Finite-key analysis for quantum key distribution with weak coherent pulses based on Bernoulli sampling

An essential step in quantum key distribution is the estimation of parameters related to the leaked amount of information, which is usually done by sampling of the communication data. When the data size is finite, the final key rate depends on how the estimation process handles statistical fluctuations. Many of the present security analyses are based on the method with simple random sampling, where hypergeometric distribution or its known bounds are used for the estimation. Here we propose a concise method based on Bernoulli sampling, which is related to binomial distribution. Our method is suitable for the Bennett-Brassard 1984 (BB84) protocol with weak coherent pulses [C. H. Bennett and G. Brassard, Proceedings of the IEEE Conference on Computers, Systems and Signal Processing (IEEE, New York, 1984), Vol. 175], reducing the number of estimated parameters to achieve a higher key generation rate compared to the method with simple random sampling. We also apply the method to prove the security of the differential-quadrature-phase-shift (DQPS) protocol in the finite-key regime. The result indicates that the advantage of the DQPS protocol over the phase-encoding BB84 protocol in terms of the key rate, which was previously confirmed in the asymptotic regime, persists in the finite-key regime.

Figure 1

Secure key ratio of the qubit-based BB84 protocol to the asymptotic limit as a function of total rounds of the protocol $n_{\mathrm{rep}}$. We assume no errors ($k_X=0$) and no loss ($n_{\mathrm{tot}}=n_{\mathrm{rep}}$). The security parameters are set to ${\epsilon }_{\mathrm{c}}={10}^{-15}$ and ${\epsilon }_{\mathrm{s}}={10}^{-10}$. The top, middle, and bottom curves represent the ratios $l^{\left(\mathrm{opt}\right)}/n_{\mathrm{rep}}$, $l^{\left(\mathcal{H}\right)}/n_{\mathrm{rep}}$ (method with simple random sampling), and $l^{\left(\mathcal{B}\right)}/n_{\mathrm{rep}}$ (Bernoulli-sampling method), respectively. In the limit of $n_{\mathrm{rep}}\to \infty$, each curve converges to $l/n_{\mathrm{rep}}=1$.

Figure 2

Comparison of estimation methods for the WCP-BB84 protocol. The top curve (Bernoulli-sampling method) shows the secure key ratio to the asymptotic limit $l_{\mathrm{WCP}}^{\left(\mathcal{B}\right)}/(n_{\mathrm{rep}}/e)$ as a function of total rounds of the protocol $n_{\mathrm{rep}}$. The bottom curve (method with simple random sampling) is an upper bound on the derived secure key ratio $l_{\mathrm{WCP}}^{\left(\mathcal{H}\right)}/(n_{\mathrm{rep}}/e)$. We assume no error ($k_X=0$) and no loss $[n_{\mathrm{tot}}=n_{\mathrm{rep}}(1-e^{-\mu })]$. The security parameters are set to ${\epsilon }_{\mathrm{c}}={10}^{-15}$ and ${\epsilon }_{\mathrm{s}}={10}^{-10}$. In the limit of $n_{\mathrm{rep}}\to \infty$, each curve converges to $l_{\mathrm{WCP}}/(n_{\mathrm{rep}}/e)=1$.

Figure 3

Secure key rate per signal of the WCP-BB84 protocol $l_{\mathrm{WCP}}^{\left(\mathcal{B}\right)}/n_{\mathrm{rep}}$ as a function of channel transmission ${\eta }_c$. The parameters are set to be the same as in Ref. [23]. The quantum efficiency of detectors ${\eta }_d=0.1$, the dark count probability per pulse per detector $p_{\mathrm{dark}}={10}^{-5}$, the loss-independent bit error is $0.5\%$, the error correction cost ${\lambda }_{\mathrm{EC}}\left({\epsilon }_{\mathrm{c}}\right)=1.05h(E/Q)+{\log }_2(1/{\epsilon }_{\mathrm{c}})$, and the security parameters are ${\epsilon }_{\mathrm{c}}={10}^{-10}$ and ${\epsilon }_{\mathrm{s}}={10}^{-5}$. From the top to the bottom curve, the numbers of detected signals are $n_{\det }={10}^7$, ${10}^6$, ${10}^5$, and ${10}^4$, respectively. The required number of detected signals to generate a final key is less than ${10}^4$, while it was $\sim {10}^7$ in the previous result [23].

Figure 4

Setup for the $L$-pulse DQPS protocol. The protocol regards a train of $L$ pulses as a block and the working basis is chosen for each block. At Alice's site, pulses are modulated with phase $\{0,\pi ,\frac{\pi }{2},\frac{3\pi }{2}\}$ according to her random bit and basis choice. The randomization of the overall optical phase is also done for each block of $L$ pulses. At Bob's site, each pulse train is fed to a delayed Mach-Zehnder interferometer with phase shift 0 or $\frac{\pi }{2}$ according to his basis choice. Valid timings of detection are labeled by integers $1,2,...,L-1$, according to the index of the pulse from the short arm of the interferometer. Detection from interference between pulses from different blocks is regarded as invalid and ignored.

Figure 5

Secure key rate per pulse of the DQPS protocol $l_{\mathrm{DQPS}}/\left(n_{\mathrm{rep}}L\right)$ as a function of overall transmission $\eta$. Solid curves are the results of the finite-key analysis with total pulse number $n_{\mathrm{rep}}L={10}^7$ and dashed curves are the results of the asymptotic case ($n_{\mathrm{rep}}L\to \infty$), which are obtained in Ref. [13]. For both solid and dotted curves, the top, middle, and bottom curves represent the key rate for $L=20$, $L=4$, and $L=2$, respectively. The parameters are set as follows: the dark count rate per pulse per detector $p_{\mathrm{dark}}=0.5\times {10}^{-5}$, the loss-independent bit error is $3\%$, the cost for error correction ${\lambda }_{\mathrm{EC}}\left({\epsilon }_{\mathrm{c}}\right)=1.1h\left(E\right)+{\log }_2(1/{\epsilon }_{\mathrm{c}})$, and the security parameters are ${\epsilon }_{\mathrm{c}}={10}^{-15}$ and ${\epsilon }_{\mathrm{s}}={10}^{-10}$. We see that the key rate of the DQPS protocol ($L>2$) is higher than that of the PE-BB84 protocol ($L=2$) for both the asymptotic and finite-key cases.