Passive decoy-state quantum key distribution for the weak coherent photon source with finite-length key

Cite this Article

Li Yuan, Bao Wansu, Li Hongwei, Zhou Chun, Wang Yang. Passive decoy-state quantum key distribution for the weak coherent photon source with finite-length key. Chinese Physics B , 2016, 25(1): 010305 Copy to clipboard

Permissions

Passive decoy-state quantum key distribution for the weak coherent photon source with finite-length key

Li Yuan ^{1, 2}, Bao Wansu ^{1, 2, †,}, Li Hongwei ^{1, 2}, Zhou Chun ^{1, 2}, Wang Yang ^{1, 2}

1 Zhengzhou Information Science and Technology Institute, Zhengzhou 450004, China

2 Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China

† Corresponding author. E-mail: 2010thzz@sina.com

Project supported by the National Natural Science Foundation of China (Grant No. 11304397).

Abstract

Passive decoy-state quantum key distribution systems, proven to be more desirable than active ones in some scenarios, also have the problem of device imperfections like finite-length keys. In this paper, based on the WCP source which can be used for the passive decoy-state method, we obtain the expressions of single-photon error rates, single-photon counts, and phase error rates. According to the information of smooth min-entropy, we calculate the key generation rate under the condition of finite-length key. Key generation rates with different numbers of pulses are compared by numerical simulations. From the results, it can be seen that the passive decoy-state method can have good results if the total number of pulses reaches 10 ¹⁰. We also simulate the passive decoy-state method with different probabilities of choosing a pulse for parameter estimation when the number of pulses is fixed.

PACS : 03.67.Dd ; 03.67.Hk

Keyword : quantum key distribution ; passive decoy-state ; finite-length key ; weak coherent pulses

Show Figures

1. Introduction

Quantum key distribution (QKD) ^{[ 1 , 2 ]}allows two legitimate parties, Alice and Bob, to establish a common and secret key when the channel is accessible to an eavesdropper, Eve. Since the best-known Bennett–Brassard 1984 (BB84) protocol ^{[ 1 ]}was put forward, QKD has attracted more and more attention all over the world, due to its unconditional security based on the fundamental laws of physics: no-cloning theorem and the uncertainty principle. ^{[ 3 ]}

QKD has been developed well both theoretically and experimentally ^{[ 4 – 11 ]}in recent years. However, people have come across all sorts of difficulties in a real situation. ^{[ 12 ]}Though an ideal QKD system is unconditional security, in fact the necessary assumptions that ideal QKD system need are not easy to be satisfied. These practical factors such as finite resources and imperfections of setups, will undoubtedly threaten the security of the real QKD system, and Eve can take advantage of the leaks to attack the system. To prevent the attacks, many countermeasures have been applied. One of them is to employ the decoy-state method ^{[ 13 – 17 ]}which introduces two or more decoy states to confuse Eve so that she cannot distinguish the signal state from the decoy states. Another important approach is the notion of device-independent QKD (DI-QKD). ^{[ 18 – 28 ]}What is more, people make works to characterize the effects of the real imperfect factors on the security of QKD system in a mathematical way to give a security proof. ^{[ 12 ]}

The finite-length key is an important practical factor which needs to be solved in a real QKD system. Under ideal conditions, the data transformed between Alice and Bob are infinite, and QKD can generate the final secure key from the infinite data. However, in practice, the data above cannot be infinite. It may cause statistical fluctuations on relating parameters. When we regard the finite-length keys, we should reconsider the security bound in the asymptotic regime.

In recent years, many significant advances have been achieved. ^{[ 29 – 32 ]}In 2008, Scarani and Renner ^{[ 33 ]}creatively presented the smooth min-entropy theory to obtain the security bound for practical BB84 with finite-length keys. Then Tan and Cai ^{[ 34 , 35 ]}studied the passive decoy-state with finite-length keys and demonstrated its unconditional security. Their works show that the practical decoy state can reach the asymptotic limit, where the resource is large enough but not infinite. In 2014, Zhou et al. ^{[ 36 ]}presented a concise and stringent formula to calculate the key generation rate for QKD using SPDCSs with finite-length keys.

In this paper, we first briefly introduce the decoy state protocol. We focus on the passive decoy-state protocol and the differences from the active decoy-state protocol. Then we introduce the phase-randomized WCP source used for the passive decoy-state method. With this source, we describe the passive decoy-state protocol without considering the finite-length key.

The rest of this paper is organized as follows. In Sections 2 and 3, we briefly introduce decoy state protocol and the WCP source which has been transformed for the passive decoy-state method, respectively. Next, in Section 4, we consider the passive decoy-state method with the infinite-length key. The affect of the finite-length key on the passive decoy-state method is analyzed in detail in Section 5. The numerical simulations of this section are shown in Section 6. Finally, Section 7 concludes the paper with a summary.

2. Decoy state protocol

In Section 1, we presented the fact that the necessary assumptions an ideal QKD system needs are not easy to satisfy. In the original proposal of the BB84 protocol, a single-photon source is necessary, but the single-photon source is still unavailable with current technology. Usually, a weak coherent pulse (WCP) source is used instead and many WCP-based experiments have been done since the first QKD experiment was carried out. ^{[ 37 ]}However, due to the multiphoton pulse sent from the WCP source, the QKD system will suffer from photon-number splitting (PNS) attack. ^{[ 38 , 39 ]}To protect the QKD system from PNS attack, one can use the decoy-state method which could closely reach the performance of single-photon sources. Actually, the method that Alice prepares the decoy state actively can be called the active decoy-state method. Similarly, the active decoy-state method also suffers from some practical factors. Because of imperfect experiments and channels, it may bring in some side channel information that Eve can take advantage of having an attack. For the real active (regular) decoy-state experiments, it is more difficult to verify the assumption that Eve cannot distinguish decoy and signal states. ^{[ 40 ]}

However, the passive decoy-state method ^{[ 41 , 42 ]}can reduce the side channel information in the decoy-state preparation procedure. Different from the active decoy-state method which actively changes the intensity of the laser pulses randomly, the passive decoy-state method only has one intensity pulse. The key point to distinguish in the passive decoy-state method is clicking or no clicking for Alice’s detector.

The common point between the passive decoy state and the active decoy state is that the yields and the error rates of the same photon-number states of the signal states and the decoy states shall be equal to each other, which means ^{[ 14 ]}

where Y _mand

denote the yields of m photons of signal states and decoy states, respectively, e _mand

denote the error rates of m photons of signal states and decoy states, respectively.

3. Transformed WCP source used for the passive decoy-state method

Due to the characters of the WCP source itself, it cannot be used for the passive decoy-state method directly. Curty et al. ^{[ 43 , 44 ]}have adjusted the WCP source to make it output two Fock diagonal states, so that it can be used for the passive decoy-state method. The fundamental setups are shown in Fig. 1 .

	Figure Option View Download New Window
	Fig. 1. The WCP sources ^{[ 43 , 44 ]}used for passive decoy-state method.

In Fig. 1 , ρ and σ denote the coherent states of two phase-randomized WCP source states, respectively,

with μ ₁and μ ₂denoting the mean photon numbers of the two signals, respectively. It should be noted that the WCP source that Curty et al. changed is phase-randomized WCP. Without additional explanations, the WCP source mentioned throughout this paper is the source shown in Fig. 1 . We consider the threshold detector as the photon-detector in Fig. 1 . In this scenario, the joint probability of having n photons in output mode a and m photons in output mode b can be written as ^{[ 44 ]}

where the parameters υ , γ , and ξ are given by

where t denotes the transmittance of a beam splitter.

Whenever the sender, Alice, does not care about the result of the measurement in mode b , the probability of having n photons in mode a can be written as

For Alice’s detector, the joint probability of having n photons in mode a and no click in the threshold detector now has the form

where the parameter d _Adenotes dark count and η _ddenotes the detection efficiency of the detector, and then, the probability of having n photons in mode a and producing a click in Alice’s threshold detector is

In this paper, we define that c denotes “click” of the detector while c̄ denotes “no click”. We also denote the signals that cause a click of Alice’s detector as signal states. The ones that cause no click of Alice’s detector are decoy states.

4. Passive decoy-state method using the WCP source with infinite-length key

In this section, we discuss the ideal passive decoy-state method. In the passive decoy-state method, two-mode states are a prerequisite as shown in Fig. 1 . When Alice measures mode b with a threshold detector described by detection efficiency η _Aand dark-count rate d _A, the mode a can be divided into two parts according to the result of the threshold detector: the “click” events and “no click” events. Here, we denote that the “click” events are signal states. The “no click” events are decoy states.

In Section 3, we have mentioned the parameter the probability of having n photons in mode a . It is divided into two parts and Usually, we describe as ^{[ 38 ]}Here, the parameters and can be written as

where P _nis the probability of “click” detection event when n -photon states are emitted from the WCP source, and P _n= 1 – (1 – d _A) (1 – η _A) ⁿ. ^{[ 41 ]}

According to the passive decoy-state method, the counting rates and the error rates of the n -photon states of the signal states and the decoy states are

From Eqs. ( 10 ) and ( 11 ), it is easy to find that and have a relation. ^{[ 37 ]}In this paper, we use a parameter δ _nto represent it, that is

where δ _nis a monotonically increasing function.

The overall gain of Alice’s detector producing a click is Q _cand no click is Q _c̄. They can be expressed by

In order to calculate the lower bound of Q _{1, c̄}, we eliminate and elements. Applying equation (12) and the monotonicity of δ _n, we can obtain

and then, the lower bound

can be obtained ^{[ 42 ]}

where δ = Q _c/ Q _c̄. Since Q _{1, c̄}and Q _{1, c}satisfy Eq. ( 12 ), we can obtain the lower bound of Q _{1, c}as

Next, we will calculate the upper bound of error rates of the signal state and the decoy state. According to the quantum bit error rate (QBER),

we can obtain two upper bounds of e _{1, c}as

where e _{0, c}= e _{0, c̄}= 0.5. The minimum of Eqs. ( 21 ) and ( 22 ) is the upper bound

^{[ 41 ]}

Due to Q _{1, c̄}, e ₁≥ 0, a parameter x is introduced, x = Q _{0, c̄}/ Q _c̄and its range is

Finally, taking the parameters above into the GLLP formula, one can obtain the following final key rate: ^{[ 42 ]}

where H ₂( x ) is the binary Shannon entropy function.

5. Passive decoy-state method using the WCP source with finite-length key

Because of the finite-size data sets in real-life condition, parameters have various fluctuations. In this paper, we mainly consider the influence of the finite-size data on the single-photon yield and single-photon error rate. Here, we will use smooth min-entropy to study the passive decoy-state method with the finite-length key.

Firstly, we introduce some related definitions.

Compassable security definition ^{[ 45 , 46 ]}Assume a QKD protocol output keys of K _Aand K _Bon Alice’s and Bob’s sides, respectively. It is considered to be ε -secure if it satisfies both the correctness and the secrecy. Correctness means that the probability of K _A≠ K _Bwill not exceed ε _cor, i.e.,

Secrecy means that K _Aand K _Bsatisfy the inequality

where K denotes either K _Aor K _B, ρ _KEis the quantum state about K and Eve, I _Krepresents the uniform mixture of all possible values of K , and ρ _Eis the system that Eve owns.

For QKD protocol, correctness can be regarded as the maximal probability of error-correction failure. Secrecy implies the probability that the final key is equal to the key without Eve is no less than 1 – ε _sec.

Smooth min-entropy ^{[ 45 ]}Let ε ≥ 0, σ _B∈ S ( H _B), and ρ _AB∈ S _≤( H _AB). The smooth min-entropy taken over a set of state B ^ε( ρ ) that are ε -close to ρ _AB, is defined as

where

and id _Ais the identity operator on A , and

is a distance measure based on fidelity and ε is called the smoothing parameter, and

means the largest amount of information which Eve can obtain.

Chain-rule inequality for the smooth min-entropy ^{[ 47 ]}Let ε ≥ 0, ε ′, ε ″ ≥ 0, and ρ _ABC∈ S _∈( H _ABC), and then

where

Here, we make E the information that Eve can obtain from the raw key X _Aof Alice, prior to the error-verification step. After the privacy amplification step, the length of the secure key S _Acan be expressed by the following lemma.

Lemma 1 ^{[ 48 , 49 ]}Let ε _n, n _c, n _c̄> 0, and let and be the quantum states of the “click” and “no click” n -photon events, respectively. They are both permutation-invariant quantum states, and let 𝔍 be a positive-operator-value measure (POVM) on H _ABwhich outputs the yield and quantum bit error rate, where Let ϒ _{n , c}and ϒ _{n , c̄}be the frequency distributions of the measurement events, e.g., the yield, when applying the measurements 𝔍 ^{n ₁}and 𝔍 ^{n ₂}, respectively. Then, for any elements Y _{n , c}and Y _{n , c̄}from ϒ _{n , c}and ϒ _{n , c̄}except with probability ε _n,

with

Here, we change Eq. ( 28 ) for convenience as

Lemma 2 (Secret key based on smooth min-entropy) ^{[ 45 , 50 ]}By applying privacy amplification with two-universal hashing, a secret key extracted from X _Ais ε _sec-secret if its length ℓ is chosen such that

where v + v̄ ≤ ε _secwith v and v̄ chosen to be proportional to ε _sec/ p _pass, and

quantifies the amount of uncertainty system Eve has on X _A.

Due to the influence of the finite-length key, the yields of the signal state and decoy state are no longer equal to each other, that is

However, Lemma 2 provides a relationship between Y _{n , c}and Y _{n , c̄}under the condition of finite-length key.

Next, we can calculate the lower bound of the single-photon counting rates for the decoy state and signal state.

Similar to that in Section 4, we need to eliminate the elements of n ≥ 2 in Eq. ( 15 ). According to Eq. ( 30 ), the elements can be expressed by

After being multiplied by δ ₂, the upper inequality is changed to

and then, replacing

and

by Q _c– Q _{0, c}– Q _{1, c}and Q _c̄– Q _{0, c̄}– Q _{1, c̄}respectively, inequality ( 34 ) can be written by

Now, we can obtain the lower bound of Q _{1, c̄}as

Comparing inequality ( 36 ) with inequality ( 17 ) in Section 4, we find that

should be considered. It means that in the condition of a finite-length key, the essence of the decoy state cannot be satisfied which will affect

By introducing the parameters p _peand N ,

can be expressed by

where N denotes the number of total pulses emitted from the WCP source and p _peis the probability of choosing a pulse as the sample bits used for parameter estimation. In the QKD protocol, the signal pulses that Bob receives can be divided into two parts. One part can generate the raw keys, another part is used for parameter estimation, p _peis the selection probability and χ is

In the ideal condition, N is infinite, n _cand n _c̄of ξ ( ε _n, n _c, n _c̄) are

and

respectively.

Similarly, we can obtain the lower bound of Q _{1, c}according to inequalities ( 30 ), ( 37 ) and Eq. ( 14 ) as

Next, we will recalculate the upper bounds of e _{1, c}and e _{1, c̄}.

Due to e _{1, c}≠ e _{1, c̄}, we can obtain two sample upper bounds of e _{1, c}and e _{1, c̄}from Eqs. ( 19 ) and ( 20 ), respectively,

Substituting elements Q _{1, c}and Q _{1, c̄}, we can obtain

where e _{0, c}= e _{0, c̄}= 1/2.

To calculate the final key generation rate, Lemma 2 is usually used to obtain the length of the secret key firstly. In this paper, we set

which considers the key generated from the signal state. Reference [50] gives the expression of the length of the secret key in this situation as follows:

where

and

denotes the phase error rate of the signal state in QKD. The phase error rate e _pis given by

where

and

Combined with the lower bounds of Q _{1, c}, Q _{1, c̄}and the upper bounds of e _{1, c}, e _{1, c̄}, equation (45) can be expressed by

According to the definition of the key generation rate, it is the fraction of the length of secret key and the number of total pulses, i.e., R = ℓ / N . One can obtain the final key generation rate as

However, it has been noted that the decoy state also has contributions to the key generation rate in the passive decoy-state method, so equation (44) is not suitable here. Recently, reference [ 36 ] considered the key generation rate of the decoy state of the passive decoy-state method and gave the length of the secret key in this situation as

where

is the raw key extracted from the decoy states and I ^c̄is the information that Eve can get from

The final secret key can be said to be ε _sec-secret if its length ℓ _{c + c̄}is chosen by

where

Now, combined with the lower bounds of the single-photon counting rate and the upper bounds of the error rate that have been calculated above, one can obtain the length of the final secret key as

where

n and l can be taken from NQ _{1, c̄}(1 – p _pe) and NQ _{1, c̄}p _pe.

According to the definition of the key generation rate, the final key generation rate under this condition is

where

and I _a,brepresents the modified Bessel function of the first kind.

Finally, the length of the final secret key is

6. Numerical simulations

In this section, we will take some numerical simulations to show how the finite-length key influences the final key generation rate of the passive decoy-state method. In the scenario we considered, the yields Y _ncan be expressed by

where η _sysdenotes the overall transmittance of the system. It can be written as

where η _Bobdenotes the overall transmittance of Bob’s detection apparatus and η _cis the transmittance of the quantum channel. It can be calculated by η _c= 10 ^{– αd /10}, where d represents the transmission distance measured in km for the given QKD schemes and α denotes the loss coefficient of the channel (e.g., an optical fiber) measured in dB/km.

The parameters , , and are calculated by Eqs. ( 6 )–( 8 ), respectively. We set μ _{1 = 0.5}and μ _{2 = 0.0001}. In this paper, ε _secand ε _corare 10 ^–10and 10 ^–12, respectively. The other parameter values in detail are listed in Table 1 . ^{[ 50 ]}

Table 1.

Experimental QKD parameters.

Figure 2 shows the relationship between the key generation rate R and the transmission distance d when the number N ( N = 10 ⁱ, i = 7, 8, 9, 10, ∞) of the total pulses from the WCP source is fixed by different values. From Fig. 2 , we can directly see that R becomes smaller with the increase of d . When the transmission distance d is fixed, the key generation rate R is getting larger with the increase of N . Meanwhile, when N is very small (e.g., N = 10 ⁷), the declining rate is fast. It would generate few keys if d ≥ 55 km. The curve of N = 10 ¹⁰is getting close to the ideal situation; it indicates that the number of total pulses from the WCP source can really influence the QKD system. When the number of total pulses is larger than 10 ¹⁰, the passive decoy-state QKD with the WCP source can implement well. However, by comparing these results with the results in Ref. [ 50 ], it can be seen that the passive decoy-state method is weaker than the active one both in the key generation rate and the extra transmission distance.

	Figure Option View Download New Window
	Fig. 2. Key generation rate R versus transmission distance d with different N ( N = 10 ⁱ, i = 7, 8, 9, 10, ∞).

Figure 3 shows the relationship between the key generation rate R and the number of total pulses N when the transmission distances are different. We can find that the passive decoy-state method can generate keys when N is 2 × 10 ⁷, 3.5 × 10 ⁷, 7 × 10 ⁷with 60 km, 70 km, and 80 km. When R is fixed, it needs more pulses with d becoming larger.

	Figure Option View Download New Window
	Fig. 3. Key generation rate R versus N with different d .

Finally, we analyse the relationship between R and d with different p _pewhich means the probability of choosing a pulse as the sample bits used for parameter estimation when N is fixed. Figure 4 is an example whose N = 10 ⁹. When the transmission distance is 60 km, it is easy to find that the lines of p _pe= 0.5 and p _pe> 0.5 are coincident which means that the key generation rates of p _pe= 0.5 and p _pe> 0.5 are almost equal. According to the definition of p _pe, the more pulses will be used to generate the key if it is getting smaller. Then, the QKD system can get more secure key bits. Hence, considering a compromised scheme, we take p _pe= 0.5 as an optimal reference value.

	Figure Option View Download New Window
	Fig. 4. Key generation rate R versus transmission distance d with different p _pe.

7. Conclusions

In summary, we introduce the decoy state method and analyze the phase-randomized WCP source that can be used in passive decoy-state protocol. Then, we study the passive decoy-state method using the WCP source with an infinite-length key. After recalculating the phase error rate, counting rate, and error rate of the single photon state, we obtain the length of the secret key considering both the signal state and the decoy state in the passive decoy-state method. According to the results of numerical simulations, we find that the finite-length key influences the real QKD system. It can affect the key generation rate and the transmission distance. The key generation rate and the extreme transmission distance become larger with the increase of the number of total pulses. When the number is larger than 10 ¹⁰, the passive decoy-state QKD with the WCP source will perform well. Meanwhile, we study the relationship between the key generation rate and the probability of choosing a pulse as the sample bits used for parameter estimation. It can help us to select the optimal value to make sure that the passive decoy-state method in this paper will be implemented best. Our work can help QKD experimentalists to improve the performance and provide references about how to choose the data-size.

Reference

1	Bennett C H Brassard G 1984 Proc. IEEE Int. Conf. on Computers, Systems, and Signal Processing Bangalore India (New York: IEEE) 175 179
2	Ekert A K 1991 Phys. Rev. Lett. 67 661
3	Nielsen M A Chuang I L 2000 Quantum Computation and Quantum Information Cambridge Cambridge University Press Chaps. 2 and 12
4	Lo H K Chau H F 1990 Science 283 2050
5	Shor P Preskill J 2000 Phys. Rev. Lett. 85 441
6	Gottesman D Lo H K Lütkenhaus N Preskill J 2004 Quantum Inf. Comput. 4 325
7	Wang S Chen W Guo J F Yin Z Q 2012 Opt. Lett. 37 1008
8	Jouguet P Kunz-Jacques S Leverrier A Grangier P Diamanti E 2013 Nat. Photonics 7 378
9	Wang J Y 2013 Nat. Photonics 7 387
10	Zhao L Y Li H W Yin Z Q Chen W You J Han Z F 2014 Chin. Phys. B 23 100304
11	Li M Treeviriyanupab P Zhang C M Yin Z Q Chen W Han Z F 2015 Chin. Phys. B 24 010302
12	Scarani V Bechmann-Pasquinucci H Cerf N J Dusek M Lütkenhaus N Peev N 2009 Rev. Mod. Phys. 81 1301
13	Hwang W Y 2003 Phys. Rev. Lett. 91 057901
14	Lo H K Ma X Chen K 2005 Phys. Rev. Lett. 94 230504
15	Wang X B 2005 Phys. Rev. Lett. 94 230503
16	Wang X B 2005 Phys. Rev. A 72 012322
17	Ma X Qi B Zhao Y Lo H K 2005 Phys. Rev. A 72 012326
18	Acin A Brunner N Gisin N Massar S Pironio S Scarani V 2007 Phys. Rev. Lett. 98 230501
19	Gisin N Pironio S Sangouard N 2010 Phys. Rev. Lett. 105 070501
20	Pawlowski M Brunner N 2011 Phys. Rev. A 84 010302
21	Braunstein S L Pirandola S 2012 Phys. Rev. Lett. 108 130502
22	Lo H K Curty M Qi B 2012 Phys. Rev. Lett. 108 130503
23	Tamaki K Lo H K Fung C H F Qi B 2012 Phys. Rev. A 85 042307
24	Ma X F Razavi M 2012 Phys. Rev. A 86 062319
25	Zhou C Bao W S Chen W Li H W Yin Z Q Wang Y Han Z F 2013 Phys. Rev. A 88 052333
26	Li F Y Yin Z Q Li H W Chen W Wang S Wen H Zhao Y B Han Z F 2014 Chin. Phys. Lett. 31 070302
27	Dong C Zhao S H Zhang N Dong Y Zhao W H Liu Y 2014 Acta Phys. Sin 63 200304 (in Chinese)
28	Dong C Zhao S H Dong Y Zhao W H Zhao J 2014 Acta Phys. Sin 63 170303 (in Chinese)
29	Hayashi M 2007 Phys. Rev. A 76 012329
30	Li H W Zhao Y B Yin Z Q Wang S Han Z F Bao W S Guo G C 2009 Opt. Commun. 282 4162
31	Song T T Zhang J Qin S J Wen Q Y 2011 Quantum Inf. Comput. 11 374
32	Somma R D Hughes R J 2013 Phys. Rev. A 87 062330
33	Scarani Renner R 2008 Phys. Rev. Lett. 100 200501
34	Tan Y G Cai Q Y 2011 Internation Journal of Quantum Information 9 903
35	Tan Y G Cai Q Y 2010 Eur. Phys. J. D 56 449
36	Zhou C Bao W S Li H W Wang Y Li Y Yin Z Q Chen W Han Z F 2014 Phys. Rev. A 89 052328
37	Bennett C H Bessette F Brassard G Salvail L Smolin J A 1992 J. Cryptology 5 3
38	Huttner B Imoto N Gisin N Mor T 1995 Phys. Rev. A 51 1863
39	Brassard G Lütkenhaus N Mor T Sanders B C 2000 Phys. Rev. Lett. 85 1330
40	Ma X Lütkenhaus N 2008 New J. Phys. 10 073018
41	Mauerer W Silberhorn C 2007 Phys. Rev. A 75 050305
42	Adachi Y Yamamoto T Koashi M Imoto N 2007 Phys. Rev. Lett. 99 180503
43	Curty M Morder T Ma X Lutkenhaus N 2009 Opt. Lett. 34 3238
44	Curty M Ma X Qi B Moroder T 2010 Phys. Rev. A 81 022310
45	Renner R 2008 Int. J. Quantum Inf. 6 1
46	Muller-Quade J Renner R 2009 New J. Phys. 11 085006
47	Vitnov A Dupuis F Tomamichel M Renner R 2013 IEEE Trans. Inf. Theory 59 2603
48	Tomamichel M Lim C C W Gisin N Renner R 2012 Nat. Commum. 3 634
49	Mertz M Kampermann H Bratzik S Bruss D 2013 Phys. Rev. A 87 012315
50	Lim C C W Curty M Walenata F Xu F Zbinden H 2014 Phys. Rev. A 89 022307