Security in the Multi-Dimensional Fibonacci Protocol


David S. Simon,$^{1,2}$ Casey Fitzpatrick,$^{1}$ and Alexander V. Sergienko$^{1,3,4}$

$^{1}$ Dept. of Electrical and Computer Engineering, Boston University, 8 Saint Mary’s St., Boston, MA 02215

$^{2}$ Dept. of Physics and Astronomy, Stonehill College, 320 Washington Street, Easton, MA 02357

$^{3}$ Photonics Center, Boston University, 8 Saint Mary’s St., Boston, MA 02215

$^{4}$ Dept. of Physics, Boston University, 590 Commonwealth Ave., Boston, MA 02215

Security against simple eavesdropping attacks is demonstrated for a recently proposed quantum key distribution protocol which uses the Fibonacci recursion relation to enable high-capacity key generation with entangled photon pairs. No transmitted pairs need to be discarded in reconciliation; the only pairs not used for key generation are those used for security-checking. Although the proposed approach does not allow eavesdropper-induced errors to be detected on single trials, it can nevertheless reveal the eavesdropper’s action on the quantum channel by detecting changes in the distribution of outcome probabilities over multiple trials, and can do so as well as the BB84 protocol. The mutual information shared by the participants is calculated and used to show that a secret key can always be distilled.

PACS numbers: 03.67.Dd, 62.23.St, 42.25.Fx

I. INTRODUCTION

In quantum key distribution (QKD), two legitimate users of the system, Alice and Bob, attempt to generate a shared encryption key in such a way that the laws of quantum mechanics prevent an unauthorized eavesdropper, Eve, from obtaining the key without revealing her presence. Restricting ourselves here to systems that use pairs of entangled photons, the most common approach is the Ekert protocol [1], which is itself an entangled version of the earlier BB84 protocol [2]. An embodiment of this approach using photon polarization works as follows. Alice and Bob each receive half of the entangled pair from a common source. Often the source is in Alice’s lab, but it may be under the control of a third party (or even under the control of Eve herself). As the photons arrive, Alice and Bob each randomly choose one of two bases in which to make a linear polarization measurement. One basis consists of horizontal and vertical polarization states ($|H\rangle$ and $|V\rangle$), the other involves diagonal states ($|{\nearrow}\rangle$ and $|{\searrow}\rangle$) polarized at 45° from the horizontal and vertical. They then communicate on a classical (possibly public) channel in order to compare their bases (but not the results of their measurements), discarding those trials in which they used different bases.

In the simplest possible eavesdropping attack, Eve also makes a polarization measurement of one photon as it is en route to Bob. She must guess randomly which measurement basis to use. If she guesses correctly, measuring in the same basis as Alice and Bob, then she gains full information about the polarization state and therefore has complete information about the state of the corresponding key segment. Half of the time she guesses incorrectly, in which case her outcome is completely random and uncorrelated with Alice’s result. When she sends on the photon, Bob’s results will also be completely randomized in the original basis. This disturbance in Bob’s results allows Eve’s actions to be revealed. Alice and Bob randomly select a subset of their results for a security check, exchanging the results of their measurements as well as the basis used on these trials. If Eve intercepts a fraction $\eta$ of Bob’s photons she introduces an error rate of $\frac{\eta}{4}$ between Alice’s outcomes and Bob’s in the security-checking subset.

The polarization states have an effective Hilbert space of dimension 2, allowing a single bit of the key to be extracted in each polarization measurement. There have been a number of attempts to generalize the procedure above with other physical degrees of freedom that have higher-dimensional effective Hilbert spaces, thereby allowing more than one bit of the key to be generated per photon [3–7], as well as improved ability to detect eavesdroppers. One particularly promising way [8–10] to achieve this goal is to use the photon’s orbital angular momentum (OAM) [11–13] instead of polarization. The OAM about the propagation axis is quantized, $L_z = l\hbar$, where the topological charge $l$ can take on any integer value. If a range of OAM values of size $N$ is used as the alphabet (for example $l = 1, 2, \ldots, N$ or $l = -\frac{N-1}{2}, \ldots, +\frac{N-1}{2}$ for even $N$), then each photon can be used to determine up to $\log_2 N$ bits of the key. Although in principle such schemes allow unlimited numbers of bits per photon, their experimental complexity increases rapidly with increasing $N$. For the most part we will work in this paper with arbitrary $N$, but in order to make the discussion more concrete we will at some points restrict ourselves to an alphabet of size $N = 8$ (capable of achieving $\log_2 8 = 3$ bits per photon). The generalization to higher values of $N$ is straightforward.

In [14], an approach to high-dimensional QKD was proposed based on a novel entangled light source [15–19] that produces output with absolute values of the OAM spectrum restricted to the Fibonacci sequence. (Recall that the Fibonacci sequence starts with initial values $F_1 = 1$ and $F_2 = 2$, generating the rest of the sequence via the recurrence relation $F_{n+2} = F_{n+1} + F_n$.) These states pump a nonlinear crystal, leading to spontaneous parametric down conversion (SPDC), in which a small proportion of the input photons are split into entangled signal and idler output photons. After the crystal, any photons with non-Fibonacci values of OAM are filtered out. Angular momentum conservation and the Fibonacci recurrence relation conspire to force the two output photons to have OAM values that are adjacent Fibonacci numbers (for example $F_m$ and $F_{m+1}$). These photons can then be used to generate a secret key, as detailed in the next section.

The Fibonacci protocol requires the ability to distinguish between single OAM eigenstates and pairwise superpositions of eigenstates. This cannot be done unambiguously on a single trial; however, as shown in [28], an interferometric approach allows statistical discrimination of the possibilities over multiple trials. Using this approach, we show in this paper that the outcome probability distributions can be built up in such a way that eavesdropping alters them in a detectable manner. In this way, an eavesdropper can be revealed over multiple trials even though it may not be possible to identify errors on any individual trial. This is especially important because even without eavesdropping there is some probability of error in discriminating between states in individual trials, due to the non-orthogonality of the relevant superposition states. This complication must be dealt with in the reconciliation stage. BB84 and most other protocols rely on the rate of errors in individual outcomes for security, but here we must rely on statistical changes wrought by the eavesdropper’s actions over many trials. As a result, rather than using eavesdropper-induced error rates as a measure of eavesdropper detection, it is more appropriate here to use probability-based measures such as the disturbance $D$ [21], which is defined in section V.

Section II reviews the procedure for implementing the Fibonacci protocol in the context of OAM measurements. The effect of eavesdropping is examined in section III. Details of the means of dealing with the superposition states are described in section IV, with calculations of various measures of security carried out in section V and conclusions in Section VI. A brief discussion of key reconciliation over a classical channel is given in Appendix A, and detailed expressions for the probability distributions of outcomes for the protocol appear in Appendix B.

II. SETUP FOR KEY DISTRIBUTION

Here, we review the Fibonacci protocol [14]. The protocol discussed here is a slightly improved variation on the original proposal of [14], making use of the apparatus described in more detail in [28]. Note that no trials need to be discarded in the scheme described, aside from those used for security checking. This is in contrast to the original version of the Fibonacci protocol [14] where $\frac{1}{4}$ of the trials were discarded during reconciliation and the BB84/Ekert protocol, where $\frac{1}{2}$ must be discarded.

The Fibonacci protocol allows multiple key bits to be generated per photon. The required basis modulation can be done in a completely passive manner, and switching only has to be done between two fixed bases, so that the complexity of the setup increases much more slowly with increasing $N$ than in other OAM-based QKD methods, such as [7].

The basic setup is shown schematically in Fig. 1. The source on the left (see [14] for more detail) uses a down conversion source and scattering from an aperiodic spiral nanoarray [15–19] to create an entangled superposition of states with Fibonacci-valued OAM states in the two output directions:

$$\psi = \sum_n \left( |F_{n-1}\rangle_A |F_{n-2}\rangle_B + |F_{n-2}\rangle_A |F_{n-1}\rangle_B \right), \qquad (1)$$

where the index $n$ runs over the indices of the allowed Fibonacci numbers in the pump beam: $|\Psi\rangle_{\text{pump}} = \sum_n |F_n\rangle$. Alice and Bob each receive one photon from the entangled pair. In each of their labs is a 50/50 beam splitter which randomly directs the photon to one of two types of detection stages. The stage labeled “L-type” detection consists of an OAM sorter [22–24] followed by a set of single-photon detectors. The OAM sorter sends OAM eigenstates with different $l$ values into different outgoing directions, so that they will be registered in different detectors, thus allowing $l$ to be determined. The other type of detection (labeled “D type”) is used to distinguish different superpositions $|S_n\rangle$ of the form

$$|S_n\rangle = \frac{1}{\sqrt{2}} \left( |F_{n-1}\rangle + |F_{n+1}\rangle \right). \qquad (2)$$

The detection of such superposition states can be accomplished in several ways [25–27]. One complication with the D-type detection is that adjacent superposition states, such as $\frac{1}{\sqrt{2}}(|F_{n-1}\rangle + |F_{n+1}\rangle)$ and $\frac{1}{\sqrt{2}}(|F_{n+1}\rangle + |F_{n+3}\rangle)$, are not orthogonal, meaning that the two states cannot be unambiguously distinguished from each other. This adds complications to the classical exchange and alters the corresponding detection probabilities; however, we will see below that this extra complication is well compensated by the increased key-generating capacity. Moreover, the degree of complication does not grow with the size of the alphabet used, so that the benefits outweigh the complications by a larger amount as the range of $l$ values increases.

It is necessary to keep the possible key values uniformly distributed, so that Eve can’t obtain any advantage from knowledge of the nonuniform distribution. To do this it will be necessary to make sure that the spectrum of signal and idler values is broader than the alphabet of values actually used for the key, since the nonorthogonality of the superposition states means that measurements can broaden the range of outgoing values (see section III).

It should be noted that photons are lost from the setup only once, in the filtering after the crystal; the spiral before the crystal simply redistributes the energy among the available modes through interference effects, with no net loss of photons or energy. As a result, event rates should be at levels comparable to other entangled photon protocols.

FIG. 1: Schematic setup for generating cryptographic key with Fibonacci-valued OAM states.

For illustration purposes, we will often restrict ourselves to the case $N = 8$. Assume that the pump spectrum is broad enough to be approximately flat over a sufficient span to produce signal and idler OAM values of uniform probability over the range $F_{m_0}$ to $F_{m_0+N-1}$, for some $m_0$. The outcomes for L-type detection (OAM eigenstates) that will be used for key generation by Alice and Bob are then simply $|F_{m_0}\rangle, |F_{m_0+1}\rangle, \ldots, |F_{m_0+N-1}\rangle$. For example, if the values $N = 8$, $m_0 = 2$ are chosen, then the utilized states are

$$|l_A\rangle, |l_B\rangle = \{|F_2\rangle, |F_3\rangle, |F_4\rangle, \ldots, |F_9\rangle\} = \{|2\rangle, |3\rangle, |5\rangle, |8\rangle, |13\rangle, |21\rangle, |34\rangle, |55\rangle\}. \qquad (3)$$

The outcomes for D-type detection (two-fold OAM superposition states) used by Alice and Bob for key generation run from

$$|S_{m_0}\rangle = \frac{1}{\sqrt{2}} \left\{ |F_{m_0-1}\rangle + |F_{m_0+1}\rangle \right\} \qquad (4)$$

to

$$|S_{m_0+N-1}\rangle = \frac{1}{\sqrt{2}} \left\{ |F_{m_0+N-2}\rangle + |F_{m_0+N}\rangle \right\}. \qquad (5)$$

Detection either of the states $|F_n\rangle$ or $|S_n\rangle$ by Alice will correspond to a key value $K = F_n$. Unfortunately, Alice and Bob will not necessarily agree on the same key unless further classical information is exchanged to reconcile their values. One possible method for reconciliation is discussed in appendix A.

FIG. 2: Outcome probabilities for eigenstates. (a) When there is no eavesdropping and Bob measures in the L basis, an incoming eigenstate should be detected correctly 100% of the time. (b) When Eve measures in the D basis, each eigenstate can result in two different superposition detections. If she sends one of these superpositions on to Bob, the net result is that there are now three eigenstates that he could detect.

III. EFFECT OF EAVESDROPPING: QUALITATIVE DISCUSSION

If an eavesdropper is acting on the photon heading to Bob, she does not know which type of detection (D or L) will occur in Alice’s and Bob’s labs. If Alice detects an eigenstate, then the state arriving at Bob’s end should be a superposition, whereas if Alice detects a superposition then the state heading toward Bob should be an eigenstate. If Eve makes a D-type measurement when Bob’s photon is in an L state or if she makes an L-type measurement when Bob’s photon is in a D state, a disturbance is made in the statistical distribution of Alice and Bob’s joint outcomes, which will become apparent when Bob compares a random subset of his trials with Alice’s. In more detail:

(i) Suppose Eve makes a D-type measurement on a photon which is actually in the eigenstate $|F_m\rangle$. She will detect one of the two superpositions $|F_m\rangle + |F_{m-2}\rangle$ or $|F_m\rangle + |F_{m+2}\rangle$, each with 50% probability, and send on a copy of it. If Bob receives one of these superpositions and makes an L measurement, he will see one of the values $F_m$, $F_{m-2}$, or $F_{m+2}$, with respective probabilities of $\frac{1}{2}$, $\frac{1}{4}$, $\frac{1}{4}$. In Eve’s absence, he should only see $F_m$ with 100% probability (see Fig. 2).

(ii) On the other hand, suppose Eve makes an L-type measurement on a photon which is actually in the superposition state $|F_m\rangle + |F_{m-2}\rangle$. She will detect one of the two eigenstates $|F_m\rangle$ or $|F_{m-2}\rangle$, each with 50% probability, and send on a copy of it. If Bob receives one of these eigenstates and makes a D measurement, he will see one of the superpositions $|F_m\rangle + |F_{m-2}\rangle$, $|F_m\rangle + |F_{m+2}\rangle$, or $|F_{m-2}\rangle + |F_{m-4}\rangle$, with respective probabilities of $\frac{1}{2}$, $\frac{1}{4}$, $\frac{1}{4}$ (see fig. 3). Thus, it seems that Bob sees the same result whether Eve interferes or not. However, by adding an additional interferometric element to the setup, we will see (section IV) that Bob will be able to distinguish between the two cases.

FIG. 3: Outcome probabilities for superposition states. (a) When there is no eavesdropping, an incoming superposition state leads to three possible outcomes when Bob makes a measurement in the superposition (D) basis: the state can be identified correctly with probability $\frac{1}{2}$, or it can be misidentified as one of the other two allowed superpositions that have nonzero overlap with it. (b) When Eve measures in the L basis, each of the two possible eigenstates that result can lead to two different superpositions. The net result is that there are three outcomes that have nonzero overlap with the two eigenstates, so that the same probabilities occur as in figure (a), unless an addition is made to the apparatus (section IV).

It will be desirable to arrange the probabilities of the possible outcomes into a matrix. However, as seen above, the process of measurement can cause the range of states present in the system to spread. States that are within the range of our alphabet can lead to measurements outside the allowed range (for example, the in-range state $|S_{m_0+N-1}\rangle$ can be measured as the out-of-range $|S_{m_0+N}\rangle$, since these two states have nonzero overlap). Similarly, states that are initially outside the desired range can lead to in-range measurements. This spreading is greater when Eve is present and introducing additional measurements. So to account for this and to maintain the uniform distribution of key values, we allow states beyond the desired range to propagate in the system and include additional rows and columns in the probability matrix to describe the probability that the measured state is out of range of the allowed alphabet. This will be seen explicitly in section V and Appendix B. Note that we only need to include events in which at least one of the legitimate participants sees a value out of range; we can exclude events where the measurements are out of range for both of them.

IV. DISCRIMINATING SUPERPOSITION STATES

The discrimination of OAM eigenstates in the L basis is straightforward and simply requires an OAM sorter. Discrimination of superposition states in the D basis is more complicated. As shown in [28], the setup of figure 4 is capable of sorting the superposition states. A pair of photon-counting detectors $C_n$ and $D_n$ is used at the output ports of the final nonpolarizing beam splitters. If $C_n$ fires during the key-generating trials, we count that as an $|S_{n-1}\rangle$ detection. Due to destructive interference, $D_n$ should not fire for $|S_{n-1}\rangle$ input, so its firing will count as an $|F_n\rangle$ detection. Then the scheme of Appendix A is used to reconcile Alice’s and Bob’s trials by classical information exchange in order to arrive at an unambiguously agreed-upon key. During the security checks, we then look at the distribution of counts in $C_n$ and $D_n$ separately in order to detect eavesdropper-induced deviations from the expected probability distributions. In order to achieve the indistinguishability required for interference, the OAM of each photon is shifted to zero after the sorting by a spiral phase plate or by other means. Measurements with detectors $C_n$ and $D_n$, respectively, are equivalent to looking for nonzero projections onto the states

$$|C_n\rangle = \frac{i}{\sqrt{2}} \left( |F_n\rangle + |F_{n-2}\rangle \right) = i|S_{n-1}\rangle \qquad (6)$$

$$|D_n\rangle = \frac{1}{\sqrt{2}} \left( |F_n\rangle - |F_{n-2}\rangle \right). \qquad (7)$$

These two sets of states are also mutually nonorthogonal: $\langle C_n | D_m \rangle = -\frac{i}{2} \left( \delta_{m,n-2} - \delta_{m,n+2} \right)$.

There are then multiple possible output states for Alice and Bob. Each can measure in the L basis and obtain one of the $|F_n\rangle$ states, or they can measure in the D basis and register one of the $|C_n\rangle$ or $|D_n\rangle$ states. Their joint output probabilities for these states can then be found by taking the incoming state, applying the appropriate projection operator ($|F_n\rangle\langle F_n|$, $|C_n\rangle\langle C_n|$, $|D_n\rangle\langle D_n|$), and then taking the inner product of the resulting projection with the initial state. The effect of Eve’s intervention on Bob’s channel can be dealt with by inserting similar additional projection operators representing Eve’s measurements. These extra projection operators tend to spread the probability distributions out, causing them to be nonzero for combinations of outcomes that previously had vanishing probabilities. As a result, Eve’s actions can be revealed by these alterations in the outcome probabilities.

FIG. 4: A portion of a detection unit for statistically detecting superpositions of OAM states, analogous to the polarization version of the previous figure. The sorter separates different OAM values, which are then shifted to zero OAM by spiral wave plates or holograms (the yellow circles). From the top downward, the OAM shifters shown change the incoming OAM value by $\Delta l = -F_{m-2}, -F_m, -F_{m+2}, -F_{m+4}$. Superpositions of the form $|F_m\rangle + |F_{m+2}\rangle$ cause constructive interference at the $C_m$ detectors and destructive interference at the $D_m$ detectors, while OAM eigenstates lead to equal detection rates at both types.
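As an added illustration (not code from the paper), the following Python sketch evaluates the projections of eqs. (2), (6) and (7) for the two intercept-resend cases of section III. It assumes each D-type projector carries a weight of 1/2 so that the C and D probabilities sum to one, and that Eve resends the state matching her detector click; the function names and the choice m = 6 are hypothetical.

```python
import math
from collections import defaultdict

S2 = 1 / math.sqrt(2)

# A state is a dict {Fibonacci index n: complex amplitude of |F_n>}.
def ket_F(n):
    return {n: 1 + 0j}

def ket_S(n):  # eq. (2): (|F_{n-1}> + |F_{n+1}>)/sqrt(2)
    return {n - 1: S2 + 0j, n + 1: S2 + 0j}

def ket_C(n):  # eq. (6): i(|F_n> + |F_{n-2}>)/sqrt(2) = i|S_{n-1}>
    return {n: 1j * S2, n - 2: 1j * S2}

def ket_D(n):  # eq. (7): (|F_n> - |F_{n-2}>)/sqrt(2)
    return {n: S2 + 0j, n - 2: -S2 + 0j}

KETS = {"F": ket_F, "C": ket_C, "D": ket_D}

def overlap_sq(a, b):
    """|<a|b>|^2 for two sparse states."""
    amp = sum(a[k].conjugate() * b[k] for k in a if k in b)
    return abs(amp) ** 2

def measure_L(state):
    """L-type detection: outcome ('F', n) with probability |<F_n|psi>|^2."""
    return {("F", n): abs(c) ** 2 for n, c in state.items() if abs(c) ** 2 > 1e-12}

def measure_D(state):
    """D-type detection: outcomes ('C', n) and ('D', n).

    Assumption: each eigenstate feeds two interferometers, so every
    projector is weighted by 1/2 and the probabilities sum to one.
    """
    out = {}
    for n in range(min(state), max(state) + 3):
        for label in ("C", "D"):
            p = 0.5 * overlap_sq(KETS[label](n), state)
            if p > 1e-12:
                out[(label, n)] = p
    return out

MEASURE = {"L": measure_L, "D": measure_D}

def bob_distribution(state, bob_basis, eve_basis=None):
    """Bob's outcome probabilities, optionally after Eve measures and resends."""
    if eve_basis is None:
        return MEASURE[bob_basis](state)
    total = defaultdict(float)
    for (label, n), p_eve in MEASURE[eve_basis](state).items():
        resent = KETS[label](n)  # assumption: Eve resends the state she detected
        for outcome, p_bob in MEASURE[bob_basis](resent).items():
            total[outcome] += p_eve * p_bob
    return dict(total)

def by_index(dist):
    """Sum C and D counts per detector index, as in the coarse view of Fig. 3."""
    grouped = defaultdict(float)
    for (_, n), p in dist.items():
        grouped[n] += p
    return dict(grouped)

if __name__ == "__main__":
    m = 6  # constructed example index
    print("case (i), Eve in D basis, Bob in L basis:")
    print(sorted(bob_distribution(ket_F(m), "L", eve_basis="D").items()))
    clean = bob_distribution(ket_S(m - 1), "D")
    tapped = bob_distribution(ket_S(m - 1), "D", eve_basis="L")
    print("case (ii), grouped per index, no Eve:", sorted(by_index(clean).items()))
    print("case (ii), grouped per index, Eve   :", sorted(by_index(tapped).items()))
    print("D_m rate without Eve:", clean.get(("D", m), 0.0))
    print("D_m rate with Eve   :", tapped.get(("D", m), 0.0))
```

Grouped per detector index, case (ii) looks the same with and without Eve, while the separate count in $D_m$ rises from zero, which is the statistical signature the security check looks for.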

V. MUTUAL INFORMATION AND SECURITY

For the detection events described in the previous sections, we may now construct the probability distributions.

We begin by making some definitions. $P_{ij}$ will be the joint probability that Alice measures outcome $i$ and Bob measures outcome $j$ in the absence of eavesdropping. (In other words, these are the expected probabilities.) $P^E_{ij}$ will be the observed probabilities for the same outcomes in the presence of eavesdropping. The index $i$ labels Alice’s outcomes. $i = 1$ represents an L-type measurement with the measured value out of range of the desired alphabet, while values $2 \le i \le N+1$ correspond to the event that Alice measured in the L basis and found state $|F_{m_0+i-2}\rangle$; similarly, $1 \le j \le N+1$ represents Bob detecting an out-of-range value or measuring state $|F_{m_0+j-2}\rangle$ in the eigenbasis. Value $i = N+2$ represents Alice making an out-of-range detection in the D basis, while values of $i$ in the range $N+3 \le i \le 3N+2$ represent Alice measuring in the diagonal superposition basis and seeing an event in the C and D detectors. Specifically, $i = N+2k+3$ represents the firing of $C_{m_0+k}$, and $i = N+2k+4$ represents the firing of $D_{m_0+k}$, for $k = 0, \ldots, N-1$; similarly for Bob with $j$ values in the same range. $P^{(A)}_i$ and $P^{(B)}_j$ will be the expected marginal probabilities, $P^{(A)}_i = \sum_j P_{ij}$ and $P^{(B)}_j = \sum_i P_{ij}$, with similar definitions for $P^{(A)E}_i$ and $P^{(B)E}_j$.

First, we give the expected probabilities for the states in the two beams (before Bob’s measurement) in the absence of eavesdropping. Columns label Alice’s measurements, while rows label Bob’s. The matrix of outcome probabilities then has the form

$$P_0 = \frac{1}{4} \begin{pmatrix} L_0 & C_0 \\ C_0^T & D_0 \end{pmatrix}, \qquad (8)$$

where explicit expressions for the submatrices $L_0$, $C_0$, and $D_0$ may be found in Appendix B.

The matrices $L_0$ and $D_0$ represent, respectively, the events on which both Alice and Bob measured in the L basis or both in the D basis. $C_0$ represents events in which Alice and Bob measured in different bases, one L and one D. The factor of $\frac{1}{4}$ in eq. 8 is due to the fact that each of the four combinations of detection type (LL, DD, LD, and DL) has a probability of $\frac{1}{4}$ in a given trial.

Now let $\eta$ be the proportion of trials on which Eve eavesdrops, i.e. the fraction of the photons on which she makes measurements. Assume she also randomly measures (with equal probabilities) in the L or D basis. Then the probability matrix for Alice and Bob’s outcomes will change according to:

$$P_0 \to P = (1 - \eta) P_0 + \eta P_E, \qquad (9)$$

where

$$P_E = \frac{1}{4} \begin{pmatrix} L' & C' \\ F' & D' \end{pmatrix}. \qquad (10)$$

The entries in $P_E$ give the probability that Eve’s actions will induce a change in the measured value, given that she intervened on that particular trial. The new submatrices $L'$, $C'$, $D'$, and $F'$ may be found in Appendix B. We assume for simplicity that Eve only acts on Bob’s channel, not Alice’s. The more general case can be treated in a similar manner. Note that $F'$ no longer needs to be equal to $C'^T$ due to the asymmetry introduced by this assumption. We define the change in the probability matrix due to eavesdropping,

$$\Delta P = P - P_0 \qquad (11)$$

$$= \frac{\eta}{4} \begin{pmatrix} L' - L_0 & C' - C_0 \\ F' - C_0^T & D' - D_0 \end{pmatrix}. \qquad (12)$$

The disturbance [21] introduced by the eavesdropper can be used as a measure of how much effect she is having on the outcomes of the communication. The disturbance $D$ is defined to be

$$D = \sqrt{\sum_{ij} (\Delta P_{ij})^2}. \qquad (13)$$

FIG. 5: The disturbance to the probability distribution, plotted against the eavesdropping fraction, $\eta$.

For binary protocols like BB84 the disturbance simply equals the eavesdropper-induced error rate, so $D$ is an appropriate generalization to protocols for which there are more than two possible outcomes per measurement. Using the probability matrices of Appendix B, $D$ can be readily calculated. From eqs. 12 and 13 it should clearly be linear in the eavesdropping fraction $\eta$, as verified in the plot of fig. 5. The disturbance reaches similar values to those found in [21] for the BB84 protocol.

From the probability distributions, the mutual information shared by Alice and Bob can also be computed:

$$I_{AB} = H_A + H_B - H_{AB} \qquad (14)$$

$$= -\sum_i P_{A,i} \log_2 P_{A,i} - \sum_j P_{B,j} \log_2 P_{B,j} + \sum_{ij} P_{i,j} \log_2 P_{i,j}. \qquad (15)$$
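To make eqs. (9), (11), (13) and (14)-(15) concrete, this added Python example (not from the paper) applies them to the binary polarization case of the Introduction, since the Fibonacci-protocol submatrices of Appendix B are not reproduced here. The 2x2 matrices are constructed for same-basis trials with perfectly correlated outcomes, which is an assumption, and all function names are hypothetical.

```python
import math

def check_distribution(p, tol=1e-9):
    """Reject matrices that are not joint probability distributions."""
    flat = [x for row in p for x in row]
    if any(x < -tol for x in flat) or abs(sum(flat) - 1.0) > tol:
        raise ValueError("entries must be non-negative and sum to 1")
    return p

def mix(p0, pe, eta):
    """Eq. (9): P = (1 - eta) P0 + eta PE."""
    if not 0.0 <= eta <= 1.0:
        raise ValueError("eta must lie in [0, 1]")
    return [[(1 - eta) * a + eta * b for a, b in zip(r0, re)]
            for r0, re in zip(p0, pe)]

def disturbance(p, p0):
    """Eqs. (11) and (13): root of the summed squared entries of P - P0."""
    return math.sqrt(sum((a - b) ** 2
                         for rp, r0 in zip(p, p0) for a, b in zip(rp, r0)))

def entropy(probs):
    """Shannon entropy in bits, with 0 log 0 taken as 0."""
    return -sum(x * math.log2(x) for x in probs if x > 0)

def mutual_information(p):
    """Eqs. (14)-(15): I_AB = H_A + H_B - H_AB from the joint matrix."""
    check_distribution(p)
    marg_rows = [sum(row) for row in p]
    marg_cols = [sum(col) for col in zip(*p)]
    joint = [x for row in p for x in row]
    return entropy(marg_rows) + entropy(marg_cols) - entropy(joint)

def error_rate(p):
    """Probability that the two parties disagree (off-diagonal mass)."""
    return sum(x for i, row in enumerate(p) for j, x in enumerate(row) if i != j)

# Constructed matrices for the polarization protocol, same-basis trials only.
# Without Eve the outcomes always agree.
P0_BB84 = [[0.5, 0.0],
           [0.0, 0.5]]
# On an intercepted trial Eve picks the wrong basis half the time, which
# randomizes Bob's result: PE = 1/2 * P0 + 1/2 * (uniform 2x2).
PE_BB84 = [[0.375, 0.125],
           [0.125, 0.375]]

def sweep(p0, pe, etas):
    """Rows of (eta, disturbance, I_AB, error rate) for each eta."""
    rows = []
    for eta in etas:
        p = mix(p0, pe, eta)
        rows.append((eta, disturbance(p, p0), mutual_information(p), error_rate(p)))
    return rows

if __name__ == "__main__":
    print(" eta     D      I_AB   error")
    for eta, d, i_ab, err in sweep(P0_BB84, PE_BB84, [0.0, 0.25, 0.5, 0.75, 1.0]):
        print(f"{eta:4.2f}  {d:6.4f}  {i_ab:6.4f}  {err:6.4f}")
```

The same functions accept matrices of any size, so they can be applied to $P_0$ and $P_E$ once the Appendix B submatrices are filled in.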

The information per trial gained by Eve can also be found. First note that the probability that she measures in the correct basis is $\frac{1}{2}$. If she guesses the correct basis then she can determine the correct value for Bob with certainty; if she guesses the wrong basis, she only has a 50% chance of determining the correct value. So on a given trial, her probability of obtaining the correct value is $\frac{3}{4}$. Therefore, her information gain per trial (her average mutual information with Alice) is:

$$I_{AE} = (\text{prob. that Eve listens in on trial}) \cdot (\text{probability trial is not discarded}) \cdot (\text{info. gained per eavesdropping}) \qquad (16)$$

$$= \eta \cdot r(\eta) \cdot I_{AB}, \qquad (17)$$

where the fraction $r(\eta)$ of trials retained is given in Appendix B.

These two information measures are plotted in fig. 6 as a function of eavesdropping fraction $\eta$. It can be seen that the mutual information per trial gained by Eve is always less than the mutual information shared between Alice and Bob, so that a secure key can always be distilled from the exchange. The secret key rate $K = I_{AB} - I_{AE}$ is shown in fig. 7 as a function of $\eta$ and as a function of disturbance in fig. 8. The slight upturn in the Alice-Bob mutual information at large $\eta$ in Fig. 6 seems to be due to the fact that Eve’s interference causes the outcomes to be more spread out (there are more nonzero entries in $P_E$ than in $P_0$), and more uniform distributions lead to increased information gains per measurement. Due to the concave shape of the binary entropy function, such an effect can also happen in schemes using binary qubits, if the error rate is able to exceed 50%.

FIG. 6: The mutual information (upper red curve) shared between Alice and Bob, and the information gain per trial by Eve (lower blue curve) as functions of $\eta$.

FIG. 7: The secret key generation rate $\kappa$ versus eavesdropping fraction $\eta$.

VI. CONCLUSIONS

In this paper, we have constructed the joint probabil-ity distributions for Alice and Bob’s measurement out-comes in the Fibonacci protocol, both in the absence ofeavesdropping and for the case of simple intercept-resendattacks. For the case of three bits per photon, it hasbeen demonstrated that a secure key can be distilled andthat the eavesdropper’s presence can be revealed. Forlarger alphabets (more key bits per photon), the mutualinformation shared by Alice and Bob increases logarith-mically with alphabet size, while the amount of classicalinformation that needs to be exchanged stays constant.


FIG. 8: The secret key rate κ as a function of disturbance, D.

It remains for future investigation to see how the protocol behaves under more sophisticated eavesdropping attacks.

Acknowledgements

This research was supported by the DARPA QUINESS program through US Army Research Office award W31P4Q-12-1-0015.

Appendix A: Reconciliation

In order for Alice and Bob to determine each other’s values they must exchange additional information on a classical side channel. Here, a brief description is given of one way to do this. Other methods are also possible. It is necessary to make sure that no eavesdropper can obtain the key from the classical exchange alone.

If Eve intercepts both the classical and quantum exchanges, and if she can store the photon from the quantum channel until she has read the classical channel, then she has complete information about the bit, just as Bob does. However, the disturbances she introduces will then signal her presence, causing the tainted key to be discarded. This is identical to the case in the BB84 or Ekert protocols.

However, in the Fibonacci case a larger classical exchange is required, which reduces the average amount of information about the key that remains secret. This reduces the key generation capacity per photon, partially canceling the advantages from the larger Hilbert space. But even in the worst case the classical exchange can be chosen such that the amount of classically revealed information remains less than the amount of information generated by the quantum exchange, allowing the distillation of a secure key [20]. Furthermore, the amount of revealed information is independent of N, while the total information from the quantum exchange increases with increasing alphabet size like $\log_2 N$; thus this information leakage becomes more and more negligible with increasing N, as compared to the total information.

When both experimenters measure in the L (eigenstate) basis, they should (in the absence of eavesdropping) always receive adjacent Fibonacci numbers, say $F_n$ and $F_{n+1}$, although initially neither of them knows whether they have the lower or higher value in the pair. In order for them to determine this, they must each exchange one bit of information over the classical channel.

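One possible way to do this (illustrated for the case N = 8, $m_0 = 2$) is for Alice first to send either a 0 or 1 to Bob in the following manner:

$$
\begin{array}{l|cccccccc}
\text{Alice has:} & 2 & 3 & 5 & 8 & 13 & 21 & 34 & 55 \\
\text{Alice sends:} & 0 & 1 & 1 & 0 & 0 & 1 & 1 & 0
\end{array}
\qquad (18)
$$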

Once Bob receives this information he can determine Alice’s value, since he already knows it has to be one of the two values adjacent to his. Alice’s value can then be used as the key value. For arbitrary N, the probability of guessing the correct value based on the classical exchange alone decreases with increasing N: $P = \frac{2}{N}$.

Half of the time, Alice and Bob make opposite types of measurements, one L and one D. Suppose, for example, Alice measures the value $F_5 = 8$ in the L basis, while Bob measures in D. In principle, he should receive the superposition state $\frac{1}{\sqrt{2}}(|5\rangle + |13\rangle)$; however, since non-orthogonal states cannot be uniquely distinguished, there is a 25% chance that Bob will instead measure the superposition $\frac{1}{\sqrt{2}}(|2\rangle + |5\rangle)$ and 25% that he will find $\frac{1}{\sqrt{2}}(|13\rangle + |34\rangle)$. To arrive at an unambiguous value shared by both participants, there are several possible procedures. One possibility (again described for the case N = 8, $m_0 = 2$) is for Alice to send Bob two bits of information, according to the following table:

$$
\begin{array}{l|cccccccc}
\text{Alice has:} & 2 & 3 & 5 & 8 & 13 & 21 & 34 & 55 \\
\text{Alice sends:} & 01 & 10 & 00 & 01 & 10 & 00 & 01 & 10
\end{array}
\qquad (19)
$$

Bob then knows Alice’s value unambiguously, so that they can agree to use her value as the key segment; again, there is no need for Bob to send any classical information in this case. As N increases, the number of key bits generated per photon grows but the amount of classical information exchanged remains fixed.

Finally, Alice and Bob can both make a D measurement. Suppose that Alice sends two bits of classical information, which could be:

$$
\begin{array}{l|ccccccccccc}
\text{Alice has:} & S_1 & S_2 & S_3 & S_4 & S_5 & S_6 & S_8 & S_9 & S_{10} & S_{11} & \dots \\
\text{Alice sends:} & 00 & 00 & 01 & 01 & 10 & 10 & 11 & 11 & 00 & 00 & \dots
\end{array}
\qquad (20)
$$

Examination of the probability matrices (eqs. 27-28) makes clear that, armed with knowledge of his own superposition, Bob can unambiguously determine Alice’s value, while an outsider eavesdropper on the classical channel again has a decreasing probability of guessing the correct value as N increases. Once Alice and Bob agree that Alice has superposition $|S_n\rangle$, they then adopt the value $F_n$ as the key value.
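The first two reconciliation cases above (both in L, and Alice in L with Bob in D), as an added Python example that is not part of the paper: it checks that tables (18) and (19) always let Bob single out Alice's value and computes what a listener on the classical channel alone can guess. The function names, the uniform-value assumption, and the rule that a D outcome centred on index c leaves Alice at c-2, c or c+2 (generalising the $F_5 = 8$ example) are assumptions.

```python
from collections import Counter
from fractions import Fraction

# Alphabet and announcement tables for N = 8, m0 = 2, copied from tables (18), (19).
FIB = [2, 3, 5, 8, 13, 21, 34, 55]
ONE_BIT = ["0", "1", "1", "0", "0", "1", "1", "0"]            # both measure L
TWO_BIT = ["01", "10", "00", "01", "10", "00", "01", "10"]    # Alice L, Bob D

def candidates_LL(bob):
    """Bob measured FIB[bob] in L: Alice holds one of its two neighbours."""
    return [i for i in (bob - 1, bob + 1) if 0 <= i < len(FIB)]

def candidates_LD(centre):
    """Bob's D outcome (|F_{c-1}> + |F_{c+1}>)/sqrt(2) is labelled by c.
    Assumption generalising the F = 8 example: Alice is at c-2, c or c+2."""
    return [i for i in (centre - 2, centre, centre + 2) if 0 <= i < len(FIB)]

def decode(cands, label, table):
    """Values Bob cannot rule out after hearing Alice's label."""
    return [FIB[i] for i in cands if table[i] == label]

def unambiguous(table, candidates):
    """True if every consistent (Alice, Bob) pairing decodes to Alice's value."""
    return all(decode(candidates(b), table[a], table) == [FIB[a]]
               for b in range(len(FIB)) for a in candidates(b))

def classical_only_guess(table):
    """Chance that a listener on the classical channel alone names Alice's
    value, assuming uniform values: sum over labels of P(label) / #values."""
    counts = Counter(table)
    n = len(table)
    return sum(Fraction(c, n) * Fraction(1, c) for c in counts.values())

if __name__ == "__main__":
    print(decode(candidates_LD(5), TWO_BIT[3], TWO_BIT))   # Alice has 8
    print(unambiguous(ONE_BIT, candidates_LL), unambiguous(TWO_BIT, candidates_LD))
    print(unambiguous(ONE_BIT, candidates_LD))             # one bit is not enough
    print(classical_only_guess(ONE_BIT), classical_only_guess(TWO_BIT))
```

For table (18) the classical-only guess probability reproduces the $P = 2/N$ stated above; reusing the one-bit table in the L/D case leaves Bob with two surviving candidates, which is why table (19) needs a period-three labelling.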


FIG. 9: The labeling of rows and columns is shown for the probability submatrices. Different rows correspond to different outcomes for Bob, while columns correspond to Alice’s outcomes. The first row and column label detection of outcomes not included in the range of the alphabet used for key generation. The remaining rows and columns of $L_0$ label allowed eigenstates, and those of $D_0$ alternately label $C_n$ and $D_n$ detection events signalling allowed superposition states. Similarly, $C_0$ has eigenstate events running horizontally, with $C_n$ and $D_n$ events vertically. $L_0$, $C_0$, and $D_0$ are respectively (N+1)×(N+1), (N+1)×(2N+1), and (2N+1)×(2N+1) matrices.

Appendix B: Probability Matrices

Here we give explicit expressions for the joint probability distributions seen by Alice and Bob for their outcomes, with and without eavesdropping. See section V for the relevant definitions. The labeling of the rows and columns is shown in fig. 9.

To compute the probabilities in the absence of eavesdropping, first consider the projections of the biphoton state $|\psi\rangle$ after the crystal (eq. 1) onto the states that can be detected at the various detectors on Alice’s side:

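$$
\begin{aligned}
|\Psi^A_{F_n}\rangle &= |F_n\rangle_A \, {}_A\langle F_n|\psi\rangle && (21)\\
&= \frac{1}{\sqrt{2}}\,|F_n\rangle_A \left( |F_{n-1}\rangle_B + |F_{n+1}\rangle_B \right) && (22)\\
|\Psi^A_{D_n}\rangle &= |D_n\rangle_A \, {}_A\langle D_n|\psi\rangle && (23)\\
&= -\frac{i}{2}\,|D_n\rangle_A \left( |F_{n-3}\rangle_B + 2|F_{n-1}\rangle_B + |F_{n+1}\rangle_B \right) && (24)\\
|\Psi^A_{C_n}\rangle &= |C_n\rangle_A \, {}_A\langle C_n|\psi\rangle && (25)\\
&= \frac{1}{2}\,|C_n\rangle_A \left( |F_{n+1}\rangle_B - |F_{n-3}\rangle_B \right), && (26)
\end{aligned}
$$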

with similar expressions for the states $|\Psi^B_{F_n}\rangle$, $|\Psi^B_{C_n}\rangle$, $|\Psi^B_{D_n}\rangle$ on Bob’s side. Then (up to an overall constant that can be fixed by requiring the probabilities to sum to one) the matrix for the probabilities of joint detections by Alice and Bob can be built up entry by entry by computing the various products $\langle\Psi^A_{X_n}|\Psi^B_{Y_m}\rangle$, for X, Y = C, D, F. We give here the results for N = 8; the generalization to larger N is straightforward. The results are:

L0 =1

16

0 1 0 0 0 0 0 0 11 0 1 0 0 0 0 0 00 1 0 1 0 0 0 0 00 0 1 0 1 0 0 0 00 0 0 1 0 1 0 0 00 0 0 0 1 0 1 0 00 0 0 0 0 1 0 1 00 0 0 0 0 0 1 0 11 0 0 0 0 0 0 1 0

C0 =

1

72

0 1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 12 4 0 0 0 1 1 0 0 0 0 0 0 0 0 0 02 0 0 4 0 0 0 1 1 0 0 0 0 0 0 0 00 1 1 0 0 4 0 0 0 1 1 0 0 0 0 0 00 0 0 1 1 0 0 4 0 0 0 1 1 0 0 0 00 0 0 0 0 1 1 0 0 4 0 0 0 1 1 0 00 0 0 0 0 0 0 1 1 0 0 4 0 0 0 1 12 0 0 0 0 0 0 0 0 1 1 0 0 4 0 0 02 0 0 0 0 0 0 0 0 0 0 1 1 0 0 4 0

(27)

D0 =1

196

0 2 2 2 2 0 0 0 0 2 2 2 2 6 4 6 46 3 1 0 0 1 1 0 0 0 0 0 0 0 0 0 04 1 1 0 0 1 1 0 0 0 0 0 0 0 0 0 06 0 0 3 1 0 0 1 1 0 0 0 0 0 0 0 04 0 0 1 1 0 0 1 1 0 0 0 0 0 0 0 02 3 1 0 0 3 1 0 0 1 1 0 0 0 0 0 02 1 1 0 0 1 1 0 0 1 1 0 0 0 0 0 02 0 0 3 1 0 0 3 1 0 0 1 1 0 0 0 02 0 0 1 1 0 0 1 1 0 0 1 1 0 0 0 00 1 1 0 0 3 1 0 0 3 1 0 0 1 1 0 00 1 1 0 0 1 1 0 0 1 1 0 0 1 1 0 00 0 0 1 1 0 0 3 1 0 0 3 1 0 0 1 10 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 12 0 0 0 0 1 1 0 0 3 1 0 0 3 1 0 02 0 0 0 0 1 1 0 0 1 1 0 0 1 1 0 02 0 0 0 0 0 0 1 1 0 0 3 1 0 0 3 12 0 0 0 0 0 0 1 1 0 0 1 1 0 0 1 1

(28)


Eve’s measurements will alter Bob’s outcome probabilities. If η is the proportion of trials she intercepts, then the probability matrix for Alice and Bob’s outcomes will change according to $P_0 \to P = \eta P_E + (1-\eta)P_0$, where $P_E$ describes the change in probability due to Eve’s intervention on a given trial. The various joint probabilities are computed as before, but with additional projection operators inserted into Bob’s line to represent Eve’s action. For example, when Alice and Bob measure in the L basis and Eve measures in the D basis, the probability that Alice detects $F_p$ and Bob detects $F_n$ has extra terms added to it of the form

$$
\sum_m \left\{ \langle\Psi^A_{F_p}|\Psi^B_{C_m}\rangle\, |\langle C_m|F_n\rangle|^2 + \langle\Psi^A_{F_p}|\Psi^B_{D_m}\rangle\, |\langle D_m|F_n\rangle|^2 \right\}; \qquad (29)
$$

these extra terms correspond to the possible outcomes of Eve’s measurement. Similar expressions apply to find the rest of the probabilities. The net result (for N = 8) is: $P_E = \frac{1}{4}\begin{pmatrix} L' & C' \\ F' & D' \end{pmatrix}$, where the new submatrices are

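$$
L' = \frac{1}{122}
\left(\begin{array}{*{9}{c}}
0 & 1 & 0 & 0 & 1 & 1 & 6 & 6 & 11 \\
11 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
6 & 5 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
6 & 0 & 5 & 0 & 1 & 0 & 0 & 0 & 0 \\
1 & 5 & 0 & 5 & 0 & 1 & 0 & 0 & 0 \\
1 & 0 & 5 & 0 & 5 & 0 & 1 & 0 & 0 \\
0 & 1 & 0 & 5 & 0 & 5 & 0 & 1 & 0 \\
0 & 0 & 1 & 0 & 5 & 0 & 5 & 0 & 1 \\
1 & 0 & 0 & 0 & 0 & 5 & 0 & 5 & 0
\end{array}\right)
$$

$$
F' = \frac{1}{1380}
\left(\begin{array}{*{9}{c}}
0 & 5 & 5 & 5 & 5 & 45 & 45 & 91 & 91 \\
39 & 12 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
52 & 28 & 0 & 4 & 0 & 0 & 0 & 0 & 0 \\
39 & 0 & 12 & 0 & 1 & 0 & 0 & 0 & 0 \\
52 & 0 & 28 & 0 & 4 & 0 & 0 & 0 & 0 \\
13 & 26 & 0 & 12 & 0 & 1 & 0 & 0 & 0 \\
32 & 20 & 0 & 28 & 0 & 4 & 0 & 0 & 0 \\
13 & 0 & 26 & 0 & 12 & 0 & 1 & 0 & 0 \\
32 & 0 & 20 & 0 & 28 & 0 & 4 & 0 & 0 \\
1 & 12 & 0 & 26 & 0 & 12 & 0 & 1 & 0 \\
4 & 28 & 0 & 20 & 0 & 28 & 0 & 4 & 0 \\
1 & 12 & 0 & 26 & 0 & 12 & 0 & 1 & 0 \\
4 & 0 & 28 & 0 & 20 & 0 & 28 & 0 & 4 \\
1 & 0 & 1 & 0 & 12 & 0 & 26 & 0 & 12 \\
4 & 0 & 4 & 0 & 28 & 0 & 20 & 0 & 28 \\
1 & 1 & 0 & 12 & 0 & 26 & 0 & 12 & 0 \\
4 & 4 & 0 & 28 & 0 & 20 & 0 & 28 & 0 \\
1 & 0 & 1 & 0 & 12 & 0 & 26 & 0 & 12 \\
4 & 0 & 4 & 0 & 28 & 0 & 20 & 0 & 28
\end{array}\right)
\qquad (30)
$$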

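$$
C' = \frac{1}{664}
\left(\begin{array}{*{17}{c}}
0 & 27 & 15 & 27 & 15 & 13 & 9 & 13 & 9 & 3 & 3 & 3 & 3 & 3 & 3 & 3 & 3 \\
6 & 10 & 6 & 0 & 0 & 14 & 6 & 0 & 0 & 10 & 6 & 0 & 0 & 3 & 3 & 0 & 0 \\
6 & 0 & 0 & 10 & 6 & 0 & 0 & 14 & 6 & 0 & 0 & 10 & 6 & 0 & 0 & 3 & 3 \\
6 & 3 & 3 & 0 & 0 & 10 & 6 & 0 & 0 & 14 & 6 & 0 & 0 & 10 & 6 & 0 & 0 \\
6 & 0 & 0 & 3 & 3 & 0 & 0 & 10 & 6 & 0 & 0 & 14 & 6 & 0 & 0 & 10 & 6 \\
22 & 0 & 0 & 0 & 0 & 3 & 3 & 0 & 0 & 10 & 6 & 0 & 0 & 14 & 6 & 0 & 0 \\
22 & 0 & 0 & 0 & 0 & 0 & 0 & 3 & 3 & 0 & 0 & 10 & 6 & 0 & 0 & 14 & 6 \\
42 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 3 & 3 & 0 & 10 & 6 & 0 & 0 & 0 \\
42 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 3 & 3 & 0 & 0 & 10 & 6
\end{array}\right)
\qquad (31)
$$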

D′=

1

4294

0 103 120 28 36 28 36 4 8 4 8 28 36 28 36 103 120163 0 0 61 68 1 1 0 0 13 18 0 0 1 2 0 060 0 0 14 16 1 1 0 0 13 14 0 0 1 2 0 034 61 68 0 0 61 68 0 0 13 18 0 0 1 2 0 030 14 16 0 0 14 16 0 0 13 14 0 0 1 2 0 034 0 0 61 68 0 0 61 68 0 0 13 18 0 0 1 230 0 0 14 16 0 0 14 16 0 0 13 14 0 0 1 26 13 18 0 0 61 68 0 0 61 68 0 0 13 18 0 06 13 14 0 0 14 16 0 0 14 16 0 0 13 14 0 06 0 0 13 18 0 0 61 68 0 0 61 68 0 0 13 186 0 0 13 14 0 0 14 16 0 0 14 16 0 0 13 1434 1 2 0 0 13 18 0 0 61 68 0 0 61 68 0 030 1 2 0 0 13 14 0 0 14 16 0 0 14 16 0 034 0 0 1 2 0 0 13 18 0 0 61 68 0 0 61 6830 0 0 1 2 0 0 13 14 0 0 14 16 0 0 14 16163 0 0 0 0 1 2 0 0 13 18 0 0 61 68 0 060 0 0 0 0 1 2 0 0 13 14 0 0 14 16 0 0

(32)

Note that the matrix is no longer symmetric due to the fact that we are assuming Eve has access only to Bob’s line but not Alice’s. In particular, this means that $F'$ is not equal to the transpose of $C'$.
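The mixing rule $P = \eta P_E + (1-\eta)P_0$ applied to the L/L blocks of eqs. (27) and (30), as an added Python example that is not part of the paper: it shows how the outcome distribution and the Alice-Bob mutual information shift as η grows. Assumptions: the numerators are as transcribed above, each block is rescaled to sum to one on its own, and the function names are illustrative.

```python
import math

# Integer numerators of the L/L blocks for N = 8, transcribed from Appendix B.
# Rows are Bob's outcomes, columns Alice's; index 0 is "out of range".
L0 = [[0,1,0,0,0,0,0,0,1], [1,0,1,0,0,0,0,0,0], [0,1,0,1,0,0,0,0,0],
      [0,0,1,0,1,0,0,0,0], [0,0,0,1,0,1,0,0,0], [0,0,0,0,1,0,1,0,0],
      [0,0,0,0,0,1,0,1,0], [0,0,0,0,0,0,1,0,1], [1,0,0,0,0,0,0,1,0]]
LP = [[0,1,0,0,1,1,6,6,11], [11,0,1,0,0,0,0,0,0], [6,5,0,1,0,0,0,0,0],
      [6,0,5,0,1,0,0,0,0], [1,5,0,5,0,1,0,0,0], [1,0,5,0,5,0,1,0,0],
      [0,1,0,5,0,5,0,1,0], [0,0,1,0,5,0,5,0,1], [1,0,0,0,0,5,0,5,0]]

def normalise(M):
    """Assumption: rescale one block so that its entries sum to one."""
    total = sum(map(sum, M))
    return [[x / total for x in row] for row in M]

def mix(eta):
    """P = eta * P_E + (1 - eta) * P_0, restricted to the L/L block."""
    P0, PE = normalise(L0), normalise(LP)
    return [[eta * e + (1 - eta) * p for p, e in zip(r0, rE)]
            for r0, rE in zip(P0, PE)]

def mutual_information(P):
    """I(A;B) in bits for a joint distribution P[bob][alice]."""
    pb = [sum(row) for row in P]
    pa = [sum(col) for col in zip(*P)]
    return sum(p * math.log2(p / (pb[i] * pa[j]))
               for i, row in enumerate(P) for j, p in enumerate(row) if p > 0)

def out_of_range_fraction(P):
    """Probability that Alice or Bob registers the out-of-range outcome."""
    return sum(P[0]) + sum(row[0] for row in P) - P[0][0]

if __name__ == "__main__":
    for eta in (0.0, 0.25, 0.5, 1.0):
        P = mix(eta)
        print(f"eta={eta:.2f}  I_AB={mutual_information(P):.3f} bits  "
              f"out-of-range={out_of_range_fraction(P):.3f}")
```

No single trial flags Eve here; what changes is the outcome statistics accumulated over many trials, which is the detection signal the paper relies on.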

[1] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
[2] C. H. Bennett, G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, 175 (1984).
[3] D. Bruß, Phys. Rev. Lett. 81, 3018-3021 (1998).
[4] H. Bechmann-Pasquinucci, A. Peres, Phys. Rev. Lett. 85, 3313-3316 (2000).
[5] M. Bourennane, A. Karlsson, G. Bjork, Phys. Rev. A 64, 012306 (2001).
[6] N. J. Cerf, M. Bourennane, A. Karlsson, N. Gisin, Phys. Rev. Lett. 88, 127902 (2002).
[7] S. Groblacher, T. Jennewein, A. Vaziri, G. Weihs, A. Zeilinger, New J. Phys. 8, 1 (2006).
[8] A. Mair, A. Vaziri, G. Weihs, A. Zeilinger, Nature 412, 313 (2001).
[9] A. Vaziri, G. Weihs, and A. Zeilinger, Phys. Rev. Lett. 89, 240401 (2002).
[10] D. S. Simon, A. V. Sergienko, New J. Phys. 16, 063052 (2014).
[11] S. Franke-Arnold, L. Allen, M. Padgett, Laser Photon. Rev. 2, 299-313 (2008).
[12] L. Allen, M. W. Beijersbergen, R. J. C. Spreeuw, J. P. Woerdman, Phys. Rev. A 45, 8185-8189 (1992).
[13] G. Molina-Terriza, J. P. Torres, L. Torner, Nat. Phys. 3, 305-310 (2007).
[14] D. S. Simon, J. Trevino, N. Lawrence, L. dal Negro, A. V. Sergienko, Phys. Rev. A 87, 032312 (2013).
[15] S. F. Liew, H. Noh, J. Trevino, L. Dal Negro, H. Cao, Optics Express 19, 23631-23642 (2011).
[16] J. Trevino, H. Cao, L. Dal Negro, Nano Letters 11, 2008-2016 (2011).
[17] J. Trevino, S. F. Liew, H. Noh, H. Cao, L. Dal Negro, Optics Express 20, 3015-3033 (2012).
[18] L. Dal Negro, N. Lawrence, J. Trevino, Optics Express 20, 18209 (2012).
[19] N. Lawrence, J. Trevino, L. Dal Negro, J. of App. Phys. 111, 113101 (2012).
[20] I. Csiszar, J. Korner, IEEE Transactions on Information Theory, Vol. IT-24, 339-348 (1978).
[21] N. Lutkenhaus, Phys. Rev. A 54, 97 (1996).
[22] J. Leach, M. J. Padgett, S. M. Barnett, S. Franke-Arnold, J. Courtial, Phys. Rev. Lett. 88, 257901 (2002).
[23] G. C. G. Berkhout, M. P. J. Lavery, J. Courtial, M. W. Beijersbergen, M. J. Padgett, Phys. Rev. Lett. 105, 153601 (2010).
[24] M. P. J. Lavery, D. J. Robertson, G. C. G. Berkhout, G. D. Love, M. J. Padgett, J. Courtial, Optics Express 20, 2110-2115 (2012).
[25] Y. Miyamoto, D. Kawase, M. Takeda, K. Sasaki, S. Takeuchi, J. Opt. 13, 064027 (2011).
[26] B. Jack, A. M. Yao, J. Leach, J. Romero, S. Franke-Arnold, D. G. Ireland, S. M. Barnett, M. J. Padgett, Phys. Rev. A 81, 043844 (2010).
[27] D. Kawase, Y. Miyamoto, M. Takeda, K. Sasaki, S. Takeuchi, Phys. Rev. Lett. 101, 050501 (2008).
[28] D. S. Simon, C. Fitzpatrick, A. V. Sergienko, submitted to Phys. Rev. A (2015).