k) - c)^3. \qquad (B.8)$$
Since $h'''\!\left(\frac{k}{n+l}\right)$, $\bar c(k) - c$, and $n - l$ are all non-negative by the conditions stated in the lemma, the second term on the rhs is non-positive. Then by noting
$$\frac{1}{2}\,\frac{n+l}{nl}\, h''\!\left(\frac{k}{n+l}\right) = -\frac{1}{2(\ln 2)\sigma(k)^2}\,\frac{n+l}{n+l-1} \le -\frac{1}{2(\ln 2)\sigma(k)^2},$$
we have inequality (B.6). □

Lemma 4. If $c \le \bar c(k)$, we have
$$\sqrt{\frac{n(n+l-k)k}{(n+l)(n-k+c)(k-c)}} \le \sqrt{\frac{n+l}{n}}. \qquad (B.9)$$

Proof. Let
$$C(n, l, k, c) := \frac{n^2(n+l-k)k}{(n+l)^2(n-k+c)(k-c)}.$$
Then it suffices to show that $C \le 1$ for $0 \le c \le \bar c(k)$. The function $f(k, c) := (n-k+c)(k-c)$ inside the square root is a concave parabola with its vertex at $c = k - \frac{n}{2}$.
This means that $f(k, c) \ge \min\{f(k, \bar c(k)), f(k, 0)\}$, and thus $C(n, l, k, c) \le \max\{C(n, l, k, \bar c(k)), C(n, l, k, 0)\}$. Then it is straightforward to verify that $C(n, l, k, \bar c(k)) = 1$ and $C(n, l, k, 0) \le 1$. □

Lemma 5. If $l \le n$, $1 \le k$, $c \le \bar c(k)$ and $\frac{k}{n+l} \le \frac{1}{2}$, we have
$$\sum_{i=0}^{c} P_{\rm hg}(i|k) \le \sqrt{\frac{n+l}{n}}\; e^{\mu} \exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right]. \qquad (B.10)$$

Proof. Combine lemmas 2–4. □

Lemma 6. If $0 \le t$, $\bar c(k) - lt \le l/2$ and $\frac{k}{n+l} \le \frac{1}{2}$,
$$\sum_{c=0}^{\bar c(k) - lt} P_{\rm hg}(c|k) \le \exp\!\left[\frac{l t^2}{2} h''\!\left(\frac{k}{n+l}\right)\right]. \qquad (B.11)$$

Proof. According to [17],
$$\sum_{i=0}^{\bar c(k) - lt} P_{\rm hg}(i|k) \le \left(\left(\frac{p}{p-t}\right)^{p-t}\left(\frac{1-p}{1-(p-t)}\right)^{1-(p-t)}\right)^{l} = 2^{\,l[h(p-t) - h(p) + t h'(p)]}, \qquad (B.12)$$
where $p = \frac{\bar c(k)}{l} = \frac{k}{n+l}$. Since $h''(x)$ increases monotonically for $p - t \le x \le p \le 1/2$, we have
$$h(p-t) \le h(p) + (-t)h'(p) + \frac{(-t)^2}{2}h''(p).$$
That is,
$$l[h(p-t) - h(p) + t h'(p)] \le \frac{l t^2}{2}h''(p).$$
□

B.2. Upper and lower bounds on $\Phi(x)$

Lemma 7. The normal distribution function, defined in (22), is bounded as
$$\frac{\sqrt{2}}{\sqrt{x^2 + 2\pi}}\, e^{-x^2/2} \le \Phi(x) \le \frac{\sqrt{2}}{x}\, e^{-x^2/2}. \qquad (B.13)$$

Proof. According to [16], the function $\Phi(x)$ satisfies
$$\tilde g_\pi(x)\, e^{-x^2/2} \le \Phi(x) \le \tilde g_4(x)\, e^{-x^2/2}, \qquad (B.14)$$
where
$$\tilde g_k(x) := \frac{\sqrt{2}\,k}{(k-1)x + \sqrt{x^2 + 2k}}. \qquad (B.15)$$
Then it is straightforward to show that for $k, x > 0$,
$$\frac{\sqrt{2}}{\sqrt{x^2 + 2k}} \le \tilde g_k(x) \le \frac{\sqrt{2}}{x}. \qquad (B.16)$$
Combining (B.14) and (B.16), we obtain the lemma. □

Lemma 8. If $\varepsilon = \Phi(s)$, and $2 \le s$,
$$e^{-s^2} \le \frac{\varepsilon}{2}. \qquad (B.17)$$

Proof. From lemma 7,
$$e^{-s^2} \le e^{-s^2/2}\,\frac{\sqrt{s^2 + 2\pi}}{\sqrt{2}}\,\Phi(s) = \sqrt{\frac{(s^2 + 2\pi)e^{-s^2}}{2}}\;\varepsilon.$$
Then by noting $\frac{(s^2 + 2\pi)e^{-s^2}}{2} \le \frac{1}{4}$ for $2 \le s$, we obtain the lemma. □

B.3. Proof of lemma 1

If $k/(n+l) \le \frac{1}{2}$, by combining lemmas 5 and 7, we obtain
$$\sum_{c=0}^{\lfloor \bar c - s\sigma \rfloor} P_{\rm hg}(c|k) \le \sqrt{\frac{n+l}{n}}\sqrt{\frac{s^2 + 2\pi}{2}}\; e^{\mu}\, \varepsilon.$$
On the other hand, if $k/(n+l) > \frac{1}{2}$, by lemma 6, we have
$$\sum_{c=0}^{c_{\max}} P_{\rm hg}(c|k) \le \sum_{c=0}^{c_{\max}} P_{\rm hg}(c|(n+l)/2) \le \exp\!\left[\frac{(1/2 - 0.12)^2\, l}{2} h''(1/2)\right] \le e^{-\frac{2}{5}l} \le e^{-\frac{s^2}{2}}. \qquad (B.18)$$
Then by using lemma 7, we have
$$\sum_{c=0}^{c_{\max}} P_{\rm hg}(c|k) < e^{-\frac{1}{2}s^2} \le \sqrt{\frac{s^2 + 2\pi}{2}}\;\varepsilon. \qquad (B.19)$$

Appendix C. Proof of theorem 1

C.1. Proof of Case 1

Since $p_{\rm sft}(k, c) = \frac{k-c}{n} \le \frac{k}{n} \le \frac{c_{\min}}{l} = p_{\rm smp}(c_{\min})$, we have for arbitrary $c \in [0, l]$,
$$g(k, c) = n h\!\left(p_{\rm sft}(k, c)\right) - n h\!\left(\hat p_{{\rm sft},\varepsilon}(\max\{c + 2, c_{\min}\})\right) - D \le n h\!\left(p_{\rm smp}(c_{\min})\right) - n h\!\left(\hat p_{{\rm sft},\varepsilon}(c_{\min})\right) - D.$$
Further, from the concavity of $h(x)$ and from the monotonicity of $h'(x)$,
$$g(k, c) \le n h'(\hat p_{{\rm sft},\varepsilon}(c_{\min}))\left[p_{\rm smp}(c_{\min}) - \hat p_{{\rm sft},\varepsilon}(c_{\min})\right] \le n h'(\hat p_{{\rm sft},\varepsilon}(c_{\max}))\left[p_{\rm smp}(c_{\min}) - \hat p_{{\rm sft},\varepsilon}(c_{\min})\right].$$
Then by using equation (28) and by noting that $(p_{\rm smp} - \hat p_\varepsilon)^2 = 4\gamma\,\hat p_\varepsilon(1 - \hat p_\varepsilon)$ (see below equation (26)),
$$g(k, c) \le -(n+l) h'(\hat p_{{\rm sft},\varepsilon}(c_{\max}))\left[\hat p_\varepsilon(c_{\min}) - p_{\rm smp}(c_{\min})\right] - D$$
$$= -(n+l) h'(\hat p_{{\rm sft},\varepsilon}(c_{\max}))\sqrt{4\gamma\,\hat p_\varepsilon(c_{\min})(1 - \hat p_\varepsilon(c_{\min}))} - D$$
$$= -(1 + 4\gamma)s(\varepsilon)\beta\,\sigma\!\left((n+l)\hat p_\varepsilon(c_{\min})\right) - D$$
$$\le -\frac{\xi_{\min,\varepsilon}}{\ln 2}s(\varepsilon)^2 - D.$$
The last inequality follows by noting that $n c_{\min}/l \le (n+l)\hat p_\varepsilon(c_{\min}) \le (n+l)\hat p_\varepsilon(c_{\max})$, and thus $-\sigma((n+l)\hat p_\varepsilon(c_{\max})) \le -\sigma(n c_{\min}/l)$. Then by using lemma 8, we have for $1 < \xi_{\min,\varepsilon}$ and $D = 1$,
$$S_{\rm pa}(k, c) \le 2^{[g(k,c)]_{-} + 1} \le 2 e^{-\xi_{\min,\varepsilon} s(\varepsilon)^2} < \varepsilon.$$
□

C.2. Proof of Case 2

This part is immediate from the following lemma.

Lemma 9. Suppose that $1 \le l \le n$, $4\gamma \le 1$. Then, for any integer $k$, any real number $\varepsilon > 0$ and any $c \in [\bar c(k) - s(\varepsilon)\sigma(k), c_{\max}]$, we have
$$g(k, c) \le -\beta\left(c - (\bar c(k) - s(\varepsilon)\sigma(k)) + 1\right) - D, \qquad (C.1)$$
with $\beta$ defined in (39).

Proof. With $h(x)$ being concave, and with $\hat p_{{\rm sft},\varepsilon}(c)$ increasing monotonically,
$$g(k, c) \le -n h'(\hat p_{{\rm sft},\varepsilon}(c + 2))\left[\hat p_{{\rm sft},\varepsilon}(c + 2) - p_{\rm sft}(k, c)\right] - D \le -n h'(\hat p_{{\rm sft},\varepsilon}(c_{\max} + 2))\left[\hat p_{{\rm sft},\varepsilon}(c + 2) - p_{\rm sft}(k, c)\right] - D.$$
The quantity $\hat p_{{\rm sft},\varepsilon}(c + 2) - p_{\rm sft}(k, c)$ on the rhs can be bounded as follows. First note that $\hat p_{{\rm sft},\varepsilon}(\bar c - s\sigma) - p_{\rm sft}(k, \bar c - s\sigma) = 0$ by the definition of $\hat p_{{\rm sft},\varepsilon}(c)$, given in (27) and (28). Also by the definition of $\hat p_{{\rm sft},\varepsilon}(c)$, we have that $\frac{d\hat p_{{\rm sft},\varepsilon}}{dc} \ge \frac{1}{1+4\gamma}\frac{n+l}{nl} - \frac{1}{n}$, and that $\frac{\partial p_{\rm sft}}{\partial c} = -\frac{1}{n}$ by the definition of $p_{\rm sft}(k, c)$; hence $\frac{\partial}{\partial c}(\hat p_{{\rm sft},\varepsilon} - p_{\rm sft}) \ge \frac{1}{1+4\gamma}\frac{n+l}{nl}$. Thus $\hat p_{{\rm sft},\varepsilon}(\bar c - s\sigma + 2) - p_{\rm sft}(k, \bar c - s\sigma + 2) \ge \frac{2}{1+4\gamma}\frac{n+l}{nl}$. Then for $\bar c(k) - s(\varepsilon)\sigma(k) \le c$, we have (equations (C.2)–(C.5))
$$\hat p_{{\rm sft},\varepsilon}(c + 2) - p_{\rm sft}(k, c) = \left(\hat p_{{\rm sft},\varepsilon}(c + 2) - p_{\rm sft}(k, c + 2)\right) + \left(p_{\rm sft}(k, c + 2) - p_{\rm sft}(k, c)\right)$$
$$\ge \frac{1}{1+4\gamma}\frac{n+l}{nl}\left(c - (\bar c - s\sigma) + 2\right) - \frac{2}{n}$$
$$\ge \frac{1}{1+4\gamma}\frac{n+l}{nl}\left(c - (\bar c - s\sigma) + 1\right).$$
□

Plugging this upper bound on $g(k, c)$ (for $D = 1$) into $S_{\rm pa}(k, c)$ (given in (16) and (17)), we obtain Case 2 of theorem 1.

Appendix D. Proof of theorem 3

Next we prove theorem 3 starting from theorem 1. In the following, $s(\varepsilon)$ is simplified to $s$. Under the conditions of Case 1 of theorem 1, inequality (37) holds independently of the normal approximation, and thus we readily see that (52) holds.

Lemma 10. If $1 \le l \le n$, $1 \le k$, $c \le \bar c(k)$ and $\frac{k}{n+l} \le 1/2$, we have
$$P_{\rm hg}(c|k) \le \frac{e^{\mu+\nu}}{\sqrt{2\pi}\,\sigma((n+l)c/l)} \exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right], \qquad (D.1)$$
with $\mu$ defined in (B.3), and
$$\nu := \frac{1}{12l} + \frac{1}{2(n+l-1)}. \qquad (D.2)$$

Proof. By using Stirling's formula (B.4), we have
$$\binom{l}{c} \le \sqrt{\frac{n}{n+l-1}}\;\frac{1}{\sqrt{2\pi}\,\sigma((n+l)c/l)}\; e^{\nu'}\, 2^{\,l h(c/l)}, \qquad (D.3)$$
where
$$\nu' = \lambda_l - \lambda_{l-c} - \lambda_c \le \lambda_l < \frac{1}{12l}. \qquad (D.4)$$
Then, by combining inequality (D.3) with (B.5) and (B.6) and by using lemma 4, we obtain
$$P_{\rm hg}(c|k) \le \frac{e^{\mu + \frac{1}{12l}}}{\sqrt{2\pi}\,\sigma((n+l)c/l)}\sqrt{1 + \frac{1}{n+l-1}}\; \exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right].$$
Then by noting
$$\sqrt{1 + \frac{1}{n+l-1}} \le \sqrt{\exp\!\left(\frac{1}{n+l-1}\right)} = \exp\!\left(\frac{1}{2(n+l-1)}\right),$$
we obtain the lemma. □

Lemma 11. If $l \le n$, $1 \le c_{\min}$, $n c_{\min}/l \le k$, $\bar c(k) - s\sigma(k) \le c \le \bar c(k)$ and $\frac{k}{n+l} \le 1/2$, we have
$$P_{\rm hg}(c|k) \le \frac{e^{\mu+\nu}}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}\;\frac{1}{\sqrt{2\pi}\,\sigma(k)} \exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right], \qquad (D.5)$$
with $\mu$, $\nu$ defined in (B.3), (D.2).

Proof. From the definition of $\sigma(k)$, we have
$$\frac{\sigma(k)}{\sigma\!\left(k(1 - s\sigma(k)/\bar c(k))\right)} \le \frac{1}{\sqrt{1 - s\sigma(k)/\bar c(k)}}.$$
By noting that $n c_{\min}/l \le k$, we have
$$\frac{\sigma(k)}{\bar c(k)} = \sqrt{\frac{n}{l(n+l-1)}\left(\frac{n+l}{k} - 1\right)} \le \sqrt{\frac{n}{l(n+l-1)}\left(\frac{l(n+l)}{n c_{\min}} - 1\right)} = \sqrt{\frac{n}{l(n+l-1)}\cdot\frac{l(n+l) - n c_{\min}}{n c_{\min}}} \le \sqrt{\frac{n}{l(n+l-1)}\cdot\frac{l(n+l-1)}{n c_{\min}}} \le \frac{1}{\sqrt{c_{\min}}}.$$
Hence $1 - \frac{s\sigma(k)}{\bar c(k)} \ge 1 - \frac{s}{\sqrt{c_{\min}}}$. The assumption yields that $(n+l)c/l \ge k(1 - s\sigma(k)/\bar c(k))$, which implies that
$$\frac{\sigma(k)}{\sigma((n+l)c/l)} \le \frac{\sigma(k)}{\sigma\!\left(k(1 - s\sigma(k)/\bar c(k))\right)} \le \frac{1}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}.$$
Combining this inequality with lemma 10, we obtain lemma 11. □

D.1. Proof of Case 2

If $\frac{k}{n+l} > \frac{1}{2}$, this case can be proved by exactly the same argument as in B.3. (Note here that the condition $s^2 \le c_{\min} \le c_{\max} \le 0.12\,l$, appearing in theorem 3, implies that $\frac{5}{4}s^2 \le l$.) Hence in this subsection, we assume that $\frac{k}{n+l} < \frac{1}{2}$. We also assume that $1 \le k$, because the case $k = 0$ is already considered in Case 1 of theorem 1.

First we divide the rhs of (40) into three parts,
$$\sum_{c=0}^{c_{\max}} P_{\rm hg}(c|k)S_{\rm pa}(k, c) \le \sum_{c=0}^{\lfloor \bar c(k) - s\sigma(k) \rfloor} P_{\rm hg}(c|k) + \sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{\lfloor \bar c(k) \rfloor - 1} P_{\rm hg}(c|k)S_{\rm pa}(k, c) + \sum_{c=\lfloor \bar c(k) \rfloor}^{c_{\max}} P_{\rm hg}(c|k)S_{\rm pa}(k, c). \qquad (D.6)$$
The first term on the rhs can be bounded from above by lemma 1. The second term can be bounded as
$$\sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{\lfloor \bar c(k) \rfloor - 1} P_{\rm hg}(c|k)S_{\rm pa}(k, c) \le \sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{\lfloor \bar c(k) \rfloor - 1} P_{\rm hg}(c|k)\,2^{-\beta(c - (\bar c(k) - s\sigma(k)) + 1)}$$
$$\le \frac{e^{\mu+\nu}}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}} \sum_{c=\lfloor \bar c(k) - s\sigma(k) \rfloor + 1}^{\lfloor \bar c(k) \rfloor - 1} \frac{1}{\sqrt{2\pi}\,\sigma(k)} \exp\!\left[-\frac{1}{2}\left(\frac{c - \bar c(k)}{\sigma(k)}\right)^{2}\right] 2^{-\beta(c - (\bar c(k) - s\sigma(k)) + 1)}$$
$$\le \frac{e^{\mu+\nu}}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}\;\frac{1}{\sqrt{2\pi}} \int_{-s}^{\infty} dx\; e^{-x^2/2}\, 2^{-\beta\sigma(k)(x+s)}$$
$$\le \frac{e^{\mu+\nu}}{\sqrt{1 - \frac{s}{\sqrt{c_{\min}}}}}\; I_2(\xi_\varepsilon(k)).$$
Then $I_2(\xi_\varepsilon(k))$ appearing in the last line can be bounded by inequality (47). (Note that the argument in the paragraph of inequality (47) does not rely on the normal approximation.) The third summation on the rhs of (D.6) can be bounded as
$$\sum_{c=\lfloor \bar c(k) \rfloor}^{c_{\max}+1} P_{\rm hg}(c|k)\,2^{-\beta(c - (\bar c(k) - s\sigma(k)) + 1)} \le \sum_{c=\lfloor \bar c(k) \rfloor}^{c_{\max}+1} P_{\rm hg}(c|k)\,2^{-\beta(c - (\bar c(k) - s\sigma(k)) + 1)} \le 2^{-\beta\sigma(k)s}$$
6 e−ξε (k)s 6 εξε (k) 6 ε2 . 2

Appendix E. Proof of theorem 4

First, we fix arbitrary $\varepsilon' > \varepsilon$. Since the function $h(x)$ and its derivative $h'(x)$ are uniformly continuous in the range $[p_{\min}, p_{\max}]$, there exists an integer $N$ such that dnh( p̂sft,ε0 (c + 1))e + √ 0 q psmp (c)(1− psmp (c))(1+t) 1 6 dnh psmp (c) + nh psmp (c) s(ε)e 4t for $n \ge N$ and $l \ge tn$. Using theorem 1 of [32], we can choose constants $C_1$ and $C_2$ such that
$$P_{\rm hg}(c|k) \le \frac{1}{\sqrt{2\pi}}\int_{\zeta_c}^{\zeta_{c+1}} e^{-x^2/2}\,dx + \frac{C_1(1 + \zeta_c^2)}{\sigma_{n,l}(k)}\exp(-C_2\zeta_c^2).$$
Here note that the constants $C_1$ and $C_2$ are different from those defined in theorem 1 of [32]. Using $C_3 := \int_{-\infty}^{\infty} C_1(1 + x^2)\exp(-C_2 x^2)\,dx$, we obtain
$$\sum_{c=0}^{n p_{\max}} \frac{C_1(1 + \zeta_c^2)}{\sigma_{n,l}(k)}\exp(-C_2\zeta_c^2)\,\min\!\left\{2^{-\beta(c - (\bar c - s(\varepsilon)\sigma))}, 1\right\} \le \frac{C_3}{\sigma_{n,l}(k)}. \qquad (E.1)$$
Hence, theorem 2 yields that
$$P_{{\rm ph},n,l} \le (1 + \delta'_n)\varepsilon' + \frac{C_3}{\min_{k:\, n p_{\min} \le k \le (n+l)(\hat p_{{\rm sft},\varepsilon'}(l p_{\max} + 1))} \sigma_{n,l}(k)}, \qquad (E.2)$$
where $\delta'_n$ is the maximum of $\delta$ given in theorem 2 with the condition $l \ge tn$. Since $\min_{l:\, l \ge tn}\min_{k:\, n p_{\min} \le k \le (n+l)(\hat p_{{\rm sft},\varepsilon'}(l p_{\max} + 1))} \sigma_{n,l}(k) \to \infty$ as $n \to \infty$, we obtain
$$\lim_{n\to\infty}\max_{l:\, l \ge tn} \frac{C_3}{\min_{k:\, n p_{\min} \le k \le (n+l)(\hat p_{{\rm sft},\varepsilon'}(l p_{\max} + 1))} \sigma_{n,l}(k)} = 0.$$
Also we can show that $\delta'_n \to 0$. Thus, we obtain $\lim_{n\to\infty}\max_{l:\, l \ge tn} P_{{\rm ph},n,l} \le \varepsilon'$. Since $\varepsilon'$ is an arbitrary real number satisfying $\varepsilon' > \varepsilon$, we have $\lim_{n\to\infty}\max_{l:\, l \ge tn} P_{{\rm ph},n,l} \le \varepsilon$. □

References

[1] Mayers D 2001 J. ACM 48 351
[2] Hayashi M 2007 Phys. Rev. A 76 012329; Hayashi M 2009 Phys. Rev. A 79 019901
[3] Scarani V and Renner R 2008 Phys. Rev. Lett. 100 200501
[4] Sano Y, Matsumoto R and Uyematsu T 2010 J. Phys. A: Math. Theor. 43 495302
[5] Tomamichel M, Lim C C W, Gisin N and Renner R 2011 arXiv:1103.4130v1
[6] Maassen H and Uffink J B M 1988 Phys. Rev. Lett. 60 1103
[7] Renes J M and Boileau J-C 2009 Phys. Rev. Lett. 103 020402
[8] Bennett C H and Brassard G 1984 Proc. IEEE Int. Conf. on Computers Systems and Signal Processing (Bangalore, India) (New York: IEEE) pp 175–9
[9] Tsurumaru T and Tamaki K 2008 Phys. Rev. A 78 032302; Beaudry N, Moroder T and Lütkenhaus N 2008 Phys. Rev. Lett. 101 093601
[10] Renner R 2005 Security of quantum key distribution PhD Thesis Dipl. Phys. ETH Switzerland (arXiv:quant-ph/0512258)
[11] Renner R and König R 2005 Universally composable privacy amplification against quantum adversaries TCC: Theory of Cryptography: 2nd Theory of Cryptography Conference, Lecture Notes in Computer Science vol 3378 ed J Kilian (Berlin: Springer) pp 407–25
[12] Lo H-K and Chau H F 1999 Science 283 2050; Shor P W and Preskill J 2000 Phys. Rev. Lett. 85 441
[13] Strassen V 1962 Asymptotische Abschätzugen in Shannon's Informationstheorie Trans. 3rd Prague Conf. on Information Theory etc (Prague: Czechoslovak Academy of Sciences) pp 689–723
[14] Hayashi M 2009 Information spectrum approach to second-order coding rate in channel coding IEEE Trans. Inform. Theory 55 4947–66
[15] Polyanskiy Y, Poor H V and Verdú S 2010 Channel coding rate in the finite blocklength regime IEEE Trans. Inform. Theory 56 2307–59
[16] Ruskai M B and Werner E 1997 eprint arXiv:math/9711207
[17] Chvátal V 1979 Discrete Math. 25 285
[18] Koashi M 2009 New J. Phys. 11 045018 (arXiv:quant-ph/0505108)
[19] Tsurumaru T and Hayashi M 2011 arXiv:1101.0064v3 [quant-ph]
[20] Asai T and Tsurumaru T 2011 Efficient privacy amplification algorithms for quantum key distribution IEICE Technical Report ISEC2010-121 (in Japanese)
[21] Golub G H and Van Loan C F 1996 Matrix Computation 3rd edn (Baltimore, MD: Johns Hopkins University Press)
[22] Ben-Or M, Horodecki M, Leung D W, Mayers D and Oppenheim J 2005 The universal composable security of quantum key distribution Theory of Cryptography: 2nd Theory of Cryptography Conf., TCC 2005 (Lecture Notes in Computer Science vol 3378) ed J Kilian (Berlin: Springer) pp 386–406
[23] Watanabe S, Matsumoto R, Uyematsu T and Kawano Y 2007 Phys. Rev. A 76 032312
[24] Hayashi M 2006 Phys. Rev. A 74 022307
[25] Watanabe S, Matsumoto R and Uyematsu T 2006 Int. J. Quantum Inform. 4 935–46
[26] Håstad J, Impagliazzo R, Levin L A and Luby M 1999 A pseudorandom generator from any one-way function SIAM J. Comput. 28 1364
[27] Bennett C H, Brassard G, Crepeau C and Maurer U M 1995 Generalized privacy amplification IEEE Trans. Inform. Theory 41 1915–23
[28] Fung C-H F, Ma X and Chau H F 2010 Phys. Rev. A 81 012318
[29] Hoel P G 1969 Elementary Statistics 4th edn (New York: Wiley)
[30] Hwang W-Y 2003 Phys. Rev. Lett. 91 057901; Lo H-K, Ma X and Chen K 2005 Phys. Rev. Lett. 94 230504; Wang X-B 2005 Phys. Rev. Lett. 94 230503
[31] Justesen J and Hoholdt T 2004 Course in Error Correcting Codes (Zurich: European Mathematical Society)
[32] Lahiri S N, Chatterjee A and Maiti T 2007 Normal approximation to the hypergeometric distribution in nonstandard cases and a sub-Gaussian Berry–Esseen theorem J. Stat. Plan. Inference 137 3570–90
[33] Wyner A D 1975 The wire-tap channel Bell. Sys. Tech. J. 54 1355–87
[34] Csiszár I and Körner J 1979 Broadcast channels with confidential messages IEEE Trans. Inform. Theory 24 339–48
[35] Csiszár I 1996 Almost independence and secrecy capacity Problems Inform. Transm. 32 40–7