Efficient decoy-state quantum key distribution with quantified security

: We analyse the finite-size security of the efficient Bennett-Brassard 1984 protocol implemented with decoy states and apply the results to a gigahertz-clocked quantum key distribution system. Despite the enhanced security level, the obtained secure key rates are the highest reported so far at all fibre distances.


Introduction
In recent years, the possibility to use quantum key distribution (QKD) [1][2][3][4][5] to securely transmit cryptographic keys to remote users has received increasing attention.Consequently, QKD has rapidly grown from early stage experiments to sophisticated demonstrations, suitable for realworld applications [6][7][8][9][10].To keep pace with the fast progress, high efficiency protocols are demanded.At the same time, it is compelling to demonstrate the security of any such protocol not only in an ideal scenario but also, and more importantly, in the real experimental situation.For example, most of the existing QKD security proofs assume that an infinite dataset is available to the experimenters, the so-called "asymptotic scenario".This leads to overestimate a protocol's security level because the QKD parameters are assumed to be determinable with infinite precision.On the contrary, in a real scenario, the dataset is finite and the security-related quantities are subjected to statistical fluctuations in the sample.Hence, the security level of a real system is also finite and needs to be precisely quantified.This problem has been theoretically addressed in a few security proofs [11][12][13][14][15][16][17][18], some of which also guarantee composable security [19,20].Most of them consider a QKD setup running with the BB84 protocol [2] and making use of an ideal single-photon source.However, in practice, this is not the most convenient choice.Firstly, it is advantageous to use an efficient version of the BB84 protocol [21] rather than the standard one, to increase the key rate of the system.Secondly, an attenuated laser combined with the decoy state technique [22][23][24][25] is by far more effective than a single-photon source.Therefore, it would be beneficial to study the security of this more profitable QKD configuration.To realise that, we purposely designed a protocol, termed "T12", which removes the aforementioned idealisations and encompasses all the features that can possibly increase the practicality of a QKD protocol.Among these, the efficient selection of the basis and that of the light intensity, plus others that will follow from the protocol's security proof.In turn, the security analysis is facilitated by the definition of a protocol, because all the steps leading to the final secure key rate are reunited under a unique description.For the analysis, we build on previous finite-size security proofs.Among them, the one described in [16,17,26] entails several advantages (see also the recent contribution published in [27] and the theoretical studies in [28,29]).Firstly, it guarantees universally composable security [19,20], meaning that the key remains secure regardless of the application it is used for, except for some small failure probability ɛ.Secondly, it includes the squashing model [30,31] and so the possibility to use threshold detectors.Finally, it is not necessary to perform either a random permutation of the users' strings before the classical post-processing stage [32] or the encryption of error correction information [33].However, one severe drawback of the aforementioned proof is that when decoy states are taken into account, the key rate remains positive only for very large sample sizes.In fact, in [26] a numerical simulation shows that the data sample must contain at least 10 6 bits in order to provide a positive key rate.This minimum sample size becomes considerably worse, in fact more than 16 times larger, if the same simulation is run with experimental parameters similar to the ones presented in this work.Moreover, even for a reasonably large sample of 10 8 bits, the secure key rate is reduced to half its asymptotic value.Here, we show that the main cause of these problems is the adopted parameter estimation (PE) procedure.Therefore, we review the security proof of [26] and endow it with a more efficient PE, based on numerical optimisation.This improves the results dramatically.We use the new estimates in the security proof to quantify the secure key rate of a gigahertz-clocked QKD system and obtain record rates at all optical fibre distances tested.The approach shows high resistance against small size effects.Using the experimental parameters obtained on a 50.Km optical fibre, the finite-size rate reaches 85% its asymptotic value for a data sample of 10 8 bits and remains positive for sample sizes as small as 1.410 5 bits.

Protocol
We start from a description of the T12 protocol.We assume that the transmitter (Alice) has a phase-randomised source of coherent states [34].This makes the source statistically equal to a Poissonian distribution of number states such that, when the average photon number, or simply the intensity, from the light source is μ , the probability to send a k-photon pulse is Poissonian: -μk e μ /k! .The light pulses are modulated both in intensity and in another degree of freedom, which is used to encode the quantum information.It can be, e.g., the polarisation, or the relative phase from an asymmetric Mach-Zehnder interferometer, like in our setup (see Fig. 1 in Section 5 for a description).For the intensity, Alice randomly chooses among three possible values [25], which we denote with u (signal), v (decoy1) and w (decoy2).It is convenient to introduce a specific intensity label j μ , with j={0,1,2}, so that 0 μ =u , According to this convention, Z is the majority basis, i.e., the one selected most often, and X the minority basis.When Z X pp  , there is an increase of efficiency with respect to the standard BB84 protocol, in which It is convenient, for the following discussion, to introduce also a basis index Intensities and states are chosen independently by Alice, so that it is possible to pair any state with any different intensity.This allows for a simpler implementation and prevents accidental correlations between the intensity and the information encoding.In addition, it is possible to distill key bits from both the bases and obtain the standard BB84 result as a particular case when X Z p p  .This adaptability is useful in practice, as the optimal ratio between the bases can depend on the characteristics of the quantum channel.
In a single key session, N pulses are sent by the transmitter to the receiver (Bob).Because of channel and detector losses, only CN  non-empty counts are registered by Bob in each session.From these counts, the users distil the final key, through a series of classical procedures which require communication over a public channel.These include sifting, to select the non-empty counts with matching bases; error correction (EC), to determine the number of transmission errors, E , in the non-empty counts and correct them; privacy amplification (PA), to remove from a potential eavesdropper (Eve) the information which has possibly leaked to her; authentication and verification, to prevent man-in-the-middle attacks and guarantee that the users strings match with probability arbitrarily close to 1.All this information can be used to split the numbers N , C and E , into smaller groups, according to the users choices of the basis and of the intensity for each pulse, thus realising the advanced data analysis necessary for the T12 protocol.Whenever the bases do not match, the data are discarded through the sifting procedure.From the results with matching bases, the quantities summarized in Table 1 can be drawn.The number of pulses N satisfies the following relations: . Similar relations hold for C and E .These quantities and the knowledge of j μ are used to assess the security of the protocol in the finite-size scenario.The final rate of the protocol is given by the sum of the two secure key rates distilled from the signal pulses separately in the two bases.

Secure key rate
In this section we determine the rate equation for the T12 protocol using the proof method of [16], later extended in [26].The proof starts by providing an entanglement-based description of the preparation and distribution stage of the T12 protocol.The N pulses of the T12 protocol are prepared by Alice using an attenuated laser that emits a series of weak coherent states with random phases.She also varies the intensity of the laser in order to realise the decoy-state technique.This source has been shown to be statistically equivalent to the preparation of N entangled states NN AB ρ followed by Alice's measurement of the subspace A [35].Such a measurement can be done at any time, so it is possible to postpone it at the very end of the protocol without loss of generality, thus remaining with an entangled state shared by the users.The single entangled state AB ρ contributing to NN AB ρ can be written as [35] ( , where D={Z, X} is a basis index, k is the number of photons in the light pulses, and in the basis D with bit values 0 and 1, respectively.As a result, the entanglement based description adopted in [16] holds for the T12 protocol.As a second step, we assume that Bob's detectors are threshold detectors with equal efficiency.When no detector clicks, an empty count is registered by Bob, while all the other cases are nonempty counts.This can be treated as a binary positive-operator valued measure (POVM), a particular 2-dimensional case of the proof method in [16].Also, the results from Bob's measurement are non-ambiguous if we assign orthogonal outcomes to the two detectors and double counts to one of the two detectors, chosen at random.Overall, this description of the T12 protocol detection stage coincides with that adopted in various security proofs, among which those more relevant to the present paper, described in [16,17,26,35].After N signals have been distributed, C non-empty counts are detected by Bob.Using a public (authenticated) channel, the users run the sifting procedure, in which they discard the data corresponding to empty counts and non-matching bases and remain with a pair of raw keys.By performing the PE procedure, they can compute from their data the statistics (a ,b) λ , i.e. the frequencies of the detected symbols and of the errors in the detected symbols.This will let them infer the maximum information gained by Eve during the key session.After that, EC and PA will complete the key distillation procedure and provide them with the final key.In [16], it is shown how to calculate in the finite-size scenario, under the assumption of collective attacks, the rate per detected qubit r L/ n  for any protocol which comply with the description given above.This legitimates us to use this method for estimating the T12 protocol secure key rate in the finite-size case.In the definition of r , the symbol L is the number of secure bits after PA, while n is the number of raw key bits before EC that will contribute to the final key.In the T12 protocol, it is In what follows, we assume for simplicity that the secure bits are distilled from the Z basis.Therefore we omit the basis label.However, all the results hold for the X basis too and the final rate is given by the sum of the two rates from the two separate bases.From [16], we can write the rate per detected qubit as follows: with and The term EC leak in Eq. ( 1) accounts for the number of bits publicly transmitted during EC; it is a classical quantity and can be directly measured in the experiment.A common way to appraise it is by using the expression , where h(.) is the binary entropy and Γ , specified later on together with the other quantities appearing in Eq. ( 3).

The entropy  
H A |E has been explicitly given in equation ( 13) of [26] under the same protocol description given so far.After translating that result into our notation, it reads: where In Eq. ( 4), (1)   X q is the error rate in the X basis of the pulses containing 1 photon.In Eq. ( 5), the quantity (k ) Z y is the k-photon yield, i.e. the conditional probability that Bob registers a count when Alice emits k photons, in the Z basis.These quantities are indicated with a tilde to recall that they have to be optimised in the finite-size setting in order to obtain the final key rate, as prescribed by the minimisation procedure contained in Eq. ( 2).It is worthy to point out that the result in Eq. ( 4) has been initially obtained by Koashi [35], under the same entanglement-based description of an efficient BB84 protocol with decoy states and imperfect devices as the one adopted thus far for the T12 protocol.Specifically, the Heisenberg uncertainty principle was used to show that Eve's uncertainty about Alice's string distilled in the Z basis can be quantified as Eq. ( 9) of [35]).In fact, this leads to an expression equal to that in Eq. ( 4).The T12 protocol key rate, i.e. the amount of secure information per qubit, in the finite-size scenario, for the Z basis, can then be obtained by replacing Eqs. ( 2) -( 5) and the explicit expression for EC leak into Eq.( 1), and multiplying r by the detection rate of the signal pulses in the Z basis: As said, an equation analogous to Z R can be obtained for X R by swapping the Z and X labels in all equations.In Eqs. ( 6), (7), capital letters indicate quantities which are directly measurable in the experiment, while the small letters are for parameters which have to be indirectly estimated.Notice that the minimisation in Eq. ( 2) has translated into that of Eq. ( 6), which in turn is accomplished in Eq. ( 7) by minimising (0) Z y , (1) Z y and maximising (1) X q in their variability range according to a worst-case treatment.In Eq. ( 7) we have introduced the notation X q , respectively.How to find such intervals and perform the optimisation will be explained in the next section.Here, we tighten up some loose ends of the above discussion.
The conditional von Neumann entropy in Eq. ( 2) is the result of a lower bound to the smooth min entropy [16].Under the assumption of collective attacks by Eve, this bound holds for any protocol which can be described as an entanglementdistribution protocol and adopts the proper PE procedure to compute the statistics  2), which, in [16], was defined via the following relation: The meaning of Eq. ( 8) is that if the statistics m λ , acquired from a dataset of size m, is closer than PE ξ to the asymptotic statistics λ  , obtained from an infinite dataset, then the state Γ , except with a probability PE ε .In this case, AE σ is a legitimate state for the minimisation procedure set forth in Eq. ( 2) and then in Eq. ( 6).
In order to turn Eq. ( 8) into an operative definition, it is necessary to find a relation between the upper bound to the variation distance PE ξ and the probability PE ε that PE will fail to select the correct set of states for the minimisation of Eq. ( 2).In [16], this relation was governed by a Lemma through the law of large numbers.We limit here to the case of a binary POVM, because this is the only one present in the T12 protocol.In this case, it was proven that if . Hence, the subsequent assignment was used to select an interval around λ  in which the true value of the statistics falls with probability PE 1 ε  .Such a method clearly requires the knowledge of the asymptotic statistics λ  , without which the finite-size statistics m λ cannot be drawn.In [26], λ  was taken from the analytical expressions given in [23].Then the m-size statistics was obtained from the assignment m λ  PE λ ξ   , as said, with the sign chosen according to whether a lower or an upper bound was needed for the quantities appearing in a rate equation analogous to our Eq.(7).In our solution, we use a statistical method to directly estimate the confidence interval for λ  , without the need of knowing λ  itself.We call PE ε I the confidence interval which contains the true value of the statistics with probability PE 1 ε  .To determine it, we initially set a confidence level equal to PE 1 ε  and then we use this value to directly solve the optimisation problems of Eq. ( 7), as explained in the next section.This provides the upper and lower bounds, λ  and λ  , of the confidence interval for λ  , formally, For an easy comparison with [16], we note that our approach would be equivalent to choosing   ) for a parameter that needs to be minimised (maximised) in Eq. ( 7).In this case, the exact value of λ  would not be relevant anymore, because of the assignment less than or equal to PE ε , as required in [16].
Finally, we should complete the description of the parameters given in Eq. ( 3).The smoothing parameter s ε 0  descends from the smooth min entropy   s ε nn min

H
A |E , used after Lemma 1 in [16] to quantify the number of uniform bits that can be extracted from an error-corrected key using PA.A perfectly uniform distribution of the output bits is attainable only in the asymptotic limit.In the finite-size case, it is necessary to accept some deviation from the ideal uniform distribution, quantified by s ε .The failure probability of the PE procedure is indicated as PE ε .
It has the meaning mentioned above that the estimated confidence interval Moreover, it is intuitive that smaller values of PE ε correspond to a higher security level and to a lower key rate.The probability that EC fails is denoted by EC ε .However, it should be said that EC includes also the verification step in which the users verify that their keys are equal.So EC ε more properly represents the probability that EC fails to correct the key, with the users unaware of this failure.Finally, the total failure probability of the system is ɛ, which is given by the sum of the other failure probabilities, It amounts to 10 -10 in the present work.We choose and fix the numerical values of all the epsilon values so to fulfil the chain relation [16].

Finite-size statistical analysis and parameter estimation
The T12 protocol rate in Eq. ( 7) contains three optimisation procedures which have to be performed over a range specified by the statistics acquired during the PE procedure.In this section, we give a more detailed description of such a procedure.In the asymptotic setting, the decoy state technique allows to put the measurable quantities in one-to-one correspondence with the parameters to be estimated [24]: With the implicit assumption that the single terms in the sums, e.g. (k ) Z y , do not depend explicitly on μ [23], the above set of equations allows to determine all the unknown parameters exactly.
The measurable quantities are on the LHS while the unknowns are on the RHS, coupled with the Poissonian distribution of the photon number.
μZ Y is the rate of Bob's detections when a pulse with average photon number μ was prepared and the Z basis used.
μX B is the bit error rate measured from pulses with average photon number μ , in the X basis.
In the finite-size setting, there is no more exact correspondence between measured quantities and estimated parameters and the acquired statistics allows for different realisations of (k ) Z y and (k ) X q .Among these, security imposes to select the one which maximises Eve's information through a constrained optimisation process.A first optimisation is required because there is only a finite number of intensities that Alice can prepare.A second optimisation is required because the data sample itself is finite.These two processes are usually carried out separately: the former gives rise to analytical estimates [23][24][25] which are then corrected to take the latter into account [26,29].While this can provide positive key rates, it might not be the ideal strategy.In fact, there is no guarantee that the analytical estimates are optimal.Moreover, the numerical fluctuations in the finite sample are often treated using an approximate method, like the Wald statistical test [36], in which the actual coverage probability of the confidence interval is much smaller than expected [37].
To overcome these limitations, we use a combination of statistical analysis and constrained optimisation [38,39].The statistical analysis relies on the Clopper-Pearson (CP) test [40], which avoids approximations and provides the most conservative confidence interval compatible with the statistics acquired from the PE procedure.This allows us to map the experimental quantities of Table 1 into useful bounds with confidence level PE 1 ε  .Then, using these bounds as constraints, we can obtain the estimated quantities through an optimisation algorithm.Both these steps can be efficiently performed via standard numerical routines.In Table 2 we summarise the relevant steps and quantities involved in this approach.When the data sample is finite, Eqs. ( 9), (10) turn into a set of inequalities which can still be used to guarantee the security of the protocol [25,38,39].In fact, they can be rewritten for the three intensity levels j μ of the T12 protocol as: The quantity j μZ Y  ( j μX B  ) contains lower and upper bounds to the detection rate (error rate) of the pulses with intensity j μ measured by the users in the Z (X) basis.From this, we can draw the confidence intervals introduced in Section 3, for the detection rate and for the error rate, each with the appropriate confidence level coming from the CP test.It is easy to see that under the assumption of independent and identically distributed (i.i.d) variables, the quantities measured in our QKD experiment follow the Binomial distribution.In fact, to measure, e.g., the transmission errors, a binary POVM is employed which determines whether the users share the same bit (success) or not (failure).The same is true for the output of Bob's threshold detector which, as said in Section 3, can only give as a response either "click" or "no-click".As a result, a series of Bernoulli trials is obtained from the experiment and the bounds can be deduced by the CP method for all the intensity values and for the Z basis (the X basis is analogous) via the following equations: Here β(α;s,t) is the α-th quantile from a beta distribution with shape parameters s and t , which are related to the measurable quantities of Table 1.The bounds Z y and maximise (1)   X q in their respective confidence intervals.The explicit problems are shown in the Appendix.The solutions have already been introduced in Section 3 and written in Eq. ( 7) as (k ) Z y , k={0,1}, and ( Because objective functions and constraints in the optimisation problems are all reduced to linear functions, the solutions are guaranteed to be global maxima or minima [41].This ensures that when they are finally plugged into Eq.( 7), the obtained finite-size secure key rate of the T12 protocol is an absolute minimum, given the experimental statistics acquired by the users, i.e. a worst-case bound to the real rate.

Experimental implementation and numerical simulation
In this section, we describe the experimental implementation of the T12 protocol in a high bit rate QKD system.In all the experiments, we set 10 ε 10   .Moreover, we choose the probability of the minority basis to be . To determine this value, we initially run a simulation and find the value opt X p that maximises the secure key rate.Then, for experimental convenience, we choose the power-of-2 value which is the closest to opt X p .Following the same logic, we choose the intensity probabilities as The values for the average photon number are u 0.425  , v 0.044  , w 0.001  .They are derived from a simulation under the constraint of being compatible with the actual intensity modulator used in the setup.Small variations of these values do not affect the overall secure rate, thus showing that they are all close to optimal.Fig. 1.Experimental setup for the T12 protocol.In Alice's layout, light pulses are emitted by a 1550 nm laser diode (LD), pulsed at 1 GHz, and transmitted through an intensity modulator (IM) and an unbalanced Mach-Zehnder interferometer.This is composed by a fibre-integrated beam-splitter (BS), a phase modulator (PM) and a final polarising BS (PBS).A variable attenuator (VA) is used to set the intensity of the pulses at the desired level.An optical power meter (OPM) measures the total flux in the fibre and adjust the VA in real-time in order to keep it constant.After a fibre spool of different lengths, the light passes through a polarization control (PC) and a second interferometer that matches Alice's.In one arm, a fibre-stretcher (FS) is used to match the arms length between the two distant interferometers, thus generating interference at the final BS.Pulses are eventually measured by a detection unit (DU).
The QKD experimental setup is shown in Fig. 1.The system operates in the telecom band at a wavelength of 1550 nm.On Alice's side, encoding is accomplished through phase modulator voltages corresponding to (0, π) for the Z basis and (π/2, 3π/2) for the X basis.Bob uses a (0, π/2) modulation for decoding.The two communicating parties are linked together via a dispersion shifted fibre which has a dispersion coefficient of 4 ps/(km•nm).Single photons are detected by gated InGaAs avalanche photodiode (APD) in the self-differencing mode [42].The APDs are cooled thermoelectrically to -30°C and operated at a detection efficiency of 20.5%, dark count probability per gate of 2.1×10 -5 and after pulse probability 5.25%.A software program controls all the equipment continuously, calculates the QBER for the fibre-stretcher to counteract any drift in the phase and corrects the detector gate delay and polarisation so as to maximise the count rate.The average photon number is stabilised using the feedback from a power meter connected to the main channel through a beam splitter with fixed known splitting ratio. .Parameters are obtained with the setup of Fig. 1 from an experimental QKD run over a 50 Km optical fibre.The key rate, depicted with a red line, is measured in percentage from the asymptotic value.Pie-charts with the breakdown of the counts leading to the final secure bits are given for sample sizes of 10 11 counts and 1.410 5 counts.The latter value is the smallest sample size providing a positive rate and can be acquired in less than 60 ms with our system.For a typical acquisition time of 20 minutes, the block size is ~510 9 counts and the corresponding secure key rate is indicated by a violet circle on the red line.In addition, the minority basis probability has been optimised so to obtain the highest secure key rate at all distances.It goes from pX=0.0065 for a sample of 10 11 counts to pX=0.2290 for a sample of 1.410 5 counts.
The experimental parameters given above have been used to numerically simulate the secure key rate of the T12 protocol as a function of the detected sample size on a fibre distance of 50.Km.This is shown in Fig. 2, with the sample size decreasing from left to right.The secure key rate is calculated by applying Eq. ( 7), separately to each basis, and then adding up the two resulting partial rates.As expected, it decreases when the sample size becomes smaller.However, already for a sample size of 10 8 counts, the protocol performs at about 85% of its asymptotic value.Moreover, the key rate remains positive up to a sample size of 1.410 5 counts.With the same experimental parameters, the security proof by Cai and Scarani [26] would provide 50% of the asymptotic rate for a sample size of 10 8 counts, and 1.610 7 counts as the minimum size tolerated by the protocol.Therefore our model is significantly more resilient to finite size effects.In Fig. 2, we also show two pie-charts with the breakdown of the counts collected in the experiment, one for a large data sample (10 11 counts) and the other for the minimum data sample tolerated by the protocol (1.410 5 counts).The total detected sample is reduced by basis sifting, EC and PA applied to multi-photon events and phase-errors before reaching the final secure key fraction.The detrimental contribution of the finite-size effects becomes apparent for smaller sample sizes.

Experimental results
With the setup shown in Fig. 1, a series of experiments were conducted to verify the feasibility and practicality of the T12 protocol.The main feature to be demonstrated is the capability to measure the quantities in Table 1 which enter the secure key rate of the protocol.This requires an advanced data analysis of the experimental sample, which takes into account not only the basis information [21,44], but also the intensity information.To our knowledge, such an advanced data analysis has never been shown before in QKD.In Fig. 3, we report the sifted count rates for the two bases Z and X, for the three intensity values u , v and w .In the lower part of the figure, we show the QBERs in the two bases, for the intensity u .The error rates related to v and w do not enter the secure key rate of the protocol (see Appendix) and are not displayed.Data are measured over an optical fibre length of 50 km, with key sessions of 20 minutes and for a total time of more than 3 hours.In this period, the average sifted counts, expressed in counts per session, are   .The mean value of the error rates is determined mainly by the modulation errors, lowest in the X basis, while the standard deviation is smaller in the Z basis, due to the larger sample from which the statistics is drawn.From Fig. 3 we can also see that the sample collected in a 20 minute session is of about 510 9 counts, therefore implying from Fig. 2 that the reduction due to finite-size effects is negligible.From the measured quantities, the secure key rate of the T12 protocol is automatically calculated in the system.We display it in Fig. 4, under the same experimental conditions as in Fig. 3.For comparison, we also show the key rate of the standard BB84 protocol, implemented by changing the basis bias to X Z p p 1/ 2   .Notice that to calculate the key rate of the BB84 protocol, we can use exactly the same rate equation as for the T12 protocol.For both protocols the total key rate is given by the sum of the key rates distilled separately in the two bases.Hence we also show in Fig. 4 the basis-dependent key rates.The total rate for the T12 protocol is 1.09 Mbps and is distilled almost entirely from the majority basis Z, while the total rate for BB84 is 0.63 Mbps and the two bases contribute nearly equally to form it.Because in the T12 protocol X p 1/16  , only 11.7% of the detected counts are discarded, as opposed to 50% in the BB84 protocol.This increases the theoretical efficiency of the T12 protocol to 88.3%, which is 76.6% higher than the standard BB84 protocol.The experimental results in Fig. 4 agree well with this value.In fact, the obtained enhancement is 73.5%, very close to the theoretical limit.Finally, in Fig. 5, we show the total secure key rate as a function of the fibre distance, for both the T12 protocol and the BB84 protocol.Data was acquired using 4 different lengths of fibre spool connecting the users, 35, 50, 65 and 80 km, respectively.For a fair comparison at all distances, we kept the acquisition time per data block fixed, equal to 20 minutes.The T12 secure key rates are, for increasing distances, 2.20, 1.09, 0.40 and 0.12 Mbps, the highest reported to date in QKD literature.With respect to previous experiments with finite-size security on BB84like protocols [44][45][46], these results represent an improvement of 3 orders of magnitude [46] or more [44,45].

Conclusion
We have investigated the finite-size security of the efficient version of the BB84 protocol, implemented with attenuated laser and decoy state technique.For that, we have purposely defined a protocol, namely the T12, which includes several practical advantages.After gathering all aspects under a unified description, we have applied the Scarani and Renner proof method [16] to assess the protocol secure key rate.Then we have adopted a more efficient parameter estimation procedure to improve the resistance of the protocol to finite-size effects.As a result, the minimum data sample size providing a positive key rate has now greatly improved, by more than two orders of magnitude.Numerical simulations have been provided, showing explicitly the effect of the data sample finiteness on the secure key rate.With samples of 10 8 bits, finite-size effects reduce the asymptotic key rate by about 15%.For higher sample sizes, the reduction becomes negligible.
We have then implemented the T12 protocol using a gigahertz-clocked QKD system.All the main features of the protocol, including the high key rate and the increased efficiency over the standard BB84 protocol, have been experimentally tested and agree well with the theoretical predictions.
To demonstrate the correct execution of the protocol, we have shown the results from an advanced data analysis, in which experimental quantities are acquired and processed in real time according to their basis and intensity information.
The high bit rate of the system allows to collect 510 9 counts in a typical session of 20 minutes thus providing a key rate that is not appreciably affected by the finiteness of the sample.Despite its large security level, represented by a failure probability ε=10 -10 , the system provides the highest secure key rates reported to date over tens of kilometres in optical fibre.

1 μ =v and 2 μ
=w .Then the symbol μ indicates a generic intensity value, while the symbol j μ is an intensity index taking on the three specific intensity values u, v and w.The values j μ are selected with probabilities the encoding, Alice randomly selects one of four possible states, as in the standard BB84 protocol[2], indicated as |0Z, |1Z (Z basis) and |0X= (|0Z+|1Z)/√2, |1X= (|0Z|1Z)/√2 (X basis).The bases Z and X are selected with probabilities non-empty counts from pulses with intensity j μ and basis Z, X errors in the non-empty counts from pulses with intensity j μ and basis Z, X the previous section and the states(k ) are distilled from the Z basis or from the X basis, respectively.
rate measured in the Z basis.The parameter EC f1  accounts for the EC efficiency.In Eq. (2), the conditional von Neumann entropy   H A |E represents Eve's uncertainty about Alice's string.It has to be minimised over all possible Alice-Eve joint states AE σ which are contained in a set PE ξ the entanglement-based description of the T12 protocol.The discussion of the PE procedure involves the definition of the set PE ξ Γ in Eq. ( , which removes λ  from the problem and leaves

I
fails to contain the true value of the statistics.Generally speaking, the wider the interval, the lower PE ε .

Fig. 2 .
Fig. 2. Secure key rate of the T12 protocol versus the size of the detected data sample, for

Fig. 3 .
Fig. 3. Advanced data analysis for the T12 protocol.Displayed are the basis-dependent and intensity-dependent counts and QBERs acquired by the system.The quantum channel is a 50.km optical fibre and the key session time is 20 minutes.

Fig. 4 .
Fig.4.Experimental total and basis-dependent secure key rates.For the T12 protocol (pX=1/16) data are in red colours.For the standard BB84 protocol (pX=1/2) data are in blue colours.Experimental data are obtained over a 50 km optical fibre link and a typical acquisition time of 20 minutes.Each of the total key rates is given by the sum of the respective basis-dependent key rates.

Fig. 5 ,
Fig.5, Experimental secure key rates as a function of fibre distance.The fibre distances experimentally tested are 35, 50, 65 and 80 km, respectively.For the T12 protocol (pX=1/16, filled circles) the values of the secure key rate at these distances are 2.20, 1.09, 0.40 and 0.12 Mbps.For the standard BB84 protocol (pX=1/2, empty circles) they are 1.18, 0.63, 0.26 and 0.06 Mbps.The solid and dashed lines are theoretical curves for T12 and BB84 protocol, respectively.The inset shows the real-time secure key rate provided by the T12 protocol at 50 km, over more than 3 hours of continuous operation.All the samples at this distance feature secure key rates exceeding 1 Mbps.