
Simple Proof of Security of The BB84 Quantum Key Distribution Protocol

This document provides a simple proof that the 1984 BB84 quantum key distribution protocol is secure. It first describes an entanglement purification-based key distribution protocol that can be proven secure, and then shows that the security of this protocol implies the security of BB84. The proof relies on properties of Calderbank-Shor-Steane codes, and removes the need for quantum computation from prior security proofs.

Uploaded by

deepan akash

Simple Proof of Security of the BB84 Quantum Key Distribution Protocol

Peter W. Shor (1) and John Preskill (2)

(1) AT&T Labs Research, Florham Park, NJ 07932, USA
(2) Lauritsen Laboratory of High Energy Physics, California Institute of Technology, Pasadena, CA 91125, USA
(February 1, 2008)

arXiv:quant-ph/0003004v2 12 May 2000

We prove that the 1984 protocol of Bennett and Brassard (BB84) for quantum key distribution is secure. We first give a key distribution protocol based on entanglement purification, which can be proven secure using methods from Lo and Chau's proof of security for a similar protocol. We then show that the security of this protocol implies the security of BB84. The entanglement-purification based protocol uses Calderbank-Shor-Steane (CSS) codes, and properties of these codes are used to remove the use of quantum computation from the Lo-Chau protocol.

Quantum cryptography differs from conventional cryptography in that the data are kept secret by the properties of quantum mechanics, rather than the conjectured difficulty of computing certain functions. The first quantum key distribution protocol, proposed in 1984 [1], is called BB84 after its inventors (C. H. Bennett and G. Brassard). In this protocol, the participants (Alice and Bob) wish to agree on a secret key about which no eavesdropper (Eve) can obtain significant information. Alice sends each bit of the secret key in one of a set of conjugate bases which Eve does not know, and this key is protected by the impossibility of measuring the state of a quantum system simultaneously in two conjugate bases. The original papers proposing quantum key distribution [1] proved it secure against certain attacks, including those feasible using current experimental techniques. However, for many years, it was not rigorously proven secure against an adversary able to perform any physical operation permitted by quantum mechanics.

Recently, three proofs of the security of quantum key distribution protocols have been discovered; however, none is entirely satisfactory. One proof [2], although easy to understand, has the drawback that the protocol requires a quantum computer. The other two [3,4] prove the security of a protocol based on BB84, and so are applicable to near-practical settings. However, both proofs are quite complicated. We give a simpler proof by relating the security of BB84 to entanglement purification protocols [5] and quantum error correcting codes [6]. This new proof also may illuminate some properties of previous proofs [3,4], and thus give insight into them. For example, it elucidates why the rates obtainable from these proofs are related to rates for CSS codes. The proof was in fact inspired by the observation that CSS codes are hidden in the inner workings of the proof given in [3].

We first review CSS codes and associated entanglement purification protocols. Quantum error-correcting codes are subspaces of the Hilbert space $\mathbb{C}^{2^n}$ which are protected from errors in a small number of these qubits, so that any such error can be measured and subsequently corrected without disturbing the encoded state. A quantum CSS code $Q$ on $n$ qubits comes from two binary codes on $n$ bits, $C_1$ and $C_2$, one contained in the other:

$$\{0\} \subset C_2 \subset C_1 \subset \mathbb{F}_2^n,$$

where $\mathbb{F}_2^n$ is the binary vector space on $n$ bits [6].

A set of basis states (which we call codewords) for the CSS code subspace can be obtained from vectors $v \in C_1$ as follows:

$$v \longrightarrow \frac{1}{|C_2|^{1/2}} \sum_{w \in C_2} |v + w\rangle. \tag{1}$$

If $v_1 - v_2 \in C_2$, then the codewords corresponding to $v_1$ and $v_2$ are the same. Hence these codewords correspond to cosets of $C_2$ in $C_1$, and this code protects a Hilbert space of dimension $2^{\dim C_1 - \dim C_2}$.

The above quantum code is equivalent to the dual code $Q^*$ obtained from the two binary codes

$$\{0\} \subset C_1^\perp \subset C_2^\perp \subset \mathbb{F}_2^n.$$

This equivalence can be demonstrated by applying the Hadamard transform

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$

to each encoding qubit. This transformation interchanges the bases $|0\rangle, |1\rangle$ and $|+\rangle, |-\rangle$, where $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. It also interchanges the two subspaces corresponding to the codes $Q$ and $Q^*$, although the codewords (given by Eq. 1) of $Q$ and $Q^*$ are not likewise interchanged.

We now make a brief technical detour to define some terms. The three Pauli matrices are:

$$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$$

The matrix $\sigma_x$ applies a bit flip error to a qubit, while $\sigma_z$ applies a phase flip error. We denote the Pauli matrix $\sigma_a$ acting on the $k$'th bit of the CSS code by $\sigma_{a(k)}$ for $a \in \{x, y, z\}$. For a binary vector $s$, we let

$$\sigma_a^{[s]} = \sigma_{a(1)}^{s_1} \otimes \sigma_{a(2)}^{s_2} \otimes \sigma_{a(3)}^{s_3} \otimes \ldots \otimes \sigma_{a(n)}^{s_n}$$

where $\sigma_a^0$ is the identity matrix and $s_i$ is the $i$'th bit of $s$. The matrices $\sigma_x^{[s]}$ ($\sigma_z^{[s]}$) have all eigenvalues $\pm 1$.
In a classical error correcting code, correction proceeds by measuring the syndrome, which is done as follows. A parity check matrix $H$ of a code $C$ is a basis of the dual vector space $C^\perp$. Suppose that we transmit a codeword $v$, which acquires errors to become $w = v + \epsilon$. The $k$'th row $r_k$ of the matrix $H$ determines the $k$'th bit of the syndrome for $w$, namely $r_k \cdot w \pmod 2$. The full syndrome is thus $Hw$. If the syndrome is 0, then $w \in C$. Otherwise, the most likely value of the error $\epsilon$ can be calculated from the syndrome [7]. In our quantum CSS code, we need to correct both bit and phase errors. Let $H_1$ be a parity check matrix for the code $C_1$, and $H_2$ one for the code $C_2^\perp$. To calculate the syndrome for bit flips, we measure the eigenvalue of $\sigma_z^{[r]}$ for each row $r \in H_1$ ($-1$'s and $1$'s of the eigenvalue correspond to 1's and 0's of the syndrome). To calculate the syndrome for phase flips, we measure the eigenvalue of $\sigma_x^{[r]}$ for each row $r \in H_2$. This lets us correct both bit and phase flips, and if we can correct up to $t$ of each of these types of errors, we can also correct arbitrary errors on up to $t$ qubits [6].

The useful property of CSS codes for demonstrating the security of BB84 is that the error correction for the phases is decoupled from that for the bit values, as shown above. General quantum stabilizer codes can similarly be turned into key distribution protocols, but these appear to require a quantum computer to implement.

If one requires that a CSS code correct all errors on at most $t = \delta n$ qubits, the best codes that we know exist satisfy the quantum Gilbert-Varshamov bound. As the block length $n$ goes to infinity, these codes asymptotically protect against $\delta n$ bit errors and $\delta n$ phase errors, and encode $[1 - 2H(2\delta)]n$ qubits, where $H$ is the binary Shannon entropy $H(p) = -p \log_2(p) - (1 - p) \log_2(1 - p)$. In practice, it is better to only require that random errors are corrected with high probability. In this case, codes exist that correct $\delta n$ random phase errors and $\delta n$ random bit errors, and which encode $[1 - 2H(\delta)]n$ qubits.

We also need a description of the Bell basis. These are the four maximally entangled states

$$\Psi^\pm = \frac{1}{\sqrt{2}}(|01\rangle \pm |10\rangle), \quad \Phi^\pm = \frac{1}{\sqrt{2}}(|00\rangle \pm |11\rangle),$$

which form an orthogonal basis for the quantum state space of two qubits.

Finally, we introduce a class of quantum error correcting codes equivalent to $Q$, and parameterized by two $n$-bit binary vectors $x$ and $z$. Suppose that $Q$ is determined as above by $C_1$ and $C_2$. Then $Q_{x,z}$ has basis vectors indexed by cosets of $C_2$ in $C_1$, and for $v \in C_1$, the corresponding codeword is

$$v \longrightarrow \frac{1}{|C_2|^{1/2}} \sum_{w \in C_2} (-1)^{z \cdot w} |x + v + w\rangle. \tag{2}$$

Quantum error correcting codes and entanglement purification protocols are closely connected [5]; we now describe the entanglement purification protocol corresponding to the CSS code $Q$. For now, we assume that the codes $C_1$ and $C_2^\perp$ correct up to $t$ errors and that $Q$ encodes $m$ qubits in $n$ qubits. Suppose Alice and Bob share $n$ pairs of qubits in a state close to $(\Phi^+)^{\otimes n}$. For the entanglement purification protocol, Alice and Bob separately measure the eigenvalues of $\sigma_z^{[r]}$ for each row $r \in H_1$ and $\sigma_x^{[r']}$ for each row $r' \in H_2$. Note that for these measurements to be performable simultaneously, they must all commute; $\sigma_z^{[r]}$ and $\sigma_x^{[r']}$ commute because the vector spaces $C_1^\perp$ and $C_2$ are orthogonal.

If Alice and Bob start with $n$ perfect EPR pairs, measuring $\sigma_z^{[r]}$ for $r \in H_1$ and $\sigma_x^{[r']}$ for $r' \in H_2$ projects each of their states onto the code subspace $Q_{x,z}$, where $x$ and $z$ are any binary vectors with $H_1 x$ and $H_2 z$ equal to the measured bit and phase syndromes, respectively. After projection, the state is $(\Phi^+)^{\otimes m}$ encoded by $Q_{x,z}$.

Now, suppose that Alice and Bob start with a state close to $(\Phi^+)^{\otimes n}$. To be specific, suppose that all their EPR pairs are in the Bell basis, with $t$ or fewer bit flips ($\Psi^+$ or $\Psi^-$ pairs) and $t$ or fewer phase flips ($\Phi^-$ or $\Psi^-$ pairs). If Alice and Bob compare their measurements of $\sigma_z^{[r]}$ ($\sigma_x^{[r]}$), the rows $r$ for which these measurements disagree give the bits which are 1 in the bit (phase) syndromes. From these syndromes, Alice and Bob can compute the locations of the bit and the phase flips, can correct these errors, and can then decode $Q_{x,z}$ to obtain $m$ perfect EPR pairs.

We will show that the following is a secure quantum key distribution protocol.

Protocol 1: Modified Lo-Chau

1: Alice creates $2n$ EPR pairs in the state $(\Phi^+)^{\otimes n}$.
2: Alice selects a random $2n$ bit string $b$, and performs a Hadamard transform on the second half of each EPR pair for which $b$ is 1.
3: Alice sends the second half of each EPR pair to Bob.
4: Bob receives the qubits and publicly announces this fact.
5: Alice selects $n$ of the $2n$ encoded EPR pairs to serve as check bits to test for Eve's interference.
6: Alice announces the bit string $b$, and which $n$ EPR pairs are to be check bits.
7: Bob performs Hadamards on the qubits where $b$ is 1.
8: Alice and Bob each measure their halves of the $n$ check EPR pairs in the $|0\rangle, |1\rangle$ basis and share the results. If too many of these measurements disagree, they abort the protocol.
9: Alice and Bob make the measurements on their code qubits of $\sigma_z^{[r]}$ for each row $r \in H_1$ and $\sigma_x^{[r]}$ for each row $r \in H_2$. Alice and Bob share the results, compute the syndromes for bit and phase flips, and
then transform their state so as to obtain $m$ nearly perfect EPR pairs.
10: Alice and Bob measure the EPR pairs in the $|0\rangle, |1\rangle$ basis to obtain a shared secret key.

We now show that this protocol works. Namely, we show that the probability is exponentially small that Alice and Bob agree on a key about which Eve can obtain more than an exponentially small amount of information. We need a result of Lo and Chau [2] that if Alice and Bob share a state having fidelity $1 - 2^{-s}$ with $(\Phi^+)^{\otimes m}$, then Eve's mutual information with the key is at most $2^{-c} + 2^{O(-2s)}$ where $c = s - \log_2(2m + s + 1/\log_e 2)$.

For the proof, we use an argument based on one from Lo and Chau [2]. Let us calculate the probability that the test on the check bits succeeds while the entanglement purification on the code bits fails. We do this by considering the measurement that projects each of the EPR pairs onto the Bell basis.

We first consider the check bits. Note that for the EPR pairs where $b = 1$, Alice and Bob are effectively measuring them in the $|+\rangle, |-\rangle$ basis rather than the $|0\rangle, |1\rangle$ basis. Now, observe that

$$|\Psi^+\rangle\langle\Psi^+| + |\Psi^-\rangle\langle\Psi^-| = |01\rangle\langle 01| + |10\rangle\langle 10|,$$

$$|\Phi^-\rangle\langle\Phi^-| + |\Psi^-\rangle\langle\Psi^-| = |{+-}\rangle\langle{+-}| + |{-+}\rangle\langle{-+}|.$$

These relations show that the rates of bit flip errors and of phase flip errors that Alice and Bob estimate from their measurements on check bits are the same as they would have estimated using the Bell basis measurement.

We next consider the measurements on the code bits. We want to show that the purification protocol applied to $n$ pairs produces a state that is close to the encoded $(\Phi^+)^{\otimes m}$. The purification protocol succeeds perfectly acting on the space spanned by Bell pairs that differ from $(\Phi^+)^{\otimes n}$ by $t$ or fewer bit flip errors and by $t$ or fewer phase flip errors. Let $\Pi$ denote the projection onto this space. Then if the protocol is applied to an initial density operator $\rho$ of the $n$ pairs, it can be shown that the final density operator $\rho'$ approximates $(\Phi^+)^{\otimes m}$ with fidelity

$$F \equiv \langle(\Phi^+)^{\otimes m}|\, \rho'\, |(\Phi^+)^{\otimes m}\rangle \geq \mathrm{tr}(\Pi\rho). \tag{3}$$

Hence the fidelity is at least as large as the probability that $t$ or fewer bit flip errors and $t$ or fewer phase flip errors would have been found, if the Bell measurement had been performed on all $n$ pairs.

Now, when Eve has access to the qubits, she does not yet know which qubits are check qubits and which are code qubits, so she cannot treat them differently. The check qubits that Alice and Bob measure thus behave like a classical random sample of the qubits. We are then able to use the measured error rates in a classical probability estimate; we find that the probability of obtaining more than $\delta n$ bit (phase) errors on the code bits and fewer than $(\delta - \epsilon)n$ errors on the check bits is asymptotically less than $\exp[-\frac{1}{4}\epsilon^2 n/(\delta - \delta^2)]$. We conclude that if Alice and Bob have greater than an exponentially small probability of passing the test, then the fidelity of Alice and Bob's state with $(\Phi^+)^{\otimes m}$ is exponentially close to 1.

We now show how to turn this Lo-Chau type protocol into a quantum error-correcting code protocol. Observe first that it does not matter whether Alice measures her check bits before or after she transmits half of each EPR pair to Bob, and similarly that it does not matter whether she measures the syndrome before or after this transmission. If she measures the check bits first, this is the same as choosing a random one of $|0\rangle, |1\rangle$. If she also measures the syndrome first, this is equivalent to transmitting $m$ halves of EPR pairs encoded by the CSS code $Q_{x,z}$ for two random vectors $x, z \in \mathbb{F}_2^n$. The vector $x$ is determined by the syndrome measurements $\sigma_z^{[r]}$ for rows $r \in H_1$, and similarly for $z$. Alice can also measure her half of the encoded EPR pairs before or after transmission. If she measures them first, this is the same as choosing a random key $k$ and encoding $k$ using $Q_{x,z}$. We thus obtain the following equivalent protocol.

Protocol 2: CSS Codes

1: Alice creates $n$ random check bits, a random $m$-bit key $k$, and a random $2n$-bit string $b$.
2: Alice chooses $n$-bit strings $x$ and $z$ at random.
3: Alice encodes her key $|k\rangle$ using the CSS code $Q_{x,z}$
4: Alice chooses $n$ positions (out of $2n$) and puts the check bits in these positions and the code bits in the remaining positions.
5: Alice applies a Hadamard transform to those qubits in the positions having 1 in $b$.
6: Alice sends the resulting state to Bob. Bob acknowledges receipt of the qubits.
7: Alice announces $b$, the positions of the check bits, the values of the check bits, and the $x$ and $z$ determining the code $Q_{x,z}$.
8: Bob performs Hadamards on the qubits where $b$ is 1.
9: Bob checks whether too many of the check bits have been corrupted, and aborts the protocol if so.
10: Bob decodes the key bits and uses them for the key.

Intuitively, the security of the protocol depends on the fact that for a sufficiently low error rate, a CSS code transmits the information encoded by it with very high fidelity, so that by the no-cloning principle very little information can leak to Eve.

We now give the final argument that turns the above protocol into BB84. First note that, since all Bob cares about are the bit values of the encoded key, and the string $z$ is only used to correct the phase of the encoded qubits, Bob does not need $z$. This is why we use CSS codes: they decouple the phase correction from the bit correction. Let $k' \in C_1$ be a binary vector that is mapped by Eq. (2) to the encoded key. Since Bob never uses $z$, we can assume that Alice does not send it. Averaging over $z$, we see that Alice effectively sends the mixed state

$$\frac{1}{2^n |C_2|} \sum_z \Big[ \sum_{w_1, w_2 \in C_2} (-1)^{(w_1 + w_2) \cdot z}\, |k' + w_1 + x\rangle\langle k' + w_2 + x| \Big] = \frac{1}{|C_2|} \sum_{w \in C_2} |k' + w + x\rangle\langle k' + w + x|, \tag{4}$$

which is equivalently the mixture of states $|k' + x + w\rangle$ with $w$ chosen randomly in $C_2$. Let us now look at the protocol as a whole. The error correction information Alice gives Bob is $x$, and Alice sends $|k' + x + w\rangle$ over the quantum channel. Over many iterations of the algorithm, these are random variables chosen uniformly in $\mathbb{F}_2^n$ with the constraint that their difference $k' + w$ is in $C_1$. After Bob receives $k' + w + x + \epsilon$, he subtracts $x$, and corrects the result to a codeword in $C_1$, which is almost certain to be $k' + w$. The key is the coset of $k' + w$ over $C_2$.

In the BB84 protocol given below, Alice sends $|v\rangle$ to Bob, with error correction information $u + v$. These are again two random variables uniform in $\mathbb{F}_2^n$, with the constraint that $u \in C_1$. Bob obtains $v + \epsilon$, subtracts $u + v$, and corrects the result to a codeword in $C_1$, which with high probability is $u$. The key is then the coset $u + C_2$. Thus, the two protocols are completely equivalent.

Protocol 3: BB84

1: Alice creates $(4 + \delta)n$ random bits.
2: Alice chooses a random $(4 + \delta)n$-bit string $b$. For each bit, she creates a state in the $|0\rangle, |1\rangle$ basis (if the corresponding bit of $b$ is 0) or the $|+\rangle, |-\rangle$ basis (if the bit of $b$ is 1).
3: Alice sends the resulting qubits to Bob.
4: Bob receives the $(4 + \delta)n$ qubits, measuring each in the $|0\rangle, |1\rangle$ or the $|+\rangle, |-\rangle$ basis at random.
5: Alice announces $b$.
6: Bob discards any results where he measured a different basis than Alice prepared. With high probability, there are at least $2n$ bits left (if not, abort the protocol). Alice decides randomly on a set of $2n$ bits to use for the protocol, and chooses at random $n$ of these to be check bits.
7: Alice and Bob announce the values of their check bits. If too few of these values agree, they abort the protocol.
8: Alice announces $u + v$, where $v$ is the string consisting of the remaining non-check bits, and $u$ is a random codeword in $C_1$.
9: Bob subtracts $u + v$ from his code qubits, $v + \epsilon$, and corrects the result, $u + \epsilon$, to a codeword in $C_1$.
10: Alice and Bob use the coset of $u + C_2$ as the key.

There are a few loose ends that need to be tied up. The protocol given above uses binary codes $C_1$ and $C_2^\perp$ with large minimum distance, and thus can obtain rates given by the quantum Gilbert-Varshamov bound for CSS codes [6]. To reach the better Shannon bound for CSS codes, we need to use codes for which a random small set of phase errors and bit errors can almost always be corrected. To prove that the protocol works in this case, we need to ensure that the errors are indeed random. We do this by adding a step where Alice scrambles the qubits using a random permutation $\pi$ before sending them to Bob, and a step after Bob acknowledges receiving the qubits where Alice sends $\pi$ to Bob and he unscrambles the qubits. This can work as long as the measured bit and phase error rates are less than 11%, the point at which the Shannon rate $1 - 2H(\delta)$ hits 0.

For a practical key distribution protocol we need the classical code $C_1$ to be efficiently decodeable. As is shown in [3], we can let $C_2$ be a random subcode of an efficiently decodeable code $C_1$, and with high probability obtain a good code $C_2^\perp$. While known efficiently decodeable codes do not meet the Shannon bound, they come fairly close.

A weakness in both the proof given in this paper and the proofs in [3,4] is that they do not apply to imperfect sources; the sources must be perfect single-photon sources. A proof avoiding this difficulty was recently discovered by Michael Ben-Or [8]; it shows that any source sufficiently close to a single-photon source is still secure. However, most experimental quantum key distribution systems use weak coherent sources, and no currently known proof covers this case.

The authors thank Michael Ben-Or, Eli Biham, Hoi-Kwong Lo, Dominic Mayers and Tal Mor for explanations of and informative discussions about their security proofs. We also thank Ike Chuang, Dan Gottesman, Alexei Kitaev and Mike Nielsen for their discussions and suggestions, which greatly improved this paper. Part of this research was done while PWS was visiting Caltech. This work has been supported in part by the Department of Energy under Grant No. DE-FG03-92-ER40701, and by DARPA through Caltech's Quantum Information and Computation (QUIC) project administered by the Army Research Office.

[1] C. H. Bennett and G. Brassard, "Quantum cryptography: Public-key distribution and coin tossing," in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, 1984, (IEEE Press, 1984), pp. 175–179; C. H. Bennett and G. Brassard, "Quantum public key distribution," IBM Technical Disclosure Bulletin 28, 3153–3163 (1985).
[2] H.-K. Lo and H. F. Chau, "Unconditional security of quantum key distribution over arbitrarily long distances," Science 283, 2050–2056 (1999), arXive e-print quant-ph/9803006.
[3] D. Mayers, "Unconditional security in quantum cryptography," J. Assoc. Computing Machinery (to be published), arXive e-print quant-ph/9802025; preliminary version in D. Mayers, "Quantum key distribution and string oblivious transfer in noisy channels," in Advances in Cryptology—Proceedings of Crypto '96, (Springer-Verlag, New York, 1996) pp. 343–357.
[4] E. Biham, M. Boyer, P. O. Boykin, T. Mor and V. Roychowdhury, "A proof of the security of quantum key distribution," in Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing (ACM Press, New York, in press), arXive e-print quant-ph/9912053.
[5] C. H. Bennett, D. P. DiVincenzo, J. A. Smolin and W. K. Wootters, "Mixed state entanglement and quantum error correction," Phys. Rev. A, 54, 3824–3851 (1996), arXive e-print quant-ph/9604024.
[6] A. R. Calderbank and P. Shor, "Good quantum error correcting codes exist," Phys. Rev. A 54, 1098–1105 (1996), arXive e-print quant-ph/9512032; A. M. Steane, "Multiple particle interference and error correction," Proc. R. Soc. London A 452, 2551–2577 (1996), arXive e-print quant-ph/9601029.
[7] This calculation may be quite difficult, but for now we ignore this practical complication.
[8] M. Ben-Or (unpublished).
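
Steps 8 to 10 of Protocol 3 (announce u + v, correct u + ε to a codeword of C1, take the coset u + C2 as the key), together with the syndrome decoding described for classical codes, as an added example that is not code from the paper. It assumes C1 is the [7,4] Hamming code (t = 1) and C2 its dual, a pair chosen here because it satisfies C2 ⊂ C1; all function names and sample vectors are constructed for illustration.

```python
import itertools
from collections import Counter

N = 7
# Assumption of this example: C1 is the [7,4] Hamming code, which corrects t = 1 error.
# Column j of its parity check matrix H1 is the number j written in binary.
H1 = [tuple((j >> i) & 1 for j in range(1, N + 1)) for i in (2, 1, 0)]

def add(a, b):
    """Addition in F_2^n (identical to subtraction)."""
    return tuple(x ^ y for x, y in zip(a, b))

def syndrome(w):
    """H1 w (mod 2): all zero exactly when w is a codeword of C1."""
    return tuple(sum(r * x for r, x in zip(row, w)) % 2 for row in H1)

def span(rows):
    """All F_2 linear combinations of the given rows."""
    words = {(0,) * N}
    for r in rows:
        words |= {add(w, r) for w in words}
    return sorted(words)

ALL = list(itertools.product((0, 1), repeat=N))
C1 = [w for w in ALL if syndrome(w) == (0, 0, 0)]   # 16 codewords
C2 = span(H1)   # assumption: C2 is the dual of C1 (8 words), a subcode of C1 here

def correct(w):
    """Step 9: map w to the nearest codeword of C1 (repairs one flipped bit)."""
    s = syndrome(w)
    pos = 4 * s[0] + 2 * s[1] + s[2]   # the syndrome spells the 1-based error position
    if pos == 0:
        return w
    return tuple(b ^ (i == pos - 1) for i, b in enumerate(w))

def coset_key(u):
    """Step 10: canonical label of the coset u + C2 (its smallest element)."""
    return min(add(u, w) for w in C2)

def bob_key(received, announced):
    """Steps 9-10 for Bob: (v + e) - (u + v) = u + e, corrected into C1, reduced mod C2."""
    return coset_key(correct(add(received, announced)))

def keys_consistent_with(announced):
    """How many (u, v) pairs behind this public string lead to each key value."""
    return Counter(coset_key(u) for u in C1 for v in ALL if add(u, v) == announced)

def run(u, v, error):
    """One round; returns (Alice's key, Bob's key) for the channel error pattern."""
    announced = add(u, v)                     # step 8, sent over the public channel
    return coset_key(u), bob_key(add(v, error), announced)

if __name__ == "__main__":
    u, v = C1[5], (1, 0, 1, 1, 0, 0, 1)       # constructed sample values
    print("one error :", run(u, v, (0, 0, 0, 1, 0, 0, 0)))
    print("two errors:", run(u, v, (1, 0, 0, 1, 0, 0, 0)))
    print("keys behind the public string:", keys_consistent_with(add(u, v)))
```

With two flipped bits the decoder lands on a codeword in the other coset, so Bob's key is wrong, which is the case the check-bit test in step 7 is there to rule out. The count over the public string u + v is split evenly between the two key values, so the announcement by itself does not favour either.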
