Loss tolerant device-independent quantum key distribution: a proof of principle

We here present the rate analysis and a proof of principle realization of a device-independent quantum key distribution (QKD) protocol requiring the lowest detection efficiency necessary to achieve a secure key compared to device-independent protocols known so far. The protocol is based on non-maximally entangled state and its experimental realization has been performed by two-photon bipartite entangled states. The improvement with respect to protocols involving maximally entangled states has been estimated.


I. INTRODUCTION
Quantum Key Distribution (QKD) represents an unconditional secure way to share a secret key between two authenticated users, usually called Alice and Bob. Photons are the ideal candidates for QKD implementations due to their low interaction with the environment; moreover, they can be easily transmitted over long distances with optical fibers [1][2][3] or free-space links [4][5][6][7][8][9][10]. Security of the key is typically proven by using trusted preparation and measurement devices (for a review on QKD security and experimental implementations, see [11]). In the last years, great effort have been devoted to the so called Device-Independent QKD (DI-QKD), aiming at the demonstration of the security when the measuring devices are completely untrusted and their working mechanism is not known to the users. The key ingredient for DI-QKD is the exploitation of entangled states shared between the two users: by violating a Bell inequality, it is possible to prove the secrecy of the obtained key.
The DI-QKD offers the advantage that security is independent of the practical details of the implementation. Indeed, the violation of a Bell inequality certifies the secrecy of the transmission, allowing Alice and Bob even to use devices directly provided by Eve. The violation of a Bell inequality without any additional assumption requires a very high global detection efficiency, from the source to the detectors. It is well known that non-maximally entangled states offer an advantage, in terms of required detection efficiency, with respect to maximally entangled state to violate the Clauser-Horne-Shimony-Holt (CHSH) inequality [12,13]. Recently, detection loophole-free violations of the CHSH inequality by non-maximally entangled photons were indeed reported [14,15]. Non-maximally entangled states were proven to be also useful for several bipartite Bell inequalities [16] and for quantum steering [17].
The ent-B92 protocol, a version of the B92 protocol [18] realized with non-maximally entangled states, was proposed in [19]. We here propose its generalization and analyze its secret key rate when detection inefficiencies are taken into account. We moreover present a proof-of-principle realization of the protocol by exploiting non-maximally entangled states produced by spontaneous parametric down conversion. With proof-ofprinciple we mean that we demonstrated that it is in principle possible to realize the DI protocol with our experimental generated state if higher detection efficiencies were used. Due to the efficiency of our setup (about 10%) it was not possible to achieve a complete DI-QKD demonstration. However, by using eq. (13) (see below), we will predict the experimental value of the Bell parameter achievable with our experimentally generated state in case of a given efficiency η. By this prediction we will estimate the achievable rate of our DI-QKD protocols.
We will show that the protocols here presented allow a DI-QKD security with the lowest required threshold detection efficiency to date.

II. GENERALIZED ent-B92 PROTOCOL
Let's consider Alice and Bob sharing the following nonmaximally entangled state: where |H and |V are the horizontal and vertical polarization states and 0 < θ ≤ π/2. The parameter θ is monotonically related to the amount of entanglement, since the concurrence [20] is given by C = sin θ. The protocol works as follow: Alice measures with low probability p 1 its photon along the A 1 ≡ {|a 1 , |ā 1 } basis, with |a 1 = |V and |ā 1 = |H . With high probability 1 − p she measures along the A 0 ≡ {|a 0 , |ā 0 } basis, where |a 0 = 1 √ 2 (|H + |V ) and |ā 0 is its orthogonal state; Bob randomly and with probability 1/2 measures the incoming states in the B 0 or B 1 basis where The results from Alice's A 0 basis measurements are used as bits of the raw key together with Bob's results, while those from the A 1 basis will be used to perform a test against the eavesdropper attack, as in the uninformative states B92 QKD protocol (us-B92) introduced in [21]. On Alice side, the states |a 0 and |ā 0 correspond to bits 0 and 1 respectively. Upon obtaining the state |b k Bob decodes Alice's bit as j = k ⊕ 1 (the symbol ⊕ means "addition modulo 2") and labels the result as conclusive; on the contrary, upon obtaining the state |b k , Bob labels the result as inconclusive. The probability of a conclusive event is given by P c = 1 2 (1 − cos θ cos ϕ), independent on Alice measurements. The sifted key is obtained by selecting the conclusive results corresponding to Alice's A 0 measurements. The ent-B92 protocol of [19] corresponds to the choice ϕ = θ.
The main problem of a fully DI-QKD protocol is related to the so called detection loophole, namely the fact that the photon detection is inefficient and, if the detectors are not trusted, an eavesdropper can exploit this inefficiency to gain information on the key. In the next section we will show how to extract a secure key in the device-independent scenario in presence of detection (and transmission) inefficiencies.

III. KEY RATE ANALYSIS
In this section we will derive the secret key rate (see equation (9)) of the generalized ent-B92 protocol in case of detection inefficiencies, improving the results obtained in [19].
Let's consider a transmission of N pairs in which Alice chooses the A 0 basis and Bob chooses with probability 1 2 the basis B 0 or B 1 . The ±1 outputs of Alice's measurements correspond to bits 1 and 0 of the sifted key. The overall efficiencies (including transmission and detection efficiencies) are given by η A and η B and Alice and Bob must decide a strategy to deal with non-detection events. On Bob's side, only +1 outputs, the so called conclusive outcomes, are taken into account to build the key: thus, on Bob side, non-detection event will be associated to −1 output (corresponding to non-conclusive outcomes). Then, all the Alice's bits corresponding to non-conclusive Bob outcomes, can be simply discarded as it is usually done in the sifting phase of the BB84 protocol. On the other side, when Alice measures in the A 0 basis and does not obtain physical detection, she randomly chooses an outcome: whatever value she decides to output, the bit will enter into the key. Alice thus assigns to non-detection events the |a 0 or |ā 0 outcome with 1/2 probability in this case.
Due to inefficiencies, Bob receives N P c η B conclusive counts. After the sifting phase, Alice string A c and Bob's string B c consists of N P c η B bits. In Ref [19] (see in particular eq. (11) and (12)), the secure key rate -the ratio between secure bits and the overall sent pairsis given in term of the quantum bit error rate Q c and the Clauser-Horne (CH) parameter where and h 2 (x) is the binary entropy given by . The rate is derived under the assumption that the measurement devices are memoryless. In the previous expression P (a i , b j ) is the joint probability that Alice measures the state |a i and Bob detects the state |b i , while P (a 1 ) and P (b 1 ) are the probabilities that Alice and Bob respectively measure |a 1 and |b 1 , regardless of what is measured by the other user. The quantum bit error rate (QBER) Q c , defined as the ratio of the number of errors over the number of conclusive outcomes, must be evaluated over the sifted strings A c and B c . By using a technique introduced in [22], Alice and Bob can improve the secure key rate: they will perform a post-selection on A c and B c , by selecting only the bits in which also Alice obtained a physical detection. We called A ps and B ps the post-selected Alice's and Bob's strings, with length N P c η A η B .
The length of the secure key can be bounded by [23] where H min (B ps |E) is the min-entropy of B ps conditioned on Eve's information. As usual H(B ps |A ps ) = N P c η B η A h 2 (Q ps ) is related to the classical error correction protocol between the A ps and B ps strings. In the previous expression Q ps is the QBER on the postselected data, and, its theoretical value Q ps th in the case of no channel or measurement errors, is given by : The choice ϕ = θ, used in the ent-B92 protocol, gives null QBER. We will see that this choice doesn't always represent the optimal choice for the secure key rate. As demonstrated in [22], by using the chain rule and the data-processing inequality for smooth min-entropy [23,24], it is possible to bound Eve's information on the sifted bits by using her information on B c : where N P c η B (1 − η A ) is the difference between the B c and the B ps string length.
As shown in [25], the min-entropy can be related to the maximal probability of guessing the key bits, namely By using the results of [26], the probability of guessing the bits can be related to the Bell in- The final secure key length can be thus written as ] and the final rate r = /N becomes As usual, in the secure rate formula, the h 2 (Q ps ) term corresponds to the bits used for error correction, while the log 2 contribution is related to Eve's knowledge on the key and the required compression in the privacy amplification stage. The violation of the CH inequality S CH ≤ 0 [12] is a test against the local-realism of quantum physics: it can be trivially checked that, when the inequality is not violated, the secure rate (9) is zero 1 .
In case of perfect efficiencies, the theoretical value of S CH for the non-maximally entangled state (1) and the measurement defined in (2) is given by S CH (θ, ϕ) = 1 2 (cos ϕ + sin θ sin ϕ − 1). The choice ϕ = arctan(sin θ) leads to the maximum achievable violation with the state (1), namely S max CH (θ) = 1 2 ( sin 2 θ + 1 − 1). It is worth noting that considering a trusted measurement device is equivalent to taking perfect efficiencies, namely η A = 1 and/or η B = 1. In fact, if the device is trusted, we can safely consider only the detected events. In this way, we can have three possible scenarios: full DI-QKD when the actual efficiencies are considered, one-side device independent-QKD (1SDI-QKD) [22] in which only one of the two devices (Alice or Bob) is trusted, and standard QKD with both trusted devices. In case of standard QKD (corresponding to η A = η B = 1), the achievable rate with the ent-B92 protocol (corresponding to ϕ = θ), is shown in Fig. 1 with the maximum rate obtained for θ 65.28 • . By using the angle that maximizes the violation of the Bell inequality (ϕ = arctan(sin θ)) it is possible to improve the rate when θ > ∼ 71.62 • (see Fig. 1). More generally, it is possible to numerically optimize the value of the parameter ϕ = ϕ (θ) in function of θ to maximize the achievable rate, as shown with dashed line in Fig. 1. Note that, whenever ϕ = θ, the theoretical QBER is not vanishing: however, the non vanishing QBER can be compensated by a larger violation of the CH inequality, allowing more secrecy in the privacy amplification stage. It is clear that, when Alice and Bob have trusted devices (corresponding to the fair sampling assumption of non-locality tests), the ent-B92 protocol cannot offer 1 If the key rate r obtained in (9) is negative, no secure key can be distilled. advantages with respect to the entangled version of the BB84 protocol [26,27]. In fact, in this case, the secure key rate of ent-B92 is always lower than the BB84, given by r BB84 = 1 − 2h 2 (Q). As we will see, the advantages come when one (or both) device is not trusted: in this case, the lower threshold detection required by the (generalized) ent-B92 protocol to violate the CH inequality, gives considerable improvement of the secure key rate with respect to protocols based on maximally entangled states. The rate achieved in (9) on the post-selected data can be compared to the one obtained without post-selection (3), with QBER Q c evaluated over all conclusive events. Since Alices assigns to non-detection events the |a 1 or |ā 1 outcomes with 1/2 probability, in this case the QBER of the sifted key will be It is easy to show that the rater (3) is lower than the rate r (9) achievable with the post-selection technique for any η A < 1 whiler = r when η A = 1. It is also useful to compare the result obtained in (9) to the one obtained with the post-selection technique in [22] using the usual DI-QKD protocol of [26] implemented with maximally entangled states (the entangled version of the BB84 protocol): The difference from r and r arises from the fact that in the BB84 protocol the key is obtained by using the results of Bob in a single basis, while in the generalized ent-B92 protocol the key is obtained by keeping the Bob's conclusive results in the basis B 0 and B 1 .

IV. PROOF OF PRINCIPLE REALIZATION
In this section we present a proof of principle realization of the protocols above described. As anticipated in the introduction, we will not present a complete DI-QKD demonstration due to the low detection efficiencies measured in our setup. By generating a two-photon non-maximally entangled state by spontaneous parametric down conversion, we will demonstrate that it is in principle possible to realize the DI protocol with our experimental generated state if higher detection efficiencies were used. We first describe the results obtained in a trusted scenario (standard QKD) in order to test our entanglement source and then analyze what can be achieved in a DI framework.
Our source of non-maximally entangled states, shown in Fig. 2, is given by two overlapped Type-I non-linear BBO crystals shined by a pulsed UV laser at 405nm. The two spontaneous parametric down converted photons are emitted at 810nm. The two crystals have the optical axis rotated by 90 • : the first crystal generates the |HH pairs, while the second crystal generates the |V V pairs. By using a pump laser with polarization cos θ 2 |V p + sin θ 2 |H p the non-maximally entangled state (1) can be generated. By varying the linear polarization on the pump laser it is possible to change the relative contribution of the |HH and |V V terms in the generated state. The UV laser has pulse duration of about 10ps and 76MHz repetition rate. Due to the long coherence time of the pump laser, it is not necessary to compensate the temporal walk-off in the BBO crystals. We note that, by this protocols, Bob does not need to project into the |b k states, since they don't appear in the CH inequality neither are used in the sifted key generation. Bob measurements can be thus restricted to the positive-operator valued measure (POVM) Π 0 = 1 2 |b 0 b 0 |, Π 1 = 1 2 |b 1 b 1 | and Π inconc = 1 1 − Π 0 − Π 1 . From the experimental point of view the Bob measurement can be simply represented by a beam splitter and two polarizers.
As said, we tested our source by measuring the Bell parameter S CH and the achievable secure key rate in case of trusted measurement devices. In figure 3 we show the experimental value of S CH and the secure key rate r in function of the entanglement parameter θ. If the obtained rate r is below zero, no secure key can be extracted. In order to take into account imperfections in the setup, the experimental generated state can be expressed by the following noise model: In the previous equation the state ρ c is given by ρ c = cos 2 θ 2 |HH HH| + sin 2 θ 2 |V V V V | and p c (p w ) represent the amount of colored (white) noise. Dashed line in Fig. 3 represent the theoretical value of the S CH parameter and the secure rate r obtained by the state (12) with p w = 0.007 and p c = 0.015, with good agreement between the model and the obtained results. To further no B e ll violat ion r e gion validate our noise model we present in B its prediction for the threshold detection efficiencies required for the violation of the Bell inequality.
Let us now analyze what can be achieved in a DI framework. We calculated the overall detection efficiency of our system by evaluating the ratio between the measured coincidences and the single counts, thus taking into account transmission, coupling into fibers and detection losses. Since the measured detection efficiency is about 10% for both Alice and Bob we cannot achieve DI secure key rate. Nevertheless, we can estimate the key rate achievable with given detection efficiencies η A and η B . Indeed, by assuming that probabilities P (a i , b j ) are related to the probabilities p(a i b j ) normalized on the post-selected events in which Alice and Bob have a coincidence, we can predict the CH parameter as (see A for its derivation): The previous expression can be derived under the condition that on the A 1 , B 0 and B 1 basis, non-detection events are associated to −1 outputs, namely to the states |ā 1 , |b 0 and |b 1 while the states |a 0 and |ā 0 are randomly chosen in case of non-detection in the A 0 basis.
Then, by measuring the probabilities appearing in equation (13), we can estimate the value of the Bell parameter in case of arbitrary efficiencies η A and η B and thus predict the secure key rate achievable with our experiment states when more efficient detectors are used. It is worth noticing that overall efficiencies of the order of 75% were already demonstrated in the lab by using superconducting TES detectors in [14,15].
Let's first consider full DI-QKD with Alice and Bob having the same efficiency η A = η B = η. For each value of η is possible to optimize the value of θ (or θ and ϕ) that maximizes the key rate for the ent-B92 (or generalized ent-B92) protocol: in figure 4(left) we illustrate the achievable key rate in function of the detection efficiency for the ent-B92 and the generalized protocol. We note that positive secure key rate can be obtained up to an efficiency of 90.57%, improving the results of 90.9% and 91.1% obtained respectively in [28] and [22]. We also show the rates that can be achieved with our experimental generated state. In particular, we indicate with dashed lines the predicted rates achievable by using the theoretical noisy state of eq. (12) to calculate the probabilities appearing in eq. (13). With green squares we report the rates achievable when the probabilities that we have experimentally measured are used to evaluate eq. (13). Such rates are below the rates achievable with a perfect non-maximally entangled state |Φ(θ) due to the presence of decoherence and white noise causing a decrease of the state purity. Our measurements indicate that it is necessary to generate states with high purity in order to reach low detection efficiencies.
Great improvement with respect to state-of-the-art results are obtained by considering one-side DI-QKD in which Alice device is trusted, corresponding to η A = 1 in the secure key rate (9) and in the predicted Bell parameter (13). In this case the rate r correspond to the fraction of secure bits over the Alice detected bits. In figure 4(right), we show the achievable key rate in function of the detection efficiency in the oneside DI-QKD case. For the ent-B92 protocol, the secure key rate (without experimental imperfection) becomes r = η B P c [1 − log 2 f (S CH )], which is positive whenever the Bell inequality S CH ≤ 0 is violated. Note that the same rate can be obtained by the original analysis of the ent-B92 protocol [19] applied for the one-side case. We remark that it is possible to obtain positive secure key rate up to a detection efficiency of 50%, improving the result obtained in [22] in which an efficiency greater than 65.9% is required for key generation. Also in this case we show the rate predicted by our experimental data: these data shows again that, in order to fully exploit the properties of low entangled states, it is necessary to generate quantum state with low amount of noise.
Our result closes the gap, from the theoretical point of view, between one-side Bell inequality (also known as steering inequality [22,29,30]) and key generation in 1SDI-QKD, since in our protocol the violation of the Bell inequality corresponds to a positive secure key rate. For fully DI-QKD still remains a gap, which is due to difference between the threshold of η > 82.8% needed for a violation of the CHSH inequality [13] and the efficiency required for the security of DI-QKD, namely η > 90.57%.

V. CONCLUSIONS
We have derived an efficient key rate for the (generalized) ent-B92 protocol in case of detection inefficiencies. We experimentally tested our result with twophoton non-maximally entangled states with good agreement between theory and experiment. The protocol is able to achieve secure key rate with the lowest detection efficiency to date. While the improvement for the full DI-QKD case is small and has mainly theoretical relevance (we lowered the threshold efficiency from 90.9% to 90.57%), great improvement is obtained in the one-side DI-QKD: it is possible to achieve positive secure key rate up to 50% efficiency, to be compared with the state of the art result of 65.9% [22]. . We also report the threshold achievable with a perfect maximally entangled state (MES).
If Fig. 5 we show the theoretical prediction and the experimental values of η th and η th B . Continuous lines represent theoretical prediction without imperfection, while dashed lines correspond to the prediction of the model (B1) with p w = 0.007 and p c = 0.015. Also in this case, we have a good agreement between the model and the obtained results. As the model predicts, when white noise is turned on, states with very low entanglement cannot offer advantages with respect to states with larger entanglement. In order to full exploit the properties of low entangled states it is necessary to generate quantum state with low amount of noise.