1. Introduction
With the advent of the information age, the demand for secure communication is omnipresent. Classical cryptography protocols rely on computational difficulty to ensure security, but they are increasingly threatened by the progress of quantum algorithms and technology. Quantum key distribution (QKD), which operates based on the principles of quantum mechanics, offers a promising approach to achieve information-theoretical security in communication [1–3]. The BB84 protocol [4], proposed by Bennet and Brassard in 1984, is the most well-known QKD protocol. Since its inception, numerous experimental and theoretical studies have been conducted [5–17], greatly advancing the widespread adoption of QKD.
In practical applications, prepare-and-measure QKD protocols are commonly used, employing weak coherent states due to their ease of operation and moderate cost. However, weak pulse implementations are vulnerable to the photon number splitting (PNS) attack [18], where an eavesdropper can forward multiphoton components in pulses to the receiver while blocking the single photon. To counteract the PNS attack, two major solutions have been proposed. One is the decoy-state method [19–21], which aims to extract secure keys only from the single-photon component of the signals. The other is the SARG04 protocol, which is similar to the BB84 protocol, except for its classical sifting procedure. In the SARG04 protocol, a classical bit is encoded into a pair of non-orthogonal states from two or more suitable sets, making it impossible for eavesdroppers to perfectly discriminate between them [22]. It has been demonstrated that the SARG04 protocol is capable of extracting secure keys from multiphoton components [23–25]. Thus far, the SARG04 protocol has been extensively explored both theoretically and experimentally [26–30]. However, it is worth noting that most of the security and feasibility claims were obtained without considering the statistical fluctuations resulting from finite-key effects.
In practical quantum cryptography, the imperfections of devices can create vulnerabilities for potential eavesdroppers [3, 31–34]. One significant aspect to consider is the afterpulse effect in commonly used single-photon avalanche detectors [35–40]. This effect is a type of quantum noise that has been extensively studied within the context of quantum communication [35–40]. The afterpulse effect occurs when carriers trapped by defects and impurities in the multiplication layer are released [41]. The probability of afterpulses, denoted as Pap, depends on several conditions, such as the avalanche duration time, hold-off time and the lifetime of the de-trapped carriers. Recent investigations have extensively explored the impact of the afterpulse effect in various QKD systems, including BB84, reference-frame-independent and round-robin differential phase shift QKD systems [35, 40, 42]. This understanding is particularly crucial when employing the decoy-state method. Additionally, for practical QKD protocols, where finite-key effects cannot be neglected, the security bounds are highly sensitive to Pap [35].
In our research, we focus on providing rigorous security bounds for a practical decoy-state SARG04 protocol, taking into account the presence of the afterpulse effect. To achieve this, we employ a combination of the one-decoy method and a recently developed afterpulse model, which allows us to analyze the protocol using current implementations. The use of the one-decoy method simplifies the experimental steps by utilizing only one decoy state, making it easier to implement. By applying our realistic security bounds to a fiber-based model, we can evaluate the performance and effectiveness of the protocol.
2. Model for practical SARG04 protocol
First, let us introduce how the SARG04 protocol works. In the scheme there are four polarization quantum states: $\left|H\right\rangle ,\left|V\right\rangle ,\left|+\right\rangle =\tfrac{\left|H\right\rangle +\left|V\right\rangle }{\sqrt{2}}\ $ and $\ \left|-\right\rangle =\tfrac{\left|H\right\rangle -\left|V\right\rangle }{\sqrt{2}}$. The four states are then arranged into four sets, ($\left|H\right\rangle ,\left|+\right\rangle $), ($\left|H\right\rangle ,\left|-\right\rangle $), ($\left|V\right\rangle ,\left|+\right\rangle $) and ($\left|V\right\rangle ,\left|-\right\rangle $), where the first and second states of each set correspond to logic 0 and 1, respectively. The steps for the protocol are as follows. Alice sends a sequence of signals to Bob through the insecure channel, where each signal is randomly chosen from the four sets listed above. Then Bob randomly measures the signals using X ($\left|+\right\rangle ,\left|-\right\rangle $) or Z ($\left|H\right\rangle ,\left|V\right\rangle $) bases. If his detector fails to register a click, he broadcasts this information, and Alice and Bob discard the corresponding data. Afterwards, Alice publicly announces the set in which each state is located, and Bob compares his measurement results to the two states in the set. If Bob's measurement result is orthogonal to one of the states in the set, he concludes that the other state has been sent, which is a conclusive result and will be broadcast to Alice. Otherwise, the result is inconclusive. Alice randomly selects a portion of remaining signals as test bits and announces them to Bob, and Bob estimates the bit error rate to test for eavesdroppers and decides whether to abort the protocol. Finally, they perform error correction and privacy amplification on the remaining bit string to obtain the secret key.
2.1. One-decoy-state scheme
For phase-randomized weak coherent sources with infinite-decoy states, the secure key rate (SKR) for four-state SARG04 can be written as [24, 25]
$\begin{eqnarray}\begin{array}{l}{R}_{{\rm{SARG}}04}=-{Q}_{\mu }f({E}_{\mu })H({E}_{\mu })\\ \,+\,{Q}_{1}[1-H({Z}_{1}| {X}_{1})]+{Q}_{2}[1-H({Z}_{2}| {X}_{2})]\\ \,+\,{Q}_{3}[1-H({Z}_{3}| {X}_{3})]+\cdots ,\end{array}\end{eqnarray}$
where Qn represents the gain of an n-photon state, fe denotes the error correction efficiency, $H\left(x\right)$ is the binary Shannon entropy given by the formula $H\left(x\right)=-{{x}{\rm{l}}{\rm{o}}{\rm{g}}}_{2}\left(x\right)\,-\left(1-x\right){{\rm{log}}}_{2}\left(1-x\right)$, and H(Zi∣Xi) represents the conditional entropy. Here, Qμ and Eμ correspond to the total gain and quantum bit error rate under signal states with an intensity of μ, respectively, and can be expressed as follows: $\begin{eqnarray}\begin{array}{rcl}{Q}_{\mu } & = & \displaystyle \frac{1}{2}{Y}_{0}{e}^{-\eta \mu }+\left(\displaystyle \frac{{e}_{\det }}{2}+\displaystyle \frac{1}{4}\right)(1-{e}^{-\eta \mu }),\\ {E}_{\mu } & = & \displaystyle \frac{1}{4}{Y}_{0}{e}^{-\eta \mu }+\displaystyle \frac{{e}_{\det }}{2}(1-{e}^{-\eta \mu })/{Q}_{\mu },\ \end{array}\end{eqnarray}$
where Y0, η, and edet are the dark counts, overall transmission probability and misalignment, respectively.For simplicity, we consider the four-state SARG04 protocol with up to two-photon components. In this case, the conditional entropy can be expressed as [25]:
$\begin{eqnarray}\begin{array}{l}H({Z}_{1}| {X}_{1})=-\left(1+{e}_{a}-{e}_{b}-{e}_{p}\right){{\rm{log}}}_{2}\\ \,\times \,\displaystyle \frac{1+{e}_{a}-{e}_{b}-{e}_{p}}{1-{e}_{b}}\\ \,-\,({e}_{p}-{e}_{a}){{\rm{log}}}_{2}\displaystyle \frac{{e}_{p}-{e}_{a}}{1-{e}_{b}}-({e}_{b}-{e}_{a})\\ \,\times \,{{\rm{log}}}_{2}\displaystyle \frac{{e}_{b}-{e}_{a}}{{e}_{b}}-{e}_{a}{{\rm{log}}}_{2}\displaystyle \frac{{e}_{a}}{{e}_{b}},\end{array}\end{eqnarray}$
$\begin{eqnarray}H({Z}_{2}| {X}_{2})=H({Z}_{2})=H({e}_{p,2}),\end{eqnarray}$
where ep and eb represent the probabilities of a phase error and a bit error, respectively. The parameter ea denotes the probability that both a bit flip and a phase shift occur.First, we calculate the secret key rates (SKRs) versus the transmission distance for the SARG04 protocol by considering both single- and two-photon contributions, as well as for the case where only single-photon contributions are considered. In our simulation, we utilize the parameters ${\unicode{x000A0}}({Y}_{0},{e}_{det},{\eta }_{{\rm{B}}{\rm{o}}{\rm{b}}},{f}_{{\rm{e}}},\alpha )$, as listed in table 1. Figure 1 demonstrates that the two-photon component has a minimal contribution to the key rate as the transmission distance increases. Additionally, curves depicting the infinite-decoy BB84 scheme have been plotted. The optimal mean photon numbers for the BB84 protocol are used at all distances. By comparing these curves, it can be seen that the higher key generation rates and longer secure distance can be achieved for the BB84 scheme.
Figure 1. Simulation of SKRs versus transmission distance for BB84 (blue curve) and SARG04 with both single- and two-photon components (black curve) and with only single-photon components (red curve). |
Table 1. The experimental parameters used in the numerical simulations. |
| Y0 | edet | ηBob | α | fe | ${\varepsilon }_{{\rm{\sec }}}$ | ϵcor |
|---|---|---|---|---|---|---|
| 6 × 10−7 | 5 × 10−3 | 0.1 | 0.2dB/km | 1.16 | 10−9 | 10−15 |
For the security analysis of QKD protocols with realistic devices, the decoy-state method is often used to achieve a long secure distance. In experiments, the setup for the SARG04 scheme is almost the same as the BB84 scheme; therefore, one can easily extend the decoy-state method to SARG04 by only modifying the classical post-processing procedure in the BB84 protocol [23]. Additionally, it has been shown that the one-decoy-state protocol is easier to implement than the two-decoy-state protocol, and the former protocol is advantageous for most experimental settings [43]. Here, for the one-decoy-state SARG04, the sender randomly modulates the pulse into the signal (mean photon number μ) and decoy states (mean photon number ν) with probabilities pμ and pν, respectively.
Although the quantum states are divided into four sets in the SARG04 protocol, we can still consider the scenarios where the states are encoded in the Z basis for the analysis of detection events (the analysis in the X basis follows a similar approach). In this case, the finite key (measured in bits per pulse) under composable security against general attacks can be bounded by
$\begin{eqnarray}\begin{array}{l}l\leqslant {s}_{Z,0}^{L}+{s}_{Z,1}^{L}\left(1-H\left({Z}_{1}| {X}_{1}\right)\right)\\ \quad -{\lambda }_{{\rm{EC}}}-{{b}{\rm{l}}{\rm{o}}{\rm{g}}}_{2}\left(\displaystyle \frac{c}{{\varepsilon }_{{\rm{\sec }}}}\right)-{{\rm{log}}}_{2}\left(\displaystyle \frac{2}{{\varepsilon }_{{\rm{cor}}}}\right).\end{array}\end{eqnarray}$
In the equation given, ${s}_{Z,n}^{L}$ represents the lower bound of the n-photon events, λEC denotes the number of discarded bits during the error correction stage, and ${\varepsilon }_{{\rm{\sec }}}$ and ϵcor represent the secrecy and correctness parameters, respectively. The values of b and c depend on the specific security analysis being considered. For our subsequent simulations, we have adopted b = 6 and c = 18, as described in [43, 44].According to [43], the lower bound of the single-photon events and the upper bound of the vacuum events in the Z basis can be estimated using the following formula:
$\begin{eqnarray}{s}_{Z,1}^{L}=\displaystyle \frac{{\tau }_{1}\mu }{\nu \left(\mu -\nu \right)}\left({n}_{Z,\nu }^{L}-\displaystyle \frac{{\nu }^{2}}{{\mu }^{2}}{n}_{Z,\mu }^{U}-\displaystyle \frac{\left({\mu }^{2}-{\nu }^{2}\right){s}_{Z,0}^{U}}{{\mu }^{2}}\right),\end{eqnarray}$
with $\begin{eqnarray}\begin{array}{l}{s}_{Z,0}^{U}=\max \left[2\left({\tau }_{0}\displaystyle \frac{{e}^{k}}{{p}_{k}}\left({m}_{Z,k}+\delta \left({m}_{Z},{\varepsilon }_{1}\right)\right)\right.\right.\\ \,\left.\left.+\,\delta \left({n}_{Z},{\varepsilon }_{1}\right)\right),2\left({m}_{Z}+\delta \left({n}_{Z},{\varepsilon }_{1}\right)\right)\right],\end{array}\end{eqnarray}$
where ${s}_{Z,n}^{L\left(U\right)}$ is the lower (upper) bound of the n-photon event, τn represents the probability of sending an n-photon state, which is calculated as the sum of τn = ∑k=μ,νe−kknPk/n!. Additionally, ${n}_{{\bf{Z}},k}^{L(U)}$ and ${m}_{{\bf{Z}},k}^{L(U)}$ correspond to the lower(upper) bounds of the number of detections and bit errors of basis Z with intensity $k\in \left\{\mu ,\nu \right\}$. With regard to the lower bound of vacuum events in the Z basis, it can be estimated using the following formula: $\begin{eqnarray}{s}_{Z,0}\geqslant {s}_{Z,0}^{L}:= \displaystyle \frac{{\tau }_{0}}{\mu -\nu }\left(\mu {n}_{Z,\nu }^{L}-\nu {n}_{Z,\mu }^{U}\right).\end{eqnarray}$
For the protocol with a single-photon source, we have
$\begin{eqnarray}{e}_{b,1}=\displaystyle \frac{{\nu }_{X,1}}{{s}_{X,1}},{e}_{p,1}=\displaystyle \frac{3}{2}{e}_{b,1},a=\displaystyle \frac{1}{2}{e}_{b,1},\end{eqnarray}$
where νX,1 denotes the error events of single photons in the X basis and can be calculated by $\begin{eqnarray}{\nu }_{X,1}\leqslant {\nu }_{X,1}^{U}=\displaystyle \frac{{\tau }_{1}}{\mu -\nu }\left({m}_{Z,\mu }^{U}-{m}_{Z,\nu }^{L}\right).\end{eqnarray}$
The relation between the observed variables ${n}_{Z,k}\left({m}_{Z,k}\right)$ and the corresponding asymptotic case ${n}_{Z,k}^{* }\left({m}_{Z,k}^{* }\right)$ can be given by Hoeffding's inequality [44]
$\begin{eqnarray}\begin{array}{l}\left|{n}_{Z,k}^{* }-{n}_{Z,k}\right|\leqslant \delta \left({n}_{Z},{\varepsilon }_{1}\right),\\ | {m}_{Z,k}^{* }-{m}_{Z,k}| \leqslant \delta \left({m}_{Z},{\varepsilon }_{2}\right),\end{array}\end{eqnarray}$
where the relations hold with a probability of 1 − 2ϵ1 and 1 − 2ϵ2, respectively, and$\ \delta \left({n}_{Z},{\varepsilon }_{1}\right)=\sqrt{{n}_{Z}/2{ln}\left(1/\varepsilon \right)}$ and $\delta \left({m}_{Z},{\varepsilon }_{2}\right)=\sqrt{{m}_{Z}/2{ln}\left(1/\varepsilon \right)}$.According to [43], the upper and lower bounds of ${n}_{Z,k}\ \left({m}_{Z,k}\right)$ are given by
$\begin{eqnarray}\begin{array}{rcl}{n}_{Z,k}^{L} & := & \displaystyle \frac{{e}^{k}}{{p}_{k}}\left({n}_{z,k}-\sqrt{\displaystyle \frac{{n}_{z}}{2}\mathrm{ln}\displaystyle \frac{1}{{\varepsilon }_{1}}}\right),k\in \{\mu ,\nu \},\\ {n}_{Z,k}^{U} & := & \displaystyle \frac{{e}^{k}}{{p}_{k}}\left({n}_{{\rm{Z}},k}+\sqrt{\displaystyle \frac{{n}_{{\rm{Z}}}}{2}\mathrm{ln}\displaystyle \frac{1}{{\varepsilon }_{1}}}\right),k\in \{\mu ,\nu \},\\ {m}_{z,k}^{L} & := & =\displaystyle \frac{{e}^{k}}{{p}_{k}}\left({m}_{{}_{Z,k}}-\sqrt{\displaystyle \frac{{m}_{{}_{Z}}}{2}\mathrm{ln}\displaystyle \frac{1}{{\varepsilon }_{{}_{2}}}}\right),k\in \{\mu ,\nu \},\\ {m}_{z,k}^{U} & := & =\displaystyle \frac{{e}^{k}}{{p}_{k}}\left({m}_{{}_{Z,k}}+\sqrt{\displaystyle \frac{{m}_{{}_{Z}}}{2}\mathrm{ln}\displaystyle \frac{1}{{\varepsilon }_{{}_{2}}}}\right),k\in \{\mu ,\nu \}.\end{array}\end{eqnarray}$
The security parameters in one-decoy-state SARG04 are $\begin{eqnarray}{\varepsilon }_{{\rm{\sec }}}=2\left(2{\alpha }_{1}+{\alpha }_{2}+{\alpha }_{3}\right)+{\rm{V}}+4{\varepsilon }_{1}+5{\varepsilon }_{2},\end{eqnarray}$
where α1,α2,α3 and V are error terms carried out in the security analysis [43, 44].In the numerical simulation, nZ,k and mZ,k can be derived by
$\begin{eqnarray}\begin{array}{rcl}{n}_{Z,k} & = & \displaystyle \frac{{n}_{z}}{{P}_{Z,\det ,\mathrm{tot}}}{P}_{Z,\det ,k},\\ {m}_{Z,k} & = & \displaystyle \frac{{n}_{Z}}{{P}_{Z,\det ,\mathrm{tot}}}{P}_{Z,\mathrm{err},k},\end{array}\end{eqnarray}$
where $k\in \left\{\mu ,\nu \right\}$ is the intensity, and $\begin{eqnarray}\begin{array}{c}{P}_{Z,det,k}={P}_{{{\rm{set}}}_{Z}}{P}_{X}{p}_{k}\left[\displaystyle \frac{1}{2}{Y}_{0}{e}^{-\eta k}\right.\\ \,\left.+\,\left(\displaystyle \frac{{e}_{det}}{2}+\displaystyle \frac{1}{4}\right)\left(1-{e}^{-\eta k}\right)\right],\\ {P}_{Z,{\rm{err}},k}={P}_{{{\rm{set}}}_{Z}}{P}_{X}{p}_{k}\left[\displaystyle \frac{1}{4}{Y}_{0}{e}^{-\eta k}\right.\\ \,\left.+\,\displaystyle \frac{{e}_{det}}{2}\left(1-{e}^{-\eta k}\right)\right],\end{array}\end{eqnarray}$
where pk denotes the probability that Alice prepares states with intensity k, PX is the probability that Bob chooses the X basis, and ${P}_{{{\rm{set}}}_{Z}}$ is the probability that the set contains a quantum state in the Z basis sent by Alice.2.2. Afterpulse effect
The afterpulse effect is an inherent characteristic of single-photon detectors that are widely used in QKD due to their affordability and durability. As the detection rate increases, the impact of the afterpulse becomes more pronounced. It is assumed that some of the background counts stem from dark count events. According to [38], the afterpulse effect can be expressed in terms of the detection probability ${P}_{Z,{\rm{\det }},k}$ and the error probability PZ,err,k
$\begin{eqnarray}\begin{array}{l}{P}_{Z,{\rm{\det }},k}={P}_{{{\rm{set}}}_{Z}}{P}_{X}{p}_{k}\left[\displaystyle \frac{1}{2}{Y}_{0}{e}^{-\eta k}+\left(1+{P}_{{\rm{ap}}}\right)\right.\\ \,\left.\times \,\left(\displaystyle \frac{{e}_{{\rm{\det }}}}{2}+\displaystyle \frac{1}{4}\right)\left(1-{e}^{-\eta k}\right)\right],\\ {P}_{Z,{\rm{err}},k}={P}_{{{\rm{set}}}_{Z}}{P}_{X}{p}_{k}\left[\displaystyle \frac{1}{4}{Y}_{0}{e}^{-\eta k}\right.\\ \,\left.+\,\left(\displaystyle \frac{{e}_{{\rm{\det }}}}{2}+\displaystyle \frac{{P}_{{\rm{ap}}}}{2}\right)\left(1-{e}^{-\eta k}\right)\right],\end{array}\end{eqnarray}$
where Pap is the value of the afterpulse probability. Notably, the SARG04 protocol is identical to BB84 at the ‘quantum' level. Thus, Pap can be expressed as [20, 35–38]. $\begin{eqnarray}{P}_{{\rm{ap}}}=\displaystyle \frac{p}{1-p}{\hat{Q}}^{d},\end{eqnarray}$
where p is the overall afterpulse rate. Here, ${\hat{Q}}^{d}$ is the average response probabilities caused by two intensities (μ and ν) and can be expressed as $\begin{eqnarray}{\hat{Q}}^{d}=\displaystyle \sum _{k=\mu ,\nu }{p}_{k}{\tilde{Q}}_{k},\end{eqnarray}$
where ${\tilde{Q}}_{k}$ is the average response probabilities in all basis combinations.3. Numerical simulations
In this section, we present the finite-key simulations of the one-decoy SARG04 protocol, taking into account the afterpulse effect. To achieve a high key rate, the optimization of all parameters involves optimizing various factors to enhance system performance. This includes optimizing parameters such as μ, ν, pμ, pν, ${P}_{{{\rm{set}}}_{Z}}$, and PX. The simulation parameters, as referenced in [35], are provided in table 1.
First, we investigate the impact of finite-key size on the one-decoy SARG04 schemes, and plot the final SKR with respect to the transmission distance using five different post-processing block sizes in figure 2(a). It can be observed that the performance improves with larger block sizes. However, for relatively large block sizes (≥108), the SKR and maximum transmission distance show only slight differences. Therefore, in practical applications, a smaller block size is preferred as it allows shorter data collection times and requires fewer computational resources. Similar behavior for the BB84 protocol is shown in figure 2(b). We also note that the SARG04 protocol has a smaller key generation rate and a shorter secure distance than the BB84 scheme. Figure 3 illustrates the impact of the afterpulse effect on the SKR using a block size of 108 for three QKD protocols, namely the two-decoy BB84, one-decoy BB84 and one-decoy SARG04 protocols, with two different values of afterpulse probability. To compare the afterpulse effect between the one-decoy [43] and two-decoy [44] methods, we present the results from [43] specifically for the BB84 protocol. It is observed that the SKR decreases as the value of p increases, particularly in the two-decoy method. Furthermore, the afterpulse effect has a more pronounced impact on the SARG04 protocol compared to the BB84 protocol. Specifically, when p = 5%, the SKR of the SARG04 protocol is reduced by 60% compared to the situation when p = 0, and the maximum transmission distance is also decreased by approximately 15 km.
Figure 2. The SKR versus fiber length for one-decoy SARG04 (a) and BB84 (b) protocols with different lock sizes. The dashed black line is the asymptotic SKR. |
Figure 3. Comparison of the afterpulse effect on the two-decoy BB84, one-decoy BB84 and one-decoy SARG04 protocols, with a block size of 108. |
4. Conclusion
In conclusion, our study proposes a one-decoy-state method and applies it to the rigorous finite-key analysis of the SARG04 QKD protocol by considering the afterpulse effect. The numerical simulations conducted demonstrate that the contribution to the key rate and secure distance from the two-photon states is minimal. Additionally, we analyze the impact of finite-key length and observe a slight increase in the SKR and maximum transmission distance with the enlargement of the block size. The achievable SKRs for large block sizes are comparable to those obtained in the asymptotic regime. Moreover, through the utilization of the afterpulse-compatible model, we evaluate the tolerance of both the BB84 and SARG04 protocols towards afterpulse effects. We anticipate that the combination of the one-decoy-state method and the afterpulse model will enhance the practicality of the SARG04 protocol.