Page 1

arXiv:0901.4669v1 [quant-ph] 29 Jan 2009

Upper bounds for the secure key rate of decoy state quantum key distribution

Marcos Curty1, Tobias Moroder2,3, Xiongfeng Ma2, Hoi-Kwong Lo4and Norbert L¨ utkenhaus2,3

1ETSI Telecomunicaci´ on, Department of Signal Theory and Communications,

University of Vigo, Campus Universitario, E-36310 Vigo (Pontevedra), Spain

2Institute for Quantum Computing, University of Waterloo, Waterloo, ON, N2L 3G1, Canada

3Quantum Information Theory Group, Institut f¨ ur Theoretische Physik I,

and Max-Planck Research Group, Institute of Optics, Information and Photonics,

University of Erlangen-N¨ urnberg, 91058 Erlangen, Germany

4Center for Quantum Information and Quantum Control (CQIQC),

Department of Electrical & Computer Engineering and Department of Physics,

University of Toronto, Toronto, ON, M5S 3G4, Canada

The use of decoy states in quantum key distribution (QKD) has provided a method for sub-

stantially increasing the secret key rate and distance that can be covered by QKD protocols with

practical signals. The security analysis of these schemes, however, leaves open the possibility that

the development of better proof techniques, or better classical post-processing methods, might fur-

ther improve their performance in realistic scenarios. In this paper, we derive upper bounds on

the secure key rate for decoy state QKD. These bounds are based basically only on the classical

correlations established by the legitimate users during the quantum communication phase of the

protocol. The only assumption about the possible post-processing methods is that double click

events are randomly assigned to single click events. Further we consider only secure key rates based

on the uncalibrated device scenario which assigns imperfections such as detection inefficiency to the

eavesdropper. Our analysis relies on two preconditions for secure two-way and one-way QKD: The

legitimate users need to prove that there exists no separable state (in the case of two-way QKD), or

that there exists no quantum state having a symmetric extension (one-way QKD), that is compati-

ble with the available measurements results. Both criteria have been previously applied to evaluate

single-photon implementations of QKD. Here we use them to investigate a realistic source of weak

coherent pulses. The resulting upper bounds can be formulated as a convex optimization problem

known as a semidefinite program which can be efficiently solved. For the standard four-state QKD

protocol, they are quite close to known lower bounds, thus showing that there are clear limits to

the further improvement of classical post-processing techniques in decoy state QKD.

PACS numbers:

I.INTRODUCTION

Quantum key distribution (QKD) [1, 2] allows two par-

ties (Alice and Bob) to generate a secret key despite

the computational and technological power of an eaves-

dropper (Eve), who interferes with the signals. Together

with the Vernam cipher [3], QKD can be used to provide

information-theoretic secure communications.

Practical QKD systems can differ in many important

aspects from their original theoretical proposal, since

these proposals typically demand technologies that are

beyond our present experimental capability. Especially,

the signals emitted by the source, instead of being single

photons, are usually weak coherent pulses (WCP) with

typical average photon numbers of 0.1 or higher. The

quantum channel introduces errors and considerable at-

tenuation (about 0.2 dB/km) that affect the signals even

when Eve is not present.

lengths, standard InGaAs single-photon detectors can

have a detection efficiency below 15% and are noisy due

to dark counts. All these modifications jeopardize the

security of the protocols, and lead to limitations of rate

and distance that can be covered by these techniques [4].

A main security threat of practical QKD schemes based

on WCP arises from the fact that some signals contain

Besides, for telecom wave-

more than one photon prepared in the same polarization

state. Now Eve is no longer limited by the no-cloning

theorem [5] since in these events the signal itself provides

her with perfect copies of the signal photon. She can per-

form, for instance, the so-called photon number splitting

(PNS) attack on the multi-photon pulses [4]. This at-

tack gives Eve full information about the part of the key

generated with the multi-photon signals, without causing

any disturbance in the signal polarization. As a result, it

turns out that the standard BB84 protocol [6] with WCP

can deliver a key generation rate of order O(η2), where η

denotes the transmission efficiency of the quantum chan-

nel [7, 8].

To achieve higher secure key rates over longer dis-

tances, different QKD schemes, that are robust against

the PNS attack, have been proposed in recent years

[9, 10, 11, 12, 13]. One of these schemes is the so-called

decoy state QKD [9, 10, 11] where Alice varies, indepen-

dently and at random, the mean photon number of each

signal state that she sends to Bob by employing differ-

ent intensity settings. Eve does not know a priori the

mean photon number of each signal state sent by Alice.

This means that her eavesdropping strategy can only de-

pend on the photon number of these signals, but not on

the particular intensity setting used to generate them.

Page 2

2

From the measurement results corresponding to differ-

ent intensity settings, the legitimate users can estimate

the classical joint probability distribution describing their

outcomes for each photon number state. This provides

them with a better estimation of the behaviour of the

quantum channel, and it translates into an enhancement

of the achievable secret key rate and distance. This tech-

nique has been successfully implemented in several recent

experiments [14], and it can give a key generation rate of

order O(η) [9, 10, 11].

While the security analysis of decoy state QKD in-

cluded in Refs. [9, 10, 11] is relevant from a practical

point of view, it also leaves open the possibility that the

development of better proof techniques, or better clas-

sical post-processing protocols, might further improve

the performance of these schemes in realistic scenarios.

For instance, it is known that two-way classical post-

processing protocols can tolerate a higher error rate than

one-way communication techniques [15, 16], or that by

modifying the public announcements of the standard

BB84 protocol it is possible to generate a secret key even

from multi-photon signals [12]. Also, the use of local

randomization [17] and degenerate codes [18] can as well

improve the error rate thresholds of the protocols.

In this paper we consider the uncalibrated device sce-

nario [2] and we assume the typical initial post-processing

step where double click events are not discarded by Bob,

but they are randomly assigned to single click events

[19]. In this scenario, we derive simple upper bounds

on the secret key rate and distance that can be covered

by decoy state QKD based exclusively on the classical

correlations established by the legitimate users during

the quantum communication phase of the protocol. Our

analysis relies on two preconditions for secure two-way

and one-way QKD. In particular, Alice and Bob need

to prove that there exists no separable state (in the

case of two-way QKD) [20, 21], or that there exists no

quantum state having a symmetric extension (one-way

QKD) [22], that is compatible with the available mea-

surements results. Both criteria have been already ap-

plied to evaluate single-photon implementations of QKD

[20, 21, 22, 23, 24]. Here we employ them for the first

time to investigate practical realizations of QKD based

on the distribution of WCP.

We show that both preconditions for secure two-way

and one-way QKD can be formulated as a convex op-

timization problem known as a semidefinite program

(SDP) [25]. Such instances of convex optimization prob-

lems appear frequently in quantum information theory

and can be solved with arbitrary accuracy in polynomial

time, for example, by the interior-point methods [25]. As

a result, we obtain ultimate upper bounds on the perfor-

mance of decoy state QKD when this typical initial post-

processing of the double clicks is performed. These up-

per bounds hold for any possible classical communication

technique that the legitimate users can employ in this sce-

nario afterwards like, for example, the SARG04 protocol

[12], adding noise protocols [17], degenerate codes proto-

cols [18] and two-way classical post-processing protocols

[15, 16]. The analysis presented in this manuscript can

as well be straightforwardly adapted to evaluate other

implementations of the BB84 protocol with practical sig-

nals as, for instance, those experimental demonstrations

based on WCP without decoy states or on entangled sig-

nals coming from a parametric down conversion source.

The paper is organized as follows. In Sec. II we de-

scribe in detail a WCP implementation of the BB84 pro-

tocol based on decoy states. Next, in Sec. III we apply

two criteria for secure two-way and one-way QKD to this

scenario. Here we derive upper bounds on the secret key

rate and distance that can be achieved with decoy state

QKD as a function of the observed quantum bit error rate

(QBER) and the losses in the quantum channel. More-

over, we show how to cast both upper bounds as SDPs.

These results are then illustrated in Sec. IV for the case

of a typical behaviour of the quantum channel, i.e., in

the absence of eavesdropping. Finally, Sec. V concludes

the paper with a summary.

II.DECOY STATE QKD

In decoy state QKD with WCP Alice prepares phase-

randomized coherent states with Poissonian photon num-

ber distribution. The mean photon number (intensity) of

this distribution is chosen at random for each signal from

a set of possible values µl. In the case of the BB84 proto-

col, and assuming Alice chooses a decoy intensity setting

l, such states can be described as

ρk

B(µl) = e−µl

∞

?

n=0

µn

n!|nk?B?nk|,

l

(1)

where the signals |nk?Bdenote Fock states with n pho-

tons in one of the four possible polarization states of

the BB84 scheme, which are labeled with the index

k ∈ {0,...,3}. On the receiving side, we consider that

Bob employs an active basis choice measurement setup.

This device splits the incoming light by means of a polar-

izing beam-splitter and then sends it to threshold detec-

tors that cannot resolve the number of photons by which

they are triggered. The polarizing beam-splitter can be

oriented along any of the two possible polarization basis

used in the BB84 protocol. This detection setup is char-

acterized by one positive operator value measure (POVM)

that we shall denote as {Bj}.

In an entanglement-based view, the signal preparation

process described above can be modeled as follows: Alice

produces first bipartite states of the form

|Ψsource?AB=

3

?

k=0

∞

?

l=0

√qkpl|k?A1|l?A2|φkl?A3B, (2)

where system A is the composition of systems A1, A2,

and A3, and the orthogonal states |k?A1and |l?A2record,

respectively, the polarization state and decoy intensity

Page 3

3

setting selected by Alice. The parameters qkand plrep-

resent the a priori probabilities of these signals. For in-

stance, in the standard BB84 scheme the four possible

polarization states are chosen with equal a priori prob-

abilities and qk = 1/4 for all k.

that appears in Eq. (2) denotes a purification of the state

ρk

B(µl) and can be written as

The signal |φkl?A3B

|φkl?A3B= e−µl/2

∞

?

n=0

√µln

√n!

|n?A3|nk?B, (3)

where system A3acts as a shield, in the sense of Ref. [26]

and records the photon number information of the sig-

nals prepared by the source. This system is typically

inaccessible to all the parties. One could also select as

|φkl?A3Bany other purification of the state ρk

ever, as we will show in Sec. III, the one given by Eq. (3)

is particularly suited for the calculations that we present

in that section.

Afterwards, Alice measures systems A1 and A2 in

the orthogonal basis |k?A1and |l?A2, corresponding to

the measurement operators Akl = |k?A1?k| ⊗ |l?A2?l|.

This action generates the signal states ρk

priori probabilities qkpl. The reduced density matrix

ρA = TrB(ρAB), with ρAB = |Ψsource?AB?Ψsource|, is

fixed by the actual preparation scheme and cannot be

modified by Eve. In order to include this information in

the measurement process, one can add to the observables

{Akl⊗Bj}, measured by Alice and Bob, other observables

{Ci⊗ 1 1B} such that {Ci} form a complete tomographic

set of Alice’s Hilbert space HA[21]. In order to simplify

our notation, from now on we shall consider that the ob-

served data pklj = Tr(Akl⊗ Bj ρAB) and the POVM

{Akl⊗Bj} contain also the observables {Ci⊗1 1B}. That

is, every time we refer to {Akl⊗Bj} we assume that these

operators include as well the observables {Ci⊗ 1 1B}.

B(µl). How-

B(µl) with a

III.UPPER BOUNDS ON DECOY STATE QKD

Our starting point is the observed joint probability

distribution pklj obtained by Alice and Bob after their

measurements {Akl⊗ Bj}. This probability distribution

defines an equivalence class S of quantum states that are

compatible with it,

S =?σAB| Tr(Akl⊗ BjσAB) = pklj ∀k,l,j?.(4)

A.Two-way classical post-processing

Let us begin by considering two-way classical post-

processing of the data pklj. It was shown in Ref. [21]

that a necessary precondition to distill a secret key in

this scenario is that the equivalence class S does not

contain any separable state. That is, we need to find

quantum-mechanical correlations in pklj, otherwise the

secret key rate, that we shall denote as K, vanishes [27].

As it is, this precondition answers only partially the im-

portant question of how much secret key Alice and Bob

can obtain from their correlated data. It just tells if the

secret key rate is zero or it may be positive. However,

this criterion can be used as a benchmark to evaluate any

upper bound on K. If S contains a separable state then

the upper bound must vanish. One upper bound which

satisfies this condition is that given by the regularized

relative entropy of entanglement [28]. Unfortunately, to

calculate this quantity for a given quantum state is, in

general, a quite difficult task, and analytical expressions

are only available for some particular cases [29]. Besides,

this upper bound depends exclusively on the quantum

states shared by Alice and Bob and, therefore, it does

not include the effect of imperfect devices like, for in-

stance, the low detection efficiency or the noise in the

form of dark counts introduced by current detectors [23].

Another possible approach is that based on the best sepa-

rable approximation (BSA) of a quantum state σAB[30].

This is the decomposition of σAB into a separable state

σsep and an entangled state ρent, while maximizing the

weight of the separable part. That is, any quantum state

σABcan always be written as

σAB= λ(σAB)σsep+ [1 − λ(σAB)]ρent,

where the real parameter λ(σAB) ≥ 0 is maximal.

Given an equivalence class S of quantum states, one

can define the maximum weight of separability within

the class, λS

BSA, as

(5)

λS

BSA= max{λ(σAB) | σAB∈ S}.

Note that the correlations pklj can originate from a sep-

arable state if and only if λS

the equivalence class of quantum states given by

(6)

BSA= 1. Let Sent

BSAdenote

Sent

BSA= {ρent| σAB∈ S and λ(σAB) = λS

where ρent represents again the entangled part in the

BSA of the state σAB. Then, it was proven in Ref. [23]

that the secret key rate K always satisfies

BSA}, (7)

K ≤ (1 − λS

BSA)Ient(A;B), (8)

where Ient(A;B) represents the Shannon mutual infor-

mation calculated on the joint probability distribution

qklj = Tr(Akl⊗ Bj ρent). As it is, this upper bound

can be applied to any QKD scheme [23], although the

calculation of the parameters λS

challenge. Next, we consider the particular case of decoy

state QKD.

BSAand ρentmight be a

Upper bound on two-way decoy state QKD

The signal states ρk

mixtures of Fock states with different Poissonian pho-

ton number distributions of mean µl. This means, in

B(µl) that Alice sends to Bob are

Page 4

4

particular, that Eve can always perform a quantum non-

demolition (QND) measurement of the total number of

photons contained in each of these signals without in-

troducing any errors. The justification for this is that

the total photon number information via the QND mea-

surement “comes free”, since the execution of this mea-

surement does not change the signals ρk

the realization of this measurement cannot make Eve’s

eavesdropping capabilities weaker [31]. If Eve performs

such a QND measurement, then the signals ρAB =

|Ψsource?AB?Ψsource| are transformed as

B(µl). That is,

ρAB?→ γAB=

∞

?

n=0

rn|ϕn?A1B?ϕn|⊗|µn?A2?µn|⊗|n?A3?n|,

(9)

where the probabilities rnare given by

rn=

∞

?

l=0

ple−µlµn

l

n!

,(10)

the signals |ϕn?A1Bhave the form

|ϕn?A1B=

3

?

k=0

√qk|k?A1|nk?B, (11)

and the normalized states |µn?A2only depend on the sig-

nals |l?A2and the photon number n.

From the tensor product structure of γAB we learn

that the signals γAB can only contain quantum corre-

lations between systems A1 and B. Therefore, without

loss of generality, we can always restrict ourselves to only

search for quantum correlations between these two sys-

tems. Additionally, in decoy state QKD Alice and Bob

have always access to the conditional joint probability

distribution describing their outcomes given that Alice

emitted an n-photon state. This means that the search

for quantum correlations in S can be done independently

for each n-photon signal. That is, the legitimate users

can define an equivalence class of signal states for each

possible Fock state sent by Alice.

A further simplification arises when one considers the

typical initial post-processing step where double click

events are not discarded by Bob, but they are randomly

assigned to single click events [19]. In the case of the

BB84 protocol, this action allows Alice and Bob to al-

ways explain their observed data as coming from a single-

photon signal where Bob performs a single-photon mea-

surement {Tj} [32]. This measurement is characterized

by a set of POVM operators which are projectors onto

the eigenvectors of the two Pauli operators σx and σz,

together with a projection onto the vacuum state |vac?

which models the losses in the quantum channel,

T0 =

1

2|0?B?0|,

1

2|±?B?±|,

T1=1

2|1?B?1|,

T± =Tvac= |vac?B?vac|,(12)

with |±? = (|0? ± |1?)/√2 and where?

bility distribution obtained by Alice and Bob after their

measurements {Ak⊗Tj}, with Ak= |k?A1?k|, given that

Alice emitted an n-photon state. That is, pn

random assignment of double clicks to single click events.

As before, we consider that the observables {Ak⊗ Tj}

contain as well other observables {Ci⊗ 1 1B} that form a

tomographic complete set of Alice’s Hilbert space HA1.

We define the equivalence class Snof quantum states

that are compatible with pn

kjas

jTj = 1 1B [32].

In particular, let pn

kjdenote the conditional joint proba-

kjincludes the

Sn=?σn

Then, the secret key rate K can be upper bounded as

A1B| Tr(Ak⊗ Tjσn

A1B) = pn

kj, ∀k,j}. (13)

K ≤

?

n≥1

rn(1 − λSn

BSA)Ient

n (A;B), (14)

where λSn

ity within the equivalence class Sn, and Ient

resents the Shannon mutual information calculated on

qn

part in the BSA of a state σn

of separability is maximum.

The main difficulty when evaluating the upper bound

given by Eq. (14) still relies on obtaining the parameters

λSn

by means of a semidefinite program (SDP) [25]. For that,

we need to prove first the following observation.

Observation: Within the equivalence classes Snof

quantum signals given by Eq. (13) Alice and Bob can

only detect the presence of negative partial transposed

(NPT) entangled states [33].

Proof. The signals σn

posed as

BSAdenotes the maximum weight of separabil-

n (A;B) rep-

kj= Tr(Ak⊗ Tj ρn

ent), with ρn

entbeing the entangled

A1B∈ Snand whose weight

BSAand ρn

ent. Next, we show how to solve this problem

A1B∈ Sncan always be decom-

σn

A1B= p˜ ρn

A1B+ (1 − p)˜ ρn

A1⊗ |vac?B?vac|, (15)

for some probability p ∈ [0,1], and where ˜ ρn

H2, and ˜ ρn

be entangled if ˜ ρn

A1Bis also entangled. In order to detect

entanglement in the latter one, Bob projects it onto the

eigenvectors of the two Pauli operators σxand σz. This

means, in particular, that the class of accessible entangle-

ment witness operators W that can be constructed from

the available measurements results satisfy W = WΓ.

Here Γ denotes transposition with respect to Bob’s sys-

tem. We have, therefore, that Tr(W ˜ ρn

with Ω =

A1B]. For the given dimensionali-

ties, it was proven in Ref. [34] that whenever Ω is non-

negative it represents a separable state, i.e., Tr(WΩ) ≥ 0.

This means that Alice and Bob can only detect entan-

gled states ˜ ρn

previous condition is only possible when ˜ ρn Γ

Let us now write the search of λSn

This is a convex optimisation problem of the following

A1B∈ HA1⊗

A1Bcan only

A1∈ HA1. That is, the state σn

A1B) = Tr(WΩ),

1

2[˜ ρn

A1B+ ˜ ρn Γ

A1Bthat satisfy Ω ? 0. Since ˜ ρn

A1B≥ 0, the

A1B? 0. ?

entas a SDP.

BSAand ρn

Page 5

5

form [25]:

minimizecTx

(16)

subject toF(x) = F0+

?

i

xiFi≥ 0,

where the vector x represents the objective variable, the

vector c is fixed by the particular optimisation problem,

and the matrices F0and Fiare Hermitian matrices. The

goal is to minimize the linear function cTx subjected to

the linear matrix inequality (LMI) constraint F(x) ≥ 0.

The SDP that we need to solve has the form [35]:

minimize

subject to

1 − Tr[σn

σn

A1B(x) ≥ 0,

Tr[σn

A1B(x)] = 1,

Tr[Ak⊗ Tjσn

σn

sep(x) ≥ 0,

σn Γ

sep(x) ≥ 0,

σn

sep(x)](17)

A1B(x)] = pn

kj, ∀k,j,

A1B(x) − σn

sep(x) ≥ 0,

where the objective variable x is used to parametrise the

density operatorsσn

A1B. For that, we employ the

method introduced in Refs. [23, 24]. The state σn

appears in Eq. (17) is not normalized, i.e., it also includes

the parameter λ(σn

A1B). The first three constraints in

Eq. (17) guarantee that σn

A1Bis a valid normalized den-

sity operator that belongs to the equivalence class Sn, the

following two constraints impose σn

state, while the last one implies that the entangled part

of σn

A1Bis a valid but not normalized density operator.

Its normalization factor is given by 1 − λ(σn

denotes a solution to the SDP given by Eq. (17) then

sepand σn

sepwhich

septo be a separable

A1B). If xsol

λSn

BSA= Tr[σn

sep(xsol)], (18)

and the state ρn

entis given by

ρn

ent=σn

A1B(xsol) − σn

1 − λSn

sep(xsol)

BSA

. (19)

B. One-way classical post-processing

The classical post-processing of the observed data can

be restricted to one-way communication [36]. Depending

on the allowed direction of communication, two differ-

ent cases can be considered: Direct reconciliation (DR)

refers to communication from Alice to Bob, reverse rec-

onciliation (RR) permits only communication from Bob

to Alice [37]. In this section, we will only consider the

case of DR. Expressions for the opposite scenario, i.e.,

RR, can be obtained in a similar way. In Ref. [22] it was

shown that a necessary precondition for secure QKD by

means of DR (RR) is that the equivalence class S given

by Eq. (4) does not contain any state having a symmetric

extension to two copies of system B (system A).

A

B

AB

A

B

B'

AB AB'

σABB'≥ 0

AB

σ

σ

σ

σ

≅

FIG. 1: Graphical illustration of a quantum state σAB which

has a symmetric extension to two copies of system B.

A state σAB is said to have a symmetric extension to

two copies of system B if and only if there exists a tri-

partite state σABB′ ≥ 0, with Tr(σABB′) = 1, and where

HB∼= HB′, which fulfills the following two properties

[38]:

TrB′(σABB′) = σAB,

PσABB′P = σABB′,

(20)

(21)

where the swap operator P satisfies P|ijk?ABB′

|ikj?ABB′. A graphical illustration of a state σABwhich

has a symmetric extension to two copies of system B is

given in Fig. 1. This definition can be easily extended

to cover also the case of symmetric extensions of σABto

two copies of system A, and also of extensions of σABto

more than two copies of system A or of system B.

The best extendible approximation (BEA) of a given

state σABis the decomposition of σABinto a state with a

symmetric extension, that we denote as σext, and a state

without symmetric extension ρne, while maximizing the

weight of the extendible part, i.e.,

=

σAB= λ(σAB)σext+ [1 − λ(σAB)]ρne,

where the real parameter λ(σAB) ≥ 0 is maximal [22, 39].

Note that this parameter is well defined since the set of

extendible states is compact.

Equation (22) follows the same spirit like the BSA

given by Eq. (5). Now, one can define analogous parame-

ters and equivalence classes as in Sec. IIIA. In particular,

the maximum weight of extendibility within an equiva-

lence class S is defined as λS

S}. That is, the correlations pklj = Tr(Akl⊗ Bj σAB)

can originate from an extendible state if and only if

λS

class of quantum states given by Sne

S and λ(σAB) = λS

tendible part in the BEA of the state σAB. Then, it was

proven in Ref. [22] that the one-way secret key rate K→

satisfies

(22)

BEA= max{λ(σAB) | σAB∈

BEA= 1. Finally, one defines Sne

BEAas the equivalence

BEA= {ρne| σAB∈

BEA}, where ρne denotes the nonex-

K→≤ (1 − λS

BEA)Ine(A;B), (23)

where Ine(A;B) represents the Shannon mutual informa-

tion now calculated on the joint probability distribution

qklj= Tr(Akl⊗ Bjρne) with ρne∈ Sne

BEA.

Page 6

6

Upper bound on one-way decoy state QKD

The analysis contained in Sec. IIIA to derive Eq. (14)

from Eq. (8) also applies to this scenario and we omit it

here for simplicity. We obtain

K→≤

?

n≥1

rn(1 − λSn

BEA)Ine

n(A;B). (24)

where λSn

ity within the equivalence class Sngiven by Eq. (13),

and Ine

n(A;B) represents the Shannon mutual informa-

tion calculated on qn

the nonextendible part in the BEA of a state σn

and whose weight of extendibility is maximum.

The parameter λSn

can directly be obtained by solving the following SDP:

BEAdenotes the maximum weight of extendibil-

kj= Tr(Ak⊗Tjρn

ne), with ρn

nebeing

A1B∈ Sn

BEAand the nonextendible state ρn

ne

minimize

subject to

1 − Tr[σn

σn

A1B(x) ≥ 0,

Tr[σn

A1B(x)] = 1,

Tr[Ak⊗ Tjσn

ρn

A1BB′(x) ≥ 0,

Pρn

TrB′[ρn

σn

ext(x)] (25)

A1B(x)] = pn

kj, ∀k,j,

A1BB′(x)P = ρn

A1BB′(x)] = σn

A1B(x) − σn

extis not normalized, i.e., it also in-

cludes the parameter λ(σn

A1B). The first three constraints

coincide with those of Eq. (17).

that σn

pose σn

extto have a symmetric extension to two copies

of system B, while the last one implies that the nonex-

tendible part of σn

A1Bis a valid but not normalized den-

sity operator. Its normalization factor is 1 − λ(σn

This SDP does not include the constraint σn

cause non-negativity of the extension ρn

with the condition TrB′(ρn

non-negativity of σn

ext. If xsolrepresents a solution to the

SDP given by Eq. (25) then we have that

A1BB′(x),

ext(x),

ext(x) ≥ 0,

where the state σn

They just guarantee

A1B∈ Sn. The following three constraints im-

A1B).

ext≥ 0 be-

A1BB′, together

ext, already implies

A1BB′) = σn

λSn

BEA= Tr[σn

ext(xsol)], (26)

and the state ρn

neis given by

ρn

ne=σn

A1B(xsol) − σn

1 − λSn

ext(xsol)

BEA

.(27)

IV.EVALUATION

In this section we evaluate the upper bounds on the se-

cret key rate both for two-way and one-way decoy state

QKD given by Eq. (14) and Eq. (24). Moreover, we com-

pare our results with known lower bounds for the same

scenarios. The numerical simulations are performed with

the freely available SDP solver SDPT3-3.02 [40], together

with the parser YALMIP [41].

pn

kj

Tj=0

Yn(1−en)

8

Ynen

8

Yn

16

Yn

16

Tj=1

Tj=+

Tj=−

Tj=vac

1−Yn

4

1−Yn

4

1−Yn

4

1−Yn

4

k = 0

k = 1

k = 2

k = 3

Ynen

8

Yn(1−en)

8

Yn

16

Yn

16

Yn

16

Yn

16

Yn

16

Yn

16

Ynen

8

Yn(1−en)

8

Yn(1−en)

8

Ynen

8

TABLE I: Conditional joint probability distribution pn

Tr(Ak ⊗ Tj σn

bels, respectively, the four possible polarization states of the

BB84 protocol (0,1,+,−), and the operators Tj are given by

Eq. (12). It satisfiesP

kj =

A1B), where the index k ∈ {0,...,3} la-

k,jpn

kj= 1.

A.Channel model

To generate the observed data, we consider the chan-

nel model used in Ref. [10, 42]. This model reproduces

a normal behaviour of the quantum channel, i.e., in the

absence of eavesdropping. Note, however, that our anal-

ysis can as well be straightforwardly applied to other

quantum channels, as it only depends on the probability

distribution pn

kjthat characterizes the results of Alice’s

and Bob’s measurements. This probability distribution

is given in Tab. I, where the conditional yields Ynhave

the form

Yn= Y0+ [1 − (1 − η)n],(28)

with Y0 being the background detection event rate of

the system, and where η represents the overall transmit-

tance, including the transmission efficiency of the quan-

tum channel and the detection efficiency. The parameter

en denotes the quantum bit error rate of an n-photon

signal. It is given by

en=edet[1 − (1 − η)n] +1

2Y0

Yn

,(29)

where edetrepresents the probability that a photon hits

the wrong detector due to the misalignment in the quan-

tum channel and in the detection apparatus.

The parameter η can be related with a transmission

distance l measured in km for the given QKD scheme as

η = 10−αl

optical fiber measured in dB/km. The total dB loss of

the channel is given by αl.

10, where α represents the loss coefficient of the

B.Illustration of the upper bounds

As discussed in Sec. III, the reduced density matrix

of Alice, that we shall denote as ρn

not be modified by Eve. This state has the form ρn

TrB(|ϕn?A1B?ϕn|) =

where |ϕn?A1Bis given by Eq. (11).

BB84 protocol the probabilities qksatisfy qk= 1/4. We

A1, is fixed and can-

A1=

?3

k,k′=0

√qkqk′?nk′|nk?|k?A1?k′|,

In the standard

Page 7

7

obtain, therefore, that ρn

A1can be expressed as

ρn

A1=1

4

1

0

0

1

2−n/2

2−n/2(−1)n2−n/2

1

0

2−n/2

2−n/2

2−n/2(−1)n2−n/2

2−n/2

0

1

(30)

.

To include this information in the measurement process,

we consider that Alice and Bob have also access to the

results of a set of observables {Ci⊗1 1B} that form a tomo-

graphic complete set of Alice’s Hilbert space HA1. In par-

ticular, we use a Hermitian operator basis {C1,...,C16}.

These Hermitian operators satisfy Tr(Ci) = 4δi1 and

have a Hilbert-Schmidt scalar product Tr(CiCj) = 4δij.

The probabilities Tr(Ci⊗ 1 1Bσn

ρn

A1given by Eq. (30).

The resulting upper bounds on the two-way and one-

way secret key rate are illustrated, respectively, in Fig. 2

and Fig. 3. They state that no secret key can be distilled

from the correlations established by the legitimate users

above the curves, i.e., the secret key rate in that region

is zero. These figures include as well lower bounds for

the secret key rate obtained in Refs. [8, 10, 16]. Note,

however, the security proofs included in Refs. [8, 10]

implicitly assume that Alice and Bob can make public

announcements using two-way communication, and only

the error correction and privacy amplification steps of

the protocol are assumed to be realized by means of one-

way communication. We consider the uncalibrated de-

vice scenario and we study two different situations in each

case: (1) no errors in the quantum channel, i.e., Y0= 0,

edet= 0, and (2) Y0= 1.7×10−6and edet= 0.033. This

last scenario corresponds to the experimental parameters

reported by Gobby-Yuan-Shields (GYS) in Ref. [43]. Fig-

ure 2 and Fig. 3 do not include the sifting factor of 1/2

for the BB84 protocol, since this effect can be avoided

by an asymmetric basis choice for Alice and Bob [44].

Moreover, we consider that in the asymptotic limit of a

large number of transmitted signals most of them repre-

sent signal states of mean photon number µ0. That is,

the proportion of decoy states used to test the behaviour

of the quantum channel within the total number of sig-

nals sent by Alice is neglected. This means that p0 in

Eq. (10) satisfies p0≈ 1 and

rn=e−µ0µn

A1B) = Tr(Ciρn

A1), with

0

n!

. (31)

C.Discussion

In the case of no errors in the quantum channel (Case

(1) above) the lower bounds for two-way and one-way

QKD derived in Refs. [8, 10, 16] coincide. Furthermore,

for low values of the total dB loss, the upper bounds

shown in the figures present a small bump which is spe-

cially visible in this last case. The origin of this bump is

010 2030 405060 70

−12

−10

−8

−6

−4

−2

0

Total dB loss

Log (Key generation rate) [per pulse]

UB (Case 1)

LB (Case 1)

UB (Case 2)

LB (Case 2)

FIG. 2: Upper bounds on the two-way secret key rate K given

by Eq. (14) in logarithmic scale in comparison to known lower

bounds for the same scenario given in Ref. [16]. The figure

includes two cases. (1) No errors in the quantum channel, i.e.,

Y0 = 0 and edet = 0. In this case, the upper bound (UB) is

represented by a thin solid line, while the lower bound (LB)

is represented by a thin dashed line. (2) Y0 = 1.7 × 10−6

and edet = 0.033, which correspond to the GYS experiment

reported in Ref. [43]. In this case, the upper bound (UB) is

represented by a thick solid line, while the lower bound (LB)

after 3 B steps is represented by a thick dashed line. We

assume asymmetric basis choice to suppress the sifting effect

[44].

the potential contribution of the multi-photon pulses to

the key rate.

Let us now consider the cutoff points for decoy state

QKD in the case of errors in the quantum channel (Case

(2) above). These are the values of the total dB loss for

which the secret key rate drops down to zero in Fig. 2

and Fig. 3. We find that they are given, respectively,

by: ≈ 51.1 dB (lower bound two-way after 3 B steps),

≈ 57.4 dB (upper bound two-way), ≈ 44.9 dB (lower

bound one-way), and ≈ 53.5 dB (upper bound one-way

with RR). These quantities can be related with the fol-

lowing transmission distances: 179.2 km, 209.2 km, 149.6

km and 190.6 km. Here we have used α = 0.21 dB/km

and the efficiency of Bob’s detectors is 4.5% [43]. It is in-

teresting to compare the two-way cutoff point of 209.2 km

with a similar distance upper bound of 208 km provided

in Ref. [16] for the same values of the experimental pa-

rameters. Note, however, that the upper bound derived

in Ref. [16] relies on the assumption that a secure key

can only be extracted from single photon states. That

is, it implicitly assumes the standard BB84 protocol. If

this assumption is removed and one also includes in the

analysis the potential contribution of the multi-photon

signals to the key rate (due, for instance, to the SARG04

protocol [12]), then the cutoff point provided in Ref. [16]

transforms from 208 km to 222 km, which is above the

209.2 km presented here.

Page 8

8

0 102030 4050 6070

−12

−10

−8

−6

−4

−2

0

Total dB loss

Log (Key generation rate) [per pulse]

UB DR (Case 2)

LB RR (Case 2)

UB RR (Case 2)

LB RR (Case 1)

UB RR (Case 1)

UB DR (Case 1)

05

−1

−0.5

0

FIG. 3: Upper bounds on the one-way secret key rate K→

given by Eq. (24) in logarithmic scale in comparison to known

lower bounds for the same scenario given in Refs. [8, 10].

The figure includes two cases. (1) No errors in the quantum

channel, i.e., Y0 = 0 and edet = 0. In this case, the upper

bound (UB) RR is represented by a thin solid line, while the

lower bound (LB) is represented by a thin dashed line. (2)

Y0 = 1.7 × 10−6and edet = 0.033, which correspond to the

GYS experiment reported in Ref. [43]. In this case, the upper

bound (UB) RR is represented by a thick solid line, while the

lower bound (LB) is represented by a thick dashed line. The

two lines on the left hand side of the graphic represent upper

bounds for the case of DR (case (1) short dashed line, case (2)

dash-dotted line). The inset figure shows an enlarged view of

the upper bounds for a total dB loss ranging from 0 to 5 dB.

We assume asymmetric basis choice to suppress the sifting

effect [44].

Figure 3 shows a significant difference between the

behaviour of the upper bounds for one-way classical

post-processing with RR and DR. Most importantly, the

upper bounds on K→ for the case of DR can be be-

low the lower bounds on the secret key rate derived in

Refs. [8, 10]. Note, however, that the scenario considered

here is slightly different from the one assumed in the se-

curity proofs of Refs. [8, 10]. In particular, the analysis

contained in Sec. IIIB for the case of DR does not allow

any communication from Bob to Alice once the condi-

tional probabilities pn

kjare determined. This means, for

instance, that Bob cannot even declare in which partic-

ular events his detection apparatus produced a “click”.

However, as mentioned previously, Refs. [8, 10] implicitly

assume that only the error correction and privacy ampli-

fication steps of the protocol are performed with one-way

communication. If the analysis performed in Sec. IIIB

is modified such that Bob is now allowed to inform Alice

which signal states he actually detected, then it turns out

that the resulting upper bounds in this modified scenario

coincide with those derived for the case of RR. To include

this initial communication step from Bob to Alice in the

analysis, one can use the following procedure. Let the

projector ΠA1Bbe defined as

ΠA1B= 1 1A1⊗ (1 1B− |vac?B?vac|).

Then, one can add to Eq. (25) one extra constraint

(32)

σn post

A1B(x) =ΠA1Bσn

A1B(x)ΠA1B

Yn

,(33)

and substitute the condition σn

A1B(x) − σn

ext(x) ≥ 0 by

σn post

A1B(x) − σn

ext(x) ≥ 0. (34)

Equation (33) refers to the normalized state that is posts-

elected by Alice and Bob once Bob declares which signals

he detected. Equation (34) indicates that the BEA has to

be applied to this postselected state. Finally, each term

in the summation given by Eq. (24) has to be multiplied

by the yield Yn, i.e., the probability that Bob obtains

a “click” conditioned on the fact that Alice sent an n-

photon state.

Our numerical results indicate that the upper bounds

given by Eq. (14) and Eq. (24) are close to the known

lower bounds available in the scientific literature for the

same scenarios. However, one might expect that these

upper bounds can be further tightened in different ways.

For instance, by substituting in Eq. (14) and Eq. (24) the

Shannon mutual information with any other tighter up-

per bound on the secret key rate that can be extracted

from a classical tripartite probability distribution mea-

sured on a purification of the state ρn

two-way QKD) or of the state ρn

over, as they are, Eq. (14) and Eq. (24) implicitly assume

that the legitimate users know precisely the number of

photons contained in each signal emitted. However, in

decoy state QKD Alice and Bob have only access to the

conditional joint probability distribution describing their

outcomes given that Alice emitted an n-photon state, but

they do not have single shot photon number resolution

of each signal state sent.

As a side remark, we would like to emphasize that to

calculate the upper bounds given by Eq. (14) and Eq. (24)

it is typically sufficient to consider only a finite number

of terms in the summations. This result arises from the

limit imposed by the unambiguous state discrimination

(USD) attack [31]. This attack does not introduce any

errors in Alice’s and Bob’s signal states. Moreover, it cor-

responds to an entanglement-breaking channel [45] and,

therefore, it cannot lead to a secure key both for the case

of two-way and one-way QKD [20, 22]. The maximum

probability of unambiguously discriminating an n-photon

state sent by Alice is given by [31]

ent(in the case of

ne(one-way QKD). More-

Pn

D=

0

1 − 21−n/2

1 − 2(1−n)/2n odd.

n ≤ 2

n even

(35)

For typical observations this quantity can be related with

a transmission efficiency ηnof the quantum channel, i.e.,

Page 9

9

an ηnthat provides an expected click rate at Bob’s side

equal to Pn

D. This last condition can be written as

ηn= 1 − (1 − Pn

D)1/n.(36)

Whenever the overall transmission probability of each

photon satisfies η ≤ ηn, then any pulse containing n or

more photons is insecure against the USD attack. After

a short calculation, we obtain that the total number of

n-photon signals that need to be considered in the sum-

mations of Eq. (14) and Eq. (24) can be upper bounded

as

n ≤

? ?

1

log2[√2(1−η)]

2log2[√2(1−η)]

?

n even

n odd.

?

1

?

(37)

V.CONCLUSION

In this paper we have derived upper bounds on the

secret key rate and distance that can be covered by two-

way and one-way decoy state quantum key distribution

(QKD). Our analysis considers the uncalibrated device

scenario and we have assumed the typical initial post-

processing step where double click events are randomly

assigned to single click events. We have used two pre-

conditions for secure two-way and one-way QKD. In par-

ticular, the legitimate users need to prove that there ex-

ists no separable state (in the case of two-way QKD), or

that there exists no quantum state having a symmetric

extension (one-way QKD), that is compatible with the

available measurements results. Both criteria have been

previously employed in the scientific literature to evalu-

ate single-photon implementations of QKD. Here we have

applied them to investigate a realistic source of weak co-

herent pulses, and we have shown that they can be for-

mulated as a convex optimization problem known as a

semidefinite program (SDP). Such instances of convex

optimization problems can be solved efficiently, for ex-

ample by means of the interior-point methods.

As a result, we have obtained fundamental limitations

on the performance of decoy state QKD when this initial

post-processing of the double clicks is performed. These

upper bounds cannot be overcome by any classical com-

munication technique (including, for example, SARG04

protocol, adding noise protocols, degenerate codes and

two-way classical post-processing protocols) that the le-

gitimate users may employ to process their correlated

data afterwards. Moreover, our results seem to be al-

ready close to well known lower bounds for the same sce-

narios, thus showing that there are clear limits to the fur-

ther improvement of classical post-processing techniques

in decoy state QKD.

The analysis presented in this paper could as well be

straightforwardly adapted to evaluate other implemen-

tations of the BB84 protocol with practical signals like,

for example, those experimental demonstrations based

on WCP without decoy states or on entangled signals

coming from a parametric down conversion source.

VI. ACKNOWLEDGEMENTS

M.C. especially thanks H.-K. Lo and N. L¨ utkenhaus

for hospitality and support during his stay at the Univer-

sity of Toronto and at the Institute for Quantum Com-

puting (University of Waterloo) where this manuscript

was finished. This work was supported by the European

Projects SECOQC and QAP, NSERC, Quantum Works,

CSEC, CFI, CIPI, CIFAR, the CRC program, MITACS,

OIT, OCE, by Xunta de Galicia (Spain, Grant No.

INCITE08PXIB322257PR), and by University of Vigo

(Program “Axudas ´ a mobilidade dos investigadores”).

[1] N. Gisin, G. Ribordy, W. Tittel and H. Zbinden, Rev.

Mod. Phys. 74, 145 (2002); M. Duˇ sek, N. L¨ utkenhaus

and M. Hendrych, Progress in Optics 49, Edt. E. Wolf

(Elsevier), 381 (2006).

[2] V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M.

Duˇ sek, N. L¨ utkenhaus and M. Peev, Preprint quant-

ph/0802.4155, accepted for publication in Rev. Mod.

Phys.

[3] G. S. Vernam, J. Am. Inst. Electr. Eng. XLV, 109 (1926).

[4] B. Huttner, N. Imoto, N. Gisin, and T. Mor, Phys. Rev.

A 51, 1863 (1995); G. Brassard, N. L¨ utkenhaus, T. Mor

and B. C. Sanders, Phys. Rev. Lett. 85, 1330 (2000).

[5] W. K. Wootters and W. H. Zurek, Nature 299, 802

(1982).

[6] C. H. Bennett and G. Brassard, Proc. IEEE Int. Con-

ference on Computers, Systems and Signal Processing,

Bangalore, India, IEEE Press, New York, 175 (1984).

[7] H. Inamori, N. L¨ utkenhaus and D. Mayers, Eur. Phys. J.

D 41, 599 (2007).

[8] D. Gottesman, H.-K. Lo, N. L¨ utkenhaus and J. Preskill,

Quant. Inf. Comput. 4, 325 (2004).

[9] W.-Y. Hwang, Phys. Rev. Lett. 91, 057901 (2003).

[10] H.-K. Lo, X. Ma and K. Chen, Phys. Rev. Lett. 94,

230504 (2005).

[11] X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005); X. Ma,

B. Qi, Y. Zhao and H.-K. Lo, Phys. Rev. A 72, 012326

(2005); X.-B. Wang, Phys. Rev. A 72, 012322 (2005);

X.-B. Wang, Phys. Rev. A 72, 049908 (E) (2005).

[12] V. Scarani, A. Ac´ ın, G. Ribordy and N. Gisin, Phys. Rev.

Lett. 92, 057901 (2004).

[13] M. Koashi, Phys. Rev. Lett. 93, 120501(2004);

Tamaki, N. L¨ utkenhaus, M. Koashi and J. Batuwantu-

dawe, Preprint quant-ph/0607082; K. Inoue, E. Waks

and Y. Yamamoto, Phys. Rev. A 68, 022317 (2003).

[14] Y. Zhao, B. Qi, X. Ma, H.-K. Lo and L. Qian, Phys.

Rev. Lett. 96, 070502 (2006); Y. Zhao, B. Qi, X. Ma,

H.-K. Lo and L. Qian, Proc. of IEEE International Sym-

posium on Information Theory (ISIT’06), 2094 (2006);

C.-Z. Peng, J. Zhang, D. Yang, W.-B. Gao, H.-X. Ma, H.

Yin, H.-P. Zeng, T. Yang, X.-B. Wang and J.-W. Pan,

K.

Page 10

10

Phys. Rev. Lett. 98, 010505 (2007); D. Rosenberg, J. W.

Harrington, P. R. Rice, P. A. Hiskett, C. G. Peterson,

R. J. Hughes, A. E. Lita, S. W. Nam and J. E. Nord-

holt, Phys. Rev. Lett. 98, 010503 (2007); T. Schmitt-

Manderbach, H. Weier, M. F¨ urst, R. Ursin, F. Tiefen-

bacher, T. Scheidl, J. Perdigues, Z. Sodnik, C. Kurtsiefer,

J. G. Rarity, A. Zeilinger and H. Weinfurter, Phys. Rev.

Lett. 98, 010504 (2007); Z. L. Yuan, A. W. Sharpe and

A. J. Shields, Appl. Phys. Lett. 90, 011118 (2007); Z.-Q.

Yin, Z.-F. Han, W. Chen, F.-X. Xu, Q.-L. Wu and G.-

C. Guo, Chin. Phys. Lett 25, 3547 (2008); J. Hasegawa,

M. Hayashi, T. Hiroshima, A. Tanaka and A. Tomita,

Preprint quant-ph/0705.3081; J. F. Dynes, Z. L. Yuan,

A. W. Sharpe and A. J. Shields, Optics Express 15, 8465

(2007).

[15] D. Gottesman and H.-K. Lo, IEEE Trans. Inf. Theory

49, 457 (2003).

[16] X. Ma, C.-H. F. Fung, F. Dupuis, K. Chen, K. Tamaki

and H.-K. Lo, Phys. Rev. A 74, 032330 (2006).

[17] B. Kraus, N. Gisin and R. Renner, Phys. Rev. Lett. 95,

080501 (2005); R. Renner, N. Gisin and B. Kraus, Phys.

Rev. A 72, 012332 (2005); J. M. Renes and Graeme

Smith, Phys. Rev. Lett. 98, 020502 (2007).

[18] P.W. Shorand

quant-ph/9604006v2; D. P. DiVincenzo, P. W. Shor and

J. A. Smolin, Phys. Rev. A 57, 830 (1998); G. Smith and

J. A. Smolin, Phys. Rev. Lett. 98, 030501 (2007); H.-K.

Lo, Quantum Inf. Comput. 1, 81 (2001); G. Smith,

J. M. Renes and J. A. Smolin, Phys. Rev. Lett. 100,

170502 (2008); O. Kern and J. M. Renes, Quantum Inf.

Comput. 8, 756 (2008).

[19] N. L¨ utkenhaus, Phys. Rev. A 59, 3301 (1999); N.

L¨ utkenhaus, Appl. Phys. B: Lasers Opt. 69, 395 (1999);

N. L¨ utkenhaus, Phys. Rev. A 61, 052304 (2000).

[20] M. Curty, M. Lewenstein and N. L¨ utkenhaus, Phys. Rev.

Lett. 92, 217903 (2004).

[21] M. Curty, O. G¨ uhne, M. Lewenstein and N. L¨ utkenhaus,

Phys. Rev. A 71, 022306 (2005).

[22] T. Moroder, M. Curty and N. L¨ utkenhaus, Phys. Rev. A

74, 052301 (2006).

[23] T. Moroder, M. Curty and N. L¨ utkenhaus, Phys. Rev. A

73, 012311 (2006).

[24] M. Curty and T. Moroder, Phys. Rev. A 75, 052336

(2007).

[25] L. Vandenberghe and S. Boyd, SIAM Review 38, 49

(1996); S. Boyd and L. Vandenberghe, Convex Optimiza-

tion (Cambridge University Press, Cambridge, England,

2004).

[26] K. Horodecki, M. Horodecki, P. Horodecki and J. Oppen-

heim, Preprint arXiv:quant-ph/0506189.

[27] Here we define quantum correlations as those correlations

that cannot be explained by means of an intercept-resend

attack [20, 21].

[28] K. Horodecki, M. Horodecki, P. Horodecki and J. Oppen-

heim, Phys. Rev. Lett. 94, 160502 (2005); V. Vedral and

M. B. Plenio, Phys. Rev. A 57, 1619 (1998).

[29] K. Audenaert, J. Eisert, E. Jan´ e, M. B. Plenio, S. Vir-

J. A.Smolin, Preprint

mani and B. De Moor, Phys. Rev. Lett. 87, 217902

(2001).

[30] M. Lewenstein and A. Sanpera, Phys. Rev. Lett. 80, 2261

(1997); S. Karnas and M. Lewenstein, J. Phys. A 34, 6919

(2001).

[31] M. Duˇ sek, M. Jahma and N. L¨ utkenhaus, Phys. Rev. A

62, 022306 (2000).

[32] T. Tsurumaru and K. Tamaki, Phys. Rev. A 78, 032302

(2008); N. Beaudry, T. Moroder and N. L¨ utkenhaus,

Phys. Rev. Lett. 101, 093601 (2008).

[33] A. Peres, Phys. Rev. Lett. 77, 1413 (1996).

[34] B. Kraus, J. I. Cirac, S. Karnas and M. Lewenstein, Phys.

Rev. A 61, 062302 (2000).

[35] Note that every equality constraint of the form f(x) =

g(x), for any functions f and g, can always be repre-

sented by two inequality constraints f(x)−g(x) ≥ 0 and

−[f(x) − g(x)] ≥ 0. Moreover, two (or even more) LMI

constraints F0(x) ≥ 0,F1(x) ≥ 0, can always be com-

bined into a single new LMI constraint as

F(x) =

„F0(x)0

0

F1(x)

«

≡ F0(x) ⊕ F1(x) ≥ 0.

[36] Before restricting Alice and Bob to only communicate

one-way, one typically allows them to realize an initial

two-way communication step to estimate the joint prob-

ability distribution describing their measurements out-

comes. This is the approach that we follow in this paper.

In decoy state QKD this is also important in order to dis-

tinguish between signal and decoy pulses and to estimate

the conditional probabilities pn

[37] F. Grosshans, G. van Assche, J. Wenger, R. Brouri, N.

Cerf and P. Grangier, Nature (London) 421, 238 (2003).

[38] A. C. Doherty, P. A. Parrilo and F. M. Spedalieri, Phys.

Rev. Lett. 88, 187904 (2002); A. C. Doherty, P. A. Parrilo

and F. M. Spedalieri, Phys. Rev. A 69, 022308 (2004);

A. C. Doherty, P. A. Parrilo, and F. M. Spedalieri, Phys.

Rev. A 71, 032333 (2005).

[39] From now on, the term extension will always stand for

a symmetric extension to two copies of system A or B.

We will not make any further distinction between the

different types of extension and we simply call the state

extendible. The extension to two copies of system B cor-

responds to DR, and extensions to two copies of system

A corresponds to RR.

[40] K. C. Toh, R. H. Tutuncu and M. J. Todd, Optim. Meth-

ods Software 11, 545 (1999).

[41] J. L¨ ofberg, in Proceedings of the CACSD Conference,

Taipei, Taiwan, p. 284 (2004).

[42] X. Ma, Ph.D. thesis, University of Toronto, 2008.

[43] C. Gobby, Z. L. Yuan and A. J. Shields, Appl. Phys. Lett.

84, 3762 (2004).

[44] H.-K. Lo, H. F. C. Chau and M. Ardehali, J. Cryptology

18, 133 (2005).

[45] M. Horodecki, P. W. Shor, and M. B. Ruskai, Rev. Math.

Phys. 15, 629 (2003); M. B. Ruskai, Rev. Math. Phys.

15, 643 (2003).

kj.