
Lecture notes:

Security proofs of Quantum Key Distribution


Gláucia Murta

Last update: November 2023

Contents

1 Quantum key distribution 3
1.1 The BB84 protocol 3
1.2 Entanglement-based version 4
1.3 Eavesdropper’s attack 5
1.4 Assumptions 6

2 Tools for the security analysis 6
2.1 Distance between quantum states 7
2.2 cq-states 8
2.3 Entropies 8
2.3.1 Shannon entropy 8
2.3.2 von Neumann entropy 9
2.3.3 Guessing probability 11
2.3.4 More entropy 11
2.3.5 Smooth entropies 13

3 Security of quantum key distribution 14
3.1 Privacy amplification 14
3.2 Information reconciliation 16

4 Security against collective attacks 18
4.1 Asymptotic key rate of the BB84 19
4.1.1 Reduction to Bell diagonal states 19
4.1.2 Asymptotic key rate 20

5 Security against coherent attacks 22
5.1 Post-selection technique 22
5.2 Uncertainty relation 22

6 BB84 with imperfect sources (decoy states method) 24

7 Untrusted detectors: measurement device-independent quantum key distribution (MDI-QKD) 25

8 Device-independent quantum key distribution (DIQKD) 27
8.1 DIQKD against collective attacks 28
8.2 DIQKD against coherent attacks 30

1 Quantum key distribution
Quantum key distribution is a cryptographic task in which two honest parties, Alice
and Bob, wish to establish a common secret key, i.e., a shared string of bits which is
unknown to any third party, including a potential eavesdropper Eve.
As resources, Alice and Bob have access to a classical authenticated public channel
and an insecure quantum channel.

Figure 1: Quantum key distribution: Alice and Bob establish a secret key using a
classical authenticated public channel and an insecure quantum channel.

1.1 The BB84 protocol


The first quantum key distribution protocol, the BB84 [1], was proposed by Bennett
and Brassard, building on the ideas of conjugate coding introduced by Wiesner
in [2]. Indeed, the BB84 protocol makes use of two non-orthogonal bases to encode a
classical bit:

$$0 \mapsto |0\rangle \text{ or } |+\rangle, \qquad 1 \mapsto |1\rangle \text{ or } |-\rangle, \tag{1}$$

where $|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$.


The BB84 protocol consists of the following steps:

Security proofs of Quantum Key Distribution – Gláucia Murta 3


BB84 Protocol
1: Distribution and measurements:
2: for i = 1 to n do
3: Alice chooses random bits x and a.
4: If x = 0, Alice uses the Z-basis to encode a (if a = 0 she prepares the state |0⟩, and if a = 1 she prepares |1⟩). Similarly, if x = 1, Alice uses the X-basis to encode a.
5: Alice sends the prepared state to Bob through the insecure quantum channel.
6: Bob announces whether he received the state.
7: Bob randomly chooses a bit y.
8: If y = 0, Bob measures the system in the Z-basis. If y = 1, he measures in the X-basis.
9: Bob records the outcome b.
10: end for
11: Sifting: Alice and Bob publicly announce their choices of basis, x and y, and compare them. They discard the rounds in which Bob measured in a different basis than the one prepared by Alice, i.e., when x ≠ y.
12: Parameter estimation: Alice and Bob use a fraction of the remaining rounds (in which both measured in the same basis) in order to estimate the quantum bit error rates (QBERs) $Q_X$ and $Q_Z$.
13: Information reconciliation: Alice and Bob choose a classical error correcting code and communicate over the authenticated public channel in order to correct their strings of bits. At the end of this phase Alice and Bob should hold the same bit-string.
14: Privacy amplification: Alice and Bob use an extractor on the previously established strings to generate shorter but completely secret strings of ℓ bits, which are their final keys $K_A$ and $K_B$.

Remark 1: The “quantum part” ends after distribution and measurement. The
remaining steps of a QKD protocol consist of processing classical information.

Remark 2: As shown in [3], the efficiency of these protocols can be increased, without
compromising security, if one of the bases is chosen with a higher probability. Then,
in the asymptotic limit, the preferred basis is used almost all the time. We can use
the less frequent basis for parameter estimation and reserve the rounds measured in
the frequent basis for key generation. For this reason, the two bases are commonly
called the test basis and the key-generation basis, respectively.
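As an added illustration of steps 2 to 12 of the protocol above (this is not code from the notes), the following Python simulates the prepare-and-measure rounds, sifting and QBER estimation. The channel model is a constructed assumption: a depolarizing channel that replaces the qubit by the maximally mixed state with probability p_depol, plus a loss probability p_loss for step 6; the basis bias p_z reproduces the biased basis choice of Remark 2.

```python
import random

Z, X = 0, 1  # basis labels: x = 0 -> Z-basis, x = 1 -> X-basis, as in the protocol


def channel(basis, bit, p_depol, rng):
    """Constructed channel model: with probability p_depol the qubit is replaced
    by the maximally mixed state (a noisy but honest 'insecure quantum channel');
    otherwise it passes unchanged.  A BB84 state is represented classically as
    (basis, bit) because every BB84 state is a basis state of Z or of X."""
    if rng.random() < p_depol:
        return None  # maximally mixed: any measurement gives a uniform bit
    return (basis, bit)


def measure(state, basis, rng):
    """Bob's measurement in the Z- or X-basis.  Same basis as the preparation:
    the outcome equals the encoded bit; different basis, or maximally mixed
    state: the outcome is a uniformly random bit."""
    if state is None or state[0] != basis:
        return rng.randint(0, 1)
    return state[1]


def bb84_rounds(n, p_depol=0.0, p_loss=0.0, p_z=0.5, seed=0):
    """Run n rounds of steps 2-12 of the BB84 protocol.

    p_z is the probability of choosing the Z-basis (0.5 is the original
    protocol; a biased choice implements Remark 2).  p_loss models step 6:
    rounds in which Bob announces that nothing arrived are dropped.
    Returns the sifted fraction and the QBERs Q_X and Q_Z, here estimated on
    all sifted rounds (a real run sacrifices only a fraction of them)."""
    rng = random.Random(seed)
    sifted = {Z: [], X: []}  # (a, b) pairs per basis, after sifting
    received = 0
    for _ in range(n):
        x = Z if rng.random() < p_z else X   # Alice's basis choice (step 3)
        a = rng.randint(0, 1)                # Alice's raw bit (step 3)
        state = channel(x, a, p_depol, rng)  # steps 4-5
        if rng.random() < p_loss:
            continue                         # step 6: Bob announces 'not received'
        received += 1
        y = Z if rng.random() < p_z else X   # Bob's basis choice (step 7)
        b = measure(state, y, rng)           # steps 8-9
        if x == y:                           # step 11: keep matching bases only
            sifted[x].append((a, b))
    qber = {}
    for basis in (Z, X):                     # step 12: QBER per basis
        pairs = sifted[basis]
        qber[basis] = (sum(a != b for a, b in pairs) / len(pairs)) if pairs else None
    n_sifted = len(sifted[Z]) + len(sifted[X])
    return {
        "received": received,
        "sifted_fraction": n_sifted / received if received else 0.0,
        "QZ": qber[Z],
        "QX": qber[X],
    }
```

With a depolarizing probability p_depol, half of the depolarized rounds produce a wrong bit, so both QBERs converge to p_depol/2, and the sifted fraction converges to p_z² + (1 − p_z)².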

1.2 Entanglement-based version


The protocol described in the previous section only requires the preparation and measurement of single qubit states, and for this reason it is called a prepare-and-measure protocol. An equivalent entanglement-based protocol can be designed [4], which is based on the distribution of entangled states in the quantum phase:

Entanglement-based BB84 Protocol

1: Distribution and measurements:
2: for i = 1 to n do
3: A source distributes a two-qubit system (ideally in the maximally entangled state $|\Phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$) to Alice and Bob.
4: Alice chooses a random bit x.
5: If x = 0 Alice measures her part of the system in the Z-basis, and if x = 1 she measures in the X-basis.
6: Alice records the outcome a.
7: Similarly, Bob chooses a random bit y.
8: If y = 0 Bob measures his system in the Z-basis, and if y = 1 he measures in the X-basis.
9: Bob records the outcome b.
10: end for

All the other steps of the protocol are the same as the previous protocol.

Remark 1: If the source is in Alice’s laboratory we have a completely analogous situation: measuring her part of the system corresponds to preparing Bob’s part of the system in one of the BB84 states.

Remark 2: The entanglement-based protocol offers stronger security. The source does not have to be in Alice’s laboratory and could even be under the control of a malicious eavesdropper Eve.

The entanglement-based version of a QKD protocol is very useful for its security proof. In fact, the first simple proof of the BB84, presented in [5], was based on entanglement purification results. In this course we will also focus on the entanglement-based version to derive the security proofs. However, we will use the more general approach developed in references [6, 7], which does not rely directly on entanglement purification.

1.3 Eavesdropper’s attack


We can consider three different types of attack that an eavesdropper can perform:

• Individual attacks: the eavesdropper can only interact (perhaps intercept and measure) with each round of the protocol individually. This is the case when the eavesdropper has no quantum memory.

• Collective attacks: in this case it is assumed that the system distributed to Alice and Bob is the same in every round of the protocol (i.e., the state distributed in n rounds can be described as $\rho_{AB}^{\otimes n}$; they are i.i.d.); however, the eavesdropper is allowed to store and make arbitrary global operations on her quantum side information.

• Coherent attacks: this is the most general type of attack. Eve can perform a global operation on her quantum side information and, moreover, the states distributed to Alice and Bob can have arbitrary correlations ($\rho_{A_1^n B_1^n} \neq \rho_{AB}^{\otimes n}$).

1.4 Assumptions
We note several assumptions that are present in the description of the BB84 protocol.

• Isolated labs: no information is leaked from or enters Alice’s and Bob’s labs, apart from the state distribution before the measurements and the public classical information described by the protocol.

• Local random number generators: Alice and Bob possess independent and trusted random number generators.

• Trusted classical post-processing: all the public classical communication is performed using an authenticated channel and the local classical computations are trusted.

• Trusted measurements: the measurement devices of Alice and Bob implement the measurements specified by the protocol.

• Trusted source for prepare-and-measure: Alice’s device prepares the state specified by the protocol. The trust in the source can be relaxed for an entanglement-based implementation.

• Quantum mechanics: the systems of Alice, Bob and any additional party are correctly described by quantum theory.

2 Tools for the security analysis


In the following we denote the set of quantum states of a system A with Hilbert space $\mathcal{H}_A$ by $\mathcal{S}(A)$:

$$\mathcal{S}(A) = \{\rho_A \in \mathcal{L}(\mathcal{H}_A) : \rho_A \ge 0 \text{ and } \operatorname{tr}(\rho_A) = 1\}, \tag{2}$$

where $\mathcal{L}(\mathcal{H}_A)$ is the set of linear operators acting on $\mathcal{H}_A$.

2.1 Distance between quantum states
Definition 2.1 (Trace distance). Let ρ and σ be two quantum states,

$$\|\rho - \sigma\|_{\mathrm{tr}} := \sup_{0 \le P \le I} \operatorname{tr}\big(P(\rho - \sigma)\big). \tag{3}$$

Alternatively

$$\|\rho - \sigma\|_{\mathrm{tr}} = \frac{1}{2}\|\rho - \sigma\|_1, \tag{4}$$

where $\|X\|_1 = \operatorname{tr}(|X|) = \operatorname{tr}\big(\sqrt{X^\dagger X}\big)$.

The trace distance has an operational interpretation: if $\|\rho - \sigma\|_{\mathrm{tr}} = \epsilon$, then the probability of distinguishing between ρ and σ with a single measurement is bounded by $\frac{1}{2}(1 + \epsilon)$.

The trace distance can be generalized to sub-normalized states $\hat\rho$ and $\hat\sigma$, i.e., for positive operators with trace smaller than or equal to 1, in the following way

$$\|\hat\rho - \hat\sigma\|_{\mathrm{tr}} = \frac{1}{2}\|\hat\rho - \hat\sigma\|_1 + \frac{1}{2}\big|\operatorname{tr}(\hat\rho - \hat\sigma)\big|. \tag{5}$$

For details, see [8, Chapter 3].

Another distance of interest is the purified distance, also defined for sub-normalized states.

Definition 2.2 (Purified distance). Let ρ and σ be two sub-normalized states, the purified distance is defined as

$$D_P(\rho, \sigma) := \sqrt{1 - F(\rho, \sigma)}, \tag{6}$$

where F is the generalized fidelity

$$F(\rho, \sigma) := \Big( \operatorname{tr}\sqrt{\sqrt{\rho}\,\sigma\sqrt{\rho}} + \sqrt{(1 - \operatorname{tr}\rho)(1 - \operatorname{tr}\sigma)} \Big)^2. \tag{7}$$

The name comes from the fact that the purified distance actually represents the minimum trace-distance of purifications of the respective states:

$$D_P(\rho, \sigma) = \min_{\phi, \varphi} \|\phi - \varphi\|_{\mathrm{tr}}, \tag{8}$$

where ϕ and φ are purifications of ρ and σ, respectively.

The purified distance is related to the trace distance by [8]:

$$\|\rho - \sigma\|_{\mathrm{tr}} \le D_P(\rho, \sigma) \le \sqrt{2\|\rho - \sigma\|_{\mathrm{tr}}}. \tag{9}$$

Proposition 2.3 (Properties of distances). The trace distance and the purified distance are metrics, i.e., they satisfy:

• Positive-definiteness: $\Delta(\rho, \sigma) \ge 0$ and $\Delta(\rho, \sigma) = 0 \Leftrightarrow \rho = \sigma$,

• Symmetry: $\Delta(\rho, \sigma) = \Delta(\sigma, \rho)$,

• Triangle inequality: $\Delta(\rho, \sigma) \le \Delta(\rho, \eta) + \Delta(\eta, \sigma)$.

Moreover, they are non-increasing under trace-non-increasing completely positive maps

$$\Delta(\mathcal{M}(\rho), \mathcal{M}(\sigma)) \le \Delta(\rho, \sigma), \tag{10}$$

where $\Delta(\rho, \sigma)$ stands for $\|\rho - \sigma\|_{\mathrm{tr}}$ or $D_P(\rho, \sigma)$.

2.2 cq-states
When analysing the security of a QKD protocol we will often be interested in making statements about a classical-quantum state, or cq-state for short. These are states of the form

$$\rho_{AE} = \sum_x p(x)\, |x\rangle\langle x|_A \otimes \rho_{E|x}, \tag{11}$$

where $\{|x\rangle\}$ forms an orthonormal basis for system A and can represent a classical random variable X that assumes value x with probability p(x), and $\rho_{E|x}$ is a general quantum state on system E that may depend on the specific value of x.

2.3 Entropies
2.3.1 Shannon entropy
The Shannon entropy quantifies the uncertainty about a random variable. If X is a random variable that assumes the value x with probability p(x), then the entropy of the variable X is given by

$$H(X) = -\sum_x p(x) \log p(x). \tag{12}$$

In this text, all the logarithms are in base 2.

The conditional entropy quantifies the remaining uncertainty about a variable X given that the value of a variable Y is known

$$H(X|Y) = -\sum_{x,y} p(x, y) \log p(x|y) = H(X, Y) - H(Y). \tag{13}$$

Exercise 1. Given random variables X and Y that assume values x ∈ (0, 1, 2, 3) and y ∈ (0, 1) respectively, with distribution

$$p(x=0, y=0) = \tfrac{1}{4}, \quad p(x=1, y=0) = \tfrac{1}{4}, \quad p(x=2, y=1) = \tfrac{1}{4}, \quad p(x=3, y=1) = \tfrac{1}{4}, \tag{14}$$

compute:

a) H(X)

b) H(Y)

c) H(X|Y)

d) H(Y|X)

2.3.2 von Neumann entropy


The concept of entropy also plays an important role in quantum information theory. The von Neumann entropy can be seen as a generalization of the Shannon entropy from probability distributions to positive semidefinite operators. The von Neumann entropy of a system X in state ρ is given by

$$H(X)_\rho = -\operatorname{tr}(\rho \log \rho). \tag{15}$$

Similarly, a conditional quantum entropy can be defined.

Definition 2.4 (Conditional von Neumann entropy). The entropy of system A con-
ditioned on system E is given by

H(A|E) = H(AE) − H(E), (16)

where H(E) = −tr(ρE log ρE ) is the von Neumann entropy of the quantum state ρE
of system E, and similarly for H(AE).

If X and Y are classical variables with joint probability distribution {p(x, y)}, then
the conditional von Neumann entropy reduces to the conditional Shannon entropy
(13).

Exercise 2. Calculate the conditional von Neumann entropy H(A|E) for the following quantum states:

a) $\rho_{AE} = |\Phi^+\rangle\langle\Phi^+|_{AE}$

b) $\rho_{AE} = \frac{1}{2}|0\rangle\langle 0|_A \otimes |+\rangle\langle +|_E + \frac{1}{2}|1\rangle\langle 1|_A \otimes |-\rangle\langle -|_E$

c) $\rho_{AE} = \frac{1}{2}|0\rangle\langle 0|_A \otimes \sigma_{E|0} + \frac{1}{2}|1\rangle\langle 1|_A \otimes \sigma_{E|1}$, where

$$\sigma_{E|0} = |f_{00}\rangle\langle f_{00}| + |f_{01}\rangle\langle f_{01}|, \qquad \sigma_{E|1} = |f_{10}\rangle\langle f_{10}| + |f_{11}\rangle\langle f_{11}|$$

and

$$\begin{aligned}
|f_{00}\rangle &= \sqrt{\lambda_{00}}\,|e_{00}\rangle + \sqrt{\lambda_{01}}\,|e_{01}\rangle \\
|f_{01}\rangle &= \sqrt{\lambda_{10}}\,|e_{10}\rangle + \sqrt{\lambda_{11}}\,|e_{11}\rangle \\
|f_{10}\rangle &= \sqrt{\lambda_{10}}\,|e_{10}\rangle - \sqrt{\lambda_{11}}\,|e_{11}\rangle \\
|f_{11}\rangle &= \sqrt{\lambda_{00}}\,|e_{00}\rangle - \sqrt{\lambda_{01}}\,|e_{01}\rangle
\end{aligned}$$

where $|f_{ij}\rangle$ are non-normalized states and $\{|e_{ij}\rangle\}$ forms an orthonormal basis on system E.

Proposition 2.5. The conditional von Neumann entropy satisfies:

1. Positivity for separable states [8, Lem. 5.11]: If $\rho_{AB}$ is separable then

$$H(A|B)_\rho \ge 0. \tag{17}$$

2. Data processing [8, Cor. 5.5]: Let $\tau_{AB'} = \mathcal{I}_A \otimes \mathcal{E}_B(\rho_{AB})$, where $\mathcal{E}_B$ is a CPTP(B, B') channel, then

$$H(A|B)_\rho \le H(A|B')_\tau. \tag{18}$$

3. Additivity [8, Cor. 5.9]: For $\rho_{AB} \otimes \tau_{A'B'}$ it holds that

$$H(AA'|BB')_{\rho \otimes \tau} = H(A|B)_\rho + H(A'|B')_\tau. \tag{19}$$

4. Conditioning on classical information [8, Prop. 5.4]: Let $\rho_{ABX}$ be a cq-state, $\rho_{ABX} = \sum_x p(x)\,|x\rangle\langle x| \otimes \rho_{AB|x}$, then

$$H(A|BX)_\rho = \sum_x p(x)\, H(A|BX=x)_\rho = \sum_x p(x)\, H(A|B)_{\rho|x}. \tag{20}$$

5. Removing classical information [8, Lem. 5.15]: For $\rho_{ABX}$ classical in X,

$$H(A|XB) \ge H(A|B) - \log|X|, \tag{21}$$

where |X| is the dimension of system X.

The conditional von Neumann entropy finds applications when describing the resources required to perform certain information processing tasks in the i.i.d. limit of many repetitions (e.g. data compression given quantum side information [9]). However, when it comes to the one-shot scenario, in which a finite number of repetitions, not necessarily i.i.d., are performed, the von Neumann entropy is insufficient. Moreover, as we will see, in cryptography we are often interested in analysing the performance of a particular task allowing for a small probability of failure. Therefore we need entropic quantities that have meaningful interpretations in these scenarios. For a discussion of one-shot information processing, we refer the reader to [10].

2.3.3 Guessing probability


Let $\rho_{AE}$ be a cq-state

$$\rho_{AE} = \sum_a p(a)\,|a\rangle\langle a| \otimes \rho_{E|a}. \tag{22}$$

The guessing probability, $p_{\mathrm{guess}}(A|E)$, is the optimal probability with which someone that has access to system E can correctly guess the value of the variable A:

$$p_{\mathrm{guess}}(A|E)_\rho = \sup_{\{M_E^a\}} \sum_a p(a)\,\operatorname{Tr}\big(M_E^a \rho_{E|a}\big), \tag{23}$$

where the supremum is over all possible measurements, described by the set of POVMs $\{M_E^a\}_a$ on the system E.

It was shown in [11] that, similarly to the classical case, the conditional min-entropy $H_{\min}(A|E)$ of a classical variable A is directly related to the guessing probability:

$$H_{\min}(A|E)_\rho = -\log p_{\mathrm{guess}}(A|E)_\rho. \tag{24}$$

2.3.4 More entropy


Another entropy that will appear in the security analysis is the max-entropy, which can be defined as:

$$H_{\max}(A|E)_\rho = \sup_{\sigma_E \in \mathcal{S}(E)} \log F(\rho_{AE}, I_A \otimes \sigma_E), \tag{25}$$

where F is the fidelity.

All the entropies introduced so far can be seen as particular cases of a one-parameter family of conditional entropies.

Definition 2.6 (Sandwiched α-Rényi entropies). For any density operator $\rho_{AE}$ and for $\alpha \in [\tfrac{1}{2}, 1) \cup (1, \infty)$ the sandwiched α-Rényi entropy of A conditioned on E is defined as

$$H_\alpha(A|E)_\rho := \sup_{\sigma_E \in \mathcal{S}(E)} \frac{1}{1-\alpha} \log \operatorname{Tr}\left[\left( (I_A \otimes \sigma_E)^{\frac{1-\alpha}{2\alpha}}\, \rho_{AE}\, (I_A \otimes \sigma_E)^{\frac{1-\alpha}{2\alpha}} \right)^{\alpha}\right], \tag{26}$$

where the generalized inverse (i.e., the usual inverse evaluated on the operator’s support) is used where appropriate.

The extremal cases of definition (26) correspond to the previously introduced entropies:

• α → ∞ defines the min-entropy $H_{\min}(A|E)$.

• α = 1/2 defines the max-entropy $H_{\max}(A|E)$.

• For α → 1, one recovers H(A|E).

Moreover, we have the following relation

$$H_{\min}(A|E) \le H(A|E) \le H_{\max}(A|E). \tag{27}$$

In general, the sandwiched α-Rényi entropies are monotonically decreasing in α, i.e.:

$$H_\alpha(A|E)_\rho \ge H_{\alpha'}(A|E)_\rho \quad \text{for } \alpha \le \alpha'. \tag{28}$$
Proposition 2.7. The conditional α-Rényi entropies satisfy:

1. Data processing [8, Cor. 5.5]: Let $\tau_{AB'} = \mathcal{I}_A \otimes \mathcal{E}_B(\rho_{AB})$, where $\mathcal{E}_B$ is a CPTP(B, B') channel, then

$$H_\alpha(A|B)_\rho \le H_\alpha(A|B')_\tau. \tag{29}$$

2. Additivity [8, Cor. 5.9]: For $\rho_{AB} \otimes \tau_{A'B'}$ it holds that

$$H_\alpha(AA'|BB')_{\rho \otimes \tau} = H_\alpha(A|B)_\rho + H_\alpha(A'|B')_\tau. \tag{30}$$

3. Conditioning on classical information [8, Prop. 5.4]: Let $\rho_{ABX}$ be a cq-state, $\rho_{ABX} = \sum_x p(x)\,|x\rangle\langle x| \otimes \rho_{AB|x}$, then

$$H_\alpha(A|BX)_\rho = \frac{\alpha}{1-\alpha} \log \sum_x p(x)\, 2^{\frac{1-\alpha}{\alpha} H_\alpha(A|B)_{\rho|x}}, \tag{31}$$

where $\rho|x$ is short for $\rho_{AB|x}$. For the conditional von Neumann entropy it holds that

$$H(A|BX)_\rho = \sum_x p(x)\, H(A|BX=x)_\rho = \sum_x p(x)\, H(A|B)_{\rho|x}. \tag{32}$$

4. Removing classical information [8, Lem. 5.15]: For $\rho_{ABX}$ classical in X,

$$H_\alpha(A|XB) \ge H_\alpha(A|B) - \log|X|, \tag{33}$$

where |X| is the dimension of system X.

2.3.5 Smooth entropies
We are now ready to define quantities that will play a crucial role in determining the key rate of a QKD protocol. The smoothed min- and max-entropies are defined as an optimization over operators that are ϵ-close, in the purified distance, to the state of interest.

$$H_{\min}^{\epsilon}(A|E)_\rho = \max_{\tilde\rho \in \mathcal{B}^\epsilon(\rho)} H_{\min}(A|E)_{\tilde\rho}, \tag{34}$$

$$H_{\max}^{\epsilon}(A|E)_\rho = \min_{\tilde\rho \in \mathcal{B}^\epsilon(\rho)} H_{\max}(A|E)_{\tilde\rho}. \tag{35}$$

This optimization also takes into account operators that are sub-normalized, i.e. positive operators with trace smaller than 1:

$$\mathcal{B}^\epsilon(\rho) = \{\tilde\rho_{AE} \in \mathcal{L}(AE) : \tilde\rho_{AE} \ge 0,\ \operatorname{tr}(\tilde\rho_{AE}) \le 1 \text{ and } D_P(\rho_{AE}, \tilde\rho_{AE}) \le \epsilon\}. \tag{36}$$

The smoothed entropies, defined with respect to the purified distance, display many interesting properties. In particular, they satisfy a duality relation.

Proposition 2.8 (Duality of smoothed entropies). Let $\rho_{ABE}$ be a pure quantum state, then

$$H_{\max}^{\epsilon}(A|B)_\rho = -H_{\min}^{\epsilon}(A|E)_\rho. \tag{37}$$

Moreover, the smooth min- and max-entropies inherit some properties of the α-Rényi entropies.

Proposition 2.9. The smoothed entropies satisfy:

1. Data processing [8, Thm. 6.19]: Let $\tau_{AB'} = \mathcal{I}_A \otimes \mathcal{E}_B(\rho_{AB})$, where $\mathcal{E}_B$ is a CPTP(B, B') channel, then

$$H_{\min}^{\epsilon}(A|B)_\rho \le H_{\min}^{\epsilon}(A|B')_\tau, \tag{38}$$

$$H_{\max}^{\epsilon}(A|B)_\rho \le H_{\max}^{\epsilon}(A|B')_\tau. \tag{39}$$

2. Removing classical information [8, Lem. 6.18]: For $\rho_{ABX}$ classical in X,

$$H_{\min}^{\epsilon}(A|XB)_\rho \ge H_{\min}^{\epsilon}(A|B)_\rho - \log|X|, \tag{40}$$

$$H_{\max}^{\epsilon}(A|XB)_\rho \ge H_{\max}^{\epsilon}(A|B)_\rho - \log|X|, \tag{41}$$

where |X| is the dimension of system X.

Interestingly, we will see that the smooth min- and max-entropies converge to the von Neumann entropy in the limit of several copies of a quantum state:

$$\lim_{n \to \infty} \frac{1}{n} H_{\min}^{\epsilon}(A_1^n|E_1^n)_{\rho^{\otimes n}} = \lim_{n \to \infty} \frac{1}{n} H_{\max}^{\epsilon}(A_1^n|E_1^n)_{\rho^{\otimes n}} = H(A|E)_\rho. \tag{42}$$

This means that if a resource usage in the one-shot setting is characterized by the smooth min- or max-entropy, then in the i.i.d. limit of many repetitions the rate of resource usage is given by the von Neumann entropy.

3 Security of quantum key distribution
The security of quantum key distribution can be split into two conditions.

Definition 3.1 (Correctness). A QKD protocol is $\epsilon_{\mathrm{corr}}$-correct if the probability that the final key of Alice, $K_A$, differs from the final key of Bob, $K_B$, is smaller than $\epsilon_{\mathrm{corr}}$, i.e.

$$P(K_A \ne K_B) \le \epsilon_{\mathrm{corr}}. \tag{43}$$

Definition 3.2 (Secrecy). Let Ω be the event that the QKD protocol does not abort, and p(Ω) be the probability of the event Ω. The protocol is $\epsilon_{\mathrm{sec}}$-secret if

$$p(\Omega) \cdot \|\rho_{K_A E|\Omega} - \tau_{K_A} \otimes \rho_{E|\Omega}\|_{\mathrm{tr}} \le \epsilon_{\mathrm{sec}}, \tag{44}$$

where $\tau_{K_A} = \frac{1}{2^\ell}\sum_k |k\rangle\langle k|_A$ is the maximally mixed state in the space of strings $K_A \in \{0,1\}^\ell$.

If a protocol is $\epsilon_{\mathrm{corr}}$-correct and $\epsilon_{\mathrm{sec}}$-secret, then it is $\epsilon_{\mathrm{sQKD}}$-correct-and-secret for any $\epsilon_{\mathrm{sQKD}} \ge \epsilon_{\mathrm{corr}} + \epsilon_{\mathrm{sec}}$.

Remark: a third condition, called completeness or robustness, is required from a QKD protocol. Completeness states that there should exist an honest implementation for which the probability of aborting the protocol is very small.

For a QKD protocol with n rounds of distribution and measurement that generates an ϵ-correct-and-secret key of ℓ bits, the secret key rate is defined as

$$r = \frac{\ell}{n} \ \text{bits/round}. \tag{45}$$

The above rate is evaluated in bits/round, but the generation rate τ, i.e., how many rounds can be generated per second, can also be taken into account to give a rate in bits/s

$$r = \tau\,\frac{\ell}{n} \ \text{bits/s}. \tag{46}$$

The goal of the security analysis of a QKD protocol is to derive the secret key rate as a function of the parameters that Alice and Bob can estimate during the execution of the protocol.

3.1 Privacy amplification


We now deal with the ‘classical’ part of a QKD protocol.

In the last step of a QKD protocol, Alice and Bob want to turn their equal string of bits, which may be partially known to an eavesdropper, into a shorter completely secure string of bits. In order to do that, they are going to make use of a 2-universal family of hash functions.

A hash function $f: \{0,1\}^n \to \{0,1\}^\ell$ is a function that maps a longer string of bits into a shorter string, ℓ ≤ n. We will be interested in particular families of hash functions that satisfy a property called 2-universality.

Definition 3.3 (2-universal hash functions). A family of hash functions $\mathcal{F} = \{f : \{0,1\}^n \to \{0,1\}^\ell\}$ is called 2-universal if for every two strings $x, x' \in \{0,1\}^n$ with $x \ne x'$

$$\Pr_{f \in \mathcal{F}}\big(f(x) = f(x')\big) = \frac{1}{2^\ell}, \tag{47}$$

where f is chosen uniformly at random in $\mathcal{F}$.

The property of 2-universality ensures a good distribution of the outputs. For ℓ ≤ n there always exists a 2-universal family of hash functions [12].

We are now ready to state a very important result that allows Alice and Bob to establish privacy amplification in the presence of a quantum eavesdropper.

Theorem 3.4 (Leftover Hashing Lemma). Let $\rho_{A_1^n E}$ be a cq-state, where the classical register $A_1^n$ stores an n-bit string, and let $\mathcal{F}$ be a 2-universal family of hash functions, from $\{0,1\}^n$ to $\{0,1\}^\ell$, that maps $A_1^n$ into $K_A$, then

$$\|\rho_{K_A F E} - \tau_{K_A} \otimes \rho_{FE}\|_{\mathrm{tr}} \le \frac{1}{2}\, 2^{-\frac{1}{2}\left(H_{\min}(A_1^n|E)_\rho - \ell\right)}, \tag{48}$$

where F is a classical register that stores the hash function f.

The Leftover Hashing Lemma establishes a relation between the size ℓ of a secret key that can be extracted and the min-entropy of the system before privacy amplification. For more details and the proof of the leftover hashing lemma, we refer the reader to [7, 13].

The Leftover Hashing Lemma can also be formulated in terms of the smooth min-entropy. This is important because the smooth min-entropy can be much larger than the min-entropy, and the price to pay is only a linear term in the security parameter¹.

Theorem 3.5 (Leftover Hashing Lemma with smooth min-entropy). Let $\rho_{A_1^n E}$ be a cq-state, where the classical register $A_1^n$ stores an n-bit string, and let $\mathcal{F}$ be a 2-universal family of hash functions, from $\{0,1\}^n$ to $\{0,1\}^\ell$, that maps $A_1^n$ into $K_A$, then

$$\|\rho_{K_A F E} - \tau_{K_A} \otimes \rho_{FE}\|_{\mathrm{tr}} \le \frac{1}{2}\, 2^{-\frac{1}{2}\left(H_{\min}^{\epsilon}(A_1^n|E)_\rho - \ell\right)} + 2\epsilon. \tag{49}$$

¹ In Ref. [7], the leftover hash lemma was formulated with the smooth min-entropy defined as a maximum over states that are ϵ-close to ρ in the trace norm. The proof of Theorem 3.5, with the smooth min-entropy defined according to eq. (34), can be found in Ref. [13].

Proof. Let $\tilde\rho_{A_1^n E}$ be a sub-normalized state such that $H_{\min}(A_1^n|E)_{\tilde\rho} = H_{\min}^{\epsilon}(A_1^n|E)_\rho$ and $D_P(\rho_{A_1^n E}, \tilde\rho_{A_1^n E}) \le \epsilon$.

Given that the purified distance is non-increasing under CPTP maps, eq. (10), we have

$$D_P(\rho_{FE}, \tilde\rho_{FE}) \le D_P(\rho_{K_A F E}, \tilde\rho_{K_A F E}) \le \epsilon. \tag{50}$$

Now we make use of the triangle inequality

$$\|\rho_{K_A F E} - \tau_{K_A} \otimes \rho_{FE}\|_{\mathrm{tr}} \le \underbrace{\|\rho_{K_A F E} - \tilde\rho_{K_A F E}\|_{\mathrm{tr}}}_{\le \epsilon} + \|\tilde\rho_{K_A F E} - \tau_{K_A} \otimes \tilde\rho_{FE}\|_{\mathrm{tr}} + \underbrace{\|\tau_{K_A} \otimes \tilde\rho_{FE} - \tau_{K_A} \otimes \rho_{FE}\|_{\mathrm{tr}}}_{\le \epsilon}. \tag{51}$$

The fact that the first and third terms are bounded by ϵ follows from (50) and the relation with the trace distance, eq. (9). The second term can be bounded using Theorem 3.4, from which we obtain the desired relation.

The Leftover Hashing Lemma gives us a tool to bound the distance of the state of the protocol after privacy amplification to an ideal state. Indeed we can use the following steps

$$p(\Omega) \cdot \|\rho_{K_A E|\Omega} - \tau_{K_A} \otimes \rho_{E|\Omega}\|_{\mathrm{tr}} = \|\rho_{K_A E \wedge \Omega} - \tau_{K_A} \otimes \rho_{E \wedge \Omega}\|_{\mathrm{tr}} \tag{52}$$

$$\le \frac{1}{2}\, 2^{-\frac{1}{2}\left(H_{\min}^{\epsilon}(A_1^n|E)_{\rho_{\wedge\Omega}} - \ell\right)} + 2\epsilon, \tag{53}$$

where $\rho_{K_A E \wedge \Omega} = p(\Omega)\,\rho_{K_A E|\Omega}$ is a sub-normalized state.

We now note that by choosing

$$\ell = H_{\min}^{\epsilon}(A_1^n|E)_\rho - 2\log\left(\frac{1}{2\epsilon_{PA}}\right) \tag{54}$$

we obtain an $\epsilon_{\mathrm{sec}}$-secret key with $\epsilon_{\mathrm{sec}} = \epsilon_{PA} + 2\epsilon$.

Remark: Eq. (54) follows from the fact that $H_{\min}^{\epsilon}(A_1^n|E)_{\rho_{\wedge\Omega}} \ge H_{\min}^{\epsilon}(A_1^n|E)_\rho$ as proved in [13, Lemma 10]. This is a technicality to deal with the fact that we will have an estimate of ρ instead of the conditioned state.
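The following Python is an added example, not code from the notes: a concrete 2-universal family (random binary matrices over GF(2), a constructed choice that satisfies eq. (47)), an empirical check of the collision probability, and the key length of eq. (54) applied to a raw string. The family name, the function names and the sample raw key are all assumptions made here.

```python
import math
import random


def make_hash_family_member(n, ell, rng):
    """Draw one member f of the 2-universal family (constructed example):
    f_M(x) = M x over GF(2), where M is a uniformly random ell x n binary
    matrix.  Each row is stored as an n-bit integer mask; output bit i is the
    parity of (row_i AND x).  For x != x', f(x) = f(x') iff M (x XOR x') = 0,
    which has probability exactly 2^-ell over M, so eq. (47) holds."""
    return [rng.getrandbits(n) for _ in range(ell)]


def apply_hash(rows, x):
    """Evaluate f_M(x) for an n-bit string x given as an integer."""
    out = 0
    for row in rows:
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out


def is_linear(n, ell, x, y, seed=0):
    """GF(2)-linearity, the property the collision argument above relies on."""
    rows = make_hash_family_member(n, ell, random.Random(seed))
    return apply_hash(rows, x ^ y) == apply_hash(rows, x) ^ apply_hash(rows, y)


def collision_rate(n, ell, x, x_prime, trials, seed=0):
    """Estimate Pr_f[f(x) = f(x')] over uniformly random members of the
    family; by eq. (47) this should be close to 2^-ell."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        rows = make_hash_family_member(n, ell, rng)
        if apply_hash(rows, x) == apply_hash(rows, x_prime):
            hits += 1
    return hits / trials


def key_length(hmin_eps, eps_pa):
    """Key length from eq. (54): ell = H_min^eps(A_1^n|E) - 2 log(1/(2 eps_PA)),
    rounded down to a whole number of bits and never negative."""
    ell = hmin_eps - 2 * math.log2(1.0 / (2 * eps_pa))
    return max(0, math.floor(ell))


def privacy_amplification(raw_key_bits, hmin_eps, eps_pa, seed=0):
    """Alice and Bob each hold raw_key_bits (a list of 0/1 after information
    reconciliation).  The chosen f is announced over the authenticated
    channel (register F is public) and both parties apply it.
    Returns (ell, key_bits); ell = 0 means no key can be extracted."""
    n = len(raw_key_bits)
    ell = key_length(hmin_eps, eps_pa)
    if ell == 0:
        return 0, []
    rng = random.Random(seed)
    rows = make_hash_family_member(n, ell, rng)
    x = int("".join(map(str, raw_key_bits)), 2)
    k = apply_hash(rows, x)
    return ell, [(k >> (ell - 1 - i)) & 1 for i in range(ell)]
```

The same family can serve as $f_{IR}$ in the hash-check step of information reconciliation, with ℓ = log(1/ε_IR) output bits.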

3.2 Information reconciliation


In the previous section we have seen that the key length is basically determined by the smooth min-entropy of Alice’s string of raw bits conditioned on the information available to the eavesdropper.

The total information available to Eve, that here we denote² $E_T$, is composed by her quantum side information and all the public classical communication performed by Alice and Bob. We can now use Property 2.9.2 to remove the dependence on the information exchanged by Alice and Bob during information reconciliation

$$H_{\min}^{\epsilon}(A_1^n|E_T)_\rho \ge H_{\min}^{\epsilon}(A_1^n|E)_\rho - \mathrm{leak}_{IR}, \tag{55}$$

where now E denotes the side information of Eve excluding the knowledge of public information exchanged during information reconciliation, and $\mathrm{leak}_{IR}$ is the amount of bits communicated by Alice and Bob during information reconciliation.

² Note that, in order to avoid overloading notation, $E_T$ was denoted simply E in the previous sections.

We will consider a one-way information reconciliation³ protocol based on 2-universal hashing functions which leads to the minimum possible leakage.

One-way Information reconciliation

1: Alice sends a syndrome $C = \mathrm{synd}(A_1^n)$ to Bob.
2: Using his string $B_1^n$ and the syndrome C, Bob computes a guess $\hat A_1^n$ for Alice’s string.
3: Alice computes a hash $f_{IR}(A_1^n)$ (chosen from a two-universal family of hashing functions) of $\log\left(\frac{1}{\epsilon_{IR}}\right)$ bits and sends it to Bob.
4: Bob checks if $f_{IR}(\hat A_1^n) = f_{IR}(A_1^n)$, and aborts if that is not the case.

The minimum leakage for a one-way information reconciliation was established in [14, 15].

Theorem 3.6. The minimum leakage of a one-way information reconciliation protocol satisfies

$$\mathrm{leak}_{IR} \le H_{\max}^{\epsilon'_{IR}}(A_1^n|B_1^n) + \log\left(\frac{8}{\epsilon'^{2}_{IR}} + \frac{2}{2 - \epsilon'_{IR}}\right) + \log\left(\frac{1}{\epsilon_{IR}}\right). \tag{56}$$

We note that, due to step 3 of the information reconciliation protocol and the property (47) of two-universal hashing functions, if Ω is the event that Alice and Bob do not abort in the information reconciliation protocol, then

$$P(\Omega \,|\, A_1^n \ne \hat A_1^n) = \epsilon_{IR} \ \Rightarrow\ P(A_1^n \ne \hat A_1^n \wedge \Omega) \le \epsilon_{IR}. \tag{57}$$

Therefore, we can calculate

$$P(K_A \ne K_B) = P(K_A \ne K_B \wedge \Omega) \le P(A_1^n \ne \hat A_1^n \wedge \Omega) \le \epsilon_{IR}, \tag{58}$$

where the first equality follows from the fact that, when the protocol aborts, we can consider Alice and Bob to trivially share the same key of size zero.

We have, then, established that we have an $\epsilon_{\mathrm{corr}}$-correct protocol with $\epsilon_{\mathrm{corr}} = \epsilon_{IR}$.

³ The term ‘one-way’ stands for the fact that Alice’s string is fixed and only Bob performs corrections to match Alice’s string.

4 Security against collective attacks


The earlier proofs of QKD security were based on entanglement distillation [5]. In particular, Devetak and Winter [16] derived that the asymptotic key rate of a QKD protocol against collective attacks is given by:

$$r = H(A|E) - H(A|B). \tag{59}$$

Here we will derive the asymptotic key rate following the results of [7, 13].

So far we have established that the key length is given by the conditional smooth min-entropy $H_{\min}^{\epsilon}(A_1^n|E)$.

We start by analysing the case in which the eavesdropper is restricted to collective attacks. In this case, the state at the end of the protocol $\rho_{A_1^n E}$ is of the form:

$$\rho_{A_1^n E} = \rho_{AE}^{\otimes n}. \tag{60}$$

The quantum asymptotic equipartition property (AEP) [17] is the key result that allows us to break the conditional smooth min-entropy of the total state $\rho_{AE}^{\otimes n}$ into n times the conditional von Neumann entropy of a single state $\rho_{AE}$.

Theorem 4.1 (Asymptotic equipartition property [17]). For $n \ge \frac{8}{5}\log\frac{2}{\epsilon^2}$:

$$H_{\min}^{\epsilon}(A_1^n|E_1^n)_{\rho_{AE}^{\otimes n}} \ge nH(A|E)_{\rho_{AE}} - \sqrt{n}\,\delta(\epsilon, \eta_{AE}), \tag{61}$$

$$H_{\max}^{\epsilon}(A_1^n|E_1^n)_{\rho_{AE}^{\otimes n}} \le nH(A|E)_{\rho_{AE}} + \sqrt{n}\,\delta(\epsilon, \eta_{AE}), \tag{62}$$

where $\delta(\epsilon, \eta_{AE}) = 4\log\eta_{AE}\sqrt{\log\frac{2}{\epsilon^2}}$ and $\eta_{AE} = \sqrt{2^{-H_{\min}(A|E)_\rho}} + \sqrt{2^{H_{\max}(A|E)_\rho}} + 1$.

Therefore, under the assumption of collective attacks, the quantum AEP reduces the problem of estimating the key rate of a string of n bits to the problem of bounding the one-round conditional von Neumann entropy. We remark that the AEP implies an additional term, proportional to $\sqrt{n}$, which is significant for finite-regime analyses.

We can also use the AEP to bound the information leaked during information reconciliation

$$\mathrm{leak}_{IR} \le nH(A|B)_\rho + \sqrt{n}\,\delta\!\left(\frac{\epsilon'_{IR}}{2}, \eta_{AB}\right) + \log\left(\frac{8}{\epsilon'^{2}_{IR}} + \frac{2}{2 - \epsilon'_{IR}}\right) + \log\left(\frac{1}{\epsilon_{IR}}\right). \tag{63}$$
Putting the results together we have that the asymptotic key rate is given by

$$r_\infty = \lim_{n \to \infty} \frac{\ell}{n} = H(A|E)_\rho - H(A|B)_\rho. \tag{64}$$

Note that eqs. (61) and (63) provide a way to calculate the key rate for a real implementation with a finite number of rounds. For small n ($< 10^6$), the terms depending on $\sqrt{n}$ are significant, which implies that a secure key, ℓ > 0, can only be obtained if a minimum number of rounds $n_{\min}$ is performed.

4.1 Asymptotic key rate of the BB84


We are ready to focus again on the BB84 protocol. In the BB84, the only information we obtain about the state are the two parameters estimated during the protocol, $Q_X$ and $Q_Z$:

$$Q_X = p(a \ne b \,|\, X\text{-basis measurement}), \tag{65}$$

$$Q_Z = p(a \ne b \,|\, Z\text{-basis measurement}). \tag{66}$$

Therefore our goal is to compute:

$$r_\infty = \inf_{\rho \in \mathcal{S}(Q_X, Q_Z)} \{H(A|E)_\rho - H(A|B)_\rho\}, \tag{67}$$

where $\mathcal{S}(Q_X, Q_Z)$ is the set of quantum states with QBERs $Q_X$ and $Q_Z$.

4.1.1 Reduction to Bell diagonal states


In fact we can restrict the analysis to Bell diagonal states only. These are states of the form

$$\tilde\rho_{AB} = \lambda_{00}\Phi_{00} + \lambda_{01}\Phi_{01} + \lambda_{10}\Phi_{10} + \lambda_{11}\Phi_{11}, \tag{68}$$

where $\Phi_{ij} = |\Phi_{ij}\rangle\langle\Phi_{ij}|$ and $|\Phi_{ij}\rangle = X^i Z^j \otimes I\,|\Phi^+\rangle$ form the Bell basis.

To see that, we first note that the state $\tilde\rho$ can be obtained from ρ by the following operation:

$$\tilde\rho_{AB} = \frac{1}{4}\big(\rho_{AB} + X \otimes X\,\rho_{AB}\,X \otimes X + Y \otimes Y\,\rho_{AB}\,Y \otimes Y + Z \otimes Z\,\rho_{AB}\,Z \otimes Z\big), \tag{69}$$

which preserves the Bell diagonal elements

$$\langle\Phi_{ij}|\rho_{AB}|\Phi_{ij}\rangle = \langle\Phi_{ij}|\tilde\rho_{AB}|\Phi_{ij}\rangle = \lambda_{ij}, \tag{70}$$

and also the QBERs: just note that the maps applied in each term either commute with the measurement basis or flip the outcomes of Alice and Bob, which does not change the QBERs.

Moreover, it is possible to show that

$$H(A|E)_\rho \ge H(A|E)_{\tilde\rho}, \tag{71}$$

so without loss of generality we will restrict the analysis to Bell diagonal states.



4.1.2 Asymptotic key rate
We start with the Bell diagonal state ρ̃, eq. (68), and construct a purification which is held by the eavesdropper
$$|\psi\rangle_{ABE} = \sum_{i,j}\sqrt{\lambda_{ij}}\,|\Phi_{ij}\rangle\otimes|e_{ij}\rangle \qquad (72)$$
$$\begin{aligned}
&= |00\rangle\,\tfrac{1}{\sqrt2}\left(\sqrt{\lambda_{00}}|e_{00}\rangle + \sqrt{\lambda_{01}}|e_{01}\rangle\right) + |11\rangle\,\tfrac{1}{\sqrt2}\left(\sqrt{\lambda_{00}}|e_{00}\rangle - \sqrt{\lambda_{01}}|e_{01}\rangle\right) \\
&\quad + |01\rangle\,\tfrac{1}{\sqrt2}\left(\sqrt{\lambda_{10}}|e_{10}\rangle + \sqrt{\lambda_{11}}|e_{11}\rangle\right) + |10\rangle\,\tfrac{1}{\sqrt2}\left(\sqrt{\lambda_{10}}|e_{10}\rangle - \sqrt{\lambda_{11}}|e_{11}\rangle\right).
\end{aligned} \qquad (73)$$
After Alice and Bob measure in the Z basis and we trace out Bob, we obtain the state
$$\rho_{AE} = \tfrac12\,|0\rangle\langle0|_A\otimes\sigma_{E|0} + \tfrac12\,|1\rangle\langle1|_A\otimes\sigma_{E|1}, \qquad (74)$$
where
$$\sigma_{E|0} = |f_{00}\rangle\langle f_{00}| + |f_{01}\rangle\langle f_{01}|, \qquad \sigma_{E|1} = |f_{10}\rangle\langle f_{10}| + |f_{11}\rangle\langle f_{11}| \qquad (75)$$
and
$$\begin{aligned}
|f_{00}\rangle &= \sqrt{\lambda_{00}}|e_{00}\rangle + \sqrt{\lambda_{01}}|e_{01}\rangle \\
|f_{01}\rangle &= \sqrt{\lambda_{10}}|e_{10}\rangle + \sqrt{\lambda_{11}}|e_{11}\rangle \\
|f_{10}\rangle &= \sqrt{\lambda_{10}}|e_{10}\rangle - \sqrt{\lambda_{11}}|e_{11}\rangle \\
|f_{11}\rangle &= \sqrt{\lambda_{00}}|e_{00}\rangle - \sqrt{\lambda_{01}}|e_{01}\rangle
\end{aligned} \qquad (76)$$

From Exercise 2.c) we have that
$$H(A|E)_{\tilde\rho} = 1 + h(\lambda_{10}+\lambda_{11}) - H(\{\lambda_{ij}\}), \qquad (77)$$
where $h(p) = -p\log p - (1-p)\log(1-p)$ is the binary entropy and $H(\{\lambda_{ij}\}) = -\sum_{ij}\lambda_{ij}\log\lambda_{ij}$.
For the information reconciliation term we get
$$H(A|B)_{\tilde\rho} = -\sum_{a,b} p(a,b)\log p(a|b) \qquad (78)$$
$$= h(\lambda_{10}+\lambda_{11}). \qquad (79)$$



And since the QBERs QX and QZ relate to the Bell coefficients by

QZ = λ10 + λ11 (80)


QX = λ01 + λ11 , (81)

we see that, in the asymptotic limit, the leakage in the information reconciliation is
determined by the QBER on the measurement basis:

leakIR = h(QZ ). (82)

Combining (77) and (79) we have that
$$r_\infty = \inf_{\{\lambda_{ij}\}\in S(Q_X,Q_Z)} 1 - H(\{\lambda_{ij}\}). \qquad (83)$$

Minimizing the r.h.s. with respect to a single free parameter we obtain⁴
$$r_\infty = 1 - h(Q_X) - h(Q_Z). \qquad (84)$$

Exercise 3. Consider a noisy implementation where the source distributes a maximally entangled state that undergoes depolarizing noise, i.e., the state shared by Alice and Bob at each round is
$$\rho_{AB} = (1-\nu)\,\Phi^+ + \nu\,\frac{I}{4}. \qquad (85)$$
What is the maximum amount of noise ν that an implementation of the BB84 with this setup can tolerate? How does that translate to the values of the QBERs Q_X and Q_Z?

⁴ Hint: To achieve the desired expression you can use the parametrization
$$\lambda_{00} = 1 - \frac{Q_X + t + Q_Z}{2},\qquad \lambda_{01} = \frac{Q_X + t - Q_Z}{2},\qquad \lambda_{10} = \frac{-Q_X + t + Q_Z}{2},\qquad \lambda_{11} = \frac{Q_X - t + Q_Z}{2}$$
and the fact that
$$H(\{\lambda_{ij}\}) \equiv h(\lambda_{10}+\lambda_{11}) + (\lambda_{10}+\lambda_{11})\,h\!\left(\frac{\lambda_{10}}{\lambda_{10}+\lambda_{11}}\right) + (\lambda_{00}+\lambda_{01})\,h\!\left(\frac{\lambda_{00}}{\lambda_{00}+\lambda_{01}}\right).$$
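As an added numerical check (not part of the lecture notes), the following Python code evaluates the right-hand side of (83) over the parametrization of the hint: it scans the single free parameter t over the interval in which all four λ_ij are non-negative, compares the infimum with the closed form (84), and verifies the entropy identity quoted in the hint. The grid search and the helper names are this example's own choices.

```python
import math


def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def shannon(probs):
    """H({lambda_ij}) = -sum lambda_ij log lambda_ij (zero weights contribute nothing)."""
    return -sum(p * math.log2(p) for p in probs if p > 0.0)


def bell_coefficients(qx, qz, t):
    """Bell-diagonal weights (l00, l01, l10, l11) for QBERs qx, qz and free parameter t,
    following the parametrization of the hint.  By construction l10 + l11 = qz and
    l01 + l11 = qx, so every admissible t yields a state in S(QX, QZ)."""
    l00 = 1.0 - (qx + t + qz) / 2.0
    l01 = (qx + t - qz) / 2.0
    l10 = (-qx + t + qz) / 2.0
    l11 = (qx - t + qz) / 2.0
    return (l00, l01, l10, l11)


def t_range(qx, qz):
    """Interval of t for which all four weights are non-negative (a valid state)."""
    lo = abs(qx - qz)
    hi = min(qx + qz, 2.0 - qx - qz)
    return lo, hi


def entropy_via_hint(lam):
    """H({lambda_ij}) computed through the chain-rule decomposition quoted in the hint."""
    l00, l01, l10, l11 = lam
    pz, pnz = l10 + l11, l00 + l01
    res = h(pz)
    if pz > 0.0:
        res += pz * h(l10 / pz)
    if pnz > 0.0:
        res += pnz * h(l00 / pnz)
    return res


def bb84_rate_numeric(qx, qz, steps=4000):
    """Infimum over t of 1 - H({lambda_ij}), eq. (83), by a grid search over feasible t.
    The entropy is concave in t, so the minimum of the rate sits at the entropy maximum."""
    lo, hi = t_range(qx, qz)
    best = float("inf")
    for k in range(steps + 1):
        t = lo + (hi - lo) * k / steps
        best = min(best, 1.0 - shannon(bell_coefficients(qx, qz, t)))
    return best


def bb84_rate_closed_form(qx, qz):
    """Eq. (84): r = 1 - h(QX) - h(QZ)."""
    return 1.0 - h(qx) - h(qz)


if __name__ == "__main__":
    for qx, qz in [(0.05, 0.05), (0.10, 0.02)]:
        print(qx, qz, bb84_rate_numeric(qx, qz), bb84_rate_closed_form(qx, qz))
```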



5 Security against coherent attacks
5.1 Post-selection technique
The extension of de Finetti theorems to the quantum setting establishes that if a
quantum state of N parties is symmetric, i.e., invariant under the permutation of
parties, then the state of a small subset of m ≪ N parties is of the form σ ⊗m , for
some unknown state σ. Improved versions of quantum de Finetti theorems and their
application to quantum key distribution were explored in [7, 18]. In summary, by
exploring the symmetries of a QKD protocol, we can reduce the analysis to collective
attacks.
The most recent de Finetti-type result is the post-selection technique introduced
in [19], which provides tighter bounds for QKD security.

Theorem 5.1. Let P_QKD be a QKD protocol that is invariant under the permutation of the input subsystems. Then if P_QKD is ϵ-secure against collective attacks generating a key of size ℓ, P_QKD is ϵ′-secure against coherent attacks if the key is shortened to a size ℓ′ where
$$\epsilon' = (n+1)^{d^2-1}\,\epsilon \qquad (86)$$

and

ℓ′ = ℓ − 2(d2 − 1) log(n + 1), (87)

where d is the dimension of each subsystem shared by Alice and Bob, and n the total
number of rounds.

For a detailed proof of the post-selection technique we refer the reader to [20].

The post-selection technique is a general result, valid for any QKD protocol with
the required symmetry. We note that the BB84 protocol is invariant under the
permutation of the input states, since the protocol acts in the same way in each
round of the protocol. Moreover, for the BB84 we have that d = 4.

5.2 Uncertainty relation


Another way of proving security of the BB84 against coherent attacks is using the
uncertainty relation for smooth entropies [21].

Theorem 5.2 (Uncertainty relation for smooth entropies). Let ρ_ABE be a tri-partite quantum state and $\{M_X^a\}$ and $\{M_Z^{a'}\}$ be two POVMs on A. Then,
$$H^{\epsilon}_{\min}(A_Z|E)_\rho + H^{\epsilon}_{\max}(A_X|B)_\rho \ge \log\frac{1}{c}, \qquad (88)$$



where
$$c := \max_{a,a'}\left\|\sqrt{M_X^a}\,\sqrt{M_Z^{a'}}\right\|_\infty^2 \qquad (89)$$
and ∥X∥_∞ is the operator norm, which corresponds to the largest singular value of X.
For the BB84 protocol we can take $\{M_Z^{a'}\}$ to be the measurement of Alice's n qubits in the Z basis and $\{M_X^a\}$ to be the measurement of the n qubits in the X basis, and then we have that
$$c = \max_{\vec a_X,\vec a_Z}\left\|\bigotimes_i |a_{X_i}\rangle\langle a_{X_i}|a_{Z_i}\rangle\langle a_{Z_i}|\right\|_\infty^2 = \left(\frac12\right)^n, \qquad (90)$$
since $\langle a_{X_i}|a_{Z_i}\rangle = \frac{1}{\sqrt2}$, as $|a_{X_i}\rangle\in\{|+\rangle,|-\rangle\}$ and $|a_{Z_i}\rangle\in\{|0\rangle,|1\rangle\}$.
Therefore we have
$$H^\epsilon_{\min}(A_1^n|E)_\rho \ge n - H^\epsilon_{\max}(A_{X,1}^{n}|B)_\rho \qquad (91)$$
$$\ge n - H^\epsilon_{\max}(A_{X,1}^{n}|B_{X,1}^{n})_\rho \qquad (92)$$
where in the second inequality we use the data-processing inequality for smooth entropies (Property 2.9.1). $H^\epsilon_{\max}(A_{X,1}^{n}|B_{X,1}^{n})_\rho$ is the conditional entropy of Alice's outcomes given Bob's outcomes, had they measured all the systems in the X basis.
The problem is now reduced to bounding the entropy of a classical probability distribution, given the parameters estimated in the protocol.
Using classical results for sampling without replacement, the authors of [13, 22] bound $H^\epsilon_{\max}(A_{X,1}^{n}|B_{X,1}^{n})_\rho$ by a function of the estimated QBER in the X basis. In the limit of infinitely many rounds, their result states that
$$\frac{1}{n}H^\epsilon_{\max}(A_{X,1}^{n}|B_{X,1}^{n})_\rho \longrightarrow H(A_X|B_X) = h(Q_X). \qquad (93)$$
The leakage in the information reconciliation can be evaluated for an honest i.i.d.
implementation and therefore it is bounded by (63). Therefore, using the uncertainty
relation we again obtain:

r∞ = 1 − h(QX ) − h(QZ ). (94)

Remark 1: Both techniques to prove security against coherent attacks, the post-
selection technique and the uncertainty relation, achieve the same asymptotic key rate
and show that collective attacks are optimal in the limit of infinitely many repetitions.
In the finite regime, however, the security analysis based on the uncertainty relation
leads to tighter results (it has smaller overhead terms and therefore better rates in
the finite regime).



Remark 2: The security proof based on the uncertainty relation is restricted to protocols in which Alice performs only two possible measurements. The post-selection technique, on the other hand, can be applied to more general protocols (in particular the six-state protocol [23], in which Alice and Bob perform measurements in three bases, X, Y and Z).

6 BB84 with imperfect sources (decoy states method)


A feasible source for the implementation of the BB84 protocol consists of phase
randomized weak coherent pulses (WCP) (i.e. the BB84 states are encoded in the
polarization of a coherent state). The problem is that, in this case, Alice may send
more than one photon per round. If Eve can intercept some of these extra photons,
what is called a photon-number-splitting (PNS) attack, then she will have access to
the same information as Bob and not generate any QBER in the system. Therefore
Alice and Bob will not detect the attack and end up with an insecure key.
The way to overcome this problem, as proposed in [24], is to account for the fact that security is only guaranteed for the rounds in which the source emitted single photons. The asymptotic key rate of the BB84 is then modified to
$$r_\infty = \Gamma^{(1)}\left[1 - h\big(q_X^{(1)}\big)\right] - \Gamma\,h(Q_Z), \qquad (95)$$
where

• Γ is the gain of the signal state, i.e. the probability that Bob has a detection given that Alice sent a state;

• $\Gamma^{(1)}$ is the gain of the single-photon state, i.e. the probability that Bob has a detection of a single-photon event;

• Q_Z is the QBER of the signal state in the Z basis;

• $q_X^{(1)}$ is the QBER of single-photon events in the X basis.

The problem is that $\Gamma^{(1)}$ and $q_X^{(1)}$ are not directly observed quantities.

The method of decoy states (see [25] for details) provides a way to estimate $\Gamma^{(1)}$ and $q_X^{(1)}$. The idea is that, in some of the rounds, Alice uses different intensities to prepare the so-called decoy states.
A phase-randomized WCP source with mean photon number µ is described by the state:
$$\rho_\mu = \frac{1}{2\pi}\int_0^{2\pi} d\theta\,\big|\sqrt{\mu}\,e^{i\theta}\big\rangle\big\langle\sqrt{\mu}\,e^{i\theta}\big| = \sum_{n=0}^{\infty} e^{-\mu}\frac{\mu^n}{n!}\,|n\rangle\langle n| \qquad (96)$$



where $|\alpha\rangle = e^{-|\alpha|^2/2}\sum_{n=0}^{\infty}\frac{\alpha^n}{\sqrt{n!}}|n\rangle$ is a coherent state. This state describes a situation in which the probability that Alice's signal has n photons is given by $p_n = e^{-\mu}\frac{\mu^n}{n!}$.
The gain of this source can be described by
$$\Gamma(\mu) = Y^{(0)}e^{-\mu} + Y^{(1)}e^{-\mu}\mu + Y^{(2)}e^{-\mu}\frac{\mu^2}{2} + \ldots + Y^{(n)}e^{-\mu}\frac{\mu^n}{n!} + \ldots, \qquad (97)$$
where
$$Y^{(n)} = \Pr(\text{Bob detects a photon}\,|\,\text{Alice emitted } n \text{ photons}) \qquad (98)$$
is the yield of an n-photon signal.

Similarly the QBER can depend on the photon number, and we define $q_Z^{(n)}$ ($q_X^{(n)}$) as the QBER of an n-photon signal in the Z (X) basis. The total (observed) QBER is given by
$$Q_Z(\mu) = \frac{Y^{(0)}e^{-\mu}q_Z^{(0)} + Y^{(1)}e^{-\mu}\mu\,q_Z^{(1)} + \ldots + Y^{(n)}e^{-\mu}\frac{\mu^n}{n!}\,q_Z^{(n)} + \ldots}{\Gamma(\mu)} \qquad (99)$$
which is the weighted average of the QBERs of the different photon numbers. And similarly for Q_X(µ).
Since Eve cannot distinguish a decoy from a signal state, the only information available to her being the photon number, the yields $Y^{(n)}$ and QBERs $q_Z^{(n)}$ are independent of the intensity µ, i.e., independent of whether the photons come from a decoy state or a signal state.
By generating phase-randomized WCPs of different intensities µ in the testing rounds and measuring the observable quantities Γ(µ), Q_X(µ), and Q_Z(µ), Alice and Bob can estimate the values of $\Gamma^{(1)}$ and $q_X^{(1)}$ (note that equation (97) is linear in the parameters $Y^{(n)}$, and afterwards equation (99) is linear in the parameters $q_X^{(n)}$). More precisely, we want to determine a lower bound on $\Gamma^{(1)} = Y^{(1)}e^{-\mu}\mu$, for the signal state, and an upper bound on $q_X^{(1)}$. The use of only two decoy states was shown to be sufficient to achieve almost optimal results [26].
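The following Python snippet (added here as an illustration, not code from the notes or from [26]) simulates Γ(µ) and Q(µ) from a constructed channel model with known yields $Y^{(n)}$ and errors $q^{(n)}$, then applies the vacuum-plus-weak-decoy bounds of [26] to the observed values and checks that the estimates bracket the true single-photon quantities and give a positive rate (95). The channel model, its parameters and the intensities µ = 0.5, ν = 0.1 are assumptions of this example.

```python
import math

# Constructed channel model (an assumption for this example, not from the notes):
# each photon reaches Bob's detector independently with probability ETA, dark
# counts give a background yield Y0 whose outcome is random (error E0 = 1/2),
# and genuine detections carry a misalignment error E_DET.
ETA, Y0, E_DET, E0 = 0.10, 1e-5, 0.015, 0.5


def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def poisson(n, mu):
    """p_n = e^{-mu} mu^n / n!, the photon-number distribution of a phase-randomized WCP."""
    return math.exp(-mu) * mu ** n / math.factorial(n)


def yield_n(n):
    """Y^(n) of eq. (98) in the model: a click unless every photon is lost and no dark count."""
    return 1.0 - (1.0 - Y0) * (1.0 - ETA) ** n


def qber_n(n):
    """q^(n): error of an n-photon signal (dark counts and misalignment, weighted by the yield)."""
    eta_n = 1.0 - (1.0 - ETA) ** n
    return (E0 * Y0 + E_DET * eta_n) / yield_n(n)


def gain(mu, nmax=40):
    """Gamma(mu), eq. (97): Poisson-weighted sum of the yields, truncated at nmax photons."""
    return sum(poisson(n, mu) * yield_n(n) for n in range(nmax + 1))


def gain_closed_form(mu):
    """The same sum done analytically for this model: Y0 + (1 - Y0)(1 - e^{-mu*ETA})."""
    return Y0 + (1.0 - Y0) * (1.0 - math.exp(-mu * ETA))


def qber(mu, nmax=40):
    """Q(mu), eq. (99): yield-weighted average of the n-photon QBERs."""
    num = sum(poisson(n, mu) * yield_n(n) * qber_n(n) for n in range(nmax + 1))
    return num / gain(mu)


def vacuum_weak_decoy_bounds(mu, nu, gamma_mu, gamma_nu, q_nu, y0):
    """Lower bound on Y^(1) and upper bound on q^(1) from the gains observed at the signal
    intensity mu and at a weak decoy intensity nu < mu, the decoy QBER q_nu, and the vacuum
    yield y0 = Y^(0) (measured with a vacuum decoy).  These are the vacuum + weak decoy
    formulas of Ma, Qi, Zhao and Lo [26]: they follow from (97) and (99) by bounding the
    multi-photon terms, which can only make Y^(1) larger and q^(1) smaller."""
    y1_low = mu / (mu * nu - nu ** 2) * (
        gamma_nu * math.exp(nu)
        - gamma_mu * math.exp(mu) * nu ** 2 / mu ** 2
        - (mu ** 2 - nu ** 2) / mu ** 2 * y0
    )
    q1_up = (q_nu * gamma_nu * math.exp(nu) - E0 * y0) / (y1_low * nu)
    return y1_low, q1_up


def decoy_key_rate(mu, nu):
    """Eq. (95) with the decoy estimates in place of the unobserved Gamma^(1) and q_X^(1).
    The constructed model is basis-symmetric, so one q^(n) serves for both X and Z."""
    y1_low, q1_up = vacuum_weak_decoy_bounds(
        mu, nu, gain(mu), gain(nu), qber(nu), yield_n(0))
    gamma1_low = y1_low * poisson(1, mu)
    return gamma1_low * (1.0 - h(q1_up)) - gain(mu) * h(qber(mu))


if __name__ == "__main__":
    mu, nu = 0.5, 0.1
    y1_low, q1_up = vacuum_weak_decoy_bounds(
        mu, nu, gain(mu), gain(nu), qber(nu), yield_n(0))
    print("Y1 true/lower bound:", yield_n(1), y1_low)
    print("q1 true/upper bound:", qber_n(1), q1_up)
    print("key rate (95):", decoy_key_rate(mu, nu))
```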

7 Untrusted detectors: measurement device-independent quantum key distribution (MDI-QKD)

Another big weakness of the BB84 protocol lies in the assumption that the measurement devices are performing the required measurements. Measurement device-independent QKD is a proposal to drop this assumption. For a review on MDI-QKD see [27].
In the MDI setting, Alice and Bob have trusted sources in which they can prepare BB84 states. They send the prepared states to an untrusted relay (which can be controlled by the eavesdropper Eve) that performs a Bell state measurement and announces the outcome.
For the rounds in which Alice and Bob used the same basis for preparation, the
outcome of the relay reveals the parity of their encoded bits (see Table 1).

Figure 2: MDIQKD setup: Alice and Bob prepare BB84 states and send to an
untrusted relay who performs a Bell state measurement.

Relay output Φ+ Φ− Ψ+ Ψ−
Z-basis preparation a=b a=b a ̸= b a ̸= b
X-basis preparation a=b a ̸= b a=b a ̸= b

Table 1: Relation of Alice and Bob encoded bits given the Bell state measured by
the relay, for preparation in the Z and the X bases.

The knowledge of the parity does not allow the relay to obtain information about the actual values of Alice's and Bob's bits. And by comparing the outcomes of some of the rounds and estimating the QBERs Q_X and Q_Z, Alice and Bob can ensure that the relay is behaving honestly.

Imperfect state preparation can also be accounted for in MDI-QKD by combining it with the method of decoy states [28]. The difference here is that now we have both Alice and Bob preparing states. Therefore security is guaranteed only when both Alice's and Bob's sources prepared single photons. In this case the asymptotic key rate is given by:
$$r_\infty = \Gamma^{(1,1)}\left[1 - h\big(q_X^{(1,1)}\big)\right] - \Gamma\,h(Q_Z), \qquad (100)$$
where Γ is the total gain of the source, and $\Gamma^{(m,n)}$, $q_X^{(m,n)}$ ($q_Z^{(m,n)}$) are the gain and the QBER in the X (Z) basis of the signal states sent by Alice and Bob, when Alice's source sends n photons and Bob's sends m.



In this scenario the method of decoy states generates the set of equations
$$\Gamma(\mu,\nu) = \sum_{n,m} e^{-\mu}\frac{\mu^n}{n!}\,e^{-\nu}\frac{\nu^m}{m!}\,Y^{(n,m)}, \qquad (101)$$
$$Q_X(\mu,\nu) = \frac{\sum_{n,m} e^{-\mu}\frac{\mu^n}{n!}\,e^{-\nu}\frac{\nu^m}{m!}\,Y^{(n,m)}\,q_X^{(n,m)}}{\Gamma(\mu,\nu)}, \qquad (102)$$
and similarly for Q_Z(µ, ν).

8 Device-independent quantum key distribution (DIQKD)


In the MDI-QKD scenario discussed in the previous section, we still need to assume
that Alice and Bob’s preparation device is somewhat trusted (although we can over-
come some imperfections, such as multiple-photon generation, using decoy states).
We are now going to relax all the assumptions about the specific workings of the
systems and measurement devices. In the device-independent scenario the systems
and measurement-devices are modelled as black-boxes.

Figure 3: Device-independent scenario: the uncharacterized devices of Alice and Bob are treated as black boxes. The only relevant information is the statistics of inputs and outputs.

In the DI scenario, the only relevant information about the system is the statistics
of inputs and outputs {p(ab|xy)}, without assumptions on how these statistics were
generated. Security is then going to be inferred by the violation of a Bell inequality.
The simplest Bell inequality is the CHSH-inequality [29], in which Alice and Bob
have each two inputs with two possible outputs. The CHSH inequality reads:

β = ⟨A0 B0 ⟩ + ⟨A0 B1 ⟩ + ⟨A1 B0 ⟩ − ⟨A1 B1 ⟩ ≤ 2 (103)

for

⟨Ax By ⟩ = p(a = b|xy) − p(a ̸= b|xy). (104)

Interestingly, quantum mechanics can violate this inequality up to the value $2\sqrt{2}$.
The idea of device-independent QKD arose from the E91 protocol [30], which proposed to use a test of the CHSH inequality in order to check for the presence of an eavesdropper.
The simplest DIQKD protocol uses the CHSH inequality for the security test:

Protocol 1 DIQKD protocol


1: for i = 1 to n do
2: A source distributes a quantum state to Alice and Bob.
3: Alice chooses x ∈ {0, 1}, performs the corresponding measurement, and
records the outcome a.
4: Bob chooses y ∈ {0, 1, 2}, performs the corresponding measurement, and
records the outcome b.
5: end for
6: Sifting: Alice and Bob publicly announce their choices of basis, x and y, and
compare them. They discard the rounds in which Alice and Bob chose x = 1 and
y = 2.
7: Parameter estimation: Using the rounds in x ∈ {0, 1} and y ∈ {0, 1}, Alice
and Bob estimate the Bell violation β. And using some of the rounds in which
x = 0 and y = 2, they estimate the QBER Q. The other rounds form their raw
keys.
8: Information reconciliation: Alice and Bob choose a classical error correcting
code and communicate over the authenticated public channel in order to correct
their string of bits. At the end of this phase Alice and Bob should hold the same
bit-string.
9: Privacy amplification: Alice and Bob use an extractor on the previously es-
tablished strings to generate shorter but completely secret strings of ℓ bits, which
are their final keys KA and KB .

8.1 DIQKD against collective attacks


If we are restricted to collective attacks, we have seen that the asymptotic equipartition property (Theorem 4.1) reduces the problem of computing the asymptotic key rate to the problem of bounding the entropies
$$H(A|E)_\rho \quad\text{and}\quad H(A|B)_\rho. \qquad (105)$$
Remark: In the DI scenario, the assumption of collective attacks also constrains the devices, which are then supposed to behave in the same way in each round of the protocol. In particular, the devices need to be memoryless.

The leakage of information reconciliation is straightforwardly determined by the estimated QBER Q:
$$H(A|B)_\rho = h(Q). \qquad (106)$$



It only remains to estimate H(A|E)_ρ given the observed violation β:
$$\inf_{\rho\in S_\beta} H(A|E)_\rho. \qquad (107)$$
The problem we face here is that in the DI scenario we do not even make an assumption about the dimension of the underlying state, which makes the optimization seemingly intractable.
For the CHSH inequality this problem was solved in [31, 32]. Here we report the main result:

Theorem 8.1. For a state ρ_AB that achieves a violation β of the CHSH inequality, it holds that
$$H(A|E)_\rho \ge 1 - h\left(\frac12 + \frac12\sqrt{\left(\frac{\beta}{2}\right)^2 - 1}\right). \qquad (108)$$

So finally we obtain the asymptotic key rate for the DIQKD protocol based on the CHSH inequality
$$r_\infty = 1 - h\left(\frac12 + \frac12\sqrt{\left(\frac{\beta}{2}\right)^2 - 1}\right) - h(Q). \qquad (109)$$

Exercise 4. As a benchmark, consider again a noisy implementation where the source distributes a maximally entangled state that undergoes depolarizing noise, see eq. (85). If the devices perform the measurements that maximize the CHSH violation for the maximally entangled state Φ+, then the parameters of interest relate to the noise parameter ν by
$$Q = \frac{\nu}{2} \quad\text{and}\quad \beta = 2\sqrt{2}\,(1-\nu). \qquad (110)$$
What is the maximum amount of noise ν that an implementation of the DIQKD protocol with this setup can tolerate? How does that translate into the value of the QBER Q?
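The depolarizing benchmark of Exercises 3 and 4, worked numerically as an added example (not code from the notes): for the state (85) the Bell weights are (1 − 3ν/4, ν/4, ν/4, ν/4), so Q_X = Q_Z = ν/2 in (84), while (110) feeds (109); a bisection on ν then locates where each rate crosses zero. The bisection helper and the function names are this example's own.

```python
import math


def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def bb84_rate_depolarizing(nu):
    """Eq. (84) for the depolarized state (85): QX = QZ = nu/2, since the Bell
    weights are (1 - 3nu/4, nu/4, nu/4, nu/4) and QZ = l10 + l11, QX = l01 + l11."""
    q = nu / 2.0
    return 1.0 - 2.0 * h(q)


def diqkd_rate_depolarizing(nu):
    """Eq. (109) with the benchmark parameters (110): Q = nu/2, beta = 2*sqrt(2)*(1 - nu).
    Once beta <= 2 (no CHSH violation) the bound (108) only gives H(A|E) >= 0,
    which we model by clamping the square root's argument at zero (h(1/2) = 1)."""
    q = nu / 2.0
    beta = 2.0 * math.sqrt(2.0) * (1.0 - nu)
    s = max((beta / 2.0) ** 2 - 1.0, 0.0)
    return 1.0 - h(0.5 + 0.5 * math.sqrt(s)) - h(q)


def noise_threshold(rate_fn, lo=0.0, hi=0.5, tol=1e-10):
    """Largest nu with rate_fn(nu) > 0, found by bisection.  Both rates above are
    decreasing in nu: every entropy term grows with the noise on [0, 0.5]."""
    assert rate_fn(lo) > 0.0 and rate_fn(hi) <= 0.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if rate_fn(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    for name, fn in [("BB84", bb84_rate_depolarizing), ("DIQKD", diqkd_rate_depolarizing)]:
        nu_max = noise_threshold(fn)
        print(f"{name}: max depolarizing noise nu = {nu_max:.4f}, QBER = {nu_max / 2:.4f}")
```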

The CHSH inequality is significantly simpler than other Bell inequalities. Due
to the fact that the CHSH inequality has only two binary inputs per party, a strong
result [33, 34] states that the description of any realization of a CHSH experiment
can be decomposed into subspaces of dimension two, where projective measurements
are performed in each subspace. This significantly simplifies the optimization (107)
which can then be restricted to qubit states.
For other Bell inequalities, one can in general use the relation

H(A|E)ρ ≥ Hmin (A|E)ρ . (111)



to obtain lower bounds. Indeed the conditional min-entropy can be computed as a
function of the Bell violation by semi-definite programming [35]. The idea is that
in order to estimate the min-entropy one can upper bound the guessing probability,
pguess (see Eq. (23)), of the eavesdropper. The problem of bounding the guessing
probability can then be expressed as an optimization over probability distributions,
which is exactly the information available in the device-independent scenario. As
shown in Ref. [35], for any Bell inequality, an upper bound on the pguess can be
obtained by semidefinite programming making use of the NPA-hierarchy [36].

8.2 DIQKD against coherent attacks


In standard QKD, we have seen that the post-selection technique, Theorem 5.1, allows one to extend the proofs against collective attacks to coherent attacks for protocols that present some symmetry. The price to pay is an overhead term in the security parameter that depends on the dimension of the underlying system. In the DI scenario, we do not make assumptions on the dimension of the underlying system. Moreover, symmetry of the protocol is not guaranteed, as we do not know the behaviour of the measurement devices. Therefore, de Finetti techniques cannot be used to straightforwardly extend the security proofs against collective attacks to coherent attacks in the device-independent scenario.
This problem was overcome by a recently developed technique called the entropy accumulation theorem (EAT) [37, 38]. When applied to DIQKD, the EAT can be summarized as follows.
Theorem 8.2 (EAT applied to QKD). For an event Ω that happens with probability p_Ω, it holds that
$$H^\epsilon_{\min}(A_1^n|E)_{\rho|\Omega} > n\,f_{\min}(\Omega) - O(\sqrt{n}), \qquad (112)$$
where f_min(Ω) is a convex function such that
$$f_{\min}(\Omega) \le \inf_{\sigma\in S(\Omega)} H(A|E)_\sigma, \qquad (113)$$
and S(Ω) is the set of quantum states that lead to the event Ω. Moreover, the explicit form of the $O(\sqrt{n})$ term depends on p_Ω, ϵ, ∥∇f_min∥_∞ and the dimension of the classical registers $A_1^n$ and $B_1^n$.
We refer the reader to [37, 38] for more formal details.

Analogous to the AEP, the entropy accumulation theorem allows us to break the
entropy of the string of bits conditioned into some event Ω (e.g., a certain violation β
of the CHSH inequality) into the entropy of a single round. Note, however, that this
single-round entropy does not refer to the entropy of the real state of the protocol at
each round. It is minimized over hypothetical states that would achieve the observed
violation.



Remark: It is important to remark that a crucial assumption in the EAT [37, 38] is that some of the variables of interest satisfy what is called the Markov condition. This is the case for QKD protocols performed sequentially. For the definition and a discussion of the implications of the Markov condition, see [37].

References
[1] C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, 1984, pp. 175–179.

[2] S. Wiesner, “Conjugate coding,” SIGACT News, vol. 15, no. 1, pp. 78–88, Jan. 1983. [Online]. Available: https://doi.org/10.1145/1008908.1008920

[3] H.-K. Lo, H. Chau, and M. Ardehali, “Efficient quantum key distribution scheme and a proof of its unconditional security,” Journal of Cryptology, vol. 18, no. 2, pp. 133–165, 2005. [Online]. Available: https://doi.org/10.1007/s00145-004-0142-y

[4] C. H. Bennett, G. Brassard, and N. D. Mermin, “Quantum cryptography without Bell’s theorem,” Phys. Rev. Lett., vol. 68, pp. 557–559, Feb 1992. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.68.557

[5] P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol,” Phys. Rev. Lett., vol. 85, pp. 441–444, Jul 2000. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.85.441

[6] B. Kraus, N. Gisin, and R. Renner, “Lower and upper bounds on the secret-key rate for quantum key distribution protocols using one-way classical communication,” Phys. Rev. Lett., vol. 95, p. 080501, Aug 2005. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.95.080501

[7] R. Renner, “Security of quantum key distribution,” International Journal of Quantum Information, vol. 06, no. 01, pp. 1–127, 2008.

[8] M. Tomamichel, “Quantum information processing with finite resources,” SpringerBriefs in Mathematical Physics, 2016, [Theorem refs based on arXiv:1504.00233]. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-21891-5

[9] I. Devetak and A. Winter, “Classical data compression with quantum side information,” Phys. Rev. A, vol. 68, p. 042301, Oct 2003. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevA.68.042301

[10] M. Tomamichel, “A framework for non-asymptotic quantum information theory,” 2012. [Online]. Available: https://arxiv.org/abs/1203.2142

[11] R. König, R. Renner, and C. Schaffner, “The operational meaning of min- and max-entropy,” IEEE Transactions on Information Theory, vol. 55, no. 9, pp. 4337–4347, Sep. 2009.

[12] J. Carter and M. N. Wegman, “Universal classes of hash functions,” Journal of Computer and System Sciences, vol. 18, no. 2, pp. 143–154, 1979. [Online]. Available: https://www.sciencedirect.com/science/article/pii/0022000079900448

[13] M. Tomamichel and A. Leverrier, “A largely self-contained and complete security proof for quantum key distribution,” Quantum, vol. 1, p. 14, 2017. [Online]. Available: https://doi.org/10.22331/q-2017-07-14-14

[14] G. Brassard and L. Salvail, “Secret-key reconciliation by public discussion,” in Advances in Cryptology — EUROCRYPT ’93, T. Helleseth, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1994, pp. 410–423.

[15] R. Renner and S. Wolf, “Simple and tight bounds for information reconciliation and privacy amplification,” in Advances in Cryptology — ASIACRYPT 2005, B. Roy, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 2005, pp. 199–216.

[16] I. Devetak and A. Winter, “Distillation of secret key and entanglement from quantum states,” Proc. R. Soc. A, vol. 461, January 2005. [Online]. Available: https://doi.org/10.1098/rspa.2004.1372

[17] M. Tomamichel, R. Colbeck, and R. Renner, “A fully quantum asymptotic equipartition property,” IEEE Transactions on Information Theory, vol. 55, no. 12, pp. 5840–5847, 2009.

[18] R. Renner, “Symmetry of large physical systems implies independence of subsystems,” Nature Physics, vol. 3, no. 9, pp. 645–649, Jul 2007. [Online]. Available: http://dx.doi.org/10.1038/nphys684

[19] M. Christandl, R. König, and R. Renner, “Postselection technique for quantum channels with applications to quantum cryptography,” Phys. Rev. Lett., vol. 102, p. 020504, Jan 2009. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.102.020504

[20] P. Belzig, “Studying stabilizer de Finetti theorems and possible applications in quantum information processing,” Master thesis, 2020.

[21] M. Tomamichel and R. Renner, “Uncertainty relation for smooth entropies,” Phys. Rev. Lett., vol. 106, p. 110506, Mar 2011. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.106.110506

[22] M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nature Communications, vol. 3, p. 634, 2012. [Online]. Available: https://doi.org/10.1038/ncomms1631

[23] D. Bruß, “Optimal eavesdropping in quantum cryptography with six states,” Phys. Rev. Lett., vol. 81, pp. 3018–3021, Oct 1998. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.81.3018

[24] D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, “Security of quantum key distribution with imperfect devices,” Quantum Info. Comput., vol. 4, no. 5, pp. 325–360, Sep. 2004.

[25] H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett., vol. 94, p. 230504, Jun 2005. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.94.230504

[26] X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, “Practical decoy state for quantum key distribution,” Phys. Rev. A, vol. 72, p. 012326, Jul 2005. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevA.72.012326

[27] F. Xu, M. Curty, B. Qi, and H. Lo, “Measurement-device-independent quantum cryptography,” IEEE Journal of Selected Topics in Quantum Electronics, vol. 21, no. 3, pp. 148–158, 2015.

[28] H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett., vol. 108, p. 130503, Mar 2012. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.108.130503

[29] J. F. Clauser, M. A. Horne, A. Shimony, and R. A. Holt, “Proposed experiment to test local hidden-variable theories,” Phys. Rev. Lett., vol. 23, pp. 880–884, Oct 1969. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.23.880

[30] A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett., vol. 67, pp. 661–663, 1991. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.67.661

[31] A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, “Device-independent security of quantum cryptography against collective attacks,” Phys. Rev. Lett., vol. 98, p. 230501, 2007. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.98.230501

[32] S. Pironio, A. Acín, N. Brunner, N. Gisin, S. Massar, and V. Scarani, “Device-independent quantum key distribution secure against collective attacks,” New Journal of Physics, vol. 11, no. 4, p. 045021, 2009. [Online]. Available: http://stacks.iop.org/1367-2630/11/i=4/a=045021

[33] L. Masanes, “Asymptotic violation of Bell inequalities and distillability,” Phys. Rev. Lett., vol. 97, p. 050503, 2006. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevLett.97.050503

[34] B. Tsirelson, “Some results and problems on quantum Bell-type inequalities,” Hadronic Journal Supplement, vol. 8, pp. 329–345, 1993. [Online]. Available: http://www.tau.ac.il/~tsirel/download/hadron.html

[35] L. Masanes, S. Pironio, and A. Acín, “Secure device-independent quantum key distribution with causally independent measurement devices,” Nature Communications, vol. 2, p. 238, 2011.

[36] M. Navascués, S. Pironio, and A. Acín, “A convergent hierarchy of semidefinite programs characterizing the set of quantum correlations,” New Journal of Physics, vol. 10, no. 7, p. 073013, Jul 2008.

[37] R. Arnon-Friedman, F. Dupuis, O. Fawzi, R. Renner, and T. Vidick, “Practical device-independent quantum cryptography via entropy accumulation,” Nature Communications, vol. 9, p. 459, 2018. [Online]. Available: https://doi.org/10.1038/s41467-017-02307-4

[38] F. Dupuis, O. Fawzi, and R. Renner, “Entropy accumulation,” 2016, arXiv:quant-ph/1607.01796.
