entropy

Review An Overview of Geometrical Optics Restricted Quantum Key Distribution

Ziwen Pan * and Ivan B. Djordjevic

Department of Electrical & Computer Engineering, College of Engineering, The University of Arizona, 1230 E Speedway Blvd, Tucson, AZ 85721, USA; [email protected] * Correspondence: [email protected]

Abstract: Quantum key distribution (QKD) assures the theoretical information security from the physical layer by safely distributing true random numbers to the communication parties as secret keys while assuming an omnipotent eavesdropper (Eve). In recent years, with the growing applications of QKD in realistic channels such as satellite-based free-space communications, certain conditions such as the unlimited power collection ability of Eve become too strict for security analysis. Thus, in this invited paper, we give a brief overview of the quantum key distribution with a geometrical optics restricted power collection ability of Eve with its potential applications.

Keywords: quantum key distribution; satellite; free-space channel

1. Introduction There has been a long history of cryptography [1–6]. Before the 20th century, cryptog-



 raphy was considered as an art that mainly relies on personal skills to construct or break codes, without proper theoretical study [7]. Focused on message confidentiality, classical Citation: Pan, Z.; Djordjevic, I.B. An cryptography was known to ensure secrecy in communications under different situations Overview of Geometrical Optics such as military or diplomat use or between spies. An important representative of classic Restricted Quantum Key Distribution. cryptography is transposition ciphers, which rearrange the message to hide the original Entropy 2021, 23, 1003. https:// meanings. After the early 20th century, following the establishment of the information doi.org/10.3390/e23081003 theory by Harry Nyquist, Ralph Hartley, and Claude Shannon [8–13], the study of cryptog- raphy started to exploit the tools of mathematics. Cryptography also became a branch of Academic Editor: Steeve Zozor engineering, especially after the use of computers, which allows binary encryption of data. Two major schemes of modern cryptography include symmetric (private-key) cryptogra- Received: 29 June 2021 phy, e.g., the Data Encryption Standard (DES) [14] and Advanced Encryption Standard Accepted: 27 July 2021 Published: 31 July 2021 (AES) [15], and asymmetric (public-key) cryptography, e.g., RSA algorithm [16]. Symmetric cryptography relies on the shared key between the communication parties (Alice and Bob),

Publisher’s Note: MDPI stays neutral whereas in asymmetric cryptography, the encryption keys are different from decryption with regard to jurisdictional claims in keys. In general, symmetric cryptography is more efficient than asymmetric cryptography published maps and institutional affil- with more concise designs, but it has difficulties when it comes to the safe distribution of iations. the shared keys. On the other hand, asymmetric cryptography using a public key and a private key for encryption and decryption, respectively, relies upon mathematical problems termed one-way functions that are computationally infeasible from one direction (public key) [17], and are more widely used today for avoiding the risky stage of safe distribution of keys in symmetric cryptography. Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. However, with the fast development of quantum computing [18] and its potential This article is an open access article in solving conventional one-way functions, it is possible to break the current encryption distributed under the terms and systems [19] with algorithms such as Shor’s algorithm [20] and Grover’s algorithm [21]; conditions of the Creative Commons thus, the QKD is now becoming more and more important in the new era of information Attribution (CC BY) license (https:// security. Different from the asymmetric cryptography used today, QKD is based on creativecommons.org/licenses/by/ symmetric cryptography, guaranteeing the secure distribution of the secret keys with 4.0/). the laws of quantum mechanics that the measurement process generally disturbs the

Entropy 2021, 23, 1003. https://doi.org/10.3390/e23081003 https://www.mdpi.com/journal/entropy Entropy 2021, 23, 1003 2 of 11

measured system. This can be used to detect eavesdropping actions as any adversaries would have to perform measurement to eavesdrop. Since the study of the first QKD protocol BB84 [2], the theory of QKD has vastly developed, with numerous protocols proposed [3–5,22–32] to improve security and increase secure-key rate (SKR). Combined with the one-time pad proved to be asymptotically safe in 1949 by Claude Shannon [1], QKD promises completely secure communication. On the other hand, QKD conventionally assumes that Eve is only limited by the laws of physics even though some assumptions might be unrealistic. For example, Eve is always assumed to have the ability to collect all photons that do not arrive at Bob’s receiver, which would make sense in cases such as fiber communication but would be too strict for wireless communication cases. Thus, interest has been rising surrounding the study of QKD with more realistic power collection assumptions and its potential applications [33–40]. In this invited paper, we present an overview of the geometrical optics restricted quantum key distribution with certain power collection restrictions applied on Eve. We start by reviewing the conventional QKD studies in Section2 with different protocols and compare the achievable secure-key rate between the famous discrete variable protocol BB84 with decoy states added and the continuous variable Gaussian modulated QKD scheme. Then, in Section3, we introduce the geometrical optics restricted model by limiting Eve’s collectable power with a beam splitter and showcase the lower bound results in this model. After that, we present some possible applications of this model by studying some representative scenarios with it.

2. Quantum Key Distribution (QKD) With the fast development of potential applications of QKD such as quantum net- works [41,42] and satellite-based quantum secure communication [43–47], various protocols have been proposed aimed at improved security while assuming an all-powerful eavesdrop- per. For example, the first QKD protocol BB84 was studied in 1984 by Charles H. Bennett et al. to use polarization states to securely distribute secret keys [2]. It was also known as the first prepare-and-measure (PM) model as it exploits the result of quantum indeterminacy that measuring an unknown quantum state in general changes the state. It was then simplified to the B92 protocol by using two non-orthogonal states [3] before extending to its entanglement-based (EB) version BBM92 [4] in 1992. Different from the PM models, the EB models use entangled pairs in the transmission stage to distribute secret keys to the two communication parties. BBM92 was also consid- ered as an improvement to the first EB model E91 [5], which uses three mutually unbiased bases instead of two in BBM92. There was also an important equivalence established between PM and EB models in [4] that the security proof of one implies the same for the other. However, when it comes to device-independent (DI) studies, EB models have advan- tages over PM models [23] since the security proofs of DI-QKD are mainly based on the violation of Bell inequalities [48–51]. Some PM models are proven to be partially DI [52] The device independence study was first proposed in [6] using internal operations to “self-test” quantum apparatus. Different protocols have since been studied [22–24]. Another important category of quantum key distribution protocols is the continuous- variable (CV-) QKD. Different from most protocols described above, which are called discrete-variable (DV) protocols that rely on single photon sources and single photon detectors, CV protocols encode keys into CV observables of light fields [53]. This enabled CV protocols to be more easily implementable as it is compatible with most current communication devices. The first protocol using squeezed states [25] was proposed in 2000, which generalizes the BB84 protocol using squeezed states. In 2002, another important CV protocol GG02 using Gaussian modulated coherent states [26] was proposed as coherent states are much easier to generate experimentally. Other interesting directions in QKD research include using decoy states [27–29,54] against photon number splitting (PNS) attack [55] where the eavesdropper exploits the EntropyEntropy 2021 2021, 23, ,1003 23, 1003 3 of 311 of 11

Entropy 2021, 23, 1003 3 of 11

OtherOther interesting interesting directions directions in QKDin QKD research research include include using using decoy decoy states states [27–29,54] [27–29,54] against photon number splitting (PNS) attack [55] where the eavesdropper exploits the Entropy 2021, 23, 1003 against photon number splitting (PNS) attack [55] where the eavesdropper exploits3 the of 11 loophole of a non-ideal single photon transmission; finite-size analysis [56] where the Other interestingloophole directionsof a non-ideal in QKD single research photon include transm usingission; decoy finite-size states analysis[27–29,54] [56] where the transmitted sequence is not large enough for asymptotic security analysis; measurement- against photontransmitted number splitting sequence (PNS) is not attack large [55]enough where for theasymptotic eavesdropper security exploits analysis; the measurement- device-independent (MDI-) QKD [57] that comes from DI-QKD but assumes perfect prep- loophole of a device-independentnon-ideal single photon (MDI-) transm QKD ission;[57] that finite-size comes from analysis DI-QKD [56] but where assumes the perfect prep- aration of the states; and high-dimensional QKD that exploits high dimensional degrees transmitted sequencearationloophole ofis not ofthe a largestates; non-ideal enough and single high-dimensional for photonasymptotic transmission; security QKD that analysis; finite-size exploits measurement- analysis high dimensional [56] where thedegrees trans- of freedom such as the orbital angular momentum (OAM) [30–32] and the temporal-spec- device-independentofmitted freedom (MDI-) sequence such QKD as is the[57] not orbital largethat comes enough angular from for mo DI-QKD asymptoticmentum but (OAM) security assumes [30–32] analysis; perfect and measurement-device-prep- the temporal-spec- tral [58,59] aimed at increasing key rates, etc. Here we present introductions to two repre- aration of the tralstates;independent [58,59] and aimedhigh-dimensional (MDI-) at increasing QKD [57 ]QKD key that rates, comesthat exploits et fromc. Here DI-QKD high we presentdimensional but assumes introductions degrees perfect to preparation two repre- of sentatives in DV and CV protocols: of freedom suchsentativesthe as states;the orbital in and DV high-dimensionalangular and CV mo protocols:mentum QKD (OAM) that [30–32] exploits and high the dimensional temporal-spec- degrees of freedom tral [58,59] aimedsuch at increasing as the orbital key angular rates, et momentumc. Here we present (OAM) introductions [30–32] and the to two temporal-spectral repre- [58,59] aimed2.1. BB84 at increasing key rates, etc. Here we present introductions to two representatives in sentatives in DV2.1. and BB84 CV protocols: DV and CV protocols: BB84BB84 protocol protocol uses uses single single phot photonsons to distribute to distribute secret secret keys. keys. First, First, Alice Alice randomly randomly pre- pre- pares a sequence chosen from two sets of orthogonal bases as in Figure 1 and sends them 2.1. BB84 pares2.1. BB84a sequence chosen from two sets of orthogonal bases as in Figure 1 and sends them to Bob.to Bob. BB84 protocol usesBB84 single protocol phot usesons to single distribute photons secret to keys. distribute First, Alice secret randomly keys. First, pre- Alice randomly pares a sequenceprepares chosen afrom sequence two sets chosen of orth fromogonal two bases sets ofas orthogonalin Figure 1 basesand sends as in them Figure 1 and sends to Bob. them to Bob.

FigureFigure 1. BB84 1. BB84 polarization polarization bases. bases.

Next, Bob would also randomly choose from these two sets of orthogonal bases to Figure 1. BB84 polarizationNext, bases.Bob Figurewould 1.alsoBB84 randomly polarization choose bases. from these two sets of orthogonal bases to measuremeasure the thereceived received photons. photons. After After completing completing the themeasurements, measurements, Bob Bob would would report report his his basis of measurement. If Alice’s preparing basis is the same as Bob’s measurement basis, Next, Bobbasis would ofNext, measurement. also Bob randomly would If alsochoose Alice’s randomly from preparing these choose batwosis from sets is the of these sameorthogonal two as setsBob’s bases of measurement orthogonal to bases basis, to then the result should be the same, which would be the sifted keys. measure the receivedthenmeasure the photons. result the received should After becompleting photons. the same After ,the which completingmeasurements, would be the the measurements,Bob sifted would keys. report Bob his would report his If Eve intercepts the photons transmitted, performs a measurement of her own, and basis of measurement.basisIf ofEve If measurement. Alice’sintercepts preparing the If photons Alice’s basis preparing transmitted,is the same basis as performs Bob’s is the measurement same a measurement as Bob’s basis, measurement of her own, basis,and resends the photons to Bob, then when Eve’s measurement basis is not the same as Alice’s then the resultresends shouldthen the thebe result thephotons same should ,to which Bob, be the thenwould same, when be which the Eve’s sifted would measurement keys. be the sifted basis keys. is not the same as Alice’s and Bob’s, the polarization state would be changed so that the sifted keys would be dif- If Eve interceptsand Bob’s,If the Eve thephotons intercepts polarization transmitted, the photons state wouldperforms transmitted, be achanged measurement performs so that a of measurementthe her sifted own, keys and of would her own, be dif- and ferent on Alice’s and Bob’s side. Thus, either Alice or Bob can reveal some of the sifted resends the photonsferentresends toon Bob, theAlice’s photons then and when toBob’s Bob, Eve’s side. then measurement Thus, when either Eve’s basis measurementAlice is ornot Bob the can basissame reveal isas not Alice’s some the same of the as Alice’ssifted keys publicly for the other party to compare and detect possible eavesdropping. An illus- and Bob’s, thekeys polarizationand publicly Bob’s, the forstate polarization the would other beparty state changed wouldto compar so be that changede and the detect sifted so that possiblekeys the siftedwould eavesdropping. keys be dif- would be An different illus- trative example of this process is shown in Table 1. ferent on Alice’strativeon and Alice’s example Bob’s and side. of Bob’s this Thus, side.process either Thus, is Alice shown either or inBob Alice Table can or 1. reveal Bob can some reveal of the some sifted of the sifted keys keys publicly forpublicly the other for party the other to compar party toe and compare detect and possible detect ea possiblevesdropping. eavesdropping. An illus- An illustrative Entropy 2021, 23, 1003 Table 1. BB84 protocol process illustration. 4 of 11 trative exampleTableexample of this1. BB84 process of protocol this processis shown process is in shownillustration. Tablein 1. Table 1.

Random Bits 0 1 0 0 1 1 1 0 1 Random Bits Table 1. BB840 protocol process1 Table illustration. 1.0 BB84 protocol0 process1 illustration.1 1 0 1

RandomBobAlice basis basis Bits b 0 a a 1a 0a b 0b a b 1 b a a 1 1b b 0a b b 1a Random Bits Alice basis 0 1 a 0 a 0 b 1 a 1 b 1 a 0 b 1 b a Alice basis a a b a b a b b a

Alice basis a a b a b a b b a PolarizationBobPolarization measurement state state sent results sent random random random random random Polarization state sent

Polarization state sent BobSifted basis keys b1 a a b 1 b1 a b1 a b

Bob measurement results random random random random random

2.2. GG02 Sifted keys 1 1 1 1 GG02 protocol uses Gaussian modulated coherent states, as in Figure 2, to distribute secret keys. First, Alice generates random real number pairs (ax, ap) from two independent Gaussian distributions with given modulation variances and sends them to Bob. Next, Bob randomly chooses to measure either x or p quadrature components.

Figure 2. Gaussian modulated coherent states distributed on phase space.

After all the transmission and measurements are done, Bob discloses for each meas- urement whether he measured x or p components. Then, Alice retains the corresponding ax and ap values. Secret keys can then be extracted with certain reconciliation and privacy amplification. For these protocols, if Bob is the one performing the measurement and Alice is post- processing its outcomes to infer Bob’s encodings, assisted by classical communications from Bob to Alice, this is the reverse reconciliation scheme. Otherwise, it is the direct rec- onciliation scheme. Here we present a secure key rate lower bound (achievable rate) com- parison between CV Gaussian modulation protocol with coherent states, heterodyne de- tection, reverse reconciliation, and DV protocol Decoy-State (DS-) BB84, of which detailed calculations can be found in [33,60]. We assume that a weak coherent-state source with signal-state pulses is used which transmits photons per pulse on average at a rate states per second over an Alice-to-Bob channel with overall transmissivity . Thermal noise is denoted as per mode. In Figure 3a,b, the reconciliation efficiency for CV protocol and for DV proto- col are both set to one. By comparing Figure 3a,c, we can see that in a pure loss channel ( = 0), the CV protocol always outperforms its DV counterpart. However, when ther- mal noise is non-zero, DV can outperform CV, especially when reconciliation is not per- fect. We can also compare DV and CV results with input power optimized, as in Figure 4, where the input power is optimized correspondingly with perfect reconciliation. We can

Entropy 2021, 23, 1003 4 of 11

Bob basis b a a b b a b a b

Bob measurement results random random random random random

Sifted keys 1 1 1 1

Entropy 2021, 23, 1003 4 of 11

2.2. GG02 GG022.2. GG02 protocol uses Gaussian modulated coherent states, as in Figure 2, to distribute GG02 protocol uses Gaussian modulated coherent states, as in Figure2, to distribute secret keys. First, Alice generates random real number pairs (ax, ap) from two independent secret keys. First, Alice generates random real number pairs (ax, ap) from two independent GaussianGaussian distributions distributions with with givengiven modulation modulation variances variances and sends and them sends to Bob. them Next, to Bob Bob. Next, Bob randomlyrandomly chooses chooses to measureto measure either eith x orer p quadraturex or p quadrature components. components.

FigureFigure 2. Gaussian 2. Gaussian modulated modulated coherent coherent statesstates distributed distributed on phase on phase space. space. After all the transmission and measurements are done, Bob discloses for each mea- Aftersurement all whetherthe transmission he measured and x or measurementsp components. Then, are Alice done, retains Bob the discloses corresponding for each meas- urementax and whether ap values. he Secretmeasured keys canx or then p components. be extracted with Then, certain Alice reconciliation retains the and corresponding pri- ax andvacy ap values. amplification. Secret keys can then be extracted with certain reconciliation and privacy amplification.For these protocols, if Bob is the one performing the measurement and Alice is post- processing its outcomes to infer Bob’s encodings, assisted by classical communications Forfrom these Bob to protocols, Alice, this if is Bob the reverse is the reconciliationone performing scheme. the Otherwise,measurement it is theand direct Alice is post- processingreconciliation its outcomes scheme. Hereto infer we present Bob’s aencodi securengs, key rate assisted lower boundby classical (achievable communications rate) from comparisonBob to Alice, between this CVis the Gaussian reverse modulation reconciliation protocol scheme. with coherent Otherwise, states, heterodyne it is the direct rec- onciliationdetection, scheme. reverse Here reconciliation, we present and DV a secure protocol key Decoy-State rate lower (DS-) bound BB84, of (achievable which detailed rate) com- calculations can be found in [33,60]. We assume that a weak coherent-state source with parisonsignal-state between pulses CV isGaussian used which modulation transmits µ photons protocol per pulsewith on coherent average at states, a rate R heterodynestates de- tection,per reverse second over reconciliation, an Alice-to-Bob and channel DV protoc with overallol Decoy-State transmissivity (DS-)η. ThermalBB84, of noise which is detailed calculationsdenoted ascanne beper found mode. in [33,60]. We assume that a weak coherent-state source with signal-stateIn Figurepulses3a,b, is theused reconciliation which transmits efficiency β forphotons CV protocol per andpulsefL foron DVaverage protocol at a rate statesare per both second set to one.over By an comparing Alice-to-Bob Figure channel3a,c, we canwith see overall that in atransmissivity pure loss channel . Thermal (ne = 0), the CV protocol always outperforms its DV counterpart. However, when thermal noisenoise is denoted is non-zero, as DV canper outperform mode. CV, especially when reconciliation is not perfect. We Incan Figure also compare 3a,b, the DV andreco CVnciliation results with efficiency input power for optimized, CV protocol as in Figure and 4, where for DV proto- col arethe both input set power to one. is optimized By comparing correspondingly Figure with 3a,c, perfect we reconciliation.can see that Wein a can pure see thatloss channel ( =although 0), the Gaussian-modulatedCV protocol always CV outperforms protocol has advantages its DV counterpart. over DS-BB84 However, on the secure when ther- key rate, it does not outperform DS-BB84 when it comes to the transmission distance as mal noisechannel is lossnon-zero, increases DV with can increasing outperform transmission CV, especially distance. when reconciliation is not per- fect. We can also compare DV and CV results with input power optimized, as in Figure 4, where the input power is optimized correspondingly with perfect reconciliation. We can

Entropy 2021, 23, 1003 5 of 11

Entropy 2021, 23, 1003 5 of 11

Entropy 2021, 23, 1003see that although Gaussian-modulated CV protocol has advantages over DS-BB84 on the 5 of 11 secure key rate,see it thatdoes although not outperform Gaussian-modulated DS-BB84 when CV it protocolcomes to has the advantagestransmission over dis- DS-BB84 on the tance as channelsecure loss increaseskey rate, withit does increasing not outperform transmission DS-BB84 distance. when it comes to the transmission dis- tance as channel loss increases with increasing transmission distance.

(a) (b) (a) (b)

(c) (d) (c) (d) Figure 3. ComparisonFigure 3. Comparison of CV Gaussian of CV modulation Gaussian protocolmodulation with prot coherentocol with states, coherent heterodyne states, detection, heterodyne reverse de- reconciliation, tection, reverse reconciliation,Figure 3. Comparison and DV of protocol CV Gaussian DS-BB84 modulation with mean prot photonocol with number coherent per stinputates, heterodyne de- and DV protocol DS-BB84 with mean photon number per input mode. (a) Perfect reconciliation in pure loss channel. mode. (a) Perfecttection, reconciliation reverse in reconciliation, pure loss channel. and DV (b) protocolPerfect reconciliation DS-BB84 with with mean photon = 0.0001 number. per input (b) Perfect reconciliation with ne = 0.0001.(c) Imperfect reconciliation in pure loss channel. (d) Imperfect reconciliation (c) Imperfect reconciliationmode. (a) Perfect in pure reconciliation loss channel. in (d pure) Imperfect loss channel. reconciliation (b) Perfect with reconciliation = 0.0001 with. = 0.0001. with ne = 0.0001. (c) Imperfect reconciliation in pure loss channel. (d) Imperfect reconciliation with = 0.0001.

Figure 4. Comparison of CV Gaussian modulation protocol with coherent states, heterodyne detec- tion, reverse reconciliation, and DV protocol DS-BB84 with channel loss. Here the input power is optimized correspondingly. Reconciliation is perfect for both CV and DV protocols.

Entropy 2021, 23, 1003 6 of 11

Figure 4. Comparison of CV Gaussian modulation protocol with coherent states, heterodyne detec- tion, reverse reconciliation, and DV protocol DS-BB84 with channel loss. Here the input power is optimized correspondingly. Reconciliation is perfect for both CV and DV protocols. Entropy 2021, 23, 1003 6 of 11

3. Geometrical Optics Restricted Model 3. GeometricalIn this Optics section, Restricted we introduce Model the geometrical optics restricted model with realistic powerIn this collection section, we introducerestriction the on geometrical the eavesdropper. optics restricted In model [33], witha wiretap realistic channel is used to de- powernote collection the power restriction collection on the eavesdropper.restriction on In [Eve33], a as wiretap in Figure channel 5. is Here used to the beam splitter with denote the power collection restriction on Eve as in Figure5. Here the beam splitter with transmissivitytransmissivityκ denotes denotes that Eve canthat only Eve collect canκ onlyfraction collect of the photons fraction that doof not the photons that do not arrivearrive at Bob’s at Bob’s receiver. receiver. The Alice-to-Bob The Alice-to-Bob channel is with channel transmissivity is withη. transmissivity .

FigureFigure 5. The 5. wiretapThe wiretap channel notationchannel of notation the geometrical of the optics geometrical restricted model. optics restricted model. Similar notations have been seen in broadcast channel studies [61,62]. Starting from the HashingSimilar inequality notations [63] the have lower been bound seen on the in secure broadcast key rate channel for both direct studies and [61,62]. Starting from reversethe Hashing reconciliation inequality were derived [63] without the lower a specified bound detection on the scheme secure on one key of therate for both direct and communication parties: reverse reconciliation were derived without a specified detection scheme on one of the ! νER − 1 communication parties: yi K→ ≥ βg(ne(1 − η) + ηµ) − ∑ g − βg(ne(1 − η)) + g(ne(1 − ηκ)) (1) i 2 −1 (1) ER !   ER ! ≥((1−νy − )1 +) −ηµ(1 + µ) −(νy1−− 1 )+((1−)) ≥ → ( ) − i − − + i K← βg µ ∑i g βg µ 2 ∑i g (2) 2 1 + ne − neη + ηµ 2

g(x) = (x + 1) log2(x + 1) − x log2 x (3) where detailed expressions of νER can be found in [33]. () ≥() y−i ∑ −− +∑ (2) Here we reproduce← the comparison in Figure 4 between DV protocol DS-BB84 and CV Gaussian modulation protocol with coherent states, heterodyne detection, and reverse reconciliation as in Figure6. We retain the results from Figure4, as κ = 1 case and plotted the DV and CV rate with κ = 0.5. We( can) = see(+1 an increase) log in( the + achievable 1) − log rate in both CV (3) and DV protocols and that the CV protocol only holds advantages over the DV protocols whenwhere channel detailed loss is small.expressions We can also of see that can when beκ found= 0.5, the in rate[33]. goes to zero at a larger channelHere loss,we suggestingreproduce larger the transmission comparison distance in Fi ingure this case. 4 between DV protocol DS-BB84 and CV Gaussian modulation protocol with coherent states, heterodyne detection, and reverse reconciliation as in Figure 6. We retain the results from Figure 4, as =1 case and plotted the DV and CV rate with =0.5. We can see an increase in the achievable rate in both CV and DV protocols and that the CV protocol only holds advantages over the DV proto- cols when channel loss is small. We can also see that when =0.5, the rate goes to zero at a larger channel loss, suggesting larger transmission distance in this case.

EntropyEntropy2021 2021,,23 23,, 1003 1003 77 ofof 1111

Figure 6. DV protocol DS-BB84 and CV Gaussian modulation protocol with coherent states, hetero- Figure 6. DV protocol DS-BB84 and CV Gaussian modulation protocol with coherent states, hetero- dyne detection, and reverse reconciliation SKR comparison with input power optimized. dyne detection, and reverse reconciliation SKR comparison with input power optimized.

TheThe geometricalgeometrical opticsoptics restricted restricted model model has has multiple multiple potential potential applications applications in differentin differ- scenariosent scenarios of practical of practical importance. importance. Here Here we presentwe present some some possible possible directions. directions.

3.1.3.1. Application of GeometricalGeometrical OpticsOptics RestrictedRestricted Model:Model: Limited ApertureAperture SizeSize AnalysisAnalysis DifferentDifferent from the assumptions in in conventional conventional QKD QKD study study that that Eve Eve is isunlimited unlimited in inher her ability ability of power of power collection, collection, in most in most realistic realistic application application scenarios, scenarios, especially especially in wire- in wirelessless communication, communication, Eve is Eve limited is limited by her by receiver her receiver aperture aperture size. Taking size. Taking free-space free-space optical opticalcommunication communication link aslink an example, as an example, the receiver the receiver aperture aperture size usually size usually ranges ranges from from a few a fewcentimeters centimeters to a tofew a fewdecimeters. decimeters. If we If only we only restrict restrict Eve’s Eve’s aperture aperture size sizebut grant but grant her mo- her mobilitybility of ofher her aperture, aperture, which which could could be be accomplished accomplished through through unmanned aerial vehiclevehicle (UAV)(UAV) or or usage usage of of a a spy spy satellite satellite during during satellite satellite communications, communications, we we can can study study the the security secu- ofrity specific of specific application application occasions. occasions. InIn [[35,37,38],35,37,38], thethe straightforwardstraightforward casecase scenarioscenario ofof aa limited-sizedlimited-sized apertureaperture ofof EveEve isis consideredconsidered wherewhere EveEve placesplaces herher apertureaperture besidebeside Bob’sBob’s receiverreceiver inin aa satellite-to-satellitesatellite-to-satellite communicationcommunication schemescheme asas inin FigureFigure7 7a.a. It It is is shown shown in in Figure Figure7 b7b that that the the rate rate tends tends to to be be a a constantconstant whenwhen thethe transmissiontransmission distancedistance isis sufficientlysufficiently large.large. This was also derived in detail as in Equations (4) and (5), where m is the ratio of Eve’s aperture size versus Bob’s aperture size.

lim K→ ≥ − log m (4) µ→∞,L→∞ 2

m 1+m lim K← ≥ − log e (5) µ→∞,L→∞ 2 m + 1 In [36,40], the case with dynamically positioned eavesdropper aperture is considered with Eve’s position being optimized, as in Figure8a. In Figure8b, both CV and DV lower bounds are presented with optimized Eve’s position. Assuming the Gaussian beam is transmitted, because of the cylindrical symmetry of a Gaussian beam, the distance D between Eve’s aperture to the beam transmission axis can be used to denote Eve’s position combined with Bob-to-Eve distance LBE. It is clear that by optimizing Eve’s position, advantages over Alice and Bob can be further obtained by Eve compared with Figure7b.

Entropy 2021, 23, 1003 8 of 11

Entropy 2021, 23, 1003 Entropy 2021, 23, 1003 8 of 11 8 of 11

(a) (b)

Figure 7. (a) Setup of the limited aperture scenario. , , respectively refer to the aperture area of Alice (radius ), Bob (radius ), and Eve (radius ). is the distance between Alice’s ap- erture and Bob’s. (b) CV and DV SKR lower bounds versus transmission distance with optimized input power. Gaussian beam with beam waist = and wavelength = 1550 nm is transmit- ted. The space temperature is set to =3 K.

This was also derived in detail as in Equations (4) and (5), where is the ratio of Eve’s aperture size versus Bob’s aperture size.

lim → ≥−log →,→ (4)

lim ← ≥−log (5) →,→ +1 In [36,40], the case with dynamically positioned eavesdropper aperture is considered with Eve’s position being optimized, as in Figure 8a. In Figure 8b, both CV and DV lower bounds are presented(a) with optimized Eve’s position. Assuming(b) the Gaussian beam is Figuretransmitted, 7. (a) Setup because of the of limitedthe cylindrical aperture syscenario.mmetry of, a ,Gaussian respectively beam, referthe distance to the aperture be- Figure 7. (a) Setup of the limited aperture scenario. Aa, Ab, Ae respectively refer to the aperture area of Alice (radius ra), areatween of AliceEve’s (radius aperture ), toBob the (radius beam transmission), and Eve (radius axis can). be is usedthe distance to denote between Eve’s Alice’s position ap- Bob (radius rb), and Eve (radius re). L is the distance between Alice’s aperture and Bob’s. (b) CV and DV SKR lower bounds erture and Bob’s. (b) CV and DV SKR lower bounds versus transmission distance with optimized versuscombined transmission with distance Bob-to-Eve with optimized distance input power.. It is Gaussian clear that beam by with optimizing beam waist Eve’sW0 =position,ra and wavelength ad- λ = 1550inputvantages nm power. is transmitted. over Gaussian Alice The andbeam space Bob with temperature can beam be furtherwaist is set to obtainedT ==3 K. and by wavelength Eve compared = 1550 with n mFigure is transmit- 7b. ted. The space temperature is set to =3 K.

This was also derived in detail as in Equations (4) and (5), where is the ratio of Eve’s aperture size versus Bob’s aperture size.

lim → ≥−log →,→ (4)

lim ← ≥−log (5) →,→ +1 In [36,40], the case with dynamically positioned eavesdropper aperture is considered with Eve’s position being optimized, as in Figure 8a. In Figure 8b, both CV and DV lower bounds are presented with optimized Eve’s position. Assuming the Gaussian beam is transmitted, because of the cylindrical symmetry of a Gaussian beam, the distance be- tween Eve’s aperture to the beam transmission axis can be used to denote Eve’s position

combined with Bob-to-Eve(a) distance . It is clear that by optimizing(b) Eve’s position, ad- vantages over Alice and Bob can be further obtained by Eve compared with Figure 7b. Figure 8. (a) Setup of the dynamic positioning of Eve. , , respectively refer to the aper- Figure 8. (a) Setup of the dynamic positioning of Eve. Aa, Ab, AEve respectively refer to the aperture area of Alice (radius ture area of Alice (radius ), Bob (radius ), and Eve (radius ). is the distance between Al- ra), Bob (radius rb), and Eve (radius re). LAB is the distance between Alice’s aperture and Bob’s. LBE is the distance between ice’s aperture and Bob’s. is the distance between Bob’s aperture and Eve’s. (b) CV and DV Bob’s aperture and Eve’s. (b) CV and DV lower bound secret keys versus Bob-to-Eve distance LBE with Alice-to-Bob distance LAB = 50 km. Gaussian beam with beam waist W0 = ra = rb = re = 10 cm and wavelength λ = 1550 nm is transmitted. The space temperature is set to T = 3 K.

3.2. Application of Geometrical Optics Restricted Model: Exclusion Zone Analysis From the defense point of view, one of the most effective ways to suppress Eve’s power collection ability is to set an exclusion zone around the legitimate receiver. In [39] an exclusion zone is assumed to be set surrounding the legitimate receiver, excluding the eavesdropper Eve from collecting photons in this region, as in Figure9a. In Figure9b, an exclusion zone is shown to increase the secure key rate for both CV and DV protocols, but this is more effective when the transmission distance is not too large.

(a) (b)

Figure 8. (a) Setup of the dynamic positioning of Eve. , , respectively refer to the aper- ture area of Alice (radius ), Bob (radius ), and Eve (radius ). is the distance between Al- ice’s aperture and Bob’s. is the distance between Bob’s aperture and Eve’s. (b) CV and DV

Entropy 2021, 23, 1003 9 of 11

lower bound secret keys versus Bob-to-Eve distance with Alice-to-Bob distance = 50 km. Gaussian beam with beam waist = = = = 10 cm and wavelength = 1550 nm is trans- mitted. The space temperature is set to =3 K.

3.2. Application of Geometrical Optics Restricted Model: Exclusion Zone Analysis From the defense point of view, one of the most effective ways to suppress Eve’s power collection ability is to set an exclusion zone around the legitimate receiver. In [39] an exclusion zone is assumed to be set surrounding the legitimate receiver, excluding the Entropy 2021, eavesdropper23, 1003 Eve from collecting photons in this region, as in Figure 9a. In Figure 9b, an 9 of 11 exclusion zone is shown to increase the secure key rate for both CV and DV protocols, but this is more effective when the transmission distance is not too large.

(a) (b) Figure 9. (a) Setup of exclusion zone scenario. , , respectively refer to the area of Alice’s Figure 9. (a) Setup of exclusion zone scenario. Aa, Ab, Aex respectively refer to the area of Alice’s aperture (radius ra), Bob’s aperture (radius ), Bob’s aperture (radius ), and the exclusion zone (radius ). is the dis- aperture (radius rb), and the exclusion zone (radius rex). L is the distance between Alice’s aperture and Bob’s. (b) CV and DV lowertance bound between of secret Alice’s keys aperture versus transmission and Bob’s. distance(b) CV andL with DV or lower without bound an exclusion of secret zone. keys Gaussian versus trans- beam with mission distance with or without an exclusion zone. Gaussian beam with beam waist = beam waist W0 = ra and wavelength λ = 1550 nm is transmitted. The space temperature is set to T = 3 K. and wavelength = 1550 nm is transmitted. The space temperature is set to =3 K. 4. Discussion 4. Discussion In this paper, we provided a brief overview of the geometrical optics restricted QKD In this paper,and we discussed provided its a potential brief overview applications. of the We geomet startedrical by reviewing optics restricted some of the QKD existing QKD and discussed itsschemes potential before applications. going into We the geometricalstarted by opticsreviewing restricted some model of the notation existing in a wiretap channel that can better characterize the power collection state of some realistic scenarios QKD schemes before going into the geometrical optics restricted model notation in a wire- instead of attributing too much power to Eve. After we introduced the lower bound results tap channel that canin this better model, characterize we then presented the power some collection of the application state of directionssome realistic of this scenar- model, mostly in ios instead of attributingfree-space too channels much suchpower as satelliteto Eve. communication.After we introduced We showcased the lower selected bound results from results in this model,both we Eve’s then side presented with her optimized some of the position application strategy directions and the communication of this model, parties’ side mostly in free-spacewith channels an exclusion such zone as assatellite a defense communication. strategy. We showcased selected results from both Eve’s side with her optimized position strategy and the communication parties’ side withFunding: an exclusionNational zone Science as a Foundation defense strategy. (1828132, 1907918). Acknowledgments: The authors thankfully acknowledge helpful discussions with Saikat Guha, Funding: National KaushikScience Foundation P. Seshadreesan, (1828132, and John 1907918). Gariano from the University of Arizona, Jeffrey H. Shapiro from Massachusetts Institute of Technology, and William Clark and Mark R. Adcock from General Dynamics. Acknowledgments: The authors thankfully acknowledge helpful discussions with Saikat Guha, Kaushik P. Seshadreesan,Conflicts and of John Interest: GarianoThe authors from the declare University no conflict of Arizona, of interest. Jeffrey H. Shapiro from Massachusetts Institute of Technology, and William Clark and Mark R. Adcock from General Dy- References namics. 1. Shannon, C.E. Communication theory of secrecy systems. Bell Syst. Tech. J. 1949, 28, 656–715. [CrossRef] 2. Bennett,Conflicts C.H.; Gilles, of Interest: B. Quantum The cryptography: authors declare Public no key conflict distribution of interest. and coin tossing. Comput. Sci. 2014, 560, 7–11. [CrossRef] 3. Bennett, C.H. Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 1992, 21, 3121. [CrossRef][PubMed] 4. Bennett, C.H.; Gilles, B.; Mermin, N.D. Quantum cryptography without Bell’s theorem. Phys. Rev. Lett. 1992, 68, 557. [CrossRef] [PubMed] 5. Ekert, A.K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 1991, 67, 661. [CrossRef][PubMed] 6. Mayers, D.; Yao, A. Quantum Cryptography with Imperfect Apparatus. In Proceedings of the 39th Annual Symposium on Foundations of Computer Science (Cat. No. 98CB36280), Palo Alto, CA, USA, 8–11 November 1998. 7. Katz, J.; Yehuda, L. Introduction to Modern Cryptography; CRC Press: Boca Raton, FL, USA, 2020. 8. Nyquist, H. Regeneration theory. Bell Syst. Tech. J. 1932, 11, 126–147. [CrossRef] 9. Nyquist, H. Certain factors affecting telegraph speed. Bell Syst. Tech. J. 1924, 3, 324–346. [CrossRef] 10. Nyquist, H. Certain topics in telegraph transmission theory. Trans. AIEE 1928, 47, 617–644, Reprint as classic paper in Proc. IEEE 2002, 90, 280–305. [CrossRef] 11. Hartley, R.V.L. Relations of Carrier and Side-Bands in Radio Transmission. Proc. IRE 1923, 11, 34–56. [CrossRef] 12. Hartley, R.V.L. Transmission of Information. Bell Syst. Tech. J. 1928, 7, 535–563. [CrossRef] Entropy 2021, 23, 1003 10 of 11

13. Shannon, C.E. A mathematical theory of communication. Bell Syst. Tech. J. 1948, 27, 379–423. [CrossRef] 14. Data Encryption Standard. Available online: https://telluur.com/utwente/master/SyS%20-%20System%20Security/2018 /Aanvullende%20docs/Data_Encryption_Standard.pdf (accessed on 28 July 2021). 15. Advanced Encryption Standard. Available online: https://telluur.com/utwente/master/SyS%20-%20System%20Security/2018 /Aanvullende%20docs/AES.pdf (accessed on 28 July 2021). 16. Rivest, R.L.; Shamir, A.; Adleman, L. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM. 1978, 21, 120–126. [CrossRef] 17. Diffie, W.; Hellman, M. New Directions in Cryptography (PDF). IEEE Trans. Inf. Theory 1976, 6, 644–654. [CrossRef] 18. Preskill, J. Quantum Computing in the NISQ era and beyond. Quantum 2018, 2, 79. [CrossRef] 19. Mavroeidis, V.; Kamer, V.; Mateusz, D.Z.; Audun, J. The impact of quantum computing on present cryptography. Int. J. Adv. Comput. Sci. Appl. 2018, 9, 405–414. [CrossRef] 20. Shor, P.W. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Washington, DC, USA, 20–22 November 1994. 21. Grover, L.K. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996; pp. 212–219. 22. Barrett, J.; Hardy, L.L.; Kent, A.A. No Signaling and Quantum Key Distribution. Phys. Rev. Lett. 2005, 95, 010503. [CrossRef] 23. Pironio, S.; Acín, A.; Brunner, N.; Gisin, N.; Massar, S.; Scarani, V. Device-independent quantum key distribution secure against collective attacks. New J. Phys. 2009, 11, 045021. [CrossRef] 24. McKague, M. Device independent quantum key distribution secure against coherent attacks with memoryless meas-urement devices. New J. Phys. 2009, 11, 103037. [CrossRef] 25. Cerf, N.J.; Lévy, M.; Van Assche, G. Quantum distribution of Gaussian keys using squeezed states. Phys. Rev. A 2001, 63, 052311. [CrossRef] 26. Grosshans, F.; Grangier, P. Continuous Variable Quantum Cryptography Using Coherent States. Phys. Rev. Lett. 2002, 88, 057902. [CrossRef] 27. Wang, X.-B. Decoy-state protocol for quantum cryptography with four different intensities of coherent light. Phys. Rev. A 2005, 72, 012322. [CrossRef] 28. Lo, H.-K.; Ma, X.; Chen, K. Decoy State Quantum Key Distribution. Phys. Rev. Lett. 2005, 94, 230504. [CrossRef] 29. Ma, X.; Qi, B.; Zhao, Y.; Lo, H.-K. Practical decoy state for quantum key distribution. Phys. Rev. A 2005, 72, 012326. [CrossRef] 30. Mafu, M.; Dudley, A.; Goyal, S.; Giovannini, D.; McLaren, M.; Padgett, M.; Konrad, T.; Petruccione, F.; Lutkenhaus, N.; Forbes, A. Higher-dimensional orbital-angular-momentum-based quantum key distribution with mutually unbiased bases. Phys. Rev. A 2013, 88, 032305. [CrossRef] 31. Pan, Z.; Cai, J.; Wang, C. Quantum Key Distribution with High Order Fibonacci-like Orbital Angular Momentum States. Int. J. Theor. Phys. 2017, 56, 2622–2634. [CrossRef] 32. Djordjevic, I.B. Deep-space and near-Earth optical communications by coded orbital angular momentum (OAM) modulation. Opt. Express 2015, 19, 14277–14289. [CrossRef] 33. Pan, Z.; Seshadreesan, K.P.; Clark, W.; Adcock, M.R.; Djordjevic, I.B.; Shapiro, J.H.; Guha, S. Secret-Key Distillation across a Quantum Wiretap Channel under Restricted Eavesdropping. Phys. Rev. Appl. 2020, 14, 024044. [CrossRef] 34. Pan, Z.; Seshadreesan, K.P.; Clark, W.; Adcock, M.R.; Djordjevic, I.B.; Shapiro, J.H.; Guha, S. Secret key distillation over a pure loss quantum wiretap channel under restricted eavesdropping. In Proceedings of the 2019 IEEE International Symposium on Information Theory (ISIT), Paris, France, 7–12 July 2019; pp. 3032–3036. [CrossRef] 35. Pan, Z.; Djordjevic, I.B. Security of Satellite-Based CV-QKD under Realistic Assumptions. In Proceedings of the 2020 22nd International Conference on Transparent Optical Networks (ICTON), Bari, Italy, 19–23 July 2020; pp. 1–4. 36. Pan, Z.; Gariano, J.; Djordjevic, I.B. Secret Key Distillation over Satellite-to-satellite Free-space Channel with Eavesdropper Dynamic Positioning. In OSA Advanced Photonics Congress (AP) 2020 (IPR, NP, NOMA, Networks, PVLED, PSC, SPPCom, SOF); The Optical Society: Washington, DC, USA, 2020; p. SpTu3I.4. 37. Pan, Z.; Djordjevic, I.B. Secret key distillation over satellite-to-satellite free-space optics channel with a lim-ited-sized aperture eavesdropper in the same plane of the legitimate receiver. Opt. Express 2020, 28, 37129–37148. [CrossRef][PubMed] 38. Pan, Z.; Gariano, J.; Clark, W.; Djordjevic, I.B. Secret key distillation over realistic satellite-to-satellite free-space channel. In Proceedings of the OSA Quantum 2.0 Conference, Washington, DC, USA, 14–17 September 2020; p. QTh7B.15. 39. Pan, Z.; Djordjevic, I.B. Secret key distillation over realistic satellite-to-satellite free-space channel: Exclusion zone analysis. arXiv 2020, arXiv:2009.05929. 40. Pan, Z.; Djordjevic, I.B. Secret Key Distillation over Satellite-to-satellite Free-space Optics Channel with Eaves-dropper Dynamic Positioning. arXiv 2020, arXiv:2012.13865. 41. Fröhlich, B.; Dynes, J.F.; Lucamarini, M.; Sharpe, A.W.; Yuan, Z.; Shields, A.J. A quantum access network. Nat. Cell Biol. 2013, 501, 69–72. [CrossRef] 42. Kimble, H.J. The quantum internet. Nat. Cell Biol. 2008, 453, 1023–1030. [CrossRef] 43. Vallone, G.; Bacco, D.; Dequal, D.; Gaiarin, S.; Luceri, V.; Bianco, G.; Villoresi, P. Experimental Satellite Quantum Communications. Phys. Rev. Lett. 2015, 115, 040502. [CrossRef] Entropy 2021, 23, 1003 11 of 11

44. Jian-Yu, S.; Yang, B.; Sheng-Kai, L.; Zhang, L.; Shen, Q.; Xiao-Fang, H.; Jin-Cai, W. Direct and full-scale experimental verifications towards ground–satellite quantum key distribution. Nat. Photonics 2013, 7, 387–393. 45. Liao, S.-K.; Cai, W.-Q.; Liu, W.-Y.; Zhang, L.; Li, Y.; Ren, J.-G.; Yin, J.; Shen, Q.; Cao, Y.; Li, Z.-P.; et al. Satellite-to-ground quantum key distribution. Nat. Cell Biol. 2017, 549, 43–47. [CrossRef] 46. Bedington, R.; Arrazola, J.M.; Ling, A. Progress in satellite quantum key distribution. Quantum Inf. 2017, 3, 30. [CrossRef] 47. Ecker, S.; Liu, B.; Handsteiner, J.; Fink, M.; Rauch, D.; Steinlechner, F.; Scheidl, T.; Zeilinger, A.; Ursin, R. Strategies for achieving high key rates in satellite-based QKD. Npj Quantum Inf. 2021, 7, 1–7. [CrossRef] 48. Pironio, S.; Acín, A.; Massar, S.; Boyer de La Giroday, A.; Matsukevich, N.D.; Maunz, P.; Olmschenk, S. Random numbers certified by Bell’s theorem. Nature 2010, 464, 1021–1024. [CrossRef] 49. Masanes, L.; Pironio, S.; Acín, A. Secure device-independent quantum key distribution with causally in-dependent measurement devices. Nat. Commun. 2011, 2, 1–7. [CrossRef] 50. Pironio, S.; Masanes, L.; Leverrier, A.; Acín, A. Security of Device-Independent Quantum Key Distribution in the Bounded- Quantum-Storage Model. Phys. Rev. X 2013, 3, 031007. [CrossRef] 51. Vazirani, U.; Vidick, T. Fully Device Independent Quantum Key Distribution. Phys. Rev. Lett. 2014, 62, 133. [CrossRef] 52. Pusey, M.F. Verifying the quantumness of a channel with an untrusted device. J. Opt. Soc. Am. B 2015, 32, A56–A63. [CrossRef] 53. Braunstein, S.L.; Van Loock, P. Quantum information with continuous variables. Rev. Mod. Phys. 2005, 77, 513–577. [CrossRef] 54. Schmitt-Manderbach, T.; Weier, H.; Fürst, M.; Ursin, R.; Tiefenbacher, F.; Scheidl, T.; Perdigues, J. Experimental demonstration of free-space decoy-state quantum key distribution over 144 km. Phys. Rev. Lett. 2007, 98, 010504. [CrossRef] 55. Lutkenhaus, N. Security against individual attacks for realistic quantum key distribution. Phys. Rev. A 2000, 61, 052304. [CrossRef] 56. Scarani, V.; Renato, R. Quantum cryptography with finite resources: Unconditional security bound for discrete-variable protocols with one-way postprocessing. Phys. Rev. Lett. 2008, 100, 200501. [CrossRef] 57. Lo, H.-K.; Curty, M.; Qi, B. Measurement-Device-Independent Quantum Key Distribution. Phys. Rev. Lett. 2012, 108, 130503. [CrossRef] 58. Tittel, W.; Brendel, J.; Zbinden, H.; Gisin, N. Quantum Cryptography Using Entangled Photons in Energy-Time Bell States. Phys. Rev. Lett. 2000, 84, 4737–4740. [CrossRef] 59. Qi, B. Single-photon continuous-variable quantum key distribution based on the energy-time uncertainty relation. Opt. Lett. 2006, 31, 2795–2797. [CrossRef] 60. Pirandola, S.; Laurenza, R.; Ottaviani, C.; Banchi, L. Fundamental limits of repeaterless quantum communications. Nat. Commun. 2017, 8, 15043. [CrossRef] 61. Takeoka, M.; Seshadreesan, K.P.; Wilde, M.M. Unconstrained distillation capacities of a pure-loss bosonic broadcast channel. In Proceedings of the 2016 IEEE International Symposium on Information Theory (ISIT), Barcelona, Spain, 10–15 July 2016; pp. 2484–2488. [CrossRef] 62. Takeoka, M.; Seshadreesan, K.P.; Wilde, M.M. Unconstrained Capacities of Quantum Key Distribution and Entanglement Distillation for Pure-Loss Bosonic Broadcast Channels. Phys. Rev. Lett. 2017, 119, 150501. [CrossRef][PubMed] 63. Devetak, I.; Winter, A. Distillation of secret key and entanglement from quantum states. Proc. R. Soc. A Math. Phys. Eng. Sci. 2005, 461, 207–235. [CrossRef]