Security of six-state quantum key distribution protocol with threshold detectors

The security of quantum key distribution (QKD) is established by a security proof, and the security proof puts some assumptions on the devices consisting of a QKD system. Among such assumptions, security proofs of the six-state protocol assume the use of photon number resolving (PNR) detector, and as a result the bit error rate threshold for secure key generation for the six-state protocol is higher than that for the BB84 protocol. Unfortunately, however, this type of detector is demanding in terms of technological level compared to the standard threshold detector, and removing the necessity of such a detector enhances the feasibility of the implementation of the six-state protocol. Here, we develop the security proof for the six-state protocol and show that we can use the threshold detector for the six-state protocol. Importantly, the bit error rate threshold for the key generation for the six-state protocol (12.611%) remains almost the same as the one (12.619%) that is derived from the existing security proofs assuming the use of PNR detectors. This clearly demonstrates feasibility of the six-state protocol with practical devices.

Quantum key distribution (QKD) allows legitimated users to securely communicate, and the security of QKD, especially qubit-based QKD, has been well studied so far [1].Since we have to assume any possible attack when we consider the security, the assumption of qubit-detection must be confirmed or at least its fraction must be estimated with the use of photon number resolving detectors, detector decoy idea [2], or estimation method via monitoring the double click event [3], all of which require some modifications to QKD protocols.
Another approach for the security proof of QKD with threshold detectors is to consider the so-called squash operator [4] which squashes an optical mode down to a qubit state.This approach only requires to assign the double-click event (detectors "0" and "1" simultaneously click) to a random bit value, which is reasonable [5].The existence of the squash operator for BB84-type measurement has been proven [6,7], i.e., the statistics of the outcomes of the BB84 measurement can be interpreted as if it stemmed from the BB84 measurement on qubits whatever optical signal Bob actually receives.
One might think that the squash operator should exist for any measurement with two outcomes, including the measurement of the six-state protocol [8], where we perform measurements along a basis, Y basis, in addition to X and Z bases in BB84.In the case of the qubit-based six-state protocol, the measurement along the extra basis lets us learn more about Eve's information gain, resulting in a higher bit error rate threshold than that of BB84, which is a main advantage of the qubit-based six-state protocol over BB84.Unfortunately, it turns out that the squash operator for the six-state protocol is proven not to exist [7], and it is unknown whether the advantage still holds with the use of threshold detectors.
Intuitively, sending more than one-photon is not useful for the eavesdropping since it may only increase the bit error rate, and it is hard to imagine that the advantage of the qubit-based six-state protocol suddenly vanishes once we lose information about which signal is a singlephoton.In other words, to consider the security of the six-state protocol with threshold detectors is to consider the robustness of a qubit-based QKD protocol even if there is no squash operator.This is indeed one of the essential features that any practical qubit-based QKD must possess, and this issue must be seriously taken into account for the design of a qubit-based QKD protocol.
In this letter, we prove the robustness of the six-state protocol by showing the bit error rate threshold remains almost the same (12.611%)compared to the one of the qubit-based six-state protocol (12.619%).This result shows that sending multiple photons hardly helps Eve, which confirms the intuition mentioned above.The rate is clearly larger than the rate of BB84 with threshold detectors (11.002%) [6,7], and this demonstrates the advantage of using two additional states in the practical situation.We remark that our work assumes the use of a single-photon as the information carrier, but we can trivially accommodate the use of an attenuated laser source by GLLP idea [4].
This letter is organized as follows.We start with a brief description of how the protocol works, and then we move on to relatively long outlining the proof, and we devote the rest of the paper to a more detailed explanation.Finally, we summarize this letter.
Since polarization state of a single-photon and the 1 2spin state are mathematically equivalent, we use 1  2 -spin notation for the explanation in this letter.In the sixstate protocol, Alice first generates a random bit value b = −1, 1 and choose one basis α randomly out of three bases X, Y , and Z.Then, she sends over a quantum channel a qubit with state being |α b that is the eigen state of α basis of 1  2 -spin whose eigen value is b/2.Bob randomly chooses one basis randomly out of the three bases, and he measures the spin along the chosen di-rection.Alice and Bob compare over a public channel the bases they used, and keep the bit value if the bases match, othrewise discard it.Alice and Bob repeat this step many times, and they apply bit error correction [9] and privacy amplification [9] to the resulting bit string (sifted key), and they share the key.
Next, we outline our proof.Our proof employs the security proof based on complementarity scenario proposed by Koashi [10].In this proof, we consider two protocols, one is the actual protocol which Alice and Bob actually conduct, and the other one is a virtual protocol.Let us assume that Alice has a qubit state, which may be fictitious, and let Z basis be Alice's key generating qubit basis.The goal of the actual protocol is that Bob agrees on Alice's bit values along Z basis.On the other hand, the goal of the virtual protocol is to create an eigen state of an observable X, which is conjugate to Z, with the help of Alice and Bob's arbitrary quantum operations that commute with Alice's key generating measurement.It is proven that if Alice and Bob are free to choose which protocol to execute after the actual classical and quantum communication and if they can accomplish its goal whichever choice they have made, then unconditionally secure key can be distilled.
In order to define Alice's qubit in the six-state protocol, suppose that Alice first prepares a qubit pair in the state [11] (we choose this singlet state to fully make use of its symmetry later), measures one of the qubit by X, Y , or Z-basis, and sends the other qubit to Bob.Since this process outputs the exactly the same state as the one of the actual protocol, we are allowed to work on this scenario without losing any generality.In the case that we consider the security of the key generated along Z basis, and once Alice and Bob can generate |X 1 state in Alice's side in the virtual protocol then we are done since the agreement on the bit value in the actual protocol can be trivially made via classical error correction over a public channel (the syndrome is either encrypted [12] or not [13]).
For the generation of |X 1 state, an important quantity is the so-called phase error rate, which is the ratio that Bob's estimation of Alice's bit string in X-basis results in erroneous, and if the estimation of the phase error rate is exponentially reliable then Alice can generate |X 1 by random hashing along X-basis [12][13][14].More precisely, the key generation rate G, assuming a perfect bit error correcting code, can be expressed as Here, n sif is the empirical probability of having the sifted key, H(X) is Shannon entropy of the bit error, and H(Z|X) is Shannon entropy of the phase error conditional on the bit error pattern.In other words, n sif H(X) is the number of the hashing along Z-basis needed for the agreement of the bit values in the actual protocol and n sif H(Z|X) is the one along X-basis needed for the generation of the X-basis eigen state in the virtual protocol [10].Hence, the key for the improvement in the key generation rate is how to minimize the conditional entropy H(Z|X).
For the estimation, we assume without loss of generality that states received by Bob are classical mixtures of photon number eigen states, and let P N be the probability of receiving a state having N photons [15].Since we have no direct access to P N , we have to assume the worst case scenario where Eve maximizes the induced phase error rate by classically mixing up each photon number state and sending them to Bob.As we will see later, it can be proven that states with photon number being greater than 3 induces too much bit errors and we can neglect those states for the analysis.Hence, we can concentrate only on N = 1, 2, 3 cases, and especially we want to derive the corresponding mutual information between the bit and phase errors.
To compute the mutual information, we introduce Bob's qubit by employing the BB84 squash operator, and we have to estimate what statistics we would have obtained if we had performed the measurement along Ỹ basis onto the resulting qubit (here, "tilde" means that this is about a qubit space and fictitous).In general, the actual Bob's measurement along Y basis does not coincide with the measurement along Ỹ basis, however they do only when N = 1, 2 thanks to the existence of the squash operator for the six-state protocol [7].This gives the same mutual information for N = 1, 2 as the one of the qubit-based six-state protocol.We note that to employ BB84 squash, we have to randomly pick up two bases (for the explanation, we assume that we have chosen X and Z bases) out of the three bases in the actual protocol.This random choice does not change the actual protocol at all.The reason is that we can always split the basis choice into two steps: the first one is the choice of two bases out of the three and then one basis is chosen from the two.Moreover, we assume in the actual protocol that Alice and Bob perform joint random bit-flip operation to make the analysis simpler.
To analyze N = 3 case, we use the symmetry of the density operator.As a result, we can estimate the mutual information.Finally, by mixing up the photon number state N = 1, 2, 3 based on the worst case scenario, we show that the bit error rate threshold for the six-state protocol with threshold detectors is 12.611%.This is the end of outlining the proof, and we explain why N ≥ 3 can be neglected and the derivation of the bit error rate threshold in what follows, in which we take the asymptotic limit such that the number of the pulses is infinite and we neglect statistical fluctuations.
Our goal is to minimize H(Z|X), and observe that this quantity can be rewritten as the convex combination of the conditional Shannon entropy H(Z|X) = ∞ N =1 P N H(Z|X) (N ) , where H(Z|X) (N ) is the conditional Shannon entropy that is derived from N -photon detection event by Bob.Imagine that we make a twodimensional (2D) plot of H(Z|X) (N ) as a function of the bit error rate e b .The convex combination suggests that we have to consider a convex hull, each of whose extreme points corresponds to e b , H(Z|X) (N ) in the 2D plane.Thanks to the existence of the squash operator ) and H(Z|X) (1,2) .We can neglect any point in the gray-filled regime for the security.
for the six-state protocol [7], the plot of H(Z|X) (1,2) ≡ H(Z|X) (N ) for N = 1, 2 is the same as the one of the qubit-based six-state protocol [8], which is expressed as Here, h(x , and H(Z|X) (1,2) is depicted in Fig. 1  Note that H(Z|X) (N ) for any N ≥ 3 can never be larger than h(e b ) (dotted line) as we use the squash operator for BB84.Also note that the dotted and dashed lines are concave, and an achievable point can be generated by the convex combination of a point along the dashed line and a point below the dotted line such that the average bit error rate coincides with the observed error rate.Suppose that we take convex combination of a point along the dashed line whose bit error rate is lower than the bit error rate of B (12.619..%) and a point in the gray-filled region.Since this convex combination only decreases the mutual information, it follows that we neglect any photon number state whose minimum bit error rate is larger than the bit error rate of C (25.677...%).According to analysis in [16], it turns out that the minimum bit error rate is strictly larger than 25.677...% for N ≥ 4 (note that the minimum bit error rate is not zero for N ≥ 2 since only the singlet state (N = 1) has the symmetry that has the zero bit error rate).Thus, we are left with working only on N = 3 case.
For the derivation of H(Z|X) (3) , we first consider symmetrization of the state ρ that is generated by {R α } where R α is π/2 rotation along α-basis (α = X, Y, Z) of a qubit state.Also note that any rotation of the state on H ⊥ , which is an orthogonal complement to H being spanned by {|α b ⊗4 }, does not change the measurement outcomes since the state on H ⊥ always induces double-click (one can also check this with POVM to be mentioned).Thus, we are allowed to work on the symmetrized density matrix ρ A bit tedious calculation with Shur's lemma gives us ρ [16], where r m ≥ 0 (m = 0, 1, 2, 3), and P 0,1,2 is a projector Here, the first (second) index in each ket represents Z component of Alice's (Bob's) 1  2 -spin (3 1 2 -spins with total angular momentum being 3/2) with eigen values being 1/2 and −1/2 (3/2, 1/2, −1/2, and −3/2).
To calculate the mutual information, we consider what error rate (e ỹ ) we would have obtained if we had performed the measurement along Ỹ basis onto Alice and Bob's qubit, in which Bob's qubit is defined through the BB84 squash operator.Bob's POVM {M , and what we have to do is to derive e ỹ as a function of e b and to maximize H(Z|X) (3) .In the equation of e b and e ỹ , we erase the parameter r 3 by using the condition Trρ sym reads r 0 , r 1 , r 2 ≥ 0 and 3r 0 + 3r 1 + 2r 2 ≤ 1.By introducing a parameter set {t, s, u} with 0 ≤ t, u ≤ 1 and −1 ≤ s ≤ 1, we can express r 0 = ut(1 + s)/6, r 1 = ut(1 − s)/6, and r 2 = u(1 − t)/2, and we use this parameterization to derive the regime {e b , e ỹ} that ρ that coincides with H(Z|X) (1,2) when e b = e ỹ, and we note that the tangent in Fig. 1 crosses the shadow regime in Fig. 2 so that the bit error rate threshold should degrade.By considering the convex hull of H(Z|X) (N ) for N = 1, 2, 3, the upper bound of H(Z|X), which we express as H(Z|X), is given by (1,2)  in case 0.115... > e b (2.82...) e b + 0.0976... in case 1  4 ≥ e b ≥ 0.115...This is also shown in Fig. 2. From this expression, we can derive the bit error rate threshold of 12.6112...% by solving H(Z|X) = 1 − h (e b ) with respect to e b .Remarks: For the first sight, our analysis assumes that Alice and Bob's pair states are identically and independently distributed.A way to treat unconditional security is to use the argument based on quantum de Finetti theorem [17] or Azuma's inequality [18,19].In the latter argument, we consider an arbitrary whole Alice and Bob's state, not just a pair state, and we consider to perform the Bell basis measurement from the first qubit pair in order.ρ sym is now interpreted as the state of a particular qubit pair conditional on arbitrary Bell basis measurement outcomes.It follows that e ỹ and e b are probability also being conditional on the outcomes, which is a property required in applying Azuma's inequality, and most importantly the relation between them are linear as we have already mentioned (for 4 ≤ N case, it is given by 0 ≤ e ỹ ≤ 1 and 0.25677... ≤ e b ).Thus, we can convert our analysis into the analysis of the unconditional security proof by using exactly the same argument as [19].
To summarize, we prove the unconditional security of the six-state protocol with threshold detectors.For the proof, we propose a technique to determine which photon number states are important, and we employ the squash operator for BB84 and the estimation of the mutual information that can be obtained via Y basis fictitious measurement on the resulting qubit state.In this letter we consider one-way quantum communication protocol, and our analysis may apply to two-way quantum communication protocol such as BBM92 type QKD [20], which we leave for the future study.Security proof of other protocols with threshold detectors are also another future works.
as the dashed line, in which h(e b ) (dotted line), 1 − h(e b ) (dot-dashed line), and a tangent (solid line) are also plotted.The bit error rate of the intersection (A) of the dotted line and the dot-dashed line represents the bit error rate threshold of BB84, and the one (B) of the dot-dashed line and the dashed line represents the bit error rate threshold of the six-state protocol up to N = 2. C is the intersection of the dotted line and the tangent whose tangent point is B.