Abstract
Despite enormous theoretical and experimental progress in quantum cryptography, the security of most current implementations of quantum key distribution is still not rigorously established. One significant problem is that the security of the final key strongly depends on the number, M, of signals exchanged between the legitimate parties. Yet, existing security proofs are often only valid asymptotically, for unrealistically large values of M. Another challenge is that most security proofs are very sensitive to small differences between the physical devices used by the protocol and the theoretical model used to describe them. Here we show that these gaps between theory and experiment can be simultaneously overcome by using a recently developed proof technique based on the uncertainty relation for smooth entropies.
Similar content being viewed by others
Introduction
Quantum Key Distribution (QKD), invented by Bennett and Brassard1 and by Ekert2, can be considered the first application of quantum information science, and commercial products have already become available. Accordingly, QKD has been an object of intensive study over the past few years. On the theory side, the security of several variants of QKD protocols against general attacks has been proved3,4,5,6,7,8. At the same time, experimental techniques have reached a state of development that enables key distribution at MHz rates over distances of 100 km (refs 9, 10, 11).
Despite these developments, there is still a large gap between theory and practice, in the sense that the security claims are based on assumptions that are not (or cannot be) met by experimental implementations. For example, the proofs often rely on theoretical models of the devices (such as photon sources and detectors) that do not take into account experimentally unavoidable imperfections (ref. 12 for a discussion). In this work, we consider 'prepare-and-measure' quantum key distribution protocols, like the original Bennett–Brassard 1984 (BB84) protocol1. Here one party prepares quantum systems (for example, the polarization degrees of freedom of photons) and sends them through an insecure quantum channel to another party who then measures the systems. To analyse the security of such protocols, the physical devices used by both parties to prepare and measure quantum systems are replaced by theoretical device models. The goal, from a theory perspective, is to make these theoretical models as general as possible so that they can accommodate imperfect physical devices independently of their actual implementation. (This approach, in the context of 'entanglement-based' protocols, also led to the development of device-independent quantum cryptography; refs 13, 14 for recent results.)
Another weakness of many security proofs is the asymptotic resource assumption, that is, the assumption that an arbitrarily large number M of signals can be exchanged between the legitimate parties and used for the computation of the final key. This assumption is quite common in the literature, and security proofs are usually only valid asymptotically as M tends to infinity. However, the asymptotic resource assumption cannot be met by practical realizations; in fact, the key is often computed from a relatively small number of signals (M<<106). This problem has recently received increased attention and explicit bounds on the number of signals required to guarantee security have been derived15,16,17,18,19,20,21.
In this work, we apply a novel proof technique22 that allows us to overcome the above difficulties. In particular, we derive almost tight bounds on the minimum value M required to achieve a given level of security. The technique is based on an entropic formulation of the uncertainty relation23 or, more precisely, its generalization to smooth entropies22. Compared with preexisting methods, our technique is rather direct. It therefore avoids various estimates, including the de Finetti theorem24 and the Post-selection technique25, that have previously led to too pessimistic bounds. Roughly speaking, our result is a lower bound on the achievable key rate which deviates from the asymptotic result (where M is infinitely large) only by terms that are caused by, probably unavoidable, statistical fluctuations in the parameter estimation step. Moreover, we believe that the theoretical device model used for our security analysis is as general as possible for protocols of the prepare-and-measure type.
Results
Security definitions
We follow the discussion of composable security in ref. 26 and first take an abstract view on QKD protocols. A QKD protocol describes the interaction between two players, Alice and Bob. Both players can generate fresh randomness and have access to an insecure quantum channel as well as an authenticated (but otherwise insecure) classical channel. (Using an authentication protocol, any insecure channel can be turned into an authentic channel. The authentication protocol will, however, use some key material, as discussed in ref. 27.)
The QKD protocol outputs a key, S, on Alice's side and an estimate of that key, Ŝ, on Bob's side. This key is usually an -bit string, where depends on the noise level of the channel, as well as the security and correctness requirements on the protocol. The protocol may also abort, in which case we set
In the following, we define what it means for a QKD protocol to be 'secure'. Roughly speaking, the protocol has to, approximately, satisfy two criteria called 'correctness' and 'secrecy'. These criteria are conditions on the probability distribution of the protocol output S and Ŝ as well as the information leaked to an adversary E in general. These depend on the attack strategy of the adversary, who is assumed to have full control over the quantum channel connecting Alice and Bob, and has access to all messages sent over the authenticated classical channel.
A QKD protocol is called 'correct', if, for any strategy of the adversary, Ŝ = S. It is called ɛcor-correct, if it is ɛcor-indistinguishable from a correct protocol. In particular, a protocol is ɛcor-correct, if
To define the secrecy of a key, we consider the quantum state ρSE that describes the correlation between Alice's classical key S and the eavesdropper, E (for any given attack strategy). A key is called Δ-secret from E if it is Δ-close to a uniformly distributed key that is uncorrelated with the eavesdropper, that is, if
where ωS denotes the fully mixed state on S. For a motivation and discussion of this particular secrecy criterion (in particular the choice of the norm) we refer to ref. 28.
A QKD protocol is called secret, if, for any attack strategy, Δ=0 whenever the protocol outputs a key. It is called ɛsec-secret, if it is ɛsec-indistinguishable from a secret protocol. In particular, a protocol is ɛsec-secret, if it outputs Δ-secure keys with (1−pabort)Δ≤ɛsec, where pabort is the probability that the protocol aborts. (To see that this suffices to ensure ɛsec-indistinguishability, note that the secrecy condition is trivially fulfilled if the protocol aborts.)
In some applications, it is reasonable to consider correctness and secrecy of protocols separately, because there may be different requirements on the correctness of the key (that is, that Bob's key agrees with Alice's, implying that messages encrypted by Alice are correctly decrypted by Bob) and secrecy. In fact, in many realistic applications, an incorrect decoding of the transmitted data would be detected so that the data can be resent. For such applications, ɛcor may be chosen larger than ɛsec.
However, secrecy of the protocol alone as defined above does not ensure that Bob's key is secret from the eavesdropper as well. One is thus often only interested in the overall security of the protocol (which automatically implies secrecy of Bob's key).
A QKD protocol is called secure if it is correct and secret. It is called ɛ-secure if it is ɛ-indistinguishable from a secure protocol. In particular, a protocol is ɛ-secure, if it is ɛcor-correct and ɛsec-secret with ɛcor+ɛsec≤ɛ.
Finally, the robustness, ɛrob, is the probability that the protocol aborts even though the eavesdropper is inactive. (More precisely, one assumes a certain channel model that corresponds to the characteristics of the channel in the absence of an adversary. For protocols based on qubits, the standard channel model used in the literature is the depolarizing channel. We also chose this channel model for our analysis in the Discussion section, thus enabling a comparison to the existing results.) A trivial protocol that always aborts is secure according to the above definitions, and a robustness requirement is therefore necessary. In this work, we include the robustness ɛrob in our estimate for the expected key rate (when the eavesdropper is inactive) and then optimize over the protocol parameters to maximize this rate.
Device model
Recall that Alice and Bob are connected by an insecure quantum channel. On one side of this channel, Alice controls a device allowing her to prepare quantum states in two bases, and . In an optimal scenario, the prepared states are qubits and the two bases are diagonal, for example, ={|0〉,|1〉} and ={|+〉,|−〉} with More generally, we characterize the quality of a source by its 'preparation quality', q. The preparation quality, as we will see in the following,is the only device parameter relevant for our security analysis. It achieves its maximum of q=1, if the prepared states are qubits and the bases are diagonal, as in the example above. In the following, we discuss two possible deviations from a perfect source and how they can be characterized in terms of q.
First, if the prepared states are guaranteed to be qubits, we characterize the quality of Alice's device by the maximum fidelity it allows between states prepared in the basis and states prepared in the basis. Namely, we have q=−log max|〈ψx|ψz〉|2, where the maximization is over all states ψx and ψz prepared in the and basis, respectively. (In this work, log denotes the binary logarithm.) The maximum q=1 is achieved, if the basis states are prepared in diagonal bases, as is the case in the BB84 protocol.
In typical optical schemes, qubits are realized by polarization states of single photons. An ideal implementation therefore requires a single-photon source in Alice's laboratory. To take into account the sources that emit weak coherent light pulses instead, the analysis presented in this paper can be extended using photon tagging29 and decoy states30. This approach, although beyond the scope of the present article, can be incorporated into our finite-key analysis. (See also refs 31, 32, 33 for recent results on the finite-key analysis of such protocols.)
Second, consider a source that prepares states in the following way: the source produces two entangled particles and then sends out one of them while the other is measured in one of two bases. The choice of basis for the measurement decides whether the states are prepared in the or basis. Together with the measurement outcome, which is required to be uniformly random for use in our protocol, this determines which of the four states is prepared. For such a source, the preparation quality is given by , where {Mx} and {Nz} are the elements of the positive operator-valued measurements that are used to prepare the state in the and the basis, respectively. If the produced state is that of two fully entangled qubits and the measurements are projective measurements in diagonal bases, we recover BB84 and q=1 (ref. 34). Sources of this type have recently received increased attention as they can be used as heralded single photon sources35,36 and have applications in (device-independent) quantum cryptography37,38,39.
On the other side of the channel, Bob controls a device allowing him to measure quantum systems in two bases corresponding to and . We will derive security bounds that are valid independently of the actual implementation of this device as long as the following condition is satisfied: we require that the probability that a signal is detected in Bob's device is independent of the basis choices ( or ) by Alice and Bob. This assumption is necessary. In fact, if it is not satisfied (which is the case for some implementations), a loophole arises that can be used to eavesdrop on the key without being detected40. (Remarkably, this assumption can be enforced device-independently: Bob simply substitutes a random bit whenever his device fails to detect Alice's signal. If this is done, however, the expected error rate may increase significantly.)
Finally, we assume that it is theoretically possible to devise an apparatus for Bob which delays all the measurements in the -basis until after parameter estimation, but produces the exact same measurement statistics as the actual device he uses. This assumption is satisfied if Bob's actual measurement device is memoryless. (To see this, we could (in theory) equip such a device with perfect quantum memory that stores the received state until after the parameter estimation.) The assumption is already satisfied, if the measurement statistics are unaffected when the memory of the actual device is reset after each measurement. It is an open question whether this assumption can be further relaxed.
Protocol definition
We now define a family of protocols, Φ[n, k, , Qtol, ɛcor, leakEC], which is parametrized by the block size, n, the number of bits used for parameter estimation, k, the secret key length, , the channel error tolerance, Qtol, the required correctness, ɛcor, and the error correction leakage, leakEC. The protocol is asymmetric, so that the number of bits measured in the two bases (n bits in the basis and k bits in the basis) are not necessarily equal41.
These protocols are described in Box 1.
Security analysis
The following two statements constitute the main technical result of our paper, stating that the protocols described above are both ɛcor-correct and ɛsec-secure, if the secret key length is chosen appropriately. Correctness is guaranteed by the error-correction step of the protocol, where a hash of Alice's raw key is compared with the hash of its estimate on Bob's side. The following holds:
The protocols are ɛsec-secure if the length of the extracted secret key does not exceed a certain length. Asymptotically for large block sizes n, the reductions of the key length due to finite statistics and security parameters can be neglected, and a secret key of length max=n(q−h(Qtol))−leakEC can be extracted securely. Here h denotes the binary entropy function. Because our statistical sample is finite, we have to add to the tolerated channel noise a term that accounts for statistical fluctuations. Furthermore, the security parameters lead to a small reduction of the key rate logarithmic in ɛcor and ɛsec. The following holds:
The protocol Φ[n, k,, Qtol, ɛcor, leakEC] using a source with preparation quality q is ɛsec-secret if the secret key length satisfies
A sketch of the proof of these two statements follows in the methods section and a rigorous proof of slightly more general versions of the theorems presented above can be found in Supplementary Material 1.
Discussion
In this section, we discuss the asymptotic behaviour of our security bounds and compare numerical bounds on the key rate for a finite number of exchanged signals with previous results. For this purpose, we assume that the quantum channel, in the absence of an eavesdropper, can be described as a depolarizing channel with quantum bit error rate Q. (This assumption is not needed for the security analysis of the previous section.) The numerical results are computed for a perfect single-photon source, that is, q=1. Furthermore, finite detection efficiencies and channel losses are not factored into the key rates, that is, the expected secret key rate calculated here can be understood as the expected key length per detected signal.
The efficiency of a protocol Φ is characterized in terms of its expected secret key rate,
where M(n, k) is the expected number of qubits that need to be exchanged until n raw key bits and k bits for parameter estimation are gathered (see protocol description).
Before presenting numerical results for the optimal expected key rates for finite n, let us quickly discuss its asymptotic behaviour for arbitrarily large n. It is easy to verify that the key rate asymptotically reaches rmax(Q)=1−2h(Q) for arbitrary security bounds ɛ>0. To see this, error correction can be achieved with a leakage rate of h(Q) (for example, see ref. 42). Furthermore, if we choose, for instance, k proportional to the statistical deviation in equation (2), μ, vanishes and the ratio between the raw key length, n, and the expected number of exchanged qubits, M(n, k), approaches one as n tends to infinity, that is, n/M(n, k)→1. This asymptotic rate is optimal43. Finally, the deviations of the key length in equation (2) from its asymptotic limit can be explained as fluctuations that are due to the finiteness of the statistical samples we consider and the error bounds we chose. These terms are necessary for any finite-key analysis. In particular, one expects a statistical deviation μ that scales with the inverse of the square root of the sample size k as in equation (2) from any statistical estimation of the error rate. In this sense, our result is tight.
To obtain our results for finite block sizes n, we fix a security bound ɛ and define an optimized ɛ-secure protocol, Φ*[n, ɛ], that results from a maximization of the expected secret key rate over all ɛ-secure protocols with block size n. For the purpose of this optimization, we assume an error correction leakage of leakEC=ξnh(Qtol) with ξ=1.1. Moreover, we bound the robustness ɛrob by the probability that the measured security parameter exceeds Qtol, which (for depolarizing channels) decays exponentially in Qtol−Q. (For general quantum channels, the error rate in the and bases may be different. Hence, the error correction leakage is, in general, not a function of Qtol but of the expected error rate in the basis. Similarly, ɛrob generally is the sum of the robustness of parameter estimation as above and the robustness of the error correction scheme. In this discussion, the analysis is simplified as we consider a depolarizing channel, and, thus, the expected error rate is the same in both bases.)
In Fig. 1, we present the expected key rates r=r(Φ, Q) of the optimal protocols Φ*[n, ɛ] as a function of the block size n. These rates are given for a fixed value of the security rate , that is, the amount by which the security bound ɛ increases per generated key bit. (In other words, can be seen as the probability of key leakage per key bit.) The plot shows that significant key rates can be obtained already for n=104.
In Table 1, we provide selected numerical results for the optimal protocol parameters that correspond to block sizes n={104, 105, 106} and quantum bit error rates Q∈{1%, 2.5%}. These block sizes exemplify current hardware limitations in practical QKD systems.
In Fig. 2, we compare our optimal key rates with the maximal key rates that can be shown secure, using the finite key analysis of Scarani and Renner18. For comparison with previous work, we plot the rate ℓ/n, that is, the ratio between key length and block size, instead of the expected secret key rate as defined by equation (3). We show a major improvement in the minimum block size required to produce a provably secret key. The improvements are mainly due to a more direct evaluation of the smooth min-entropy via the entropic uncertainty relation and the use of statistics optimized specifically to the problem at hand (Supplementary Note 2).
In conclusion, this article gives tight finite-key bounds for secure quantum key distribution with an asymmetric BB84 protocol. Our novel proof technique, based on the uncertainty principle, offers a conceptual improvement over earlier proofs that relied on a tomography of the state shared between Alice and Bob. Most previous security proofs against general adversaries7,18,21,20, are arranged in two steps: An analysis of the security against adversaries restricted to collective attacks and a lifting of this argument to general attacks. The lifting is often possible without a significant loss in key rate using modern techniques24,25; hence, the main difference lies in the first part. In security proofs against collective attacks, Alice and Bob usually do tomography on their shared state, that is, they characterize the density matrix of their shared state. As the eavesdropper can be assumed to hold a purification of this state, it is then possible to bound the von Neumann entropy of the eavesdropper on Alice's measurement result. The min-entropy of the eavesdropper (which characterizes the probability of the eavesdropper guessing the secret key) is, in turn, bounded using the quantum asymptotic equipartition property7,44, introducing a penalty scaling with on the key rate. (A notable exception is20 where the min-entropy is bounded directly from the results of tomography.)
In contrast, our approach bounds the min-entropy directly and does not require us to do tomography on the state shared between Alice and Bob. In fact, we are only interested in one correlation (between Z and Z′) and, thus, our statistics can be produced more efficiently. (However, that this is also the reason why our approach does not reach the asymptotic key rate for the six-state protocol45. There, full tomography puts limits on Eve's information that go beyond the uncertainty relation in ref. 22.) Finally, as our considerations are rather general, we believe that they can be extended to other QKD protocols.
Methods
Correctness
The required correctness is ensured in the error-correction step of the protocol, when Alice and Bob compute a random hash function of their keys. If these hash values disagree, the protocol aborts and both players output empty keys (These keys are trivially correct.). Because arbitrary errors in the key will be detected with high probability when the hash values are compared46, we can guarantee that Alice's and Bob's secret keys are also the same with high probability.
Secrecy
To establish the secrecy of the protocols, we consider a gedankenexperiment in which Alice and Bob, after choosing a basis according to probabilities px and pz as usual, prepare and measure everything in the basis. We denote the bit strings of length n that replace the raw keys X and X′ in this hypothetical protocol as Z and Z′, respectively. The secrecy then follows from the fact that, if Alice has a choice of encoding a string of n uniform bits in either the or basis, the following holds: the better Bob is able to estimate Alice's string if she prepared in the Z basis, the worse Eve is able to guess Alice's string, if she prepared in the basis. This can be formally expressed in terms of an uncertainty relation for smooth entropies22,
where ɛ≥0 is called a smoothing parameter and q, as seen below, is the preparation quality defined previously. The smooth min-entropy, (X|E), introduced in ref. 7, characterizes the average probability that Eve guesses X correctly using her optimal strategy with access to the correlations stored in her quantum memory47. The smooth max-entropy, (Z|Z′), corresponds to the number of extra bits that are needed to reconstruct the value of Z using Z′ up to a failure probability48. For precise mathematical definitions of the smooth min- and max-entropy, we refer to ref. 49.
The sources we consider in this article are either (a) qubit sources or (b) sources that create BB84 states by measuring part of an entangled state. In case b), a comparison with ref. 22 reveals that the bound on the uncertainty is given by −log c, where c is the overlap of the two measurement employed in the source. For general positive operator-valued measurements, {Mx} for preparing in the basis and {Nz} for preparing in the basis, this overlap is given by . This justifies the definition of the preparation quality q=−log c for such sources. In case a), the preparation process can be purified into an entanglement-based one of the type above. To see this, simply consider a singlet state between two qubits and projective measurements on the first qubit. It is easy to verify that the overlap of the prepared states in the two bases is equal to the overlap of the two projective measurements used to prepare them. Hence, the preparation quality of this source is given by q=−log c, where c is the maximum overlap of the prepared states.
In the gedankenexperiment picture, the observed average error, λ, is calculated from k measurements sampled at random from n+k measurements in the basis. Hence, if λ is small, we deduce that, with high probability, Z and Z′ are highly correlated and, thus, (Z|Z′) is small. In fact, as the protocol aborts if λ exceeds Qtol, the following bound on the smooth max-entropy (conditioned on the correlation test passing) holds:
where μ takes into account statistical fluctuations and depends on the security parameter via Equation (5) is shown in Supplementary Note 2, using an upper bound by Serfling50 on the probability that the average error on the sample, λ, deviates by more than μ from the average error on the total string51.
In addition to the uncertainty relation, our analysis employs the Quantum Leftover Hash Lemma7,52, which gives a direct operational meaning to the smooth min-entropy. It asserts that, using a random universal2 hash function, it is possible to extract a Δ-secret key of length from X, where
Here E′ summarizes all information Eve learned about X during the protocol, including the classical communication sent by Alice and Bob over the authenticated channel. For the protocol discussed here, a maximum of leakEC+⌈log(1/ɛcor)⌉ bits of information about X are revealed to the eavesdropper during the protocol. Hence, using a chain rule for smooth min-entropies, we can relate the smooth min-entropy before the classical post-processing, (X|E), with the min-entropy before privacy amplification, (X|E′) as follows.
Collecting the bounds on the smooth entropies we got from the uncertainty relation, (4), and the parameter estimation, (5), we further find that
Combining this with the Quantum Leftover Hashing Lemma (6) and using the bound on the key length given in equation (2), we get
Finally, the protocol is ɛsec-secret, if we choose ɛ proportional to ɛsec and sufficiently small.
Additional information
How to cite this article: Tomamichel, M. et al. Tight finite-key analysis for quantum cryptography. Nat. Commun. 3:634 doi: 10.1038/ncomms1631 (2012).
References
Bennett, C. H. & Brassard, G. in Proc. IEEE Int. Conf. on Comp. Sys. and Signal Processing 175–179 (Bangalore, India, 1984).
Ekert, A. K. Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 661–663 (1991).
Lo, H.- K. & Chau, H. F. Unconditional security of quantum key distribution over arbitrarily long distances. Science 283, 2050–2056 (1999).
Shor, P. & Preskill, J. Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85, 441–444 (2000).
Biham, E., Boyer, M., Boykin, P. O., Mor, T. & Roychowdhury, V. A proof of the security of quantum key distribution. J. Cryptol. 19, 381–439 (2006).
Mayers, D. Unconditional security in quantum cryptography. J. ACM 48, 351–406 (2001).
Renner, R. Security of Quantum Key Distribution. PhD thesis, ETH Zurich. Preprint arXiv:0512258 (2005).
Renner, R., Gisin, N. & Kraus, B. Information-theoretic security proof for quantum-key-distribution protocols. Phys. Rev. A 72, 012332 (2005).
Takesue, H. et al. Quantum key distribution over 40 dB channel loss using superconducting single photon detectors. Nat. Photon. 1, 343–357 (2007).
Dixon, A. R., Yuan, Z. L., Dynes, J. F., Sharpe, A. W. & Shields, A. J. Gigahertz decoy quantum key distribution with 1 Mbit/s secure key rate. Opt. Express 16, 18790–18979 (2008).
Stucki, D. et al. High rate, long-distance quantum key distribution over 250 km of ultra low loss fibres. New J. Phys. 11, 75003 (2009).
Scarani, V. & Kurtsiefer, C. The black paper of quantum cryptography: real implementation problems. Preprint arXiv:0906.4547 (2009).
Hänggi, E. Device-Independent Quantum Key Distribution. PhD thesis, ETH Zurich. Preprint arXiv:1012.3878 (2010).
Masanes, L., Pironio, S. & Acín, A. Secure device-independent quantum key distribution with causally independent measurement devices. Nat. Commun. 2, 238 (2011).
Hayashi, M. Practical evaluation of security for quantum key distribution. Phys. Rev. A 74, 022307 (2006).
Meyer, T., Kampermann, H., Kleinmann, M. & Bruß, D. Finite key analysis for symmetric attacks in quantum key distribution. Phys. Rev. A 74, 042340 (2006).
Inamori, H., Lütkenhaus, N. & Mayers, D. Unconditional security of practical quantum key distribution. Eur. Phys. J. 41, 599–627 (2007).
Scarani, V. & Renner, R. Quantum cryptography with finite resources: unconditional security bound for discrete-variable protocols with one-way postprocessing. Phys. Rev. Lett. 100, 200501 (2008).
Bouman, N. & Fehr, S. Sampling in a quantum population, and applications. Preprint arXiv:0907.4246 (2009).
Bratzik, S., Mertz, M., Kampermann, H. & Bruß, D. Min-entropy and quantum key distribution: nonzero key rates for, small numbers of signals. Phys. Rev. A 83, 022330 (2011).
Sheridan, L., Le, T. P. & Scarani, V. Finite-key security against coherent attacks in quantum key distribution. New J. Phys. 12, 123019 (2010).
Tomamichel, M. & Renner, R. Uncertainty relation for smooth entropies. Phys. Rev. Lett. 106, 110506 (2011).
Berta, M., Christandl, M., Colbeck, R., Renes, J. M. & Renner, R. The uncertainty principle in the presence of quantum memory. Nature Phys. 6, 659–662 (2010).
Renner, R. Symmetry of large physical systems implies independence of subsystems. Nature Phys. 3, 645–649 (2007).
Christandl, M., König, R. & Renner, R. Postselection technique for quantum channels with applications to quantum cryptography. Phys. Rev. Lett. 102, 020504 (2009).
Canetti, R. in Proc. 42nd IEEE Symp. on Foundations of Computer Science 136–145 (2001).
Müller-Quade, J. & Renner, R. Composability in quantum cryptography. New J. Phys. 11, 085006 (2009).
König, R., Renner, R., Bariska, A. & Maurer, U. Small accessible quantum information does not imply security. Phys. Rev. Lett. 98, 140502 (2007).
Lütkenhaus, N. Security against individual attacks for realistic quantum key distribution. Phys. Rev. A 61, 052304 (2000).
Lo, H.- K., Ma, X. & Chen, K. Decoy state quantum key distribution. Phys. Rev. Lett. 94, 230504 (2005).
Hasegawa, J., Hayashi, M., Hiroshima, T. & Tomita, A. Security analysis of decoy state quantum key distribution incorporating finite statistics. Preprint arXiv:0707.3541 (2007).
Cai, R. Y. Q. & Scarani, V. Finite-key analysis for practical implementations of quantum key distribution. New J. Phys. 11, 045024 (2009).
Song, T.- T., Zhang, J., Qin, S.- J., Gao, F. & Wen, Q.- Y. Finite-key analysis for quantum key distribution with decoy states. Quant. Inf. Comput. 11, 0374–0389 (2011).
Bennett, C. H., Brassard, G. & Mermin, N. D. Quantum cryptography without Bell's theorem. Phys. Rev. Lett. 68, 557–559 (1992).
Pittman, T., Jacobs, B. & Franson, J. Heralding single photons from pulsed parametric down-conversion. Opt. Commun. 246, 545–550 (2005).
Xiang, G. Y., Ralph, T. C., Lund, A. P., Walk, N. & Pryde, G. J. Heralded noiseless linear amplification and distillation of entanglement. Nat. Photon. 4, 316–319 (2010).
Gisin, N., Pironio, S. & Sangouard, N. Proposal for implementing device-independent quantum key distribution based on a heralded qubit amplifier. Phys. Rev. Lett. 105, 070501 (2010).
Curty, M. & Moroder, T. Heralded-qubit amplifiers for practical device-independent quantum key distribution. Phys. Rev. A 84, 010304 (2011).
Pitkänen, D., Ma, X. F., Wickert, R., van Loock, P. & Lütkenhaus, N. Efficient heralding of photonic qubits with apllications to device independent quantum key distribution. Phys. Rev. A 84, 022325 (2011).
Lydersen, L. et al. Hacking commercial quantum cryptography systems by tailored bright illumination. Nat. Photon. 4, 686–689 (2010).
Lo, H.- K., Chau, H. & Ardehali, M. Efficient quantum key distribution scheme and a proof of its unconditional security. J. Cryptol. 18, 33–165 (2004).
Cover, T. M. & Thomas, J. A. Elements of Information Theory (Wiley, 1991).
Renner, R., Gisin, N. & Kraus, B. Information-theoretic security proof for quantum-key-distribution protocols. Phys. Rev. A 72, 012332 (2005).
Tomamichel, M., Colbeck, R. & Renner, R. A fully quantum asymptotic equipartition property. IEEE Trans. Inf. Theory 55, 5840–5847 (2009).
Bruß, D. Optimal eavesdropping in quantum cryptography with six states. Phys. Rev. Lett. 81, 3018–3021 (1998).
Carter, J. L. & Wegman, M. N. Universal classes of hash functions. J. Comp. Syst. Sci. 18, 143–154 (1979).
König, R., Renner, R. & Schaffner, C. The operational meaning of min- and max-entropy. IEEE Trans. Inf. Theory 55, 4337–4347 (2009).
Renes, J. M. & Renner, R. One-shot classical data compression with quantum side information and the distillation of common randomness or secret keys. Preprint arXiv:1008.0452 (2010).
Tomamichel, M., Colbeck, R. & Renner, R. Duality between smooth min- and max-entropies. IEEE Trans. Inf. Theory 54, 4674–4681 (2010).
Serfling, R. J. Probability inequalities for the sum in sampling without replacement. Ann. Statist. 2, 39–48 (1974).
van Lint, J. H. Introduction to Coding Theory (Graduate Texts in Mathematics) (Springer, 1999).
Tomamichel, M., Schaffner, C., Smith, A. & Renner, R. Leftover hashing against quantum side information. IEEE Trans. Inf. Theory 57, 5524–5535 (2011).
Bennett, C. H., Brassard, G., Crepeau, C. & Maurer, U. M. Generalized privacy amplification. IEEE Trans. Inf. Theory 41, 1915–1923 (1995).
Renner, R. & König, R. in Proc. TCC 3378 of LNCS (ed. Kilian, J.) 407–425 (Springer, Berlin/Heidelberg, Cambridge, USA, 2005).
De, A., Portmann, C., Vidick, T. & Renner, R. Trevisan's Extractor in the Presence of Quantum Side Information. Preprint arXiv:0912.5514 (2009).
Acknowledgements
We thank Silvestre Abruzzo, Normand Beaudry, Dagmar Bruss, Hermann Kampermann, Markus Mertz, Norbert Lütkenhaus, Christoph Pacher, Momtchil Peev, and Hugo Zbinden for valuable comments and stimulating discussions. We acknowledge support from the National Centre of Competence in Research QSIT, the Swiss NanoTera project QCRYPT, the Swiss National Science Foundation (grant no. 200021-119868), and the European Research Council (grant No. 258932 and No. 227656).
Author information
Authors and Affiliations
Contributions
The main ideas were developed by all authors. M.T. and R.R. formulated and proved the technical claims and wrote the manuscript. C.L. provided numerical simulations and contributed to the technical derivations and write-up.
Corresponding author
Ethics declarations
Competing interests
The authors declare no competing financial interests.
Supplementary information
Supplementary Information
Supplementary Notes S1-S2 (PDF 227 kb)
Rights and permissions
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/
About this article
Cite this article
Tomamichel, M., Lim, C., Gisin, N. et al. Tight finite-key analysis for quantum cryptography. Nat Commun 3, 634 (2012). https://doi.org/10.1038/ncomms1631
Received:
Accepted:
Published:
DOI: https://doi.org/10.1038/ncomms1631
This article is cited by
-
On the (relation between) efficiency and secret key rate of QKD
Scientific Reports (2024)
-
Practical, high-speed Gaussian coherent state continuous variable quantum key distribution with real-time parameter monitoring, optimised slicing, and post-processed key distillation
Scientific Reports (2023)
-
Atomically-thin single-photon sources for quantum communication
npj 2D Materials and Applications (2023)
-
Security of quantum key distribution from generalised entropy accumulation
Nature Communications (2023)
-
High-rate quantum key distribution exceeding 110 Mb s–1
Nature Photonics (2023)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.