Finite-key security analysis for multilevel quantum key distribution
Kamil Bradler, Mohammad Mirhosseini, Robert Fickler, Anne Broadbent, Robert Boyd
FFINITE-KEY SECURITY ANALYSIS FOR MULTILEVELQUANTUM KEY DISTRIBUTION
KAMIL BRÁDLER, MOHAMMAD MIRHOSSEINI, ROBERT FICKLER, ANNE BROADBENT, AND ROBERT BOYDA
BSTRACT . We present a detailed security analysis of a d -dimensional quantum key distributionprotocol based on two and three mutually unbiased bases (MUBs) both in an asymptotic andfinite key length scenario. The finite secret key rates (in bits per detected photon) are calculatedas a function of the length of the sifted key by (i) generalizing the uncertainly relation-basedinsight from BB84 to any d -level 2-MUB QKD protocol and (ii) by adopting recent advances in thesecond-order asymptotics for finite block length quantum coding (for both d -level 2- and 3-MUBQKD protocols). Since the finite and asymptotic secret key rates increase with d and the numberof MUBs (together with the tolerable threshold) such QKD schemes could in principle offer animportant advantage over BB84. We discuss the possibility of an experimental realization of the3-MUB QKD protocol with the orbital angular momentum degrees of freedom of photons.
1. I
NTRODUCTION
It has been more than 30 years since the proposal of the first quantum key distribution (QKD)protocol – BB84 [ ] . The ultimate goal of a QKD protocol is to establish a secure key betweentwo parties for a further cryptographic use; in this context, quantum mechanics is a powerfulally of the legitimate parties. Therefore, it is advantageous to generate the key by distributingand measuring quantum states. Contrary to communication with classical signals, for quantumstates there exists a fundamental trade-off between how much information a classical or quan-tum adversary can get and how much the quantum system is disturbed. For example, the moststraightforward strategy of simply copying a quantum state does not work [
2, 3 ] . A signifi-cant amount of effort has been invested in proving the security of BB84 and subsequent QKDprotocols (starting with its proper definition [
4, 5 ] ) and experimental realization [ ] .Most of the modern QKD schemes rely on two-level quantum systems (qubits) as quantuminformation carriers. This is especially easy to achieve using the photon polarization degreeof freedom. The theoretical background as well as the experimental techniques are mature.However, quantum d -level states (qudits) have attracted much attention recently because theynaturally offer higher quantum information transmission rates and together with continuousvariables are promising candidates for next generation quantum information processing. In thisapproach, the information is encoded onto d distinct orthogonal states, for which in principlethere is no upper limit on d . In the context of QKD, the d -level protocols not only offer agreat potential to increase the transmitted key rate but they are also known to be more resilientto errors [ ] . Experimentally, high-dimensional quantum states have been realized as discretetime-bins [ ] , positions [ ] or angular momenta [ ] in lab-scale proof-of-principle tests. They (Kamil Brádler, Anne Broadbent) D EPARTMENT OF M ATHEMATICS AND S TATISTICS , U
NIVERSITY OF O TTAWA , C
ANADA (Kamil Brádler) M AX P LANCK C ENTRE FOR E XTREME AND Q UANTUM P HOTONICS , U
NIVERSITY OF O TTAWA , C
ANADA (Mohammad Mirhosseini) T HE I NSTITUTE OF O PTICS , U
NIVERSITY OF R OCHESTER , N EW Y ORK , 14627, USA(Robert Fickler) D
EPARTMENT OF P HYSICS AND M AX P LANCK C ENTRE FOR E XTREME AND Q UANTUM P HOTONICS , U
NIVERSITYOF O TTAWA , O
TTAWA , K1N 6N5, C
ANADA (Robert Boyd) D
EPARTMENT OF P HYSICS AND M AX P LANCK C ENTRE FOR E XTREME AND Q UANTUM P HOTONICS , U
NIVERSITYOF O TTAWA , O
TTAWA , K1N 6N5, C
ANADA , T HE I NSTITUTE OF O PTICS , U
NIVERSITY OF R OCHESTER , R
OCHESTER , N EW Y ORK ,14627, USA
E-mail : [email protected] . Key words and phrases.
Security of QKD, Finite and asymptotic secret key rates, Second-order asymptotics, Quantumand private capacity, Orbital angular momentum. a r X i v : . [ qu a n t - ph ] J u l FINITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION have also been successfully studied under real world environmental conditions where air turbu-lence or inter-modal coupling in fibers have to be taken into account [
11, 12 ] .The experimental efforts for realization of multidimensional QKD has primarily relied onemploying two mutually unbiased bases (MUBs). However, it is known that using only twoMUBs for d = [ ] . Considering this observation, it is expected thatusing more than two MUBs would provide enhancement in the security of the d -dimensionalQKD protocols. It is well known that for d a prime number or the power of a prime, themaximum number of MUBs in a d -dimensional Hilbert space is d + [
14, 15 ] . For the non-prime dimensions, the number of MUBs is a major open problem. However, it is perhaps lesswell known that there always exists three MUBs for any d [ ] . Motivated by this fact, wepresent a comprehensive security analysis for d -level QKD with two and three MUBs. Our maincontribution in this paper is the calculation of the secret key rate upper bounds for discrete d -dimensional QKD protocols using two and three MUBs. We exemplify the key rate calculationson d = d . The secret key ratesare calculated in both the asymptotic and finite key length scenario. In the asymptotic case, the2-MUB rates reproduce the previously known results [
6, 7, 17–25 ] but to our best knowledgethe analytical results we obtain for 3-MUB rates and for any d are novel and the correspondingadversarial channels haven’t been studied before (only the d = [ ] ). The main reason to reproduce the already known results for the 2-MUBQKD protocol is the calculation method that may not be familiar to the practitioners of QKD.It can be summarized as “ab initio” since our starting point is the private classical capacity andthe quantum capacity of a quantum channel [ ] and we systematically derive the well-knownexpressions for the secret key rate. The main result of the asymptotic part of our analysis is thesecret key rate calculation for the 3-MUB protocol and the derivation of the tolerable thresholdfor the error rate. We found that the threshold quite substantially increases accompanied bythe increase of the secret key rate as envisaged by the comparison of BB84 and the six-stateprotocol. Our results justify the overlapping numerical results presented in [ ] .The second part of our analysis is the study of QKD in the non-asymptotic regime of a finitenumber of exchanged signals. We follow two different routes leading to excellent (achiev-able [ ] ) upper bounds on the secret key rates even for a relatively low number of signals.The first approach is the generalization of the uncertainty relation-based approach pioneeredin [ ] for two MUBs and d =
2. We generalize the key step spelled out in [ ] for any d and using the large deviation estimate for the number of errors in the non-sacrificed part ofthe sifted key we derived the corresponding secret key rates. The intermediate step includes anumerical optimization over the ratio of dits in the secret key rates that are sacrificed for theparameter estimation purposes. As the number of sifted bits asymptotically increases the por-tion of sacrificed bits tends to zero [ ] and the secret key rates approach the asymptotic onesderived previously. For another approach to the non-asymptotic regime see [
31, 32 ] .The uncertainty-relation-based method is, however, not known to be applicable to the 3-MUBQKD protocol [ ] . More precisely, it can be enforced even for three MUBs but our attemptslead to awfully suboptimal rates. Hence we adopt a different strategy. Using the recent advancesin the second-order asymptotics for the quantum coding rates [ ] we use the expansion of therelevant entropic quantity (the smooth min-entropy) in terms of the conditional entropy vari-ance [
33, 34 ] and expand the decoupling exponent of what is essentially a one-shot decouplinglemma [ ] . The resulting rates are calculated both in the 2- and 3-MUB QKD scenario. Inthe latter, the resulting secret key rates are better for any d compared to the basic estimate The secret key rate units are bits per channel where the channel is understood as a completely positive map whoseexact form will be derived. Therefore our notion of a channel differs from its typical use in quantum optics experiments.A quantum channel is said to be realized in the QKD context whenever the photon is detected and used in the process ofsecret key extraction (not discarded). Knowing the number of realizations of the channel per second gives us the totalnumber of secret bits per a unit of time, sometimes perhaps confusingly also called a rate.
INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 3 first brought by Renner in [ ] that is used as a template in almost all finite key studies. Sincethe 3-MUB QKD protocol for any d seems to be systematically studied for the first time here, ittherefore establishes the best known secret key rates. The second-order asymptotic expansionalso beats Renner’s rates for the 2-MUB QKD protocol (for any d ) but it is not as good as theuncertainty-relation-based estimates. This is the expected kind of behavior.The remainder of the paper is structured as follows. In Sec. 2 we introduce the minimalbackground material and notation for our approach to calculate the asymptotic secret key ratesand collect several rudimentary facts about the Pauli group for qudits and mutually unbiasedbasis. We also recall the Choi-Jamiołkowski state-map correspondence. The asymptotic ratesfor 2- and 3-MUB QKD protocol are calculated in Sec. 3. In Sec. 4 we introduce the necessaryentropic quantities that come out in the expressions for finite key length secret key rates andderive the previously discussed non-asymptotic secret key rates. In Sec. 5 we describe one possi-ble laboratory implementation of our results by considering photonic OAM based QKD schemes,which have become a promising candidate for real-life high-dimensional QKD applications. Weshow the spatial modes that would be required for three MUBs and describe possible next stepsand open challenges. We, however, do not analyze the security of the studied QKD protocols byconsidering all realistic parameters such a platform offers. This would include taking into ac-count the efficiency of photon sources and detectors together with the suboptimality of certainclassical information algorithms used in the postprocessing step. The experimental inefficienciesdo not affect the secret key rate (measured by bits per channel) but rather the speed of howmany secret bits one is able to collect per given time period.2. S ECURITY OF ASYMPTOTIC
QKD
AND PRELIMINARIES
The modern definition of security for a quantum key distribution protocol requires the finalstate (cid:37)
ABE to satisfy (cid:13)(cid:13) (cid:37)
ABE − | K | (cid:88) k ∈ K | k 〉〈 k | A ⊗ | k 〉〈 k | B ⊗ τ E (cid:13)(cid:13) ≤ ε . (1)The indices A , B stand for the legitimate sender and receiver and E is an adversary (Eve). Thecondition says that after the protocols ends, the legitimate parties share classical correlations(in this case a classical key {| k 〉〈 k |} k ), where the knowledge of Eve can be made arbitrarilysmall – the quantum system in her possession is decoupled from the legitimate participants.The expression (cid:107) M (cid:107) = Tr (cid:112) M M † denotes the trace norm. This approach was first rigorouslyintroduced in a great generality in [ ] and in the context of QKD also in [ ] . The marginalstate (cid:37) B can be seen as an output of a noisy quantum channel N between a sender and areceiver. They do not know whether the noisy evolution is caused by decoherence of any kindor by an eavesdropper and mainly they must not care. As long as they know the channel andare able to use it asymptotically (sending a large number of quantum signals) one can ofteneasily determine whether a secret key can be established. Here comes the idea of asymptoticQKD: with an ever increasing number of channel uses the parameter on the RHS of Eq. (1) isrequired to become arbitrarily small. For some channels this condition cannot ever be satisfiedand in that case the asymptotic QKD is impossible. The normalized rate at which establishingclassical correlation over a noisy quantum channel is in principle possible is called the privateclassical capacity of N . Note that a secret key is a form of classical correlations [ ] . If theprivate capacity is zero, Eq. (1) cannot be satisfied in the sense that Eve cannot be arbitrarilywell decoupled from the state shared by the sender ( A ) to a receiver ( B ). The private classicalcapacity is given by P ( N ) df = lim n →∞ n sup (cid:37) XAn P ( N ⊗ n , (cid:37) ) , (2)where P ( N , (cid:37) ) df = I ( X ; B ) σ − I ( X ; E ) σ (3)is the private information . The state σ X BE = (cid:80) x p x | x 〉〈 x | ⊗ σ x , BE is given by the action of achannel isometry W N : A (cid:55)→ BE on a classical-quantum input state (cid:37) XA = (cid:80) x p x | x 〉〈 x | ⊗ (cid:37) x , A and FINITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION X denotes a classical random variable with a probability distribution P ( p x ≡ Pr ( X = x ) ). Thequantity I ( A ; B ) is called the quantum mutual information defined as I ( A ; B ) σ = H ( A ) σ + H ( B ) σ − H ( AB ) σ , (4)where H ( A ) σ df = − Tr [ σ A log σ A ] is the von Neumann entropy of a (possibly multipartite) state σ AB ... Z . The private classical capacity in (2) is an unconstrained optimization problem whosetractable solution for a general channel N is not known at present and even the calculation ofthe one-shot private capacity ( n = P ( ) ( N ) df = sup (cid:37) XA P ( N , (cid:37) ) (5)is not straightforward since (cid:37) A admits a mixed state decomposition (cid:37) A = (cid:80) x p x (cid:37) x , A .Another fundamental quantity, seemingly unrelated to QKD, is called the quantum channelcapacity [ ] Q ( N ) df = lim n →∞ n sup (cid:37) An Q ( N ⊗ n , (cid:37) ) , (6)where Q ( N , (cid:37) ) df = H ( B ) ϑ − H ( E ) ϑ (7)is the coherent information . The isometry now acts on (cid:37) A that (crucially) can be limited to aconvex sum of rank-one states ω x , A as W N : (cid:80) x p x | ω x 〉〈 ω x | A (cid:55)→ ϑ BE . The quantum capacityfollows from a stronger condition than Eq. (1) – that the main goal is to successfully transmit aquantum state from a sender to a receiver who happens to be decoupled from the environment E (completely controlled by an adversary). Quantum channel capacity (6) is also intractable fora general channel N but the one-shot quantity (also called the optimized coherent information) Q ( ) ( N ) df = sup (cid:37) A Q ( N , (cid:37) ) (8)is fairly easy to evaluate (often not analytically but the numerics will do the job).The decoupling mechanism is naturally useful for secret key generation. This is becausethe quantum capacity can crucially be interpreted as the one-way entanglement distillationrate which itself is a lower bound on the one-way secret key rate [ ] . Once the parties sharemaximally entangled states, they can be used to teleport any type of information, in particulara secret key, at the same rate the pairs were distilled. Hence the quantum capacity is a channelsecret key rate lower bound. Formally, it can be shown in the following way [ ] (see also [ ] ).From Eq. (5) and the definition of the mutual information we write P ( ) ( N ) = sup (cid:37) XA (cid:2) I ( X ; B ) σ − I ( X ; E ) σ (cid:3) (9a) = sup (cid:37) XA (cid:2) H ( B ) σ − H ( BX ) σ − H ( E ) σ + H ( EX ) σ (cid:3) (9b) = sup (cid:37) XA (cid:2) H ( B ) σ − H ( E ) σ − (cid:88) x p x (cid:0) H ( B ) σ x − H ( E ) σ x (cid:1)(cid:3) (9c) = sup (cid:37) A (cid:2) H ( B ) σ − H ( E ) σ (cid:3) − inf (cid:37) XA (cid:88) x p x (cid:0) H ( B ) σ x − H ( E ) σ x (cid:1) (9d) = Q ( ) ( N ) − inf p x , (cid:37) x , A (cid:88) x p x Q ( N , (cid:37) x ) . ) (9e)Eq. (9c) follows from H ( BX ) σ = H (cid:0) (cid:88) x p x | x 〉〈 x | ⊗ σ x , B (cid:1) = H ( X ) P + (cid:88) x p x H ( B ) σ x and similarly for the H ( EX ) σ . The first two summands in Eq. (9d) can be optimized over (cid:37) A in-stead of (cid:37) XA since we trace over the classical variable X . The von Neumann entropy H ( X ) P over log is the logarithm base two and ln denotes the natural logarithm throughout the paper. INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 5 a classical probability distribution P is simply the Shannon entropy S ( { p x } ) df = − (cid:80) x p x log p x .In the end we arrived at [ ] Q ( ) ( N ) ≤ P ( ) ( N ) (10)and thus the LHS turns out to be a useful lower bound in the QKD scenario as claimed. Theequality is achieved for (cid:37) x , A = | ω x 〉〈 ω x | A in which case H ( B ) x , ϑ = H ( E ) x , ϑ for all x and so Q ( N , (cid:37) x ) = r is the followingformula [ ] r n df = n min σ AB ∈ Γ (cid:2) H ( X n | E n ) σ − H ( X n | Y n ) σ (cid:3) , (11)where σ A n B n E n is a pure tripartite state shared by all parties, σ X Y E is a classical-quantum stateobtained by measuring σ A n B n E n (so X , Y are classical variables also called a raw key) and n isthe block size. The marginal state σ A n B n over which is being optimized is essentially a Choi stateintroduced on p. 6. The set Γ are all Choi states compatible with the channel estimation step inthe protocol and we will see it in action in Eqs. (23c). Finally, the expression in Eq. (11) H ( A | B ) (cid:37) df = H ( AB ) (cid:37) − H ( B ) (cid:37) (12)is the quantum conditional entropy. We can quickly see the equivalence between Eq. (11)and P ( ) ( N ) = sup (cid:37) XA [ H ( X | E ) σ − H ( X | B ) σ ] from Eq. (9b). We get rid of the supremum byrealizing that in all mainstream QKD protocols, the input states (or private codes) (cid:37) A are purestates (or mixtures thereof) leaving us with the classical-quantum input state of the form (cid:37) XA = (cid:80) x p x | x 〉〈 x | ⊗ | ω x 〉〈 ω x | A . The maximum is achieved for (cid:37) A maximally mixed and so from Eq. 9ewe get P ( ) ( N ) = Q ( ) ( N ) , see below (10) . In the second step, we realize that in all QKDprotocols, Bob applies a POVM on the received quantum state generating a classical variable Y and so Eq. (11) for n = Q ( ) ( N ) = r ,where σ AB from the RHS represents N on the LHS via the Choi-Jamiołkowski isomorphism (seep. 6). There is also a missing sup for r (or r n in general) as opposed to Q ( ) ( N ) and this asubtle point. From the quantum capacity standpoint, the channel N is given and the maxi-mization is over all possible input states (cid:37) A (quantum codes). In the QKD scenario (specificallyin its entanglement version) the parties try to share maximally entangled states and the mostreasonable strategy is obviously to start the distribution with maximally entangled states (quan-tum codes) . The fact that they may become disrupted due to decoherence or an eavesdropperimplies that the channel will be different. As we will see later, such a disrupted code is a channelrepresentation (the Choi matrix). Pauli group for qudits and MUBs.
It is instructive to investigate the case of two complementarybases (MUBs) for higher-dimensional Hilbert spaces. To this end, we first informally introducethe qudit Pauli group Π d . It has two generators X d , Z d ∈ Π d defined as X d = d − (cid:88) k = | k ⊕ 〉〈 k | , (13a) Z d = d − (cid:88) k = ω k | k 〉〈 k | , (13b) The actual expression for the key rate can be applied under very general circumstances, see [ ] , Corollary 6.5.2. Note that we are not a priori assuming anything. If a new QKD protocol is invented, the fact that the one-shotprivate capacity is maximized for a maximally mixed state must be proved. A more general idea, that we will not discuss further, is the possibility already envisaged in [ ] to go beyond entan-glement distillation protocols in order to establish classical secret correlations. It indeed turns out that one can distributeso-called “private states” [ ] for this purpose. This is precisely the situation where Q ( ) ( N ) = P ( ) ( N ) > FINITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION where ω = exp 2 π i / d and ⊕ is addition modulo d . An arbitrary element of Π d is then X α d Z β d for0 ≤ α , β ≤ d − [ ] ) reads X d Z d = Z d X d e i ζ d . (14)Hence, the eigenvector v d in the equation X d Z d v d = e i λ d v d is also an eigenvector of X α d Z α d (upto a phase). This is because X α d Z α d = ( X d Z d ) α e i κζ d , (15)where κ = ( α − α ) / Z d through X d . But v d is also aneigenvector of the RHS (up to a phase). Choi-Jamiołkowski representation of quantum channels.
A remarkable way of representinga quantum channel is known as the Choi-Jamiołkowski isomorphism [
37, 38 ] . Let N be thequantum channel. Then there exists a positive semi-definite map R N , sometimes called Choimatrix , that represents the action of the channel via N ◦ (cid:37) A = Tr A (cid:2) ( (cid:37) (cid:62) A ⊗ id B ) R N (cid:3) . (16)The channel N is trace-preserving if its Choi matrix satisfies Tr B R N = id A . Conversely, anyquantum channel N gives rise to a Choi matrix R AB ( N ) = ( id A ⊗ N ) ◦ Φ AA (cid:48) , (17)where Φ AA (cid:48) = (cid:80) d A i = | i 〉 A | i 〉 A (cid:48) is an unnormalized maximally entangled state. The physical inter-pretation of the Choi matrix is as if the communicating parties shared a maximally entangledqudit pair. Instead of sending the actual qudit through the channel one sends a half of a maxi-mally entangled state. The Choi matrix is usually derived from another channel representation(Kraus maps, for example) but almost all QKD schemes allow its direct construction. This leadsto the so-called diagonal Bell state. To see this, recall that the states in many QKD schemes arealways sent in one of the MUB bases. That means that the number of possible errors can beenumerated – one just needs to find the error generators causing a bit flip in at least one of thebases. These are precisely the elements of the Pauli group Π d and so the Choi matrix reads˜ R AB ( N ) = d − (cid:88) α , β = λ αβ (cid:0) id ⊗ X α d Z β d (cid:1) ˜ Φ AA (cid:48) . (18)Starting from (18), the operation ◦ in (17) becomes an ordinary matrix multiplication and thetilde indicates a normalized state. The probability error coefficients satisfy 1 ≥ λ αβ ≥ (cid:80) d − α , β = λ αβ = ERIVATION OF THE AND
ADVERSARIAL CHANNELS FOR QUDITS AND THEIRASYMPTOTIC SECRET KEY RATES
We adopt and reformulate the method of adversarial channel derivation from [ ] . A conciseversion also appears in Appendix A of [ ] . The error analysis is straightforward. In the bit basis (the eigenvectors of Z d ), theerrors are caused by X α d (there is d − X α d Z β d for all α , β > ( d − ) ofthem in total). Hence the measured error rate in the bit basis reads Q b = ( d − ) λ Z + ( d − ) λ ? , (19)where λ Z ≡ λ β and λ ? is the rest. Similarly for the phase basis, by setting λ X ≡ λ α we obtain Q p = ( d − ) λ X + ( d − ) λ ? . (20)It is common and experimentally reasonable [ ] to set the error rates equal Q b = Q p ≡ Q . Thenormalization condition yields λ = − Q + ( d − ) λ ? (21) INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 7 and it is perhaps clear that λ ? is a free parameter that needs to be determined by taking thebest Eve’s strategy. Following [ ] , the most general quantum attack is a collective attack. Acollective attack is Eve’s interaction with a passing qubit one by one with an eventual collectivemeasurement deferred until the quantum transmission is over. In this light, the maximumamount of information provided to Eve is given by the minimized coherent information Eq. (7)which we readily rewrite as Q ( N , ˜ Φ AA (cid:48) ) = H ( B ) ˜ R − H ( AB ) ˜ R . (22)Indeed, the normalized Choi matrix ˜ R serves a double purpose: it is a channel representationbut also an output of the channel whose input is maximally entangled with the reference system A (see Eq. (17)). The minimized RHS can be immediately evaluatedmin λ ? Q ( N , ˜ Φ AA (cid:48) ) = min λ ? [ H ( B ) ˜ R − H ( AB ) ˜ R ] (23a) = log d + min λ ? d − (cid:88) α , β = λ αβ log λ αβ (23b) = log d + min λ ? (cid:2) ( − Q + ( d − ) λ ? ) log [ − Q + ( d − ) λ ? ] (23c) + ( d − ) Q − ( d − ) λ ? d − Q − ( d − ) λ ? d − + ( d − ) λ ? log λ ? (cid:3) .Equality (23b) follows from Tr A [ ˜ R AB ] = id / d (the channel represented by R AB (˜ R AB ) is unital).We also used the fact that ˜ R AB is Bell-diagonal in order to calculate H ( AB ) ˜ R using Eqs. (19),(20)and (21). From (23c), by setting dd λ ? [ Q ( N , ˜ Φ AA (cid:48) )] =
0, we find the stationary point λ ? = Q ( d − ) (24)and d d λ ? [ Q ( N , ˜ Φ AA (cid:48) )] (cid:12)(cid:12) ( ) = ( d − ) ( Q − ) Q ln2 > d and Q . Then λ Z = λ X = Q ( − Q ) d − N d ( (cid:37) ) = ( − Q ) (cid:37) + Q ( − Q ) d − d − (cid:88) α = X α d (cid:37) X α d † + Q ( − Q ) d − d − (cid:88) β = Z β d (cid:37) Z β d † + Q ( d − ) d − (cid:88) α , β = X α d Z β d (cid:37) (cid:0) X α d Z β d (cid:1) † (26)also called the BB84 channel for d =
2. The secret key rates obtained by plugging Eq. (24) intoEq. (23c) read Q ( ) ( N d ) = log d + (cid:2) Q log Q + ( − Q ) log ( − Q ) − Q log ( d − ) (cid:3) (27)and are plotted in Fig. 1 for d = d = Q ≈ [ ] . We can recover one of our earlier results also from Eq. (11). First,since H ( X ) = H ( B ) = log d and by using Eq. (4) together with the identity H ( B ) − H ( B | X ) = H ( X ) − H ( X | B ) we get H ( X | B ) = H ( B | X ) = − ( − Q ) log ( − Q ) − Q log Q + Q log ( d − ) . (28) FINITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION Q ( ) ( N M U B s d ) Q F IGURE
1. Asymptotic secret key rates for 2-MUB QKD protocol (in bits perchannel) are depicted for d = N d is unital: N d : id d d (cid:55)→ id d d . Therefore, Bob’s information is classical(knowing the basis he perfectly measures the raw bit value), Y ≡ B and H ( X | B ) = H ( X | Y ) . Wealso find H ( E ) = H ( E | X ) ≡ H ( B | X ) and by using H ( E ) − H ( E | X ) = H ( X ) − H ( X | E ) we get H ( X | E ) = log d − H ( E | X ) . (29)Putting it all together, we obtain r ( d ,2MUBs ) = log d + (cid:2) ( − Q ) log ( − Q ) + Q log Q − Q log ( d − ) (cid:3) ≡ Q ( ) ( N d ) (30)in accordance with Eq. (27).The reason for the repetition of the previous analysis is two-fold. Besides showing thatour earlier approach via quantum / private capacity is valid and arguably more perspicuous, thesecret key rates of the form of Eq. (11) enable a nice interpretation of the entropic quantitiesand a direct comparison with the results coming from the finite key size analysis performedin [ ] , which is based on the one-shot entropic uncertainty relations. The second point will bediscussed in detail in Section 4. To illustrate the first point, note that for d = [ ] r ( d ,2MUBs ) = − h ( Q ) − leak EC , (31)where h ( Q ) df = − ( − Q ) log ( − Q ) − Q log Q is the binary Shannon entropy and leak EC = h ( Q ) is the information leaked to Eve during the error correction (information reconciliation) proce-dure.Going back to a general d , typically, leak EC > H ( X | Y ) (recall Y ≡ B from below Eq. (28)).This is because the algorithms performing this purely classical part do not typically achieve theShannon limit [ ] . For our purposes we consider this step to be perfect: leak EC = H ( X | Y ) . The existence of three MUBs generated by the Pauli elements Z d , X d and X d Z d forany d [ ] is good news and it makes senses to study the secret key rates for the 3-MUB QKDprotocols. The error analysis is a bit more intricate. In the bit ( Z d ) and phase ( X d ) basis theerrors are generated by the X α d and X α d Z β d and by Z β d and X α d Z β d , respectively, assuming α , β > INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 9
In the bit-phase basis (the basis spanned by the eigenvectors of X d Z d ) the errors are caused by X α d , Z β d ( α , β >
0) and those not of the form X α d Z α d for α >
0. This is shown in Eq. (15).Let us first do some counting: for a given d there is in total d − X α d Z β d by excluding an identity. It contains d − X α d operators and d − Z β d operators. Thereis also d − X α d Z α d operators for α >
0. Hence, the number of operators of the form X α d Z β d ( α , β > α (cid:54) = β ) causing errors in the X d Z d basis must be d − − ( d − ) = ( d − )( d − ) .As a result we get from Eq. (18) the following error rates: Q b = ( d − ) λ Z + ( d − ) λ X + ( d − )( d − ) λ X Z , (32a) Q p = ( d − ) λ Z + ( d − ) λ ? + ( d − )( d − ) λ X Z , (32b) Q b − p = ( d − ) λ X + ( d − ) λ ? + ( d − )( d − ) λ X Z . (32c)The coefficients λ Z , λ X are defined as before and λ X Z = λ αα for 0 < α ≤ d −
1. We again set theerror rates equal: Q b = Q p = Q b − p ≡ Q . The normalization condition becomes λ + ( d − ) λ Z + ( d − ) λ X + ( d − ) λ ? + ( d − )( d − ) λ X Z = λ = − Q − ( d − ) λ ? , (34a) λ X = λ Z = λ ? , (34b) λ X Z = Q − ( d − ) λ ? ( d − )( d − ) (34c)for d >
2. The channel is of the following form N d ( (cid:37) ) = ( − Q − ( d − ) λ ? ) (cid:37) + λ ? (cid:104) d − (cid:88) α = X α d (cid:37) X α d † + d − (cid:88) β = Z β d (cid:37) Z β d † + d − (cid:88) γ = X γ d Z γ d (cid:37) (cid:0) X γ d Z γ d (cid:1) † (cid:105) + Q − ( d − ) λ ? ( d − )( d − ) d − (cid:88) α (cid:54) = β = X α d Z β d (cid:37) (cid:0) X α d Z β d (cid:1) † . (35)The minimization procedure similar to Eq. (23) leads to an analytical solution (too long to pastehere) of the following cubic equation λ = (cid:0) − ( d − ) λ ? − Q (cid:1)(cid:20) − ( d − ) λ ? + Q ( d − )( d − ) (cid:21) . (36)The resulting secret key rates are given by Q ( ) ( N d ) = log d + ( Q − ( d − ) λ ? ) log Q − ( d − ) λ ? ( d − )( d − )+ ( d − ) λ ? log λ ? + ( − Q − ( d − ) λ ? ) log ( − Q − ( d − ) λ ? ) (37)and are plotted in Fig. 2. By comparing with Fig. 1 we can see that the tolerable thresholdvalues are much better than for the corresponding 2-MUB protocol. Our results perfectly agree(in the overlapping cases) with a numerical study from [ ] as well as the secret key rates andthresholds from [ ] . The d = [ ] . The channel is the qubit depolarizing channel (see again [ ] , Appendix A) N ( (cid:37) ) = ( − Q / ) (cid:37) + Q / ( X (cid:37) X + Y (cid:37) Y + Z (cid:37) Z ) . (38)Then Q ( ) ( N ) = − S ( { q i } ) , (39)where q i = { − / Q , Q / Q / Q / } . The one-shot capacity becomes zero for the thresholdvalue Q ≈ [
6, 40 ] . Q ( ) ( N M U B s d ) Q F IGURE
2. Qudit secret key rates for the 3-MUB QKD protocol for d = d = ON - ASYMPTOTIC SECRET KEY RATES FOR THE AND d - LEVEL PROTOCOLS
The condition for a secret key generated when the resources are not unlimited is formallyidentical to Eq. (1). However, Eq. (1) cannot this time be satisfied arbitrarily well. More pre-cisely, for finite-length private codes, ε is chosen sufficiently small and it becomes an inputparameter of the secret key generation protocol. The task can be further reformulated – it isoften advantageous to investigate separately two conditions : (i) correctness Pr [ K A (cid:54) = K B ] ≤ ε cor , (40)where the key string is allowed to be different with a nonzero probability ε cor , and (ii) secrecy (cid:13)(cid:13) (cid:37) AE − | K | (cid:88) k ∈ K | k 〉〈 k | A ⊗ τ E (cid:13)(cid:13) ≤ ε sec . (41)This means that an adversary is decoupled from the resulting secret key sequence by a small(but fixed) amount ε sec . Due to composability [ ] , the errors add up and the overall securityparameter is bounded: ε ≤ ε cor + ε sec + ε PA . Similarly to the asymptotic analysis, the “measure”of decoupling, ε sec , is related, through the decoupling lemma [ ] ε sec ≤ (cid:34) + − ( − (cid:96) + H (cid:34) min ( X n | E n ) (cid:37) − n leak EC ) , (42)to the smooth min-entropy H (cid:34) min ( A | B ) (cid:37) df = max (cid:37) (cid:48) s.t. (cid:107) (cid:37) − (cid:37) (cid:48)(cid:107) ≤ (cid:34) H min ( A | B ) (cid:37) (cid:48) , (43)where H min ( A | B ) (cid:37) df = max σ B s.t.0 < Tr σ B ≤ sup ξ ∈ (cid:82) [ (cid:37) AB − − ξ id A ⊗ σ B ≤ ] . (44) We took the liberty of ignoring the possibility of failure ε PA during the privacy amplification (PA) step and theprobability of failure ε cor of correctly estimating Alice’s key, Eq. (40). Both parameters are undoubtedly important forthe overall secret key rate in the non-asymptotic scenario. They manifest themselves as additional exponents in Eq. (42)in the form proportional to − log [ /ε ] . The errors are chosen independently as part of the protocol [
19, 28 ] but ourmain interest lies in ε sec and so we will study the key rate as its function. For a practical piece of advice as what to doin the deployed scenario, where all parameters must be set, we point the reader to Ref. [ ] and also [ ] . INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 11
We will also need the max-entropy definition H max ( A | B ) (cid:37) df = sup σ B log (cid:104) Tr (cid:2)(cid:0) (cid:112) (cid:37) AB ( id A ⊗ σ B ) (cid:112) (cid:37) AB (cid:1) / (cid:3)(cid:105) , (45)where for two commuting distributions (cid:37) → P and σ → Q the optimization can be per-formed [ ] .Given the secrecy parameter ε sec , the secret key of the length (cid:96) df = nr ( (cid:34) , n ) can be extractedwhenever r ( (cid:34) , n ) ≤ n H (cid:34) min ( X n | E n ) (cid:37) − leak EC . (46)The secret key rate is achievable [ ] . Given the security parameters (cid:34) in (42), the constructedcode satisfies the decoupling condition. In coding theory, the statement of achievability is usu-ally proved by a random construction via a direct coding theorem. This is precisely the con-struction found in Sec. 5.4 of [ ] . The original derivation from [ ] has been further elaboratedon and sharpened providing increasingly better estimates for the secret key rate. For the mostimportant contributions, we should not forget to mention [ ] and mainly [ ] culmi-nating in [ ] whose extension to the QKD qudit protocols will be presented in the next section.Also note the similarity between Eq. (11) and Eq. (46). Indeed, this is not a coincidence, the lat-ter can be seen as a finite-key version of the former [
5, 19 ] . The conditional entropy belongs to aparametric family of the so-called Rényi entropies and both the min- and max-entropy, Eq. (44)and 45, are family members with an operational meaning relevant for QKD [ ] . Furthermore,we have the equipartition propertylim (cid:34) → lim n →∞ n H (cid:34) max ( X n | E n ) (cid:37) = lim (cid:34) → lim n →∞ n H (cid:34) min ( X n | E n ) (cid:37) = H ( X | E ) (cid:37) . (47)An important advance in the security of the finite-key size QKD using two MUBs was possibledue to the use of the uncertainty relation for smooth entropies: H (cid:34) min ( X n | E n ) (cid:37) + H (cid:34) max ( X n | Y n ) (cid:37) ≥ n log d (48)Ref. [ ] explains the physical interpretation in detail so we will only say that uncertaintyrelations in general limit the knowledge in one basis if a measurement is performed in thecomplementary basis. In this case, the complementary basis (the eigenvectors of the Pauli Z d basis) is used exclusively for the sacrificed portion of the sifted key and this consequently servesfor an estimation of the preserved part of the sifted key (which itself is transmitted in the basisspanned by the eigenvectors of the Pauli X d matrix). Bounds on the finite secret key rate.
The direct evaluation of the smooth min-entropy for0 (cid:28) n < ∞ in Eq. (46) is not straightforward. There exists a couple of methods to estimateit and the most advanced analysis so far, based on the smooth entropy uncertainty relations,appeared in [ ] following [ ] . We present its generalization to the qudit scenario for the2-MUB QKD protocol. This approach provides the best secret key rate known to the authorsbut it cannot be extended to the case of 3 MUBs in a straightforward manner. In this case weuse another strategy via the study of the asymptotic behavior of the smooth min-entropy. Thisbound already appeared in [ ] and we improve it by recent insights based on the conditionalentropy variance (the so-called second-order approximation of the quantum coding rate [ ] ).For the sake of comparison, we evaluate these bounds also for the 2-MUB qudit protocol. Here,the finite-key corrections come from two sources. First, it is the approximations of the smoothmin-entropy and the smooth quantities in general. The second source of corrections is the errorrate estimation phase, where a part of the sifted key is sacrificed in order to estimate the errorrate of the data used to extract the actual secret key.To proceed, we will recapitulate the relevant parts of the qudit 2- and 3-MUB QKD protocolin order to apply the methods of [ ] . For the case of 2 MUBs, we may adopt the same protocoldefinition as in Box 1 of Ref. [ ] . In particular, an asymmetric choice of the complementarybases is used [ ] , one for the raw key whose length will be labeled n and the other one ofthe length k used solely in the parameter estimation step. Hence, the total length of the sifted key is N = n + k . The difference compared to [ ] is the calculation of the average error λ subsequently used for the parameter estimation. As a pure formality – instead of the modulotwo addition of the publicly announced bit sequences of the length k (used to count the numberof differing bits), the communicating parties may use λ df = k (cid:88) i = { x i (cid:54) = y i | X } = k (cid:88) i = (cid:24) x i (cid:9) y i d (cid:25) , (49)where (cid:9) stands for the modulo d subtraction and { ω | A } denotes the set indicator functiondefined for two sets Ω ⊂ A as { ω | A } = ω ∈ Ω and zero otherwise. In the parameterestimation phase, the sacrificed portion of the sifted sequence of the length k over d letters(transmitted in the Pauli Z d basis) is used to estimate the error rate in the portion of the length n transmitted in the Pauli X d basis. Analogously to [ ] , we are penalized by effectively in-creasing the error rate by ν = (cid:113) N ( k + ) ln (cid:34) k ( N − k ) due to the finiteness of the statistics. More precisely,the estimate of large deviations for an independent and identically distributed random processsampled without replacement due to Serfling is used [ ] .For three MUBs, the QKD protocol must be modified only such that the Pauli X d basis willbe used for the key extraction and the Z d and X d Z d basis for the parameter estimation step.So the communicating parties will be instructed to switch the bases accordingly with equalprobabilities for the Z d and X d Z d bases. In this case, the uncertainty relations based approachdoes not provide the best secret key rates and the smooth min-entropy from Eq. (42) must beestimated differently (see Eq. (56) onwards).A useful upper bound on the classical max-entropy is given by the probability distributionsupport (the set over which the probability distribution is positive [ ] ) leading to H max ( X | Y ) P ≤ log | supp [ P ( X | Y = y )] | = log (cid:12)(cid:12)(cid:8) x ∈ {
0, 1, . . . , d − } ; Pr [ X = x | Y = y ] > (cid:9)(cid:12)(cid:12) .(50)Here we generalize the result from [ ] (Claim 9) and show that the RHS satisfieslog (cid:12)(cid:12)(cid:8) x ∈ {
0, 1, . . . , d − } ; Pr [ X = x | Y = y ] > (cid:9)(cid:12)(cid:12) ≤ n (cid:0) h ( Q + ν ) + ( Q + ν ) log ( d − ) (cid:1) (51)for the 2-MUB protocol. We start as in [ ] (cid:12)(cid:12)(cid:8) x ∈ {
0, 1, . . . , d − } ; Pr [ X = x | Y = y ] > (cid:9)(cid:12)(cid:12) ≤ (cid:88) x ∈{ d − } n { λ < n ( Q + ν ) } (52a) = n (cid:88) λ = (cid:18) n λ (cid:19) ( d − ) λ { λ < n ( Q + ν ) } (52b) = n ( Q + ν ) (cid:88) λ = (cid:18) n λ (cid:19) ( d − ) λ (52c) ≤ n ( h ( Q + ν )) ( d − ) n ( Q + ν ) . (52d)The new term ( d − ) λ in the first equality comes from an additional number of errors causedby a larger ( d -letter) alphabet. The last line comes from (cid:80) n ( Q + ν ) λ = (cid:0) n λ (cid:1) ≤ n ( h ( Q + ν )) , valid for0 ≤ Q + ν ≤ /
2, and by taking into account 0 ≤ λ ≤ n ( Q + ν ) . Upon taking the logarithmwe obtain (51). This, on the other hand, allows us to bound the min-entropy from Eq. (42)via Eq. (48): H (cid:34) min ( X n | E n ) (cid:37) ≥ n (cid:0) log d − h ( Q + ν ) − ( Q + ν ) log ( d − ) (cid:1) . (53)Hence, we get for (46) r ( (cid:34) , n ) ≤ log d − h ( Q + ν ) − ( Q + ν ) log ( d − ) − leak EC (54)and so finally the optimized secret key rate is given by (cid:98) r ( (cid:34) , n ) ≤ max k N − kN (cid:2) log d − h ( Q + ν ) − ( Q + ν ) log ( d − ) − leak EC (cid:3) . (55) INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 13
The numerical optimization was done by choosing a target number of sifted signals N , the errorrate Q and the security parameter (cid:34) . The result of optimization is the highest rate and also thenumber k of sacrificed bits needed to achieve it. Another option, we did not pursue, was to setthe target number n of raw bits and optimize the rate over k sa well. The choice depends moreon practical requirements. As expected, in the limit of N → ∞ or n → ∞ , we recover Eq. (27)((30)). This is because ν → N − kN = nn + k → [ ] (Cor. 3.3.7)1 n H (cid:34) min ( X n | E n ) (cid:37) ≥ H ( X | E ) (cid:37) − ( (cid:37) X + ) (cid:114) n log 2 (cid:34) . (56)A better estimate comes from the recent advances in finite block length quantum coding [ ] through 1 n H (cid:34) min ( X n | E n ) (cid:37) ≥ H ( X | E ) (cid:37) + Φ − ( (cid:34) ) (cid:114) V ( X | E ) n , (57)where V ( (cid:37) (cid:107) σ ) df = Tr (cid:2) (cid:37) (cid:0) log (cid:37) − log σ − D ( (cid:37) (cid:107) σ ) (cid:1) (cid:3) (58)is the relative entropy variance and D ( (cid:37) (cid:107) σ ) df = Tr (cid:2) (cid:37) (cid:0) log (cid:37) − log σ (cid:1)(cid:3) (59)is the quantum relative entropy [ ] . Then, as a special case, we obtain the quantum conditionalentropy and the conditional entropy variance [ ] H ( A | B ) (cid:37) = − D ( (cid:37) AB (cid:107) id A ⊗ (cid:37) B ) , (60) V ( A | B ) (cid:37) = V ( (cid:37) AB (cid:107) id A ⊗ (cid:37) B ) . (61)The expression Φ − ( x ) = −(cid:112) [( − Erf ( x ))] stands for the inverse of the complementarycumulative Gaussian distribution function. The previously mentioned large deviation estimateof the smooth min-entropy manifests itself by replacing f ( Q ) = H ( X | E ) (cid:37) with f ( Q + ν ) = (cid:101) H ( X | E ) (cid:37) ≤ f ( Q ) (62)in Eqs. (56) and (57).Combining Eq. (46) and the estimates in Eqs. (56) and (57) together with Eq. (62) we getan achievable upper bound for the secret key rate (cid:98) r ( (cid:34) , n ) ≤ max k N − kN (cid:150) (cid:101) H ( X | E ) − leak EC − ( (cid:37) X + ) (cid:198) N − k log (cid:34) − Φ − ( (cid:34) ) (cid:113) V ( X | E ) N − k . (cid:153) . (63)The optimized secret key rate (cid:98) r ( (cid:34) , n ) is plotted as the two lower curves in Fig. 3 for the 2-MUBprotocol and in Fig. 5 for the 3-MUB protocol. Then, the overall number of secret key bits isgiven by ( N − k ) log d for k found in Eq. (63). Fig. 4 shows the d = d = ISCUSSION AND C ONCLUSIONS
With the promising results of an increased secret key rate at hand, we now turn to laboratoryimplementations of discrete high-dimensional state spaces. Although the presented theoreticalanalysis is valid for any experimental realization, we focus on one prominent example, namelytransverse spatial light modes. Encoding high-dimensional quantum states on the orbital angu-lar momentum of photons is a vibrant field in which technologies to generate and manipulatethe states have matured over the last 15 years. Here, the eigenstates of two MUBs can be in-tuitively understood as the complementary variables, orbital angular momentum (OAM) andangular position (ANG). They correspond to the generators Z d and X d , respectively, which we b r ( ǫ , n ) × × × × N F IGURE
3. Secret key rates based on the finite-key length analysis for d = d , a triple of curves (blue / red / green) corre-sponds to increasingly better key rates. The worst rate (blue) is provided byoptimizing the lower expression in Eq. (63). The middle (red) curve comesfrom the second-order analysis in the upper expression Eq. (63). The highest(green) rate is given by optimizing Eq. (55) based on uncertainty relation forsmooth entropies we obtained for any d . We set Q = (cid:34) = − and N = n + k is the length of the sifted string of d letters. b r ( ǫ , n ) N F IGURE
4. Rescaled secret key rates from Fig. 3 for d = d = [ ] . More importantly, their advantage in high-dimensional QKD has beendemonstrated recently [ ] and experimental techniques for efficiently sorting the encoded qu-dits are well established [
49, 50 ] . INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 15 b r ( ǫ , n ) × × × × N F IGURE
5. Secret key rates based on the finite-key length analysis for 3-MUBQKD protocol for d = / blue) is givenby optimizing the lower expression in Eq. (63). Hence the second-order analy-sis provides better achievable rates compared to Renner’s original estimate [ ] (lower curves from the upper expression in Eq. (63)). We set Q = (cid:34) = − and N = n + k is the length of the sifted string of d letters.In Fig. 6, we give an example of the eigenmodes of all three MUBs for dimension d = Z , the ANG-basis X and the eigenstates of X Z . The typical vortex of OAMcarrying light modes and their according helical phase dependence (from which the OAM stems)can be seen (Fig. 6. a) as well as the angular-shaped intensity of the states in the second MUBs(Fig. 6. b). The modes of the third MUB are more complex in their intensity and phase profile(Fig. 6. c), which leads to open questions of how practical such modes are in a laboratorysetting. Although modern techniques to generate complex light fields with high fidelity andefficiency are well known [ ] , the efficient sorting of a general set of spatial modes remainsdifficult. Possible techniques will need to be efficient and to work on the single photon level.Both requirements are fulfilled for established sorting devices that are used for OAM and ANGmodes but no direct techniques is known yet, which sorts the modes of the third basis. One wayto circumvent this lack of an efficient direct sorting would be to transfer the transverse spatialdegree of freedom into different optical paths, e.g. as described [ ] . Once transferred, it isknown how to realize any unitary transformation on the state, and thus an efficient detectioncould be done in any basis [ ] . Here, the fast progress in integrated quantum optics mighta promising way to realize such a so-called multiport even for dimensions as high as d = [
54, 55 ] .In summary, we calculated secret key rates and tightly estimated achievable upper boundson acceptable errors for an asymptotic and finite key length scenario in high-dimensional QKDschemes. We were able not only to reproduce and streamline already known bounds but mainlywe (i) adapted the uncertainty-relations-based method to high-dimensional QKD with two MUBsleaving us with nonzero secret key rates even for a relatively small number of signals and (ii)extended the findings to a QKD scheme involving 3 MUBs basis. Given the assured existence of3 MUBs in any dimension, our results are not limited to dimensions where the exact numberof MUBs is known and they can be readily applied to laboratory implementations. Additionally,we give an example for a possible physical implementation, transverse spatial modes, for whichmature techniques in generating all possible qudit-states exist and devices to efficiently sortthe states of two MUBs are established. Hence, an important future challenge is to develop apractical device that efficiently sorts the modes of the third MUB. Given the derived increase in F IGURE
6. Normalized intensity (left columns) and the corresponding phaseplots (right columns) of the three mutually unbiased bases for transverse spa-tial light modes of dimension 7. Colour codings for intensity and phase areshown below in arbitrary units from 0 to 1 and 0 to 2 π , respectively. a) Eigen-states of the generator Z , which are also known vortex modes or OAM eigen-states (intensity null at the center of the beam due to the phase singularity istoo small to be seen). b) Eigenstates of the X operator can be described byso-called angle modes due to their intensity profil. c) Theoretical plot of inten-sity and phase of the eigenstates of the third mutually unbiased basis, which isconstructed by X Z .the secret key rate, the development of such a novel sorter will further boost high-dimensionalQKD schemes and their real-world implementations. INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 17 A CKNOWLEDGEMENT
RB, RF and KB thank the Canada Excellence Research Chairs program for support. AB, RB,and KB acknowledge support from The Natural Sciences and Engineering Research Council ofCanada. RB and MM acknowledge support from the US Office of Naval Research. In addition,KB thanks Patrick Coles for comments and pointers to relevant literature ( [ ] ).R EFERENCES [ ] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distributionand coin tossing. In
International Conference on Computers, Systems and Signal Processing ,pages 175–179, 1984. [ ] William K Wootters and Wojciech H Zurek. A single quantum cannot be cloned.
Nature ,299(5886):802–803, oct 1982. [ ] Peter W Milonni and M L Hardies. Photons cannot always be replicated.
Physics Letters A ,92(7):321–322, nov 1982. [ ] Igor Devetak. The private classical capacity and quantum capacity of a quantum channel.
Information Theory, IEEE Transactions on , 51(1):44–55, 2005. [ ] Renato Renner.
Security of QKD . PhD thesis, ETH, 2005, quant-ph / [ ] Valerio Scarani, Helle Bechmann-Pasquinucci, Nicolas J Cerf, Miloslav Dušek, NorbertLütkenhaus, and Momtchil Peev. The security of practical quantum key distribution.
Re-views of modern physics , 81(3):1301, 2009. [ ] Nicolas Cerf, Mohamed Bourennane, Anders Karlsson, and Nicolas Gisin. Security ofQuantum Key Distribution Using d -Level Systems. Physical Review Letters , 88(12):127902,mar 2002. [ ] Irfan Ali-Khan, Curtis Broadbent, and John Howell. Large-Alphabet Quantum KeyDistribution Using Energy-Time Entangled Bipartite States.
Physical Review Letters ,98(6):060503, feb 2007. [ ] S Walborn, D Lemelle, M Almeida, and P Ribeiro. Quantum Key Distribution with Higher-Order Alphabets Using Spatially Encoded Qudits.
Physical Review Letters , 96(9):090501,mar 2006. [ ] Mohammad Mirhosseini, Omar S Magaña-Loaiza, Malcolm N O’Sullivan, Brandon Roden-burg, Mehul Malik, Martin P J Lavery, Miles J Padgett, Daniel J Gauthier, and Robert WBoyd. High-dimensional quantum cryptography with twisted light.
New Journal of Physics ,17(3):033033, mar 2015. [ ] Mehul Malik, Brandon Rodenburg, Mohammad Mirhosseini, Jonathan Leach, Martin P JLavery, Miles J Padgett, and Robert W Boyd. Influence of atmospheric turbulence onoptical communications using orbital angular momentum for encoding.
Optics Express ,20(12):13195–13200, 2012. [ ] Brandon Rodenburg, Mohammad Mirhosseini, Mehul Malik, Omar S Magaña-Loaiza,Michael Yanakas, Laura Maher, Nicholas K Steinhoff, Glenn A Tyler, and Robert W Boyd.Simulating thick atmospheric turbulence in the lab with application to orbital angularmomentum communication.
New Journal of Physics , 16(3):033020, March 2014. [ ] Dagmar Bruss. Optimal eavesdropping in quantum cryptography with six states.
PhysicalReview Letters , 81(14):3018, 1998. [ ] William K Wootters and Brian D Fields. Optimal state-determination by mutually unbiasedmeasurements.
Annals of Physics , 191(2):363–381, may 1989. [ ] Somshubhro Bandyopadhyay, P Oscar Boykin, Vwani Roychowdhury, and Farrokh Vatan.A new proof for the existence of mutually unbiased bases.
Algorithmica , 34(4):512–528,2002. [ ] Thomas Durt, Berthold-Georg Englert, Ingemar Bengtsson, and Karol ˙Zyczkowski. Onmutually unbiased bases.
International journal of quantum information , 8(04):535–640,2010. [ ] Helle Bechmann-Pasquinucci and Asher Peres. Quantum cryptography with 3-state sys-tems.
Physical Review Letters , 85(15):3313, 2000. [ ] Dagmar Bruss and Chiara Macchiavello. Optimal eavesdropping in cryptography withthree-dimensional quantum states.
Physical Review Letters , 88(12):127901, 2002. [ ] Valerio Scarani and Renato Renner. Quantum cryptography with finite resources: Un-conditional security bound for discrete-variable protocols with one-way postprocessing.
Physical review letters , 100(20):200501, 2008. [ ] Silvestre Abruzzo, Hermann Kampermann, Markus Mertz, and Dagmar Bruß. Quantumkey distribution with finite resources: Secret key rates via Rényi entropies.
Physical ReviewA , 84(3):032321, 2011. [ ] Sylvia Bratzik, Markus Mertz, Hermann Kampermann, and Dagmar Bruß. Min-entropyand quantum key distribution: Nonzero key rates for “small” numbers of signals.
PhysicalReview A , 83(2):022330, 2011. [ ] Raymond YQ Cai and Valerio Scarani. Finite-key analysis for practical implementations ofquantum key distribution.
New Journal of Physics , 11(4):045024, 2009. [ ] Renato Renner, Nicolas Gisin, and Barbara Kraus. Information-theoretic security proof forquantum-key-distribution protocols.
Physical Review A , 72(1):012332, 2005. [ ] Agnes Ferenczi and Norbert Lütkenhaus. Symmetries in quantum key distributionand the connection between optimal attacks and optimal cloning.
Physical Review A ,85(5):052310, 2012. [ ] Lana Sheridan and Valerio Scarani. Security proof for quantum key distribution usingqudit systems.
Physical Review A , 82(3):030301, 2010. [ ] Patrick J Coles, Eric M Metodiev, and Norbert Lütkenhaus. Numerical approach for un-structured quantum key distribution.
Nature Communications , 7, 2016. [ ] Renato Renner, private correspondence. [ ] Marco Tomamichel, Charles Ci Wen Lim, Nicolas Gisin, and Renato Renner. Tight finite-key analysis for quantum cryptography.
Nature communications , 3:634, 2012. [ ] Marco Tomamichel and Anthony Leverrier. A rigorous and complete proof of finite keysecurity of quantum key distribution. arXiv preprint arXiv:1506.08458 , 2015. [ ] Hoi-Kwong Lo, Hoi-Fung Chau, and M Ardehali. Efficient quantum key distributionscheme and a proof of its unconditional security.
Journal of Cryptology , 18(2):133–165,2005. [ ] Masahito Hayashi and Toyohiro Tsurumaru. Concise and tight security analysis ofthe Bennett-Brassard 1984 protocol with finite key lengths.
New Journal of Physics ,14(9):093014, 2012. [ ] Masahito Hayashi. Quantum wiretap channel with non-uniform random number and itsexponent and equivocation rate of leaked information.
Information Theory, IEEE Transac-tions on , 61(10):5595–5622, 2015. [ ] Marco Tomamichel and Masahito Hayashi. A hierarchy of information quantities for fi-nite block length analysis of quantum tasks.
Information Theory, IEEE Transactions on ,59(11):7693–7710, 2013. [ ] Ke Li et al. Second-order asymptotics for quantum hypothesis testing.
The Annals ofStatistics , 42(1):171–189, 2014. [ ] Graeme Smith. Private classical capacity with a symmetric side channel and its applicationto quantum cryptography.
Physical Review A , 78(2):022306, 2008. [ ] Karol Horodecki, Michał Horodecki, Paweł Horodecki, and Jonathan Oppenheim. Securekey from bound entanglement.
Physical review letters , 94(16):160502, 2005. [ ] Man-Duen Choi. Completely positive linear maps on complex matrices.
Linear Algebraand its Applications , 10(3):285–290, 1975. [ ] Andrzej Jamiołkowski. Linear transformations which preserve trace and positive semidef-initeness of operators.
Reports on Mathematical Physics , 3(4):275–278, 1972. [ ] Peter W Shor and John Preskill. Simple proof of security of the BB84 quantum key distri-bution protocol.
Physical Review Letters , 85(2):441, 2000.
INITE-KEY SECURITY ANALYSIS FOR MULTILEVEL QUANTUM KEY DISTRIBUTION 19 [ ] Hoi-Kwong Lo. Proof of unconditional security of six-state quantum key distributionscheme. arXiv preprint quant-ph / , 2001. [ ] Jörn Müller-Quade and Renato Renner. Composability in quantum cryptography.
NewJournal of Physics , 11(8):085006, 2009. [ ] Marco Tomamichel. A framework for non-asymptotic quantum information theory. arXivpreprint arXiv:1203.2142 , 2012. [ ] Marco Tomamichel, Mario Berta, and Joseph M Renes. Quantum coding with finite re-sources.
Nature Communications , 7, 2016. [ ] Robert J Serfling. Probability inequalities for the sum in sampling without replacement.
The Annals of Statistics , pages 39–48, 1974. [ ] Hisaharu Umegaki. Conditional expectation in an operator algebra, iv (entropy and infor-mation). In
Kodai Mathematical Seminar Reports , volume 14, pages 59–85, 1962. [ ] Jonathan Leach, Barry Jack, Jacqui Romero, Anand K Jha, Alison M Yao, Sonja Franke-Arnold, David G Ireland, Robert W Boyd, Stephen M Barnett, and Miles J Padgett.Quantum correlations in optical angle–orbital angular momentum variables.
Science ,329(5992):662–665, 2010. [ ] Mario Krenn, Marcus Huber, Robert Fickler, Radek Lapkiewicz, Sven Ramelow, and AntonZeilinger. Generation and confirmation of a (100 × Proceedings of the National Academy of Sciences , 111(17):6243–6247, 2014. [ ] Matthew P Edgar, Daniel S Tasca, Frauke Izdebski, Ryan E Warburton, Jonathan Leach,Megan Agnew, Gerald S Buller, Robert W Boyd, and Miles J Padgett. Imaging high-dimensional spatial entanglement with a camera.
Nature communications , 3:984, 2012. [ ] Mohammad Mirhosseini, Mehul Malik, Zhimin Shi, and Robert W Boyd. Efficient sep-aration of the orbital angular momentum eigenstates of light.
Nature Communications ,4:2781, November 2013. [ ] Gregorius Berkhout, Martin Lavery, Johannes Courtial, Marco Beijersbergen, and MilesPadgett. Efficient Sorting of Orbital Angular Momentum States of Light.
Physical ReviewLetters , 105(15), 2010. [ ] Victor Arrizón, Ulises Ruiz, Rosibel Carrada, and Luis A González. Pixelated phase com-puter holograms for the accurate encoding of scalar complex fields.
JOSA A , 24(11):3500–3507, 2007. [ ] Robert Fickler, Radek Lapkiewicz, Marcus Huber, Martin PJ Lavery, Miles J Padgett, andAnton Zeilinger. Interface between path and orbital angular momentum entanglement forhigh-dimensional photonic quantum information.
Nature communications , 5, 2014. [ ] Michael Reck, Anton Zeilinger, Herbert J Bernstein, and Philip Bertani. Experimentalrealization of any discrete unitary operator.
Physical Review Letters , 73(1):58, 1994. [ ] Jacques Carolan, Christopher Harrold, Chris Sparrow, Enrique Martín-López, Nicholas J.Russell, Joshua W. Silverstone, Peter J. Shadbolt, Nobuyuki Matsuda, Manabu Oguma,Mikitaka Itoh, Graham D. Marshall, Mark G. Thompson, Jonathan C. F. Matthews,Toshikazu Hashimoto, Jeremy L. O’Brien, and Anthony Laing. Universal linear optics.
Science , 349(6249):711–716, 2015. [ ] M. Huber S. Ramelow A. Zeilinger C. Schaeff, R. Polster. Experimental access to higher-dimensional entangled quantum systems using integrated optics.