Finite-key security against coherent attacks in quantum key distribution

The work by Christandl, König and Renner [Phys. Rev. Lett. 102, 020504 (2009)] provides in particular the possibility of studying unconditional security in the finite-key regime for all discrete-variable protocols. We spell out this bound from their general formalism. Then we apply it to the study of a recently proposed protocol [Laing et al., Phys. Rev. A 82, 012304 (2010)]. This protocol is meaningful when the alignment of Alice's and Bob's reference frames is not monitored and may vary with time. In this scenario, the notion of asymptotic key rate has hardly any operational meaning, because if one waits too long, the average correlations are smeared out and no security can be inferred. Therefore, finite-key analysis is necessary to find the maximal achievable secret key rate and the corresponding optimal number of signals.


I. INTRODUCTION
Quantum key distribution (QKD) provides a way of distributing secret keys for use in secure communication [1,2]. Started by Bennett and Brassard in 1984 (BB84, [3]) and by Ekert in 1991 [4], QKD has posed several challenges, both theoretical and experimental, which have been met to a large extent. One of those challenges has been the derivation of security bounds that take into account the finite number N of exchanged quantum signals, i.e. the finite size of the keys one has to work with. The tools for such a study were remarkably anticipated by Mayers in his very first unconditional security proof [5], but for several reasons the full solution was delayed by more than 10 years. Hayashi's formalism [6] was tailored to the BB84 protocol. The approach by Renner and one of us [7-9] is in principle more flexible but is in general limited to collective attacks: unconditional security could be claimed only for BB84 and the few other protocols for which the bound for collective attacks is known to coincide with the one for the most general attacks [10]. Recently, Christandl, König and Renner developed some very general mathematical tools [11], one of whose applications is the derivation of finite-key bounds for any discrete-variable protocol (for the status of the question in continuous-variable protocols, see [12]).
In this paper, we spell out explicitly the method to compute the finite-key QKD bound described in [11]. This new tool can be used to compute unconditional security bounds in the finite-key regime for protocols like Bennett 1992 (B92 [13]), Scarani-Acín-Ribordy-Gisin 2004 (SARG04 [14,15]) or protocols based on the violation of Bell's inequalities [16,17]. As an application, we have rather chosen the reference frame independent protocol proposed by Laing et al. [18]. This protocol is useful in situations in which the alignment of the reference frames of Alice and Bob is not monitored and may vary in time. We consider the finite-key analysis of this protocol in light of the fact that the relation between the reference frames will, in these scenarios, not only be unknown but may also fluctuate over the course of the protocol. Under these assumptions, one finds that the optimal secret key rates are reached for a finite number of signals: if Alice and Bob wait too long, their correlations will be smeared out by the misalignment of the frames.
The paper is arranged as follows. In Section II we present the new method for finite key analysis against coherent attacks. In Section III, we use this method to analyze the reference frame independent protocol for two cases of drifting phase references: firstly, one frame rotating at constant speed relative to the other; secondly, the angle between the frames fluctuating according to a random walk. Lastly, in Section IV the implications of the results are considered.

II. FINITE KEY ANALYSIS METHOD
We start by summarizing the notations and the bound for collective attacks, as discussed in detail in previous works [7-9,17]. Then we present the new bound extracted from [11]. Let N be the number of signals sent by Alice that are received by Bob. In addition to the error rate in the raw key, denoted Q, the protocol uses n_PE parameters V = {v_1, …, v_{n_PE}} to bound Eve's information. For simplicity, we consider asymmetric protocols [19], in which n signals are used to create the raw key, while the other signals are used to estimate the other parameters (the secret key rate for the symmetric protocol is larger by at most n_PE + 1 and becomes the same in the asymptotic limit). The number of signals devoted to estimating v_j is written m_j.
Let now ε_PA be the probability that privacy amplification fails, and ε_PE the probability that the real value of a parameter lies outside of the chosen fluctuation range. There is a third error probability, denoted ε̄, which measures the accuracy of the estimation of the smooth min-entropy. Finally, there is a probability ε_EC that error correction fails, which is determined by the choice of the error correction code. Because of the composability of the bound, in the worst case the probability ε_col that the quantum key distribution protocol fails does not exceed the sum of the probabilities of failure of the different phases of the protocol; this is constraint (1). The user can choose ε_col and ε_EC; the other parameters can be optimized under the constraint (1). If the key alphabet is made of d-valued symbols, the secret key fraction against collective attacks is given by expression (2), where we assume that the yield of the error correction protocol is perfect, i.e. that it reaches the Shannon limit H(A|B).

B. Beyond collective attacks
Previous works [7-9] used the bound above to claim unconditional security for the BB84 and the six-state protocols, as well as for their natural high-dimensional generalizations, because for those protocols the bound for collective attacks coincides with the one for coherent attacks [10]. But for protocols using a less symmetric encoding there is no guarantee that this is the case. The most general attacks are impossible to parametrize. Therefore, the generic recipe for unconditional security consists, in a nutshell, of bounding the possible advantage of coherent attacks over collective ones, then computing the bound for collective attacks with the suitable overhead terms.
The first such approach used the exponential de Finetti theorem [20,21]. This theorem bounds the distance between any state ρ^{(n)}_{AB} that leads to permutationally invariant statistics for Alice and Bob and n-fold product states σ_{AB}^{⊗n} (or mixtures thereof), i.e. exactly the states that a collective attack would produce. The overhead obtained by this theorem turns out to be very heavy, so much so that it would make finite-key bounds unrealistically pessimistic (Figure 2). This fact was stressed already in [7], but the explicit expressions and results were not given, so we present them in Appendix A.
The de Finetti theorem is tight if one wants to compare the attacks at the level of the states. Christandl, König and Renner [11] noticed that, for the sake of QKD and other quantum information processing tasks, a much less refined comparison is actually sufficient.
They found that it suffices to consider the distance between two permutation invariant maps and how this distance changes when the maps act on states resulting from a general attack rather than on states resulting from a collective attack. The maps are the one describing the QKD protocol being implemented and an idealized scheme which takes any quantum state as input and distributes two perfectly correlated classical random strings to Alice and Bob. See Figure 1.
In summary: let us fix ε_coh as the tolerable failure probability of the secret key against coherent attacks. Then the resulting expression for the secret key rate is equation (3), where the bound for collective attacks (2) is computed under the constraint (1) for the security parameter ε_col determined by relation (4). The improvement that this technique gives over the use of the exponential de Finetti theorem is illustrated in Figure 2. For the BB84 protocol the optimal coherent attack is a collective attack and therefore the line (a) is the best bound for security. However, if that were not known to be the case, the post-selection technique gives a bound close to the optimal one, whereas the bound obtained using the de Finetti theorem is substantially worse and would imply the practical impossibility of obtaining a key in QKD.

Figure 1: Consider the distance ∆ between the permutation invariant maps E, implementing the QKD protocol, and F = S∘E, where the map S is a hypothetical process that takes an imperfect key to a perfect one. This distance can be found when the maps act on the de-Finetti-Hilbert-Schmidt state, which describes the case of collective attacks, and the increase in ∆ can be bounded when the same two maps act on an arbitrary state, the case of coherent attacks. This model is from [11].

A. Review of the Protocol
We briefly describe the reference frame independent protocol [18]. In the prepare-and-measure scenario, Alice sends to Bob a qubit prepared in an eigenstate of one of three mutually unbiased bases {X_A, Y_A, Z_A}, chosen at random but not necessarily with the same probability. Bob receives a qubit, which may have been tampered with by Eve, and measures it in a basis chosen among a possibly different set of mutually unbiased bases {X_B, Y_B, Z_B}. In the equivalent entanglement-based version, Alice and Bob receive a pair of entangled qubits in a state ρ_AB, which is |Φ⁺⟩ in the ideal case, and perform on them the local measurements defined by the above-mentioned bases. Each measurement can be described by a vector in the Bloch sphere, which we will refer to as its direction. Unlike usual protocols, where the orientations of the reference frames are actively monitored using the classical channel, this protocol requires only one well defined direction Z_A = Z_B, while the other two directions are related by an unknown transformation (5). At the end of the signal exchange phase, they reveal their bases. This protocol is intrinsically asymmetric, in that the different bases play different roles. The raw key consists of the cases where both have measured in the Z basis, and is characterized by the quantum bit error rate Q (6). Eve's information is quantified by the parameter C (7), where C = 2 guarantees maximal entanglement. Note that four measurements are needed to estimate C, so the parameters that are actually measured are the four correlators (8). The expression (7) has been chosen because it is independent of β: it retains its value even if Alice's and Bob's frames are misaligned. In the asymptotic limit, the information that Eve can gain from coherent attacks is upper bounded by a function I_E(Q, C) of Q and C, in which h(x) is the binary entropy. This result holds in the range 0 ≤ Q ≤ 15.9%, which is perfectly reasonable for the quality of optical lines.
Obviously, this protocol becomes of interest if β varies in time: if the frames are possibly misaligned but are guaranteed to be fixed in time, one would just align them once and for all. However, it takes time to collect enough data to estimate the four average values that enter the expression of C: the misalignment of the frames during this time leads to a smearing of the correlations and the consequent decrease of C. In particular, if one waits to accumulate a very large number of signals, C will ultimately drop so much that no security can be inferred: in other words, the asymptotic rate (9) somehow assumes not only that infinitely many signals can be collected, but also that β is fixed. In all meaningful situations, not only the realistic secret key rate, but also the optimal one must be determined by finite-key analysis. This is the object of what follows.

B. Computing the finite-key bound
Let us particularize the parameters that enter the finite-key bound (3) to the protocol under study. We denote by p_Z the probability that Alice and Bob choose the key basis Z; we assume that the other two bases are chosen with equal probability p_X = p_Y = (1 − p_Z)/2 ≡ p. So the raw key consists of n = N p_Z² signals, while each of the correlators v_j is estimated using m = N p² signals.
The quantity min_{E|V±ΔV(ε_PE)} H(A|E) is given by 1 − I_E(Q', C'), where Q' and C' would be the perfect estimates; they are related to the observed values (Q, C) by assuming the worst-case fluctuations, i.e. by increasing the error Q and reducing the correlations v_j. As in previous works, we use the law of large numbers as presented in Cover and Thomas, Theorem 11.2.1 [22]; other estimates have been studied [23]. Finally, H(A|B) = h(Q), where the expression is a function of the observed Q and not of Q': the EC code must correct only the errors that have actually happened. At this point we have everything: one just has to choose the desired security level ε_coh, give the values of N, ε_EC, Q and C, then maximize r_N over the other parameters under the constraints (1) and (4). As anticipated, we are going to study the effects of the time variations of β.

C. Dynamics of C for varying β
The real evolution of β during the protocol is, by definition, unknown: monitoring it would provide the information needed to align the frames. But in order to design a protocol and choose suitable parameters, one must make a guess of how this evolution will be. This prior guessing is not specific to this protocol: it is a general necessity when one wants to make estimates before running the experiment (for a full discussion, see paragraph 2.3 in [8]).
Let us start by rewriting (5) and (8) as functions of time. These are the "instantaneous values", i.e. the correlations v_j(t) that one would observe by freezing the frames at time t. Now, for simplicity, we assume that the N signals one is going to collect are equally spaced in time with an interval τ. Then the observed correlations over the time T_N required to collect the N signals will be the time averages

v̄_j(T_N) = (1/N) Σ_{k=0}^{N−1} v_j(kτ).

In other words, denoting by c̄_N and s̄_N the corresponding averages of cos β(kτ) and sin β(kτ), the v̄_j(T_N) are just the v_j(t) with cos β(t) replaced by c̄_N and sin β(t) replaced by s̄_N. It is also easy to verify that in the observed value of C the quality of the initial correlations, captured by C(0), factors out from the smearing due to the variations of β. Let us now particularize to two possible dynamics:

• The frames drift apart at a constant angular velocity, θ(t) = ωt. The averages c̄_N and s̄_N can then be summed explicitly, which leads in particular to an explicit C(T_N); as θ → 0 the continuous sampling limit is recovered, in which C(T_N) = C(0) 2(1−cos(θN)) up to the normalization of the sum.

• The relative angle follows a random walk: β changes by ±θ randomly during the time τ. One is then led to compute the average value of the sine and cosine of a random walk, i.e. an average over the distribution P_N(d) of the net displacement d of the walk.

In both cases, of course, C(T_N) goes to zero for large N. The effect of this smearing on the finite-key secret key rate is shown in Figure 3.
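The smearing described above, as an added worked example (this is not code from the paper or from Ref. [18]). It takes the reading of the text that the observed C is quadratic in the averaged correlators, so that C(T_N) = C(0)·(c̄_N² + s̄_N²), and computes c̄_N and s̄_N for both dynamics: for the constant drift it sums the angles kθ directly (θ here is the angle advanced per sampling interval τ, i.e. ωτ) and checks the sum against a closed form derived for this example, not quoted from the paper; for the random walk it averages cos and sin over the binomial distribution P_k(d) of the net displacement d after k steps. The function names, the value C(0) = 2 and the sample θ values are choices made for the example.

```python
"""Smearing of the RFI parameter C by a drifting reference frame (added example).

Assumption taken from the text: the observed value factors as
    C(T_N) = C(0) * (cbar_N**2 + sbar_N**2),
where cbar_N, sbar_N are the time averages of cos(beta) and sin(beta) over the N
sampling times k*tau.  Everything below follows from that assumption.
"""
from math import cos, sin, comb


def averaged_trig(angles):
    """Time averages cbar_N, sbar_N of cos(beta) and sin(beta) over the sampled angles."""
    n = len(angles)
    return sum(cos(b) for b in angles) / n, sum(sin(b) for b in angles) / n


def smeared_c(c0, cbar, sbar):
    """Observed C given the initial value C(0) and the averaged trig values."""
    return c0 * (cbar ** 2 + sbar ** 2)


def constant_drift(c0, theta, n):
    """Frames drifting apart at constant angular velocity: beta_k = k * theta."""
    cbar, sbar = averaged_trig([k * theta for k in range(n)])
    return smeared_c(c0, cbar, sbar)


def constant_drift_closed_form(c0, theta, n):
    """Closed form derived for this example: |sum_{k<N} e^{ik theta}|^2 / N^2
    = (1 - cos(N theta)) / (N^2 (1 - cos theta)), times C(0)."""
    if theta == 0.0:
        return c0
    return c0 * (1 - cos(n * theta)) / (n ** 2 * (1 - cos(theta)))


def random_walk(c0, theta, n):
    """Relative angle doing a symmetric random walk: beta changes by +-theta per interval.

    After k steps, j upward steps occur with probability P_k(d) = C(k, j) / 2^k, where
    d = 2j - k is the net displacement in units of theta.  The expected cos and sin of
    beta at each of the N sampling times are averaged and plugged into smeared_c.
    """
    cbar = sbar = 0.0
    for k in range(n):
        for j in range(k + 1):
            p = comb(k, j) / 2 ** k
            d = 2 * j - k
            cbar += p * cos(d * theta)
            sbar += p * sin(d * theta)
    return smeared_c(c0, cbar / n, sbar / n)


def random_walk_expected_cos(theta, n):
    """Independent check: E[cos(d theta)] after k steps equals cos(theta)**k, so the
    averaged cosine is (1/N) sum_{k<N} cos(theta)**k; the averaged sine vanishes by symmetry."""
    return sum(cos(theta) ** k for k in range(n)) / n


def smearing_table(c0, theta, block_sizes, model):
    """C(T_N) for a list of block sizes N under the given dynamics (constant_drift or random_walk)."""
    return [(n, model(c0, theta, n)) for n in block_sizes]


if __name__ == "__main__":
    # Sample values chosen for illustration: C(0) = 2 (maximal entanglement), small theta.
    for name, model, theta in (("constant drift", constant_drift, 0.01),
                               ("random walk", random_walk, 0.1)):
        print(name, "theta =", theta)
        for n, c in smearing_table(2.0, theta, [1, 10, 100, 300], model):
            print(f"  N = {n:4d}  C(T_N) = {c:.4f}")
```

In both models C(T_N) falls monotonically with N, which is the mechanism behind the finite optimal block size discussed in the conclusion. Note that the random-walk branch averages the expected sine and cosine, as the text describes; in a single run the realised c̄_N and s̄_N fluctuate around those expectations.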

IV. CONCLUSION
We have studied the application of the post-selection technique of [11] to QKD protocols in finite-key scenarios to extend security bounds for collective attacks to bounds for coherent attacks. We have compared it explicitly to the bounds recovered for finite keys using the de Finetti theorem. We demonstrate how to compute this new bound by applying it to the reference frame independent protocol of [18]. In addition, we have considered two physically plausible scenarios for the case of unaligned reference frames: that one frame may be rotating relative to the other, or that one frame may be executing a random-walk-type drift relative to the other.
The most prominent feature in these two cases is that the asymptotic limit does not give the best key fraction. This can be seen in Figure 3. The reason is that the longer we collect the signals, the lower the value of the security parameter C becomes. For a fixed ω or θ, there exists an optimal block size N that yields the best secret key fraction. If more key is required, the protocol should be terminated and restarted after each block. Hence any practical application of the reference frame independent protocol should aim for this optimal number of signals to be exchanged in a run of key distribution.
Let the state ρ̃^n_{|θ⟩} be the permutationally invariant output of a quantum key distribution protocol. Because the state ρ̃^n_{|θ⟩} is in general not exactly of product form, for any |θ⟩ it is a pure state of the symmetric subspace of H^{⊗n} such that ρ̃^n_{|θ⟩} = Σ_π π(|θ⟩^{⊗(n−t)} ⊗ |φ_t⟩), where the sum is over all permutations π, for some t such that 0 ≤ t ≤ m/2.
In some sense, t can be thought of as quantifying the distance of the state ρ̃^n_{|θ⟩} from the perfect pure n-fold product state.
So we can now introduce an error, ε_deF, that parameterizes t: where t = Ns k 2 ln(2/ε_deF) + d⁴ ln(k) [20]. The maximum error in the parameter estimation, assuming m samples, is now given by an expression in which k is optimized over. We see then that if k is larger, t can be smaller (the form of the raw key state can constrain Eve to collective attacks more closely); however, this reduces the size of the raw key, so there is a trade-off. The term giving the privacy amplification correction is also modified [20], which yields the final rate. These expressions can be used in equation (2) to get a bound for coherent attacks.
Appendix B: Derivation of Eqs. (3) and (4) from Ref. [11]
General coherent attacks can be bounded in terms of collective attacks for general permutation invariant protocols by using the method introduced in [11].
First, it is usually easier to prove that a protocol is secure against collective attacks than against coherent ones, so the problem is approached for a particular state, the de-Finetti-Hilbert-Schmidt state τ_{A^N B^N}, which represents the mixture over the states that could be held by Alice and Bob after Eve makes a collective attack. This state is defined as a mixture of N-fold product states weighted by d_HS, the measure induced by the Hilbert-Schmidt metric Δ_HS(X − Y) = ‖X − Y‖_HS, with ‖X‖²_HS = Tr(X†X).
Let E be the actual protocol for which security is to be proven and F be an ideal key-generation protocol composed of the actual protocol E and a map S that takes classical inputs and outputs a perfectly random, perfectly correlated key string, i.e. F = S∘E, which for any input gives Alice and Bob the output of an ideal key (see Figure 1). The main theorem of [11] guarantees the security of this protocol against any coherent attack by bounding Δ(E,F)_ρ in terms of Δ(E,F)_τ, the diamond-norm distances between the protocols for an arbitrary state ρ and for the de-Finetti-Hilbert-Schmidt state τ respectively, where N is the number of signals or subsystems, each of dimension d² (bipartite qudits shared by Alice and Bob). Since ρ is an arbitrary state, it can correspond to any attack by Eve allowed by quantum mechanics.
In order to find the secret key fraction for finite-length keys, it is also necessary to consider the effect of Eve's possession of the purification of ρ_{A^N B^N}. This is already taken into account for collective attacks when the min-entropy of Alice's information given Eve's, H_min(A|E), is used to bound the secret key fraction. Let H_E be the system Eve holds that purifies σ_AB (see Figure 4). Now it is necessary to also include the extra information she may have as a result of holding the purification of the mixture of the state on N systems, τ_{A^N B^N E^N} = ∫ σ_{ABE}^{⊗N} d(σ_ABE), where d(·) is the Haar measure over pure states σ_ABE. Let the purification of this N-system state live on the Hilbert space H_{E'}. So now we must consider H^ε_min(A^N|E^N E') in the equation for the secret key fraction. We use the corresponding entropy bound: a space of dimension no more than (N+1)^{d⁴−1} is needed to construct such a purification, so H_{E'} cannot contain more than log (N+1)^{d⁴−1} bits of information. We therefore subtract twice this quantity from the available entropy and divide by the number of signals N to obtain equation (3). So, the post-selection technique gives another way to relate a bound that can be shown for collective attacks to a bound for an unknown optimal coherent attack, provided that there is a bound d on the dimension of the systems being exchanged. In other words, this result, just like the de Finetti theorem, cannot be used as such for continuous variables.