sign in sign up
<<
Home , The Arrival (Fringe)

Unconditional Security of Time-Energy Entanglement Quantum Key Distribution Using Dual-Basis Interferometry

The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters.

Citation Zhang, Zheshen, Jacob Mower, Dirk Englund, Franco N. C. Wong, and Jeffrey H. Shapiro. “Unconditional Security of Time-Energy Entanglement Quantum Key Distribution Using Dual-Basis Interferometry.” Physical Review Letters 112, no. 12 (March 2014). © 2014 American Physical Society

As Published http://dx.doi.org/10.1103/PhysRevLett.112.120506

Publisher American Physical Society

Version Final published version

Citable link http://hdl.handle.net/1721.1/89019

Terms of Use Article is made available in accordance with the publisher's policy and may be subject to US copyright law. Please refer to the publisher's site for terms of use. week ending PRL 112, 120506 (2014) PHYSICAL REVIEW LETTERS 28 MARCH 2014

Unconditional Security of Time-Energy Entanglement Quantum Key Distribution Using Dual-Basis Interferometry

Zheshen Zhang,* Jacob Mower, Dirk Englund, Franco N. C. Wong, and Jeffrey H. Shapiro Research Laboratory of Electronics, Massachusetts Institute of Technology, 77 Massachusetts Avenue, Cambridge, Massachusetts 02139, USA (Received 4 November 2013; published 26 March 2014) High-dimensional quantum key distribution (HDQKD) offers the possibility of high secure-key rate with high photon-information efficiency. We consider HDQKD based on the time-energy entanglement produced by spontaneous parametric down-conversion and show that it is secure against collective attacks. Its security rests upon visibility data—obtained from Franson and conjugate-Franson interferometers—that probe photon-pair frequency correlations and arrival-time correlations. From these measurements, an upper can be established on the eavesdropper’s Holevo information by translating the Gaussian-state security analysis for continuous-variable quantum key distribution so that it applies to our protocol. We show that visibility data from just the Franson interferometer provides a weaker, but nonetheless useful, secure-key rate lower bound. To handle multiple-pair emissions, we incorporate the decoy-state approach into our protocol. Our results show that over a 200-km transmission distance in optical fiber, time-energy entanglement HDQKD could permit a 700-bit=sec secure-key rate and a photon information efficiency of 2 secure-key bits per photon coincidence in the key-generation phase using receivers with a 15% system efficiency.

DOI: 10.1103/PhysRevLett.112.120506 PACS numbers: 03.67.Dd, 03.67.Hk, 42.50.Dv

Quantum key distribution (QKD) [1] promises uncondi- [16,17] uses the quadrature-component covariance matrix tionally secure communication by enabling one-time to derive a lower bound on the SKR in the presence of a pad transmission between remote parties, Alice and Bob. collective attack. We take an analogous approach—using Continuous-variable QKD (CVQKD) [2,3] and discrete- the time-frequency covariance matrix (TFCM)—for our variable QKD (DVQKD) [4,5] utilize infinite-dimensional time-energy entanglement HDQKD protocol. and finite-dimensional Hilbert spaces, respectively. The TFCM for our protocol can be obtained using the CVQKD exploits the wave nature of light to encode dispersive-optics scheme from [18], although dense wave- multiple bits into each transmission, but it has been limited length-division multiplexing (DWDM) may be required to to 80 km in optical fiber [3,6,7] because the eavesdropper do so [19]. An experimentally simpler technique—utilizing (Eve) can obtain partial information from a beam-splitting a Franson interferometer—has been conjectured [13,14] to attack. The predominant DVQKD protocol is Bennett- be sufficient for security verification. Its robustness against Brassard 1984 (BB84), which uses a two-dimensional some specific attacks has been discussed [14,20],but Hilbert space. The decoy-state BB84 protocol [8,9] has security against collective attacks has not been proven demonstrated nonzero secure-key rates (SKRs) over and [20] suggests that such a proof may be impossible. 144 km in free space [10] and 107 km in optical fiber This Letter proves that time-energy entanglement [11], but its photon information efficiency (PIE) cannot HDQKD can be made secure against Eve’s collective exceed 1 key bit per sifted photon. attack when a Franson interferometer is used for security High-dimensional QKD (HDQKD) using single photons verification in conjunction with a dispersion-based [12] can utilize the best features of the continuous and frequency-difference measurement. Our proof relates the discrete worlds, with the Hilbert space of single-photon Franson interferometer’s visibility to the TFCM’s arrival times providing an appealing candidate for frequency elements that, together with the frequency- its implementation. The time-energy entanglement of difference measurement, establishes an upper bound on photon pairs produced by spontaneous parametric down- Eve’s Holevo information. We introduce another nonlocal conversion (SPDC) has been employed in HDQKD experi- interferometer—the conjugate-Franson interferometer— ments [13,14], although these works lacked rigorous and link its fringe visibility to the TFCM’s arrival-time security proofs. Security proofs for time-energy entangled elements [21]. Employing both interferometers increases HDQKD have been attempted by discretizing the continu- the SKR. ous Hilbert space to permit use of DVQKD security Our fringe visibility results presume that the entangle- analyses [12,15], but the validity of the discretization ment source emits at most one photon pair in a measurement approach has not been proven. CVQKD security analysis frame, which need not be the case for SPDC. Thus, we

0031-9007=14=112(12)=120506(5) 120506-1 © 2014 American Physical Society week ending PRL 112, 120506 (2014) PHYSICAL REVIEW LETTERS 28 MARCH 2014 incorporate decoy-state operation [8,9] to handle multiple- they obey the canonical commutation relations, † pair emissions. We show that time-energy entanglement ½Eˆ ðtÞ; Eˆ ðuÞ ¼ δ δðt − uÞ, for J;K ¼ S; I. Their fre- J K JK ˆ ˆ HDQKD could permit a 700 bit=sec SKR over a 200-km quency-domain counterparts, ASðωÞ and AIðωÞ, annihilate transmission distance in optical fiber. We also show that a signal and idler photons at detunings ω and −ω, respec- PIE of 2 secure-key bits per photon coincidence can be tively. Our interest, however, is in the arrival-time and achieved in the key-generation phase using receivers with angular-frequency operators, a 15% system efficiency. Before beginning our security Z analysis, we provide a brief explanation of our protocol. † tˆ ¼ dttEˆ ðtÞEˆ ðtÞ; (3a) Suppose Alice has a repetitively pumped, frequency- J J J degenerate SPDC source that, within a time frame of duration Z ¼ 3 ω of Tf sec, which is centered at time tm mTf, emits a ωˆ ¼ d ω ˆ †ðωÞ ˆ ðωÞ (3b) single photon pair in the state [22] J 2π AJ AJ ; Z Z 2 2 2 2 ¼ −ðtþ−t Þ =4σ −t−=4σ −iω tþ for J S; I when only one photon pair is emitted by the jψ i ∝ dt dt e m coh cor P jt i jt i m SI S I S S I I source. Restricting these time and frequency operators to (1) the single-pair Hilbert space implies that they measure the arrival times and frequency detunings of the signal and for some integer m. In this expression, ωP is the pump idler photons. It also leads to the commutation relation j i j i ½ωˆ ˆ ¼ ϵ δ ϵ ¼ −ϵ ¼ 1 frequency; tS S ( tI I) represents a single photon of the J; tK i J JK [26], where S I , making these signal (idler) at time tS (tI); tþ ≡ ðtS þ tIÞ=2; t− ≡ tS − tI; operators conjugate observables analogous to the quad- σ ¼ ptheffiffiffiffiffiffiffiffiffiffiffiffiffiffi root-mean-square coherence time coh Tf= rature components employed in CVQKD and justifying our 8 lnð2Þ ∼ nsec is set by the pump pulse’s duration; translating CVQKD’s covariance-based security analysis σ ¼ pandffiffiffiffiffiffiffiffiffiffiffiffiffiffi the root-mean square correlation time cor [16,17] to our protocol. 2 ð2Þ 2π ∼ ln = BPM psec is set by the reciprocal of the To exploit the connection to CVQKD, we define an Oˆ ¼½ˆ ˆ T full-width at half-maximum (FWHM) phase-matching observable vector tS ωˆ S tI ωˆ I . For a single- ˆ ˆ bandwidth, BPM, in Hz. Now suppose that, despite propa- pair state, the mean value of O is m ¼hOi, and the TFCM † gation losses and detector inefficiencies, Alice and Bob is Γ ¼hðΔOˆ ΔOˆ þ H:c:Þi=2, where ΔOˆ ≡ Oˆ − m and detect the signal and idler, respectively, from the preceding H.c. denotes Hermitian conjugate. The characteristic func- ˆ photon pair and record the associated arrival times [23,24]. tion associated with the single-pair state is χðζÞ¼heiζT Oi. After many such frames, they use public communication to Given the covariance matrix Γ, the Gaussian state with reconcile their arrival-time data, resulting in their sharing χðζÞ¼eiζT m−ζT Γζ=2 yields an m-independent upper bound nR random bits per postselected frame, i.e., frames used on Eve’s Holevo information [16,17,27] when the SPDC for key generation in which Alice and Bob both made source emits a single-pair state. ’ detections. How many of those bits are secure against Eve s A direct, complete measurement of the TFCM is quite collective attack? Before turning to the security analysis, challenging, so we resort to indirect measurements— we pause for a brief note about Eq. (1). This expression using a Franson interferometer and a conjugate-Franson is an oft-used approximation for the postselected biphoton interferometer—that provide useful partial information. state produced by an SPDC source (see, e.g., [14]). A Franson interferometer [28], shown in the top panel of Moreover, entanglement engineering can be employed to Fig. 1, consists of two unequal path-length Mach-Zehnder achieve a close match to a truly Gaussian biphoton wave interferometers, with the signal going through one and the function [25]. Our security analysis begins with the positive- ˆ ˆ frequency field operators, ESðtÞ and EIðtÞ, for the linearly polarized single spatial-mode signal and idler fields emitted by Alice’s source, and their associated frequency decompositions: Z dω − ðω 2þωÞ ˆ ð Þ¼ ˆ ðωÞ i P= t (2a) ES t 2π AS e ; Z dω ˆ ˆ −iðωP=2−ωÞt EIðtÞ¼ AIðωÞe . (2b) FIG. 1 (color online). (Top panel) Diagram for the Franson inter- 2π ferometer. (Bottom panel) Diagram for the conjugate-Franson ˆ ˆ interferometer. PM, phase modulator; OFS, optical-frequency The time-domain field operators ESðtÞ and EIðtÞ annihilate shifter; Dispþ, positive dispersion element; Disp−, negative signal and idler photons, respectively, at time t, and dispersion element; D, detector.

120506-2 week ending PRL 112, 120506 (2014) PHYSICAL REVIEW LETTERS 28 MARCH 2014 ~ ~ idler going through the other. The time delay ΔT between where tS (tI) is the random variable associated with the each Mach-Zehnder interferometer’s long and short paths measured signal (idler) arrival time from the Franson σ is much greater than the correlation time cor, ruling out interferometer with its long arms disabled. local interference in the individual interferometers. It is also Lemmas 1 and 2 are used below to bound Eve’s Holevo greater than the FWHM detector timing jitter, δT, so that information for a frame in which Alice’s source emits a coincidences are only registered when both photons go single photon pair. Because there is no security assurance through the long or the short path. Each long path is for multiple-pair emissions, we follow the lead of DVQKD equipped with a phase modulator, imparting phase shifts by employing decoy states [8,9] to deal with this problem. − ϕ − ϕ e i S and e i I to the signal and the idler, respectively. In particular, Alice operates her SPDC source at several The following lemma shows that Franson measurements, different pump powers, enabling Bob and her to estimate augmented by dispersion-based frequency measurements, the fraction, F, of their coincidences that originated from bound the signal-idler frequency correlations [26]. single-pair emissions [30]. — ðΔ Þ¼ Lemma 1. For a single-pair state, let VFI T To put an upper bound on Eve’s Holevo information, we ½PC ð0Þ − PC ðπÞ=½PC ð0ÞþPC ðπÞ, where PC ðϕS þ start from the following points: (1) Symmetry dictates that ϕ ÞFI FI ’ FI FI FI 0 π hΔωˆ 2i I is Alice and Bob s coincidence probability, be the - only 10 TFCM elements need to be found. Of these, S hΔˆ2i ’ fringe visibility when the Franson interferometer has and tS are immune to Eve s attack because Eve does not delay ΔT. Then the variance of the signal-idler frequency have access to Alice’s apparatus, which contains the SPDC difference satisfies source. (2) Given the Franson and conjugate-Franson interferometer’s fringe visibilities, making hΔtˆ Δωˆ i ≠ 4 J K 2 2½1 − V ðΔTÞ hðω~ − ω~ Þ i 2 0, for J; K ¼ S; I, does not increase Eve’s Holevo hðΔωˆ − Δωˆ Þ i ≤ FI þ S I ΔT ; S I ΔT2 12 information [26]. (3) From lemmas 1 and 2, we can (4) determine upper bounds on the excess noise factors 1 þ ξ ≡ hðΔωˆ − Δωˆ Þ2i hðΔωˆ − Δωˆ Þ2i 1 þ ξ ≡ ω S I = S0 I0 and t ω~ ω~ hðΔˆ − Δˆ Þ2i hðΔˆ − Δˆ Þ2i hðΔˆ − Δˆ Þ2i where S ( I) is the random variable associated with the tS tI = tS0 tI0 , where tS0 tI0 hðΔωˆ − Δωˆ Þ2i ’ measured signal (idler) angular frequency from the con- and S0 I0 are the source s variances as mea- jugate-Franson interferometer with its frequency-shifted sured by Alice during her source-characterization phase. arms disabled, i.e., when dispersion enables frequency Points 1–3 specify a set, M, of physically allowed correlations to be measured from arrival-time coincidences. TFCMs that preserve the Heisenberg uncertainty rela- A conjugate-Franson interferometer, shown in the tions for the elements of Oˆ , which are implied by ˆ bottom panel of Fig. 1, consists of two equal path-length ½ωˆ J; tK¼iϵJδJK. For each TFCM Γ ∈ M, the Gaussian Mach-Zehnder interferometers with one arm of each state χðζÞ¼e−ζT Γζ=2 affords Eve the maximum Holevo containing an electro-optic optical-frequency shifter. To information [16,17,27]. Using χΓðA; EÞ to denote that rule out local interference, these devices shift the signal Holevo information, our partial information about Γ gives −ΔΩ ΔΩ UB and idler frequencies by and , respectively, while us the upper bound χξ ξ ðA; EÞ¼supΓ∈M½χΓðA; EÞ on − ϕ t; ω phase modulators (not shown) apply phase shifts e i S what Eve can learn from a collective attack on a single-pair − ϕ and e i I , as was done in the Franson interferometer. frame. Thus, Alice and Bob’s SKR (in bits per second) has The positive and negative dispersionpffiffiffi elements have coef- the lower bound [9,26,31]: ficients β2 satisfying β2ΔΩ ¼ 2Tg > δT, where Tg is the duration of detectors’ coincidence gate [29]. They qp SKR ≥ r ½βIðA; BÞ − ð1 − FÞn − FχUB ðA; EÞ. (6) ’ R ξt;ξω disperse the signal and idler s frequency components with 3Tf respect to time so that two detectors suffice to measure their frequency coincidences [18,26]. The following lemma Here, q is the fraction of the frames used for key generation shows that conjugate-Franson measurements, augmented (as opposed to Franson or conjugate-Franson operation or by arrival-time measurements, bound the signal-idler decoy-state transmission for parameter estimation); pr is arrival-time correlations [26]. the probability of registering a coincidence in a frame; β is — Lemma 2. For a single-pair state, let the reconciliation efficiency; and IðA; BÞ is Alice and Bob’s V ðΔΩÞ¼½P ð0Þ − P ðπÞ=½P ð0ÞþP ðπÞ, CFI CCFI CCFI CCFI CCFI Shannon information. where P ðϕ þ ϕ Þ is Alice and Bob’s coincidence CCFI S I In Fig. 2, the left panel plots Alice and Bob’s SKR versus 0 π probability, be the - fringe visibility when the conjugate- transmission distance for two frame durations and two Franson interferometer has frequency shift ΔΩ. Then the system efficiencies for Alice (ηA) and Bob’s(ηB) receivers, variance of the signal-idler arrival-time difference satisfies which use superconducting nanowire single-photon detec- tors. To calculate the ξωs, we assume that the measured V 2½1 − ðΔΩÞ hð~ − ~ Þ4i FI 2 VCFI tS tI 2 — ¼ 16δ hðΔtˆ − Δtˆ Þ i ≤ þ ΔΩ ; values are their ideal values 93.25% for Tf T and S I ΔΩ2 12 ¼ 32δ — 98.27% for Tf T multiplied by 0.995. (These VFI (5) values are achievable; see [32] in which a 99.6% fringe

120506-3 week ending PRL 112, 120506 (2014) PHYSICAL REVIEW LETTERS 28 MARCH 2014

3.5 8 10 3 DWDM channel comparable to the detector timing jitter 6 10 2.5 [19] and deriving key from time-frequency coincidences. In 4 10 2 this case, the conjugate-Franson interferometer becomes 2 10 1.5 crucial because part of the secure key information is 0 10 1 SKR (bits/s) PIE (bits/coin) obtained by frequency measurements. Nevertheless, the −2 10 0.5 TFCM is still sufficient to bound Eve’s Holevo −4 10 0 0 50 100 150 200 250 300 0 50 100 150 200 250 300 information. Transmission distance (km) Transmission distance (km) Before concluding, it behooves us to compare our FIG. 2 (color). (Left panel) Alice and Bob’s SKR versus security predictions with the individual-attack results transmission distance. (Right panel) Alice and Bob’s PIE versus reported in Brougham et al. [20]. The comparison is not transmission distance. Both assume the following values. entirely straightforward because those authors considered a Entangled-pair flux: 0.01 pairs=frame;pffiffiffi detector timing jitter time-binned version of time-energy entanglement HDQKD δ ¼ 30 ¼200 Δ 2¼ ¼3 6δ ΔΩ 2π¼ T ps; BPM pffiffiffi GHz; T= Tg . T; = with no multiple-pair emissions or dark counts, whereas 5 β ΔΩ ¼ 2 ¼ 0 5 β ¼ 0 9 ¼ 8 GHz; 2 Tg; q . ; . ; nR ; our protocol operates in continuous time and includes both 3 dark-count rate ¼ 10 = sec; and fiber loss ¼ 0.2 dB=km. Solid of those effects. Consider the 1024-bin example from [20], ¼ 16δ ξ ¼ 0 22 ¼ 32δ curves: Tf T and ω . . Dashed curves: Tf T in which Eve obtains 6 of 10 bits when the Franson ξ ¼ 1 01 η ¼ η ¼ 15% and ω . . Blue curves: A B . Red and black interferometer’s fringe visibility is 99.2% and 5 bits when curves: η ¼ η ¼ 90%. Red and blue curves: ξ ¼ 41.5. Black A B t that visibility is 99.8%.pffiffiffi To compare our results with those, curves: ξt ¼ 400. we set Tf ¼ 1024 2δT so that Alice and Bob’s mutual information equals 10 bits per coincidence in the presence δ visibility was reported.) For the red and blue curves, we of T timing jitter when there are neither dark counts ξ nor multiple-pair emissions. Under these conditions, our calculate the ts by assuming that the measured VCFIs security analysis sets upper bounds of 6.07 and 5.83 bits are their ideal values—99.96% for both Tf ¼ 16δT and on Eve’s Holevo information for 99.2% and 99.8% Franson Tf ¼ 32δT—multiplied by 0.995. For the black curve, ξt represents jitter-limited raw arrival-time measurements. interferometer visibility, respectively. We see that QKD is possible out to 200 km when Alice In summary, we adapted the Gaussian-state security and Bob have receivers with 15% system efficiency. Going analysis for CVQKD to our time-energy entanglement to 90% system efficiency allows QKD out to 300 km and HDQKD protocol. We showed that a Franson interferom- ’ increases the SKR by nearly 2 orders of magnitude. eter s fringe visibility suffices against arbitrary collective There is an important point to make about the SKR attacks when that measurement is used in conjunction with decoy states, which allow the fraction of single-pair curves associated with the two ξt values we have employed. SPDC frames to be estimated. Adding a conjugate-Franson Constraining Eve to ξt ¼ 41.5 requires the use of a conjugate-Franson interferometer because jitter-limited interferometer to the system enables tighter constraints raw arrival-time measurements cannot measure finer than on the TFCM, leading to a higher SKR. Our protocol promises QKD over 200 km and multiple secure bits per ξt ¼ 400 with our system parameters. Surprisingly, ξt ¼ 400 still yields a positive SKR. This is because eavesdrop- coincidence. ping in one basis disturbs correlation in the conjugate basis. We thank T. Zhong for valuable discussions. This work In our protocol, Alice and Bob generate key from the time was supported by the DARPA Information in a Photon basis, so degradation in the timing correlation does not Program through Army Research Office Grant ’ increase Eve s Holevo information, although it slightly No. W911NF-10-1-0416. reduces Alice and Bob’s mutual information and hence their SKR. The PIE is defined to be the number of secure-key bits per photon coincidence in the key-generation phase, *[email protected] PIE ¼ SKR × 3Tf=qpr. The right panel of Fig. 2 plots [1] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. PIE versus transmission distance. It shows that Alice and Phys. 74, 145 (2002). Bob achieve PIE ≥ 2 secure-key bits per coincidence in the [2] F. Grosshans, G. Van Assche, J. Wenger, R. Brouri, N. J. key-generation phase out to 200 km when their receivers Cerf, and P. Grangier, Nature (London) 421, 238 (2003). have a 15% system efficiency. [3] J. Lodewyck et al., Phys. Rev. A 76, 042305 (2007). Our protocol sacrifices potential SKR when detector [4] C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems, and timing jitter, δT, exceeds the SPDC source’s correlation σ ð ; Þ Signal Processing, Bangalore, India (IEEE, New York, time, cor; i.e., I A B cannot approach the ultimate limit 1984), p. 175. ðσ σ Þ of log2 coh= cor bits per coincidence that is set by the [5] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). source’s Schmidt number. That limit can be achieved with [6] Q. D. Xuan, Z. Zhang, and P. L. Voss, Opt. Express 17, DWDM that makes the two-photon correlation time in each 24244 (2009).

120506-4 week ending PRL 112, 120506 (2014) PHYSICAL REVIEW LETTERS 28 MARCH 2014

[7] P. Jouguet, S. Kunz-Jacques, A. Leverrier, P. Grangier, and There will be many empty frames because the average E. Diamanti, Nat. Photonics 7, 378 (2013). number of pairs per frame will be much smaller than one. [8] X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005). [23] The SPDC source’s pair flux will be kept well below one [9] H.-K Lo, X. F. Ma, and K. Chen, Phys. Rev. Lett. 94, pair per Tf-sec frame. Nevertheless, security demands that 230504 (2005). multiple-pair frames be accounted for. Later we describe [10] T. Schmitt-Manderbach et al., Phys. Rev. Lett. 98, 010504 how that is done via decoy states. (2007). [24] Alice and Bob’s clocks must be synchronized to better than [11] D. Rosenberg, J. W. Harrington, P. R. Rice, P. A. Hiskett, their detectors’ timing jitters, but this is not problematic. C. G. Peterson, R. J. Hughes, A. E. Lita, S. W. Nam, and Synchronization of remote optical clocks is an active J. E. Nordholt, Phys. Rev. Lett. 98, 010503 (2007). research area that focuses on femtosecond and subfemto- [12] L. Zhang, C. Silberhorn, and I. A. Walmsley, Phys. Rev. second precision, which is far better than the ∼10 ps we Lett. 100, 110504 (2008). require [see, e.g., J. Kim, J. A. Cox, J. Chen, and F. X. [13] W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, Phys. Rev. Kärtner, Nat. Photonics 2, 733 (2008); K. Predehl et al., Lett. 84, 4737 (2000). Science 336, 441 (2012)]. Furthermore, although Eve’s [14] I. Ali-Khan, C. J. Broadbent, and J. C. Howell, Phys. Rev. manipulation of Alice and Bob’s timing channel could Lett. 98, 060503 (2007). degrade their Shannon information, any information it [15] J. Nunn, L. J. Wright, C. Söller, L. Zhang, I. A. Walmsley, affords Eve about their raw key is still bounded above by χUB ðA; EÞ. and B. J. Smith, Opt. Express 21, 15959 (2013). ξt;ξω [16] M. Navascués, F. Grosshans, and A. Acín, Phys. Rev. Lett. [25] P. B. Dixon, J. H. Shapiro, and F. N. C. Wong, Opt. Express 97, 190502 (2006). 21, 5879 (2013). [17] R. García-Patrón and N. J. Cerf, Phys. Rev. Lett. 97, 190503 [26] See the Supplemental Material at http://link.aps.org/ (2006). supplemental/10.1103/PhysRevLett.112.120506 for the [18] J. Mower, Z. Zhang, P. Desjardins, C. Lee, J. H. proof. Shapiro, and D. Englund, Phys. Rev. A 87, 062322 [27] M. M. Wolf, G. Giedke, and J. I. Cirac, Phys. Rev. Lett. 96, (2013). 080502 (2006). [19] J. Mower, F. N. C. Wong, J. H. Shapiro, and D. Englund, [28] J. D. Franson, Phys. Rev. Lett. 62, 2205 (1989). arXiv:1110.4867. [29] The variousp timeffiffiffiffiffiffiffiffiffiffiffiffiffi intervals associated with our protocol ¼ 8 ð2Þσ Δ δ ≫ σ [20] T. Brougham, S. M. Barnett, K. T. McCusker, P. G. Kwiat, satisfy Tf ln coh > T>Tg > T cor. and D. J. Gauthier, J. Phys. B 46, 104010 (2013). [30] Alice and Bob use all frames in which they have coinci- [21] A similar interferometer was suggested in W. Grice et al., dences. The Supplemental Material at http://link.aps.org/ Digest of Frontiers in Optics 2010 (Optical Society of supplemental/10.1103/PhysRevLett.112.120506 explains America, Washington, DC, 2010), paper FTuG3. how they deal with frames that contain multiple coincidences. [22] We take Tf to be the full-width-at-half-maximum coherence [31] D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, time of the SPDC source and put Tf-second-long buffer Quantum Inf. Comput. 4, 325 (2004). intervals on both sides of each frame to minimize the [32] T. Zhong and F. N. C. Wong, Phys. Rev. A 88, 020103(R) likelihood of more than one pair per frame being emitted. (2013).

120506-5