Demonstration of free-space reference frame independent quantum key distribution

Quantum key distribution (QKD) promises secure communications based not on the hardness of a mathematical problem but on the laws of physics [1–3]. The main effort in the development of QKD is directed towards long-range communication, mostly fibre-based [4–9] as well as in free space [10–13]. A prospective new application of QKD is in securing short-range line-of-sight communications between a terminal and a handheld device (see figure 1(a)) [14, 15]. Current mobile payment techniques, e.g. near field communications, have a range of security challenges including eavesdropping. Similar considerations apply to securing Wi-Fi access points. We believe that future handheld QKD systems can address these security challenges and provide a high degree of wireless security.

Zoom In Zoom Out Reset image size

One of the unique problems faced by handheld QKD is the fact that the relative orientation of the emitter and the receiver is variable. In previous works, this problem has been addressed by using entanglement [16, 17] or by encoding information on angular momenta [18], which are invariant under rotation. The reference frame independent (RFI) QKD scheme proposed in [19] does not require entanglement and allows the use of polarization encoding without the need for alignment of the qubit reference frames. In this scheme the qubits are prepared and measured in three mutually unbiased bases. Only one of those bases, on which the key is encrypted, needs to be stable. The two other bases are allowed to drift slowly and are used to estimate the security parameters of the quantum channels. The requirement for one basis to be stable is met in most practical implementations. In the case of free-space polarization-based encoding, the stable basis is the circular polarization, which is rotation independent. Figure 1(b) shows the bases used by the emitter (Alice) X_A, Y_A, Z_A and the receiver (Bob) X_B, Y_B, Z_B for an undetermined relative orientation. The use of additional bases compared to e.g. BB84 enables the reference frame independence of the scheme.

In order to demonstrate the feasibility of such a protocol we implement a prepare and measure scheme based on faint pulses and analyse the security of the channel. In addition to the reference frame independence implied by the protocol, we develop a theoretical analysis that allows us to take into account deviations from the ideal perpendicular preparation and measurement bases. Although we cannot claim to achieve full device independence [20], which generally requires entanglement, we are able to deal with device imperfections and uncalibrated devices within our selected model. In any QKD scheme the number of measurements available for the parameter estimation step is finite. Parameters obtained from the measurements are estimates with a non-zero variance, which impacts the secure key fraction as discussed in [21–23]. In our security analysis we take this into account to derive a secret key fraction. In this paper, section 2 describes the experimental setup we used to implement an RFI protocol, while in section 3 we analyse the security of the quantum channel including the influence of finite size effects, imperfectly calibrated devices and mismatched detector efficiencies. In section 4 we discuss our results.

In the prepare and measure RFI protocol, Alice needs to be able to randomly pick a light polarization state out of three different bases, i.e. horizontal/vertical, antidiagonal/diagonal, left circular/right circular, corresponding to X, Y and Z basis. This is implemented by activating one of six 850 nm vertical-cavity surface-emitting laser (VCSEL) diodes. Their respective polarizations are separately engineered before their optical beams are combined in a common mode. They are electrically driven by a pattern generator with six individually controllable outputs. Each output generates 0.5 ns pulses and their amplitudes are adjusted so that the average photon number per pulse at Alice's output is the same for all the lasers. Pseudorandom bit sequences allowing only one of the six lasers to be active every 4 ns (i.e. 250 × 10⁶ pulses s⁻¹) are programmed in the pattern generator's memory. The random bit pattern is repeated every 500 pulses. Engineering of the polarizations is performed by a set of polarizing beam splitters (PBSs) and waveplates (see figure 2). At first, the polarization of the VCSELs is ill-defined but it is filtered by the polarization beam splitters with an extinction ratio of about 13 dB. The outputs of the PBSs are polarized either horizontally or vertically depending on which laser is active. One of the PBS output's polarization is left unchanged. The output of another PBS passes through a 22.5° rotated λ/2 waveplate resulting in diagonal/antidiagonal polarizations. The output of the last PBS is directed towards a 45° rotated λ/4 waveplate resulting in left/right circular polarizations. The waveplate used in this experiment is achromatic but we estimate their retardance at 850 nm to be 0.535 and 0.265 (±0.05) for the half and quarter waveplates respectively. Those discrepancies together with the PBS extinction ratio are responsible for the biasing of the bases that are discussed in the theoretical section. After preparing the polarizations the three resulting beams are combined with two non-PBSs. The spatial profile of the combined beams is filtered with a 1 mm pinhole, while the direction profiles are filtered with a 5 μm pinhole between two lenses. Finally, light passes through a neutral density filter reducing the intensity down to below 0.05 photons per pulse. After the output of the emitter, a rotating λ/2 waveplate is used to simulate a rotation between the emitter and the receiver. The photons then travel through free space for slightly more than a metre to the measurement terminal. At the input of the measurement device, a spectral filter with 10 nm passband and 0.7 maximum transmission is used to reduce background noise. The optical arrangement of the receiver is similar to the emitter except that it is used in reverse. The common optical mode is divided into three beams by the non-PBSs and waveplates are used before the PBSs to allow measurements in the three bases. Thus, the measurement basis is passively selected by the path of the photon, making it perfectly random. The six PBS outputs are coupled with approximately 0.8 efficiency to multimode optical fibres leading to single-photon detectors. The photo detectors are silicon avalanche photodiodes with 0.45 efficiency at 850 nm, 400 dark counts per second, a timing resolution of 600 ps and 50 ns deadtime. Their firing times as well as a clock pulse coming from the pattern generator are continuously recorded by a counting card. In post-processing, we eliminate all the counts that happened when another detector was still in its deadtime, i.e. whenever two counts happen within 60 ns. Bitrates could possibly be increased by using detection events in other detectors during a given detector's deadtime, but the implications on security are unexplored. The remaining number of counts for a measurement duration of 1 s is approximately 2 × 10⁶ out of the 250 × 10⁶ weak pulses generated. The experiment is performed in the dark and owing to spectral filtering background noise is negligible compared to detector dark counts.

Zoom In Zoom Out Reset image size

Finally, by matching recorded detection times with the original random patterns we can construct a 6 × 6 matrix (see figure 3(a)) corresponding to the number of times one of the six detectors fired when one of the six lasers was active. The number of counts is maximal if the emitting and receiving polarizations are the same, it is minimal if they are opposite and it is approximately half of the maximum for all the other polarizations. This matrix constitutes the raw data of the security analysis. The counts in this matrix will be used for two different purposes. Half of the counts when both the sending and the measurement basis were Z are set aside as the raw key. The remaining half with all other counts forms the basis of the parameter estimation. The raw key length for each 1 s interval is approximately 2 × 10⁵. In order to demonstrate the robustness of our QKD scheme against reference frame rotations, we insert a half waveplate on a rotating mount in the free-space optical path between the two terminals. Varying the optic axis angle of the half waveplate simulates rotations of Alice's device. For each angle, a measurement is taken similar to that presented in figure 3(a). A comparison between measurement data and the 6 × 6 matrix predicted for ideal preparation and detection is shown in figure 3(c). The matching detector count patterns in figure 3(c) already suggest that a quantum channel between the terminals is established, but in order to claim the possibility of QKD we need to analyse the results more rigorously.

Zoom In Zoom Out Reset image size

The security of the RFI QKD protocol is discussed in [19]: two parameters are estimated from the measurements: the quantum bit error rate Q and a rotation invariant quantity C (see appendix B). While this analysis gives a good intuition why the scheme is RFI, it does not take into account factors that can impact the keyrate negatively in a real-world setting, such as non-orthogonality of the measurement directions or finite size effects. In this section we derive the secure key fraction in the qubit subspace based on a model of the device including imperfect calibration of preparation and measurement bases, non-uniform detector efficiencies and also the effect of a finite number of measurements. In general, the calculation of the secret key fraction can be posed as an inference problem: given the measurements and a device model what is the maximum amount of information an eavesdropper can possess about the distributed key? We first introduce a simplified expression for the secure key fraction, then consider a model of our QKD system and minimize the secure key fraction subject to constraints derived from the model and the measurements.

The secure key fraction can be reduced from the ideal 100% due to leakage of information at two stages in the protocol [24]. During the quantum stage information can leak to an eavesdropper, while during error correction a certain minimum amount of information needs to be exchanged over a classical channel. The two terms of the following expression [25] for the secret key fraction reflect the impact of those two information leaks

$$\begin{equation} r=S(\chi_{A}|\rho_{E})-H(\chi_{A}|\chi_{B}), \end{equation} \tag{ 1 }$$

where S(·|·) denotes the conditional von Neumann entropy, H(·|·) the conditional Shannon entropy, χ_A are the classical bit values at terminal A, χ_B are the classical bit values at terminal B and ρ_E denotes the density matrix of the eavesdropper. The first term describes the entropy of the key bits χ_A given the eavesdropper's information, we will call this 'usable entropy', S_U. The second term is the minimum necessary information to successfully perform error correction at the Shannon limit. In any real-world implementation this number has to be multiplied by a factor larger than one to account for non-ideal error correction schemes. The main objective of the parameter estimation step is to find the minimum usable entropy given the constraints set by the measurements. These constraints also take into account the uncertainties associated with a finite number of performed measurements. Additionally, the parameter estimation step provides information about the bit error rate, which is needed for error correction and thus an estimate for the second term. In our analysis we assume that the measurement results are produced by a two qubit density matrix ρ_AB shared between parties A and B. The usable entropy can be expressed as (see appendix C)

$$\begin{equation} S_{U}=S(\rho_{A\!B} \! \parallel \! \mathscr{P}\rho_{A\!B}), \end{equation} \tag{ 2 }$$

where $S(A\! \parallel \! B)$ denotes the relative entropy and the super-operator $\mathscr{P}\rho =P_{0}^{A}\rho P_{0}^{A}+P_{1}^{A}\rho P_{1}^{A}$ with the projector on the bit values at terminal A defined as $P_{0/1}^{A}=\frac {1}{2}(1\pm \sigma _{z}^{A})$. To estimate the usable entropy we have to establish a model for our QKD system. This consists of a model of the quantum channel, embodied in the density matrix, along with a model of the terminal devices. The secret key fraction can be obtained as the minimum over all channel and device parameters that are consistent with the performed measurements. For a finite number of measurements, the constraints will possess a statistical uncertainty that has to be taken into account in the minimization procedure. As we are looking for an upper bound for the usable entropy, it suffices to consider a simplified density matrix (see appendix D), guaranteed to give a lower usable entropy than the full density matrix. The usable entropy for this density matrix becomes

$$\begin{equation} S_{U}(\lambda_{1},\lambda_{2})=1+\sum_{i}\eta_{i}\log_{2}\eta_{i}-h\left(2\eta_{1}\right) \end{equation} \tag{ 3 }$$

with the eigenvalues of the density matrix η₁ = η₂ = 1/4(1 − λ₁), η₃ = 1/4(1 + λ₁ − 2λ₂) and η₄ = 1/4(1 + λ₁ + 2λ₂) and h(x) = −x log₂x − (1 − x)log₂(1 − x). With perfectly calibrated and aligned devices no additional model parameters have to be taken into account. Imperfect measurement devices can lead to a large number of additional parameters, such as non-orthogonalities in the preparation and measurement bases and detector efficiencies, which can be collected into the vector α (for the details of the model see appendix E). The usable entropy is obtained as the minimum over all parameters α, λ_1/2

$$\begin{equation} S_{\min}=\min_{\boldsymbol{\alpha},\lambda_{1},\lambda_{2}}S_{U}(\lambda_{1},\lambda_{2}). \end{equation} \tag{ 4 }$$

The parameters have to obey the constraints imposed by the observations

$$\begin{equation} f_{i}(\boldsymbol{m})-\sigma\delta f_{i}(\boldsymbol{m})\leqslant f_{i}[\boldsymbol{q}(\boldsymbol{\alpha},\lambda_{1},\lambda_{2})]\leqslant f_{i}(\boldsymbol{m})+\sigma\delta f_{i}(\boldsymbol{m}), \end{equation} \tag{ 5 }$$

where m is a matrix containing all relevant detector counts, q is the corresponding probability of observing a detector count according to the device model (see appendix E), the f_i are the functions defining the different constraints, the δf_i are their corresponding variances and σ is chosen to give a certain probability that the estimated usable entropy is too high. In our parameter estimation step we use a set of 21 constraints (see appendix F) consisting of nine correlation functions C_AB, A,B = X,Y,Z, the six probabilities that a photon was prepared in a certain polarization direction P_A±, A = X,Y,Z and the six probabilities to detect in a certain detector D_B±, B = X,Y,Z. For each function f_i we can give the standard deviation δf_i (see appendix F). To obtain the secret key fraction, we need to subtract the observed relative entropy in the key basis from the usable entropy

$$\begin{equation} r=S_{\min}-h\left(\frac{1-C_{ZZ}+\sigma\delta C_{ZZ}}{2}\right). \end{equation} \tag{ 6 }$$

The full set of measurements enables us to calculate an RFI keyrate. From the detector counts we can construct nine correlation functions

$$\begin{equation} C_{A\!B}=\frac{m_{++}^{AB}+m_{--}^{AB}-m_{+-}^{AB}-m_{-+}^{AB}}{m_{++}^{AB}+m_{--}^{AB}+m_{+-}^{AB}+m_{-+}^{AB}},\quad A,B=X,Y,Z, \end{equation} \tag{ 7 }$$

where the m^AB_±± are the four different detector counts given that the qubit was prepared in direction A ±  and detected in direction B ± . In the case of orthonormal preparation and measurement bases these can be directly identified with the qubit correlation functions. A secret key fraction can be obtained as the minimum keyrate over all density matrices consistent with the observed correlators. In the BB84 protocol [25, 26] only two correlators, e.g. C_XX and C_ZZ, are used as constraints. When the reference frames are rotated C_XX will drop and so will the secret key fraction. The RFI QKD scheme uses the four correlators C_XX, C_XY , C_{Y X}, C_{Y Y} as well as C_ZZ. While each individual correlator may decrease under reference frame rotations, the combination C = C²_XX + C²_XY  + C²_{Y X} + C²_{Y Y} ideally stays constant, enabling RFI secret key fractions. In order to treat imperfect preparation and measurement, we have to depart from the assumption of orthonormal bases and include a more detailed detector model. Each preparation and each detector are associated with a direction on the Poincaré sphere, given by a unit vector. Since we aim to use the z-basis for the key bits we can identify two preparation directions with the ±z direction on the Poincaré sphere, without overestimating the secret key fraction. Each direction is parametrized by two variables (e.g. azimuth and polar angles), resulting in a total of 20 free parameters (see appendix E). Different absorptions may occur in the preparation channels, and similarly detectors may have different efficiencies. With six possible preparation directions and six possible detection directions this adds another set of 12 parameters. The quantum channel can be represented by a two-parameter two-qubit density matrix in a simplification over the more commonly employed Bell diagonal density matrix (see appendix D). This results in a model with 34 free parameters. The secret key fraction is then obtained as the minimum over all parameters that fulfil the constraints imposed by the measurements, e.g. from the correlators C_AB; in our case a set of 21 constraints. For the number of detector counts approaching infinity the constraints are equalities, but for a finite number of observations the value can lie within an interval determined by the number of counts and the desired uncertainty. A small number of counts will lead to larger uncertainty in the correlation function and therefore to lower results for the secret key fraction.

Our main result is that the secret key fraction remains above 0.2 for all rotation angles even in the presence of device imperfections, see U-RFI in figure 4. To better understand the calculated keyrate we make a comparison with established protocols: the BB84 protocol and the RFI QKD protocol as proposed by Laing et al [19]. For the sake of comparison we assume that in these protocols both preparation bases and measurement bases are perfect, i.e. the measured correlation functions are indeed the qubit correlation functions of the underlying density matrix. A summary of the calculation of the BB84 and RFI QKD keyrates can be found in appendices A and B. We clearly see in figure 4 that while the BB84 keyrate drops to zero for certain angles the RFI QKD keyrate remains non-zero for all rotation angles. The plot also shows that for certain angles the RFI secret key fraction estimate is too optimistic compared to the U-RFI rates. This happens due to non-orthogonal measurement directions, which are not taken into account in the RFI QKD security analysis. The distinct peaks in the secret key fraction coincide with the peaks visible in the secret key fraction calculated for the BB84 protocols, as outlined above. This can be understood in the following way: the secret key fraction we calculate depends on the correlators C_AB, A,B = X,Y,Z. The correlator C_ZZ is linked to the qubit error rate. The correlators C_XX, C_XY , C_{Y X}, C_{Y Y} are related to monitoring the eavesdropping. If the absolute value of one of these correlators is large then eavesdropping in the key basis is small, even if other correlators are relatively small. This also makes the secret key fraction larger than the RFI keyrate for some angles. In the region between the peaks no individual correlator is large and only their combination gives a positive secret key fraction. In the presence of alignment errors some of the contributing correlators may be small and as a result the secret key fraction drops.

Zoom In Zoom Out Reset image size

During each transmission of 1 s we set aside approximately 2 × 10⁵ raw key bits. After obtaining the correct secret key fraction from the parameter estimation step, we can perform the privacy amplification step by applying the appropriate two-universal hash function (e.g. a Toeplitz matrix [27]) to the raw key and obtain a secure key. With a secret key fraction of around 0.25 we arrive at an approximate keyrate of 5 × 10⁴ s⁻¹. In the current implementation of our scheme potential security loop holes exist due to side channels [28], the most obvious one coming from the use of six different lasers in the preparation stage. While this loophole can be plugged by using a single laser and a 1 × 6 optical switch further analysis of the impact of side channels on the keyrate is required (e.g. the effect of photon number statistics [29] or detector characteristics [30] on our scheme).

Nevertheless, we are able to give an estimate of the impact of photon number statistics on the keyrate in our scheme. Without employing decoy states we have to assume that in pulses that contain more than one photon and which are contributing to the raw key all information is lost to the eavesdropper. Our photon source generates weak coherent pulses with a rate of 250 MHz and an average photon number of 0.05 per pulse. In order to assess the impact of a hypothetical photon number splitting attack, we have to characterize the quantum channel. An important quantity is the accessible loss [31] in the quantum channel, i.e. the part of the loss that is, in principle, under the control of the eavesdropper. Due to the short-range free-space transmission, no absorption occurs between Alice and Bob. A small amount of absorption (coupling efficiency ≈0.8) can be attributed to the mode mismatch between sender and receiver and could be manipulated by an eavesdropper. All other losses occur in the Bob device and are inaccessible losses. Starting from a 250 MHz pulse rate and 0.05 photons per pulse we arrive at a raw single-photon rate of 12.5 MHz. The recorded photon count rate is 2 MHz, giving a total absorption of η = 0.16. The accessible part of the absorption is η_A = 0.8, while the inaccessible part, containing absorption in filters, losses in optical components and finite detector efficiency contributes η_I = 0.2, so that η = η_Aη_I. The rate of two-photon pulses according to Poisson statistics is 0.3 MHz. The remaining single photons after a photon number splitting attack will still experience the inaccessible losses, so that the total number of recorded detector clicks associated with two-photon pulses is 60 kHz. Of these photons only a fraction contributes to the raw key. For our setup that fraction is 0.1. For a key distribution lasting 1 s we estimate that an eavesdropper can at most have information about 6000 key bits out of 2 × 10⁵ key bits, or the secure key fraction has to be reduced by approximately 0.03, due to the probabilistic nature of the photon source, only slightly modifying our secret key fraction.

In summary, we have shown the feasibility of RFI key distribution using off the shelf bulk optical components in a compact assembly. Our setup uses passive components and can readily be transferred to a miniaturized version using integrated optics on a chip [32, 33]. Our analysis employed in the parameter estimation step obviates the need for precise alignment of the preparation and measurement qubit bases. The achievable keyrates are sufficient to distribute hundreds of 256 bit keys within 1 s. In order to realize a handheld QKD device additional functionality, like steering of the emitted photons, towards a receiver needs to be implemented. Possible solutions include movable mirrors, movable lenses or phased arrays. Overall, the work presented here paves the way for mass-produced handheld QKD devices.

For the calculation of the keyrate for the BB84 protocol we follow [25], with the difference that we use two parameters for the quantum channel, the correlation functions C_XX and C_ZZ . The secure key fraction for the BB84 protocol is given by

$$\begin{equation} r=\min_{\eta_{i}}\left(1+\sum_{i=1}^{4}\eta_{i}\log_{2}\eta_{i}\right) \end{equation} \tag{ A.1 }$$

under the constraints

$$\begin{equation} C_{XX}=1-2\eta_{2}-2\eta_{4}, \end{equation} \tag{ A.2 }$$

$$\begin{equation} C_{ZZ}=1-2\eta_{3}-2\eta_{4}, \end{equation} \tag{ A.3 }$$

$$\begin{equation} \sum_{i=1}^{4}\eta_{i}=1. \end{equation} \tag{ A.4 }$$

This can be solved analytically to give

$$\begin{equation} \fl r=1+z_{+}x_{+}\log_{2}(z_{+}x_{+})+z_{+}x_{-}\log_{2}(z_{+}x_{-})+z_{-}x_{+}\log_{2}(z_{-}x_{+})+z_{-}x_{-}\log_{2}(z_{-}x_{-}) \end{equation} \tag{ A.5 }$$

with

$$\begin{equation} x_{\pm}=\frac{1\pm C_{XX}}{2},\quad z_{\pm}=\frac{1\pm C_{ZZ}}{2}. \end{equation} \tag{ A.6 }$$

Alternatively other correlators than C_XX can be used to obtain a keyrate. In the case of misaligned reference frames the correlators C_XY or C_{Y X} may give a more favourable keyrate.

RFI QKD was introduced in [19]. The scheme solves the problem of aligning reference frames between two partners in a QKD protocol if one stable direction exists (e.g. in polarization encoding physical rotation does not influence the circular polarization direction). The stable direction is used for encoding the qubits, while perpendicular directions are used for parameter estimation. It is sufficient to consider two quantities constructed from the qubit correlation functions: the bit error rate

$$\begin{equation} Q=\frac{1-C_{ZZ}}{2} \end{equation} \tag{ B.1 }$$

and the quantity

$$\begin{equation} C=C_{XX}^{2}+C_{XY}^{2}+C_{YX}^{2}+C_{YY}^{2} \end{equation} \tag{ B.2 }$$

with the qubit correlation functions given by

$$\begin{equation} C_{A\!B}={\rm Tr}\left(\sigma_{A}\sigma_{B}\rho\right), \end{equation} \tag{ B.3 }$$

where ρ is the two qubit density matrix. Under rotations around the z-axis the Pauli matrices transform σ_x → σ_x cos α + σ_y sin α and σ_y → σ_y cos α − σ_x sin α, with the rotation angle given by α. One can see that the quantity C stays invariant under these kinds of rotations. The secret key fraction can be shown to be a function of C and Q. For Q ≲ 0.159 the secret key fraction becomes

$$\begin{equation} r=1-h(Q)-(1-Q)h\left(\frac{1+u}{2}\right)-Qh\left(\frac{1+v}{2}\right) \end{equation} \tag{ B.4 }$$

with h(x) = −log₂x − (1 − x)log₂(1 − x) the Shannon entropy function and $u=\min (\sqrt {C/2}/(1-Q),1)$ and $v=\sqrt {C/2-(1-Q)^{2}u^{2}}/Q$.

A quantum communication channel between parties Alice (A) and Bob (B) can be described by the density matrix ρ_AB. In general, this density matrix will not be pure due to noise, errors and the action of an eavesdropper. In order to prove security of the communication channel, we have to assume all deviations from the ideal case are due to an eavesdropper. The combined state of ρ_AB and an eavesdropper can then be expressed as the pure state

$$\begin{equation} |\psi\rangle_{A\!B\!E}=\sum_{i=1}^{4}\sqrt{\lambda_{i}}|\Phi_{i}\rangle_{A\!B}|\nu_{i}\rangle_{E}, \end{equation} \tag{ C.1 }$$

where the λ_i are the eigenvalues of ρ_AB, |Φ_i〉_AB are the corresponding eigenfunctions and |ν_i〉 are an orthogonal basis for the state of the eavesdropper. Note that the dimension of the Hilbert space of the eavesdropper equals the dimensions of ρ_AB. The density matrices in the subspaces can then be obtained as

$$\begin{equation} \rho_{A\!B}={\rm Tr}_{E}\left(|\psi\rangle_{A\!B\!E}\langle\psi|_{A\!B\!E}\right) \end{equation} \tag{ C.2 }$$

and

$$\begin{equation} \rho_{E}={\rm Tr}_{A\!B}\left(|\psi\rangle_{A\!B\!E}\langle\psi|_{A\!B\!E}\right). \end{equation} \tag{ C.3 }$$

The reduced density matrix of the eavesdropper equals the reduced density matrix of Alice and Bob up to a unitary transformation

$$\begin{equation} \rho_{E}=U\rho_{A\!B}U^{\dagger}. \end{equation} \tag{ C.4 }$$

Let us consider the entropy of the key bits χ_A given that the eavesdropper knows the state of the system χ_E, S(χ_A|χ_E). We can rewrite the conditional entropy as

$$\begin{equation} S(\chi_{A}|\rho_{E})=S(\chi_{A})+S(\chi_{E}|\chi_{A})-S(\rho_{E}). \end{equation} \tag{ C.5 }$$

With X being the classical value of Alice's qubit we can write

$$\begin{equation} S(\rho_{E}|\chi_{A})=\sum_{x=0,1}p_{x}S(E_{x}). \end{equation} \tag{ C.6 }$$

If Alice prepares key bit 0 with probability p₀ and key bit one with probability p₁ we can write the corresponding density matrices E₀, E₁ with the help of the projection operators

$$\begin{equation} P_{x}=|x\rangle_{A}\langle x|_{A},\quad x=0,1 \end{equation} \tag{ C.7 }$$

as

$$\begin{equation} E_{x}={\rm Tr}_{A\!B}\left(P_{x}|\psi\rangle_{A\!B\!E}\langle\psi|_{A\!B\!E}\right) \end{equation} \tag{ C.8 }$$

or

$$\begin{equation} E_{x}=\frac{1}{p_{x}}\sqrt{\rho_{A\!B}}P_{x}\sqrt{\rho_{A\!B}}. \end{equation} \tag{ C.9 }$$

Since unitary transformations do not change the entropy we can replace ρ_AB with ρ_E in the calculation of entropies

$$\begin{equation} S\left(\frac{1}{p_{x}}\sqrt{\rho_{A\!B}}P_{x}\sqrt{\rho_{A\!B}}\right)=S\left(\frac{1}{p_{x}}\sqrt{\rho_{E}}P_{x}\sqrt{\rho_{E}}\right). \end{equation} \tag{ C.10 }$$

We can use

$$\begin{equation} {\rm Tr}\left[\sqrt{\rho}P\sqrt{\rho}F(\sqrt{\rho}P\sqrt{\rho})\right]={\rm Tr}\left[P\rho P\!F(P\rho P)\right], \end{equation} \tag{ C.11 }$$

where F is any function and we used

$$\begin{equation} F(\sqrt{\rho}P\sqrt{\rho})=\sum_{n}c_{n}(\sqrt{\rho}P\sqrt{\rho})^n=\sum_{n}c_{n}\sqrt{\rho}P\left(P\rho P\right)^{n-1}P\sqrt{\rho}. \end{equation} \tag{ C.12 }$$

We can therefore write

$$\begin{equation} S(\rho_{E}|\chi_{A})=\sum_{x=0,1}p_{x}S\left(\frac{1}{p_{x}}P_{x}\rho_{E}P_{x}\right). \end{equation} \tag{ C.13 }$$

Since the P_x project onto orthogonal subspaces we can use (see  [34, p 518]) to write

$$\begin{equation} S(\rho_{E}|\chi_{A})=S\left(\sum_{x=0,1}P_{x}\rho_{E}P_{x}\right)-S(\chi_{A}). \end{equation} \tag{ C.14 }$$

The equality holds if the projectors P_x project onto orthogonal subspaces and acts as an upper bound on the usable entropy otherwise. The conditional entropy therefore becomes

$$\begin{equation} S(\chi_{A}|\rho_{E})=S\left(\sum_{x=0,1}P_{x}\rho_{E}P_{x}\right)-S(\chi_{E}). \end{equation} \tag{ C.15 }$$

Introducing the projective measurement

$$\begin{equation} \mathscr{P}\rho=\sum_{x}P_{x}\rho P_{x} \end{equation} \tag{ C.16 }$$

we can write

$$\begin{equation} S(\chi_{A}|\rho_{E})=S\left(\mathscr{P}\rho_{E}\right)-S(\rho_{E}). \end{equation} \tag{ C.17 }$$

Since $\mathscr{P}$ is a projective measurement this simplifies further to the relative entropy

$$\begin{equation} S(\chi_{A}|\rho_{E})=S\left(\rho_{E}\! \parallel \! \mathscr{P}\rho_{E}\right)=S\left(\rho_{A\!B}\! \parallel \! \mathscr{P}\rho_{A\!B}\right). \end{equation} \tag{ C.18 }$$

We now want to investigate how a further projective measurement influences the relative entropy. Introducing

$$\begin{equation} \mathscr{L}\rho=\sum_{i}L_{i}\rho L_{i} \end{equation} \tag{ C.19 }$$

with the projection operators L_i. We consider the relative entropy before and after the projective measurement $\mathscr{L}$

$$\begin{equation} S\left(\rho_{A\!B}\! \parallel \! \mathscr{P}\rho_{A\!B}\right)-S\left(\mathscr{L}\rho_{A\!B}\! \parallel \! \mathscr{P}\mathscr{L}\rho_{A\!B}\right). \end{equation} \tag{ C.20 }$$

For commuting operations

$$\begin{equation} \mathscr{PL}=\mathscr{LP} \end{equation} \tag{ C.21 }$$

and using that the relative entropy of two density matrices decreases or stays the same under completely positive trace preserving maps [35] we obtain

$$\begin{equation} S\left(\rho_{A\!B}\! \parallel \! \mathscr{P}\rho_{A\!B}\right)-S\left(\mathscr{L}\rho_{A\!B}\! \parallel \! \mathscr{L}\mathscr{P}\rho_{A\!B}\right)\geqslant0 \end{equation} \tag{ C.22 }$$

if the operations $\mathscr{L}$ and $\mathscr{P}$ commute.

We can use the inequality above to simplify the model density matrix for parameter estimation. Starting from the full two qubit density matrix with 15 free parameters we can apply a series of projective measurements

$$\begin{equation} \mathscr{L}=\mathscr{L}_{2}\mathscr{L}_{1} \end{equation} \tag{ D.1 }$$

to arrive at a simpler density matrix with fewer parameters that is guaranteed to give a smaller value for the usable entropy. The individual projective measurement super-operators are

$$\begin{equation} \mathscr{L}_{i}=\lim_{t\rightarrow\infty}\,\mathrm{e}^{-t\mathscr{K}_{i}} \end{equation} \tag{ D.2 }$$

and the corresponding Liouvillian

$$\begin{equation} \mathscr{K}_{i}\rho=\left\{ \Sigma_{i}\Sigma_{i},\rho\right\} -2\Sigma_{i}\rho\Sigma_{i},\quad\Sigma_{1}=\sigma_{z}^{A}-\sigma_{z}^{B},\Sigma_{2}=\sigma_{x}^{A}\sigma_{x}^{B}. \end{equation} \tag{ D.3 }$$

If we use the z basis for the key bits then the measurement operator becomes

$$\begin{equation} \mathscr{P}\rho=P_{0}^{A}\rho P_{0}^{A}+P_{1}^{A}\rho P_{1}^{A} \end{equation} \tag{ D.4 }$$

with the projector on the bit values at terminal A defined as

$$\begin{equation} P_{0/1}^{A}=\textstyle\frac{1}{2}\left(1\pm\sigma_{z}^{A}\right). \end{equation} \tag{ D.5 }$$

It can be shown that

$$\begin{equation} \mathscr{P}\mathscr{L}_{i}\rho-\mathscr{L}_{i}\mathscr{P}\rho=0 \end{equation} \tag{ D.6 }$$

for all density matrices ρ. After applying all the projective measurements to a general density matrix the simplified density matrix takes the form

$$\begin{equation} \rho=\frac{1}{4}\left(\begin{array}{@{}cccc@{}} 1+\lambda_{1} & 0 & 0 & 2\lambda_{2}\\ 0 & 1-\lambda_{1} & 0 & 0\\ 0 & 0 & 1-\lambda_{1} & 0\\ 2\lambda_{2} & 0 & 0 & 1+\lambda_{1} \end{array}\right). \end{equation} \tag{ D.7 }$$

This density matrix can now be used in models for parameter estimation.

We want to construct a model for the probability of registering a detector count in the detector measuring in basis B, direction V , provided the bit was prepared in basis A, direction U, p^AB_UV . The probability of observing a count in a detector given a certain preparation is proportional to

$$\begin{equation} q_{UV}^{AB}=t_{AU}^{1}t_{BV}^{2}{\rm Tr}(\skew3\hat{P}_{{\kern-2pt}AU}\skew3\hat{P}_{{\kern-2pt}BV}\rho), \end{equation} \tag{ E.1 }$$

where t¹ and t² account for the preparation and detection efficiencies. The projectors $\skew3\hat{P}_{{\kern-2pt}AU} \ \mathrm {and}\;\skew3\hat{P}_{{\kern-2pt}BV}$ are along a certain preparation or measurement direction, given by a unit vector n_AX or r_BY

$$\begin{equation} \skew3\hat{P}_{{\kern-2pt}AU}=\textstyle\frac{1}{2}\left(1+\boldsymbol{n}_{{\kern-2pt}AU}\cdot\boldsymbol{\sigma}_{{\kern-2pt}A}\right),\quad\skew3\hat{P}_{{\kern-2pt}BV}=\textstyle\frac{1}{2}\left(1+\boldsymbol{r}_{{\kern-2pt}BV}\cdot\boldsymbol{\sigma}_{{\kern-2pt}B}\right), \end{equation} \tag{ E.2 }$$

where σ_A/B is a vector of Pauli matrices in the respective local basis. Using the simplified density matrix equation (D.7), we obtain

$$\begin{equation} q_{UV}^{AB}=\frac{t_{{\kern-2pt}AU}^{1}t_{BV}^{2}}{4}\left[1+\sum_{ij}n_{i}^{AU}r_{j}^{BV}{\rm Tr}(\hat{\sigma}_{i}^{A}\hat{\sigma}_{j}^{B}\rho)\right] \end{equation} \tag{ E.3 }$$

with

$$\begin{equation} {\rm Tr}(\hat{\sigma}_{i}^{A}\hat{\sigma}_{j}^{B}\rho)=\delta_{ij}l_{i}=\Lambda_{ij},\quad\boldsymbol{l}=(\lambda_{2},\lambda_{2},\lambda_{1}) \end{equation} \tag{ E.4 }$$

and therefore

$$\begin{equation} q_{UV}^{AB}=\frac{t_{{\kern-1pt}AU}^{1}t_{BV}^{2}}{4}\left(1+\boldsymbol{n}_{{\kern-1pt}AU}\cdot\Lambda\cdot\boldsymbol{r}_{{\kern-1pt}BV}\right), \end{equation} \tag{ E.5 }$$

so that the probabilities become

$$\begin{equation} p_{UV}^{AB}=\frac{q_{UV}^{AB}}{\sum_{ABUV}q_{UV}^{AB}}. \end{equation} \tag{ E.6 }$$

For our measurement setup there are six distinct preparation directions n_AU, A = X,Y,Z, U = ± , with two free parameters, the azimuthal and polar angles, specifying each direction. The z-direction is identified with the qubit directions at terminal A and therefore we fix n_Z± = (0,0,±1). Similarly there are six measurement directions r_BV, B = X,Y,Z, V = ± .

The calculation of the secret key fraction is based on a minimization subject to a number of constraints. In our implementation we use a total of 21 constraints. Each constraint and its corresponding standard deviation can be calculated from the raw detector counts obtained in the parameter estimation process. The first set of constraints is given by the nine correlation functions

$$\begin{equation} C_{A\!B}(\boldsymbol{m})=\frac{m_{++}^{AB}+m_{--}^{AB}-m_{+-}^{AB}-m_{-+}^{AB}}{m_{++}^{AB}+m_{--}^{AB}+m_{+-}^{AB}+m_{-+}^{AB}},\quad A,B=X,Y,Z. \end{equation} \tag{ F.1 }$$

Additional six constraints are the probabilities for preparing a certain direction

$$\begin{equation} P_{{\kern-1pt}AU}(\boldsymbol{m})=\frac{\sum_{BV}m_{UV}^{AB}}{N_{0}},\quad N_{0}=\sum_{ABUV}m_{UV}^{AB}, \end{equation} \tag{ F.2 }$$

where N₀ is the total number of detector counts. Further six constraints are the probabilities for detecting a certain direction

$$\begin{equation} D_{BV}(\boldsymbol{m})=\frac{\sum_{{\kern-1pt}AU}m_{UV}^{AB}}{N_{0}}. \end{equation} \tag{ F.3 }$$

The corresponding standard deviations are

$$\begin{equation} \delta C_{A\!B}(\boldsymbol{m})=\sqrt{\frac{4\left(m_{++}^{AB}+m_{--}^{AB}\right)\left(m_{+-}^{AB}+m_{-+}^{AB}\right)}{\left(m_{++}^{AB}+m_{--}^{AB}+m_{+-}^{AB}+m_{-+}^{AB}\right)^{3}}} \end{equation} \tag{ F.4 }$$

and

$$\begin{equation} \delta P_{{\kern-1pt}AU}(\boldsymbol{m})=\sqrt{\frac{(N_{0}-\sum_{BV}m_{UV}^{AB})\sum_{BV}m_{UV}^{AB}}{N_{0}^{3}}} \end{equation} \tag{ F.5 }$$

as well as

$$\begin{equation} \delta D_{BV}(\boldsymbol{m})=\sqrt{\frac{(N_{0}-\sum_{{\kern-1pt}AU}m_{UV}^{AB})\sum_{{\kern-1pt}AU}m_{UV}^{AB}}{N_{0}^{3}}}. \end{equation} \tag{ F.6 }$$

This gives us a total of 21 constraints derived from the raw detector counts to be used in the calculation of the secret key fraction.