Key generation rates

In order to compute expected key generation rates for different protocols, it is necessary to make assumptions on certain experimental parameters.

It is common to assume a linear model for the quantum channel, which means, that the absorption probabilities for different photons are statistically independent. In other words, for pulses of mean photon numberμ, the probability for the detection ofnphotons at the end of the quantum channel with transmittance η becomes

P_μ,η(n) = (μη)

n

n! e

−μη_{. (2.18)}

Here it should be noted, that this may not be exactly the case in reality, in particular with free-space quantum channels (see §3.4.5). However, a deviation affects only predictions

0 10 20 30 40 50 10-1 10-2 10-3 10-4 10-5 10-6 Key generation efficiency R 0.2 0.4 0.6 0.8 1 D Channel lossh(dB) Perfect single photon source Decoy asymptotic BB84,µ=µopt Ddecoy estimate Dworst-case estimate Dno eavesdropper

dark count fraction

Figure 2.3: Upper graph: Asymptotic key generation rate for the BB84 protocol with ideal single photon source, BB84 with attenuated laser pulses, and the asymptotic decoy state protocol, depending on the transmission of the quantum channel. Without the decoy state extension, attenuated pulses allow secure communication only up to about 20 dB channel loss, for experimental parametersY₀ = 6·10−6_,e

tech= 2%. Lower graph: Influence of multi-photon pulses in dependence of the attenuation. The actual fraction of tagged bits (solid red) is upper bounded by a worst-case estimate (dotted blue) in the case of simple BB84, and by a much tighter approximation in the decoy protocol (dashed green). The lower graph is plotted for a fixed mean photon numberμ= 0.4.

of the expected key generation rates and of verified values of Δ. It does not endanger the security of the decoy state method, because Eve is always assumed to possess full control over the quantum channel, which includes, in particular, to change the channel transmission at will and for each pulse, according to the result of a photon-number quantum non-demolition measurement. As a good approximation, the quantum channel

2.6 Decoy-state protocol extension

shall still be characterised in the following solely by its transmittance η.

Thedark count probability is a property mainly of Bob’s detector, but also of the level of stray light, that inevitably enters Bob’s apparatus. As the dominant noise source at large transmission distances, the dark count probability governs the maximum distance over which secure QKD is possible.

The technical error is due to imperfections of the optical components and alignment and is accounted for by the constant e_tech contributing to the overall QBER.

For the following plots, realistic parameters similar to the values found in the inter- island experiment are assumed: Dark count probability Y₀ = 6·10−6, technical error

e_tech = 2%, efficiency of error correction f(e) = 1.22 (weakly dependent on the overall QBER, see §2.7.1).

The most important parameter of a real-life QKD system is, of course, the secure key rate B, measured in exchanged key bits per second, between Alice and Bob:

B =νR, (2.19)

where ν is the repetition frequency of Alice’s source and R is the secure key generation efficiency, which is normalised to the number of emitted pulses.

The upper graph of Figure 2.3 compares the asymptotic secure key generation effi- ciency of the decoy state method with the pure BB84 protocol, using either a true single photon source (dashed red curve), or weak coherent pulses with mean photon number

μ = μ_opt (dotted blue curve), according to equations 2.15, 2.7, and 2.6, respectively. The ideal single photon source constitutes an upper limit to the secure key rate taking into account the above mentioned background probability and alignment errors. The performance curve of a practical QKD system utilising attenuated pulses and the stan- dard BB84 protocol exhibits the knownO(η2_{) dependency, which puts severe limits both}

to key rate and achievable distance. Employing the ideal decoy state method with an infinite number of decoy states allows precise calculation of Δ and e₁, and results in a key rate that scales equally to the case of the single photon source, as well as in a much higher distance for unconditionally secure QKD. The lower graph of Figure 2.3 illus- trates the role of multi-photon signals (computed for fixed μ= 0.4) as a function of the channel attenuation. Plotted in red is the fraction of tagged bits arriving at Bob when no eavesdropper is present. The drop at very large attenuation is due to the increasing influence of background events, which are shown in purple for comparison. Without the decoy method, one has to assume the worst-case scenario (dotted blue curve), that is, Eve blocks as many single-photon pulses as possible, and lets the tagged photons pass. This leads to the fast drop of the secure key rate proportional to η2_{. Utilising}

the decoy method, one obtains a much better upper bound for Δ, that reaches the true value in the limit of infinitely many decoy states. The dashed green trace represents the estimate derived from using only 3 different intensities. For a wide transmission region, this estimate is roughly constant and thus enables a key generation rate similar to the single photon case.

10-6 10-5 10-4 10-3 10-2 Key generation efficiency

R _{3-intensity, asymp.}Decoy asymptotic

3-intensity,N=107 10 20 30 40 0.2 0.4 0.6 0.8 1 0 Channel lossh(dB) Destim. total Destim. asymptotic

Destim. error margin

Dark count fraction

D

Figure 2.4: Upper graph: Key generation rates for decoy state protocols with infinitely many decoy states (dashed green), and 3 different intensities (μ, μ,0), if both signal and decoy states are used for key generation (solid red). For a real key exchange of limited length, the achievable key rate is decreased due to statistical effects (dotted blue, plotted forN = 1·107). Lower graph: Estimate of the fraction of tagged bits Δ as a function of channel attenuation. To account for limited counting statistics, the asymptotic estimate is increased by an error margin of 4.4 standard deviations according to the chosen security parameters.

Figure 2.4 compares the performance of different decoy state protocols. The asymp- totic limit of optimal performance for this class of protocols (dashed green line) is reached in the limit of infinitely many decoy states. However, the protocol described in §2.6.2 with just 3 different intensities (one of which is effectively the vacuum state) performs close to the optimum, if both signal and decoy states are used for key generation (solid red curve). Assuming a fixed number of transmitted pulses of N = 1·107 in a real ex-