A. Novel BB84-QKD System

Currently the four-state protocol originally proposed by Bennett and Brassard, called BB84 [22], is most widely implemented in the world. Its key rate and distance had been improved rapidly until 2010, when GHz-clocked QKD systems were first deployed in a field environment [16]. Key generation at around 100 kb/s over a 50 km installed fiber became possible. Since then, however, further improvement of QKD performance has remained little. The main bottleneck is the performance limits of single photon detection. The maximum count rate is roughly a few hundred mega counts per sec (cps) for both avalanche photodiode (APD) and superconducting nanowire single photon detector (SSPD). APDs are usually operated in the gated mode, whose gating speed is limited at about 1 GHz. So the clock rate of a fast QKD system is also set at this rate. Dark counts (and after-pulses for APD) mainly limits the distance of successful key generation, where the signal counts fall down at the dark count noise level. Dark count and after-pulse probabilities for novel APDs for a gating period of 1 ns or less are $< 10^{-6}$ and $< 1\%$, respectively. Then the dark count noise level is roughly 1 kcps for a GHz-clocked QKD system. Assuming a standard fiber with a loss rate of 0.2 dB/km, the distance limit of meaningful key generation is roughly 90 km. If SSPDs are applied, the dark counts can be smaller by an order of magnitude, and hence the distance can be extended further at around 150 km. However, drastic improvement of single photon detectors from the current level is not easy. Array formatted detectors will enable faster operation, but suppression of dark count noise need to be realized.

A reasonable option to increase the key generation rate is to use WDM for a QKD system [35], [36]. We have developed a GHz-clocked WDM-QKD system with maximally eight wavelength channels. The scheme is decoyed BB84 using time-bin signals. The clock rate is 1.244 GHz. Fig. 3 shows a photo of this WDM-QKD system. The WDM encoder and decoder structures are summarized in Fig. 4. It provides a flexible solution to support a variety of applications including secure voice transmission and real-time secure TV conferencing with one-time pad (OTP) encryption. We put this system with two-channel WDM to field test. The two wavelengths were $\lambda _1=1547.72$  nm and $\lambda _2=1550.92$ nm. In the receiver, two APD systems were used. The quantum efficiency and dark count rate were 10–15% and 1–2 kcps.

Fig. 3.

A photo of the GHz-clocked WDM-QKD system. Alice's transmitter includes a laser source, a PLC time-bin encoder, eight mudulator units for the signal and decoy information, a multiplexer, a controller, and a key distillation engine. Bob's receiver consists of two 19-inch lacks. The right rack includes a PLC time-bin decoder, four demultiplexers, a photon detector unit containing four APDs, a controller, and a key distillation engine. The left rack include another photon detector unit. Thus in this photo, two-channel WDM is implemented.

Show All

Fig. 4.

WDM encoder and decoder structures. At Alice, optical pulses of 50-ps-width pass through a 2$\times$2 asymmetric Mach–Zehnder interferometer of PLC, and are converted into the time-bin pulses with a 400 ps separation. The time-bin pulses are de-multiplexed, and each wavelength component is independently encoded with the signal and decoy information. The signals are multiplexed again, together with the clock and frame synchronization signal, and input into a single fiber. At Bob, the clock signal is first separated, and the quantum signals pass through the PLC interferometer. They are then de-multiplexed at each of the four ports, and finally detected by the photon detectors.

Show All

The field fiber was 22 km in a loopback configuration between Koganei and Fuchu. The total loss is 12.6 dB. More than 95% of the channel is in an aerial fiber over poles. So it suffers from large polarization drift, which is mainly influenced by the sunlight time. In order to perform QKD in such a severe condition, we developed several stabilization techniques, as summarized in Fig. 4 . [37]. One is polarization independent decoder based on planar light wave circuit (PLC). By carefully tuning the temperature, any polarization states can interfere properly at the output port of the PLC decoder. The similar PLC is also used in the encoder, where the temperature is fixed at a certain value, and photons passing through it are polarized. The PLC is connected to the WDM coupler and the modulators by polarization maintaining fibers. The polarization is disturbed in the channel, but its drift is not a matter in our decoder system. The other is feedback control to optimize temperature of the PLC encoder and decoder, bias voltage for the modulators, and gating time for APDs, by using photon count rate and bit error rate. These techniques allow one to realize stable high speed QKD for a long time, namely, quantum bit error rate (QBER) of 1.6% and key rate of 152 kb/s for the $\lambda_1$-channel, and QBER of 1.9% and key rate of 78 kb/s for the $\lambda_2$ -channel for a 30-day period [19].

We have also developed a compact demonstration model for single channel operation at 1.244 GHz, whose photo is shown in Fig. 5. The transmitter/receiver is enclosed in a half-height rack. The transmitter occupies even less than half a volume of it. A typical key rate is 100 kb/s at a distance of 60 km assuming a fiber loss rate of 0.2 dB/km.

Fig. 5.

A photo of the demonstration model.

Show All

B. Entanglement QKD

Now let us turn our attention to a next generation QKD, entanglement-based QKD scheme [38]. The entanglement-based QKD schemes require no random number sources because random selection of bases can be automatically done in a passive manner in the measurement process. This allows one a simpler implementation. The scheme is also less susceptible to side-channel attacks. When highly efficient photon detectors are employed, DI security can be ensured by setting a criterion of appropriate inequalities testing the degree of entanglement.

We are particularly develop a scheme based on a hybrid entanglement source, which generates entangled photons between two different degrees of freedoms, time-bin format for fiber transmission at a telecom wavelength and polarization format for free space transmission at a near-infrared wavelength. This hybrid entanglement source will allow one to make a quantum link between fiber and space channels. It will also be useful for storing and relaying quantum information encoded in telecom photons via atomic or electronic systems with resonance at a near-infrared wavelength.

The scheme is depicted in Fig. 6. A periodically poled lithium niobate (PPLN) crystal pumped by continuous wave laser at 532 nm generates pairs of two photons in the two different wavelengths, one at 1550 nm and the other at 810 nm, in the same polarization. They are separated by a dichroic mirror. The pair correlation time is roughly 20 ps which was estimated from the spectral distribution of down converted photons from PPLN, and specifies the temporal scale of photon wave packets. This is much shorter than the detector time resolution of 400 ps. So the photons are correlated at each instantaneous time $t$, and are randomly distributed in the time domain.

Fig. 6.

Schematic of hybrid entanglement distribution.

Show All

Time-bin qubit is defined at Bob by his decoder, which is an asymmetric PLC interferometer. The long and short arms make a time difference of $\tau$ for the time-bin qubit. The long arm has a phase shifter with $\theta _2$. Alice encodes polarization qubit by the format transformer from the time-bin qubit. Alice first rotates the polarization into 45$^\circ$ and put the photon into the format transformer. It is a polarization dependent delay line, consisting of a Glan laser prism with a delaying fiber. In this circuit, the horizontal polarization goes though straight, while the vertical polarization is reflected, delayed with a phase shift of $\theta _1$ , and finally comes back into the straight line.

With these delay circuits, a photon is distributed in three time slots, centered at $t-\tau$, $t$ , and $t+\tau$. Alice and Bob finally select only the slot at $t$, and discards the other time slots. After all, the entanglement is formed between the polarization qubit at Alice and the time-bin qubit at Bob such as, for example, by selecting Z-basis measurement,

View Source \begin{equation} \frac{1}{\sqrt{2}} \biggr \lbrace e^{i\theta (\tau)} {|H\rangle}_A {|1\rangle}_B + e^{i[\theta (t+\tau)-\theta _1-\theta _2]} {|V\rangle}_A {|0\rangle}_B \biggl \rbrace \end{equation}

We had performed a hybrid entanglement distribution experiment with the time-bin signal of 2.5 ns time separation using Si APDs for Alice and InGaAs APDs for Bob [39]. The quantum interference visibility of 95.8% and 88% with tolerance $\pm$ 0.2% and $\pm$ 1% along Z–Z and X–X axes, respectively, were demonstrated with a coincidence count rate of more than 800 cps, violating the threshold of 70.7% of the Bell inequality.

We have recently extended the scheme to an entanglement QKD system based on the modified Ekert 91 protocol [40]. The time separation was shortened to 800 ps. Alice's detectors were extended from four APDs to six, comprising the measurement with three sets of polarization qubit basis whose relative offset angles are $0^\circ$, $-22.5^\circ$, $-67.5^\circ$, respectively. Bob's detection of 1550 nm-wavelength photons were carried out by highly efficient SSPDs with detection efficiency of 60–70%. With this setup, we could have demonstrated the violation of the Clauser–Horne–Shimony–Holt inequality for the entanglement between the polarization qubit in free space and the time-bin qubit through 20 km fiber transmission. The secure key rate in our system is estimated to be $\sim$70–150 b/s.

C. Efficient Photon Source

The distance and key rate of the entanglement-QKD are still poorer than one-way QKD like BB84. For improving the key rate, more efficient photon sources are desired. We have developed the photon source based on type-II parametric down-conversion with a group-velocity matched periodically poled KTiOPO$_4$ (GVM-PPKTP) for the telecom bands. Picosecond laser pulses with a duration of 2 ps, whose central wavelength is tunable from 700 to 1000 nm, are used to pump a 30-mm-long PPKTP crystal with a poling period of 46.1 $\mu$m. This source could generate photon pairs with high spectral purity and tunability that can cover a wide range from 1460 to 1675 nm, namely covering the S-, C-, L-, and U-band in telecommunication wavelengths [41] , [42].

We have also implemented Sagnac polarization-entangled photon source with a PPKTP crystal, which is compact, stable, highly entangled, spectrally pure and ultra-bright. The schemetic is shown in Fig. 7. The photons were detected by two SSPDs with detection efficiencies of 70% and 68% at dark counts of less than 1 kcps [43]. Recently the coincidence count rate has been doubled from the result reported in [43], by optimizing the alignment in the Sagnac loop. As shown in the interference pattern in Fig. 8 , at 10 mW pump, the maximum coincidence count was 20 kcps (with single counts of 90 kcps for D1 and 120 kcps for D2), which corresponded to a coincidence of 40 kcps without polarizers. The visibility has also been increased from 96% in [43] to 98%. Thus a new tool box of quantum light source and detector at the telecom bands is now available, which surpasses the performace obtained so far in the near infrared wavelengths matched for the Si APD window. It will bring us a step closer to the realization of quantum information and communications technology in optical fiber infrastructures.

Fig. 7.

Schemetic of Sagnac polarization-entangled photon source with a PPKTP crystal.

Show All

Fig. 8.

Interference visibility of entangled photons from the Sagnac-PPKTP source.

Show All

D. QKD Platform

Various QKD protocols can be integrated into a network by key relay via trusted nodes. In our QKD platform, the key management layer plays a role of networking. At each node, key management agent (KMA) is located, and receives the key material, resizes and saves them as well as to store information on quantum BER, key generation rate and so on. Secure key is encapsulated with the other key, and is relayed securely to the terminal. The KMAs also have APIs and supply secure key to variety of applications in the upper layers.

Fig. 9 depicts a secure network scheme which includes QKD-enhanced Layer-2 and Layer-3 switches. Layer-2 switches identify the media access control address (MAC address) of both sending and receiving devices, and switch packets in LANs. Currently high speed Layer-2 crypto-systems are commercially available, which directly encrypt data stream from the Layer-2 switch by using advanced encryption standard. The cipher text includes not only payload but also MAC and IP addresses of the users. QKD platform supports key refresh to Layer-2 encryptor/decriptor, and also adds OTP mode in Layer 2. Layer-3 switches perform routing based in IP addresses. The QKD-enhanced Layer-3 switches at Alice and Bob receive two kinds of secure key pairs. At Alice, one is used for encrypting payload and IP address by OTP, creating an OTP-encrypted IP packet. The other is used together with universal hash functions such as Wegman–Carter protocol, for generating an authentication tag from that packet. The packet consisting of the encrypted IP packet and the authentication tag is then routed to to Bob at the terminal node. Thus both encryption of data transfer and ITS authentication can be realized simultaneously in a compatible manner with the current standard of IPsec.

Fig. 9.

QKD-enhanced Layer-2 and Layer-3 switches.

Show All

E. Key Rate Bound

Before closing this section, let us consider what is the maximum achievable key rate for the unconditionally secure QKD. The key rates of all the known point-to-point QKD protocols (BB84, CV-QKD, etc. without quantum repeater or trusted nodes), decay exponentially with the fiber distance, i.e., decay linearly with the transmittance of the channel. A natural question arisen is then whether there are yet-to-be discovered protocols that could circumvent this rate-loss tradeoff without using quantum repeaters. Recent theoretical progress revealed that this is impossible. This is shown by establishing a fundamental upper bound on the secret key generation rate of a point-to-point QKD [23].

To derive the fundamental bound, we need to consider the most generic point-to-point optical QKD protocol. Suppose Alice and Bob are given a pure-loss optical channel with transmittance $\eta$ ($0\le \eta \le 1$). Alice transmits $n$ pulses of optical quantum states where $n$ can be arbitrarily large (asymptotically long code) and the transmitted state can be any possible quantum states (perfect single photons, highly entangled states over $n$ pulses and/or Alice's auxiliary system, etc). Bob can make any possible measurements allowed by quantum mechanics to detect these $n$ pulses sent through a channel. They are also allowed unlimited two-way public classical communication over an authenticated channel in order to generate secret keys. As usual in QKD theory, Eve is assumed to make any kind of access to the channel allowed by quantum mechanics (note that we do not consider the Eve's attack on the devices kept by Alice and Bob since we assume that they can prepare perfectly noiseless/lossless ones). She also has access to all the public communication between Alice and Bob. In the above setting, Alice and Bob try to share secret keys that guarantee the information theoretic security. The question to be asked is what is the maximum secret key generation rate per pulse in the above setting.

The classical version of the problem was rigidly formulated in 1993 by Maurer [44] and Ahlswede and Csiszàr [45] (interestingly, [44] mentions that it was inspired by the invention of BB84) where they introduced the secret key agreement capacity on the classical wiretap channel assisted by two-way public communication and proved its lower and upper bounds. Though its exact capacity formula has not been known yet, Maurer and Wolf later introduced a quantity called the intrinsic information and proved that this quantity optimized over all channel input distribution is a sharp upper bound on the secret key agreement capacity [46].

This intrinsic information was extended to the quantum realm. Christandl and Winter defined the squashed entanglement of a bipartite quantum state and showed that it works as a good entanglement measure in quantum information theory [47]. More recently, we further extended these results by defining the squashed entanglement of a quantum channel and proved that this quantity has a more direct analog to the intrinsic information, i.e., it is an upper bound on the secret key agreement capacity, as well as the quantum capacity, in a quantum channel assisted by two-way classical public communication [48]. This upper bound has a relatively simple form and thus one can calculate it for various channels. In particular, applying it to a pure-loss optical channel, we can show that the key generation rate per pulse $R$ is bounded by [23]

View Source \begin{equation} R \le \log _2 \frac{1+\eta}{1-\eta}. \end{equation}

Fig. 10 compares the upper bound and the key rate achievable by the ideal BB84 where we assume a perfect single-photon source, detectors, and other devices, an ideal key distillation protocol, and the efficient BB84 protocol [49]. Note that the key rate per mode for the ideal BB84 is given by $\eta /2$ where the factor two comes from the fact that the BB84 usually encodes one qubit into two modes (two polarization modes or two temporal modes). The figure shows that though there exists some gap between the upper bound and the ideal BB84 key rate, it does not seem very worth to pursue alternative repeaterless QKD protocols for higher key rate over a lossy optical channel. Note that the discussion here does not include technical imperfections and excess channel noises. It is another issue to consider better protocols against the excess noises, device imperfections, side attacks, etc.

Fig. 10.

Upper bound on the secret key capacity in a pure-loss optical channel assisted by two-way public communication (blue solid line) and the achievable key rate by the ideal BB84 (black dashed line).

Show All

A. Background

The key rate bound shown in the last subsection tells us how difficult it is to implement the unconditionally secure key distribution against Eve with unbounded physical and computational powers. The performance of this bound, even if realized, is insufficient to cover the ranges of rate and distance required for nation-wide and global scale uses of QKD. In principle, trusted-node QKD network can be extended to the nation-wide scale, however, an extention to the global scale including space links faces the intrinsic limit. Although quantum relay based on tele-amplification was proposed for space links, the key rate is always sacrificed (see Fig. 11) [51]. This fact motivates us to study more practical schemes that can cover the ranges mentioned above with reasonably compromised assumptions on Eve while keeping a required security level.

Fig. 11.

A numerical example of the secrecy capacities for a wiretap channel with various tapping ratios in red by an eavesdropper.

Show All

The notion of cryptographic security can be categorized into the two; algorithmic security and provable security (or information-theoretic security, ITS). The former relies on that certain mathematical problems are practically impossible to solve with current computer resources and well-known attacks. The latter is based on security proofs made in an information theoretic manner by showing the existence of channel coding that can effectively establish the statistical independence between the legitimate users and the eavesdropper, given a physical model of a channel [50]. Provably secure cryptography is also referred to as physical layer cryptography [24]. This has been originally studied in the RF domain in wireless networks. Studies in the optical domain also attract attention recently, especially in free space optical communications. Some milestone demonstrations of optical space data links have been successful recently, and the security concern is becoming an issue. Established algorithmic crypto-schemes should be a first option, but updating their specifications in satellites would not be easy when security vulnerabilities come out. Next option may be physical layer cryptography. In fact optical space communications are done in a line of sight between the sender (Alice) and the receiver (Bob). If an eavesdropper (Eve) is in the channel, then she is easily visible for Alice and Bob. So what Eve should do is to hide from Alice and Bob away from the channel, and try to collect scattered light to get information from Alice. Thus one may limit the physical ability of Eve. Note here that Eve can have unbounded computational power. Then in such a degraded condition for Eve, Alice and Bob can realize a much higher transmission rate with ITS.

B. Assumptions on the Channel Model

QKD is an extreme example of physical layer cryptography in the sense that the provable security is ensured for Eve with unlimited physical abilities and computational power. In the standard context of physical layer cryptography, however, the channel from Alice to Eve (wiretap channel) is assumed to be degraded compared with that from Alice to Bob (main channel). As an typical example, consider space laser link with photon counting by Bob and Eve. The main and wiretap channels are modeled by the channel transmittances $\eta _y$ and $\eta _z$, and the dark count rates $\lambda _y$ and $\lambda _z$. In the most common scenario, the signal-to-noise ratio (SNR) of Eve is worse than that of Bob, equivalently $\eta _z/\lambda _z < \eta _y/\lambda _y$, referred to as the degraded condition. On the other hand, other cases can also be possible, such as $\lambda _z \ll \lambda _y$ and $\eta _z < \eta _y$ , if the mutual information between Alice and Bob $I(X;Y)$ is greater than that between Alice and Eve $I(X;Z)$, which is referred to as the more-capable condition. In any case, the mutual information difference between them should remain positive as

View Source \begin{equation} C_S=\max _{P_x}\left[ I(X;Y) - I(X;Z) \right] \end{equation}

C. Our Numerical Results

Here we present our numerical results on the secrecy capacity of physical layer cryptography with an on–off keying scheme based on pulse position modulation (PPM) coding for a carrier wavelength centered at 1550 nm. Fig. 11 compares the secrecy capacities as a function of the channel transmittance $\eta _y$ (for the Alice-Bob main channel) for decoyed BB84 and physical layer cryptography. Here we assume that the pulse generation rate is 1 GHz. For decoyed BB84, the dark count probability is assumed to be 10 $^{-6}$ per pulse (1000 cps), which is typical for the current detectors used in QKD systems. The final key rate is typically 100 kb/s at a distance of $-$ 20 dB loss, roughly corresponding to a 100 km distance for a low loss fiber. The key rate rapidly falls down at a distance of $-$ 40 dB loss, which is roughly the best link budget for a low-earth-orbit-to-ground distance in optical space communication. The curve entitled Tele-amplified BB84 represents a scheme with quantum relay to extend a distance [51]. One sees that there is a tradeoff between the final key rate and the distance, namely extension of distance sacrifices the key rate. Decoyed BB84 hardly generates the secure key at around $-$40 dB, while tele-amplified BB84 can make a QKD link over longer distances. But the key rate may still be poor.

The secrecy capacities of an on–off keyed PPM scheme are shown by solid, long-dashed, dashed, and dotted lines with the wiretap ratios $\eta _z/\eta _y=$ 0.01, 0.5, 0.95, and 0.999, respectively. The pulse generation rate is again 1 GHz, and the transmission power is assumed to be 1 W. We then numerically calculate the secrecy capacity under this power constraint. Background counts are assumed to be $\lambda _y=10^4$  cps for Bob and $\lambda _z=1$ cps for Eve, i.e. Eve has a much less noisy system. As seen, we can cover a wide range of performance of the provably secure communications with relatively high transmission rates. As the channel transmittance decreases below $-$100 dB, the transmission rate starts to decrease because the SNR gets smaller.

D. Our Theory of Finite Length Analysis

The secrecy capacity is the achievable rate in the asymptotic limit at code length $n\rightarrow \infty$. A stronger characterization can be made at any finite code length $n$, namely by showing how fast Bob's error probability and the leaked information to Eve decrease as code length $n$ increases. In coding for physical layer cryptography, one should add not only redundant bits to perform error correction but also randomness bits to deceive Eve. So there are two kinds of rates, the reliable transmission rate $R_B$ for Bob (message bit length/$n$), and the randomness rate $R_E$ to deceive Eve (randomness bit length/$n$) as shown in Fig. 12. The redundancy and randomness are in a tradeoff relation, and to be minimal within the tradeoff. We would like to know how Bob's error probability and the leaked information to Eve can be small for various rates $R_B$ and $R_E$ at finite code length $n$. We want to estimate required resources of bits for any given level of reliability for Bob and secrecy against Eve.

Fig. 12.

Conceptual codeword structure, the rate $R_B$ for Bob and the randomness rate $R_E$ to deceive Eve, as well as the related metrics of the decoding error and the KL distance.

Show All

Conceptual codeword structure and the definitions of related metrics are shown in Fig. 12. Bob's decoding error $\epsilon _n^B$ is defined as an average over all the messages of $M$ in code length $n$

View Source \begin{equation} \epsilon _n^{B} \equiv \frac{1}{M}\sum _ {m \in {\cal M}_n}\Pr \left\lbrace m^{\prime}\ne m\right\rbrace . \end{equation}

$$\begin{equation} \delta _n^{E} \equiv \frac{1}{M}\sum _{m\in {\cal M}_n}D(P^{(m)}_n||\pi _n) \end{equation}$$ View Source \begin{equation} \delta _n^{E} \equiv \frac{1}{M}\sum _{m\in {\cal M}_n}D(P^{(m)}_n||\pi _n) \end{equation}

So we would like to make Bob's decoding error $\epsilon _n^B$ and Eve's KL distance $\delta _n^E$ as small as desired. The upper bound of Bob's decoding error was derived in the form of exponentially decreasing function of length $n$ by Gallager [52]. The exponent is called the reliability function. This method was extended to upper-bounding the leaked information (the mutual information) to Eve by Hayashi [54] without the cost constraint. We extend it to the cost constrained case with the KL distance.

In Fig. 13, we depict a channel model and the quantities necessary to describe the main result. We define the following dual functions;

View Source \begin{eqnarray} &&{\phi (\rho |W_B,q,r)}= \nonumber \\ &&\quad -\,\log \left[ \sum _{y\in {\cal Y}} \left(\sum _{x\in {\cal X}}q(x)W_B(y|x)^{\frac{1}{1+\rho}} e^{r[\Gamma -c(x)]} \right)^{1+\rho}\right]\\ &&{\phi (-\rho |W_B,q,r)}= \nonumber \\ &&\quad -\,\log \left[ \sum _{z\in {\cal Z}} \left(\sum _{x\in {\cal X}}q(x)W_E(z|x)^{\frac{1}{1-\rho}} e^{r[\Gamma -c(x)]} \right)^{1-\rho}\right] \quad \end{eqnarray}

$$\begin{eqnarray} {F_c(q, R_B, R_E,\infty)}&=& \sup _{0\le \rho \le 1}\sup _{r\ge 0} \Biggl [ \phi (\rho |W_B, q, r)\nonumber \\ && - \,\rho (R_B+R_E) \Biggr] \\ H_c(q, R_E,\infty) &=& \sup _{0 < \rho < 1}\sup _{r\ge 0} \Biggl [ \phi (-\rho |W_E, q, r) + \rho R_E \Biggr]. \nonumber\\ \end{eqnarray}$$ View Source \begin{eqnarray} {F_c(q, R_B, R_E,\infty)}&=& \sup _{0\le \rho \le 1}\sup _{r\ge 0} \Biggl [ \phi (\rho |W_B, q, r)\nonumber \\ && - \,\rho (R_B+R_E) \Biggr] \\ H_c(q, R_E,\infty) &=& \sup _{0 < \rho < 1}\sup _{r\ge 0} \Biggl [ \phi (-\rho |W_E, q, r) + \rho R_E \Biggr]. \nonumber\\ \end{eqnarray}

$$\begin{eqnarray} \epsilon _n^B &\le&2 e^{-n F_c(q, R_B, R_E, +\infty)}, \\ \delta _n^E &\le&2 e^{-n H_c(q, R_E, n)}. \end{eqnarray}$$ View Source \begin{eqnarray} \epsilon _n^B &\le&2 e^{-n F_c(q, R_B, R_E, +\infty)}, \\ \delta _n^E &\le&2 e^{-n H_c(q, R_E, n)}. \end{eqnarray}

Fig. 13.

The channel matrices $W_B(y|x)$ and $W_E(y|x)$ for the main and wiretap channels, respectively, and the a priori probabilities $q(x)$ for $X$. The cost constraint $\Gamma$, which may be the power constraint and so on, is imposed in the input $X$.

Show All

Fig. 14 plots the reliability functions for several cost constraints in the case of the on-off keying photon channel presented in Fig. 11 (at $-$90 dB of $\eta _y$ with $\eta _z/\eta _y=0.5$). $\Gamma$ is understood here as a given transmission power. As seen, larger power allows larger reliability. The horizontal axis is a sum of the rates $R_B$ and $R_E$. The points of the rates where the reliability function becomes zero, correspond to the mutual information between Alice and Bob, $I(X;Y)$.

Fig. 14.

The reliability functions for several cost constraints.

Show All

On the other hand, Fig. 15 plots the secrecy functions. Larger power implies weaker secrecy. The horizontal axis is the randomness rate $R_E$ .

Fig. 15.

The secrecy functions for several cost constraints.

Show All

In Fig. 16, we plot the reliability and secrecy functions at the same time. The reliable transmission with the provable security is possible for the rates in the interval indicated by the green arrow. The figure also shows an example of the tradeoff engineering to increase the secrecy, keeping the reliability of Bob. The randomness rate $R_E$ is increased to $R_E^{\prime}$, while the rate for Bob $R_B$ is decreased, keeping the sum of the two the same value. The change of the secrecy function quantifies the increase of the secrecy level.

Fig. 16.

The reliability and secrecy functions, and the tradeoff engineering to increase the secrecy against Eve, keeping the reliability for Bob.

Show All

Finally we consider the maximum criteria, m–$\epsilon _n^B$ and m–$\delta _n^E$ over all possible message ${m\in {\cal M}_n}$, instead of the averaged criteria $\epsilon _n^B$ and $\delta _n^E$. The m–$\delta _n^E$ is particularly important, because even with small $\delta _n^E$ , we cannot exclude a possibility that the KL distance is very large for some particular message $m$, which implies that the message $m$ is not saved from successful decryption by Eve. On the other hand, with small m–$\delta _n^E$, every message ${m\in {\cal M}_n}$ is guaranteed to be highly confidential against Eve. This kind of criterion has never been shown for the KL distance against Eve. We apply Gallager's technique for the decoding error [52] and have derived that the maxima of Bob's decoding error and Eve's KL distance are upper bounded as [53];

View Source \begin{eqnarray} \mathrm{m-}\epsilon _n^{B} &\equiv & \max _{m \in {\cal M}_n}\Pr \left\lbrace m^{\prime}\ne m\right\rbrace\nonumber \\ &\le&6 e^{-n F_c(q, R_B, R_E, +\infty)} \\ \mathrm{m-}\delta _n^{E} &\equiv & \max _{m\in {\cal M}_n}D(P^{(m)}_n||\pi _n) \nonumber \\ &\le&6 e^{-n H_c(q, R_E, n)}. \end{eqnarray}