Large-Alphabet Time-Frequency Entangled Quantum Key Distribution by means of Time-to-Frequency Conversion

We introduce a novel time-frequency quantum key distribution (TFQKD) scheme based on photon pairs entangled in these two conjugate degrees of freedom. The scheme uses spectral detection and phase modulation to enable measurements in the temporal basis by means of time-to-frequency conversion. This allows large-alphabet encoding to be implemented with realistic components. A general security analysis for TFQKD with binned measurements reveals a close connection with finite-dimensional QKD protocols and enables analysis of the effects of dark counts on the secure key size.


Introduction
Light and matter are ultimately constituted of quantum entities, so that the limitations of technology cannot be prescribed by the principles of classical physics.Quantum-optical devices promise better-than-classical performance in sensing [1,2], computation [3,4,5] and, in particular, communications [6,7].Quantum effects in optical systems are easily observed at room temperature because of the high carrier frequency of optical signals compared with thermal background radiation.Light has numerous degrees of freedom that can be co-opted for the transmission of quantum information, and optical signals can be generated and detected efficiently.Modern telecommunications leverage the very large capacity of optical channels via dense multiplexing techniques, and the efficiency of quantum information processing can be similarly enhanced with the use of large-alphabet encoding strategies.In this connection, timefrequency encoding offers numerous advantages over polarisation or spatial-mode encodings, since multiple spectral modes are supported in waveguides and optical fibres with minimal dispersion, and zero cross-talk.For this reason, large-alphabet spectral-temporal multiplexing in quantum optics has recently received growing attention [8,9], with immediate applications in quantum key distribution (QKD) [10,11,12].
Public key cryptography underpins much of commerce today [13], but it is threatened by the advanced computational tools made possible by quantum information processing.Although a quantum computer remains many years away, the threat is sufficient to motivate the search for security that is immune to a quantum adversary.Quantum key distribution [14] provides this security, and in the three decades since the first proposals were made based on polarized photons [15], it has developed into both a burgeoning industry [16], and a diverse research field [17,18,19,20].While polarisation states are vulnerable to corruption in waveguides and optical fibres, the arrival time of photons is a more robust encoding [21].In general, transmission losses limit the range of QKD, but the use of entangled photons [22] allows the distance to be extended by means of quantum repeaters [23,24], which employ entanglement swapping between short segments to distribute secure correlations over large distances.
These considerations motivate the study of QKD with photon pairs entangled in their chronocyclic degree of freedom [25,26,27,28,29,8].The security of such time-frequency QKD (TFQKD) protocols is based on the ability to detect non-classical correlations in at least two complementary measurement bases, and these bases should be mutually unbiased (i.e.Fourier conjugates of one another) to maximise the sensitivity of the measured correlations to intrusion by an eavesdropper.Time and frequency domain detection provides a particularly convenient conjugate pair both because time-and frequency-resolving measurements are mature technologies, and because photon sources based on parametric scattering, such as spontaneous downconversion or four-wave mixing naturally produce photon pairs with widely-tunable correlation properties ranging from uncorrelated emission [30,31] to extremely broadband spectral entanglement [32,33,34].However, accessing the large entropy of these photon pairs requires precise measurements in both time and frequency bases, which is a non-trivial problem because of technical constraints on the timing jitter of photon detectors and the resolution of spectrometers.
Recently it was proposed to use fast time-resolving photon detectors to record the correlated arrival times of entangled photons, and to insert a dispersive medium before the detectors to measure in the frequency basis [10].The dispersion delays each spectral component of the incident photons differently, converting the arrival time at the detector into a frequency measurement [35].This protocol has the advantage that a single detector can sample a large region in chronocyclic space [36].However the timing jitter of the detector sets a lower limit to the correlation time of the photon pairs.Fast detectors are not yet efficient [37,38], whereas efficient detectors are generally slower [39,40,41], so with current technology the spectral correlations should be very narrowband in order for the arrival-time correlations to extend over a long enough period to be resolved by the detectors.Besides the challenges of engineering a bright photon source to fit these criteria, the narrow bandwidth also means that extremely dispersive media are required to implement the frequency measurements, which are generally lossy.It was found in [10] that a photon efficiency of up to 2 bits per photon could be achieved with realistic components.
Here we introduce an alternative large-alphabet entangled TFQKD protocol that is dual to [10].We propose to use spectral measurements to detect frequency correlations, and to use phase modulators to convert these measurements to the time basis.We show that with this detection scheme it is feasible to demultiplex up to 4 bits per photon with readily available components, while technical advances -essentially improving the power dissipation of electrooptical phase modulators to allow larger modulation depth -could allow much larger alphabets.While chronocyclic entanglement produces correlations between the continuous variables of arrival time and frequency, measurements inevitably map these correlations to a set of discrete outcomes.We provide a security analysis that accounts for the effects of this detectorbinning, and we model the constraints on the secure key arising from dark counts.

The protocol
Fig. 1.Time-frequency quantum key distribution with spectrally entangled photon pairs.Top: we assume a Gaussian anti-correlated joint spectral amplitude f (ω, ω ) (left) and a corresponding positively correlated Gaussian arrival time distribution f (t,t ) (right).Black ruled lines indicate spectral/temporal measurements made by Alice and Bob centred at the values {ω j }/{t j } (see text).Middle: photon pairs from the source are distributed to Alice and Bob, who have identical measurement setups.Bottom: spectral correlations are revealed with photon-counting spectrometers (spect).Security is certified by measurements in the conjugate arrival-time basis using time-to-frequency conversion (TFC), which is implemented with a dispersive element (disp) followed by a phase modulator (mod).
Key distribution aims at generating a pair of correlated random bit strings shared exclusively by two parties -conventionally called Alice and Bob -that can be used to encrypt and decrypt communications by means of a one time pad [42].In our TFQKD protocol, Alice and Bob construct correlated bit strings by recording the results of joint measurements on pairs of spectrally entangled photons.The entanglement produces correlations in both the frequencies and the arrival times of the photons which are destroyed if the system is measured by a third party.Uncorrelated measurement results therefore reveal the presence of an eavesdropper (Eve) when Alice and Bob compare a subset of their bits.As shown in Fig. 1, a parametric source (which may or may not be under the control of Eve) produces photon pairs in the entangled state (ignoring for the moment the emission of vacuum or double pairs) where | ω, ω indicates a photon pair received by Alice and Bob with frequencies ω + ω 0 and ω + ω 0 , respectively, with ω 0 the central frequency of the pair.Here f (ω, ω ) is the joint spectral amplitude describing the frequency correlations between a photon pair emitted with detunings ω, ω from degeneracy.In general, energy conservation and phasematching considerations produce non-factorable joint spectra, f (ω, ω ) = f A (ω) f B (ω ) [43,44], and the degree of entanglement -the number of correlated spectral modes -is conveniently quantified by the Schmidt number K = 1/ ∑ j λ 4 j , where the {λ j } are the singular values of f .Broad spectral entanglement with K ∼ 10 3 has been observed [45] and routes to extremely multimode emission with K ∼ 10 7 have been proposed [34].Therefore although source engineering is non-trivial, it is already possible to produce photon pairs with a high degree of quantum correlations.As discussed above, the primary challenge for implementing TFQKD lies with the detection scheme.In our protocol, Alice and Bob each have a photon-counting spectrometer, which they use to measure the frequencies of their photons.A photon entering one of the spectrometers is spatially dispersed and then directed towards one of M photon counting detectors, such that a 'click' at the j th detector ( j = 1, 2, . . ., M) is described by a projective positive operator-valued measure (POVM) element Here F j is the instrument response that represents the finite resolution of the spectrometerthat is, the range of frequencies coupled to the j th detector.For simplicity in the calculations to follow we will assume a 'top hat' profile with ω j = ω 0 + [ j − (M + 1)/2]δ ω.This describes a spectrometer with a resolution δ ω and a flat response to all frequencies in the range ω 0 − ∆ω/2 ≤ ω ≤ ω 0 + ∆ω/2, where ∆ω = Mδ ω.This description would be appropriate for a grating spectrometer equipped either with a photon counting charge-coupled device (CCD), or a v-groove array of fibres coupled to Geiger-mode avalanche photodiodes (APDs), for example [46].The entanglement of the state in Eq. ( 1) will cause correlated clicks at the outputs of Alice's and Bob's spectrometers, which they can use to generate a cryptographic key.The frequency measurements have M possible outcomes, so that a detection event can extract up to a maximum of I M = log 2 M bits of information from each photon pair.However to certify the security of their key, they need to also check that the arrival times of the photons are correlated.As mentioned previously, the large timing jitter ( 200 ps for APDs) of efficient photon-counting detectors makes it challenging to resolve the temporal correlations directly.Instead, we propose to implement measurements in the time basis by sending each photon through a time-to-frequency converter [47,48,49].As shown in Fig. 1, this comprises a dispersive element followed by a phase modulator, the combined effect of which is to implement a Fourier transform on the incident waveform, thus converting time to frequency.The effect is rigorously analogous to a spatial Fourier transform implemented on the transverse profile of a light field using a lens followed by free-propagation over a distance equal to its focal length.To see how this works, consider first the effect of the phase modulator on an incoming field (analogous to free propagation alone).The modulator imprints a sinusoidally time-varying1 phase φ (t) = A cos(Ωt) with amplitude A and angular frequency Ω. Near the peak of the modulation at t ≈ 0 the phase has a quadratic time dependence φ (t) ≈ −AΩ 2 t 2 /2 = − φt 2 /2, where we have defined φ = AΩ 2 and we dropped an unimportant global phase.The time-dependent amplitude E(t) of the incident field is transformed to E(t) exp{i φt 2 /2}, which in frequency space induces a transformation analogous to the Fresnel-Kirchhoff diffraction formula, We now consider that the field has previously propagated through a system with quadratic, or group velocity dispersion, which imparts a spectral phase ϕ(ω) = −ϕ ω 2 /2 (analogous to a lens).Inserting this phase and multiplying out the Gaussian exponent in Eq. ( 4), the full transformation becomes The choice ϕ = 1/ φ corresponds to the spectral Fraunhofer limit [51] in which the quadratic phase factor in the integrand of Eq. ( 5) is removed, and the transformation is then operationally identical to a Fourier transform (the analogous cancellation of Fresnel diffraction in the focal plane of a lens is well-known).That is, any measurement of the spectral intensity of the transformed field is equivalent to a measurement of the temporal intensity -the arrival time -of the input field, described by the POVM element where we have defined The temporal resolution of this measurement is δt = δ ω/ φ , where δ ω is the spectral resolution of the photon-counting spectrometer, as described above.Note that this is independent of the timing jitter of the photon counters used to register the photons.Like an ordinary spatial lens, the time lens has a finite aperture τ, which is the region in time over which the phase modulation remains quadratic.To a good approximation this is given by τ = 1/Ω [47].This sets a limit to how fast the modulator can be run, since the signals to be detected must pass through the aperture within this time window.
Having described how to implement temporal measurements, we consider the parameters required for an effective TFQKD protocol using our approach.As an idealised example, we assume a Gaussian correlated joint spectrum of the form [52,53] where ω ± = (ω ± ω )/ √ 2 and ∆ + , ∆ − are the marginal and correlation bandwidths, respectively.The Schmidt number is given by 2K = ∆ + /∆ − + ∆ − /∆ + , which is roughly the ratio of the major and minor widths of the joint spectrum (see Fig. 1).This coincides with the intuition that the number of correlated modes is found by dividing up the joint spectrum and counting the number of bins of width roughly equal to the correlation bandwidth ∆ − .To access these correlated modes with our detectors, we engineer the source such that ∆ − = β − δ ω and ∆ + = β + ∆ω, where the constants β ± are chosen so that the spectral resolution roughly matches the correlation bandwidth, and the spectral response covers the full width of the joint spectrum.For example, the choice β + = 3/4 yields a reasonably flat marginal probability distribution across all detection channels, while choosing β − = 1/5 provides sufficiently tight correlations that cross-talk between channels is negligible.
The correlations in the time domain are determined by the joint temporal amplitude f (t,t ), which is the two-dimensional Fourier transform of the joint spectral amplitude, f (ω, ω ).The form assumed in Eq. ( 9) is convenient because f (t,t ) is again a correlated Gaussian as shown in Fig. 1, with major and minor temporal widths given by T ± = 1/∆ ∓ .If we require the same ability to resolve temporal correlations as spectral correlations, we should have a temporal resolution δt = T − /β − , which fixes the modulator phase curvature to be We also require that the temporal aperture of the modulator is long enough to accommodate the full signal, τ ≥ T + , which limits the modulator frequency to Since the modulation frequency is restricted, the modulation depth A must be large enough to achieve the required phase curvature.The demands on the modulation depth are minimised by matching the modulator frequency and the spectrometer resolution to achieve equality in the above condition.This can be achieved with modern GHz-bandwidth modulators and a relatively modest grating spectrometer.For instance, using the choices for β ± introduced above, a 50 GHz modulator could be used with a 2 nm-resolution spectrometer and telecoms-band photons.Operating at this limit, the modulation depth required to implement the time lens is This is a relatively demanding condition: the modulation depth must rise in proportion to the number of frequency bins used for the QKD protocol.That is, exponentially in the number of bits carried by each photon pair.However modulation depths of order 20π radians are feasible with lithium-niobate modulators [54], which would allow M = 16 (an alphabet size of I M = 4 bits per photon pair).We note finally that the dispersion required to reach the Fraunhofer limit in this example would be provided by ∼220 m of ordinary silica fibre, with a GVD on the order of 300 fs 2 cm −1 .Such a short length of fibre would introduce very small losses.

Security
The output of TFQKD is a digital bit string, as for all QKD protocols, but this is extracted from measurements on continuous degrees of freedom.Therefore it is not immediately obvious whether a security analysis developed for discrete-variable QKD protocols can be applied.
To examine the security of TFQKD with entangled photons, we adapt arguments developed for spatially-encoded QKD [55] to the case of finite detector resolution [56,57,58,59].To proceed, we consider the correlations revealed by the sifted joint probability distribution {p BA ba } describing the probability of Bob's b th detector firing along with Alice's a th detector, when both measure in the frequency basis.These correlations are quantified by the mutual information I BA , where p B b = ∑ a p BA ba is the marginal distribution of Bob's outcomes, and where p A a is similarly Alice's marginal distribution.For simplicity we suppose that Alice and Bob post-process their sifted key bits using a one-way forward reconciliation protocol, for which the size -in bitsof the secret key they can distill is bounded by the excess information where I BE is the mutual information between Bob and Eve2 .We can calculate I BA from the statistics of Alice's and Bob's measurements but I BE is not known and must be bounded by analyzing the correlations in the complementary (temporal) basis.To proceed, we write the mutual information in the form I XY = H X − H X|Y [55], where H X = − ∑ x p X x log 2 p X x is the marginal entropy and where the conditional entropy is given by where is the entropy associated with the conditional probabilities p XY x|y that the x th detector of party X fires, given that the y th detector of party Y fires.We then obtain Next we need to find a lower bound for H B|E .To do this, we note that the variability of Bob's measurement results in time and frequency are restricted by Heisenberg's uncertainty principle.More generally, if Bob receives an arbitrary quantum state ρ, the marginal entropies H B (ρ) ( H B (ρ)) for Bob's measurements in frequency (time), satisfy the entropic uncertainty relation where B is a number that depends only on Bob's measurements, not on the state ρ.Alice's and Eve's measurements on the state emitted by the source produce a conditional state ρ B|A=a,E=e at Bob's detectors, so that we have H B (ρ B|A=a,E=e ) = H B|A=a,E=e , using a natural tripartite extension of the notation in Eq. ( 14).Substituting this conditional state into Eq.( 16) and averaging over the possible outcomes of Alice's and Eve's measurements, we obtain Now, since uncertainty (entropy) is only increased by removing a "given" precondition from a conditional distribution, we can remove Alice as a given from the first conditional entropy, and Eve as a given from the second, to get Inserting this into Eq.( 15) gives The formula for the entropic bound is where k || ∞ , with ||A|| ∞ denoting the largest singular value of the operator A [60].This bound is how the complementarity of the temporal/spectral measurement bases underpins the security of the key.As shown in Appendix A, C is well approximated by the quantity δ ωδt/2π, so that finally the size of the secret key is where we have included the natural constraint that the secret key is upper bounded by the marginal entropy H B of the measurements (since H B|E ≤ H B ).That is, regardless of the measurement precision, the secret key cannot exceed the entropy of Bob's marginal statistics.This is in turn bounded from above by H B ≤ I M = log 2 M, which is the maximum information content for M-outcome measurements.By design M = (β + /2β − )K is roughly equal to the Schmidt number of the source, to within a factor on the order of unity.With appropriate choices of β ± and for sufficiently resolving measurements (such that δ ωδt ∼ M −1 ), this protocol can therefore be efficient in terms of the information extracted from the quantum states it consumes as a resource.For the modulation scheme described above, we have δt = δ ω/ φ , which along with Eq. (10) indeed yields δ ωδt = (β + β − M) −1 .However we note that Eq. ( 21) is a general expression for the size of the secret key for a TFQKD protocol with arbitrary finite resolution in both the time and frequency bases, which is not specific to our proposed modulation scheme and makes no assumptions about the form of the state produced by the source, or the power of Eve's interventions.

Practical considerations
So far we have considered the security of finite-resolution measurements on photon-pair states, but the real photonic states emitted by a parametric source contain dominant contributions from vacuum (no photons emitted), and smaller contributions from multi-pair emission (most significantly, four photons emitted instead of two).Multi-pair emission does not necessarily represent a security threat, since in general the spectral correlations of the source are strictly pair-wise, meaning that Eve cannot glean extra information by 'splitting off' extraneous photons.However our security proof is based on a representation of the POVMs in the Hilbert space spanned by a single photon impinging on each detector.The proof is therefore only approximate, but squashing protocols have been proposed for qubit-based QKD to deal with the effects of multipair emission [61], and a similar idea could be used here by randomly assigning measurement outcomes whenever more than one detector in an array fires.
Alice and Bob can remove the influence of the vacuum components by post-selecting on joint detection events, and this also allows the protocol to run when the channel transmission and detector efficiencies are less than unity.For Alice and Bob to use postselection, they must employ spectral filters and temporal gates that prevent signals entering their detectors with spectral or temporal components outside the range of their measurements.To see why, suppose that Eve is capable of performing a very precise projective (non-destructive) frequency measurement on Bob's photon.If he goes on to measure in the frequency basis, he will get the same result as Eve, and if Alice also used the frequency basis, this measurement result will form part of the sifted key.However, if Bob makes a temporal measurement without any time gate, the narrowband photon produced by Eve's measurement will fall mostly outside of Bob's detection range in the time domain, and so will not be detected.Alice and Bob therefore discount this event, since they are post-selecting events where both parties receive a photon.Mutatis mutandis Eve can make the same kind of intercept-resend attack in the temporal basis.In this way, Eve can gain perfect knowledge of the sifted key, while forcing Alice and Bob to ignore those events where she failed to choose the correct measurement basis.Alice and Bob can prevent this attack by always rejecting photons occupying regions of chronocyclic space outside the sensitivity regions of their detectors, by means of spectral filters and temporal gates [25].In our proposed protocol this could be accomplished with a combination of a dielectric stack and a Pockels cell preceding each of Alice's and Bob's detection systems.See [59] for a more general discussion of the effects of finite detection range on entanglement verification.
With postselection as described above, non-unit efficiencies and losses do not directly affect the security, but they reduce the key exchange rate which increases the fraction of uncorrelated dark counts.As is the case with all other QKD protocols, the increasingly important role of dark counts as channel losses grow ultimately limits the distance over which TFQKD can be run securely [62,10,55].To analyse this limitation we consider a simple error model in which the source joint spectrum produces perfect correlations at Alice's and Bob's detectors, while random errors occur with probability p in either the time or frequency measurements, so that where p = M p/(M − 1).With a dark count probability d for each of the M detectors in any given run of the photon source, the error probability is found to be (see Appendix B), Here η = η chan η d , with η chan = e −L/L att the transmission through a quantum channel of length L and attenuation length L att and η d the overall detector efficiency, assuming Alice and Bob have identical equipment.We have also introduced the photon-pair emission probability ε such that the quantum state emitted by the source is approximately given by |0 + √ ε |ψ , with |0 the vacuum state and |ψ given in Eq. (1) (see part (a) of Fig. 2).Note that in a typical implementation with M 1 and {η, ε} 1, with a small dark count probability d ηε/M, we have p ≈ p ≈ 2Md/η.With the error model in Eq. ( 22) the conditional entropies are both given by where h(x) = −x log 2 x−(1−x) log 2 (1−x) is the binary entropy.Substituting these expressions into Eq.( 21), using δ ωδt = 1/β + β − M, one obtains where we have defined the 'binning deficit' c = − log 2 (2πβ + β − ).The security condition I ≥ 0 is of the same form as that derived in [63], which considered QKD with finite dimensional quantum systems [64] 3 .Therefore we see that TFQKD, based on the continuous chronocyclic degree of freedom, can be treated as a finite-dimensional QKD protocol, with a small correction factor represented by c, that takes account of the choices made in binning the measurements.
A realistic joint spectrum, as approximated in Eq. ( 9), will not exactly produce the simplified delta-correlated outcome distribution in Eq. ( 22); in general there will be some finite cross-talk between adjacent detection channels and a Gaussian-like variation in the marginal detection probabilities.However we have verified numerically, using Eq. ( 9), that the choices β + = 3/4, β − = 1/5, which we introduced previously, generate H B ≈ I M , and agree with Eq. ( 24), to within 0.05 bits, so that Eq. ( 25) is approximately correct even for a source with a realistic joint spectral amplitude.Part (b) of Fig. 2 shows the variation of the secure key size I on the size I M of the alphabet for a typical implementation with APD-type detectors and a channel length with L = L att (typically ∼20 km in the C-band), assuming the values of β ± used previously.The secure key initially grows in proportion to the alphabet, albeit with a magnitude reduced by the binning deficit c ≈ 0.086 bits.Here the deficit is small enough that exchanging up to 4 secure key bits per detected photon pair remains feasible with the components described previously.However for I M > 11 (i.e.M > 2048) the secure key decreases and rapidly falls to zero, since the dark count rate from the growing number of detectors causes significant errors that are attributed to Eve.This calculation exemplifies a natural technical trade-off in TFQKD, where information can be extracted rapidly from photon pairs using detector arrays as we propose here, whereas singledetector protocols extract less information per registered photon pair, but are affected much less by dark counts [10].

Conclusion
We have described an implementation of highly multiplexed time-frequency quantum key distribution using photon-counting spectrometers and phase modulators to implement frequency and arrival-time measurements on pairs of spectrally correlated photons by means of time-tofrequency conversion.We analysed the technical demands required for such a protocol and found that a large-alphabet detection system is feasible with commercially-available components.We developed a general security analysis for continuous-variable QKD protocols with binned measurement results, and applied it to our protocol to model the effects of dark counts on the size of the secure key.The protocol we presented is one of a family of time-frequency protocols well suited to transmission using waveguides and optical fibres, where spatial or polarisation mode encoding is vulnerable to cross-talk and differential scattering losses.Highly multimode quantum light sources are now a well-developed technology, and the use of entangled beams allows the communication distance to be extended via entanglement swapping with quantum repeaters.Our measurement scheme based on phase modulation represents a compact and technically straightforward way to demultiplex a large-alphabet key from a multimode entangled light source, which is a convenient source of correlations that removes the need for an active encoding step.The security analysis we presented shows how the protocol can be treated as a finite-dimensional QKD scheme, despite the continuous nature of the chronocyclic degree of freedom.We anticipate that these results will influence the next generation of quantum cryptographic systems.

A. Entropic uncertainty relation for finite-resolution measurements
Numerical calculations confirm that this remains an excellent approximation to the largest singular value of the function in Eq. ( 27) provided δ ω/(2π φ /δ ω) < 0.1, which is guaranteed by Eq. ( 10) for a large-alphabet protocol with M 1/β + β − .Substituting Eq. ( 28) into Eq.( 20) and using δt = δ ω/ φ , we obtain the bound on the secret key given in Eq. ( 21).We note that the resulting bound applies quite generally to any TFQKD protocol employing binned frequency and time measurements with resolutions δ ω, δt.

B. Dark count error probability
The error probability p is given by [63] p = P incorrect P correct + P incorrect , where P correct , P incorrect are the probabilities for recording correlated and uncorrelated detector clicks, respectively.Alice and Bob postselect on single clicks at each side, so only events where one detector fires each are counted.We make the simplifying assumption that if both photons from a photon pair are successfully emitted and detected, without a dark count occurring in any other channel, then the two registered outcomes are perfectly correlated.If these photons are not registered, but dark counts occur, it is possible that the outcomes are incorrectly correlated.
Taking into account all possibilities yields and where the overbar notation x = 1 − x denotes the probabilistic complement.The common factor of d 2(M−1) represents the probability that there is no dark count in the M − 1 remaining bins on each side, and this factor cancels out in the expression for p.After some algebra, one obtains the expressions in Eq. ( 23).

Fig. 2 .
Fig. 2. TFQKD in the presence of losses and noise.(a) The source emits mostly the vacuum state | 0 , with ε the small probability to emit a correlated photon pair.For simplicity we consider the source located equidistant from Alice and Bob, connected by lossy channels of length L with attenuation length L att .The photon detectors comprising the spectrometers have efficiency η d and suffer dark counts with probability d.(b) We compute the secure key size I as a function of the alphabet size I M for a typical protocol with ε = 0.1, η d = 25% (including coupling losses) and d = 10 −6 , at a distance L = L att .Dark counts cause a sharp drop in the secure key size for alphabets larger than 11 bits.