Continuous-variable quantum cryptography with an untrusted relay: Detailed security analysis of the symmetric configuration
Carlo Ottaviani, Gaetana Spedalieri, Samuel L. Braunstein, Stefano Pirandola
aa r X i v : . [ qu a n t - ph ] J un Continuous-variable quantum cryptography with an untrusted relay:Detailed security analysis of the symmetric configuration
Carlo Ottaviani, ∗ Gaetana Spedalieri, Samuel L. Braunstein, and Stefano Pirandola † Department of Computer Science, University of York, York YO10 5GH, United Kingdom (Dated: July 2, 2018)We consider the continuous-variable protocol of Pirandola et al . [Nature Photonics , 397–402(2015), see also arXiv.1312.4104] where the secret-key is established by the measurement of anuntrusted relay. In this network protocol, two authorized parties are connected to an untrustedrelay by insecure quantum links. Secret correlations are generated by a continuous-variable Belldetection performed on incoming coherent states. In the present work we provide a detailed study ofthe symmetric configuration, where the relay is midway between the parties. We analyze symmetriceavesdropping strategies against the quantum links explicitly showing that, at fixed transmissivityand thermal noise, two-mode coherent attacks are optimal, manifestly outperforming one-modecollective attacks based on independent entangling cloners. Such an advantage is shown both interms of security threshold and secret-key rate. PACS numbers: 03.67.Dd, 03.65.-w, 42.50.-p, 89.70.Cf
I. INTRODUCTION
Rather than layers of physical security or obscure cod-ing in the distribution of a classical key [1], quantumcryptography claims to rely on the fundamental laws ofquantum physics to provide secure quantum key distri-bution (QKD) [2]. In the simplest scheme, informationis encoded on non-orthogonal states which are transmit-ted from Alice to Bob via a quantum channel. Afterclassical procedures of error correction and privacy am-plification, Alice and Bob are then able to distill sharedsecret bits [2]. Any attempt by Eve at gleaning informa-tion inevitably introduces noise in the quantum channel;by quantifying this noise, Alice and Bob determine howmuch distillation must be applied to make Eve’s infor-mation negligible or if there is too much noise (breachingthe security threshold ) they abort the protocol.Over the last several decades, QKD has been imple-mented many times, more recently even in simple net-work configurations [3–5]. By utilizing an iterated point-to-point strategy, a secret key may be shared with legit-imate users on more distant network nodes. This strat-egy explicitly requires secure and trusted intermediaterelay stations. However, modern communication proto-cols (e.g., TCP/IP) rely on a more advanced ‘end-to-endprinciple’ [6, 7] with simple, unreliable and untrusted re-lays; any layers of security are provided by the two end-parties.A first step in this direction has been done by Ref. [8],which extended QKD to the mediation of an untrustedrelay, void of quantum sources (e.g., entanglement) andperforming a quantum measurement which generatessecret correlations in remote stations. This idea ofa measurement-based untrusted relay (also known as ∗ Electronic address: [email protected] † Electronic address: [email protected] ‘measurement-device independence’) has been experi-mentally implemented with discrete variables [9, 10].More recently, the use of measurement-based un-trusted relays has been introduced in continuous-variableQKD [11] with the aim of exploiting the advantagesof bosonic systems [12, 13] in terms of cheap quantumsources and highly-efficient detectors. Indeed this pro-tocol is able to achieve secret-key rates orders of magni-tude higher than any protocol based on discrete-variablesystems. This is possible thanks to the use of the cheap-est possible quantum sources, i.e., coherent states, com-bined with simple linear optics and homodyne detectorsat the relay station. Ref. [11] found that the optimal per-formances are achieved in the asymmetric configurationwhere the relay is close to one of the parties.In this paper, we deepen the analysis of Ref. [11] con-sidering the symmetric configuration where the relay ismidway between Alice and Bob. Despite the fact this isnot the optimal setup in terms of rates and security dis-tances, it is still very important to analyze for potentialapplications in network scenarios where two parties areroughly equidistant from a public server or access point.Another reason for analyzing this kind of setup is in itssimple analytical formulas for the secret-key rates. Us-ing these formulas, we can provide a very detailed com-parison between the most important Gaussian attacksagainst the quantum links.In our cryptanalysis of the symmetric protocol weclearly show that, at fixed transmissivity and thermalnoise on the links, the optimal eavesdropping strategyis a two-mode coherent Gaussian attack, where Eve in-jects quantum correlations in both the quantum chan-nels leading to the relay. In this attack, these channelsare combined (via beam-splitters) with two entangledmodes, which have been prepared in a suitable Einstein-Podolsky-Rosen (EPR) state. Such a strategy greatlyoutperforms the single-mode collective attack based ontwo independent entangling cloners which was assumedin some recent investigations [16–18]. Any such securityanalysis relying on independent attacks on the channelsis therefore incomplete and opens security loopholes.The paper is organized as follows: In Section II wedescribe the setup in the symmetric scenario. In Sec-tion III we analyze its security and provide a formulafor the key rate. In Section IV we compare the variousGaussian attacks, identifying the optimal attack and thecorresponding minimum key rate of the protocol. Finally,in Section V we draw our conclusions.
II. THE PROTOCOL
Let us consider the scenario where Alice and Bob donot access a direct communication link. Instead theyconnect to a perfectly-in-the-middle relay via insecurequantum links, as shown in Fig. 1(a). The relay is un-trusted, meaning that it is assumed to be operated byEve in the worst case scenario.The protocol proceeds as follows: Alice and Bob pos-sess two modes, A and B , which are prepared in coherentstates, | α i and | β i , with randomly-modulated amplitudes(according to a complex Gaussian distribution with largevariance). They send these modes to the intermediaterelay where the output modes, A ′ and B ′ , are subjectto a continuous-variable Bell detection [19]. This meansthat A ′ and B ′ are mixed on a balanced beam splitterand the output ports are conjugately homodyned: Oneport is homodyned in the ˆ q -quadrature with outcome q − ,while the other port is homodyned in the ˆ p -quadraturewith outcome p + . Compactly, the measurement providesthe complex outcome γ := ( q − + ip + ) / √ γ ≃ α − β ∗ , so that the communica-tion of γ creates a posteriori correlations between Alice’sand Bob’s variables. Each party can easily infer the vari-able of the other. For instance, Alice could compute thequantity α − γ ≃ β ∗ recovering Bob’s encoding β up todetection noise [11]. This procedure partly recalls thepost-processing of the two-way QKD protocols [20, 21].Note that Eve’s knowledge of variable γ would be of nohelp to extract information on the individual variables α and β , i.e., we have I ( α : γ ) = I ( β : γ ) = 0 in terms ofmutual information [22, 23]. By contrast, as a result ofthe broadcast of γ , the conditional mutual information ofAlice and Bob becomes non-zero I ( α : β | γ ) > I ( α : β ).Thus, if Eve wants to steal information, she needs tointroduce loss and noise.In general, the action of Eve may involve a globalunitary operation correlating all the uses of the pro-tocols. However, using random permutations of theirdata [25, 26], Alice and Bob can always reduce this sce-nario to an attack which is coherent within the singleuse of protocol. This can be a joint attack of both thelinks and the relay. The parties can further reduce thiseavesdropping to consider a coherent attack of the links BRelay α β Alice A q - p + Bob
A Ba b
Bob
Relay E E Q M Alice τ τ α β (a)(b) γγ e Q M QME ’ E ’ A ’ B ’ A ’ B ’ FIG. 1: (Color online) (a) Relay-based protocol performedin the symmetric configuration with the untrusted relay per-fectly in the middle between the parties. Alice and Bob pre-pare coherent states with Gaussianly-modulated amplitudes, α and β , respectively. The relay performs a continuous-variable Bell measurement with complex outcome γ := ( q − + ip + ) / √
2, which is publicly broadcast. From the knowledgeof γ each party can infer the variable of the other party.(b) Entanglement-based representation of the protocol undertwo-mode Gaussian attack. Using two beam splitters withtransmissivity τ , Eve injects to ancillary modes, E and E ,prepared in a two-mode Gaussian state with zero mean andCM in the symmetric normal form of Eq. (2). See text fordetails. only, assuming a properly-working relay, i.e., a relay im-plementing a continuous-variable Bell detection. In par-ticular, since the protocol is based on the Gaussian mod-ulation and Gaussian detection of Gaussian states, theoptimal coherent attack of the links will be based on aGaussian unitary interaction [13–15]. See Ref. [11] formore details about this general reduction of the attack. III. CRYPTOANALYSIS OF THE PROTOCOL
According to the previous discussion, we can reducethe attack to a two-mode Gaussian attack against thequantum links of Alice and Bob. The most realistic im-plementation of such an attack consists of two beam split-ters combining the signals with ancillary modes preparedin a generally quantum-correlated Gaussian state (moreexotic Gaussian attacks may be constructed using othercanonical forms [27]). In particular, we will consider thesymmetric configuration of this attack, where the param-eters are identical for the two links, so that the perfor-mances of the protocol are invariant under exchange ofAlice and Bob. In order to analyze this symmetric Gaus-sian attack, we adopt the entanglement-based (EB) rep-resentation of the protocol, where Alice’s and Bob’s en-sembles of coherent states are simulated using two EPRstates subject to local heterodyne detections.
A. Entangled-based representation
The EB-representation of the protocol is described inFig. 1(b). Alice and Bob possess two EPR states, ρ aA and ρ bB , with the same covariance matrix (CM) [13] V ( µ ) = (cid:18) µ I p µ − Z p µ − Z µ I (cid:19) , (1)where I = diag(1 , Z = diag(1 , −
1) and µ ≥ a and b , Alice and Bob prepares coherent states, | α i and | β i , on the other EPR modes, A and B , respec-tively. In particular, their amplitudes, α and β , are mod-ulated according to a complex Gaussian distribution withvariance ϕ := µ −
1, that we take to be very large ϕ ≫ A and B are then sent to the relay for detection. B. Symmetric two-mode Gaussian eavesdropping
Alice’s and Bob’s modes A and B are mixed with an-cillary modes, E and E , respectively. This is done bymeans of two beam-splitters with the same transmis-sivity τ . The ancillas belong to an environmental set { E , E , e } in the hands of Eve, and the reduced stateof E and E is a zero-mean Gaussian state σ E E withCM in the symmetric normal form V E E = (cid:18) ω I GG ω I (cid:19) , G := (cid:18) g g ′ (cid:19) . (2)Here ω is the variance of the thermal noise injected inthe beam splitters, while G accounts for the quantumcorrelations between the two ancillas. (The various pa-rameters ω , g , and g ′ satisfy simple physical constraintsimposed by the uncertainty principle [28, 29]).The output modes, A ′ and B ′ , are subject to thecontinuous-variable Bell detection (with the outcomebroadcast), while Eve’s output modes, E ′ and E ′ , to-gether with all the other ancillary modes e are storedin a quantum memory, which is detected by an optimalcoherent measurement at the end of the protocol.Note that we may consider different transmissivities, τ A and τ B , for the beam splitters, and an asymmetricCM with different thermal variances, ω A and ω B . Thisis the general asymmetric case considered in Ref. [11].However, when the relay is midway between the two par-ties, the amount of loss and noise present in the links isrealistically expected to be identical. In other words, itis reasonable to consider here a symmetric attack as theone previously described, which has τ A = τ B := τ, ω A = ω B := ω . (3) Thanks to this symmetry, we can reduce the number ofparameters and derive a simple analytical expression forthe secret-key rate, which allows us to perform a detailedanalysis of the various specific symmetric attacks whichare possible against our protocol. In particular, we caneasily study the performances of these attacks in terms ofthe correlation parameters, g and g ′ , and identify the op-timal one which minimizes key rate and security thresh-old. Furthermore, due to the symmetry, Alice and Bobcan be interchanged, which implies that there is no dif-ference between direct and reverse reconciliation [13]. Inother words, we can consider a unique secret-key rate forthe protocol (assuming one-way classical communicationfor error correction and privacy amplification). C. Secret-key rate
Without loss of generality, we assume that Alice is theencoder of information (variable α ) while Bob is the de-coder, so that he post-processes his variable β to infer α . In the EB-representation, these variables are infor-mationally equivalent to the outcomes of the heterodynedetections [11]. To derive the rate, we note that theBell detection at the relay and the heterodyne detectionsof the two parties commute with each other. For thisreason, we can equivalently compute the rate from theconditional state ρ ab | γ of modes a and b after the com-munication of the outcome γ . The rate is given by [11] R = I ab | γ − I E | γ , (4)where I ab | γ is Alice and Bob’s conditional mutual infor-mation, while I E | γ is Eve’s Holevo information [23] onAlice’s variable (which can be computed from the stateof the output ancillas).Since all output modes are in a global pure state andthe various detections are rank-1, we can write [11] I E | γ = S ( ρ ab | γ ) − S ( ρ b | γα ) , (5)where S ( . ) is the von Neumann entropy [23], computedon the post-relay state ρ ab | γ of Alice and Bob, and thedouble-conditional state ρ b | γα of Bob, conditioned to re-lay’s and Alice’s detections (computable from ρ ab | γ ). D. Computation of the key rate
Both the mutual information I ab | γ and Eve’s Holevoentropy I E | γ can be computed from the post-relay state ρ ab | γ , in particular, from its CM V ab | γ . Imposing thesymmetry conditions of Eq. (3) in the general expressionof V ab | γ computed in Ref. [11], we derive V ab | γ = (cid:18) µ I 00 µ I (cid:19) − τ ( µ − × (6) × τµ + λ − τµ + λ τµ + λ ′ τµ + λ ′ − τµ + λ τµ + λ τµ + λ ′ τµ + λ ′ , where λ := (1 − τ )( ω − g ) , λ ′ := (1 − τ )( ω + g ′ ) . (7)Note that Eq. (6) represents a particular case of the gen-eral CM of Eq. (A10), which is obtained in the Appendix,where non-unit quantum efficiencies of the detectors arealso included.Now, we can easily compute [13] the symplectic spec-trum of eq.(6) in the limit of large modulation µ ≫ ν → r λµτ , ν → r λ ′ µτ . (8)Then, entropy term S ( ρ ab | γ ) in Eq. (5) can be computedusing the function h ( x ) := x + 12 log x + 12 − x −
12 log x −
12 (9) → log e x + O (cid:18) x (cid:19) for x ≫ . (10)Thus, we have S ( ρ ab | γ ) = h ( ν ) + h ( ν ) → log e τ √ λλ ′ µ. (11)To compute S ( ρ b | γα ) we derive the double-conditionalCM V b | γα . We put Eq. (6) in the block-form V ab | γ = (cid:18) A CC T B (cid:19) , (12)and we apply a partial gaussian heterodyne measurementon Alice’s remote mode a, given by [13, 19, 24], V b | γα = B − C T ( A + I ) − C , (13)which gives V b | γα = µ − ( µ − ττ ( µ +1)+2 λ µ − ( µ − ττ ( µ +1)+2 λ ′ ! . (14)For µ ≫
1, its symplectic eigenvalue is given by ν → p ( τ + 2 λ )( τ + 2 λ ′ ) τ , (15) and we have S ( ρ b | γα ) = h ( ν ). We can then computeEve’s Holevo information, asymptotically given by I E | γ = log e √ λλ ′ µ τ − h " p ( τ + 2 λ )( τ + 2 λ ′ ) τ . (16)Alice and Bob’s conditional mutual information I ab | γ canbe computed from the classical CM V ( α, β | γ ) = ( V ab | γ + I ) / I AB | γ = log τ µ p ( τ + λ )( τ + λ ′ ) . (17)As a result, we computed the following asymptotic secret-key rate for the symmetric Gaussian attack R sym = log " τ e p λλ ′ ( τ + λ )( τ + λ ′ ) + h " p ( τ + 2 λ )( τ + 2 λ ′ ) τ , (18)which is function of the parameters τ , ω , g and g ′ .A complete analysis of the performances of the schemein presence of non-ideal experimental conditions is de-scribed in Appendix A IV. DETAILED ANALYSIS OF THESYMMETRIC ATTACKS
For fixed transmissivity τ and thermal noise ω affectingeach link, there are remaining degrees of freedom in thetwo-mode Gaussian attack. These are given by the corre-lation parameters g and g ′ , which can be represented asa point on a ‘correlation plane’ (see Fig. 2). Each pointof this plane describes an attack (with different amountand kind of correlations) to which it corresponds a spe-cific key rate according to Eq. (18). Here we provide adetailed comparison between these attacks, showing howthe optimal coherent attack greatly outperforms the col-lective attack based on independent entangling cloners.Because of the symmetry, we have a simple character-ization of the set of possible Gaussian attacks which areaccessible to Eve. These correspond to points ( g, g ′ ) suchthat [28, 29] | g | < ω, | g ′ | < ω, (19) ω | g + g ′ | ≤ ω + gg ′ − . (20)Among all these accessible attacks, those satisfying thefurther condition ω − gg ′ − ≥ ω | g − g ′ | (21)are separable attacks ( σ E E separable), while those vio-lating Eq. (21) are entangled attacks ( σ E E entangled).See Fig. 2 for a numerical representation. In particular, gg' (4) (1) (2)(2) (3) (5)(6) FIG. 2: (Color online) Correlation plan for a symmetric Gaus-sian attack. Given τ and ω (here set to 2), the attack is fullyspecified by the two correlation parameters ( g, g ′ ), whose ac-cessible values are represented by the non-white area. In par-ticular, the inner darker region represents the set of separableattacks ( σ E E separable), while the two outer and lighterregions represent entangled attacks ( σ E E entangled). Thenumbered points represent the specific attacks described inSec. IV. we can identify the following attacks: Collective attack.
This is the simplest attack, repre-sented by point (1) in Fig. 2, i.e., the origin of the plane( g = g ′ = 0). This corresponds to using two identical andindependent entangling cloners with transmissivity τ andthermal noise ω . In fact, we have σ E E = σ E ⊗ σ E ,where σ E k ( k = 1 ,
2) is a thermal state with variance ω ,whose purification Φ E k e k is an EPR state in the handsof Eve. Separable attacks . Within the separable attacks wecan identify points (2), (3), and (4) in Fig. 2. These arecharacterized by the condition | g | = | g ′ | = ω − g = g ′ = ω − g = g ′ = 1 − ω , point (3) correspondsto g = − g ′ = ω −
1, and point (4) to g = − g ′ = 1 − ω . EPR attacks.
Finally, points (5) and (6) in Fig. 2 arethe most entangled attacks, where Eve’s ancillas E and E are described by an EPR state. Point (5) is the ‘pos-itive EPR attack’ with g = − g ′ = √ ω −
1, while (6) isthe ‘negative EPR attack’ with g = − g ′ = −√ ω − τ = 0 . R as func-tion of the thermal noise ω . In Fig. 4 we plot the securitythresholds. These are given by the condition R = 0, andthey are expressed in terms of maximum tolerable ther-mal noise versus transmissivity ω = ω ( τ ).Our analysis identifies “good” and “bad” entanglementfor the security of the protocol. Good entanglement R ω (1)(3)(5) (2)(6) (4) FIG. 3: (Color online) Secret-key rate R (bits) versus thermalnoise ω for the various symmetric attacks (1)-(6) classified inSec. IV and displayed in Fig. 2. Link-transmissivity is set to τ = 0 .
9. Note that the negative EPR attack (6) is the optimalattack minimizing the rate of the protocol. (3)+ - + + (1)+ - - (6) - (2) + - (5) +(4) - ΤΩ FIG. 4: (Color online) Security threshold ( R = 0) ex-pressed as maximum tolerable thermal noise ω versus link-transmissivity τ . We compare the various symmetric attacks(1)-(6) classified in Sec. IV and displayed in Fig. 2. The neg-ative EPR attack (6) is the optimal corresponding to the low-est security threshold. Also note the peculiar inversion of thethreshold for the positive EPR attack (5), for which the rateis positive for values of thermal noise above the threshold. refers to the entangled attacks in the bottom right areaof Fig. 2, with g = − g ′ >
0, of which the attacks (3)and (5) are border points. This entanglement is goodbecause it injects correlations of the type ˆ q E ≈ ˆ q E andˆ p E ≈ − ˆ p E , therefore helping the Bell detection (whichprojects on ˆ q A ′ ≈ ˆ q B ′ and ˆ p A ′ ≈ − ˆ p B ′ ). As a result, Eveactively helps the key distribution.This is evident from the performance of the positiveEPR attack (5) both in terms of rate (Fig. 3) and se-curity threshold (Fig. 4). In fact, from Fig. 3, we seethat the rate is increasing in the thermal noise ω and, inFig. 4, we see a peculiar inversion of the security thresh-old so that thermal noise above the threshold is tolerable.These features are typical of all entangled attacks with ω − < g ≤ √ ω − g ′ = − g , corresponding tothe segment of points between (3) (excluded) and (5)(included). In Figs. 3 and 4, these attacks have curveswhich are intermediate between those of (3) and (5).By contrast, bad entanglement refers to the entangledattacks in the top left area of Fig. 2, with g = − g ′ < q E ≈ − ˆ q E and ˆ p E ≈ ˆ p E , which areopposite to those established by the Bell detection. Inthis case, Eve decreases the correlations between Alice’sand Bob’s variables, and she is able to eavesdrop moreinformation, with the optimal strategy achieved by thenegative EPR attack (6) as clear from the rates of Fig. 3and the security thresholds of Fig. 4. The asymmetricversion of this attack is optimal in case of asymmetricsetups [11].By comparing the curves (6) and (1) in Figs. 3 and 4,we clearly see the substantial advantage given by thisoptimal attack with respect to the standard collectiveattack based on independent entangling cloners. Analyt-ically, the minimum key rate associated with the optimalattack is given by R min = h (cid:18) τ + 2 λ opt τ (cid:19) + log (cid:20) τ e λ opt ( τ + λ opt ) (cid:21) , (22)with λ opt = (1 − τ )( ω + √ ω − R coll = h (cid:20) τ + 2(1 − τ ) ωτ (cid:21) + log (cid:26) τ e (1 − τ )[ τ + (1 − τ ) ω ] ω (cid:27) . (23)Thus, the security analysis which is valid for one-waycontinuous-variable QKD protocols [13], and based onthe study of collective (single-mode) entangling-cloner at-tacks, cannot be applied to our relay-based protocol. Forthis reason, the studies provided by Refs. [16, 17] are in-complete and cannot prove the unconditional security ofthe relay-based (measurement-device independent) QKDwith continuous variables. V. CONCLUSIONS
In conclusion, we have provided a detailed analysis ofthe relay-based QKD protocol of Ref. [11], considering acompletely symmetric setup under the action of symmet-ric attacks. Despite the fact that this particular case doesnot represent the optimal configuration of the scheme,still it is important for its potential implementation innetwork scenarios. Furthermore, the symmetry condi-tions allow us to greatly simplify the cryptoanalysis andderive simple analytical results.Thanks to this approach, we have been able to providea very detailed classification of the symmetric attacksagainst the protocol, characterizing the different possi-ble strategies in terms of their correlation properties. Atfixed transmissivity and thermal noise, we have identi-fied the optimal symmetric attack which corresponds to a coherent attack where the ancillas are maximally en-tangled with a specific type of EPR correlations (negativeEPR attack). In particular, this attack greatly outper-forms the standard collective attack based on indepen-dent entangling-cloners, which is therefore unsuitable forassessing the security of this kind of protocol (contrary tothe claims of other analysis [16, 17]). This also confirmsthe results of Ref. [11] which were given in the generalcase of asymmetric setups.Finally our work clarifies the crucial role of quantumcorrelations in assessing the security of QKD protocolswhich are based on untrusted relays. Further studiesmay include the extension of this protocol to thermal-QKD [21, 30, 31], with the aim of using different wave-lengths of the electromagnetic field, e.g., in mixed tech-nology platforms using both optical/infrared and mi-crowave carriers.
Acknowledgments
This work was funded by a Leverhulme Trustresearch fellowship, the EPSRC via ‘HIPERCOM’(grant no. EP/J00796X/1), ‘qDATA’ (grant no.EP/L011298/1) and the UK Quantum Technology Hubfor Quantum Communications Technologies (Grant no.EP/M013472/1).
Appendix A: Extension to experimentalimperfections
In this appendix we analyze the role of experimentalimperfections computing the key-rates and the securitythresholds in the presence of Bell detectors with non-ideal quantum efficiencies. We also study finite-size ef-fects connected with finite Gaussian modulations [13],and the role played by the non-ideal efficiency of theclassical reconciliation codes [32]. We show that, alsoin the presence of realistic experimental limitations, theoptimal eavesdropping is given by the two-mode coherent“negative-EPR attack”.
1. Post-relay covariance matrix for non-ideal Belldetectors
We generalize Eq.(6) to include detectors’ efficienciesby placing two beam splitters with transmissivities η and η ′ , as illustrated in Fig. 5. To preserve the purity ofthe global (Alice-Bob-Eve) state, the non-detected sig-nals are sent to Eve’s quantum memory (this is the as-sumption to make in the worst-case scenario, since therelay is untrusted and Eve can control the loss of thedetectors).We follow the general approach given in Ref. [19]. We Bell relay QM γη q - p + A ’ B ’ η ’ FIG. 5: (Color online) Untrusted relay with inefficient de-tectors. Two additional beam splitters, with transmissivities( η, η ′ ) are placed in front of the ideal detectors. One outputfrom each beam splitter is sent to the detectors for measure-ments. The other outputs are sent to Eve’s quantum memory. write the total CM in the block form V = (cid:18) V ab CC T B (cid:19) , (A1)where the block B = (cid:18) B DD T B (cid:19) , (A2)describes the modes sent to the relay, A ′ and B ′ . Theseare processed by the balanced beam splitter and thenmeasured. In our case it is easy to verify [11, 19] thatthe blocks B , B and D take the following expressions B = B = [ τ µ + (1 − τ ) ω ] I , (A3) D =(1 − τ ) G , (A4)where I =diag(1 ,
1) and G =diag( g, g ′ ) . In Eq. (A1) the sub-matrix V ab describes the jointquantum state of remote modes a and b , while the block C = ( C C ) is a rectangular matrix accounting for thecorrelations between the remote modes and the transmit-ted ones, i.e., A ′ and B ′ . In particular, we compute C = (cid:18) p τ ( µ − Z0 (cid:19) , C = (cid:18) p τ ( µ − Z (cid:19) . (A5)Applying Eq. (74) from Ref. [19] to Eq. (A1), we ob-tain Alice and Bob’s CM conditioned to the relay Bellmeasurement. This is given by V ab | γ = V ab −
12 det γ ( η, η ′ ) X i,j =1 , C i (cid:16) X Ti γ ( η, η ′ ) X j (cid:17) C Tj , (A6)where X = (cid:18) (cid:19) , X = (cid:18) − (cid:19) . (A7) Here the quantum efficiencies of the detectors, simulatedby the beam splitter transmissivities η and η ′ , are con-tained in the symmetric matrix γ ( η, η ′ ) = (cid:18) γ ( η ) γ γ γ ( η ′ ) (cid:19) . (A8)In the case of a Bell detection the matrix γ ( η, η ′ )can explicitly be computed, according to Eqs. (54-59)of Ref. [19]. In particular, its entries take the form γ ( η ) = γ + 1 − ηη ,γ ( η ′ ) = γ + 1 − η ′ η ′ ,γ = 0 (A9)where γ = τ µ +(1 − τ )( ω − g ) and γ = τ µ +(1 − τ )( ω + g ′ )are easily obtained from Eq. (A3) and (A4), using theformulas of Ref. [19].After simple algebra we derive the post-relay CM in-clusive of the quantum efficiencies V ab | γ = (cid:18) µ I 00 µ I (cid:19) − τ ( µ − ×× γ ( η ) − γ ( η )1 γ ( η ′ ) 1 γ ( η ′ ) − γ ( η ) 1 γ ( η )1 γ ( η ′ ) 1 γ ( η ′ ) . This CM can be rewritten in the form V ab | γ = (cid:18) µ I 00 µ I (cid:19) − τ ( µ − ×× τµ + λ ( η ) − τµ + λ ( η )1 τµ + λ ′ ( η ′ ) 1 τµ + λ ′ ( η ′ ) − τµ + λ ( η ) 1 τµ + λ ( η )1 τµ + λ ′ ( η ′ ) 1 τµ + λ ′ ( η ′ ) , (A10)where λ ( η ) = ( ω − g )(1 − τ ) + − ηη ,λ ′ ( η ′ ) = ( ω + g ′ )(1 − τ ) + − η ′ η ′ . (A11)Note that Eq. (A10) could have been computed directlyfrom Eq. (6) by applying the transformations [34] λ → λ ( η ) , λ ′ → λ ′ ( η ′ ) . (A12)
2. Asymptotic generalized key-rate
From the previous CM we can write the sub-matrixdescribing Bob’s mode V b | γ = µ − τ ( µ − τµ + λ ( η )] τ ( µ − τµ + λ ′ ( η ′ )] ! . (A13)Then, by applying Eq. (13) to the generalized CM ofEq. (A10), we derive the doubly-conditional CM of Bob,conditioned to both relay’s and Alice’s detections, i.e., V b | γα ( η, η ′ ) = µ − τ ( µ − τ ( µ +1)+2 λ ( η )] µ − τ ( µ − τ ( µ +1)+2 λ ′ ( η ′ )] ! . (A14)We can now derive the symplectic spectra of the CMsof Eq. (A10) and (A14). We find simple analytical ex-pressions in the limit of large modulation. For V ab | γ wehave the symplectic eigenvalues ν ( η ) and ν ( η ′ ), whilefor V b | γα we have ν ( η, η ′ ). These eigenvalues can be ob-tained by applying the transformations of Eq. (A12) tothe Eqs. (8) and (15).Using these spectra, we can compute the correspondingtotal and conditional von Neumann entropies and there-fore the Holevo bound. In the limit of large modulation,Eve’s Holevo information becomes I E | γ ( η, η ′ ) = log e p λ ( η ) λ ′ ( η ′ ) µ τ − h " p [ τ + 2 λ ( η )][ τ + 2 λ ′ ( η ′ )] τ , (A15)which extends Eq. (16) to arbitrary efficiencies η and η ′ .Similarly, we can extend the formula for Alice andBob’s mutual information, which here becomes I AB | γ ( η, η ′ ) = log τ µ p [ τ + λ ( η )][ τ + λ ′ ( η ′ )] , (A16)for large modulation. Combining the previous results, wederive the asymptotic key-rate in the presence of detectorinefficiencies R sym ( η, η ′ ) = log " τ e p λ ( η ) λ ′ ( η ′ )[ τ + λ ( η )][ τ + λ ′ ( η ′ )] + h " p [ τ + 2 λ ( η )][ τ + 2 λ ′ ( η ′ )] τ , (A17)which clearly extends the formula given in Eq. (18).
3. Role of the imperfections on key-rate, securitythresholds and achievable distances
In this section we study in detail the combined role ofthe various experimental limitations and imperfections,confirming the main findings presented in the main bodyof this paper. We compute the key-rate and the secu-rity thresholds considering not only the realistic quan-tum efficiency of the detectors, but also the use of a finiteGaussian modulation and the non-ideal reconciliation ef-ficiency provided by realistic codes for error correctionand privacy amplification. - - Ω R - - Ω R Μ =70 Μ =10 FIG. 6: (Color online) The key-rate R (bits) is plotted versusthermal noise ω for µ = 10 (SNU) (top-panel) and µ = 70(bottom-panel). Other parameters are τ = 0 . β = 0 .
95 and η = η ′ = 0 .
98. We compare two eavesdropping strategies:The collective one-mode entangling cloner attack g ′ = g = 0(dotted black line) and the two-mode “negative EPR” attack g = − g ′ = −√ ω − β = 1),ideal detectors ( η = η ′ = 1) and large modulation ( µ ≫ a. Secret key rate In order to extract a secret key, the honest parties mustprocess their correlated data in stages of perform errorcorrection and privacy amplification. This data process-ing is today implemented with a limited efficiency β ≤ β ≃ . ÷ .
97 [32, 33]. To include thislimitation, we have to multiply Alice and Bob’s mutualinformation by β , and consider the realistic key-rate [13] R ( β, µ, τ, ω, g, g ′ , η, η ′ ) = βI AB | γ − I E | γ , (A18)where I AB | γ and I E | γ are now computed considering fi-nite modulation µ besides non-ideal detector efficiencies η and η ′ (clearly these quantities must tend to Eqs. (A15)and (A16) in the limit of large modulation).In general, the mutual information can be computedfrom the formula I AB | γ = log Σ, where Σ is defined inRef. [11]. Eve’s Holevo information can be computed us-ing the formula of the von Neumann entropy S = Σ x h ( x ),with h ( x ) defined in Eq. (9) and applied to the numeri-cal symplectic eigenvalues of the CMs given in Eqs. (A10) ΤΩ ΤΩ Μ =10 Μ =70 FIG. 7: (Color online) We plot the security threshold ω = ω ( τ ) for µ = 10 (top panel) and µ = 70 (bottom panel). Otherparameters are β = 0 .
95 and η = η ′ = 0 .
98. We compare thetwo-mode negative EPR attack (continuous black lines) andthe one-mode entangling cloner attack (dotted black lines).Red curves refer to the ideal case β = η = η ′ = 1 and µ ≫ and (A14). In Fig. 6, we plot the key-rate of Eq. (A18)as a function of the thermal noise ω for two values of theGaussian modulation µ = 10 (top) and µ = 70 (bottom)vacuum shot noise unit (SNU), and choosing τ = 0 . η = η ′ = 0 .
98 and β = 0 .
95. We see that the key-rateof a negative EPR attack is clearly lower than that of acollective one-mode attack. This behavior is generic byvarying the previous parameters. b. Security thresholds and achievable distances
Here we study the impact of the experimental limita-tions on the security thresholds, comparing the two-modeoptimal attack with one-mode collective attack. The se-curity threshold is obtained by solving the equation R ( β, µ, τ, ω, g, g ′ , η, η ′ ) = 0 . (A19)In this equation, we fix the values of the Gaussian mod-ulation ( µ = 10 or 70), the reconciliation efficiency( β = 0 . η = η ′ = 0 . ω = ω ( τ ). The comparison is provided in Fig. 7,where we see that the threshold of the optimal two-modeattack is always lower than the threshold of the one-modecollective attack.The previous analysis can be performed by express-ing the transmissivity in term of distances. In fact, we distance H Km L Ω distance H Km L Ω Μ = 70 (SNU) Μ = H SNU L FIG. 8: (Color online) This figure shows the security thresh-olds as ω = ω ( d ), where d is the distance in km, assumingthe loss rate of 0 . β = η = η ′ = 1 and µ ≫
1. The black curves refer to thenon ideal case β = 0 . η = η ′ = 0 .
98 and µ = 70 (SNU) . The bottom panel shows the degradation of the performanceas we increase the modulation from µ = 70 (black curves) to µ = 1000 (green curves), for β = 0 . η = η ′ = 0 . may consider τ = 10 − . d , where d is the distance in km,assuming the standard loss rate in fibre of 0 . β = η = η ′ = 1 and µ ≫
1) the performances deteri-orate. All others curves are obtained for realistic rec-onciliation efficiencies β = 0 .
95, and detectors efficien-cies η = η ′ = 0 .
98. The top panel compares the idealthresholds with the case µ = 70 (black), while in the bot-tom panel we show the degradation of the performanceswhile increasing the modulation from µ = 70 (black) to µ = 1000 (green).It is interesting to note the effect of the reconciliationefficiency on the optimal modulation variance. For valuesof β <
1, the optimal modulation is not infinite. In fact,for the realistic value considered here, β = 0 .
95, we havea range of finite modulations 30 . µ .
70, for which theperformances are improved. c. Discussion
Here we summarize some important aspects emergedfrom this further analysis. First, we have shown that0positive key-rates are still achievable over the range ofmetropolitan distances in the presence of various exper-imental limitations. Second, the negative-EPR attack,already identified to be the optimal attack in the idealcase (see main text) continues to be the most powerfuleavesdropping strategy also considering realistic experi-mental conditions, i.e., finite modulation, non-ideal rec- onciliation and non-ideal detectors. Third, the degrada-tion of the performances of the protocol does not comefrom the finite modulation (e.g., we checked that valuesas low as µ = 10 are still acceptable) but mainly fromthe quantum efficiencies of the detectors, η and η ′ , andthe reconciliation efficiency β of the classical codes. [1] B. Schneier, Applied Cryptography (John Wiley & Sons,New York, 1996) p.23.[2] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev.Mod. Phys. et al Proceedings ofthe Second International Conference on Distributed Com-puting Systems (Paris, France, April 8-10, 1981).[7] P. Baran, IEEE Trans. on Comm. , pp. 1-9 (1964).[8] S. L. Braunstein, and S. Pirandola, Phys. Rev. Lett. ,130502 (2012).[9] A. Rubenok, J. A. Slater, P. Chan, I. Lucio-Martinez,and W. Tittel, Phys. Rev. Lett. , 130501 (2013).[10] T. Ferreira da Silva, D. Vitoreti, G. B. Xavier, G. C. doAmaral, G. P. Tempor˜ao, and J. P. von der Weid, Phys.Rev. A , 052303 (2013).[11] S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook,S.L. Braunstein, S. Lloyd, T. Gehering, C.S. Jacobsenand U.L. Andersen, Nature Photonics , 397–402 (2015).See also arXiv.1312.4104.[12] S. L. Braunstein and P. van Loock, Rev. Mod. Phys. ,513 (2005).[13] C. Weedbrook, S. Pirandola, R. Garcia-Patron, N. J.Cerf, T. C. Ralph, J. H. Shapiro, and S. Lloyd, Rev.Mod. Phys. , 621 (2012).[14] R. Garc´ıa-Patr´on and N.J. Cerf, Phys. Rev. Lett. ,190503 (2006).[15] M. Navascues, F. Grosshans, A.Acin, Phys. Rev. Lett. , 190502 (2006).[16] Z. Li, Y-C. Zhang, F. Xu, X. Peng, and H. Guo, Phys.Rev. A , 052301 (2014).[17] X-C. Ma, S-H. Sun, M-S. Jiang, M. Gui, and L-M. Liang,Phys. Rev. A , 042335 (2014).[18] Note that Ref. [17] computed the rate of the protocolat fixed transmissivity τ and thermal noise ω , since theyfixed both τ and ε = ( ω − − τ ) /τ . However, while thelatter formula provides the excess noise for standard one-way protocols [13] it does not for the considered relay- based protocol (see Ref. [11] for the correct definition ofexcess noise in this more complex case).[19] G. Spedalieri, C. Ottaviani, and S. Pirandola, Open Syst.Inf. Dyn. , 1350011 (2013).[20] S. Pirandola, S. Mancini, S. Lloyd, and S. L. Braunstein,Nature Phys. , 726 (2008).[21] C. Weedbrook, C. Ottaviani, and S. Pirandola, Phys.Rev. A , 012309 (2014).[22] M.A. Nielsen and I. L. Chuang, Quantum Computationand Quantum Information (Cambridge University Press,Cambridge, 2000).[23] M. M. Wilde,
From Classical to Quantum Shannon The-ory (Cambridge University Press, Cambridge, 2013).[24] G. Giedke and J.I. Cirac, Phys. Rev. A , 032316(2002).[25] R. Renner, Nature Phys . , 645 (2007).[26] R. Renner, J.I. Cirac, Phys. Rev. Lett. 102, 110504(2009).[27] S. Pirandola, S. L. Braunstein, and S. Lloyd, Phys. Rev.Lett. , 200504 (2008).[28] S. Pirandola, A. Serafini, and S. Lloyd, Phys. Rev. A ,052327 (2009).[29] S. Pirandola, New J. Phys. , 113046 (2013).[30] C. Weedbrook, S. Pirandola, S. Lloyd, and T.C. Ralph,Phys. Rev. Lett. , 110501 (2010).[31] C. Weedbrook, S. Pirandola, and T.C. Ralph, Phys. Rev.A , 022318 (2012).[32] Paul Jouguet, S´ebastien Kunz-Jacques, Anthony Lever-rier, Phys. rev. A , 378 (2013).[34] Note that, in the presence of a pure-loss attack ( ω = 1and g = g ′ = 0), the non-unit quantum efficiencies of thedetectors can be included in the loss of the channels. Forsimplicity, for η = η ′ we can write ττ µ + λ ( η ) = τ ητ ηµ + 1 − τ η which is equivalent to consider τ ητ η