Recomendaciones Generales

To remove the errors from the sifted key, the classical two-way error correction protocol CASCADE [116] was applied. The algorithm works by the principle of comparing pari- ties between blocks of key bits. This allows to detect blocks with odd numbers of errors. When such a block is found, a binary search inside the block is performed to reveal the position of an error. The protocol works in typically 4 or 5 passes, and each pass uses different block partitions, that is, different permutations of the raw bits. After each pass, each block contains an even number of errors, or no errors. If an error is found in one block in passi(which was overlooked in passes 1, ..., i−1), the algorithm tracks the bit back to its blocks in passes 1, ..., i−1. By correction of the bit, there will then be blocks with odd number of errors in passes 1, ..., i−1. Binary searches find these errors,

6.1 Key exchange with 4-channel Alice

possibly creating more blocks with odd number of errors. This is continued until no blocks have an odd number of errors. The key to good performance in the CASCADE protocol is the choice of block sizes in the individual passes. This choice depends on the bit error rate e. Starting from values in the literature [115, 186], block sizes were opti- mised for the expected error rates. For an error rate around 6%, 5 passes with block sizes

{14,28,64,128,256}were used. Instead of randomly permuting the raw bits before the error correction to ensure homogeneous distribution of errors, the raw bits were grouped into superblocks of 1024 bits length. The CASCADE algorithm was then performed for each superblock separately, which allows for the disposal of blocks containing sub- stantially more errors than on average. The criterion for discarding any one superblock was that the fraction of disclosed bits exceeded a value of 0.48 (corresponding to ∼8% QBER).

With these parameters, 25% of the superblocks were discarded because of their in- creased error rate. The remaining 209 kbit of raw key contained e = 5.85% errors, for the correction of which a total ofn_dis= 79 kbit (equivalent to 37.7% of the raw bits) were disclosed by the error correction algorithm. Hence, the CASCADE protocol exceeded the Shannon limit for perfect error correction only by a factor off(e) =n_dis/n_sifH₂(e) = 1.17, which is very close to values (1.16) reported in the literature for this error rate [186]. The last important step to a secure key is the privacy amplification of the corrected key in order to limit the maximum information of the perfect eavesdropper. If the reconciled key is shortened by a fraction τ (cf. equation (2.9))

nfin = (1−τ)nrec, where (6.1) τ := Δ + ndis n_rec + (1−Δ)H2 e 1−Δ , (6.2)

then Eve’s expected Shannon information is just one bit on the resulting final key [114]. In equation (6.2), the individual contributions to τ are easy to identify: apart from the fraction of tagged bits Δ, the second and the third terms account for the information revealed during error correction and for the potential information leakage due to the detected qubit error ratee, respectively. Substituting the experimental values Δ = 0.252 and n_dis/n_rec = 0.377, and neglecting statistical uncertainties for the moment, we obtain a fraction 1−τ = 0.075, resulting in a secure key of 15.7 kbit. This value corresponds to a secure key rate ofBexp = 15.8 bit/s and is valid in the asymptotic limit of infinitely

long keys.

However, the limited statistics due to the finite run time of the experiment caused an uncertainty in the determination of the parameters Δ and e, that are relevant for the security of the final key. For example, the error rate e_meas observed in the specific realisation of the experiment might — with some small probability p₁ — be smaller than the expected disturbance ¯e caused by some given eavesdropping strategy. It is therefore necessary to estimate the average error rate ¯e from the measured quantity e_meas. Using

a theorem by Hoeffding, one can give a bound [114] on the expected error rate ¯e from the observed quantitye_meas

¯

e < emax=emeas +δe (6.3)

with the confidence limit

(1−p₁)>1−exp−2n_rec(δe)2. (6.4)

Hoeffding’s inequality is applicable here, because e_meas can be written as the sum of the random variables e(measi) describing the error probability for each transmitted pulse.

Moreover, since we strive for security against the most general coherent attacks, correla- tions of the error probabilities e(measi) for the individual pulses are possible, which means

that the assumptions of a Gaussian probability distribution ofe_meas would not be justi- fied. Limiting the probability for the expected disturbance ¯e to be higher than e_max to

p₁ = 10−3_{, leads to δe= 0.004 for n}

rec = 209 kbit.

Next, we consider the uncertainty associated with the determination of the parameter Δ. Again, the measured gain valuesQ₀, Q_μ, andQ_μ allow only the computation of the

most likely value of Δ, but there is some finite probability p₂ that the expected ¯Δ is actually higher than Δ_meas for the attack chosen by Eve. In turn, this implies that the fraction of tagged bits (which are supposed to be known to the eavesdropper at no cost of induced errors), are underestimated with probabilityp₂. The statistical effect due to fluctuations of the count rates recorded by Bob were accounted for by Gaussian error propagation, see§2.6.3. Assuming Gaussian probability distributions is justified in this case, because an attack on the photon number degree-of-freedom is always an individual attack: The eavesdropper is assumed to learn the photon number of each transmitted pulse via quantum non-demolition measurements without disturbing the state anyway. Having full information on the photon number without the cost of induced perturbations, there is no advantage of doing this measurement coherently over many pulses.

Choosing a probability for ¯Δ to be larger than some Δ_max = Δ_meas+δΔ ofp₂ = 10−3_,

results in a confidence interval δΔ of 3.3 standard deviations. For a total number of

N ∼1·1010 transmitted pulses, we obtained δΔ = 0.0035. To account for the increased uncertainty for the security of the final key due to limited statistics, we substituted all occurrences of Δ by Δ +δΔ, and used e_max instead of e in the last term of the privacy amplification formula (6.2). Note that this has no impact on the error correction term of equation (6.2), since all corrected errors and disclosed bits are counted during the error correction phase. Therefore, there is no risk of underestimating the amount of bits revealed during error correction. For the specific choice of security parameters p₁, p₂, the privacy amplification parameter increased toτ = 1−0.03, reducing the key rate to 6.3 bit/s. Figure 6.5 summarises the entire process of key generation and illustrates the individual steps, that reduce the raw key to the final secure key.

6.2 Key exchange with 8-channel Alice