Quantum key distribution with simply characterized light sources

To guarantee the security of quantum key distribution (QKD), security proofs of QKD protocols have assumptions on the devices. Commonly used assumptions are, for example, each random bit information chosen by a sender to be precisely encoded on an optical emitted pulse and the photon-number probability distribution of the pulse to be exactly known. These typical assumptions imposed on light sources such as the above two are rather strong and would be hard to verify in practical QKD systems. The goal of the paper is to replace those strong assumptions on the light sources with weaker ones. In this paper, we adopt the differential-phase-shift (DPS) QKD protocol and drastically mitigate the requirements on light sources, while for the measurement unit, trusted and photon-number-resolving detectors are assumed. Specifically, we only assume the independence among emitted pulses, the independence of the vacuum emission probability from a chosen bit, and upper bounds on the tail distribution function of the total photon number in a single block of pulses for single, two and three photons. Remarkably, no other detailed characterizations, such as the amount of phase modulation, are required. Our security proof significantly relaxes demands for light sources, which paves a route to guarantee implementation security with simple verification of the devices.


Introduction
Quantum key distribution (QKD) holds promise for information-theoretically secure communication between two distant parties, Alice and Bob [1].Since QKD is a physical cryptography in which security is based on a mathematical model of the devices, several assumptions on Alice's light source and Bob's measurement unit have to be satisfied to guarantee the security.Any discrepancies between the device model and properties of the actual devices could be exploited to hack the implemented QKD systems.In fact, several experiments to crack implementation of QKD systems have been reported [2][3][4][5], which is a crucial threat for security of QKD, and therefore it is important to close the gap between theory and practice.
So far, tremendous efforts have been made to relax the demands for light sources (see e.g. a review article [6]).One possible approach to close the gap is to use device-independent (DI) QKD (see e.g.[7] and references therein).However, to share an almost maximally entangled state between distant Alice and Bob in order to violate the Bell inequality is not practical with current technology, which renders DI protocols impractical at present.On the other hand, as for the devicedependent QKD, the BB84 protocol [8] is one of the most investigated protocols, and its security assuming an ideal single-photon source [9][10][11] and an ideal phase randomized coherent-light source [12] were proved.The security proofs were generalized to accommodate dominant imperfections of the devices.For example, perfect phase randomization is relaxed to discrete phase randomization [13], inter-pulse intensity correlations be-tween neighboring pulses have been accommodated [14], and a perfectly symmetric encoding of random bit information is relaxed to asymmetric encoding with the losstolerant protocol [15,16].Another promising protocol is the round-robin differential phase shift (RRDPS) protocol [17].Its implementation security proof has been studied [18], which shows that the RRDPS protocol is robust against source flaws.However, the variable-delay interferometer used in this protocol is an obstacle to simple implementation.
In this paper, we adopt the differential-phase-shift (DPS) protocol [19] and drastically mitigate the demands for light sources, which is useful for simple characterization of the devices with quantified security.Our characterizations of light sources are based on the photon-number statistics of emitted pulses.Specifically, we suppose that the vacuum emission probability of each pulse is independent of a chosen bit, and an upper bound q n (for n ∈ {1, 2, 3}) on the probability that each block of pulses contains n or more photons.Here, these probabilities are the ones that would be obtained if we performed a photon number measurement, and we do not assume that the state is a classical mixture of Fock states.Remarkably, detailed characterizations of the source devices that were needed in previous security proofs of DPS protocol [20,21] and the original DPS protocol [19], such as the precise control of phase modulations, complete knowledge of the photon-number probability distribution, block-wise phase randomization, and a single-mode assumption on the emitted pulse are not necessary.

Results
Assumptions on the devices.Before describing the protocol, we summarize the assumptions we make on the source and the receiver.First, we list up the assumptions on Alice's source as follows.In this paper, for simplicity of the security analysis, we consider the case where Alice employs three pulses contained in a single-block.
(A1) Alice chooses a random three-bit sequence b and b A i is encoded only on the i th pulse in system S i .Depending on the chosen b A , Alice prepares a following three-pulse state in system S := S 1 S 2 S 3 : Here, ρb A i Si denotes a density operator of the i th pulse when b A i is chosen.We suppose that each system R i that purifies each of the state ρb A i Si is possessed by Alice, and Eve does not have access to system R i .(A2) The vacuum emission probability of the i th pulse is independent of the chosen bit b A i .That is, we require that the following equality holds for any i: where |vac is the vacuum state.(A3) For any chosen bit sequence b A , the probability that a single-block of pulses contains n (with n ∈ {1, 2, 3}) or more photons is upper-bounded by q n .That is, where n block denotes the number of photons contained in a single-block1 .By using a calibration method based on a conventional Hanbury-Brown-Twiss setup with threshold photon detectors [22], Alice can verify {q n } 3 n=1 before running the protocol.If {q n } 3 n=1 are estimated from such an off-line test, we need to assume that these bounds do not change during the on-line experiment.
We emphasize that for the security proof, we do not make any assumptions on phase modulations.That is, the precise control over the phase modulation and its characterization are not needed.We also emphasize that we do not make the single-mode assumption on the pulses, and the optical mode of the emitted pulse can depend on the bit b A i .This includes, for example, the case where the state of the pulse when b A i = 0 (1) is horizontal (vertical) polarization state.Our framework covers the original DPS protocol [19] using coherent states {|α , | − α }.In this case, q n in Eq. ( 3) is obtained through a priori Poissonian assumption.We note that the previous security proofs [20,21] of the DPS protocol have assumed ideally phase modulated single-mode coherent states {|α , | − α } with block-wise phase randomization, which is removed in our analysis.
Next, we list up the assumptions on Bob's measurement as follows.
(B1) Bob uses a one-bit delay Mach-Zehnder interferometer with two 50:50 beam splitters (BSs) and with its delay being equal to the interval of the neighboring emitted pulses.(B2) After the interferometer, the pulses are detected by two photon-number-resolving (PNR) detectors, which can discriminate the vacuum, a singlephoton, and two or more photons of a specific optical mode.A click event of each detector corresponds to bit values of 0 and 1, respectively.We suppose that the quantum efficiencies and dark countings are the same for both detectors.
In Bob's measurement, the j th (1 ≤ j ≤ 2) time slot is defined as an expected detection time at Bob's detectors from the superposition of the j th and (j + 1) th incoming pulses.Also, the 0 th (3 rd ) time slot is defined as an expected detection time at Bob's detectors from the superposition of the 1 st (3 rd ) incoming pulse and the 3 rd incoming pulse in the previous block (1 st incoming pulse in the next block).

Protocol.
The protocol runs as follows.
In its description, |κ| denotes the length of a bit sequence κ.Fig. 1 depicts a protocol with a coherent laser source, which is one possible implementation within our security framework.
(P1) Alice chooses a random three-bit sequence b A and sends three pulses in a state ρ b A S to Bob via a quantum channel.(P2) Bob receives an incoming three pulses and puts them into the Mach-Zehnder interferometer followed by photon detection by using the PNR detectors.We call the event detected if Bob detects exactly one photon in total among the 1 st and 2 nd time slots.The detection event at the j th (1 ≤ j ≤ 2) time slot determines the raw key bit k B ∈ {0, 1}.If Bob does not obtain the detected event, Alice and Bob skip steps (P3) and (P4) below.(P3) Bob announces the detected time slot j over an authenticated public channel.FIG.1: One possible implementation of the protocol within our security framework.At Alice's site, coherent laser pulse trains are generated by a conventional laser source followed by the phase modulator (PM) that randomly modulates a phase 0 or π.At Bob's site, each pulse train is fed to a onebit delay Mach-Zehnder interferometer with two 50:50 beam splitters (BSs).The pulse trains leaving the interferometer are measured by two photon-number-resolving (PNR) detectors corresponding to bit values "0" and "1".A successful detection event occurs if Bob detects a single-photon in total among the 1 st and 2 nd time slots.We emphasize that the use of a coherent laser source and precise control over PM are one of the examples of the implementations, and we can use any source as long as it satisfies assumptions (A1)-(A3).In this paper, we only consider the secret key rate in the asymptotic limit of an infinite sifted key length.We consider the limit of N em → ∞ while the following observed parameters are fixed:

(P4) Alice calculates her raw key bit k
Security proof.Here, we summarize the security proof of the actual protocol described above and determine the fraction of privacy amplification f PA in the asymptotic limit.The proof is detailed in Methods section.Our proof is based on the security proof [21] of the DPS protocol with block-wise phase randomization that employs complementarity [23].A major difference between our proof and the previous proof [21] is that we do not assume block-wise phase randomization.If block-wise phase randomization is performed, the state of each single-block can be seen as a classical mixture of the total photon number state.This phase randomization simplifies the security proof because the amount of privacy amplification |κ A |f PA can be estimated separately for each photon number emission.However, under our assumptions (A1)-(A3), a phase coherence generally exists among blocks, and the state of each single-block cannot be regarded as a classical mixture of photon number states.Therefore, we need to take into account this phase coherence in proving the security.In our security proof, the central task is to derive the information increase due to this phase coherence among the blocks.
For the security proof with complementarity, we consider alternative procedures for Alice's state preparation in step (P1) and the calculation of her raw key bit k A in step (P4).We can employ these alternative procedures to prove the security of the actual protocol because Alice's procedure of sending optical pulses, and producing the final key is identical to the actual protocol.Also, Bob's procedure of receiving the pulses and making his public announcement j (for each round) in the actual protocol is identical to the corresponding procedure in the alternative protocol.
As for Alice's state preparation in step (P1), she alternatively prepares three auxiliary qubits in system A 1 A 2 A 3 , which remain at Alice's site during the whole protocol, and the three pulses (system S) to be sent, in the following state: Here, Ĥ := 1/ √ 2 x,y=0,1 (−1) xy |x y| is the Hadamard operator, and Si .Note from the assumption (A1) that system R i is assumed to be possessed by Alice.
As for the calculation of the raw key bit k A in step (P4), this bit can be alternatively extracted by applying the controlled-not (CNOT) gate on the j th and (j + 1) th auxiliary qubits with the j th one being the control and the (j + 1) th one being the target followed by measuring the j th auxiliary qubit in the X-basis.Here, we define the Z-basis states for the j th auxiliary qubit as {|0 Aj , |1 Aj }, and the CNOT gate Û (j) CNOT is defined on this basis by Û (j) CNOT |x Aj |y Aj+1 = |x Aj |x+y mod2 Aj+1 with x, y ∈ {0, 1}.Also, the X-basis states are defined as In order to discuss the security of the key κ A , we consider a virtual scenario of how well Alice can predict the outcome of the measurement complementary to the one to obtain k A .In particular, we take the Z-basis measurement as the complementary basis, and we need to quantify how well Alice can predict its outcome z j ∈ {0, 1} on the j th auxiliary qubit.To enhance the accuracy of her estimation, Alice measures the (j + 1) th auxiliary qubit in the Z-basis after performing Û (j) CNOT on the j th and (j + 1) th auxiliary qubits.As for Bob, instead of aiming at learning κ A , he tries to guess the complementary observable z j to help Alice's prediction.More specifically, Bob performs a virual measurement to learn which of the j th or (j + 1) th half pulse has a single-photon, whose information is sent to Alice.We define the occurrence of phase error to be the case where Alice fails her prediction of the complementary measurement outcome z j (see Eq. ( 20) for the explicit formula of the POVM element of obtaining a phase error).Let N ph denote the number of phase errors, namely, the number of wrong predictions of z j among |κ A | trials.Suppose that the upper bound f (ω obs ) on the number of phase errors is estimated as a function of ω obs which denotes all the experimentally available parameters Q, e bit in Eq. ( 4) and {q n } 3 n=1 in Eq. (3).In the asymptotic limit considered here, a sufficient amount of privacy amplification is given by [23] where h(x) is defined as h(x) = −x log 2 x−(1−x) log 2 (1− x) for 0 ≤ x ≤ 0.5 and h(x) = 1 for x > 0.5.Then, the secret key rate (per pulse) is given by The quantity e U ph := f (ω obs )/|κ A | in Eq. ( 7) is the upper bound on the phase error rate e ph := N ph /|κ A |. Our main result, Theorem 1, derives e U ph with experimentally available parameters Q, e bit and {q n } 3 n=1 (see Methods section for the proof).Theorem 1 In the asymptotic limit of large key length |κ A |, the upper bound on the phase error rate is given by From this theorem and Eq. ( 7), the scaling of the key rate R with respect to the channel transmission η is estimated.
If the protocol is implemented by a weak coherent laser pulse as a light source with its mean photon number µ, the detection rate Q is in the order of O(µη) and both √ q 1 q 3 and q 2 are in the order of O(µ 2 ).To obtain a positive secret key rate, the upper bound on the phase error rate must be smaller than 0.5: To maximize the key rate under this constraint, µ is decreased in proportion to η.Therefore, we find that the scaling of the key rate is in the order of Simulation of secure key rates.We show the simulation results of asymptotic key rate R per pulse given by Eq. ( 7) as a function of the overall channel transmission η (including detector efficiency).For simplicity of the simulation, we assume that each emitted pulse is a coherent pulse from a conventional laser with mean photon number µ.In this setting, q n in Eq. ( 3) is given by We adopt f EC = h(e bit ) and suppose the detection rate as Q = 2ηµe −2ηµ , where in the simulation we omit the cost of random sampling as its cost is negligible in the asymptotic limit.In Fig. 2, we plot the key rates for e bit = 0.01, e bit = 0.02 and e bit = 0.03 (from top to bottom).The key rates are optimized over µ for each value of η.The optimized values of µ when e bit = 0.02 is about 7 × 10 −5 (with η = 10 −2 ) and about 7 × 10 −3 (with η = 1).From these lines, we see that all the key rates are proportional to η 2 .If we consider the overall channel transmission as η = 0.1 × 10 −0.5 /10 (with denoting the distance between Alice and Bob) and laser diodes operating at 1 GHz repetition rate, we can generate a secure key at a rate of 170 bits s −1 for a channel length of 50km and a bit error rate of 1%.

Discussion
In this paper, we have provided the informationtheoretic security proof of the DPS protocol based on simple source characterizations.Once one admits the commonly used assumption (A1) to be physically reasonable, our proof only requires the independence of the vacuum emission probability from a chosen bit, and the upper bounds {q n } 3 n=1 on the probabilities that a single-block contains at least n (n ∈ {1, 2, 3}) photons.Even with these experimentally simple assumptions, we demonstrated that we can generate a secret key at the rate of about 100 bits s −1 for inner-city QKD ( ∼ 50 km) given realistic bit error rate of 1% ∼ 3%.
We end with some open questions.
As for Alice's side, it is interesting to extend our security proof by relaxing the assumption (A2) to the case where the vacuum emission probability is different trρ 0 Si |vac vac| = trρ 1 Si |vac vac|, and Alice only knows the bounds on trρ 0 Si |vac vac| and trρ 1 Si |vac vac|.As for Bob's measurement unit, it is important to relax the assumption (B2) to allow the use of threshold detectors.

Methods
Outline.Here we prove our main result, Theorem 1. First, we introduce notations that we use in the following discussions.Second, we introduce the POVM (positive operator valued measure) elements corresponding to a bit and phase error.Third, we explain the relation between the Z-basis measurement outcome (z j ) on the auxiliary qubit system A j and the number of photons contained in the j th emitted pulse.Finally, we prove Theorem 1 by using two lemmas, Lemmas 1 and 2. We leave the proofs of Lemmas 1 and 2 to Appendixes A and B, respectively.
Notations.We first summarize the notations that we use in the following discussions: for a vector |ψ that is not necessarily normalized, and the Kronecker delta Furthermore, we introduce the Z-basis states of Alice's auxiliary qubit system A as Peven := P0 + P2 , POVM element for a detected event.We introduce POVM elements for Bob's procedure of determining the detected time slot j and the bit value k B .Based on the following procedure, Bob can determine whether the event is detected or not prior to determining j and k B .Bob sends the first pulse to the first BS in Fig. 1, and after the first pulse is split, one of the pulses goes to the long arm of the Mach-Zehnder interferometer, and we call it first half pulse.Bob keeps the second pulse as it is, and sends the third pulse to the first BS.After the third pulse is split at the first BS, one of the pulses goes to the short arm of the Mach-Zehnder interferometer (we call it the third half pulse).Bob then performs the quantum nondemolition (QND) measurement of the total photon number among the first half pulse, the third half pulse and the second pulse.The detected event is equivalent to an event where the QND measurement reveals exactly one photon.If the detected event occurs, the state of the three pulses after the QND measurement is in the subspace spanned by the orthonormal basis {|i B } 3 i=1 with i representing the position of the single-photon (at the half pulse when i = 1, 3 and at the original pulse when i = 2).Given the detection, the POVM elements { Πj,k B } j,k B for detecting the bit k B at the j th time slot (1 ≤ j ≤ 2) is given by with where w 1 = w 3 = 1 and w 2 = 1/2.
Bit-and phase-error POVM elements.Here, we construct the bit-and phase-error POVM elements êbit and êph , respectively.Alice and Bob measure their systems A and B just after the QND measurement reveals exactly one photon to learn whether a bit error or phase error exists.Importantly, these POVM elements are defined only on Alice's auxiliary qubit system A and Bob's system B, and the assumptions on the encoded states in system S do not come into their description.Therefore, even if the assumptions on Alice's emitted states are different from those in the security proof [21] of the DPS protocol with block-wise phase randomization, the same formulas of the bit-and phase-error POVM elements in [21] can be used.Here, we only provide brief explanations of how to construct êbit and êph , and refer details to Ref. [21].First, we introduce the POVM element êj bit corresponding to announcing the j th time slot and the occurrence of a bit error.As a bit error occurs when k A (Alice's X-basis measurement outcome of the j th auxiliary qubit after performing Û (j) CNOT on the j th and (j + 1) th ones) and Bob's measurement outcome k B are different, êj bit is given by Here and henceforth, we omit identity operators on subsystems, such as those for Alice's irrelevant auxiliary qubits in the above equation.Eq. ( 17) is re-expressed as This equation shows that there are no cross terms between even parity terms (|z j z j+1 Aj Aj+1 with z j + z j+1 is even) and odd parity terms (|z j z j+1 Aj Aj+1 with z j +z j+1 is odd).Therefore, we have This equation can be derived more intuitively.The parity of wt(z) can be determined by measuring the auxiliary qubits in the Z-basis except for the j th one after performing Û (j) CNOT on the j th and (j + 1) th qubits.This implies that the measurement { Peven , Podd } and êj bit commute, and hence we obtain Eq. (19).Eq. ( 19) plays an important role in proving Theorem 1.
Second, we introduce the POVM element êj ph corresponding to announcing the j th time slot and the occurrence of a phase error.A phase error event is defined as an event where Alice fails her prediction of the Z-basis measurement outcome z j on the j th auxiliary qubit.To enhance the accuracy of her estimation, she measures the (j + 1) th auxiliary qubit in the Z basis (with z j+1 denoting its result) after performing Û (j) CNOT , and Bob measures system B to learn which of the j th or (j + 1) th pulse has a single-photon.With the help of information of z j+1 and Bob's information, Alice adopts the following strategy for predicting z j .As for the case of z j+1 = 1, if Bob reveals that the j th [(j + 1) th ] pulse has a singlephoton, Alice predicts z j = 1 [z j = 0].On the other hand, if z j+1 = 0, Alice predicts z j = 0 regardless of Bob's information.The phase error event is defined as an instance of a wrong prediction of z j , and the POVM element corresponding to announcing the j th time slot and the occurrence of a phase error is represented by Since êj ph is diagonal in the basis |z A , we have Then, by taking the sum over all the time slots, we obtain the bit and phase error operators as êbit := It follows that the probability of having a bit error is given by trσê bit , and the one of having a phase error is trσê ph .Here, σ denotes a state of Alice and Bob's systems A and B just after the QND measurement reveals exactly one photon.
Relation between wt(z) and n block .Here, we derive the relation between wt(z) and n block .For this, we first derive the number of photons (n j ) contained in system S j when z j = 1.Recall that the assumption (A2) guarantees that trρ 0 Sj |vac vac| = trρ 1 Sj |vac vac| =: P vac j .From this assumption, by expanding the orthonormal basis of S j with the photon number states, |ψ 0 Sj Rj (a purification of ρ0 Sj ) and |ψ 1 Sj Rj (a purification of ρ1 Sj ) can be written as Here, |u 0 , |u 1 , |v 0 and |v 1 are normalized vectors of system R j , and Since a purification has a freedom of choosing a unitary operator Û on system R j , the following state |ψ 1 Sj Rj is also a purification of ρ1 Sj : In the following discussions, Û is chosen such that Û |v 0 = |u 0 holds.Note from Eq. ( 5) that if z j = 1, the j th state can be written as This equation means that if z j = 1, the state in system S j contains at least one photon.That is, Therefore, we obtain and from Eq. ( 3), the following inequality holds Proof of Theorem 1.Here, we prove Theorem 1 in the main text.For this, we first find an upper-bound on the phase error probability trê ph σ in terms of the bit error probability trê bit σ, which holds for any state σ.According to Eq. ( 20 With the relation between the bit and phase error probabilities, the next step is to derive an upper bound on the number of phase errors with experimentally available data.For this, we use Azuma's inequality [24] to achieve this goal.Suppose that there are N det detected systems AB, and Alice and Bob sequentially measure each detected state in order.Let us consider the following specific way for choosing the sampled bits among the detected events; Alice probabilistically associates each detected event with a sample pair with probability 1 − t or a code pair with probability t, where 0 < t < 1.The sample pairs are employed for random sampling to obtain e bit whereas the code pairs are for distilling secret key.For each code (sample) pair, Alice and Bob measure their systems to learn whether a phase (bit) error occurs or not.If a code (sample) pair entails a phase (bit) error, we call such an event "ph" ("bit"), otherwise we call "ph" ("bit").Also, for each code pair, Alice measures her system A in the Z-basis to obtain the outcome wt(z) = a ∈ {0, 1, 2, 3}.Such simulataneous measurements are allowed because [ê ph , Pa ] = 0 holds for any a (0 ≤ a ≤ 3).In this stochastic trial, the set of the measurement outcomes for each detected event is given by S := {bit, bit} ∪ ( Next, let us introduce various parameters that are needed in later discussions.The phase error rate in the code pair and the bit error rate in the sample pair are defined as where N code and N sample respectively denote the number of code and sample pairs.We define the number N l Ω of events that take Ω ∈ S among l trials as and the sum P l Ω of probabilities of obtaining Ω at the i th trial conditioned on the previous outcomes {ξ k } i−1 k=0 with ξ 0 being constant as We can show that the sequence of random variables {X 0 γ , ..., X N det γ } (with γ ∈ {ph, bit, a}), which are defined as and X 0 γ := 0, satisfies the Martingale condition with respect to random variables {ξ 0 , ξ 1 , ..., ξ Here, E[X|Y ] denotes the expectation of X conditioned on Y .Also, {X 0 γ , ..., X  Here and henceforth, we consider the limit of large N det and neglect ζ.In this asymptotic limit, as N code → tN det and N sample → (1 − t)N det in Eq. (34), we obtain e ph ≤ λe bit + 1 t The last task for deriving the upper bound on e ph is to upper-bound Ñ N det a≥n with experimentally available data.In so doing, in addition to the detected instances, we assume that Alice and Bob randomly associate each of the non-detected instances with a code instance with probability t or a sample instance with probability 1 − t.Then, we have that the the number Ñ N det a≥n of obtaining the outcome a ≥ n among the detected instances can never be larger than the one M Nem a≥n among the emitted code blocks.Since the probability of obtaining a code pair and the outcome a ≥ n when Alice emits the i th block is upperbounded by q n according to Eq. (29), we can imagine independent trials with probability q n .Therefore, we can use Chernoff bound and obtain When the number N em of emitted blocks gets larger for any fixed χ > 0, the probability of violating this inequality decreases exponentially.In the condition of asymptotic limit of N em , we neglect χ in the following discussions.By substituting Eq. (44) to Eq. ( 43), we finally obtain This ends the proof of Theorem 1.
) Alice and Bob repeat (P1)-(P4) N em times.(P6) Alice randomly selects a small portion of her raw key for random sampling.Over the authenticated public channel, Alice and Bob compare the bit values for random sampling and obtain the bit error rate e bit among the sampled bits.This gives the estimate of the bit error rate in the remaining portion.(P7) Alice and Bob respectively define their sifted keys κ A and κ B by concatenating their remaining raw keys.(P8) Bob corrects the bit errors in κ B to make it coincide with κ A by sacrificing |κ A |f EC bits of encrypted public communication from Alice by consuming the same length of a pre-shared secret key.(P9) Alice and Bob conduct privacy amplification by shortening their keys by |κ A |f PA to obtain the final keys.

FIG. 2 :
FIG. 2:Secure key rate R per pulse as a function of the overall channel transmission η.The top, the middle and the bottom lines respectively represent the key rates for e bit = 0.01, e bit = 0.02 and e bit = 0.03.
) with z = z 1 z 2 z 3 and z i ∈ {0, 1}, and wt(z) denotes the Hamming weight of a bit string z.Let us define the projectors Pa (with 0 ≤ a ≤ 3), Peven and Podd as Pa := z:wt(z)=a P [|z A ],

Ñ N det ph := 3 a=0
N N det ph∧a and Ñ N det a := N N det ph∧a + N N det ph∧a .When N det gets larger with any fixed ζ > 0, the probability of violating Eq. (42) decreases exponentially.