Norbert Lütkenhaus

In our work, we developed an optical CVQKD system that uses polarization-based QPSK modulation designed for atmospheric quantum communication and a corresponding post-processing pipeline including error correction and privacy amplification. In a first laboratory experiment, we applied the security statement of a recently published security proof to calculate composable key rates with a total security parameter of ε = 1e-10 in the finite size regime against i.i.d. collective attacks. We also used the post-processing pipeline to study the effect of error correction and frame errors on the actual key extraction in a finite-size system – finding that the common approach of going to high frame errors to increase the ECC efficiency β does not optimize the extractable key length.Furthermore, we deployed the system over an ad-hoc atmospheric channel of 1.7 km in Mai 2023 in the city of Jena, Germany. In a first proof-of-principle study, we were able to apply the full optical and post-processing pipeline to extract pseudo-asymptotic keys and discuss the further steps necessary to move the system to the finite-size regime. To the best of our knowledge, this is the first CVQKD demonstration over a real atmospheric channel combining both the new class of DMCVQKD security proofs without Gaussian optimality and error correction steps.

We present a security proof for variable-length QKD against IID collective attacks. Our proof can be lifted to coherent attacks using the postselection technique. Our first main result is a theorem to convert a sequence of security proofs for fixed-length protocols satisfying certain conditions to a security proof for a variable-length protocol. This conversion requires no new calculations, does not require any changes to the final key lengths or the amount of error-correction information, and at most doubles the security parameter. Our second main result is the description and security proof of a more general class of variable-length QKD protocols, which does not require characterizing the honest behaviour of the channel connecting the users before the execution of the QKD protocol. Instead, these protocols adaptively determine the length of the final key, and the amount of information to be used for error-correction, based upon the observations made during the protocol. We apply these results to the qubit BB84 protocol, and show that variable-length implementations lead to higher expected key rates than the fixed-length implementations. Finally, we point out a critical flaw in the analysis of privacy amplification that arises due to sifting. We provide an elegant solution that retroactively fixes this flaw.

Proving the security of quantum key distribution (QKD) protocols against arbitrary attacks is a challenging task for arbitrary protocols. Here, we accomplish this task by extending and improving both the decoy-state analysis against collective attacks, and the postselection technique to uplift this security proof to arbitrary attacks. First, we improve the postselection technique - both by improving the cost paid for the uplift, and by rigorously showing how it can be applied to generic optical protocols. Second, we fundamentally improve the decoy-state analysis in such a way that we require only one decoy intensity to achieve the same performance as prior analysis with two decoy intensities. This has two consequences - it makes the protocol easier to practically implement, and reduces the penalty incurred by using the postselection technique. Third, we extend the finite-size QKD analysis to decoy-state protocols and generically improve the finite-size correction terms that appear. Thus, we provide a full security proof against arbitrary attacks for generic decoy-state protocols.

Security proofs for quantum key distribution (QKD) based on the entropic uncertainty relations and the phase-error approach have the advantage of producing some of the tightest key rates against coherent attacks. We prove the security of QKD using the entropic uncertainty relations, for scenarios where Eve is allowed full control of the detection efficiency and dark rates of all detectors within some specified ranges. Thus, our work solves the practically important problem of detector side channels. Our work also removes the requirement of ``basis-independent loss'' required by these proof techniques. Thus, we render these proof techniques applicable to practical QKD scenarios. Furthermore, we prove security for variable-length QKD protocols, which do not require Alice and Bob to characterize the honest behaviour of the channel.

Security analyses in quantum key distribution (QKD) and other adversarial quantum tasks often assume perfect device models. However, real-world implementations often deviate from these models. Thus, it is important to develop security proofs that account for such deviations from ideality. In this work, we develop a general framework for analysing imperfect threshold detectors, treating uncharacterised device parameters such as dark counts and detection efficiencies as adversarially controlled within some ranges. This approach enables a rigorous worst-case analysis, ensuring security proofs remain valid under realistic conditions. Our results strengthen the connection between theoretical security and practical implementations by introducing a flexible framework for integrating detector imperfections into adversarial quantum protocols.

In recent years, quantum key distribution (QKD) has transitioned from a purely academic field to a commercially available cryptographic solution, supported by mathematically formulated security proofs. However, due to the fragmented nature of the literature, obtaining a comprehensive understanding of these proofs and their limitations remains a considerable challenge. Our work addresses this by providing a rigorous finite-size security proof for the 1-decoy and 2-decoy BB84 protocols against coherent attacks, based on Renner's entropic uncertainty relation (EUR) framework. We resolve key technical issues in previous analyses, including the treatment of fixed-length protocols and acceptance testing. Special attention is given to the 1-decoy protocol, where statistics are computed after error correction, leading to important subtleties when applying the entropic uncertainty relation. By unifying and refining results from the literature, our work contributes to a more robust and accessible understanding of QKD security.

We provide a security proof for quantum key distribution (QKD) protocols using passive detection setups within the entropic uncertainty relation (EUR) framework. Passive detection avoids the need for active basis choice but introduces challenges due to beam splitters and imperfections in detectors. We show how to define and bound the phase-error rate in passive detection setups, even when detector imperfections are not precisely known but lie within known ranges. Our analysis applies in the finite-size regime against general coherent attacks.

While most current quantum network nodes are connected via fiber-based or free-space fixed point-to-point links, there have been many advancements in the last decade that expand these nodes to include mobile, re-configurable, and wireless platforms such as uncrewed aerial vehicles (UAVs) and satellites. The size, weight, and power (SWaP) restrictions of these platforms pose constraints that potentially impact the system performance of mobile nodes. Here, we will discuss our progress towards developing a low-SWaP mobile quantum key distribution (QKD) platform that can exchange quantum-secured random keys between both drones and cars. We implement a finite-key security proof that incorporates system imperfections in state preparation and analysis, including channel losses. These imperfections, present in any system, require consideration during key consolidation to minimize information leakage. We demonstrate average finite secure key rates between mobile platforms up to 19.6 kbit/s.

Discrete-Modulated Continuous-Variable Quantum Key Distribution (DMCVQKD) protocols are amenable for deployment in quantum communication networks due to their experimental simplicity, but pose theoretical challenges impeding their tight security analyses. Major progress has recently been made in the finite-size regime against independent and identical (iid) collective attacks (Kanitschar, F. et. al., (2023), PRX Quantum, 4(4), p.040306). However, a complete and rigorous analysis must take into account correlated rounds of attack beyond the iid-collective assumption, and must not assume a photon-number cutoff on the signal states. The difficulty of achieving this lies in the absence of an information-theoretic framework for proving security that handles infinite dimensional multipartite quantum states that are a priori unstructured, i.e., beyond the asymptotic iid setting. We present a composable security proof against coherent attacks in the finite-size regime for a general DMCVQKD protocol. We introduce a framework to handle states that are in part iid and in part unstructured (almost iid) in infinite dimensional Hilbert spaces. We use a de Finetti reduction for infinite dimensional almost iid states (Renner, R., Cirac, J. I., Phys. Rev. Lett. 102, 110504 (2009)), and generalise the acceptance test and the energy test to almost iid states handling Eve’s correlated infinite dimensional side information. As work in progress, we address the issue of a missing chain rule that formulates an explicit key rate expression. Numerical simulation of key rates (Winick, A. et. al., Quantum 2, 77 (2018)) can then be performed, demonstrating the efficacy of the security proof.

We examine the performance of three Quantum Key Distribution (QKD) protocols with different classical announcement structures, namely BB84, SARG04 and No Public Announcement of Basis (NPAB) BB84, using numerical security proof techniques. We simulate these protocols in a Weak Coherent Pulse (WCP) implementation in order to characterize their behaviour in a realistic implementation without decoy states. We vary the quantum channel characteristics and compare key rates of the three protocols in asymptotic and finite-size regimes. The three protocols show different relative advantages depending on the channel behaviour. Canonical BB84 shows robustness against errors and depolarization, SARG04 demonstrates resilience against high loss channels and NPAB BB84 shows potential advantages when we introduce physical misalignment between QKD devices.

The security analysis of many protocols relies on closed form bounds on entropic quantities that model devices. These closed form expressions can typically only be found by exploiting some sort of symmetry not present in many realistic unstructured QKD protocols. Our software provides a framework for efficiently evaluating secret key rates of generic unstructured QKD protocols with tighter lower bounds while providing more flexible and realistic modelling capabilities. Through its modular structure, our software package breaks down the task of constructing a (numerical) security proof into well defined domains including protocol design, modelling implementations, security frameworks, and numerical optimization, each of which has its own community of experts. By utilizing modules built by these communities, we aim to facilitate wide spread collaboration throughout the QKD community. The newly expanded and redesigned software is expected to be released early May 2024.

An important goal in quantum key distribution (QKD) is the task of providing a finite-size security proof without the assumption of collective attacks. For prepare-and-measure QKD, one approach for obtaining such proofs is the generalized entropy accumulation theorem (GEAT), but thus far it has only been applied to study a small selection of protocols. In this work, we present techniques for applying the GEAT in finite-size analysis of generic prepare-and-measure protocols, with a focus on decoy-state protocols. In particular, we present an improved approach for computing entropy bounds for decoy-state protocols, which has the dual benefits of providing tighter bounds than previous approaches (even asymptotically) and being compatible with methods for computing min-tradeoff functions in the GEAT. Furthermore, we develop methods to incorporate some improvements to the finite-size terms in the GEAT, and implement techniques to automatically optimize the min-tradeoff function. Our approach also addresses some numerical stability challenges specific to prepare-and-measure protocols, which were not addressed in previous works.

An important goal in quantum key distribution (QKD) is the task of providing a finite-size security proof without assuming that the states across the protocol rounds are independent and identically distributed (IID). For prepare-and-measure QKD, one recently developed approach for obtaining such proofs is the generalized entropy accumulation theorem (GEAT), but thus far it has only been applied to study a small selection of protocols. In this work, we present techniques for applying the GEAT in finite-size analysis of generic prepare-and-measure protocols, incorporating several methods to optimize the min-tradeoff function and minimize the second-order term in the GEAT. As a particular focus, we analyze decoy-state protocols and present a method for generically obtaining min-tradeoff functions for such protocols, even those where a closed-form expression for the asymptotic rate is not known. Furthermore, we highlight that the techniques we develop in the process should also yield improved bounds on the keyrates of decoy-state protocols even in the asymptotic limit.

We point out a critical flaw in the analysis of Quantum Key Distribution (QKD) protocols that employ the two-way error correction protocol Cascade. Specifically, this flaw stems from an incom-plete consideration of all two-way communication that occurs during the Cascade protocol. We present a straightforward and elegant alternative approach that addresses this flaw and produces valid key rates. We exemplify our new approach by comparing its key rates with those generated using older, incorrect approaches, for Qubit BB84 and Decoy-State BB84 protocols. We show that in many practically relevant situations, our rectified approach produces the same key rate as older, incorrect approaches. However, in other scenarios, our approach produces valid key rates that are lower, highlighting the importance of properly accounting for all two-way communication during Cascade.

The coherent one-way (COW) protocol is a promising commercial solution to practical quantum key distribution (QKD) due to its simple optical implementation. However, the non-IID structure of COW due to its inter-signal coherence makes standard security analysis inapplicable. Recently, it has been shown that a modified COW setup allows standard IID analysis, but at the cost of imposing extra limitations and increasing the number of pulses required for each bit. Here we propose a variant that possesses the IID structure and completely retains the optical setup of COW, but with a different data processing scheme that ignores inter-signal information. We obtain key rate lower bound close to analysis for the previously proposed IID variant, and achieves a higher number of key bits transmitted per second.

Without access to robust quantum memory or gates, long distance QKD relies upon trusted relays. Several implementations place these relays on satellites, however they are limited in computational power and numerically intensive tasks such as privacy amplification cause bottlenecks for continuous key exchange. Currently, one solution is the simplified trusted relay which leaves all privacy amplification to the end parties at a potentially significant cost to key rate. We developed a post processing technique called pre-privacy amplification which performs a small and efficient post processing step to boost key rates without any additional rounds of communication. For a simplified trusted relay running an asymptotic qubit six-state protocol, we demonstrate an increase to the maximum tolerable QBER from 9.05% to 11.7%. We also identify several sufficient conditions to determine functionally unique pre-privacy amplification maps, and connect it to the graph isomorphism problem.

Besides discrete-variable QKD, where single photon detection is used, continuous-variable (CV) protocols are using homodyne detection and are thus promising to be compatible with existing classical coherent communication technology. Originally, the research on CV QKD protocols mostly focused on Gaussian modulation (see review [1]), where one assumes that Alice can continuously displace coherent states according to a 2D Gaussian distribution. This modulation allows the security proofs to take advance of Gaussian optimality conditions, but experimental implementations can only reach this pattern up to some finite discretization. Another approach is to directly use a discrete-modulated (DM) CV QKD protocol. Here, Alice is required to prepare a finite number of displaced coherent states, aiming for a higher experimental simplicity, with the drawback of higher theoretical complexity. Recently, new security proofs such as [2] and corresponding experiments [3,4] could show the feasibility of systems using quadrature amplitude modulation (QAM) with 64 and 256 displaced states. However, the security proof was limited to the asymptotic regime and since the experiments did not use implemented error correction codes, one could only estimate the achievable key rates, but could not generate the secret key itself. In this poster, we demonstrate experiments with a protocol with a smaller constellation size of four coherent states that share the same amplitude but are shifted by 90° in phase (QPSK modulation). We exploit a recently published security proof providing tight secret key rates for collective attacks even in the finite size regime [5]. Furthermore, we show that the QPSK data is compatible with our implemented low density parity check (LDPC) codes for binary symmetric channels. This allows us to perform the full QKD protocol from experimental quantum state exchange to classical post processing and to generate a secret key shared between Alice and Bob. For this purpose, we use a laboratory system based on polarization encoding in the Stokes parameters which is equivalent to a QPSK pattern in phase space. This scheme is designed to cope with the challenges of a turbulent atmospheric channel. While the fluctuating nature of such a channel can be targeted by sub-binning the transmission channels [6], the atmosphere is in general non-birefringent, allowing for atmospheric quantum communications [7]. [1] F. Laudenbach et al., Adv. Quantum Technol. 1, 1800011 (2018) [2] A. Denys et al., Quantum 5, 540 (2021) [3] F. Roumestan et al., arXiv:2207.11702 (2022) [4] Y. Pan et al., Optics Letters 47, 3307-3310 (2022) [5] F. Kanitschar et al., arXiv:2301.08686v1 (2023) [6] V. Usenko et al., New J. Phys. 14, 093048 (2012) [7] B. Heim et al., New J. Phys. 16, 113018 (2014)

Quantum dot-based entangled photon sources are promising candidates for quantum key distribution (QKD), as they can in principle emit deterministically, with high brightness and low multiphoton contribution. However, quantum dots (QD) often inherently possess a fine structure splitting (FSS). Since the entangled photonic state in the presence of non-zero FSS is oscillating, one must settle for a lower efficiency source through temporal post-selection or a lower measured entanglement fidelity. In both cases, the overall key rate is reduced. Our QKD analysis shows that this trade-off can be overcome by constructing a time-resolved QKD protocol where all photon pairs emitted by a QD with non-zero FSS can be used in secret key generation. This protocol works only when the detection system's temporal resolution is much smaller than the FSS period. By implementing our protocol, higher key rates can be achieved as compared to previous QKD experiments with QD entangled photon pair sources. Additionally, unlike previous security analyses that assume perfect qubit states, we rigorously bound the effect of any multi-photon components of the optical state on the key rate, which is more applicable to practical implementations.

Quantum key distribution (QKD) aims to extract secret keys from correlations between quantum systems. Most QKD research focuses on "device-dependent" protocols whose security is conditioned on their quantum devices operating within specified tolerances. These assumptions on device operation render device-dependent protocols vulnerable to attacks that exploit the differences in real devices and their models in security proofs, and hence threaten the security of such protocols. Alternatively, Device-independent (DI) QKD seeks to achieve security with minimal assumptions on quantum devices by relying on quantum correlations that violate Bell inequalities, overcoming this short-coming of device-dependent QKD. Our work is motivated by the following two observations. First, DIQKD is more secure but has worse noise and loss tolerances than device-dependent QKD. This point has motivated investigations into new techniques to improve these tolerance thresholds such as random key generation, random post-selection, noisy pre-processing and advantage distillation, the last of which we investigate, and which describes a two-way communication procedure in the error correction step of the protocol. Second, the precise circumstances in which DIQKD is possible are unclear, since not all correlations that violate Bell inequalities can be used to distill a secret key in DIQKD. Under the independent and identically distributed (IID) collective attacks framework, previous work sought to resolve both problems by implementing DIQKD with an advantage distillation protocol called the repetition-code protocol. The authors derived both a sufficient and a conjectured necessary condition for security based on the fidelity between some states in the protocol. However, the significance of their results was limited by a gap between the two security conditions, which prevented the calculation of tight noise tolerance bounds and suggested that the fidelity is not the right quantity to consider to characterize exactly when key distillation in DIQKD is possible. Furthermore, in our work we replace the fidelity in the security proofs with the quantum Chernoff divergence, a measure of distinguishability in symmetric hypothesis testing, and achieve equivalent sufficient and necessary conditions for security for the repetition-code DIQKD protocol under the i.i.d collective attacks framework. Consequently, our work strongly indicates that quantum Chernoff divergence is the relevant quantity to describe the security of the repetition-code DIQKD protocol. With our new security condition, we show that the noise tolerance thresholds of the repetition-code DIQKD protocol outperform even one-way DIQKD protocols implemented with noisy pre-processing and random key measurements.

Decoy state methods improve the feasibility of quantum key distribution (QKD) by enabling the use of simple, robust sources, and techniques have been developed to allow for the use of decoy analysis in the regime where only a finite number of signals are sent. We present an iid security proof for finite-size key rates of prepare-and-measure protocols with probabilistic testing, including decoy state methods, within a composable security framework that allows for future extensions to device imperfections. Additionally, we improve the acceptance set over previous works through the use of entrywise constraints, allowing us to efficiently perform decoy state protocols. Moreover, we introduce a new figure of merit, the expected key rate, to capture the tradeoff between aborting too often and achieving high key rates, which allows for increased practicality of QKD implementations.

The postselection technique is a widely used tool to lift the security of Quantum Key Distribution (QKD) protocols against IID collective attacks to coherent attacks. While various other approaches for proving security against coherent attacks exist, they have limitations that make them less suitable for typical optical prepare-and-measure protocols. We identify and address some limitations of the postselection technique as applied to optical prepare-and-measure QKD protocols. We extend this analysis to decoy-state protocols, which are essential for long-distance QKD. Finally, we also improve the practical applicability of the postselection technique. Thus, we argue that the postselection technique, with the relevant modifications, is the only lift to coherent attacks that can be broadly applied to optical implementations of generic prepare-and-measure QKD protocols.