Secure Coherent-state Quantum Key Distribution Protocols with Efficient Reconciliation

We study the equivalence between a realistic quantum key distribution protocol using coherent states and homodyne detection and a formal entanglement purification protocol. Maximally-entangled qubit pairs that one can extract in the formal protocol correspond to secret key bits in the realistic protocol. More specifically, we define a qubit encoding scheme that allows the formal protocol to produce more than one entangled qubit pair per coherent state, or equivalently for the realistic protocol, more than one secret key bit. The entanglement parameters are estimated using quantum tomography. We analyze the properties of the encoding scheme and investigate its application to the important case of the attenuation channel.

1 Introduction

Quantum key distribution (QKD), also called quantum cryptography, allows two parties, Alice and Bob, to share a secret key that can be used for encrypting messages using a classical cipher, e.g., the one-time pad. The main interest of such a key distribution scheme is that any eavesdropping is, in principle, detectable as the laws of quantum mechanics imply that measuring a quantum state generally disturbs it.

The resources required by QKD comprise a source of non-orthogonal quantum states on Alice's side, a quantum channel conveying these states to Bob, a measuring apparatus on Bob's side, and a (public) authenticated classical channel between Alice and Bob. In addition to being used to generate a secret key, the quantum channel is subject to probing by the legitimate parties, so as to determine how many secret bits can be generated.

Most interest in QKD has been devoted to protocols involving (an approximation to) a single-photon source on Alice's side and a single-photon detector on Bob's side (see [1] and the references therein). However, protocols involving quantum continuous variables have been considered with an increasing interest [2, 3, 4, 5]. Of special importance are coherent-state protocols [6, 7]. The quantum source at Alice's side randomly generates coherent states of a light mode with Gaussian-distributed quadratures, and Bob's measurements are homodyne measurements. These protocols seem to allow for facilitated implementations and higher secret-key generation rates than the protocols involving single-photon sources [7].

Consequently, there is an increasing interest for studying the security of coherent state protocols under general classes of attacks. Individual Gaussian attacks are considered in [6, 7], and are found to be optimal in the more general class of finite-width non-Gaussian incoherent attacks [8]. Individually-probed collective attacks are also considered in [9, 10]. The recent techniques of [11, 12] do not make any assumptions on the eavesdropper's technology and are also considered in [9, 10] for coherent state protocols, although giving lower secret key rates.

In this paper, we study the security of a prepare-and-measure QKD protocol [6, 7] by establishing its equivalence to an entanglement purification (EP) protocol, which produces maximally-entangled qubit pairs. A maximally-entangled qubit pair is by definition completely factored from its environment, and thus the values obtained by measuring each side are fully correlated and secret. The equivalent prepare-and-measure QKD protocol also enjoys this property. This particular technique thus allows one to relieve from any assumptions on the eavesdropper's strategy and was used in [13] to assess the security of the BB84 protocol and in [3] for a squeezed state protocol. More recently, this technique was extended to the case of coherent state protocols [14].

To show the equivalence between a QKD protocol and of an EP protocol, one has to explicitly take into account the secret key distillation, that is, the techniques used to make Alice's and Bob's keys equal (reconciliation) and fully secret (privacy amplification). In [13], the EP protocol uses CSS quantum codes [15, 16], which are equivalent in QKD to reconciliation with syndromes of binary linear codes and privacy amplification by multiplication with a parity-check matrix. In contrast to BB84, the modulation of coherent states in the protocol we consider here is continuous, therefore producing continuous key elements from which to extract a secret key. Reconciliation of a Gaussian-distributed key was studied in [17], and a generic protocol called sliced error correction was designed so as to distill a binary key.

In contrast to [14], the EP protocol is constructed in such a way that it is equivalent to a QKD protocol with sliced error correction for reconciliation. The advantage is the higher secret key rate and the better resistance to attenuation that one can achieve. In particular, more than one maximally-entangled pair (or secret key bit) can be produced per coherent state. Furthermore, thanks to its generality, the asymptotic efficiency of the EP protocol inherits to some extent from the asymptotic efficiency of the classical reconciliation protocol.

The paper is organized as follows. First, in Sec. 2, we macroscopically describe the formal EP protocol and its equivalent QKD protocol that are used throughout the paper. Then, in Sec. 3, we show how the channel can be probed so as to determine the number of secret key bits that Alice and Bob can generate. The encoding of qubits, that is, the generalization of sliced error correction to EP, is described in Sec. 4. Then, Sec. 5 deals with the important particular case of an attenuation channel. Finally, the asymptotic properties of the qubit encoding scheme are detailed in Sec. 6.

2 From Entanglement Purification to Secret Key Distillation

After we review the case of EP using CSS codes and its equivalence to BB84, we give a high-level description of a QKD protocol based on EP. We consider this protocol as formal, that is, we do not expect a physical implementation of it. Instead, we propose a prepare-and-measure QKD protocol, derived from the formal one, which also encompasses error correction and privacy amplification.

2.1 Binary CSS codes

In the case of BB84, the CSS codes can readily be used to establish the equivalence between an EP protocol and a QKD protocol [13]. Since we will use CSS codes as an ingredient for the EP and QKD protocols below, let us briefly review their properties.

Let C₁ and C₂ be two binary error correcting codes of n bits (i.e., C₁ and C₂ are vector spaces of F₂ⁿ) with parity check matrices H₁ and H₂, resp. They are chosen such that {0}⊂C₂⊂C₁⊂F₂ⁿ. A CSS code is a k-dimensional subspace of Hⁿ, the Hilbert space of n qubits, with k=dimC₁-dimC₂ [15, 16]. The code C₁ allows to correct bit errors, while C₂^⊥ (the dual code of C₂) allows to correct phase errors—one important property of the CSS codes is to be able to correct bit errors and phase errors independently.

For entanglement purification, Alice and Bob must compare their syndromes, both for bit errors and phase errors. The relative syndrome determines the correction that Bob must apply to align his qubits to Alice's. Translating this into the BB84 protocol, one can show [13] that the relative syndrome for bit errors in the EP protocol is equal to the relative syndrome for bit errors that Alice and Bob would have reconciled in the BB84 protocol. So, reconciliation can be done using the C₁ code. Phase errors of the EP protocol do not have such a direct equivalent in the BB84 protocol: The prepare-and-measure protocol works as if Alice measured her part of the state in the {|0〉,|1〉} basis, thereby discarding information on the phase. However, one does not really need to correct the phase errors in the BB84 protocol. Instead, if C₂^⊥ would be able to correct them in the EP protocol, the syndrome of C₂ in C₁ of Alice and Bob's bit string turns out to be a valid secret key in the prepare-and-measure protocol. Stated otherwise, H₁ determines the syndrome Alice has to send to Bob to perform reconciliation, while H₂ determines the way the final key is computed for privacy amplification.

Overall, the number of secret key bits is thus k=dimC₁-dimC₂, provided that C₁ (resp. C₂^⊥) is small enough to correct all the bit (resp. phase) errors. When considering asymptotically large block sizes, the CSS codes can produce

We conclude this section by noting that the bit error rate e^b determines the number of bits revealed by reconciliation (asymptotically h(e^b)), whereas the phase error rate e^p determines the number of bits discarded by privacy amplification due to eavesdropping (asymptotically h(e^p)).

2.2 Quantum key distribution based on entanglement purification

In BB84, the modulation of qubits can be transposed as if Alice prepares a |φ⁺〉 state and measures her part. In the case of the QKD protocol with Gaussian-modulated coherent states, the formal state that Alice prepares is of course different, as it must reduce to the proper modulation when Alice measures her part. We define the formal state as:

where g(x,p) denotes a bi-variate Gaussian distribution g(x,p)=√(G₁(x)G₂(p)). The kets |x〉, |p〉, |x+ip〉 are shorthand notations for respectively a x-quadrature eigenstate with eigenvalue x, a p-quadrature eigenstate with eigenvalue p and a coherent state whose x mean value equals x and whose p mean value equals p. The subscripts a₁, a₂ (resp. b) denote that the system is lying on Alice's side (resp. Bob's side).

The state (2.3) does not have a direct physical meaning. In particular, the systems a₁ and a₂ must be understood as classical pointers, e.g., resulting from the (formal) homodyne measurement of an EPR state as studied in [18].

In the entanglement purification picture, the b part of the system is sent to Bob (and possibly attacked by Eve) and the a part stays at Alice's station. If Alice measures x in a₁ and p in a₂, the state is projected as if Alice sent Bob a coherent state centered on x+ip.

Let us now describe the EP protocol, which reduces to the prepare-and-measure QKD protocol described further.

The details of the EP procedure, which uses CSS codes as an ingredient, are given in Sec. 4, while the estimation is detailed in Sec. 3.

2.3 Prepare-and-measure quantum key distribution

By virtually measuring the a part of the state |Ψ〉, the protocol above reduces to the following one.

The reconciliation and privacy amplification procedures are based on classical error correcting codes, which derive from the CSS codes used in the formal EP protocol.

3 Error Rates Estimation using Tomography

In QKD protocols derived from EP, an important step is to show how one can infer the bit and phase error rates of the samples that compose the key. A fraction of the samples sent by Alice to Bob are sacrificed so as to serve as test samples. By randomly choosing them within the stream of data, they are statistically representative of the whole stream.

In [3, 13], one can simply make measurements and directly count the number of bit and phase errors from the results. This is possible since Bob's apparatus can measure both bit and phase values. In [14], however, it is not possible to measure directly phase errors. Yet some data post-processing can be applied on measurements so as to infer the number of phase errors in the stream of data. In this section, we wish to show that we can extend this to more general (and more efficient) encodings of qubits (in the EP picture) or bits (in the derived QKD protocol).

The encoding of bits will be described in a further section—for the moment, the qubit pair system (i.e., one among possibly several ones), which Alice and Bob will process using CSS codes, is abstractly represented by its Pauli operators acting in a₁: Z_s (phase flip) and X_s (bit flip), and in b: Z_e and X_e. (The subscripts s and e stand for slice and estimator, resp., to follow the convention of the following sections.) The bit errors are assumed to be easy to determine, that is, Z_s has a diagonal expansion in |x〉_a₁〈x|, and Z_e can directly be determined by a single homodyne measurement on b. This ensures, in the derived prepare-and-measure QKD protocol, that Alice knows the bit value she sent, and Bob can determine the received bit value. A measurement of the observable X_sI_a₂X_e associated to the phase error rate, however, cannot be implemented by a single homodyne measurement on b. Therefore, we have to invoke quantum tomography with a quorum of operators [19] to get an estimate of the phase error rate.

3.1 Estimating phase errors in the average state

In the EP picture, let ρ⁽ⁿ⁾ be the state of the n samples used for estimation of the phase error rate (i.e., n instances of the a₁a₂b system). To count the number of phase errors in a set of n samples, one needs to measure O=X_sI_a₂X_e on the n samples and sum the results (with I_a₂ the identity in the system a₂). This is equivalent to measuring O⁽ⁿ⁾=∑_iI_a₁a₂b^⊗i-1⊗X_sI_a₂X_e⊗I_a₁a₂b^⊗n-i. If the true phase error probability in the n+l samples is e^p, the error variance is σ₁²=2e^p(1-e^p)/n, and thus the probability of making an estimation error of more than Δ is [3, 13] asymptotically exp(-Δ²n/4e^p(1-e^p)). It is easy to see that

If the measurement of O=X_sI_a₂X_e cannot be made directly, one instead looks for a quorum of operators Q_λ such that O=∫dλo(λ)Q_λ; estimating 〈O〉 comes down to measuring several times Q_λ for values of λ chosen randomly and independently of each other, and averaging the results weighted by o(λ): O≈∑_io(λ_i)Q_{λ_i} [19]. If the values of λ are chosen independently of the sample index on which Q_λ is applied, we get unbiased results, as Tr(Oρ)=E_λ[Tr(Q_λρ)], with E the expectation. Of course, the estimation of Tr(Oρ) with a quorum cannot be perfect and an estimation variance σ₂² must also be considered and added, σ²=σ₁²+σ₂².

3.2 Estimating phase errors using coherent states and homodyne detection

We now explain how the phase error rate can be estimated, in principle, using coherent states modulated in both quadratures and homodyne detection in all quadratures.

It is clear that the knowledge of matrix elements of the average state ρ gives the knowledge of 〈O〉. Let ρ₀=|Ψ〉〈Ψ| be the state that Alice and Bob would share if the transmission was perfect. Since the a part of the system stays at Alice's station, we only need to learn about how the b part of the system is affected. In the prepare-and-measure picture, let T be the completely positive (CP) map that maps the states sent by Alice onto the states received by Bob, (Id⊗T)(ρ₀)=ρ. In particular, let the coherent state |x+ip〉〈x+ip| be mapped onto ρ_T(x+ip) and the (pseudo-)position state |x〉〈x^′| be mapped onto ρ_T(x,x^′). The functions ρ_T(x+ip) and ρ_T(x,x^′) are related by the following identity:

By inspecting Eq. (3.3), it seems that due to the factors e^-S²/8N₀ and e^-D²/8N₀, two different CP-maps T and T^′ may make ρ_T(x+ip) and ρ_T^′(x+ip) only vanishingly different. It thus seems unlikely that Eq. (3.3) should allow us to extract the coefficients ρ_T(x+S+D,x+S-D). However, assuming that T depends only on a finite number of parameters, a variation of these parameters will induce a measurable variation of ρ_T(x+ip). We will now discuss why it is reasonable to make such an assumption.

Due to the finite variance of the modulation of coherent states, the probability of emission of a large number of photons vanishes—this intuitively indicates that we only need to consider the description of T for a bounded number of emitted photons. More precisely, one can consider the emission of w joint copies of the state ρ_0b=Tr_a(ρ₀). For w sufficiently large ρ_0b^⊗w can be represented in the typical subspace Γ_δ(ρ_0b) of dimension not greater than 2^{w(H(ρ_0b)+δ)}, for any δ>0 [20], where H(ρ) is the Von Neumann entropy of a state ρ. The probability mass of ρ_0b^⊗w outside the typical subspace can be made arbitrarily small and does not depend on the eavesdropping strategy. This means that the support for the input of T has finite dimension, up to an arbitrarily small deviation.

The number of photons received by Bob can also be upper bounded. Alice and Bob can first assume that no more than n_max photons are received. This fact may depend on a malicious eavesdropper, so Bob has to do hypothesis testing. The test comes down to estimating 〈Π〉 with Π=∑_{n>n_max}|n〉〈n|. If the threshold is well chosen so that n>n_max never occurs, we can apply the central limit theorem and upper bound the probability that 〈Π〉>ε for any chosen ε>0. The positivity of the density matrices implies that the off-diagonal coefficients are also bounded. We can thus now express ρ_T(x+ip) as ρ_T(x+ip)=∑_{n,n^′≤n_max}ρ_T(x+ip,n,n^′)|n〉〈n^′|. Note that the test can be implemented either by explicitly measuring the intensity of the beam (therefore requiring an additional photodetector) or by exploiting the correlation between the high intensity of the beam and the high absolute values obtained when doing homodyne measurements in all directions.

Finally, the estimation of the coefficient of |n〉〈n^′| can be done with arbitrarily small statistical error using homodyne detection in all directions [19, 21]. This is achieved by considering the quorum of operators (x_θ)_0≤θ<2π, where x_θ=cosθx+sinθp denotes the amplitude of the quadrature in direction θ. Considering a finite combination of arbitrarily small statistical errors on parameters also gives arbitrarily small overall statistical error on the phase error rate.

4 Encoding of Multiple QuBits in an Oscillator

Reconciliation and privacy amplification are integral parts of the prepare-and-measure protocols derived from entanglement purification protocols. In our case, we wish to derive a prepare-and-measure protocol with sliced error correction (SEC) [17] as reconciliation, which allows us to obtain a higher secret key rate and a better resistance to losses than in [14]. We therefore need to describe an entanglement purification procedure that reduces to SEC when the corresponding prepare-and-measure protocol is derived. An overview of SEC is proposed next.

4.1 Sliced error correction with invertible mappings

We here recall the main principles of SEC in a form that is slightly different from the presentation in [17]. To suit our needs, we here describe SEC in terms of invertible functions giving the slices and the estimators—the invertibility property will be required when we generalize SEC to entanglement purification. Also, from the generality of [17], two parameters are fixed here: Binary error correction is operated by sending syndromes of classical linear error-correcting codes (ECC), and we momentarily restrict ourselves to the case of scalar values.

Suppose Alice and Bob have l pairs of correlated random variables (X₁,X₁^′),…,(X_l,X_l^′), with X_i,X_i^′∈R, i=1…l, from which they intend to extract common bits.

First, Alice wishes to convert each of her variables X into m bits and thereby defines m binary functions: S₁(X),…,S_m(X). To make the mapping invertible, she also defines a function S^¯(X) such that mapping from X to the vector (S^¯(X),S_1…m(X)) is bijective. As a convention, the range of S^¯(X) is [0;1]. The mapping from R to [0;1]×{0,1}^m:

Concretely, the functions S_i(X) implicitly cut the real line into intervals (see [17] for more details), whereas S^¯(X) indicates where to find X within a given interval.

Then, we can assemble the bits produced by the l random variables X₁…X_l into m l-bit vectors. To each bit vector ("slice") S_i(X_1…l)=(S_i(X₁),…,S_i(X_l)), is associated an ECC that Alice and Bob agreed upon. To proceed with the correction, Alice sends the syndrome ξ_i^b=H_i^bS_i(X_1…l) to Bob over the public authenticated channel, where H_i^b is the l_i^b×l parity check matrix of the ECC associated to slice i. Alice also sends S^¯(X_1…l).

Bob would like to recover S_1…m(X_1…l) from his knowledge of X_1…l^′, ξ_1…m^b and S^¯(X_1…l). To do so, he also converts each of his variables X_1…l^′ into m bits, but he does so in a consecutive manner. He tries to produce bits that are best correlated to Alice's and takes advantage of the corrected bits of slices j<i before trying to estimate the bits of slice i. In particular, to produce bits that are best correlated to Alice's first slice S₁(X_1…l), he uses a function E₁(X^′,S^¯(X)), which gives his best estimate on Alice's corresponding bit S₁(X) given the known correlations between X and X^′. By applying the function E₁ on all the variables X_1…l^′ and S^¯(X_1…l), Bob is able to construct a string of l bits that is equal to Alice's up to some error rate e₁^b. Given the knowledge of ξ₁^b and assuming the adequacy of the ECC, Bob has enough information to determine S₁(X_1…l) with high probability. Then, for slice i>1, he estimates S_i(X_1…l) using the estimator function E_i(X^′,S^¯(X),β₁,…,β_i-1), where β_j is the random variable indicating Bob's knowledge of S_j(X), so that β_j=S_j(X) with arbitrarily high probability. (Note that the estimators can also be written as jointly working on l samples at once: E_i(X_1…l^′,S^¯(X_1…l),ξ₁^b,…,ξ_i-1^b), but we will preferably use the previous notation for its simplicity since, besides the ECC decoding, all the operations are done on each variable X or X^′ independently.)

We also need a supplementary function to ensure that the process on Bob's side is described using bijective functions: E^¯(X^′,S^¯(X),β₁,…,β_m) (or jointly E^¯(X_1…l^′,S^¯(X_1…l),ξ₁^b,…,ξ_m^b)). As a convention, the range of E^¯ is [0;1]. E^¯ is chosen so that the mapping E defined below is invertible,

Similarly to S, the functions E_1…m of E cut the real line into intervals. However, these intervals are adapted as a function of the information sent by Alice, so as to estimate Alice's bits more reliably. Like for S^¯, the function E^¯ indicates where to find X^′ within an interval.

The mapping S summarizes Alice's process of conversion of her real values X into m bits (plus a continuous component). The mapping E represents the bits (and a continuous component) produced by Bob from his real values X^′ and his knowledge of S^¯(X) and of the syndromes ξ_1…m^b. The bits produced by the functions E_i are not yet corrected by the ECC, even though they take as input the corrected values of the previous slices S_j(X), j<i. The description of the mapping E with the bits prior to ECC correction allows us to easily express the bit error rate between Alice's slices and Bob's estimators and thereby to deduce the size of the parity matrices of the ECCs needed for the binary correction. Simply, we define e_i^b=Pr[S_i(X)≠E_i(X^′,S^¯(X),S_1…i-1(X))]. As the block size l→∞, there exist ECCs with size l_i^b→lh(e_i^b) and arbitrarily low probability of decoding error. The number of common (but not necessarily secret) bits produced by SEC is therefore asymptotically equal to H(S_1…m(X))-∑_i=1^mh(e_i^b) per sample [17].

The generalization of the SEC to a quantum entanglement purification protocol is examined next.

4.2 Quantum sliced error correction

From classical binary error correcting codes, one can construct CSS quantum codes and use them to extract EPR pairs from noisy qubit pairs. We will now show that, similarly, from SEC, it is possible to construct an encoding and decoding procedure, which when applied on entangled quantum oscillator systems, also allows to extract pure EPR pairs. Such a purification protocol is formal, as it would of course be very difficult to implement in practice.

The purification uses a few quantum registers, which we now list. Alice's system a₁ is split into m qubit systems s_1…m and a continuous register s^¯. On Bob's side, the system b is split into m qubit systems e_1…m and a continuous register e^¯. He also needs m qubit registers s_1…m^′ for temporary storage. All these registers must of course be understood per exchanged sample: As Alice generates l copies of the state |Ψ〉, the legitimate parties use l instances of the registers listed above.

The usual bit-flip and phase-flip operators X and Z, resp., can be defined as acting on a specific qubit register among the systems s_i and e_i. E.g., Z_{s_i} is defined as acting on s_i only. These operators are used by Alice and Bob to construct the CSS codes that produce entangled qubits, which are in turn used to produce EPR pairs in the registers s_ie_i for i=1…m. Since each CSS code operates in its own register pair, the action of one does not interfere with the action of the other. It is thus possible to extract more than one EPR pair |φ⁺〉 per state |Ψ〉. If asymptotically efficient binary codes are used, the rate or EPR pairs produced is R=∑_i(1-h(e_i^b)-h(e_i^p)), where e_i^b (resp. e_i^p) indicates the bit error rate (resp. the phase error rate) [13].

4.2.1 The mappings QS and QE

First, we define the unitary transformation QS: L²(R)→L²([0;1])⊗H^⊗m by its application on the basis of quadrature eigenstates:

For each slice i, Alice and Bob agree on a CSS code, defined by its parity matrices H_i^b for bit error correction and H_i^p for phase error correction. For the entanglement purification, let us assume that Alice computes the syndromes of the CSS code with a quantum circuit. For each slice, she produces l_i^b qubits in the state |ξ_i^b〉 and l_i^p qubits in the state |ξ_i^p〉 that she sends to Bob over a perfect quantum channel, so that the syndromes are received without any distortion. In the entanglement purification picture, the syndromes can be transmitted over a non-perfect channel if they are encoded using appropriate error correcting codes. Also, after reduction to a prepare-and-measure protocol, this perfect transmission is actually done over the public authenticated channel. Alice also sends the s^¯ system to Bob.

Then, the slice estimators are defined as the unitary transformation QE from L²([0;1])⊗H^⊗m⊗L²(R) to L²([0;1])⊗H^⊗m⊗H^⊗m⊗L²([0;1]):

Assume that Bob first calculates, using a quantum circuit, the first slice estimator (classically: E₁(X^′,S^¯(X))), which does not depend on any syndrome. That is, he applies the following mapping, defined on the bases of s^¯ and b: |s^¯〉_s^¯|x^′〉_b→|s^¯〉_s^¯|E₁(x^′,s^¯)〉_e₁|E^¯₁(x^′,s^¯)〉_e^¯₁ (up to normalization), where the function E^¯₁ is needed only to make the mapping unitary. From the l qubits in the l systems e₁ and the syndrome sent by Alice |ξ₁^b〉, there exists a quantum circuit that calculates the relative syndrome of Alice's and Bob's bits, that is a superposition of the classical quantities ξ₁^b⊕H₁^bE₁(X_1…l). From this, a quantum circuit calculates the coset leader of the syndrome, that is (a superposition of) the most probable difference vector between Alice's and Bob's qubits. An extra l-l₁^b blank qubits are needed for this operations; we assume they are all initialized to |0〉:

Following this approach for the next slices, we can define: |s^¯〉_s^¯|s₁〉_s₁^′|E₁(x^′,s^¯)〉_e₁|E^¯₁(x^′,s^¯)〉_e^¯₁→|s^¯〉_s^¯|s₁〉_s₁^′|E₁(x^′,s^¯)〉_e₁|E₂(x^′,s^¯,s₁)_e₂|E^¯₂(x^′,s^¯,s₁)〉_e^¯₂, and reasonably assume that the bit value given in s₁^′ is equal to Alice's S₁(X). This reasoning can be applied iteratively, so as to fill the system s_1…m^′ with all the corrected bit values, and with an extra step to set E^¯(x^′,s^¯,s_1…m) in e^¯.

As a last step, Bob can revert the ECC decoding operations and come back to the situation where he has blank qubits in s_1…m^′ as depicted in Fig. 4.2.

Finally, the qubits produced by QE can be transformed into EPR pairs using the CSS codes and the syndromes Alice sent to Bob.

4.2.2 Phase coherence

Neither the unitary transformation QS nor QE take into account the modulation of the coherent state in the p-quadrature. By ignoring what happens in the a₂ system of Eq. (2.3), the reduced system ρ_a₁b lacks phase coherence:

Actually, we could formally include this a₂-dependent operation in the QE mapping, by adding |p〉_a₂ to its input and output (unmodified) and by multiplying by a factor of the form e^{ix^′p/4N₀} in Eq. (4.4), with N₀ the vacuum fluctuations. For notation simplicity, however, we mention it here without explicitly writing it.

Also, for the simplicity of the notation in the next section, we can assume without loss of generality that the coefficients of |Ψ〉 in the x-basis of b are real, after adjustment by Bob as a function of p.

4.2.3 Construction of S^¯ and E^¯

Let us now make explicit the construction of the functions S^¯ and E^¯. First assume, for simplicity, that we have only one slice (m=1)—for this we do not write the slice index as a subscript. The mapping has thus the following form:

Let us take some state ρ of the systems ss^¯ee^¯. In the entanglement purification picture, our goal is to be able to extract entangled pairs in the subsystem ρ_se=Tr_All∖{s,e}(ρ). We thus want ρ to be a product state of the form ρ_se⊗ρ_s^¯e^¯. If S^¯(X) contains information about S(X), or if E^¯(X^′,S^¯(X),S(X)) contains information about E(X^′,S^¯(X)), the subsystem ρ_se will not be pure. In the prepare-and-measure picture, information on S(X) in S^¯(X) will be known to Eve and therefore may not be considered as secure. Note that information in E^¯(…) is not disclosed, but since it is excluded from the subsystems from which we wish to extract entanglement (or secrecy), any correlation with e^¯ will reduce the number of entangled qubits (or secret bits); or stated otherwise, the calculated number of secret bits will be done as if E^¯(…) was public. As an extreme example, if S(X) and E(X^′,S^¯(X)) are perfectly correlated and if S(X) can be found directly as a function of S^¯(X), then ρ_se will be of the form ρ_se=p₀|00〉〈00|+p₁|11〉〈11|, which does not allow us to extract any EPR pairs, or equivalently, does not contain any secret information. Consequently, S^¯ and E^¯ should be as statistically independent as possible of S and E.

We define S^¯ and E^¯ as the following cumulative probability functions: S^¯(x)=Pr[X≤x|S(X)=S(x)] and E^¯(x^′,s^¯,s)=Pr[X^′≤x^′|S^¯(X)=s^¯,S(X)=s,E(X^′,s^¯)=E(x^′,s^¯)]. By definition, these functions are uniformly distributed between 0 and 1, independently of the other variables available to the party calculating it (Alice for S^¯ and Bob for E^¯). These functions also enjoy the property of making the subsystem ρ_se pure in absence of eavesdropping (i.e., when ρ is pure), indicating that this choice of S^¯ and E^¯ does not introduce more impurity in ρ_se than ρ already has.

When more than one slice is involved, the functions S^¯ and E^¯ are defined similarly:

5 The Attenuation Channel

We now apply the slicing construction and display some results on the rates one can achieve in an important practical case. These results serve as an example and do not imply an upper bound on the achievable rates or distances. Instead, they can be viewed as lower bounds on an achievable secure rate in the particular case of an attenuation channel with given losses. Stated otherwise, this section simulates the rates we would obtain in a real experiment where Alice and Bob would be connected by an attenuation channel. For more general properties of the construction, please refer to Sec. 6.

The purpose of this section is twofold. First, we wish to illustrate the idea of the previous section and show that it serves realistic practical purposes. Beyond the generality of the sliced error correction, its implementation may be easier than it first appears. Furthermore, the purification (resp. distillation) of more than one qubit (resp. bit) per sample is useful, as illustrated below.

Second, it is important to show that the construction works in a case as important as the attenuation channel. Clearly, requesting that a QKD protocol yields a non-zero secret key rate under all circumstances is unrealisitic—an eavesdropper can always block the entire communication. On the other hand, a QKD protocol that would always tell Alice and Bob that zero secure bits are available would be perfectly secure but obviously also completely useless. Of course, between these two extreme situations, the practical efficiency of a QKD protocol is thus important to consider.

The attenuation channel can be modeled as if Eve installed a beam-splitter in between two sections of a lossless line, sending vacuum at the second input. We here assume that Alice sends coherent states with a modulation variance of 31N₀, with N₀ the vacuum fluctuations, which gives Alice and Bob up to I(A;B)=2.5 common bits in absence of losses or noise. This matches the order of magnitude implemented in [7]. We define the slices S₁ and S₂ by dividing the real axis into four equiprobable intervals labeled by two bits, with S₁ representing the least significant bit and S₂ the most significant one. More precisely, S₁(x)=0 when x≤-τ or 0<x≤τ and S₁(x)=1 otherwise, with τ=√(2×31N₀)erf^-1(1/2), and S₂(x)=0 when x≤0 and S₂(x)=1 otherwise.

In this constructed example, we wish to calculate the theoretical secret key rate we would obtain in an identical setting. For various loss values, the secret key rates are evaluated by numerically calculating Tr((Z_{s_i}⊗Z_{e_i})ρ), to obtain the bit error rates of slices i=1,2 and Tr((X_{s_i}⊗X_{e_i})ρ) to obtain the phase error rates. Then, assuming asymptotically efficient binary codes, the rate is R=R₁+R₂=∑_i=1,2(1-h(e_i^b)-h(e_i^p)).

Figure 5.1: Error and EPR rates with two slices in an attenuation channel
	ρ₁	ρ₂
0.0dB	3.11%	5.33%	0.752	0.0000401	0.710%	0.938
0.4dB	3.77%	13.7%	0.193	0.0000782	28.6%	0.135
0.7dB	4.32%	20.0%	0.0204	0.000125	37.5%	0.0434
1.0dB	-	0.000194	42.3%	0.0147
1.4dB	-	0.000335	45.6%	0.00114

Using this two-slice construction, we were able to get the EPR rates described in Fig. 5.1. For the case with no losses, it is thus possible to distill R=0.752+0.938=1.69 EPR pairs per sample. Al

σ(x(s,s^¯))=	σ₀(s)(f₁(x(s,s^¯)))^-1,	(4.10a)
ε(s^¯,x^′(e,e^¯,s^¯),s)=	ε₀(e,s)(f₂(x(s,s^¯),x^′(e,e^¯,s^¯)))^-1,	(4.10b)

σ₀²(s)=	∫_x:S(x)=s\|f₁(x)\|²dx,	(4.11a)
ε₀²(e,s)=	∫_{x,x^′:S(x)=s,E(x^′,S^¯(x))=e}\|f₂(x,x^′)\|₂dxdx^′.	(4.11b)

	ρ₁			ρ₂
Losses	e₁^b	e₁^p	R₁	e₂^b	e₂^p	R₂
0.0dB	3.11%	5.33%	0.752	0.0000401	0.710%	0.938
0.4dB	3.77%	13.7%	0.193	0.0000782	28.6%	0.135
0.7dB	4.32%	20.0%	0.0204	0.000125	37.5%	0.0434
1.0dB	-			0.000194	42.3%	0.0147
1.4dB	-			0.000335	45.6%	0.00114