Experimental Extraction of Secure Correlations from a Noisy Private State

We report experimental generation of a noisy entangled four-photon state that exhibits a separation between the secure key contents and distillable entanglement, a hallmark feature of the recently established quantum theory of private states. The privacy analysis, based on the full tomographic reconstruction of the prepared state, is utilized in a proof-of-principle key generation. The inferiority of distillation-based strategies to extract the key is exposed by an implementation of an entanglement distillation protocol for the produced state.

Quantum entanglement can guarantee secure communication as demonstrated by Ekert's protocol [1] for quantum key distribution [2] (QKD), where the random key obtained from a maximally entangled state is known exclusively to legitimate users. A natural way to realise QKD using imperfect noisy entanglement is to attempt its distillation into the maximal form using local operations and classical communication [3]. This strategy however may reduce the attainable key length or even preclude its generation altogether, which follows from the recently developed theory of private quantum states [4]. The secure key can be extracted in general at higher rates than that implied by distillable entanglement, and even from certain classes of bound entangled states.
In this Letter we report experimental generation and utilization of a noisy entangled four-photon state that exhibits the separation between secure key contents and distillable entanglement. We perform a full tomographic reconstruction of the produced state using the maximumlikelihood [5] and Bayesian reconstruction methods [6,7], which allows us to obtain credible estimates for the quantities of interest despite their nonlinear character and high sensitivity to statistical noise and experimental imperfections. We present a proof-of-principle extraction of a secure key and implement an entanglement distillation protocol verified to perform suboptimally.
The original example of extracting privacy from quantum entanglement is Ekert's QKD protocol, in which two communicating parties-Alice and Bob-need a sequence of bipartite systems prepared in a maximally entangled two-qubit state such as |φ + = 1 √ 2 |00 + |11 . Local projections performed by Alice and Bob in the computational basis |0 , |1 yield perfectly correlated random key bits. The security is checked by measuring the qubits in superposition bases to test coherence between the components |00 and |11 . If the state used for QKD is indeed pure, the monogamy of entanglement [8] prevents an eavesdropper Eve from learning measurement outcomes obtained by legitimate users. Of course, a state |φ − = 1 √ 2 |00 − |11 would be equally suitable for key generation. But an equiprobable statistical mixture of |φ + and |φ − ensures no security. This is because it can be viewed as a partial trace involving a qubit E in possession of Eve, who can gain complete information about the results of Alice's and Bob's measurements in the computational basis without introducing any disturbance. Suppose now that in addition to qubits A and B, Alice and Bob possess also qubits A ′ and B ′ prepared jointly in a statistical mixture of |φ − AB ⊗ |00 A ′ B ′ and |φ + AB ⊗ |11 A ′ B ′ . Obviously, a local measurement of A ′ or B ′ in the computational basis reveals whether the qubits A and B have been prepared in |φ + or |φ − . This enables key generation and entanglement distillation with equal rates. An intriguing case is the privacy of a mixed fourqubit state [4]: where , and we denote |ψ ± = 1 √ 2 |01 ± |10 . Unlike the preceding example, the two operators ̺ A ′ B ′ ± cannot be discriminated unambiguously by Alice and Bob using local operations and classical communication, which lowers the value of distillable entanglement E D [9]. This can be seen from an upper bound where L is the log-negativity [10] calculated for the partial transposition Γ with respect to the partition AA ′ : BB ′ . In contrast, the theory of private states [4]-of which ̺ priv is an example-shows that results of projecting qubits A and B in the computational basis cannot be learnt by Eve, thus providing one bit of a secure key. This leads to a gap between the key rate and E D , implying general sub-optimality of distillation strategies. In order to demonstrate experimentally this hallmark feature of private states we generated a noisy entangled four-photon states using a setup shown in Fig. 1. Its heart were two 1 mm long type-I down conversion betabarium borate crystals with optical axes aligned in perpendicular planes, following the arrangement introduced by Kwiat et al. [11]. The crystals were pumped using Ti:sapphire oscillator (Coherent Chameleon Ultra) emitting a 78 MHz train of 180 fs pulses frequency doubled in a 1 mm long lithium triborate crystal to give a 390 nm wavelength pump of an average power of 200 mW, and focused to a 70 µm diameter waist. The axial symmetry of type-I down-conversion implies that photons emerging along any two opposite ends of the emission cone will be maximally entangled. That way one can collect multiple photon pairs, as shown in the inset of Fig. 1(a), and obtain a four-photon state |φ + AB ⊗ |φ + A ′ B ′ with |0 and |1 corresponding to horizontal and vertical polarizations. Collimated photons after transmission through 10 nm full-width-at-half-maximum bandwidth interference filters were coupled into single-mode fibers wound on manual polarization controllers. Phase relations between two-photon probability amplitudes were controlled by two Soleil-Babinet compensators D placed in the path of the pump beam and photons A.
Photons B were sent through a half-wave plate whose two selected orientations introduced a transformation σ x = |0 1| + |1 0| or σ z = |0 0| − |1 1|. The set of two quarter-waveplates and a half-wave plate placed in the path of photons B ′ realized one of four operations 1 z randomly with equal probabilities produced ideally the state equivalent up to a local unitary to ̺ priv . The secure key can be obtained by measuring qubits A and B in the eigenbasis of σ y given by |v = 1 The photons were detected using free space polarization analyzers constructed from a quarter-wave plate, a half-wave plate and a Wollaston polarizer with two output ports coupled into multimode fibers, connected to single photon counting modules SPCM (Perkin-Elmer SPCM-AQRH), as shown in Fig. 1(b). Detection efficiencies within each polarization analyzer, determined from an independent macroscopic measurement, were equalized in the postprocessing by binomial resampling. Electric signals from SPCMs were registered with a field programmable gate array (FPGA) circuit using a coincidence window of 6 ns. Typical count rates were 10 5 s −1 for single counts, 6 × 10 3 s −1 for two-photon and 2 s −1 for fourfold coincidences.
Assuming that only four-photon events are available to Alice and Bob, we reconstructed a density matrix of a private state and performed a proof-of-principle secure key generation. A complete measurement consisted of a sequence of 33637 intervals, each 10 s long. Before a single interval, settings of individual polarization analyzers were selected randomly and independently on Alice's and Bob's side to project polarization in the eigenbasis of σ x , σ y , or σ z . The density matrix of the generated state was reconstructed from fourfold coincidences using two independent techniques: the Kalman filter (KF) method [7] based on gaussian approximation and Bayesian inference which provides an a posteriori probability distribution on the set of density matrices, and the maximum-likelihood (ML) method with physical constraints [5]. In the KF approach the resulting a posteriori distribution served to generate a sample of 10 4 physical density matrices with the help of the slice-sampling technique [12]. This sample was used to calculate mean values and standard deviations of individual elements of the density matrix depicted in Fig. 2, as well as the information-theoretic quantities reported in Eq. (7). Uncertainties of ML estimates were obtained by generating 2000 reconstructions using perturbed experimental data as an input. The uncertainties calculated account for both the Poissonian photon counting noise and 0.25 • uncertainty of the waveplate orientation in polarization analyzers. Calculation of the KF a posteriori distribution took 20 s on a standard PC, a significant advantage compared with 20 min for the ML method. A more time consuming stage, however, was generation of statistical samples of physical density matrices, which took 2 s per matrix using the KF distribution and required repetition each time of the full reconstruction in the ML case.  (7), and the ML value F ML = 0.9715 (7) is the probability of obtaining the projection onto |a by Alice. An attempt to gain information about Alice's outcome by either Bob or Eve can be viewed as a classical to quantum communication channel A → B or A → E [13]. In such a scenario-denoted as cqq-Alice and Bob can establish a secret key at a rate at least where χ B(E) is the Holevo quantity [14] for the respective channel A → B(E), defined as: S(·) denotes the von Neumann entropy, and the summations are carried out over an orthonormal basis of states |a , in our case |0 and |1 . Based on measured data, the Bayesian a posteriori distribution for density matrices yields the following estimates for the attainable key rate and the log-negativity X cqq KF = 0.690 (7), L KF = 0.581(4).
These results show a clear separation, exceeding ten standard deviations, between distillable entanglement and the key rate, exposing a fundamental feature of general private states. The ML method yields consistent results X cqq ML = 0.704(7) and L ML = 0.578(4). The slightly higher value of X cqq ML may be attributed to the fact that the ML method returns a lower-rank density matrix with weaker entanglement between the system AA ′ BB ′ and the environment E.
The consistency of KF and ML results was verified by calculating the Mahalanobis distance [7] between the density matrices produced by both the methods with the KF covariance matrix used as a metric. The obtained distance 16.8 is below the value 17.1 corresponding to a 95% confidence interval. The KF method allows one to check for the presence of systematic errors: since the mean of the a posteriori distribution is not forced to be positive definite, its Mahalanobis distance from the mean of the distribution with imposed positivity constraints is an indicator of possible systematic errors in the measurement process [7]. For our data this distance is 17.7, implying that systematic errors are not significant.
In order to extract a secure key from the four photon state we selected randomly one event from each interval when both the qubits A and B were measured in the σ y bases obtaining N = 3716 raw key bits. We simulated a binary interactive error-correction procedure [15] exchanging 990 parity bits, which corrected all errors, and performed privacy amplification using two-universal hashing functions. Using the KF estimate of Eve's knowledge in the asymptotic limit given by χ E , conservatively enhanced by five standard deviations, and adding a security margin [16] to guarantee that the probability of Eve learning at least one bit of the key is below 10 −6 , yields 2164 bits of a secure key. The subsystems A ′ and B ′ play the role of a shield protecting the private key contained in subsystems A and B from an eavesdropping attempt. Given ̺ id , tracing out A ′ and B ′ reduces the qubits A and B to a mixed state ̺ AB = 1 4 |φ − AB φ − | + 3 4 |ψ + AB ψ + |. The corresponding experimental state, shown in Fig. 3(a), has X cqq KF = −0.009 (4), which demonstrates that the shield is critical to ensure security. The shield qubits can be used to implement a simple entanglement distillation protocol for ̺ id : if A ′ and B ′ are projected in the same basis, identical outcomes collapse the state of qubits A and B to a maximally entangled state |ψ + AB , while opposite results produce a separable state 1 2 |φ − AB φ − | + |ψ + AB ψ + | = 1 2 (|00 AB 00 | + |11 AB 11 |) useless for key generation. Fig. 3(b,c) depict experimental conditional density matrices reconstructed for these two cases using the KF method. The key rate is positive only for identical outcomes and equals 0.693 (9), which multiplied by the relative frequency of these events 0.511 yields the average value X cqq KF = 0.354(5), falling significantly behind the result reported in Eq. (7). Using the resulting subset of qubit pairs to generate a key under the same security assumptions as before yields below 650 bits after error correction and privacy amplification of 1859 raw bits obtained from intervals when the qubits A and B were measured in the same bases. Note that the 50% reduction in the raw key length compared to the fourphoton key extraction corresponds exactly to the success rate of the distillation protocol which halves the raw bit rate if only compatible measurements yielding perfectly correlated outcomes are applied.
In conclusion, we demonstrated experimentally a fundamental feature of private states, namely the separation between distillable entanglement and the secret key contents, using a noisy entangled state of photon quadruplets. The results confirmed the sub-optimality of distillation-based strategies to extract private correlations. This highlights the complex nature of mixed entanglement in higher dimensions similarly to that exhibited in multiparty scenarios [17] and paves the way to develop QKD protocols that make optimal use of realistic imperfect resources.
We wish to acknowledge insightful discussions with Koenraad Audenaert and Jan Tuziemski. This work was supported by FP7 FET project CORNER, the Foundation for Polish Science TEAM project, and Polish Ministry for Scientific Research project.