Simulation

In this section we use system parameters taken from Ref. [121] to estimate the number of states that Bob and Charlie need to transmit over a 50 km quantum channel in order to securely sign a 1-bit message over 50 km. We stress that the analyses performed in this example have not been optimised. Instead, it is meant to

illustrate the protocol and to provide approximate signing rates/signature lengths.

Experimental parameters

The experiment uses a 1 GHz source capable of transmitting at three different in- tensities (u1, u2, u3) = (0.425, 0.0435, 0.0022). The intensities are chosen with prob-

abilities pu1 = 0.25, pu2 = 0.4 and pu3 = 0.35. Independently, the encoding bases are chosen with probabilities pX = 0.5 and pZ = 0.5.7 The signals are transmitted

via optical fibre at 1550 nm achieving a channel attenuation of 0.2 dB/km. The receiver loss at Alice is 2.8 dB and her detectors have efficiency ηdet = 20.4%. The

dark count rate, pd, is the rate at which the detectors register counts in the absence

of any incident light. Here we set pd = 2.1 × 10−5. Lastly, there is a biased optical

bit error rate of QX = 1.38% in the X basis and QZ = 0.76% in the Z basis.

Source and channel estimates

Over 50km, the signal attenuation due to the combined channel and receiver loss is ηch = 0.0525. The parameter η represents the overall system transmission, where

η = ηdetηch = 0.0107. The detection rates, Rui, for signals with intensity ui can be modelled as [124]

Rui = 1 − (1 − 2pd)e

−ηui_{. (6.32)}

The X basis bit error rates, eX,ui, for signals with intensity ui can be modelled as

eX,ui =

(1 − e−ηui_)Q

X + e−ηuipd

Rui

, (6.33)

and similarly for the Z basis bit error rates.

Protocol parameters and security

A USS scheme is called δ-correct and δ-secure if the probabilities of honest failure, forging, non-transferability and repudiation are all less than δ (see Chapter 4). In what follows we set δ = 10−4. The choice of security level is arbitrary but is chosen to match with the existing quantum USS literature. The security and correctness of the AWKA protocol is described by Eqs. (6.23), (6.25) and (6.29). To evaluate these expressions, we must first set the value of the internal parameters sa and sv. From

the security proofs above, sa and sv must be chosen such that e+X < sa < sv < p∗E.

If this is not possible, the protocol aborts following the distribution stage.

7_{For longer messages, it would be more efficient to bias these probabilities so that P}

X > 1/2

The quantity e+_X,I, with I ∈ {B, C}, is an upper bound on the X basis error rate found from parameter estimation in the KGP performed by Alice and recipient I (see Eq. (6.21)). For this example the Alice-Bob and the Alice-Charlie channels are the same, and as such the recipient subscript is unnecessary. In practice, it is likely that the channels will differ, in which case we set e+_X := max{e+_X,B, e+_X,C}, i.e. we choose the worst case (maximum) of the error rates found in the Alice-Bob and Alice-Charlie KGPs.

Similarly, the quantity p∗_E,I, with I ∈ {B, C}, is a lower bound on the error rate an eavesdropper is able to achieve when dishonestly declaring a signature. The quantity derives from the channel noise estimates and is found using Eq. (6.17). Again, since the Alice-Bob channel could in principle differ from the Alice-Charlie channel, the achievable eavesdropper error rates can also differ. Here, and in all that follows, we set p∗_E := min{p∗_E,B, p∗_E,C}, i.e. we choose the worst case (minimum) of the achievable error rates.

Suppose that each recipient (we focus on Bob, but Charlie will do exactly the same) transmits T = 6.09 × 108states in total8. From losses due to the experimental parameters listed, we expect the raw key to contain 2.09 × 105 _{bit values resulting}

from successful X basis measurements. Of these, Bob will randomly choose n = L/2 = 9.94 × 104 to be B₁m and another L/2 will be chosen as B₂m. The remaining k = 9.94 × 103 _{bits make up V}

B and will be used to estimate the correlation between

Alice’s and Bob’s X basis measurement outcomes.

For the given intensity probabilities, error rates and detection rates, we expect to observe an X basis bit error rate of 2.87%. Since the overall security level we require is 10−4, we choose P E = 10−6 meaning ˜P E ≤ 1.1×10−5(see Appendix A.1).

Eq. (6.21) then provides an upper bound on the true error rate as e+_X = 5.37%. Finding p∗_E is slightly more involved. The parameters sX,0, sX,1and φX,1are esti-

mated using the observed number of errors and counts in different bases/intensities (see Appendix A.1 or Appendix B of [114]). Setting  = 10−6, Eq. (6.2) allows us to estimate the min-entropy as

H_min (X|E)ρ= 4.12 × 104. (6.34)

Together with Eq. (6.17), this gives p∗_E = 8.36%. Note that both e+_X and p∗_E are found in the distribution stage, and the parameters sa and sv are also set in the

distribution stage.

8_{This number, though currently obscure, is chosen to provide the required security level of 10}−4_,

The aim is to choose the internal parameters sa and sv so as to maximise

the security level for a given signature length. It is important to minimise both the signature length, 2L, and the number of signals required to generate the signature, T . Reducing L is desirable as it reduces the communication overhead imposed by appending the signature to a message. Reducing T is desirable as it increases the rate at which signatures can be generated. Here we set

sa = e+X + p∗_E − e+ X 4 = 0.0612, sv = e + X + 3(p∗_E − e+ X) 4 = 0.0761. (6.35)

This choice seems reasonable and is in line with previous quantum signature exper- iments [1]. However, we do not show it is optimal and better choices may exist. Given these parameters, we find

P(Honest failure) ≤ 2.97 × 10−5, (6.36)

P(Forge) ≤ 1.20 × 10−5, (6.37)

P(Repudiation) ≤ 2.98 × 10−5. (6.38)

Results

Overall, the above analysis shows that to sign a 1-bit message to a security level of 10−4, the AWKA protocol requires a signature length of 2L = 1.99 × 105_{. This}

requires the recipients (Bob and Charlie) to transmit 6.09 × 108 states per possible message. For a 1-bit message there are two possibilities, meaning the senders must each transmit 1.22 × 109 _{states in total. With a 1GHz source, this translates to}

being able to sign a 1-bit message once every 1.2 seconds9.