From Classical to Semi-Quantum Secure Communication

# From Classical to Semi-Quantum Secure Communication

Allison Gagliano Departments of Mathematics & Computer Science
Eastern Connecticut State University
Willimantic, CT 06226
Walter O. Krawec and Hasan Iqbal Computer Science & Engineering Department
University of Connecticut
Storrs, CT 06268
Email: walter.krawec@uconn.edu
###### Abstract

In this work we introduce a novel QKD protocol capable of smoothly transitioning, via user-tuneable parameter, from classical to semi-quantum in order to help understand the effect of quantum communication resources on secure key distribution. We perform an information theoretic security analysis of this protocol to determine what level of “quantumness” is sufficient to achieve security, and we discover some rather interesting properties of this protocol along the way.

## I Introduction

A semi-quantum key distribution (SQKD) protocol’s goal is similar to that of a quantum key distribution (QKD) protocol, namely the establishment of a secret key between two parties, Alice () and Bob (), secure against an all-powerful adversary Eve (). Semi-quantum cryptography, first introduced in 2007 by Boyer et al., in [1], imposes the restriction, however, that one of the users (typically ), is limited to being “classical” or “semi-quantum.” This restriction implies is limited to working only in the computational basis (spanned by states and ). He may not measure or prepare states in any other basis (we will discuss the exact capabilities of later in this paper).

The primary interest of these protocols is to help answer the question “how quantum must a protocol be to gain an advantage over a classical one?” We know that, if both parties are classical, key distribution is impossible unless computational assumptions are made. Thus, the question semi-quantum protocols seek to help answer is: what quantum resources are required to attain unconditional security? However, besides removing certain key quantum capabilities from the two users, there has not been a semi-quantum protocol that can smoothly transition from classical to quantum allowing us to study the effects of quantum communication on secure key distribution.

In this paper, we propose such a protocol and analyze its properties. We introduce a novel SQKD protocol with a user-tuneable parameter allowing one to, in a way, set the level of “quantumness” of the entire protocol. Indeed, when , the protocol collapses to a classical one (which is insecure). As increases, the protocol, in a way, becomes more quantum (in that Alice, the quantum user, is allowed to send and receive states which are less orthogonal). However, Bob’s capabilities, being classical in nature, are not affected by this parameter. In fact, as the protocol becomes “more quantum” Bob has more trouble determining ’s key bit since is always restricted to the computational basis.

Our protocol is purely of theoretical interest. We are interested in devising a way to measure the effect of quantum state generation and measurement on the security properties of a key-distribution system where one user is forced to be classical and as the other user varies in quantum capabilities. We perform an information theoretic security analysis of our protocol and look at how affects the noise tolerance of the protocol (i.e., how does the secure communication rate change as becomes more or less quantum, even when an all-powerful adversary is attacking). Naturally, when is too small, the protocol is “too classical” to be secure - as increases the protocol can attain security for some noise levels; however once increases too much, then Alice is “too quantum” for Bob to understand completely (i.e., he is unable to correctly guess what key-bit is trying to send to him).

We make several contributions in this work. We introduce a novel SQKD protocol which is interesting theoretically as it is the first such protocol, that we are aware of, to allow researchers to gauge the effect of quantum state preparation and measurement on a key-distribution protocol where one user remains classical in nature. This protocol is also highly restrictive in nature as and both have severe restrictions placed on them, yet we are still able to prove security. Second, we perform an information theoretic security analysis of this protocol and our proof technique (which extends that of [2] but to the highly restricted case where fewer noise statistics may be observed) may be of independent interest and applicable to other (S)QKD protocols where users are severely limited in their ability to measure the noise in the quantum channel (note that SQKD protocols require two-way quantum channels allowing Eve two opportunities to attack each qubit - this, in addition to the fact that and cannot observe all noise statistics due to their restrictions, greatly increases the complexity of the security analysis). Finally, we evaluate our protocol, examining the effect of the parameter for various channels and noise scenarios, discovering interesting properties along the way.

### I-a Notation and (S)QKD Security

We denote by to be the computational basis consisting of states . We use to be the Shannon entropy of and to mean the binary Shannon entropy, namely . Note that all logarithms in this paper are base two.

Given a density operator (that is, a Hermitian positive semi-definite operator of unit trace), we write to be the von Neumann entropy of defined as . If acts on Hilbert space , we often write . In this case, we define to be the partial trace over the system, namely . This notation extends to three or more systems. To simplify notation, given in some Hilbert space, we will write to mean .

If acts on , then we write to mean . We also write to mean the conditional von Neumann entropy defined to be . We will forgo writing the subscript “” if the context is clear.

Any (S)QKD protocol requires both a quantum channel and an authenticated classical channel and these protocols operate in two stages. The first, called the quantum communication stage, utilizes the quantum channel and authenticated classical channel, over numerous iterations, to agree on a so-called raw-key of size -bits. Eve, who was attacking the quantum channel, and listening to the authenticated classical communication, also has an ancilla partially entangled with and ’s raw key. At this point, the system ( and ’s raw key along with ’s ancilla) may be represented by a classical-quantum state:

 ρABE=∑a,b∈{0,1}nP(a,b)[a]A⊗[b]B⊗ρ(a,b)E. (1)

From this, and run an error correction protocol (leaking additional information to ) and a privacy amplification protocol, shrinking the -bit raw key to a secret key of size on which has negligible information (in an information theoretic sense). In the asymptotic scenario as , which we consider here, ’s information, and also all failure probabilities, go to zero. An important statistic in any security proof is the key-rate: . For more information on these general concepts and definitions, the reader is referred to [3].

As with almost all (S)QKD security proofs, we consider collective attacks, whereby attacks the channel in an i.i.d. manner but is free to postpone her measurement of her ancilla to any future point in time and, indeed, may later perform an optimal coherent measurement of her entire ancilla. Usually, proving security against collective attacks is sufficient to prove security against general, arbitrary, attacks [4, 5, 6]. We suspect this result also holds true for our protocol; however due to the highly restrictive nature of and ’s operation, a complete proof of this is outside the scope of this paper and would make for interesting future work.

Under a collective attack (in which case from Equation 1 may actually be written for some classical-quantum state ), we may employ the Devetak-Winter key-rate equation [7] which states:

 r=limn→∞ℓ(n)n=inf[S(A|E)σ−H(A|B)],

where the infimum is over all collective attacks which induce the observed statistics (e.g., the observed error rate, though one may also look at other statistics such as mismatched events [8, 9, 2]). It is this computation of (in particular, the computation of since the computation of is generally trivial) that is the key element in any (S)QKD security proof and our main focus in this work. From this, one may look at a protocol’s noise tolerance - that is for what noise levels does remain positive.

In our security proof, we will make use of the following result proven in prior work (though slightly generalized here):

###### Theorem 1.

(From [2]): Given the classical-quantum state:

 ρAE=1N[0]A⊗(M∑i=1[Ei])+1N[1]A⊗(M∑i=1[Fi]),

then:

 S(A|E)ρ

where:

 (2)

and is any subset .

###### Proof.

The proof for can be found in [2]. The result also follows for arbitrary subset by noting that, in the proof, the term:

is the result of computing the conditional entropy of a classical-quantum state which is known to be always non-negative. ∎

### I-B Semi-Quantum Cryptography and Related Work

Since the framework’s introduction in 2007 by Boyer et al., [1, 10], numerous SQKD protocols have been proposed [1, 10, 11, 12, 13, 14, 15, 16] (just to list a few), some with information theoretic proofs of security [17, 18, 2]. Often one is interested in removing requirements on one or both users while still attempting to attain security against an all-powerful adversary - this is to study the effects of these resources and abilities on the secure communication rate of the resulting protocol. However, no prior SQKD protocols allow for the smooth transition from a purely classical protocol to a semi-quantum one.

An SQKD protocol requires a two-way quantum channel, allowing a qubit to travel from to (the forward direction) and return from to (the reverse direction). , the fully quantum user, is allowed to prepare any arbitrary quantum state and send it to the “classical” user , who is allowed only to directly work with the basis. In more detail, on receiving a qubit, may choose to do one of two operations:

1. Measure and Resend: If he chooses this option, he performs a basis measurement on the qubit, resulting in outcome , for . He then resends the same state to . Note that he can only measure and prepare qubits in this single basis.

2. Reflect: In this case, disconnects from the quantum channel and reflects all qubits back to . If this is chosen, is, essentially, communicating with herself.

When a qubit returns to , she is allowed to perform any quantum operation on it. Note that, under this scenario, Eve is allowed two opportunities to attack every qubit.

## Ii The Protocol

Our protocol, being a semi-quantum one, requires a two-way quantum channel and forces to be “classical” in nature as described in the previous section. We also place additional restrictions on the quantum user . On each iteration of the quantum communication stage, is allowed to send only one of two possible states: either or , where is a public, user-specified, parameter and .

Bob is the classical user - as such, on receipt of a qubit from , he may only directly interact with it through the basis (by choosing Measure and Resend), or he may simply ignore the qubit and reflect it back to (by choosing Reflect).

When a qubit returns to , she will perform a measurement using the three-outcome POVM defined: and where . The parameter , which is another public constant, must be chosen to ensure . Furthermore, wishes to maximize so that the probability she receives the indeterminate outcome “?” is minimized. Some algebra reveals that the maximal that satisfies this is . Note that, in this work, where we only consider the asymptotic scenario, the actual choice of is not that important so long as . In a finite key analysis, this choice of would be much more important, but we leave this as future work.

Notice that, when , the protocol “collapses” to a purely classical communication system where sends and only and where she is always measuring in the basis (since approaches as decreases and so , and ). Of course, is classical regardless of the choice of since he is only able to measure and send in the basis (or disconnect from the quantum channel, thus causing to simply “talk to herself”). For , the protocol is inherently quantum - but the question is, how far from classical () must the communication be before we start attaining secure communication? Our protocol in detail is described in Protocol 1.

The reader will observe that, for , our protocol always has some noise in the raw key, even when no adversary is present! Indeed, unless the protocol is purely classical (), the classical user will be unable to determine exactly the information that is trying to send. The issue is exacerbated when an adversary comes into play (adding additional noise). As mentioned in the introduction, the protocol is purely a theoretical one studied for its theoretical interest to help study the “gap” between classical and quantum communication. We do not expect this protocol to ever be implemented in practice (unless some faulty hardware forces this protocol to be used). Note that we are also not concerned with practical attacks such as photon loss or multi-photon states [3, 20, 21] - though interesting, these issues are outside the scope of this theoretical analysis.

We are interested in two questions: Given an observed noise level , for what is the protocol secure? Of course when , the protocol will never be secure. Secondly, what is an optimal choice of ? That is, how “far” from the classical case of must the communication be to optimize the secure transfer of information between and when faced with a quantum adversary .

## Iii Security Analysis

Our goal in this section is to compute our protocol’s key-rate (specifically ) as a function of and those observable parameters that and may measure in the channel (which are very few). We begin by deriving a density operator description of a single “successful” iteration of the protocol (where by “successful” we mean an iteration leading to the distillation of a raw key bit). For now we assume collective attacks whereby Eve attacks each iteration in an i.i.d. manner. In this case, as shown in [22], for SQKD protocols, it suffices to only prove security against so-called restricted collective attacks. These restricted attacks consist of an isometry applied in the forward channel (connecting to ) and a unitary operator applied in the reverse channel and acting on . Here we use to denote the two-dimensional space modeling the qubit in transit and is Eve’s ancilla. The action of is simply:

 F|0⟩T =q0|0,0⟩TE+q1|1,e⟩TE (3) F|1⟩T =q2|0,f⟩TE+q3|1,0⟩TE,

where subject to and where and are arbitrary, normalized, vectors in . There are some additional restrictions that may be made on this attack (in particular and may exist with a two-dimensional subspace of spanned by and a second basis vector); however, this notation is sufficient for the discussion at hand. For further information on the restricted attack, and the proof that security against such attacks implies security against arbitrary collective attacks, the reader is referred to [22]. Note that, by linearity of , we also have the following:

 F|a⟩ =|0⟩T⊗(q0α|0⟩E+q2β|f⟩E) (4) +|1⟩T⊗(q1α|e⟩E+q3β|0⟩E).

To build the desired density operator, we trace the evolution of an iteration of the protocol. Following ’s preparation (randomly sending or ), and Eve’s first attack , and after measures in the basis (recall, we are currently only interested in a key-distillation iteration and so we condition on the event that chooses Measure and Resend), the joint state is found to be:

 12[0]A⊗([0]B⊗q20[0,0]TE+[1]B⊗q21[1,e]TE) + 12[1]A⊗([0]B⊗P(q0α|0,0⟩TE+q2β|0,f⟩TE) +[1]B⊗P(q1α|1,e⟩TE+q3β|1,0⟩TE)),

where . Following this, the qubit returns to ; however, before arriving, Eve has a second opportunity to attack using operator . We write the action of abstractly as:

 UR|0,0⟩TE=|0,e0⟩+|1,e1⟩ UR|1,0⟩ =|0,e2⟩+|1,e3⟩ (5) UR|1,e⟩TE=|0,f0⟩+|1,f1⟩ UR|0,f⟩ =|0,f2⟩+|1,f3⟩.

Above, the states and are arbitrary states in (though, unitarity of imposes some restrictions on them which will be important momentarily).

Following the application of this attack, the qubit returns to who simply discards it (recall, we are conditioning on an iteration that leads to a raw-key bit). Thus, we may simply trace out the Transit space following the application of . The final density operator, therefore, is found to be:

 ρABE =12[0]A⊗([0]B⊗q20([e0]+[e1]) (6) +[1]B⊗q21([f0]+[f1])) +12[1]A⊗([0]B⊗[P(q0α|e0⟩+q2β|f2⟩) +P(q0α|e1⟩+q2β|f3⟩)]) +12[1]A⊗([1]B⊗[P(q1α|f0⟩+q3β|e2⟩) +P(q1α|f1⟩+q3β|e3⟩)]).

To clean up the notation, we define the following vectors:

 |g0⟩=q1α|f1⟩+q3β|e3⟩ |g1⟩=q1α|f0⟩+q3β|e2⟩ |g2⟩=q0α|e1⟩+q2β|f3⟩ |g3⟩=q0α|e0⟩+q2β|f2⟩

From this, we may then use Theorem 1 to derive the following lower-bound:

 (7)

Though, by setting from the theorem, we also have the following (weaker) lower-bound:

 (8)

It is this lower-bound we will actually consider. To compute (giving us the key-rate), we need to compute, or bound, the inner-products appearing in the above expression, based only on statistics we may observe.

Note that and are both observable parameters. Indeed, let be the probability that measures (for ) if initially sent . This is one of the few statistics and actually can estimate and is, in fact, the only observable noise statistic in the forward channel (they cannot measure, for example, when ). It is not difficult to see, from Equation 3, that and . Note that, by definition of the restricted attack, it is sufficient to consider non-negative [22].

As mentioned, the users cannot directly observe and . However, they can estimate it by considering , the probability that measures if initially sent (this is something that may be observed). Note that, from Equation 4, we have:

 pA→Ba,1 =||q1α|e⟩+q3β|0⟩||2 (9)

Of course, . We are constrained by the fact that (since, for the restricted attack, each are non-negative real numbers [22]). We therefore have the following solution for , looking for the smallest positive root of the above quadratic equation, assuming (which it will be in our evaluations):

 1≥q3≥1β(√pA→Ba,1−α√pA→B0,1). (10)

We therefore have values, or bounds, for all (note that ). It is clear that we may observe , and . Indeed, let denote the probability that ’s measurement observes “” conditioned on the event initially sent and chose Measure and Resend and actually observed . Of course, , and . It is not difficult to see, then, that where is the POVM parameter as described in Protocol 1; as discussed, we assume . By unitarity we also have . Similarly, we have and . To simplify notation, at this point we will assume a symmetric attack and define the following:

 pA→A0,0,0=p⋅(1−QR) pA→A0,1,0=p⋅QR

(Note we use to denote the noise in the Reverse channel, from to .)

This assumption that the observable noise is symmetric in this manner (which may be enforced by and and is a common assumption in (S)QKD security proofs) is not necessary, and our analysis below follows without it; we only use this to simplify notation. Note that, if there is no noise in the forward channel (in which case is technically undefined since we are conditioning on an event which never occurs), then and never show up in any of our computations and so we may define arbitrarily; thus we assume in this case regardless.

We also claim may be observed. Consider the case that sends , chooses Measure and Resend and observes . From Equation 4, we see the state collapses to:

 |0⟩(q0α|0⟩E+q2β|f⟩E)√pA→Ba,0.

After Eve attacks the returning qubit, the state is found to be (before measures):

 |0,g3⟩+|1,g2⟩√pA→Ba,0.

Then, it follows that when measures we have: . Furthermore, due to unitarity of Eve’s attack, it holds that . Repeating the above analysis conditioning on observing , we conclude:

 =pA→Ba,0pA→Aa,0,0p=pA→Ba,0(1−QR) (11) =pA→Ba,0⎛⎝1−pA→Aa,0,0p⎞⎠=pA→Ba,0QR =pA→Ba,1pA→Aa,1,0p=pA→Ba,1QR =pA→Ba,1⎛⎝1−pA→Aa,1,0p⎞⎠=pA→Ba,1(1−QR).

Note that, above, we assumed and . This symmetry assumption (which also may be enforced by the users) is not necessary but only done to simplify our notation. Also, as before, if, for instance, , then and technically never appear in and so they may be arbitrary; in this case we may simply define . Similarly for the case if .

Finally, to compute our bound on , we will also need to compute the inner product appearing in the function, namely . As we are interested in the worst-case, we actually want to find a lower-bound on this inner-product (which, as can be seen from Equation 2, minimizes ). It is not difficult to see that:

 (12)

where, above, we used the fact that .

We thus reduced the problem to bounding . To attain this, we must look at several more statistics. First, consider . Expanding yields:

 ⇒ +q21α2QR−pA→Ba,1pA→Aa,1,0/p=0.

Above, we used the fact that , for some (this follows from the Cauchy-Schwarz inequality). Solving the above quadratic, and taking the maximal root over all (note that represents the probability of a flipping to a , however this noise value is not observable and so we can only bound it based on values we can observe), we find:

 ≤1q3β(q1α√QR+√pA→Ba,1pA→Aa,1,0/p) (13) =1q3β(q1α√QR+√pA→Ba,1QR)

Similarly, we can bound by considering . Solving the resulting quadratic, we find:

 (14)

We now have upper-bounds on the “hidden” noise of the channel.

Next, let us consider the statistic which we use to denote the probability that, conditioning on the event sends , chooses to Reflect, and chooses to measure using POVM (see Protocol 1), that the outcome of this measurement is “”.

It is straight-forward (though slightly tedious) algebra, to find that:

 URF|a⟩=|a⟩(|Va,0,a⟩+|Va,1,a⟩)+|¯a⟩|E¯a⟩, (15)

where:

 |Va,0,a⟩ =q0α2|e0⟩+q2αβ|f2⟩+q0αβ|e1⟩+q2β2|f3⟩ (16) |Va,1,a⟩ =q1α2|f0⟩+q3αβ|e2⟩+q1αβ|f1⟩+q3β2|e3⟩, (17)

and where is a sub-normalized vector in , the exact state of which may be found by tracing the action of linear operator , though its state is irrelevant to our discussion. From this, we find:

 pA→Aa,R,a=p|||Va,0,a⟩+|Va,1,a⟩||2 (18)

At this point, we must consider additional mismatched measurements. Consider which we use to denote the probability that, conditioning on sending , choosing Measure and Resend and actually observing , and choosing to measure, that she receives outcome “”. To compute this probability, we trace the evolution of the qubit as it travels:

 |a⟩ →|0⟩(q0α|0⟩+q2β|f⟩)√pA→Ba,0 →q0α(|0,e0⟩+|1,e1⟩)+q2β(|0,f2⟩+|1,f3⟩)√pA→Ba,0 =|a⟩|Va,0,a⟩√pA→Ba,0+|¯a⟩|E′⟩E,

where is some irrelevant, sub-normalized, state in ’s ancilla. Note that, from the above expression, the choice of notation for is clear and we find:

 (19)

Repeating the above but considering the event when observes , we find:

 (20)

Substituting this into Equation 18 and also expanding , we find:

 pA→Aa,R,a =pA→Ba,0pA→Aa,0,a+pA→Ba,1pA→Aa,1,a (21)

(Note that, above, we used the fact that .) We may simplify the above equation slightly by taking advantage of the unitarity of . Namely, we have the following restrictions (see Equation 5):

Using this, Equation 21 becomes:

 pA→Aa,R,a =pA→Ba,0pA→Aa,0,a+pA→Ba,1pA→Aa,1,a (22)

Consider the following inner-product:

Then the above equation for simplifies to:

 pA→Aa,R,a =pA→Ba,0pA→Aa,0,a+pA→Ba,1pA→Aa,1,a (23)

Solving for the term involving (which is the quantity we are currently interested in bounding) yields:

 (24) =12p(pA→Aa,R,a−pA→Ba,0pA→Aa,0,a−pA→Ba,1pA→Aa,1,a)

where:

 χ

and do not have sufficient quantum capabilities to fully bound ; however we can bound it based on what we already know and using the Cauchy-Schwarz inequality, namely:

 |χ| ≤q0q1α3β[(1−QR)+QR] (25)

(Note that, above, we used the fact that and .) Upper-bounds on and were already derived in Equations 13 and 14.

Finally, we claim and can observe by considering the statistic ; that is, the probability that ’s measurement produces outcome “” conditioned on the event she initially sent and chose Reflect. Indeed, tracing the qubit in this case, it is not difficult to see that:

 URF|a⟩=|0⟩(|g1⟩+|g3⟩)+|1⟩(|g0⟩+|g2⟩),

from which we attain:

 pA→Aa,R,0 =p|||g1⟩+|g3⟩||2 (26)

Since are all observable (see Equation 11), this completes our bound.

This completes our lower-bound on . To summarize, given as input along with those observable statistics as utilized above, one must simply minimize Equation 8 over all , , and , as enforced by Equations 10, 13, and 14. For any particular choice of these values, one may compute a bound on from Equation 25; one may also compute a bound on using Equation 24. This then allows one to bound , using Equation 12 which gives a possible value of . Minimizing over , , and gives a worst-case lower-bound on over all attacks which induce the observed statistics. This is a simple minimization problem allowing one to evaluate the key-rate numerically.

Note that if (i.e., the protocol is classical), then it is easy to check that Equation 24 becomes simply , regardless of the choice of (i.e., Eve may set this inner-product arbitrarily and Equation 24 will be satisfied). It is also clear that . Thus, Eve may set in this case resulting in the entropy as expected. That is, in the classical case, Eve has no uncertainty on and ’s raw key and so the protocol is insecure. The interesting question is what happens when ?

To finish the key-rate computation (and answer this question), we also need , however this value is easily found:

 H(A|B) (27) =H⎛⎝pA→B0,02,pA→B0,12,pA→Ba,12,pA→Ba,02⎞⎠ −H⎛⎝pA→B0,0+pA→Ba,02⎞⎠

thus completing the key-rate computation.

## Iv Evaluation

To evaluate our protocol, and more importantly to see the effect of on the secure key-rate, we must put values to those observable statistics and . We will assume a symmetric attack parameterized by noise values (in the forward channel), (in the reverse), and (for the “loop” channel when reflects), where:

 pA→B0,0=1−QF pA→B0,1=QF pA→A0,0,0/p=1−QR pA→A0,1,0/p=QR pA→Aa,0,0/p=1−QR pA→Aa,1,0/p=QR pA→Aa,R,a/p=1−QX.

and where , the maximal allowed value as discussed earlier.

To put values to the mismatched events, we model the channel as a depolarization channel, a common approach when evaluating (S)QKD protocols. This is not a requirement of our security proof of course, simply a way to put realistic (i.e., physically realizable) numbers to the observable parameters in order to evaluate the key-rate. A depolarization channel with parameter is simply the map:

 EQ(ρ)=(1−2Q)ρ+Q⋅I.

From this, we find:

 pA→Ba,0 =(1−2QF)α2+QF pA→Ba,1 =(1−2QF)β2+QF pA→Aa,0,a/p =(1−2QR)α2+QR pA→Aa,1,a/p =(1−2QR)β2+QR pA→Aa,R,0/p =(1−2QZ)α2+QZ.

As expected, the noise tolerance of this protocol is low, however we are able to attain positive key-rates as shown in Figures 1, 2, and 3. It is clear from these figures that the forward channel noise is the most important statistic - indeed, as shown in Figure 1, the protocol can tolerate a high level of reverse and “loop” noise (approaching ). However, as shown in Figure 3, if the forward channel increases too much (even by a small amount), there are only a few choices for where a positive key-rate can be attained (and that key-rate is still low). Unless the reverse channel noise is very large, the optimal choice for ranged between and for those evaluations we performed. For small and high and , as in Figure 1, the optimal value of is slightly lower, ranging between and .

Despite the low noise tolerance, we still consider this a positive, and interesting, result as this protocol was designed specifically to smoothly transform from classical to quantum communication and to allow research in investigating how this affects secure communication. Of course, our key-rate is a lower bound, so the actual security rate can only be higher. Further studying this would make interesting future work.

## V Comments on Further Restrictions

One natural question for future work is: can the requirements of this protocol be reduced even further? That is, can have even more restrictions placed on her quantum abilities? One clear direction is to attempt to remove ’s POVM and replace it with a single basis measurement, measuring in the basis (where ). However, this removes certain key statistics that we relied on in our security proof. While we attempted to analyze this protocol, a full security proof remains elusive.

We do, however, conjecture that this even more restricted protocol is secure. To provide at least some evidence in support of this, we were able to analyze a particular intercept-resend attack and show that the protocol is secure against this. The attack we consider is one which induces no additional noise in the channel (that is, it is undetectable). To remain hidden from and , Eve simply measures the reverse channel in the basis (the same basis uses, thus will have the same information as does from the reverse channel - but, importantly, not the forward channel). If this measurement results in outcome , guesses the raw key bit is ; otherwise she guesses it is (note that if this guess is always correct and so, in that case, the protocol is insecure as expected). We compute the values for which we use to denote the probability that ’s raw key bit is and ’s guess is assuming she uses this attack. From this we can compute the key-rate equation for any .

The attack schematic is shown in Figure 4; the key-rate for various is shown in Figure 5. We notice that the key-rate is positive for all (of course it is insecure if or ). The optimal choice for in this event is (contrast this with the “full” protocol we analyzed in this paper where the optimal was usually around ). Also note the asymmetry in the key-rate graph.

Of course this is only showing some evidence that this further restriction (i.e., removing ’s ability to use POVM as we considered in our protocol in this work) may result in a secure protocol. A complete analysis we leave as interesting future work.

## Vi Closing Remarks

In this paper, we developed a new SQKD protocol with a tuneable parameter allowing one to gauge the effect of the secure communication rate, based on “how quantum” the protocol is. When is set to zero, the communication is purely classical and thus the protocol is insecure. As increases, security can be attained for certain optimal choices and for certain channels. Studying the protocol further may help to shed light on the “gap” between quantum and classical secure communication. Furthermore, our proof approach may be applicable to other (S)QKD protocols where users are highly restricted in their quantum capabilities (either intentionally or due, perhaps, to hardware faults).

Many interesting future problems remain open. Obviously the noise tolerance of our protocol is very low - though, we stress that we are only interested in this protocol from a theoretical perspective and in discovering when, or even if, this protocol can be secure (and our answer is in the affirmative). However, it would be interesting to try to improve on this. Our bound may be improved by attempting to bound all terms appearing in Equation 7 (we only used the lower bound from Equation 8). Other mismatched statistics may help here. Also, studying the effect of against different forms of attacks (e.g., practical intercept-resend attacks) may also be highly beneficial and interesting.

Another interesting question is whether we can reduce the resource requirements of the users even further. As commented on in the previous section, we attempted to analyze the case where ’s measurement capabilities are further reduced than what we used in this paper; so far, however, a full proof of security in that case remains an open problem.

Acknowledgments: AG would like to acknowledge the support of National Science Foundation grant number 1659764, which supported her during a summer REU at the University of Connecticut. WK and HI are partially supported by the NSF under grant number 1812070.

## References

• [1] M. Boyer, D. Kenigsberg, and T. Mor, “Quantum key distribution with classical bob,” Phys. Rev. Lett., vol. 99, p. 140501, Oct 2007.
• [2] W. O. Krawec, “Quantum key distribution with mismatched measurements over arbitrary channels,” Quantum Information and Computation, vol. 17, no. 3 and 4, pp. 209–241, 2017.
• [3] V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys., vol. 81, pp. 1301–1350, Sep 2009.
• [4] R. Renner, N. Gisin, and B. Kraus, “Information-theoretic security proof for quantum-key-distribution protocols,” Phys. Rev. A, vol. 72, p. 012332, Jul 2005. [Online]. Available: http://link.aps.org/doi/10.1103/PhysRevA.72.012332
• [5] M. Christandl, R. Konig, and R. Renner, “Postselection technique for quantum channels with applications to quantum cryptography,” Phys. Rev. Lett., vol. 102, p. 020504, Jan 2009.
• [6] R. Renner, “Symmetry of large physical systems implies independence of subsystems,” Nature Physics, vol. 3, no. 9, pp. 645–649, 2007.
• [7] I. Devetak and A. Winter, “Distillation of secret key and entanglement from quantum states,” Proc. of the Royal Society A: Math., Physical and Engineering Science, vol. 461, no. 2053, pp. 207–235, 2005.
• [8] S. M. Barnett, B. Huttner, and S. J. Phoenix, “Eavesdropping strategies and rejected-data protocols in quantum cryptography,” Journal of Modern Optics, vol. 40, no. 12, pp. 2501–2513, 1993.
• [9] S. Watanabe, R. Matsumoto, and T. Uyematsu, “Tomography increases key rates of quantum-key-distribution protocols,” Physical Review A, vol. 78, no. 4, p. 042316, 2008.
• [10] M. Boyer, R. Gelles, D. Kenigsberg, and T. Mor, “Semiquantum key distribution,” Phys. Rev. A, vol. 79, p. 032341, Mar 2009.
• [11] X. Zou, D. Qiu, L. Li, L. Wu, and L. Li, “Semiquantum-key distribution using less than four quantum states,” Phys. Rev. A, vol. 79, p. 052312, May 2009.
• [12] W. O. Krawec, “Restricted attacks on semi-quantum key distribution protocols,” Quantum Information Processing, vol. 13, no. 11, pp. 2417–2436, 2014.
• [13] W. Jian, Z. Sheng, Z. Quan, and T. Chao-Jing, “Semiquantum key distribution using entangled states,” Chinese Physics Letters, vol. 28, no. 10, p. 100301, 2011.
• [14] H. Lu and Q.-Y. Cai, “Quantum key distribution with classical alice,” International Journal of Quantum Information, vol. 6, no. 06, pp. 1195–1202, 2008.
• [15] X. Zou, D. Qiu, S. Zhang, and P. Mateus, “Semiquantum key distribution without invoking the classical party’s measurement capability,” Quantum Information Processing, vol. 14, no. 8, pp. 2981–2996, 2015.
• [16] M. Boyer, M. Katz, R. Liss, and T. Mor, “Experimentally feasible protocol for semiquantum key distribution,” Phys. Rev. A, vol. 96, p. 062335, Dec 2017. [Online]. Available: https://link.aps.org/doi/10.1103/PhysRevA.96.062335
• [17] W. O. Krawec, “Security proof of a semi-quantum key distribution protocol,” in Information Theory (ISIT), 2015 IEEE International Symposium on.   IEEE, 2015, pp. 686–690.
• [18] W. Zhang, D. Qiu, X. Zou, and P. Mateus, “A single-state semi-quantum key distribution protocol and its security proof,” arXiv preprint arXiv:1612.03087, 2016.
• [19] H.-K. Lo, H.-F. Chau, and M. Ardehali, “Efficient quantum key distribution scheme and a proof of its unconditional security,” Journal of Cryptology, vol. 18, no. 2, pp. 133–165, 2005.
• [20] Y.-g. Tan, H. Lu, and Q.-y. Cai, “Comment on Òquantum key distribution with classical bobÓ,” Phys. Rev. Lett., vol. 102, p. 098901, Mar 2009. [Online]. Available: http://link.aps.org/doi/10.1103/PhysRevLett.102.098901
• [21] M. Boyer, D. Kenigsberg, and T. Mor, “Boyer, kenigsberg, and mor reply:,” Phys. Rev. Lett., vol. 102, p. 098902, Mar 2009. [Online]. Available: http://link.aps.org/doi/10.1103/PhysRevLett.102.098902
• [22] W. O. Krawec, “Key-rate bound of a semi-quantum protocol using an entropic uncertainty relation,” in 2018 IEEE International Symposium on Information Theory (ISIT), June 2018, pp. 2669–2673.
You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters