Entangled Quantum Key Distribution with a Biased Basis Choice

We investigate a quantum key distribution (QKD) scheme which utilizes a biased basis choice in order to increase the efficiency of the scheme. The optimal bias between the two measurement bases, a more refined error analysis, and finite key size effects are all studied in order to assure the security of the final key generated with the system. We then implement the scheme in a local entangled QKD system that uses polarization entangled photon pairs to securely distribute the key. A 50/50 non-polarizing beamsplitter with different optical attenuators is used to simulate a variable beamsplitter in order to allow us to study the operation of the system for different biases. Over 6 hours of continuous operation with a total bias of 0.9837/0.0163 (Z/X), we were able to generate 0.4567 secure key bits per raw key bit as compared to 0.2550 secure key bits per raw key bit for the unbiased case. This represents an increase in the efficiency of the key generation rate by 79%.


Introduction
Quantum key distribution (QKD) allows two distant parties, Alice and Bob, to create a random secret key even when the quantum channel they share is accessible to an eavesdropper, Eve, so long as they also have an authenticated public classical channel. The security of QKD is built on the fundamental laws of physics in contrast to existing classical public key cryptography whose security is based on unproven computational assumptions.
There are mainly two types of QKD schemes: prepare-and-measure schemes, the best known of which is the original BB84 protocol proposed by Bennett and Brassard [1] in 1984; and entanglement based schemes, the simplest of which is the BBM92 scheme developed by Bennett et al. [2] in 1992. The BBM92 scheme essentially symmetrizes the BB84 protocol by distributing entangled pairs of qubits to Alice and Bob and having them both measure their half of each pair in one of two complementary bases. For a more complete overview of both QKD theory and experiments, please refer to the recent review articles by Gisin et al. [3], Dusek et al. [4], and Scarani et al. [5].
A key feature of the BB84 protocol and many others is that the bases used are chosen randomly, independently, and uniformly. Most security proofs, including the seminal work by Shor and Preskill [6], rely heavily on the symmetry which uniformity of basis choice provides. For example, it allows the sifted data from both bases to be grouped together and a simple error correction algorithm to be performed on the grouped data producing a single error rate. However, uniformly chosen bases have the consequence that on average half of the raw data is rejected leading to an efficiency limited to at most 50%. This is the reason for the curious factor of 1/2 that appears in the key rates of many security proofs [7,8].
This symmetry requirement was removed by Lo et al. [9] in 2004 when they proposed a simple modification to the BB84 scheme that could in principle allow one to asymptotically approach an efficiency of 100%. Their scheme relies on two changes to the BB84 protocol: non-uniformity in the choice of bases, and a refined data analysis. The first change of non-uniformity allowed Alice and Bob to achieve much higher efficiencies with their raw data. In fact, Lo et al. showed that this efficiency could be made arbitrarily close to 100% in the long key limit. The second change of a refined data analysis allowed Alice and Bob to maintain the security of their system since a simple error analysis was no longer sufficient. Acín et al. [10] have also studied this protocol in 2006 using a CHSH test for security under the conditions of no-signalling eavesdroppers.
In this article, we detail the experimental implementation of the biased basis choice protocol with a simulated variable non-polarizing beamsplitter and a local entangled QKD system. We begin by first reviewing the theory for the biased protocol. We study the optimal bias ratio and the important parameters necessary to maintain security. We then follow with a description of the experimental setup for the implementation of the biased scheme. Lastly, we report on the results of the experiment and compare the efficiency of the biased protocol with those of an unbiased protocol.

Theory
Lo et al. [9] proposed their protocol as a modification to the original BB84 protocol which is a prepare-and-measure scheme. Here we make the simple extension to the entanglement based BBM92 scheme developed by Bennett et al. [2] in 1992. In the original scheme, a source of polarization entangled photon pairs in the singlet Bell state is placed in between Alice and Bob, and one photon from each pair is sent to Alice and Bob. Alice and Bob then randomly, independently, and uniformly choose to measure in either the rectilinear (H/V) basis or the diagonal (+45°/−45°) basis. Now we extend this scheme to remove the uniformity in the basis choices just as Lo et al. did for the BB84 protocol. We are allowed to do so without violating the security of the scheme because the proof by Lo et al. already relies on expanding the BB84 scheme into an imagined entanglement based scheme. Thus, their proof of security holds for performing the actual biased entanglement based scheme as well as performing the biased BB84 scheme. Additionally, we use the recently developed squashing model [11,12,13] which allows us to assume that we are dealing with qubits so that the proof by Lo et al. holds (double clicks are assumed to be rare and ignored).
The biased basis scheme has two main changes: first, Alice and Bob now choose their measurement bases randomly and independently but now non-uniformly with substantially different probabilities. This allows for a much higher probability of Alice and Bob using the same basis and thus allows them to achieve much higher efficiencies with their raw data. With uniformity removed, the second change necessary is a refined error analysis since an eavesdropper could now easily break a system which performed a simple error analysis on the lumped data by eavesdropping primarily along the predominant basis. To ensure security, it is crucial for Alice and Bob to divide their data into two subsets according to the bases used and compute an error rate for each subset separately. It is only with this second addition that one can ensure the security of this biased scheme.
First we define the necessary quantities that we will use in our security analysis. Define $e_{bx}$ ($\delta_{px}$) and $e_{bz}$ ($\delta_{pz}$) to be the bit (phase) error rates in the X (diagonal) and Z (rectilinear) bases respectively, where an $e$ is used to denote a measurable quantity and a $\delta$ is used to denote a quantity that has to be inferred. Note that the bit error rates, $e_{bx}$ and $e_{bz}$, are known exactly by Alice and Bob once they perform error correction since they can count the number of errors found during error correction. However, the phase error rates, $\delta_{px}$ and $\delta_{pz}$, need to be estimated from the bit error rates since they are not directly accessible from Alice and Bob's measurement data.
In order to estimate the phase error rates, we define the quantities $p_{bx}$ ($p_{px}$) and $p_{bz}$ ($p_{pz}$) to be the bit (phase) error probabilities in the X and Z bases respectively. Since a basis independent source is assumed, we know that Now in the long key limit $e_{bx}$ converges to $p_{bx}$ while $\delta_{pz}$ converges to $p_{pz}$. Using Eq. (1) now allows us to say that in the long key limit. Obviously for finite key lengths this equality will not hold exactly and we will have to consider statistical fluctuations. We will address the finite key size effects in a moment, but for now assume that Eq. (2) holds.
The key point of the security analysis rests in the privacy amplification part [14]. Privacy amplification is usually performed via the 2-universal hash functions discovered by Wegman and Carter [15] and that is what is done in the experimental implementation detailed in this paper. Alice and Bob need to take care of the bits exposed during error correction which they can directly count during the error correction process since an eavesdropper can learn this information listening in to the classical channel. They also need to estimate the phase error rates for the two bases in order to estimate the amount of an eavesdropper's information on the quantum signals that were distributed. Privacy amplification then needs to be applied to reduce the information of the eavesdropper from these two sources to an arbitrarily small amount. This leads to the following key generation rate according to [8], expressed in terms of secure bits per raw bit, using Eq.
where q is defined to be Alice's or Bob's bias probability of measuring in the Z basis and (1 − q) is their probability of measuring in the X basis, f(x) is the error correction inefficiency as a function of the error rate, normally f(x) ≥ 1 with f(x) = 1 at the Shannon limit, and is the binary entropy function. For this initial analysis, the key rate formula assumes that Alice and Bob each pick the same identical bias. We benefit from separating the key rate into contributions from the X and Z bases since the key rate can still be positive for an error rate higher than 11% in one basis so long as the other error rate is low enough. This can be seen in Fig. 2 of Ref. [16] since we use local operations and one way classical communication (1-LOCC) in our post-processing. Note that the cascade error correction algorithm, which we use, is considered 1-LOCC post-processing since the two way classical communication is not used to perform advantage distillation. Also note that in this treatment of cascade we assume that Eve learns both the positions of the errors and the revealed parity bits.
The last thing to take care of are the finite key size effects since these will be very important in determining how to balance the optimal biasing ratio. For this analysis we assume the main finite key size effect is due to the parameter estimation; namely, the statistical fluctuations in the phase error rates compared to what is estimated from the bit error rates. The other possible finite key size effects are authentication, the leakage of information during error correction (typically referred to as $\mathrm{leak}_{EC}$), the probability of failure for error correction and error verification (typically referred to as $\varepsilon_{EC}$), and the probability of failure of privacy amplification (typically referred to as $\varepsilon_{PA}$) [17,18].
For our experiment the probability of failure for our parameter estimation is on the order of $10^{-6}$ since, as will be discussed below, we choose a safety margin on our phase error estimates so that the probability that the actual phase error rates are outside of this range is less than $10^{-6}$. Also, we do not implement authentication on the classical channel, so we ignore its effect on our key rate. Note though that the resources required for authentication scale logarithmically in the length of the secret key generated by a QKD session [19]. The information being leaked during error correction does not contribute any finite key size effects since we directly count the number of bits revealed and take care of them in the privacy amplification step [20]. Thus, there are no fluctuations in this contribution since we know it exactly. The error correction and verification algorithm we implement is due to Sugimoto and Yamazaki [21] and allows us to bound the failure probability and thus set its value. For this experiment we implement the error correction algorithm so that its probability of failure is $< 10^{-10}$. Lastly, the probability of failure for the privacy amplification step is assumed to be negligible since it depends on the privacy amplification algorithm used and we assume that it is possible to make one with a sufficiently small failure probability. For a strict finite key analysis, one should follow Refs. [22,23,17,18].
We need to consider the statistical fluctuations in order to discuss the optimal bias between the two bases. As was stated above, both error rates $e_{bx}$ and $\delta_{pz}$ converge to $p_{bx} = p_{pz}$ in the long key limit. We use standard random sampling theory to determine the following formula given in [8] for the estimates of our phase error rates where $n_{xx}$ is the number of bits generated from Alice and Bob both measuring in the X basis, and z is a small deviation from the measured bit error rate. Eq. (4) allows us to put a bound on the probability that the phase error rate deviates from our measured bit error rate by more than z. For example, if Alice and Bob measure 10,000 qubits in the X basis ($n_{xx} = 10{,}000$), find an error rate of 5% ($e_{bx} = 0.05$), and set their desired deviation to 1% (z = 0.01), then Eq. (4) would allow them to say that the probability that their phase error rate ($\delta_{pz}$) deviates by more than z is less than 0.52%. Or said another way, if we use $\delta_{pz} = 0.06$ in our key rate formula then we are confident that our key was generated securely with a probability of 99.48%. So our key rate formula has now become which is the same as before except for the addition of x and z which are now necessary to deal with the finite key statistics. We should note that the random sampling formula used in Eq. (4) is a good approximation in the long key limit. Now we can try to find the optimal bias between the two bases. Given estimates for $e_{bx}$, $e_{bz}$, and N (the total coincidence count), and picking $P = P_x + P_z$, one can optimize the bias q and the deviations x and z according to Eqs. (5) and (4). For example, with estimates of the parameters we expect to see in our system, we can graph the key rate (normalized in terms of secure key bits per raw key bit) versus the bias ratio q, shown in Figure 1.
The inset shows the estimates for the parameters needed in order to find the optimum bias: N is the total number of entangled pairs sent to Alice and Bob over the course of the experiment, P is the confidence probability desired for our phase error statistics, $e_{bx}$ and $e_{bz}$ are the observed bit error rates in the X and Z bases over the course of the experiment, and f is the observed error correction efficiency. From Fig. 1 we can see that the key rate is maximized for a bias of q = 0.97. Once we have found the optimum bias we can then use it, along with Eq. 4, to figure out the optimum deviations x and z that will still allow us to achieve our desired confidence probability P. Examining Fig. 1 we see that a maximum also occurs around q = 0.03 though it is slightly lower than the one at q = 0.97. It is obvious that the efficiency curve should be symmetric about the middle point q = 0.5 since biasing the protocol towards the X basis should be just as good as biasing it towards the Z basis. However, the curve is not entirely symmetric because the error rates and error correction efficiencies are not identical in the two bases. The error correction efficiency plays the largest part in the overall rate since it costs a fraction of f(e)h(e) in the final key generation rate. Thus, since the error correction efficiency is lower in the X basis than the Z basis ($f_X > f_Z$), the optimum rate is also lower when the bias is skewed towards the X basis.
It is important to understand how the biased protocol utilizes the optimum bias in order to make the most efficient use of the raw key data. The optimum bias, q, along with the optimum deviations, x and z, are chosen such that only the minimum number of measurements are made in the weak basis in order to achieve the desired confidence probability P. This has the consequence that privacy amplification of the measurement results from the strong basis has to be deferred until the end of the entangled photon distribution phase. It is only with the last distributed photon that Alice and Bob gain enough statistics in the weak basis to allow them to privacy amplify all the error corrected key generated in the strong basis over the course of the experiment. They will obtain small amounts of privacy amplified key from the weak basis over the course of the experiment, but the majority of the key that comes from the strong basis will not be available until after the distribution phase is completed.
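The bias optimization described above, as an added Python example that is not code from the paper. Eqs. (4) and (5) are not reproduced in this text, so the forms used here are assumptions: an exponential random-sampling bound chosen because it reproduces the 0.52% worked example, and a key rate built from the per-basis costs the text describes (f(e)h(e) for error correction, h of the inflated phase error for privacy amplification). All parameter values are constructed, not those of the Figure 1 inset.

```python
import math

# Constructed sample parameters (NOT the values from the paper's Figure 1 inset).
N_PAIRS = 2.0e8            # total coincidences distributed to Alice and Bob
E_BX, E_BZ = 0.04, 0.01    # observed bit error rates in the X and Z bases
F_X, F_Z = 1.25, 1.15      # error correction inefficiencies (1.0 = Shannon limit)
P_FAIL = 1e-6              # allowed failure probability per phase error estimate


def h2(x):
    """Binary entropy in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def sampling_failure_bound(n, e, eps):
    """Assumed form of the random-sampling bound:
    P(phase error > e + eps) <= exp(-eps^2 * n / (4 e (1 - e)))."""
    return math.exp(-(eps ** 2) * n / (4.0 * e * (1.0 - e)))


def deviation_for(n, e, p_fail):
    """Smallest deviation eps for which the bound above is <= p_fail."""
    return math.sqrt(4.0 * e * (1.0 - e) * math.log(1.0 / p_fail) / n)


def key_rate(q, n_pairs=N_PAIRS, e_bx=E_BX, e_bz=E_BZ,
             f_x=F_X, f_z=F_Z, p_fail=P_FAIL):
    """Secure key bits per raw key bit when both parties pick Z with probability q."""
    n_zz = q * q * n_pairs            # both measured in Z
    n_xx = (1 - q) ** 2 * n_pairs     # both measured in X
    if n_zz < 1 or n_xx < 1:
        return 0.0
    # The phase error of the Z key is estimated from the X bit errors, and vice
    # versa, each inflated by the finite-statistics deviation for its sample size.
    d_pz = min(0.5, e_bx + deviation_for(n_xx, e_bx, p_fail))
    d_px = min(0.5, e_bz + deviation_for(n_zz, e_bz, p_fail))
    # Per-basis rate: 1 - error correction cost - privacy amplification cost.
    # A basis whose rate would be negative is simply discarded.
    r_z = max(0.0, 1.0 - f_z * h2(e_bz) - h2(d_pz))
    r_x = max(0.0, 1.0 - f_x * h2(e_bx) - h2(d_px))
    return q * q * r_z + (1 - q) ** 2 * r_x


def optimal_bias(steps=1000, **params):
    """Grid search for the bias q that maximizes the key rate."""
    candidates = [i / steps for i in range(1, steps)]
    best_q = max(candidates, key=lambda q: key_rate(q, **params))
    return best_q, key_rate(best_q, **params)


if __name__ == "__main__":
    print("bound for n=10000, e=0.05, eps=0.01:",
          round(sampling_failure_bound(10_000, 0.05, 0.01), 5))
    q_opt, r_opt = optimal_bias()
    print("unbiased rate:", round(key_rate(0.5), 4))
    print("optimal q:", q_opt, "rate:", round(r_opt, 4))
```

The smaller the weak-basis sample, the larger the deviation added to the phase error estimate, which is what stops the optimum from running all the way to q = 1.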

Experimental Implementation
The purpose of this experiment was the experimental investigation of the biased basis QKD protocol and all of the practicalities associated with implementing the protocol; such as, choosing the proper bias, doing a more refined error analysis, and worrying about the finite key size effects. In order to focus on these issues, we did not involve the complications of a free-space link and instead chose for Alice and Bob to locally detect each of their halves of the photon pairs while sitting next to the source connected to it with a short optical fibre. Additionally, since we wanted to investigate many different biases we decided to simulate a variable non-polarizing beamsplitter since they do not exist to the best of the author's knowledge. Indeed, even fixed biased nonpolarizing beamsplitters are extremely expensive and difficult to manufacture; therefore, it is worthwhile to study the performance of the system for many different biases with a simulated variable biased beamsplitter first. The difficulties associated with biased beamsplitters might suggest one possible reason for employing an active basis selection scheme over a passive one since biasing might be done more easily. However, the active schemes would have their own complications for generating truly random, biased bit strings at a high enough rate for their polarization modulators. We are also currently investigating development of a variable non-polarizing beamsplitter to allow the flexible adjustment of the bias in our system without throwing away counts.
The experimental setup consists of a compact spontaneous parametric downconversion (SPDC) source, two compact passive polarization analysis modules, avalanche photodiode (APD) detectors, time-stampers, GPS time receivers, two laptop computers, and custom written software. The SPDC source is comprised of a 1 mm thick β-BBO crystal pumped with a 50 mW laser which produces entangled photon pairs at a degenerate wavelength of 815 nm. A β-BBO crystal 0.5 mm thick in each arm compensates for walk-off effects, which can ruin the entanglement. Typically, a total single photon count rate of 100,000 $\mathrm{s}^{-1}$ in each arm of the source and a coincident detection rate of 11,000 $\mathrm{s}^{-1}$ is measured locally. More details on the setup can be found in our earlier papers [24,25,26].
In order to implement the biased protocol we simulated a biased beamsplitter by placing the appropriate attenuators in the transmission arm of the original 50/50 beamsplitter (BS) used to perform the basis choice as shown in Fig. 2. The transmitted arm analyzes the photons in the diagonal basis. Also, in order to directly compare the efficiencies of experiments with different biases we used the appropriate attenuators ahead of the beamsplitter to make the rates of each experiment with a different bias equal. The attenuators are placed in the transmission arm (X, diagonal basis) so that the Z (rectilinear) basis is the one which Alice and Bob predominantly measure in. As was mentioned earlier, we make this choice because error correction costs a factor of f(e)h(e) (with f(e) > 1) while privacy amplification costs a factor of h(e) in our key generation rate. Thus, since the Z (rectilinear) basis has a much lower intrinsic error rate, we would like to make it the predominant basis since less error correction will be needed than if we chose the X (diagonal) basis to be the predominant one.
Our custom written software needed to be modified in order to analyze the error rates in both bases separately and defer the privacy amplification until the end of the entangled pair distribution phase. Error correction is first performed on the X basis measurements followed by the Z basis measurements, revealing the bit error rates $e_{bx}$ and $e_{bz}$. The number of bits revealed during the error correction of the X and Z measurements are recorded. After the distribution phase, we use the actual experimental results for N, $n_{xx}$, $n_{zz}$, q, $e_{bx}$, $e_{bz}$, $f(e_{bx})$, and $f(e_{bz})$, along with the desired $P_x$ and $P_z$ to calculate the optimum x and z according to Eq. 4. This allows us to distill the maximum amount of key from our raw data. The appropriate privacy amplification factor, according to Eq. 5, is now calculated for each measurement set. Privacy amplification using a 2-universal hash function [27,14,15] then takes care of the bits revealed during error correction, the estimated phase error rates, and the additional safety margin needed for the finite key statistics to produce the final secure key.
For this experiment we improved our error correction algorithm since knowing the bit error rates $e_{bx}$ and $e_{bz}$ as precisely as possible is extremely important. To do this we improved the cascade error correction algorithm [28,29], which was initially used in a modified form in our system, to the optimized algorithm outlined by Sugimoto and Yamazaki [21]. In previous experiments with our original modified cascade algorithm we achieved a residual bit error rate of $1.92 \times 10^{-3}$ [26], which is clearly insufficient for realistic key sizes especially once finite key size effects have to be taken into account.
In order to be secure, it has been shown that privacy amplification needs to work with key lengths on the order of $\sim 10^{7}$ bits [18]. Consequently, the probability of residual errors needs to be at least two orders of magnitude less than this in order for the privacy amplification to succeed with high probability. With the improved optimized cascade algorithm we are now able to set a parameter, s, which then determines the residual bit error rate according to $P_{\mathrm{residual}} < 2^{-s}$. For this experiment we chose s = 40 which should give us a maximum residual bit error rate of $9.09 \times 10^{-13}$.

Results
On the day of the experiment, visibilities of 99.6% and 92.4% were directly measured in the rectilinear and diagonal bases respectively. This corresponds to baseline error rates in the two bases of $e_{bx} = 0.038$ and $e_{bz} = 0.002$ due to the source. The limited visibility in the diagonal basis (high $e_{bx}$) is likely due to the broad spectral filtering (10 nm) in the polarization detector box which allows some unentangled photon pairs through the filters which still have a strong correlation in the rectilinear basis, but have almost no correlation in the diagonal basis. The limited visibility is also likely due to uncompensated transverse walk-off in the β-BBO crystal which is aggravated by the narrow pump beam spot.
We performed four different experiments with the varying biases shown in Table 1, each approximately six hours in duration in order to compare their efficiencies. While the appropriate attenuators were put into the transmission arms of both Alice's and Bob's detectors to simulate the desired bias, differences in coupling efficiencies within the polarization analysis modules produced slightly asymmetric biases between Alice and Bob for the Z basis choice. In order to figure out the optimum 's needed and the proper privacy amplification factor, the simple uniform bias analysis above had to be expanded into a more complex analysis that allowed Alice and Bob to have non-identical biases. Fig. 3 is the generalization of Fig. 1 and plots the key rate (R) versus Alice's bias (shown along the left axis) versus Bob's bias (shown along the right axis). Using this analysis we proceeded to find the optimum 's, calculate the privacy amplification factors, and complete the key generation process.
tabulated in Table 2. The increase in the QBER's from the baseline 3.8% and 0.2% to those observed is attributed to the typical leakage of the polarizing beamsplitters in the polarization analysis modules, the uncompensated birefringence in the singlemode fiber used to transport the photons between the source and the polarization analysis modules, and to accidental coincidences.
the course of each experiment. The statistics for each experiment are grouped by the same colour, the upper box holds the raw key rates, the middle box holds the sifted key rates, and the lower box holds the average final key rates for each experiment. Note that we can only show an average final key rate since privacy amplification has to be deferred until the end of the entangled photon distribution phase and error correction phase, and then is performed on the "entire" sifted key at once [30]. The results of each experiment are summarized in Tab. 2 along with their efficiencies compared to the first experiment which we take as the "unbiased" experiment. As is clearly shown in Table 2 the efficiency of each experiment increases with the bias reaching a value of 0.4567 secure key bits per raw bit for the final experiment which had a bias of 0.9837/0.0163. Thus, by implementing the biased QKD protocol we were able to increase the secure key generation rate by 79% over the unbiased case. Clearly, the use of a biased protocol for the generation of secure key bits results in a more efficient use of the distributed entangled photon pairs and allows Alice and Bob to distill more secret key from the same number of distributed pairs than what an unbiased protocol would allow. Additionally, as the number of entangled photon pairs is increased, the number of secure final key bits per raw key bit will approach 1.0 as was pointed out earlier.
Figure. Plot of the raw, sifted, and average final key rates over the course of each experiment. The rates are grouped by colour with Experiment #1 in blue, Experiment #2 in green, Experiment #3 in red, and Experiment #4 in magenta. The upper box holds the raw key rates, the middle box holds the sifted key rates, and the lower box holds the average final key rates.
Since the error correction algorithms were greatly improved during this experiment, we include actual data for their operation during experiment #1. We use the error correction algorithm developed by Sugimoto and Yamazaki [21] as an optimization of the cascade error correction algorithm developed by Brassard et al. [29] which was first mentioned in an earlier form in [28]. Table 3 shows the average block sizes used during the error correction of the sifted X and Z keys.
new random shuffling of the bits to form blocks of the sizes above which are then error corrected with BINARY [29]. When an error is found, cascade then goes back through all previous sequences of shufflings of bits to correct errors that were missed beforehand. Table 5 shows the average numbers of errors corrected during the use of the BINARY and BICONF [29] primitives and the corresponding number of bits revealed. Additionally, it shows the average key block lengths and QBERs found during cascade. Knowing these allows the calculation of the error correction efficiencies for our algorithm by first calculating the number of bits which an error correction algorithm operating at the Shannon limit would have revealed via $h_2(\mathrm{QBER}) \times \mathrm{AvgKeyLength}$. These efficiencies are also shown in Table 5 relative to an error correction algorithm operating at the Shannon limit.
Table 4. Cascade stats - average number of errors corrected at each step in cascade.
As was discussed above, the new algorithm allows us to set the desired residual error rate via the parameter s which determines the rate according to $P_{\mathrm{residual}} < 2^{-s}$. However, as the residual error rate requirements grow more stringent the efficiency of the error correction algorithm relative to the Shannon limit, f(x), will begin to deteriorate. For all experiments there were no residual errors left in the error corrected key after error correction was performed.
Table 5. Cascade stats - average number of errors corrected, bits revealed, error correction efficiencies, key block lengths, and QBERs.
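The cascade bookkeeping described above (shuffle into blocks, correct with BINARY, go back through earlier shufflings, count revealed parity bits, compare against the Shannon limit), as an added Python simulation that is not the authors' software. It is the basic Cascade with BINARY only, without BICONF or the Sugimoto and Yamazaki optimizations; the initial block size rule 0.73/QBER, the doubling per pass, and the sample keys are assumptions of this example.

```python
import math
import random


def h2(x):
    """Binary entropy in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def mismatch(alice, bob, block):
    """True if the two parities over `block` differ, i.e. an odd number of errors.
    In the real protocol Bob compares his parity with the one Alice announced."""
    return sum(alice[i] ^ bob[i] for i in block) % 2 == 1


def binary(alice, bob, block):
    """BINARY: bisect a block known to hold an odd number of errors and flip one
    wrong bit in Bob's key. Returns (position fixed, parity bits revealed)."""
    revealed = 0
    while len(block) > 1:
        left = block[: len(block) // 2]
        revealed += 1                      # Alice announces the left-half parity
        block = left if mismatch(alice, bob, left) else block[len(block) // 2:]
    bob[block[0]] ^= 1
    return block[0], revealed


def cascade(alice, bob, qber_estimate, passes=4, seed=1):
    """Run `passes` rounds; returns (parity bits revealed, errors corrected)."""
    rng = random.Random(seed)
    n = len(alice)
    k = max(2, int(0.73 / qber_estimate))  # assumed initial block size rule
    revealed = corrected = 0
    lookups = []                           # per pass: position -> its block
    for p in range(passes):
        order = list(range(n))
        if p > 0:
            rng.shuffle(order)             # new random shuffling for each later pass
        blocks = [order[i:i + k] for i in range(0, n, k)]
        lookups.append({pos: blk for blk in blocks for pos in blk})
        revealed += len(blocks)            # one parity announced per block
        pending = [blk for blk in blocks if mismatch(alice, bob, blk)]
        while pending:
            blk = pending.pop()
            if not mismatch(alice, bob, blk):
                continue                   # already repaired via another block
            pos, bits = binary(alice, bob, blk)
            revealed += bits
            corrected += 1
            # Cascade step: the flip changes the parity of every earlier block
            # containing `pos`; those parities are already public, so any block
            # that now mismatches exposes another error at no extra block cost.
            pending.extend(look[pos] for look in lookups
                           if mismatch(alice, bob, look[pos]))
        k *= 2
    return revealed, corrected


def demo(n=4096, n_errors=160, seed=7):
    """Constructed keys: Bob's key is Alice's with `n_errors` random bit flips."""
    rng = random.Random(seed)
    alice = [rng.getrandbits(1) for _ in range(n)]
    bob = alice[:]
    for i in rng.sample(range(n), n_errors):
        bob[i] ^= 1
    revealed, corrected = cascade(alice, bob, n_errors / n)
    residual = sum(a ^ b for a, b in zip(alice, bob))
    shannon_bits = n * h2(n_errors / n)    # h2(QBER) x key length, as in the text
    return {"revealed": revealed, "corrected": corrected, "residual": residual,
            "efficiency": revealed / shannon_bits}


if __name__ == "__main__":
    print(demo())
```

The `revealed` count is the quantity that must be removed again in privacy amplification, and `efficiency` is the f(x) that enters the key rate.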

Conclusions
In conclusion, we have implemented the first experiment to utilize a biased (non-uniform) basis choice in order to increase the efficiency of the number of secure key bits generated from raw key bits. We investigated many of the issues associated with its implementation including choosing the optimal bias, doing a more refined error analysis, and taking care of finite size key effects. We simulated a biased non-polarizing beamsplitter in order to study different biases for the system and their resulting efficiencies. All other aspects of the experiment were implemented in their entirety so that our 50/50 beamsplitter can be easily exchanged with a new fixed non-polarizing beamsplitter with no other changes needed to the system. For the near optimal biases of 0.8804/0.1196 (Z/X) for Alice and 0.9062/0.0938 (Z/X) for Bob, we were able to generate 0.4567 secure key bits per raw key bit; whereas, the unbiased case generated 0.2550 secure key bits per raw key bit. This represents an increase in the efficiency of the key generation rate by 79% over the unbiased case. An improved error correction algorithm was also implemented and statistics for its operation on actual generated key material were discussed.