Introduction

Future quantum networks will require bright low-noise sources of single photons to enable applications including secure communication and distributed quantum computing1. There is a range of promising platforms for such a source, including quantum dots, molecules, quantum emitters in two-dimensional materials such as WSe2 and hBN, and colour centres in wide band-gap materials such as diamond and SiC. Comparing these platforms for single-photon emitters, quantum dots (QDs) have demonstrated the highest count rates with the lowest multiphoton emission probability2,3,4.

Fibre-based QKD requires single-photons at 1550 nm where loss in fibre is lowest. This can be realised with QDs in two ways, fabricating the QD to emit directly at 1550 nm or using quantum frequency-conversion to shift the wavelength of a QD which emits at shorter wavelengths to 1550 nm. The best available QDs in all relevant metrics emit at shorter wavelengths2,3,4, although recent improvements have been made with C-band emitters in terms of brightness and multiphoton noise but not coherence5. Quantum frequency-conversion has been shown to be a viable route to realise a bright, coherent telecom QD single-photon source with low multiphoton noise, leveraging the performance of shorter wavelength QDs6,7,8.

In this work, we demonstrate Bennett-Brassard ’84 (BB84) QKD9 using a bright frequency-converted QD source over optical fibre. In the asymptotic case the source outperforms previous demonstrations of prepare-and-measure QKD with single-photon emitters in terms of achievable key rate and maximum tolerable loss thanks to the brightness and low \({g}^{\left(2\right)}\left(0\right)\) of our source, see Table 1. In the composable security framework, we use improved analytical bounds for the random sampling without replacement problem related to the phase error rate and the multiplicative Chernoff bound that has been proven to be a tighter finite key bound in other contexts10. These bounds are used to calculate the fluctuations between expected and observed values.

Table 1 Comparison of other QKD demonstrations based on single-photon emitters
Full size table

The finite key treatment implemented in this work reduces the number of signals Bob must receive to approach the asymptotic case from 1015 to 107 compared with widely used previous single-photon source QKD analyses. Equivalently, the integration time required to approach the asymptotic case is reduced from 104 years to just one hour.

Results

Experimental setup

The experimental setup including single-photon source, communication channel and receiver is shown in Fig. 1. The quantum light source consists of an InGaAs/GaAs quantum dot inside an oxide-apertured micropillar11 emitting photons at 940 nm. The QD is excited using a dark-field confocal microscope; single photons are collected in a cross-polarised scheme with 107 suppression of the excitation laser. The QD is operated under pulsed quasi-resonant excitation using the third order cavity mode detuned by 440 GHz from the QD emission. This quasi-resonant excitation has strongly damped photon-number coherence compared to resonant excitation of the source6, this allows the output photon number states to be treated as mixed12 with no inter-pulse coherence. Femtosecond pulses from a Ti:Sapphire laser are stretched to 30 ps using a 4f Fourier pulse shaper and temporally multiplexed up to 160.7 MHz. We measure ≈5 MHz count rate with a \({g}^{\left(2\right)}(0)=0.019(1)\) directly from the QD. The single-photon emission is converted to 1550 nm in a difference frequency generation (DFG) process in a 48 mm periodically-poled lithium niobate (ppLN) waveguide pumped by a 2400 nm continuous-wave laser. The internal conversion efficiency of the DFG process is 57%. Further details on the source can be found in ref. 6.

Fig. 1: Experimental setup of Alice’s single-photon source and Bob’s passive BB84 receiver.
figure 1

The QD is excited at 160 MHz by temporally multiplexing an 80 MHz pulse train from a Ti:Sapphire laser. The 940 nm single photons are combined with a 2.4 μm seed laser and converted to 1550 nm in a ppLN ridge waveguide designed to be single-mode at 1550 nm. The seed beam is removed with short-pass filters at 2050 nm (SP2050) before the telecom photons are isolated with a long pass filter at 1400 nm (LP1400) and a bandpass filter at 1550 nm (BP1550). The transmission channel consists of spools of fibre of various length which are joined using physical contact connectors for the different distances measured in Fig. 2. Bob’s receiver passively chooses between X and Z basis measurements using a 50/50 fibre beam-splitter (BS). Projections are made using polarising beam-splitter (PBS) cubes and in-fibre polarisation controllers (PC) to align the measurement basis.

Full size image

The four BB84 polarisation states \(\left\{H,V,D,A\right\}\) are encoded using a motorised half-wave plate. Photons are then transmitted through the quantum channel consisting of SMF-28 fibre spools with an average propagation loss of 0.1904 dB/km including connectors. The fibre is housed in an insulating box to reduce temperature fluctuations, which keeps the fibre-induced polarisation rotation stable over the typical acquisition time of 30 min per polarisation state.

The BB84 receiver consists of a 50/50 fibre beam-splitter followed by two polarising beam splitters and in-fibre polarisation controllers to project into the H/V and D/A basis respectively. Photons are detected with superconducting nanowire single-photon detectors (SNSPDs).

The average transmittivity of the four arms of the receiver is 87% including relative efficiency of each detector measured by comparing the count rate observed on each detector with a reference parametric down-conversion source. The SNSPDs are biased to have an average dark count rate of 11.5 Hz at the cost of 5-10% of the peak efficiency. The detectors are time gated around the arrival time of the signal photons to reduce the effect of dark counts (see Fig. 2), the average time gate across all distances is 3.19 ns. This gives a dark count probability per pulse of pdc = 3.67 × 10−8.

Fig. 2: Asymptotic key rate and quantum bit error rate.
figure 2

a Experimental asymptotic key rate (orange dots) and the theoretical key rate based on the experimentally measured parameters with and without pre-attenuation of Alice’s source. The pre-attenuation increases 2.6 dB the maximum tolerable loss. The inset shows a typical data set for Alice sending horizontally polarised photons over 80 km of fibre. Red boxes show the typical time gating used to optimise the key rate. b Measured error rate as a function of fibre distance. The theory fit is based on Eq. (1) with the experimental parameters listed in the main text. The deviations from the best fit are due to inconsistency in aligning the in-fibre polarisation controller. The QBER at the maximum tolerable loss of ~35 dB is ~2%. Maximum tolerable loss is primarily limited by the photon-number noise \({g}^{\left(2\right)}\left(0\right)=0.036(3)\), shown in the inset of b.

Full size image

Asymptotic key rate

We send each of the BB84 states \(\left\{H,\,V,\,D,\,A\right\}\) in turn and record at least 5 × 106 detected events for each state for seven distances between 0-175 km. The probability that a given round registers in one of Bob’s detectors, pclick, is estimated as the ratio of detected events to the number of clock pulses from the Ti:Sapphire which are recorded over the integration period. For convenience, we assume equal probabilities for both bases, i.e. \({p}_{dc}\equiv {p}_{dc}^{X}\equiv {p}_{dc}^{Z}\) and \({p}_{{{{{{{{\rm{click}}}}}}}}}\equiv {p}_{{{{{{{{\rm{click}}}}}}}}}^{X}\equiv {p}_{{{{{{{{\rm{click}}}}}}}}}^{Z}\). We measure a count rate of 1.6 MHz in Bob’s receiver at zero distance. This gives a mean photon number of 〈n〉 = 0.0142 injected into the communication channel backing out the known receiver transmission, the relative efficiency on average due to the measured losses of each detector \(\left(\approx 87\%\right)\) and the estimated quantum efficiency of the detectors \(\left(\approx 75\%\right)\).

The quantum bit error rate (QBER) eX/Z, in the X or Z basis is calculated by comparing the ratio of detected events for the state orthogonal to Alice’s encoded state to the total number of detected events in that basis. By fitting the measured QBER to

$${e}_{X/Z}=\frac{{p}_{dc}+{p}_{mis}\langle n\rangle T}{2{p}_{dc}+\langle n\rangle T},$$
(1)

the average polarisation misalignment pmis can be extracted, which typically is found to be pmis = 0.3%13. T represents the total optical efficiency from the quantum channel to Bob’s detection apparatus. The dark count probability pdc and mean photon number 〈n〉 are held as fixed parameters.

With pclick,  eX/Z,  〈n〉 and \({g}^{\left(2\right)}(0)\) experimentally characterised it is possible to calculate the asymptotic key rate (AKR) according to14,15

$$S={p}_{{{{{{{{\rm{sift}}}}}}}}}{p}_{{{{{{{{\rm{click}}}}}}}}}\left[A\left(1-H\left(\frac{{e}_{X}}{A}\right)\right)-{f}_{EC}({e}_{Z})H({e}_{Z})\right],$$
(2)

where \({p}_{{{{{{{{\rm{sift}}}}}}}}}={p}_{X}^{2}+{(1-{p}_{X})}^{2}\) is the sifting ratio for the key generation bits assuming both bases are used, pX is the basis bias, \(H\left(x\right)\) is the binary Shannon entropy and \({f}_{EC}\left(x\right)\, > \,1\) is the error correction efficiency factor.

For the experimental setup presented here \({p}_{{{{{{{{\rm{sift}}}}}}}}}=\frac{1}{2}\) which allows for a comparison to previously published work (Table 1). For \({f}_{EC}\left(x\right)\) we use values linearly interpolated between those reported in ref. 16 (typically fEC = 1.16 for the range of error rates seen in the experiment). \(A=\left({p}_{{{{{{{{\rm{click}}}}}}}}}-{p}_{m}\right)/{p}_{{{{{{{{\rm{click}}}}}}}}}\) is the fraction of signals which are single-photon pulses and pm is the upper bound on the probability that Alice emits a multiphoton pulse taken to be \({p}_{m}\le {g}^{\left(2\right)}(0){\langle n\rangle }^{2}/2\)13. From the measured 〈n〉 = 0.0142 and \({g}^{\left(2\right)}(0)=0.036(3)\) (see Fig. 2), we estimate pm ≤ 3.63 × 10−6 without any additional pre-attenuation before the final collection fibre. The small increase in \({g}^{\left(2\right)}(0)\) compared to the emission directly from the QD is due to Raman scattering in the frequency-conversion process.

The key rate at shorter distances is increased compared to previous works thanks to the high brightness and temporally multiplexed excitation presented in this work. The maximum tolerable loss is also increased due to the relatively high brightness and low noise compared to previous demonstrations with telecom wavelength QD sources. The current maximum range is limited by pclick → pm, at which point the fraction of signals received from single photon pulses goes to zero A → 0, and a secure key is no longer possible. As the multiphoton emission and click probabilities are evaluated on a signal-by-signal basis, the multiplexed excitation does not improve the maximum distance over which a secure key can be extracted.

Finite key analysis

In assessing the performance of a practical QKD system the finite key rate must be considered. To date, most experiments with single-photon emitters17,18 have used the method outlined in15 to derive finite block size estimates of the secure key. Since the publication of15, there has been considerable development of tighter statistical estimation bounds, mainly in the context of weak coherent pulse decoy state and entangled protocols. Here, we adapt and employ recent results based on Chernoff bounds to produce significant improvements in the finite key rate. This reduces the block size required for a positive key rate or, conversely, yields a much greater key rate for a fixed block size.

A full derivation of the finite key rate can be found in the Methods section with the main result discussed here. For a finite block size defined as either the number of sent NS or received signals NR, the total secure key length is,

$$\ell=\lfloor {\underline{N}}_{R,nmp}^{X}\left(1-H\left({\overline{\phi }}^{X}\right)\right)-{\lambda }_{EC}-2{\log }_{2}\frac{1}{2{\varepsilon }_{PA}}-{\log }_{2}\frac{2}{{\varepsilon }_{cor}}\rfloor,$$
(3)

where \({\underline{N}}_{R,nmp}^{X}\) is the lower bound on the number of received signals in the key generation basis due to non-multiphoton source emissions (including vacuum and single-photon emissions), \({\overline{\phi }}^{X}\) is the upper bound of the phase error rate in the key generation basis, λEC is the information leaked during error correction19, and the remaining terms are security and correctness parameters derived using the methods in20. The key rate is then defined as \(r=\frac{\ell }{{N}_{S}}\) and the fixed parameters used are shown in Table 2. The ratio of signals in the key generation basis to the parameter estimation basis, and the additional attenuation Alice adds to the source to reduce the multiphoton emission probability are all numerically optimised for each distance.

Table 2 Baseline QKD system parameters
Full size table

The improvement to the finite key rate can be viewed in two different ways: at long distances the block size required to produce the same key rate is massively reduced, Fig. 3a; alternatively, for a fixed acquisition time we can tolerate more loss and achieve the same secure key rate, Fig. 3b. The improvement to the finite key rate is quantified by comparing the number of signals required to approach the asymptotic key rate. To approach the asymptotic key rate with the method of15, the received block size has to be on the order of 1015, dotted purple curve Fig. 3a. Our results indicate a factor 108 improvement, the finite key rate curve reaches the asymptotic limit with Alice’s pre-attenuation for just 107 received signals. With respect to a fixed acquisition time, previous security analysis restricts the maximum distance over which a key can be exchanged after one second of acquisition time to less than 1 km, Fig. 3b, whereas we calculate a maximum tolerable loss of 26.9 dB which is equivalent to over 140 km of fibre. For all acquisition times considered the analysis presented here can achieve the same key rate over an additional 25 dB of channel loss.

Fig. 3: Comparison of finite key rate based on the Chernoff bound and previous finite-key analysis based on15.
figure 3

The finite key rate for different block sizes is shown in a; this work is shown with solid lines and previous work with a dashed line. For both versions, Alice’s pre-attenuation and pX are optimised for each distance and integration time. The bound presented in this work results in substantially better finite key rates using smaller block sizes. b shows the maximum tolerable loss achievable as a function of the acquisition time. This work substantially improves the distance over which a key can be generated compared to ref. 15, particularly for short acquisition times.

Full size image

Discussion

We have demonstrated that fibre-based QKD with frequency-converted quantum dot is possible at high rates for distances and acquisition times relevant for metropolitan communication networks. The source performance exceeds other single-photon emitters suggested for use in QKD systems in terms of key rate and maximum tolerable loss. Combining state-of-the-art QD performance in brightness2 and multiphoton suppression21, with the frequency conversion demonstrated here into one device would allow for key rates comparable to decoy-state QKD with weak coherent pulses. Ultimately, surpassing weak coherent pulse implementations will require sources much closer to the ideal performance of unity collection efficiency with multiphoton emission probabilities approaching zero.

Regarding the key rate introduced with Eq. (3), a more up-to-date version for the terms of the security parameters and an additional fluctuation in the phase error rate due to the random sampling without replacement problem were introduced compared to previous studies. The considerable enhancement of the finite key rate is due to the improved bounds of the statistical fluctuations achieved using the Chernoff bound applied to the number of events versus bounding probabilities as in22.

The deviations of the probabilities from the ideal estimate are magnified when expressed in the total number of events, e.g. number of errors and multiphoton emissions, although they might seem to be relatively small23. In particular, the Chernoff bound on events provides tighter estimates on the maximum number of multiphoton emissions increasing the single photon yield at longer distances and consequently the key rate.

Methods

Click and error probability estimation

In this section, we describe the modelling of click probabilities and error rates to later simulate the detections and error events. First, the click probability in each basis is,

$${p}_{{{{{{{{\rm{click}}}}}}}}}^{X,Z}={c}_{dt}\mathop{\sum }\limits_{n=0}^{\infty }{p}_{n}\left[1-(1-{p}_{dc}^{X,Z}){\left(1-{\eta }_{ch}{\eta }_{det}^{X,Z}{\eta }_{att}\right)}^{n}\right],$$
(4)

where pn is the probability that a pulse emitted by the source contains n photons, \({\eta }_{det}^{X,Z}\) is the detector detection efficiency and \({p}_{dc}^{X,Z}\) is the average dark count probability of the two detectors associated with each basis. For simplicity we assume that all detectors have the same efficiencies and dark count rates. If they differ, then the security analysis should be adapted to avoid any loopholes introduced by detector efficiency mismatch20. We add a pre-attenuation factor ηatt13 which can be inserted between the source and the Eve-controlled channel to reduce multiphoton leakage in the high loss regime. The channel transmittance is given by ηch = 10l/10 where l is the channel loss in dB. A correction factor cDT is added to account for the dead time of the detectors. For a dead time τ and repetition rate R this correction is of the form

$${c}_{dt}=\frac{1}{1+R\tau {p}_{{{{{{{{\rm{click}}}}}}}}}^{X,Z}}.$$
(5)

The error probability is then given by

$${p}_{e}^{X,Z}={c}_{dt}\left\{{p}_{0}\,{p}_{dc}^{X,Z}+\mathop{\sum }\limits_{n=1}^{\infty }{p}_{n}\left[1-(1-{p}_{dc}^{X,Z}){(1-{\eta }_{ch}{\eta }_{det}^{X,Z}{\eta }_{att})}^{n}\right]{p}_{mis}\right\},$$
(6)

where pmis is the probability of error due to the misalignment of the set-up.

For modelling purposes, we will assume that the multiphoton contribution is dominated by the 2-photon component, hence consider a source distribution of the form {pn} = {p0, p1, p2} with emission probabilities of vacuum p0, single photons p1 and two photon states p2. Given mean values for photon number 〈n〉 and \({g}^{\left(2\right)}(0)\),

$${p}_{2}=\frac{{g}^{(2)}(0){\langle n\rangle }^{2}}{2},\quad {p}_{1}=\langle n\rangle -2{p}_{2},\quad {p}_{0}=1-{p}_{2}-{p}_{1}.$$
(7)

Note that the security of the key rate analysis is not compromised by such an assumed form of the photon number distribution as the distribution that only has non-zero {p0, p1, p2} saturates the bound of13,

$${p}_{m}\le \frac{{g}^{\left(2\right)}(0){\langle n\rangle }^{2}}{2},$$
(8)

and any other distribution consistent with 〈n〉 and \({g}^{\left(2\right)}(0)\) will have a lower pm.

Finite key length based on Chernoff bounds

In this section, we follow the method and notation as described in ref. 10 though suitably adapted for the non-decoy single-photon source case which is akin to weak coherent pulse (WCP) protocols before the advent of decoy-state methods24.

After basis sifting, the number of events where both Alice and Bob chose the Z and X bases are \({N}_{R}^{X}={N}_{S}{p}_{X}^{2}{p}_{{{{{{{{\rm{click}}}}}}}}}^{X}\) and \({N}_{R}^{Z}={N}_{S}{p}_{Z}^{2}{p}_{{{{{{{{\rm{click}}}}}}}}}^{Z}\), respectively, these are directly observed. Here, we adopt the convention that the Z basis is used for parameter estimation and the X basis is used to generate the key. The legitimate parties publically compare all the Z basis results to determine thenumber of Z errors \({m}_{Z}={N}_{S}{p}_{Z}^{2}{p}_{e}^{Z}\) which is then used to estimate the phase error rate ϕX in the X basis. The X basis results are never directly revealed.

The expected number of received signals that result from non-multiphoton emissions by Alice (lumping together the vacuum and single photon yields) is given by \({N}_{R,nmp}^{X,Z}={N}_{R}^{X,Z}-{N}_{S,mp}^{X,Z*}\) where \({N}_{S,mp}^{X,Z*}={N}_{S}{p}_{X}^{2}{p}_{m}\) is the expected number (we use * to denote the mean) of sifted multiphoton emissions from Alice in the X, Z basis respectively. We assume that pm can be determined in a pre-calibration phase with negligible uncertainty (similar to the pulse intensities in WCP protocols), else a suitable upper bound can be chosen for pm itself. Here, we assume that all multiphoton pulses are detected by Bob (Eve introducing a lossless channel in this case) and that the remaining detected pulses come from the non-multiphoton fraction (if \({N}_{R}^{X,Z} > {N}_{S,mp}^{X,Z}\)). As we do not directly observe the actual number of multiphoton emissions, the actual number \({N}_{S,mp}^{X,Z}\) can deviate from \({N}_{S,mp}^{X,Z*}\) due to statistical fluctuations, and we need to upper bound the tail probability with error εPE. The upper Chernoff bound (denoted by the overbar) for a sum of binary variables x = ∑xj with xj {0, 1} is given by

$$\overline{x}=(1+{\delta }^{U}){x}^{*},$$
(9)

where \({\delta }^{U}=\frac{\beta+\sqrt{8\beta {x}^{*}+{\beta }^{2}}}{2{x}^{*}},\) and \(\beta=-{\log }_{e}({\varepsilon }_{PE})\). This can be applied to derive an upper bound to the actual number of multiphoton emissions \({\overline{N}}_{S,mp}^{X,Z}\), hence lower bound the number of received signals from non-multiphoton emission events, \({\underline{N}}_{R,nm}^{X,Z}\) in each basis,

$${\underline{N}}_{R,nmp}^{X,Z}={N}_{R}^{X,Z}-{\overline{N}}_{S,mp}^{X,Z}.$$
(10)

We note that tighter upper bounds on \({\overline{N}}_{S,mp}^{X,Z}\) could in principle be used, such as those based on the “factorial moment”25 or the Klar bounds26. Practically, the scope for potential improvement is minimal in our case and only possible for the highest tolerable losses of each finite block. These alternate bounds are also less amenable for numerical evaluation for the parameter ranges typical in QKD.

The phase error rate ϕX now needs to be upper bounded based on the observed number of errors in the Z basis mZ. We conservatively assume that all Z basis errors occur on the received non-multiphoton fraction, hence we have an estimate of the phase error rate,

$${\phi }^{X}=\frac{{m}_{Z}}{{\underline{N}}_{R,nmp}^{Z}}.$$
(11)

However, this estimate is the result of \({N}_{R}^{Z}\) samples in the Z basis but we need to upper bound the phase error rate in the unannounced \({N}_{R}^{X}\) samples in the X (key generating) basis. For this random sampling without replacement problem and a tail bound error ε, the upper bound of the unobserved value χ can be estimated from the observed value λ by

$$\chi=\lambda+{\gamma }^{U}\left(n,k,\lambda,{\varepsilon }^{{\prime} }\right),$$
(12)

where

$${\gamma }^{U}\left(n,k,\lambda,{\varepsilon }^{{\prime} }\right)=\frac{1}{2+2\frac{{A}^{2}G}{{(n+k)}^{2}}}\left\{\frac{(1-2\lambda )AG}{n+k}+\sqrt{\frac{{A}^{2}{G}^{2}}{{(n+k)}^{2}}+4\lambda (1-\lambda )G}\right\},$$
(13)
$$A=\max \{n,k\},$$
(14)
$$G=\frac{n+k}{nk}{\log }_{e}\frac{n+k}{2\pi nk\lambda (1-\lambda ){{\varepsilon }^{{\prime} }}^{2}},$$
(15)

under the assumption that 0 < λ < χ < 0.5 which is true for typical QKD scenarios. This now allows us to calculate an upper bound,

$${\overline{\phi }}^{X}={\phi }^{X}+{\gamma }^{U}\left({N}_{R}^{X},\,{N}_{R}^{Z},\,{\phi }^{X},\,\frac{{\varepsilon }_{sec}}{6}\right).$$
(16)

The secrecy of the protocol is εsec ≥ εPA + εPE + εEC where: \({\varepsilon }_{PA}={\varepsilon }^{{\prime} }\) is the privacy amplification failure probability; \({\varepsilon }_{PE}=2{n}_{PE}{\varepsilon }^{{\prime} }\) is the parameter estimation failure probability where nPE = 2 is the number of constraints as quantified in post-processing; \({\varepsilon }_{EC}={\varepsilon }^{{\prime} }\) is the error correction failure probability. Thus, the secrecy comes from setting each failure probability to a common value \({\varepsilon }^{{\prime} }\), i.e. \({\varepsilon }_{sec}=6{\varepsilon }^{{\prime} }\). Moreover, the QKD protocol is εqkd-secure if it is εcor-correct and εsec-secret with εqkd ≥ εcor + εsec. We set εcor = 10−15 and εsec = 10−10.

This leads to the length of the secure key fraction,

$$\ell=\lfloor {\underline{N}}_{R,nmp}^{X}\left(1-H\left({\overline{\phi }}^{X}\right)\right)-{\lambda }_{EC}-2{\log }_{2}\frac{1}{2{\varepsilon }_{PA}}-{\log }_{2}\frac{2}{{\varepsilon }_{cor}}\rfloor,$$
(17)

where λEC is the known leakage of information during error correction. The key rate is then defined as \(r=\frac{\ell }{{N}_{S}}\).

Security bounds and secure key rate

The security analysis follows that of20 using min-entropy and the failure probabilities that appear in Table 2 therein. We use uncertainty relations for bounding Bob’s raw key obtained from Alice’s raw key and conditioned on Eve’s information. Let us first consider Eve’s information E and Alice’s raw key XA, that is generated by choosing a random sample from \(N^{X}_{R,nmp}\), after the error correction and verification steps. The question is how much information Eve can extract from XA that is completely unknown to her. The probability of guessing XA given E is defined as the classical min-entropy,

$${H}_{min}\left({X}_{A}|E\right)={\log }_{2}{p}_{guess}\left({X}_{A}|E\right),$$
(18)

where \({p}_{guess}\left({X}_{A}|E\right)\) represents the probability of correctly guessing XA applying an optimal extraction strategy having access to E. The optimal strategy means to guess the value x of X with the highest conditional probability pXE=e(x) for each value e of E. For this process, let us assume that a part XB of XA with length , that is uniform conditioned on the information E, can be extracted by Bob. In other words, there is a function fs that maps XA to Bob’s raw key XB = fs(XA) considering the quantum state between Alice and Eve \({\rho }_{{X}_{A}E}\) is fixed. It has been shown that the probability of guessing XB is \({p}_{guess}\left({X}_{B}|E\right)={2}^{-\ell }\) and using Eq. (18) we obtain,

$${H}_{min}\left({X}_{B}|E\right)=\ell,$$
(19)

where is the secure key length. Furthermore, because XB comes from mapping XA, the probability of correctly guessing XB has to be greater than the probability of guessing XA. Therefore, these min-entropies can be expressed as the following inequality

$${H}_{min}\left({X}_{B}|E\right)\le {H}_{min}\left({X}_{A}|E\right)\Rightarrow \ell \le {H}_{min}\left({X}_{A}|E\right).$$
(20)

To extend this to the general case of almost uniform randomness, the smooth min-entropy \({H}_{min}^{\varepsilon }\left({X}_{A}|E\right)\) needs to be introduced. This is set as the maximum value of \({H}_{min}\left({X}_{A}|E\right)\). For privacy amplification, we consider that Alice and Bob apply a two-universal hash function. The Leftover Hashing Lemma27 gives us an exact equation for the inequality of Eq. (20) using the smooth min-entropy to relate the already mentioned Eve’s information E and Alice’s raw key XA

$$\ell={H}_{min}^{\varepsilon }\left({X}_{A}|E\right)-2\,{\log }_{2}\frac{1}{2{\varepsilon }_{PA}}$$
(21)

for the maximum number of extractable bits l that are εPA-close to uniform, conditioned on E.

We consider leakage λEC during error correction as well as additional bits for verification. Thus, the information that remains in Eve’s system \({E}^{{\prime} }\) after error correction is related by,

$${H}_{min}^{\varepsilon }\left({X}_{A}|E\right)\ge {H}_{min}^{\varepsilon }\left({X}_{A}|{E}^{{\prime} }\right)-{\lambda }_{EC}-{\log }_{2}\frac{2}{{\varepsilon }_{cor}}.$$
(22)

The leakage in one-way protocols is lower bounded as19,

$${\lambda }_{EC} \,\ge \,{n}_{X}H({e}_{X})\\+\left[{n}_{X}\left(1-{e}_{X}\right)-{F}^{-1}\left({\varepsilon }_{cor};\,{n}_{X},\,1-{e}_{X}\right)\right]{\log }_{2}\frac{1-{e}_{X}}{{e}_{X}}\\ -\frac{1}{2}{\log }_{2}{n}_{X}-{\log }_{2}\frac{1}{{\varepsilon }_{cor}},$$
(23)

where H(x) is the binary Shannon entropy, and \({F}^{-1}\left({\varepsilon }_{cor};\,{n}_{X},\,1-{e}_{X}\right)\) is the inverse of the cumulative distribution of the binomial distribution. Achievable rates by practical codes may not achieve this bound for large blocks so we choose the greater estimate of leakage given either by the above or fEC = 1.1616.

We use an uncertainty relation for smooth min-entropy to establish a bound between the remaining information that Eve has, \({E}^{{\prime} }\), and Alice’s raw key, XA. This reflects that the better Bob can estimate Alice’s raw key in the Z basis, the worse Eve can guess Alice’s raw key in the X basis, formally expressed as,

$${H}_{min}^{\varepsilon }\left({X}_{A}|{E}^{{\prime} }\right)\ge q\,{N}_{R,nmp}^{X}-{H}_{max}^{\varepsilon }\left({Z}_{A}|{Z}_{B}\right),$$
(24)

limited to the non-multiphoton events in the key generation basis X. Here, q quantifies the efficiency of Bob’s orthogonal qubit measurements, in this work we assume q = 1, although in practice the sent states by Alice are not perfect qubits. \({H}_{max}^{\varepsilon }\left({Z}_{A}|{Z}_{B}\right)\) is the smooth max-entropy of ZB conditioned on ZA. If ZB and ZA are highly correlated, we can deduce that \({H}_{max}^{\varepsilon }\left({Z}_{A}|{Z}_{B}\right)\) is small and thus, as the following bound shows28, the observed number of errors is small,

$${H}_{max}^{\varepsilon }\left({Z}_{A}|{Z}_{B}\right)\le {N}_{R,nmp}^{X}H({\phi }_{X}),$$
(25)

where ϕX is the X-basis phase error rate of non-multiphoton events. Finally, the bound for the min-entropy is,

$${H}_{min}^{\varepsilon }\left({X}_{A}|{E}^{{\prime} }\right)\ge {N}_{R,nmp}^{X}\left[1-H({\phi }_{X})\right].$$
(26)

Protocol optimisation

To maximise the rate and tolerable loss whilst maintaining security, we consider optimisations of the basis bias and signal pre-attenuation that can provide some improvement over standard protocol values, i.e. equal basis choice and no-attenuation.

The Efficient BB84 protocol simplifies standard BB84 by utilising one basis for key generation and the other basis for parameter estimation of the phase error rate, without compromising security29. In this paper, we adopt the convention that the X basis is used for the key with the Z basis used for phase error rate estimation. Alice and Bob randomly and independently choose their basis for each signal with bias pX and pZ = (1 − pX). The sifting ratio is \(1-2{p}_{X}(1-{p}_{X}) \, > \,\frac{1}{2}\) for unequal bias, higher than the sifting ratio \(\frac{1}{2}\) for \({p}_{X}=\frac{1}{2}\) as in standard BB84. Additionally, this simplification also reduces the number of parameters to be estimated, hence improving finite-statistical bounds and the reduction in key length due to composable security parameters20,30,31,32,33. The value of pX can be optimised to balance the amount of raw key bits (proportional to \({p}_{X}^{2}\)) and parameter estimation signals (proportional to \({(1-{p}_{X})}^{2}\)). In the asymptotic limit, pX → 1, hence the sifting ratio also approaches unity.

At long distances and high losses, the key rate is limited by the multi-photon emission probability. When the upper bound on the number of multiphoton emission events exceeds the number of detections, then Eve must be assumed to have full information about Alice and Bob’s string, hence there can be no secure key. Waks et al.13 proposed the addition of linear attenuation (characterised by transmission factor ηatt) of the signals prior to injection into the quantum channel controlled by Eve. The bound on the multiphoton components is reduced by a factor of \({\eta }_{att}^{2}\) while the average photon number is only reduced by ηatt. At high losses and with low dark count rates, the reduction in detection probability (and increase in QBER) may be offset by the greater fraction of Bob’s received events being the result of non-multiphoton emissions by Alice, potentially leading to increased key rate and extending the non-zero key rate region to longer ranges.