On the secrecy of a simple and effective implementation of BB84 quantum cryptography protocol

To date, a large number of quantum cryptography protocols and their experimental implementations have been proposed. The most commonly used protocol is BB84 [1]. The main requirement for quantum cryptography systems is provable or unconditional secrecy of distributed keys, which should be based only on the fundamental limitations of quantum theory. Evidence claiming unconditional secrecy of keys should not be based on demonstrating the secrecy of keys regarding specific attacks, but on demonstrating secrecy regarding all attacks. For the case of a strictly single-photon source of quantum states, the proofs that guarantee unconditional secrecy of keys are based on the fundamental entropy uncertainty relations. These ratios take into account all sorts of attacks and allow us to estimate the upper limit for information leaks to the eavesdropper without going through various attacks. However, not for all protocols of quantum key distribution, even in the single-photon case, is it possible to use the entropy uncertainty relations.

The use of entropic uncertainty relations implicitly implies the possibility of reducing the protocol to the so-called EPR (Einstein–Podolsky–Rosen) version (see, for example, [2]), which is not possible for all protocols.

In a real world, quantum states are quasi-single photon ones, or more precisely, strongly attenuated coherent states of laser light. In the case of coherent states, the reduction of the protocol to the EPR version turns out to be impossible. In this case, in the presence of inevitable losses in the communication channel and using not a strict single-photon source, a number of attacks occur, which were absent in the single-photon case. Such attacks are PNS attacks (photon number splitting) [3], which uses Poisson statistics on the number of photons in measuring coherent states, and attacks with UM measurements (unambiguous measurements, often called the USD attack—unambiguous states discrimination). This attack uses the fact of linear independence of coherent information states.

Protocols have been proposed that would be robust with respect to the attacks mentioned. These are protocols DPS [4], COW [5], decoy state method [6, 7], and protocol with a reference state [8], which were supposed to ensure the secrecy of keys in the presence of large losses in the channel.

However, for a number of protocols, due to the distributed coding method, it has not yet been possible to find proof of unconditional secrecy even in the single-photon case, since these protocols cannot be reduced to the EPR version.

The most commonly used is the so-called decoy state method for detecting a portion of the attacks mentioned. However, as was shown in [9], this method is also not universal, since it is not sensitive to the BS (beam split) attack, which limits the transmission distance of secret keys compared to PNS attacks. Note that the BS attack is applicable to all protocols using attenuated coherent states.

The decoy state method, which is reduced to random modulation of the intensity of coherent states, is used in a number of protocols. The secrecy of the keys is 'recruited' from the fraction of the single-photon component in coherent states, the value of which is estimated from the change in the statistics of samples on the receiving side for states with different average number of photons. Parcels with multi-photon components are considered known to the eavesdropper and do not contribute to the secret key.

Thus, in order to prove the secrecy of keys, it is necessary to have an exact proof of unconditional secrecy for single-photon states, which is based on fundamental principles—on the entropy uncertainty relations. The lack of evidence of unconditional secrecy reduces the value of the protocol.

The next important condition is the simplicity of the technical implementation of the protocol. Communication channels use standard single-mode fiber, which does not maintain polarization. Almost all systems use phase coding, in which Mach–Zander or Michelson interferometers are inevitably present on the receiving side. The use of active elements on the receiving side, such as phase modulators that are polarization sensitive, leads to the fact that one needs to adjust the polarization state at the output of the communication channel.

In paper [10], implementations of the QKD system were proposed in which the interferometer was made with Faraday mirrors and in which there are no polarization-sensitive phase modulators, therefore, no adjustment of the polarization state [10] at the output of the communication channel is required.

However, the 'price' for the lack of adjustment of the polarization state and phase modulators is a reduced version of the BB84 protocol. Such a reduced version of the BB84 protocol exploits three states instead of four, as it was suggested in the original version of BB84. Namely, two states are informational, and one state is control one [10]¹.

For a reduced version of the BB84 protocol with three, instead of four states in two bases, it is impossible to use the entropy uncertainty relations, so the secrecy of keys in the single-photon case has to be proved by explicitly constructing specific attacks [2]. Building explicit attacks does not guarantee the absolute secrecy of the protocol, since one can never be sure that there are no other attacks even in the single-photon case, which allows the eavesdropper to get more information with the same observed error.

The next requirement for the protocol is that the estimation of the length of the secret key should not explicitly include such system parameters as quantum efficiency and dark counts from avalanche detectors. The secret key length should depend only on the observed parameters—i.e. from the total number of counts and the number of erroneous counts measured in each basis. Of course, the number of erroneous and correct counts depends on the parameters of the detectors, but obviously the parameters themselves should not be included in the formula for the secret key length, and even more so, the counts due to dark counts cannot be subtracted from the total number of counts.

This paper proposes a simple and effective implementation of the BB84-based protocol, which does not require the following.

• (1)  
  Adjustment the state of polarization at the exit of the communication channel.
• (2)  
  Does not use active elements (phase modulators, polarization controllers) at the receiving side.
• (3)  
  Implements the complete, but not reduced version of the BB84 protocol.
• (4)  
  It is fundamentally important that the protocol, when proving secrecy in a single-photon case, can be reduced to the EPR version, which makes it possible to use the fundamental entropy uncertainty relations, which guarantees unconditional secrecy regarding any attacks.
• (5)  
  As a consequence of the using the entropy uncertainty relations, the estimate of the length of the secret key includes only the observed parameters of the classical Alice–Bob channel, which takes place after the measurements of Bob. Estimation of the the secret key length automatically takes into account the fact that avalanche detectors have different parameters—quantum efficiencies and dark counts rate, and explicitly these parameters are not included in the length of the key.

To prove the secrecy of a protocol using entropy uncertainty relations, it is necessary to use the EPR version of the protocol. In this version, the information states are obtained by measuring over the EPR pair. Alice is preparing an ESR pair. Alice retains her subsystem, and sends the second subsystem to Bob through a quantum communication channel. This subsystem is available to attack the eavesdropper. Next, Alice performs measurements in one of two bases, which are chosen randomly and equiprobably. As a result of measurements, the subsystems of Alice and Bob are in the same states. One of the two states depends on the choice of the basis of measurements. The basis of measurements on the receiving side is chosen by Bob irrespective of the choice of basis by Alice. Alice's measurement basis is reported to Bob only after his measurements. Reduction of the protocol to the EPR version is an exclusively formal technique that allows us to use the entropy uncertainty relations. The EPR version of the protocol is equivalent to the version with preparation and sending of states by Alice to Bob. However, not every protocol can be reduced to the EPR version, and then the entropy uncertainty relations can be used. The protocol must have two bases, the states in which can be obtained from a single EPR pair.

The representation of the same EPR state of a pair in different bases is

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ1} & |\Psi\rangle_{AB}= \frac{1}{\sqrt{2}} \left(|1\rangle_1^A \otimes |1\rangle_1^B + |1\rangle_2^A \otimes |1\rangle_2^B \right)\nonumber \\ &= \frac{1}{\sqrt{2}} \left(|0^+\rangle_A \otimes |0^+\rangle_B + |1^+\rangle_A \otimes |1^+\rangle_B \right)\nonumber \\& = \frac{1}{\sqrt{2}} \left(|0^{\times}\rangle_A \otimes |0^{\times}\rangle_B + |1^{\times}\rangle_A \otimes |1^{\times}\rangle_B \right) .\nonumber \end{align} \tag{ 1 }$$

Two measurement bases are used. Information states in the two bases  +  and $\times$ are

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ2} + \left\{\begin{array}{@{}c@{}} |0^+\rangle_{A,B}=\frac{1}{\sqrt{2}}\left(|1\rangle_1^{A,B}+ |1\rangle_2^{A,B} \right) \nonumber \\ |1^+\rangle_{A,B}=\frac{1}{\sqrt{2}}\left(|1\rangle_1^{A,B}- |1\rangle_2^{A,B} \right) \nonumber \\ \end{array} \right. , \quad \times \left\{\begin{array}{@{}c@{}} |0^{\times}\rangle_{A,B}= |1\rangle_1^{A,B} \nonumber \\ |1^{\times}\rangle_{A,B}=|1\rangle_2^{A,B} \nonumber \\ \end{array} \right. , \nonumber \end{align} \tag{ 2 }$$

here we have introduced the notation $| 1 \rangle_1^{A, B}$ and $| 1 \rangle_2^{A, B}$ Fock single-photon states localized in time windows 1 and 2 (see figure 1(a)). As can be seen from (2), the states within each basis are orthogonal, the states between the bases are pairwise nonorthogonal.

Zoom In Zoom Out Reset image size

Eve is only available subsystem B. After Eve's attack, the state (1) becomes equal

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ3} |\Psi\rangle_{ABE}= (U_{BE}\otimes I_A) |\Psi\rangle_{AB} , \quad \rho_{ABE}= |\Psi\rangle_{ABE}{}_{ABE}\langle \Psi| . \nonumber \end{align} \tag{ 3 }$$

Here we emphasize that, precisely, this choice of information states provides a simple and effective experimental implementation of the quantum key distribution protocol, which does not require active elements on the receiving side and does not require adjustment of the polarization state at the output of the communication channel (see figure 1(a)).

The measurements are given by the identity resolution in one of two bases. Thus we have

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle& \label{equ4} I_{X^+}=P^A_{0^+}+P^A_{1^+} , \quad I_{X^{\times}}=P^A_{0^{\times}}+P^A_{1^{\times}} , \nonumber \\ & P^A_{1,0^{+,\times}}= |1,0^{+\times}\rangle_{A}{}_A\langle 1,0^{+\times}| . \nonumber \end{align} \tag{ 4 }$$

The measurements (4) of Alice over the density matrix (3) in the bases (2) lead to a reduced density matrix. So one can find

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ5}& \rho_{X^+BE}= \sum_{x^+=0,1} P^A_{x^+} \rho_{ABE} P^A_{x^+} = \sum_{x^+=0,1}\nonumber \\ & P_{X^+}(x^+) |x^+\rangle_{X^+}{}_{X^+}\langle x^+|\otimes \rho_{x^+BE} , \nonumber \end{align} \tag{ 5 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ6}& \rho_{X^{\times}BE}= \sum_{x^{\times}=0,1} P^A_{x^{\times}} \rho_{ABE} P^A_{x^{\times}} = \sum_{x^{\times}=0,1} \nonumber \\ &P_{X^{\times}}(x^{\times}) |x^{\times}\rangle_{X^{\times}}{}_{X^{\times}}\langle x^{\times}|\otimes \rho_{x^{\times}BE} , \nonumber \end{align} \tag{ 6 }$$

where

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ7} \rho_{X^+BE}=& \frac {{}_{X^+}\langle x^+|\rho_{ABE}|x^+\rangle_{X^+} } {{{\rm Tr}}_{BE} \{{}_{X^+}\langle x^+|\rho_{ABE}|x^+\rangle_{X^+} \} } ,\nonumber \\ &\quad \rho_{x^{\times}BE}= \frac {{}_{X^{\times}}\langle x^{\times} |\rho_{ABE}|x^{\times}\rangle_{X^{\times}} } {{{\rm Tr}}_{BE} \{{}_{X^{\times}}\langle x^{\times} |\rho_{ABE}|x^{\times}\rangle_{X^{\times}} \} } \nonumber \end{align} \tag{ 7 }$$

in formulas (5)–(7) the following notation is entered

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ8} &P_{X^{+}}(x^{+}) = {{\rm Tr}}_{BE} \{{}_{X^+}\langle x^+|\rho_{ABE}|x^+\rangle_{X^+} \} ,\nonumber \\ &\qquad \quad P_{X^{\times}}(x^{\times}) = {{\rm Tr}}_{BE} \{{}_{X^{\times}}\langle x^{\times} |\rho_{ABE}|x^{\times}\rangle_{X^{\times}} \} .\nonumber \end{align} \tag{ 8 }$$

Expressions (8) have the meaning of a priori probabilities at the entrance to the quantum communication channel for symbols 0 and 1 in the corresponding bases.

Before the Bob measurement at the receiving side, the input states are transformed on the Mach–Zander interferometer (although this interferometer is often called the Michelson interferometer), made using Faraday mirrors. It was previously shown that in such an interferometer interference is provided without adjusting the polarization state at the output of the communication channel (see details of the calculation of the optical receiving part in [11]).

After the input states are transformed, detection occurs by gating the detectors in a specific time slot, depending on the choice of basis by Bob (see figure 1(b)) and an explanation for it).

The Bob measurements lead to the following density matrices in the  +  basis

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ9} &\qquad \qquad \rho_{X^+Y^+E}\nonumber \\ &= \sum_{y^+=0,1} \sum_{x^+=0,1} P_{X^{\times}}(x^+) P_{X^{+}|Y^{+ }}(X^+=x^{+ }\nonumber \\ &|y^{+ }) |x^+\rangle_{X^+}{}_{X^+}\langle x^+ | \otimes |y^+\rangle_{Y^+}{}_{Y^+}\langle y^+ | \otimes \rho_{x^+ y^+E} ,\nonumber \end{align} \tag{ 9 }$$

similarly in basis $\times$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ10} & \rho_{X^{\times}Y^{\times}E}\nonumber \\ &= \sum_{y^{\times}=0,1} \sum_{x^{\times}=0,1} P_{X^{\times }} (x^{\times}) P_{X^{\times}|Y^{+ }}(X^{\times }=x^{\times }| y^{\times })\nonumber \\& |x^{\times}\rangle_{X^{\times}}{}_{X^{\times}}\langle x^{\times} | \otimes |y^{\times}\rangle_{Y^{\times}}{}_{Y^{\times}}\langle y^{\times} | \otimes \rho_{x^{\times} y^{\times}E} ,\nonumber \end{align} \tag{ 10 }$$

in formulas (9) and (10) we introduced the following notation

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ11} \rho_{x^{+} y^{+}E} &= \frac {{}_{y^+} \langle y^+ | \rho_{x^{+} BE}|y^+\rangle_{y^+} } {{{\rm Tr}}_{E} \{{}_{y^+} \langle y^+ | \rho_{x^{+} BE}|y^+\rangle_{y^+} \} } ,\nonumber \\ &\qquad \rho_{x^{\times} y^{\times}E} = \frac {{}_{y^{\times}} \langle y^{\times} | \rho_{x^{{\times}} BE}|y^+\rangle_{y^{\times}} } {{{\rm Tr}}_{E} \{{}_{y^{\times}} \langle y^{\times} | \rho_{x^{{\times}} BE}|y^{\times}\rangle_{y^{\times}} \} } .\nonumber \end{align} \tag{ 11 }$$

After measurements on the receiving side, Alice and Bob are connected by a binary, generally asymmetrical, classical communication channel (see figure 2) with transition probabilities

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ12} P_{X^+|Y^+}(X^+=x^+| y^+) = {{\rm Tr}}_{E} \{{}_{y^+} \langle y^+ | \rho_{x^{+} BE}|y^+\rangle_{y^+} \} , \nonumber \end{align} \tag{ 12 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ13} P_{X^{\times}|Y^{\times}}(X^{\times}=x^{\times}|y^{\times}) = {{\rm Tr}}_{E} \{{}_{y^{\times}} \langle y^{\times} | \rho_{x^{{\times}} BE}|y^{\times}\rangle_{y^{\times}} \} . \nonumber \end{align} \tag{ 13 }$$

Zoom In Zoom Out Reset image size

The asymmetry of the Alice–Bob communication channel arises, among other things, due to the different characteristics of avalanche single-photon detectors.

Finally, for density matrices in different bases, we find

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ14} & \rho_{X^{+}Y^{+ }}\nonumber \\ &= \sum_{x^{+}=0,1} \sum_{y^{+ }=0,1} P_{X^{+ }} (x^{+}) P_{X^{+ }|Y^{+ }}(X^{+ }=x^{+ }| y^{+ }) \nonumber \\ & |x^{+}\rangle_{X^{+ }}{}_{X^{+ }}\langle x^{+ }| \otimes |y^{+ }\rangle_{Y^{+ }}{}_{Y^{+ }}\langle y^{+ } | ,\nonumber \end{align} \tag{ 14 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ15} &\qquad \qquad \rho_{X^{\times}Y^{\times}}\nonumber \\ &= \sum_{x^{\times}=0,1} \sum_{y^{\times}=0,1} P_{X^{\times}}(x^+) P_{X^{\times}|Y^{\times}}(X^{\times}=x^{\times}| y^{\times})\nonumber \\ & |x^{\times}\rangle_{X^{\times}}{}_{X^{\times}}\langle x^{\times} | \otimes |y^{\times}\rangle_{Y^{\times}}{}_{Y^{\times}}\langle y^{\times} | .\nonumber \end{align} \tag{ 15 }$$

Transition probabilities in f-las (12)–(15) are expressed through the observed errors in the Alice–Bob communication channel (see figure 2)

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ16} &\qquad P_{X^{+ }|Y^{+ }}(X^{+ }=0^{+ }| 0^{+ })=1-Q_0^+ , \quad P_{X^{+ }|Y^{+ }}(X^{+ }=1^{+ }| 1^{+ })=1-Q_1^+ ,\nonumber \\ &P_{X^{\times }|Y^{\times }}(X^{\times }=0^{\times }| 0^{\times })=1-Q_0^{\times} , \quad P_{X^{{\times }}|Y^{{\times } }}(X^{{\times } }=1^{{\times } }| 1^{{\times } })=1-Q_1^{\times } .\nonumber \end{align} \tag{ 16 }$$

The summation rule for conditional (transitional) probabilities is

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ17} \sum_{y^+=0,1} P_{X^+ |Y^+} (X^+ = x^+ | y^+)=1 , \quad \sum_{y^+=0,1} P_{X^{\times }|Y^{\times } } (X^{\times }= x^{\times }| y^{\times})=1 . \nonumber \end{align} \tag{ 17 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ18} \sum_{x^+=0,1} P_{X^+ |Y^+} (x^+ | Y^+ = y^+)=1 , \quad \sum_{x^+=0,1} P_{X^{\times }|Y^{\times } } (x^{\times }| Y^{\times }= y^{\times})=1 . \nonumber \end{align} \tag{ 18 }$$

The entropy uncertainty relations link the conditional entropies of Alice–Eve and Alice–Bob in different bases. In the asymptotic limit of long sequences, the parameters of the classical Alice–Bob channel are known exactly, therefore the conditional Shannon entropies of Alice–Bob after the measurements of Bob are also known precisely. We have (see details in [12])

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ19} H(\rho_{X^{\times}E}|\rho_{E^{\times}}) + H(\rho_{X^+B}|\rho_{B^+}) \geqslant c , \nonumber \end{align} \tag{ 19 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ20} &H(\rho_{X^+E}|\rho_{E^{+}}) + H(\rho_{X^{\times}B }|\rho_{B^{\times}}) \geqslant c ,\nonumber \\ &\qquad \qquad c= - \max_{x^+,x^{\times}} \log|{}_{X^+}\langle x^+| x^{\times}\rangle_{X^{\times}}|^2=1 .\nonumber \end{align} \tag{ 20 }$$

As usual

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ21} H(\rho_{X^{+,\times}E}|\rho_{E^{+,\times}}) = H(\rho_{X^{+,\times}E}) - H(\rho_{E^{+,\times}}) , \nonumber \end{align} \tag{ 21 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ22} H(\rho_{X^{+,\times}B}|\rho_{B^{+,\times}}) = H(\rho_{X^{+,\times}B}) - H(\rho_{B^{+,\times}}) , \nonumber \end{align} \tag{ 22 }$$

$H(\rho) = -{{\rm Tr}}\{\rho \log \rho \}$—,

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ23} \rho_{X^{+,\times}E}={{\rm Tr}}_B \{\rho_{X^{+,\times}BE} \} , \quad \rho_{E^{+,\times}}={{\rm Tr}}_{X^{+,\times}B}\{\rho_{X^{+,\times}BE} \} \nonumber \end{align} \tag{ 23 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ24} \rho_{X^{+,\times}B}={{\rm Tr}}_E\{\rho_{X^{+,\times}BE} \} , \quad \rho_{B^{+,\times}}={{\rm Tr}}_{X^{+,\times}E}\{\rho_{X^{+,\times}BE} \} . \nonumber \end{align} \tag{ 24 }$$

We write the expression for estimating the key length in the basis of  +, taking into account (19) and (20), we have (see details in [13])

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ25} & \lim_{n\rightarrow \infty} \left(\frac{\ell^+}{n} \right)= H(\rho_{X^{+}E}|\rho_{E^{+}}) - H(\rho_{X^{+}B}|\rho_{B^{+}}) \geqslant 1\nonumber \\ & - H(\rho_{X^{\times}Y^{\times}}|\rho_{Y^{\times}}) - H(\rho_{X^{+}Y^{+}}|\rho_{Y^{+}}) ,\nonumber \end{align} \tag{ 25 }$$

where n is the number of registered parcels in the basis of  +. A similar expression holds for the key length $R ^ {\times}$ in the basis $\times$

It is important to note that in (25) it is implicitly implied that the number of registered n parcels in each basis is the same. Note that in the formula (25) inequality was used

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ26} H(\rho_{X^{+,\times}B}|\rho_{B^{+,\times}}) \leqslant H(\rho_{X^{+,\times}Y^{+,\times}}|\rho_{Y^{+,\times}}) . \nonumber \end{align} \tag{ 26 }$$

The length of the secret key in the asymptotic limit turns out to be the same in both bases  +  and $\times$. Informally, $H(\rho_{X^{+, \times} B} | \rho_{B^{+, \times}})$ in (25) has the meaning of a lack of information in the bits of Bob's Alice bit string, provided that Bob has at his disposal a quantum system correlated with Alice's string.

Errors can be different in different bases, and the channel, in general, within a single basis is asymmetric with respect to 0 and 1 (figure 2).

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ27} &H(\rho_{X^+Y^+}|\rho_{Y^+}) = \frac{1}{2} \left(\overline{h}(Q^+_0) + \overline{h}(Q^{+}_1) \right) ,\nonumber \\ &\qquad \quad H(\rho_{X^{\times}Y^{\times}}|\rho_{Y^{\times}}) = \frac{1}{2} \left(\overline{h}(Q^{\times}_0) + \overline{h}(Q^{\times}_1) \right) .\nonumber \end{align} \tag{ 27 }$$

Finally, to estimate the total length of the secret key in two bases in terms of each registered package, we get

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ28} R^{+\times} = &~R^{+} + R^{\times} = 1 - \frac{1}{2} \left(\overline{h}(Q^{\times}_0) + \overline{h}(Q^{\times}_1)\right.\nonumber \\ &\left. +\, \overline{h}(Q^+_0) + \overline{h}(Q^{+}_1) \right) , \nonumber \end{align} \tag{ 28 }$$

where notation is entered

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ29} h(x)= - x\log(x)-(1-x)\log(1-x) , \nonumber \end{align} \tag{ 29 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ30} &\overline{h}(Q^{+,\times}_0) = h (Q^{+,\times}_0) + (1-Q^{+,\times}_0 + Q^{+,\times}_1)\nonumber \\& \log(1- Q^{+,\times}_0 + Q^{+,\times}_1) , \nonumber \end{align} \tag{ 30 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ31} &\overline{h}(Q^{+,\times}_1) = h (Q^{+,\times}_1) + (1-Q^{+,\times}_1 + Q^{+,\times}_0)\nonumber \\ & \log(1- Q^{+,\times}_1 + Q^{+,\times}_0) , \nonumber \end{align} \tag{ 31 }$$

in the case of a binary symmetric classical communication channel Alice–Bob, $Q = Q^{\times} _0 = Q^{\times}_1 = Q^+_0 = Q^+_1$, the estimate for the secret key length is reduced to the known formula

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ32} R = R^{+} + R^{\times} = 1- 2 h(Q) . \nonumber \end{align} \tag{ 32 }$$

Note that in formulas (28) and (32) it is assumed that the number of registered n packages in different bases is the same. If the number of registered parcels is different, then as n you need to take the smallest value.

An example of the dependences of the length of the secret key as a function of the error is shown in figure 3.

Zoom In Zoom Out Reset image size

It is interesting to estimate at what value of the average number of photons in the coherent state the critical error ($Q_c\approx 11\%$) in the symmetric case ($Q^+=Q^{\times}$) is achieved. The error on receiving side $\newcommand{\e}{{\rm e}} Q(\mu,L)=\frac{p_d}{2p_d+ \mu\cdot \eta \cdot T(L)}$, where $\mu$—for a single-photon component, the typical quantum efficiency of the detector is $\newcommand{\e}{{\rm e}} \eta=0.1$, and the probability of dark counts per strobe is $p_d=5\cdot 10^{-6}$, $T(L)=10^{-\frac{\delta L}{10}}$—single-mode fiber channel transmission, typical single-mode fiber loss factor $\delta=0.2$ dB km⁻¹, L—the length of the communication channel. Under a channel length of L  =  100 km the critical error value is reached when $\mu\approx 0.04$, $Q_c(0.04,100)\approx 11\%$.

According to [13], the key secrecy criterion is formulated in terms of the trace distance. Let n the length of the raw key be the length of the bit sequence after matching the bases.

It was previously shown [13] that the trace distance is limited from above

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ33} ||\rho^{(\ell)}_{XE}- \rho^{(\ell)}_U\otimes \rho^{(\ell)}_{E}||_1\leqslant 2^{-\frac{1}{2}\left(H_{2}(\rho^{(n)}_{XE}|\rho^{(n)}_{E}C)- \ell \right) } , \nonumber \end{align} \tag{ 33 }$$

where C is the totality of classical information used in error correction, $H_{2} (\rho^{(n)}_{XE} | \rho^{(n)}_{E} C)$—second-order Renyi entropy [13], $\rho^{(n)}_{E}$ is the density matrix of Eve's quantum system before error correction.

Formula (33) implies that the density matrix $\rho^{(n)}_{XE}$ is known exactly. For legitimate users, the only value from which the density matrix can be estimated is the observed number of errors $\overline{Q}$. Based on the observed number of errors, it is possible to estimate the density matrix with only some variation. By these words, it is actually understood that the accuracy of determining the density matrices is fixed by some set of them. All that can be guaranteed is that the observed number of errors occurred from the measurement of density matrices from a given set with a probability of at least $1-\varepsilon_1$. The required probability (accuracy) of $1- \varepsilon_1$ is given by legitimate users.

The min entropy contains all the information about the attacks of Eve, by definition [13], we have

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ34} H_{min}^{\varepsilon_1}(\rho^{(n)}_{XE}|\rho^{(n)}_{E})= {{\rm sup}}_{\{\overline{\rho}^{(n)}_{XE}\in {{\mathcal B}}^{\varepsilon_1}(\rho^{(n)}_{XE}) \} } H_{min}(\overline{\rho}^{(n)}_{XE}| \overline{\rho}^{(n)}_{E}) . \nonumber \end{align} \tag{ 34 }$$

Here, $\overline{\rho}^{(n)}_{XE}$ is a set of density matrices that ensure that an observable number of errors occur in their measurement with a probability of at least $1- \varepsilon_1$.

Smooth max entropy is directly related to the number of errors on the receiving side, and gives the minimum number of bits that are required to correct errors with a probability of success of at least $1- \varepsilon_1$. By definition [13]

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ35} H_{max}^{\varepsilon_1}(\rho^{(n)}_{XE}|\rho^{(n)}_{E})= {{\rm inf}}_{\{\overline{\rho}^{(n)}_{XE}\in {{\mathcal B}}^{\varepsilon_1}(\rho^{(n)}_{XE}) \} } H_{max}(\overline{\rho}^{(n)}_{XE} | \overline{\rho}^{(n)}_{E}) , \nonumber \end{align} \tag{ 35 }$$

where the upper and lower faces are taken from the $\varepsilon_1$ density matrices—close in the sense of trace distance, $\overline{\rho}^{(n)}_{XE}\in {{\mathcal B}}^{\varepsilon_1}(\rho^{(n)}_{XE})$, $|| \rho^{(n)}_{XE}- \overline{\rho}^{(n)}_{XE}||_1<\varepsilon_1$.

Further, in view of (34), using a chain of inequalities [13], we have

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ36} H_{2}(\rho^{(n)}_{XE}|\rho^{(n)}_{E}C) \geqslant H_{min}^{\varepsilon_1}(\rho^{(n)}_{XE}|\rho^{(n)}_{E}C) \geqslant H_{min}^{\varepsilon_1}(\rho^{(n)}_{XE}|\rho^{(n)}_{E}) - leak_n . \nonumber \end{align} \tag{ 36 }$$

In fact, this means that a maximum is reached on the density matrix $\rho^{(n)}_{XE}$, since the space is finite-dimensional and compact, then $H_{min}^{\varepsilon_1}(\rho^{(n)}_{XE}|\rho^{(n)}_{E})=H_{min}(\rho^{(n)}_{XE}|\rho^{(n)}_{E})$. Further, C is the entire set of classical information used in error correction, where $leak_n = \log | C |$ is information in bits output through the open channel during error correction. If you include information in the leak, information to verify the identity of Alice's and Bob's cleaned keys, leak_n is replaced by $leak_n = \log | C | + \log (2^M) = \log | C | + M$, where M is the number of bits output by Alice and Bob through an open communication channel when verifying the identity of cleared keys.

Taking (36) into account, one can pass from the second-order Renyi entropy to the minimum entropy (see details in [13] section 5.6), we have

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ37} ||\rho^{(\ell)}_{XE}- \rho^{(\ell)}_U\otimes \rho^{(\ell)}_{E}||_1\leqslant \varepsilon= \varepsilon_1+ 2^{-\frac{1}{2}\left(H_{min}^{\varepsilon_1}(\rho^{(n)}_{XE}|\rho^{(n)}_{E})-leak_n - \ell \right) } . \nonumber \end{align} \tag{ 37 }$$

If the length of the secret key $\newcommand{\e}{{\rm e}} \ell$ is

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ38} \ell \leqslant H_{min}^{\varepsilon_1}(\rho^{(n)}_{XE}|\rho^{(n)}_{E})-leak_n-\log\left(\frac{1}{\varepsilon_1} \right) , \quad \varepsilon_1=\frac{\varepsilon}{2} . \nonumber \end{align} \tag{ 38 }$$

This fulfills the secrecy criteria (33). Keys that satisfying condition (33) are usually called $\varepsilon$—secret².

The entropy uncertainty relations for smooth entropies eliminate the finding of the optimal eavesdropper attack, but do not eliminate the need to know the density matrix itself. $\rho^{(n)}_{XE}$. Evaluation of information leakage to Eve is made through the evaluation of the smooth conditional classical max entropy Alice–Bob, which is estimated from the observed number of errors. The lower bound for $H_{min}^{\varepsilon_1} (\rho^{(n)}_{XE} | \rho^{(n)}_{E})$ can be obtained only from the number of errors at the receiving using the entropy uncertainty relations [14], we have

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ39} H_{min}^{\varepsilon_1}(\rho^{(n)}_{X^+E}|\rho^{(n)}_{E^+})+ H_{max}^{\varepsilon_1}(\rho^{(n)}_{X^{\times}B}|\rho^{(n)}_{B^{\times}}) \geqslant c\cdot n , \nonumber \end{align} \tag{ 39 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ40} &H_{min}^{\varepsilon_1}(\rho^{(n)}_{X^{\times}E}|\rho^{(n)}_{E^{\times}})+ H_{max}^{\varepsilon_1}(\rho^{(n)}_{X^{+}B}|\rho^{(n)}_{B^{+}}) \geqslant c\cdot n ,\nonumber \\ &\qquad \qquad c= - \max_{x^+,x^{\times}} \log|{}_{X^+}\langle x^+| x^{\times}\rangle_{X^{\times}}|^2=1 ,\nonumber \end{align} \tag{ 40 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ41} \rho^{(n)}_{X^{+,\times}B} = {{\rm Tr}}_E\{\rho^{(n)}_{X^{+,\times}BE} \} , \quad \rho^{(n)}_{B^{+,\times}} = {{\rm Tr}}_{X^{+,\times}E}\{\rho^{(n)}_{X^{+,\times}BE} \} , \nonumber \end{align} \tag{ 41 }$$

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ42} \rho^{(n)}_{X^{+,\times}Y^{+,\times}} = {{\rm Tr}}_E\{\rho^{(n)}_{X^{+,\times}Y^{+,\times}E} \} , \quad \rho^{(n)}_{Y^{+,\times}} = {{\rm Tr}}_{X^{+,\times}E}\{\rho^{(n)}_{X^{+,\times}Y^{+,\times}E} \} , \nonumber \end{align} \tag{ 42 }$$

where $\rho^{(n)}_{X^{+,\times}BE}$—the joint density matrix Alice–Bob–Eve in the corresponding basis before the measurements of Bob, and $\rho^{(n)}_{X^{+, \times} Y^{+, \times}}$—the density matrix Alice–Bobs after Bob's measurement. The bob bit string containing errors $y^{+, \times} \in {{\mathcal Y}} = \{0,1 \}^n$ in the corresponding basis. In the same way as in (19) and (20) there are inequalities

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ43} & H_{min}^{\varepsilon_1}(\rho^{(n)}_{X^+E}|\rho^{(n)}_{E^+}) \geqslant n - H_{max}^{\varepsilon_1}(\rho^{(n)}_{X^{\times}B}|\rho^{(n)}_{B^{\times}}) \nonumber \\ &\geqslant n - H_{max}^{\varepsilon_1}(\rho^{(n)}_{X^{\times}Y^{\times}}|\rho^{(n)}_{Y^{\times}}) ,\nonumber \\ &H_{min}^{\varepsilon_1}(\rho^{(n)}_{X^{\times}E}|\rho^{(n)}_{E^{\times}}) \geqslant n - H_{max}^{\varepsilon_1}(\rho^{(n)}_{X^{+}B}|\rho^{(n)}_{B^{+}}) \nonumber \\ &\geqslant n - H_{max}^{\varepsilon_1}(\rho^{(n)}_{X^{+}Y^{+}}|\rho^{(n)}_{Y^{+}}) .\nonumber \end{align} \tag{ 43 }$$

Once again, we note that the number of registered packages n in (43) is assumed to be the same in different bases.

Usually, to estimate the probability of error, a part of the registered sequence is disclosed and the observed number of errors is calculated in the opened part, from which an estimate is made about the true probability of errors. Further, according to this estimate of the error probability, the smooth max entropy is estimated.

We will follow a slightly different logic on estimating the probability of error. Adaptive error correction procedures based on LDPC codes [15, 16] allow you to immediately begin error correction without first estimating the error probability, i.e. without actually disclosing part of the registered parcels.

Alice sends the states corresponding to 0 and 1 in different bases with equal probability. Due to the different quantum efficiency of two avalanche detectors, different numbers of 0 and 1 can be registered. We denote these numbers as $n^+_0$, $n^+_1$, $n^{\times}_0$, $n^{\times}_1$, inside each basis. At the same time, the uncertainty ratios (39), (40) and (43) include the same number of recorded parcels in different bases, so it is inevitable that the number of registered parcels must be equalized.

The alignment procedure is as follows. After the transmission of a series of states, Bob informs Alice of the position of the parcels, where he registered the counts and which measurement basis he chose. The values of the bits in each position are kept secret. Further, knowing the number of registered positions in each basis for 0 and 1 $\{n^+_0, n^+_1, n^{\times}_0, n^{\times}_1 \}$, Alice determines the number of positions $n = 2 \overline{n}$ to be used to get the key $\overline{n} = \min{\{n^+_0, n^+_1, n^{\times}_0, n^{\times}_1 \}}$.

Extra positions are randomly discarded by Alice during the alignment, and the numbers of the positions being discarded are reported to Bob. After this stage, the number of packages in each basis is the same. After that, Alice and Bob correct the errors. As a result, the sequence length remains $n = 2 \overline{n}$ in each basis, namely, this sequence length appears in the formulas below.

After error correction, a procedure is performed to verify the identity of the cleared keys between Alice and Bob. For example, the M multiplication rounds of the cleared key with the public random common bit string of Alice and Bob, which is transmitted through the open classical communication channel, and the subsequent calculation of the parity bit in each round, guarantee that the parity bits match if the cleared keys match $1-\frac{1}{2^M}=1-\varepsilon_M$.

After error correction, Bob knows the number of corrected positions, as well as the number of corrections $0 \rightarrow 1$ and the number of corrections $1 \rightarrow 0$ in each of the bases. Knowing the number of corrections, Bob can get an estimate of transition probabilities in the Alice–Bob channel, which allows him to get an estimate of the parameters of the Alice–Bob channel $\overline{Q}^{+, \times}_{0,1}$ (see figure 2).

Under the approach used, the observed number of errors $\overline{Q}^{+, \times}_{0,1}$ on the receiving side allows Alice and Bob to obtain an estimate of the parameter $Q^{+, \times}_{0, 1}$, which appears in the entropy uncertainty relations (39), (40) and (43).

Let uss keep the designation for the number of registered parcels in each basis after alignment: $n^{+,\times}_{0,1}$—the number of registered packages on the receiving side, for example, $n^{+}_{0}$ is the number of registered packages by Bob on the basis of  +, when Alice sent the states 0⁺ . After the error correction stage, Bob knows the total number of registered packages $n^{+, \times}_{0,1}$ for each bit, respectively, knows the number of corrected positions in each sequence $n^{+, \times}_{0,1}$ parcels, i.e. can find an estimate of the magnitude of the error $Q^{+, \times}_{0,1}$ in each sequence. This information is enough for Bob to get an estimate of the error probability $Q^{+, \times}_{0,1}$ with an accuracy of the width of the confidence interval $Q^{+,\times}_{0,1}\in [\overline{Q}^{+,\times}_{0,1}-\delta, \overline{Q}^{+,\times}_{0,1}+\delta]$. The width of the confidence interval $\delta$ is chosen by Alice and Bob.

Fixing the width of the confidence interval $\delta$ ensures that the probability of an event $\overline{Q}^{+, \times}_{0,1} \in [Q^{+, \times}_{0,1} - \delta, Q^{+, \times}_{0,1} + \delta]$ not less than $1- \varepsilon_{\delta, n^{+, \times}_{0,1}}$. Accordingly, the probability of occurrence of a larger (or smaller) number of errors will be no more than $\varepsilon_{\delta, n}$, when calculating the conditional probability for a given parameter $\overline{Q}^{+, \times}_{0,1}$ used inequality [17], we find,

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ44} &{{\rm Pr}}\{|\overline{Q}^{+,\times}_{0,1}-Q^{+,\times }_{0,1}| \leqslant \delta | \overline{Q}^{+,\times}_{0,1} \} {{\rm Pr}}\{\overline{Q}^{+,\times}_{0,1} \} \nonumber \\ &\geqslant (1-\varepsilon_{\delta, n^{+,\times }_{0,1}}) (1-\varepsilon_M) ,\nonumber \\ & \varepsilon_{\delta, n^{+,\times}_{0,1},M} = \varepsilon_{M} + \varepsilon_{\delta, n^{+,\times}_{0,1}} , \nonumber \\ & \varepsilon_{\delta, n^{+,\times}_{0,1}} = 2\exp{(-2\delta^2 n^{+,\times}_{0,1}) } ,\nonumber \end{align} \tag{ 44 }$$

${{\rm Pr}} \{{{\rm Observed~Errors}}=\overline{Q}^{+,\times}_{0,1} \}= {{\rm Pr}} \{\overline{Q}^{+,\times}_{0,1} \} = 1-\varepsilon_M$—the probability that the observed number of errors in Bob's error correction is $\overline{Q}^{+, \times}_{0,1}$ really coincides with the true number of errors. Since the correction code may not completely correct the errors, but the identity verification procedure will not notice this with a probability of no more than $\frac{1}{2^M} = \varepsilon_M$. Do not confuse the observed number of errors in Bob $\overline{Q}^{+, \times}_{0,1}$ with the true number of errors in this series, as well as with true parameters of the channel Alice and Bob $Q^{+,\times}_{0,1}$.

Then $n^+_0$, $n^+_1$, $n^{\times}_0$, $n ^ {\times}_1$—registered sequences 0 and 1 in different bases, $Q^{+, \times}_{0,1}$ true values of Alice–Bob channel parameters, and $\overline{Q}^{+, \times}_{0,1}$ are the observed parameters of the Alice–Bob channel (figure 2) that Bob receives after error correction, and $n=n^+_0 + n^+_1$, $n=n^{\times}_0 + n^{\times}_1$, $n^+_0\approx n^+_1$, $n^{\times}_0 \approx n^{\times}_1$.

The estimation of the error probability in the Alice–Bob channel (figure 2) is performed separately in each basis and separately for each sequence of bits from 0 and 1.

Knowing the error probability estimate makes it possible to calculate the lower bound for smooth max entropy,

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ45} & H^{\varepsilon_{\delta,n,M}}_{max}\left(\rho_{X^{+,\times}Y^{+,\times}}^{(n)} (Q^{+,\times}_{0,1}) |\rho_{Y^{+,\times}}^{(n)}(Q^{+,\times}_{0,1}) \right)\nonumber \\ &= {{\rm inf}}_{\{\overline{\rho}_{X^{+,\times}Y^{+,\times}}^{(n)}(Q^{+,\times}_{0,1}) : |Q^{+,\times}_{0,1}-\overline{Q}^{+,\times}_{0,1}| \leqslant \delta\} } \nonumber \\ &H_{max}(\overline{\rho}_{X^{+,\times}Y^{+,\times}}^{(n)}(Q^{+,\times}_{0,1}) |\overline{\rho}_{Y^{+,\times}}^{(n)}(Q^{+,\times}_{0,1})) .\nonumber \end{align} \tag{ 45 }$$

We use the statistical interpretation (44) as applied to density matrices. Calculation of max entropy in (45) implies minimization of density matrices, which give the observed number of errors on the receiving side $\overline{Q}^{+, \times}_{0,1} \in [Q^{+, \times}_{0,1} - \delta, Q^{+, \times}_{0,1} + \delta]$ with a probability of at least $1- \varepsilon_ {\delta, n^{+, \times}_{0,1}, M}$. Accordingly, the likelihood that the observed number of errors will come from $\overline{Q}^{+, \times}_{0,1} \overline{\in} [Q^{+, \times}_{0,1} - \delta, Q^{+, \times}_{0,1} + \delta]$, no more than $\varepsilon_{\delta, n^{+, \times}_{0,1}, M}$.

In fact, this means that any density matrix with the $Q^{+, \times}_{0,1}$ parameter from the confidence interval will give the observed number of errors $\overline{Q}^{+, \times}_{0,1} \in [Q^{+, \times}_{0,1} - \delta, Q^{+, \times}_{0,1} + \delta]$ with probability at least $1- \varepsilon_{\delta, n, M}$. At this point, a homogeneous estimate of the parameter $Q^{+, \times}_{0,1}$ is important—the independence of the probability from the observed number of errors $\overline{Q}^{+, \times}_{0,1}$. Accordingly, in the opposite direction, the homogeneity of the assessment ensures that the probability the appearance of $\overline{Q}^{+, \times}_{0,1}$ errors from the interval $\overline{Q}^{+, \times}_{0,1} \in [Q^{+ , \times}_{0,1} - \delta, Q^{+, \times}_{0,1} + \delta]$ depends only on its width.

It was previously shown [18] that equality in entropy uncertainty relations in the asymptotic limit is achieved on density matrices that have the structure of a tensor product. An eavesdropping attack was also clearly built, respectively, the density matrix, on which the lower limit of the uncertainty relations is reached. There is a Bernoulli test scheme between Alice and Bob with parameters $Q^{+,\times}_{0,1}\in [\overline{Q}^{+,\times}_{0,1} - \delta, \overline{Q}^{+,\times}_{0,1}+\delta]$ in the corresponding branches of the Alice–Bob channel. In this case, the calculation of max entropy on density matrices having the structure of a tensor product makes it possible to obtain more accurate estimates. When calculating the min entropy in (45) and (48), you can use the immediate estimate for the smooth max entropy. Conservatively, we assume that the parameter $Q^{+, \times}_{0,1}$ lies on the upper boundary of the confidence interval $Q^{+, \times}_{0,1} = \overline{Q}^{+, \times}_{0,1} + \delta$. Since the density matrices from this set have the structure of a tensor product, (see, details in [18])

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ46} & \rho_{X^{+,\times} Y^{+,\times}}(Q^{+,\times}_{0,1})= \frac{1}{2} |0^{+,\times}\rangle_{X^{+,\times}}{}_{X^{+,\times}}\langle 0^{+,\times}| \nonumber \\ &\left\{(1-Q^{+,\times}_0) |0^{+,\times}\rangle_{Y^{+,\times}}{}_{Y^{+,\times}}\langle 0^{+,\times} | + Q^{+,\times}_0 |1^{+,\times}\rangle_{Y^{+,\times}}{}_{Y^{+,\times}}\langle 1^{+,\times} | \right\}\nonumber \\ &+ \frac{1}{2} |1^{+,\times}\rangle_{X^{+,\times}}{}_{X^{+,\times}}\langle 1^{+,\times}| \left\{(1-Q^{+,\times}_1) |1^{+,\times}\rangle_{Y^{+,\times}}{}_{Y^{+,\times}}\langle 1^{+,\times} | + Q^{+,\times}_1 |0^{+,\times}\rangle_{Y^{+,\times}}{}_{Y^{+,\times}}\langle 0^{+,\times} | \right\} . \nonumber \end{align} \tag{ 46 }$$

The reduced Bob's density matrix

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ47} &\qquad \qquad \qquad \rho_{Y^{+,\times}}(Q^{+,\times}_{0,1})\nonumber \\ &= \frac{1}{2} \left\{(1-Q^{+,\times}_0+ Q^{+,\times}_1) |0^{+,\times}\rangle_{Y^{+,\times}}{}_{Y^{+,\times}}\langle 0^{+,\times} | + (1-Q^{+,\times}_1+ Q^{+,\times}_0) |1^{+,\times}\rangle_{Y^{+,\times}}{}_{Y^{+,\times}}\langle 1^{+,\times} | \right\} .\nonumber \end{align} \tag{ 47 }$$

Conditional smooth max entropy is classic one

$$\begin{align*} \newcommand{\e}{{\rm e}} \displaystyle H^{\varepsilon_{\delta,n,M+,\times }}_{max}(\rho_{X^{+,\times}Y^{+,\times}}^{\otimes n} (Q^{+,\times}_{0,1}) | \rho_{Y^{+,\times}}^{\otimes n}(Q^{+,\times}_{0,1})) = H^{\varepsilon_{\delta,n,M,+,\times}}_{max} (P_{X^{+,\times}Y^{+,\times}}^{n} | P_{Y^{+,\times}}^{n}) , \nonumber \end{align*}$$

where distrubutions $P_{X^{+,\times}Y^{+,\times}}^{n} P_{Y^{+,\times}}^{n}$—of sequences $(x^n, y^n) \,=$ $((x_{i_1}y_{i_1}), (x_{i_2}, y_{i_2}),.(x_{i_n}, y_{i_n})) y^n =(y_{i_1}, y_{i_2},...y_{i_n})$.

For calculations, it is more convenient to use the equivalent definition of smooth max entropy [19]

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ48} &H^{\varepsilon_{\delta,n,M,+,\times}}_{max} (P_{X^{+,\times}Y^{+,\times}}^{n} | P_{Y^{+,\times}}^{n})\nonumber \\ &\qquad = -\min_{\Omega^{+\times}} \max_{y^n} \log | x^n : P_{X^{+,\times}|Y^{+,\times}}^{n} (x^n|Y^n=y^n)>0 | ,\nonumber \end{align} \tag{ 48 }$$

where the probability of the event is ${{\rm Pr}} [\Omega]> 1 \,-$ $\varepsilon_ {\delta, n, M, +, \times}$. The $\Omega$ event is itself the intersection of events. $\Omega = \Omega_M \cap \Omega_{0^{+, \times}} \cap \Omega_{1^{+, \times}}$, where $\Omega_M$ is an event that passed the test for verifying the identity of the cleared keys.

Event probability ${{\rm Pr}} [\Omega_M]> 1 - \varepsilon_{M}$—passing the test means that the observed error rates $\overline{Q}^{+, \times}_{0,1}$ is really equal to the number of errors in Bob, i.e. all errors are fixed.

The events $\Omega_{0^{+, \times}}$ and $\Omega_{1^{+, \times}}$ mean that the distributions with parameters from the confidence interval around the error rate $\overline{Q}^{+, \times}_{0,1}$ will give the number of errors not more than $n (\overline{Q}^{+, \times}_{0,1} + \delta)$ with probability at least ${{\rm Pr}} [\Omega_{0^{+, \times}, 1^{+, \times}}]> 1- \varepsilon^{+, \times}_{0,1}$. As a result, the probability of an event $\Omega$ ${{\rm Pr}}[\Omega]>1 - \varepsilon_M-\varepsilon_{0^{+,\times}}-\varepsilon_{1^{+,\times}} = 1-\varepsilon_{\delta,n,M,+,\times}$.

The value (48) is the logarithm of the number of sequences, which with probability at least $1- \varepsilon_{\delta, n, M, +, \times}$ give the observed error rate in sequences 0 and 1 in the bases  +  and $\times$.

In fact, the smoothing procedure is reduced to discarding unlikely events—sequences that can give a greater number of observed errors with a probability of no more than $\varepsilon_{\delta,n,M,+,\times}$.

As a result, for smooth conditional max entropy, we obtain (see also [13])

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ49} &H^{\varepsilon_{\delta,n,M}}_{max}(\rho_{X^{+,\times}Y^{+,\times}}^{\otimes n} (Q^{+,\times}_{0,1}) | \rho_{Y^{+,\times}}^{\otimes n}(Q^{+,\times}_{0,1})) \nonumber \\ &\quad \leqslant n \left(\frac {\overline{h}(Q^{+,\times}_0) + \overline{h}(Q^{+,\times}_1) } {2} + \log(5) \sqrt{\frac{\log \left(\frac{1}{\varepsilon_{\delta,n,M,+,\times} } \right) } {n } } \right) .\nonumber \end{align} \tag{ 49 }$$

In view of (43) we find

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ50} &H^{\varepsilon_{\delta,n}}_{min}(\rho_{X^{+,\times}E}^{\otimes n} (Q^{+,\times}_{0,1}) | \rho_E^{\otimes n}(Q^{+,\times}_{0,1}))\nonumber \\ &\qquad \geqslant n \left(1- H^{\varepsilon_{\delta,n,M}}_{max}(\rho_{X^{+,\times}Y^{+,\times}}^{\otimes n} (Q^{+,\times}_{0,1}) | \rho_{Y^{+,\times}}^{\otimes n}(Q^{+,\times}_{0,1})) \right) .\nonumber \end{align} \tag{ 50 }$$

All functions in (49) and (50) are expressed in terms of the observed number of errors. $\overline{Q}^{+, \times}_{0,1}$ and the value of the confidence interval $\delta$, which is selected by legitimate users and the secrecy parameter is determined $\varepsilon_{\delta,n,M}$.

Taking into account (29)–(31), (49) and (50), we obtain an estimate for the total length of the secret key in both bases ($l^{+ \times}$)

$$\begin{align} \newcommand{\e}{{\rm e}} \displaystyle \label{equ51} & \ell^{+\times}= \ell^+ + \ell^{\times}= 2 n \left(1- \frac{1}{4} \left(\overline{h}(Q^+_{0}) + \overline{h}(Q^+_{1}) + \overline{h}(Q^{\times}_{0}) + \overline{h}(Q^{\times}_{1}) \right) \right.\nonumber \\ &\left. - leak^{\times}_n - leak^{+}_n - 2\log(5) \sqrt{\frac{\log \left(\frac{1}{\varepsilon_{\delta,n,M,+ } } \right) } {n } } \right) ,\nonumber \end{align} \tag{ 51 }$$

where $leak^{+, \times}_n$ is the actual number of bits opened through the classical communication channel between Alice and Bob with error correction in the  +  and $\times$ bases.

In conclusion, we note one important feature of the implementation of this protocol. Since the measurement of states in the $\times$ basis is not related to interference (see figure 1), there is no error in the measurement in this basis, which can occur due to inaccurate balancing of the interferometer. The error in this basis in the absence of an eavesdropper is associated only with dark counts of the detectors. For this reason, an error in this basis may exceed a critical value in $11 \%$, which occurs in the symmetric case. For example, if the error is $Q^+\approx 11 \%$ in the basis of  +  (which corresponds to the visibility of the interferometer only $V = 1- 2Q^+ \approx 78 \%$), and if there is an error in the basis $\times$ in $Q^{\times} \approx 7 \%$, it is still possible to get the secret key that the protocol does more sustainable when implemented.

We thank our colleagues from the Academy of Cryptography of the Russian Federation for discussions and support. The author also thanks I M Arbekov, K A Balygin, S P Kulik and A N Klimov for numerous discussions. The work was supported by a grant from the the RSF (no. 16-12-00015; continuation).