Key-Rate Bound of a Semi-Quantum Protocol Using an Entropic Uncertainty Relation
In this paper we present a new proof technique for semi-quantum key distribution protocols which makes use of a quantum entropic uncertainty relation to bound an adversary’s information. Our new technique provides a more optimistic key-rate bound than previous work relying only on noise statistics (as opposed to using additional mismatched measurements which increase the noise tolerance of this protocol, but at the cost of requiring four times the amount of measurement data). Our new technique may hold application in the proof of security of other semi-quantum protocols or protocols relying on two-way quantum communication.
Quantum Key Distribution (QKD) protocols allow for the establishment of a secret key between two parties Alice () and Bob () which is secure even against an all-powerful adversary Eve () - that is, an adversary bounded only by the laws of physics and not by any computational assumptions as is required when using classical communication only. Numerous QKD protocols have been proposed, many with rigorous proofs of unconditional security. The reader is referred to  for a general survey.
However, these QKD protocols, and their security analysis, require both and to be “quantum capable.” Namely, both and must be equipped with devices capable of manipulating quantum resources in certain, arbitrary, ways (e.g., preparing and measuring qubits in certain bases). In 2007, Boyer et al., in  introduced the semi-quantum model of cryptography whereby only was required to be quantum while was allowed to be very limited and “classical” in his capabilities. These semi-quantum key distribution (SQKD) protocols are interesting to study theoretically as they attempt to answer the question “ how quantum does a protocol need to be to gain an advantage over its classical counterpart?” There are also potential practical benefits to studying these protocols: for example, ’s device could be cheaper to manufacture; alternatively, one can consider designing a QKD infrastructure more robust to technical failure - indeed, if a device ever breaks down, one may switch to a “semi-quantum” mode and continue secure operations until the device is fully repaired.
SQKD protocols, however, require a two-way quantum communication channel (one which allows to send qubits to who then sends qubits back to ) greatly increasing the complexity of their security analysis. Though several SQKD protocols have been proposed (see [2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12] for a few), until 2015, most were proven only to be robust - a notion introduced in  which says any attack which causes to gain non-zero information on the key must induce a disturbance which can be detected with non-zero probability. Some authors considered security against individual attacks  (attacks whereby is forced to measure her quantum ancilla before the protocol concludes). It wasn’t until 2015, that rigorous proofs of security became available in [14, 15, 16].
In a recent work , we showed that the original SQKD protocol of Boyer et al., has a noise tolerance of - exactly the same as the fully-quantum BB84 protocol. Our result in , however, required the use of numerous measurements, including mismatched measurements [18, 19]. Ultimately, to compute the key-rate of the Boyer et al., protocol, using our technique in that paper, one must look at over 12 different measurement statistics and then evaluate a series of lengthy equations. (Indeed, our key-rate equation for the SQKD protocol spanned numerous pages!)
In this work, we revisit this semi-quantum protocol and derive a simpler, and far more elegant (in the author’s opinion) proof of security using a quantum uncertainty bound to evaluate the von Neumann entropy of the resulting quantum system. Our new bound does not use mismatched measurements (only error rates) and, so, the noise tolerance is not as high as in ; however our new result is higher than previous best-known results for this protocol without mismatched measurements. Furthermore, the technique we present here may be simpler to adapt to other SQKD protocols than the technique using mismatched measurements - especially for higher-dimensional protocols (such as ) where the technique of mismatched measurements can become intractable.
There are several contributions made in this work, many of which we expect would hold great application outside the scope of this paper. First, we show that for any semi-quantum protocol, it is sufficient to consider a restricted form of collective attack. Second, we show an entirely new approach to proving security of semi-quantum protocols; we show how to convert a particular SQKD protocol into an equivalent entanglement based version and we derive a new key-rate bound which does not require the use of numerous mismatched measurement statistics and which produces a higher noise tolerance than previous work without these statistics (along with a far simpler key-rate expression). Note that, in , a technique of converting certain two-way QKD protocols into equivalent entanglement based versions was shown; however their result could only be applied to protocols where ’s output is independent of his input averaged over all of his operations - this property is sadly lacking in the semi-quantum model and so a new method is required which we introduce in this paper. Third, our proof shows a new and interesting application of a quantum uncertainty bound to the semi-quantum model of cryptography and also an interesting application of a continuity bound on conditional von Neumann entropy which may be of great use when proving security of new protocols in the semi-quantum model (or, more generally, for protocols relying on a two-way channel which may not hold certain symmetry properties).
We assume the reader is familiar with basic quantum information theory and so here we will only introduce our notation and a few general concepts; for a general survey see . The computational basis is defined to be while the Hadamard basis is , where .
We denote by to be the Shannon entropy of . If and are random variables, then is the conditional Shannon entropy of conditioned on . By we mean the binary entropy function: . All logarithms in this paper are base two.
A density operator is a Hermitian positive semi-definite operator of unit trace. If is a density operator acting on Hilbert space , we often write . In this case, we write to mean the operator resulting from tracing out ; i.e., . Similarly when the operator acts on larger systems. We also will write to denote .
Given density operator we write to mean the von Neumann entropy of . We write to mean the conditional von Neumann entropy: . If the context is clear, we will forgo writing the subscript “.”
Given an operator , we write to mean the trace norm of . If is Hermitian and finite dimensional, then , where are the eigenvalues of .
If , then we write to mean the conjugate transpose of . Also, we define . Finally, we write to mean .
I-B (S)QKD Security
A (S)QKD protocol operates in two stages: first a quantum communication stage whereby users utilize the communication resources available to them (typically a quantum channel and an authenticated classical channel) to establish a raw-key which is a string of ’s and ’s which is partially correlated and partially secret. In general, this yields a classical-classical-quantum state of the form:
where the and register represent and ’s raw-key respectively, while (which is not necessarily of unit trace) represents the state of ’s memory in the event and have a raw-key of and respectively. Following the quantum communication stage, a classical stage consisting of error correction and privacy amplification is run producing a secret key of size bits which may then be used for other cryptographic protocols.
An important question is, given certain observations on ’s attack (e.g., the error rate), how large is ? For collective attacks (attacks whereby performs the same attack operation each iteration however is free to postpone measurement of her ancilla until any future time of her choice), Equation 1 takes on the simpler form:
in which case the Devetak-Winter key-rate expression  may be employed which states:
where the infimum is over all collective attacks which induce the observed noise statistics. Computing a bound on this expression is the key critical element of any (S)QKD security proof .
Ii The Protocol
The protocol we consider is the original SQKD protocol of Boyer et al., introduced in [2, 3]. This protocol, being a semi-quantum one, assumes that is fully quantum in that she can prepare and measure qubits in arbitrary bases; however is classical in that he can only directly work with the computational basis. In more detail, a SQKD protocol utilizes a two-way quantum channel. We call the channel connecting to the forward channel and the channel connecting to the reverse channel. Each iteration of the quantum communication stage, will prepare and send a qubit. is then restricted to choosing between two operations: Measure and Resend or to Reflect. If he chooses Measure and Resend, he will subject the incoming qubit to a basis measurement and prepare a new qubit in the same state he observed (i.e., if his measurement result is , for , he will send a qubit back to ); if he chooses Reflect he will completely disconnect from the quantum channel, allowing the qubit to pass through his lab undisturbed, and return to (in essence, if chooses Reflect, is “talking to herself”).
The protocol we consider, and which we denote as , operates as follows:
chooses to send a qubit of the form , , , or , choosing randomly.
will choose to Measure and Resend or to Reflect. If he chooses Measure and Resend he will save his measurement result in a classical register to serve as his potential raw-key bit for this iteration.
will measure in the same basis she originally used to send.
will disclose her choice of basis; will disclose his choice of operation (Measure and Resend or Reflect). This is done using an authenticated classical channel.
If used the basis and if chose to Measure and Resend, then they will use this iteration to contribute towards their raw-key. will use her initial preparation choice as her key bit (equivalently, she may use her measurement result at the end - our security analysis will apply to both cases). Other iterations, along with a suitably sized random subset of these “raw-key” iterations, may be used to estimate the error rate in the channel. In particular, and may estimate the basis error rate in the forward, reverse, and joint channel. They may also observe the basis error rate in the joint channel (but not the forward or reverse separately since is unable to prepare or measure in the basis).
It is not difficult to see that the protocol is correct. We analyze its security by determining a new lower-bound on the Devetak-Winter key-rate expression (Equation 2) for this protocol.
Iii Security Proof
We prove security against collective attacks in this paper - we will comment on general attacks later. Collective attacks are those where applies the same attack operation each iteration of the protocol, but is free to postpone measurement of her ancilla until any future time of her choice. In the semi-quantum model, where an attacker has two opportunities to attack a qubit each iteration, a collective attack is a pair of unitary operators , each acting on the Hilbert space (here is the two-dimensional space modeling the qubit “transit” space while is ’s quantum ancilla). The operator is applied in the Forward channel (as a qubit travels from to ) while is applied in the Reverse channel (when the qubit returns from to ).
Our proof of security follows three steps. First, we will prove that for any semi-quantum protocol, it is sufficient to consider a particular “restricted” collective attack which is easier to analyze mathematically, but does not cause to lose attack power. Second, using this result, we show how to convert the protocol of interest into a mathematically equivalent entanglement based version . Third, we use a quantum uncertainty bound and a continuity bound on conditional entropy to analyze the entanglement based version - security of the SQKD protocol will then follow. See Figure 1.
Iii-a Restricted Attacks
In , we showed that for any single-state SQKD protocol (i.e., those where is restricted to sending a single, publicly known, qubit state each iteration, typically ), to prove security against collective attacks it is sufficient to consider security against a “restricted” attack whereby Eve, in the forward channel, need only bias Bob’s measurement result; in the reverse channel, she applies an arbitrary unitary operator. That is, it is not required that she perform an arbitrary unitary operator in the forward channel, entangling the qubit with her private quantum memory. Such attacks are easier to analyze - and have been used in [15, 16] to show security of several different single-state protocols - however, as shown in , the result is only correct for single state protocols. The original SQKD protocol of Boyer et al., which we are considering in this work (i.e., ), is a multi-state protocol, one where prepares different states each iteration, choosing randomly each time. However, it remained an open question as to whether or not some other form of restricted attack might be constructed for multi-state protocols. We answer this question in the affirmative.
Let be an orthonormal basis. A multi-state restricted collective attack with respect to is a tuple , where ; subject to the restriction that ; and is a unitary operator acting on . The attack consists of the following actions:
When first captures the qubit from in the forward channel, she applies the operator , acting on which acts as follows:
Note that it is not difficult to see, considering the restrictions on the values and , that is an isometry and may therefore be easily extended to a unitary operator; thus this is an operation can perform within the laws of quantum physics.
When the qubit returns from (on its way back to in the reverse channel), captures it again, and applies the unitary operator .
When the context is clear, we will simply call the above attack a restricted attack as opposed to its longer title. The following theorem proves that it is sufficient to consider these restricted attacks when proving security of any semi-quantum protocol against arbitrary collective attacks.
Let be an arbitrary orthonormal basis. For every collective attack , there exists a restricted attack such that, for any SQKD protocol with quantum and classical , the following are true:
and cannot distinguish between attack and .
’s final quantum system is the same regardless of whether she used or .
The key-rate is equal under both attacks.
Let be given and fix a collective attack , where is a unitary operator applied in the forward channel while is a unitary operator applied in the reverse. We will construct a restricted attack satisfying the required conditions. Without loss of generality, we may assume ’s system is cleared to some “zero” state at the start of the attack. In this case, we may write ’s action on basis states as follows:
where (any phase may be absorbed into the vectors ) and the are arbitrary normalized (though not necessarily orthogonal) states in . Let and for our restricted attack.
Unitarity of imposes the following condition:
Let and for our restricted attack (this clearly satisfies the required restrictions on and ). Now, first consider the case that (the case when for one or both will be considered afterwards). Let be the operator acting on states in as follows:
We claim that is an isometry. First, it is clear that each is normalized. Indeed:
where, above, we used the fact that . A similar computation yields . What remains to be shown is that . But this is clear:
and similarly for . We conclude, therefore, that is an isometry which may be extended to a unitary operator (its action on states not shown above is irrelevant). In the following, we will assume is simply unitary.
To simplify notation in the remainder of this proof, let . By linearity of , it follows that:
Let . We claim that , as constructed above, is the desired restricted attack. (Note, we are still assuming for the time being, that .)
We first consider the case where ’s sent state is pure; for mixed states the result will follow immediately due to linearity of the operations. On any particular iteration of the protocol, let be the state prepared and sent by . These and are potentially known only to (i.e., may choose, each iteration, to send a randomly prepared state in which case the and are chosen randomly). Let be the state of the qubit as it arrives to if uses the restricted attack as constructed above. Let be the state if uses the collective attack . These are both easily computed:
At this point, will either Measure and Resend (saving his measurement result in a private register) or Reflect. We first consider the case where he chooses Measure and Resend. Let be the result of this operation in the restricted attack case and the result in the general collective attack case. These density operators are found to be:
where . At this point, if is using the restricted attack, she will now apply the operator . However, ’s action of evolves the state to:
Thus, it is clear that and so the resulting quantum state is identical regardless of whether used the restricted attack or the collective attack (, , and ’s systems are identical regardless).
We now consider the case when reflects. Let be the state of the system when the qubit leaves ’s lab and used the restricted attack; let be the state of the system if uses the collective attack. That is: and , where and are defined in Equations 6 and 7. It is trivial to show that and so the result holds in the case reflects.
In the above, we assumed that for both . However, if for one or both , then (if ) or (if ) never appear in the state following ’s application of . Note also that, if then, it must hold that for some (and a similar statement may be made if ); this phase change will be done by in the forward direction and there is no need to “create” the state later in the reverse, only the state (if , then and so there is no need to “create” the state later, only change the phase which is done by ). Thus, ’s action on these states ( or ) may be arbitrary and we need not define the corresponding . It is clear, then, that may be made a unitary operator, and the rest of the proof follows as above.
We conclude, therefore, that regardless of or ’s choices, the state of the quantum system for all three parties is the same whether used or (meaning the resulting density operator describing the joint systems are equal). Thus the view from , , and ’s point of view are identical in both cases; furthermore, the key-rate computation (Equation 2) will also be identical in both cases. ∎
Thus, to prove security of any SQKD protocol, it is sufficient to consider only a restricted collective attack - security against general collective attacks will follow from that. In the next section, we will show how this result may be used for a particular protocol to convert it into an equivalent entanglement based version from which a quantum uncertainty bound may be used to compute the key-rate.
Note that the choice of basis is irrelevant to the attacker. Thus, when analyzing the security of a SQKD protocol using this result, one is free to choose a basis that simplifies the analysis and computations. In the remainder of this paper, our proof assumes . Also note that our proof would hold even for protocols where performs a CNOT gate (acting on and his private register) instead of a projective basis measurement when he chooses Measure and Resend; mathematically, the two operations will be identical in this case, and the proof above follows through identically.
Before concluding this section, we point out a simplification of our definition if we assume ’s attack is symmetric. This is an assumption often made in quantum security proofs and can even be enforced by the parties. In particular, if the basis error induced by ’s attack in the forward channel can be parameterized by a single variable (i.e., the probability of an flipping to a in the forward channel is ), and if we work with respect to the basis (i.e., ), then the restricted attack adopts a far simpler form:
A symmetric restricted collective attack is a tuple , where , , and is a unitary operator acting on . This attack follows the same process as in Definition III.1, setting .
It is not difficult to see that if is a symmetric attack (i.e., ), then it must hold that .
Iii-B An Entanglement Based Protocol
Our conversion from the prepare-and-measure protocol to an equivalent, entanglement based one, follows several reductions. Our goal in this section is to construct a new protocol whereby (who is no longer classical) prepares quantum states and sends them to (who is still quantum). However, by analyzing the security of this new protocol, we will show security of the SQKD protocol .
First, note that ’s Measure and Resend operation may be equivalently modeled as a CNOT gate acting on the qubit and an empty register private to . Of course, his Reflect operation may be modeled as the identity operation. Thus, when analyzing we may instead analyze the case where applies a unitary operation acting on the qubit and a register private to him. Second, we may assume that , instead of preparing and sending a random state of the form , , , or , will instead prepare a Bell state of the form , sending one particle to while keeping the other particle in her private lab. Standard arguments apply to show that security of this new protocol (which we denote by ) implies security of the prepare and measure one . Furthermore, Theorem 1 still applies (see the comment after the proof). It is clear that, if we prove security of then security of will follow.
Now, consider the following protocol which we denote by , whose quantum communication stage consists of:
prepares the state if he wishes to “Reflect” otherwise he prepares the state if he wishes to “Measure and Resend” (he will chose the operation randomly each iteration). The two qubits and are sent to Alice. Note that the terminology “Measure and Resend” and “Reflect” no longer has any real meaning in this protocol.
receives both particles and and will measure each in the basis or the basis, choosing randomly.
If chooses to Measure and Resend and if uses the basis, they may use their results as their raw-key bit (we assume is used as ’s raw-key bit, though our analysis below would be symmetric if were used instead). Other iterations, along with a random subset of these “raw-key” iterations, may be used for error estimation in the obvious way.
We give the ability to control the setting of and which can only increase her power (and, as a consequence, also gives us partial device independence - indeed, one can consider the scenario that manufactured the device is using and programmed in a particular and value). A collective attack against this protocol, thus, is a setting for (the value of course) and a unitary operator acting on two qubits and and ’s private quantum memory.
While is not a “true” entanglement-based version (as is making a choice between two pure states), it would not be difficult to make it one simply by increasing the dimension of ’s space with an extra qubit (which, after measuring, would determine his choice of Measure and Resend or Reflect). However, as it turns out, the protocol as described will be sufficient to complete our security analysis of the prepare-and-measure protocol.
We claim that, if is secure, then so is (in which case, so is ). In particular, we will show that, for any attack against , there exists an attack against which exactly replicates the resulting quantum system. In particular, given an attack against , we will construct an attack against which first “rewinds” the forward channel attack simulating the system had initially sent a qubit as opposed to . Informally, as an example, if sends a in the register (which he never does - it is always a pair of qubits but this is simply for illustration), then we construct an attack which causes to receive a or in her register with the same probabilities as if she had sent a or a and happened to measure a if they were running . Furthermore, ’s memory will be in the same state in both cases. Thus, we will “rewind” the forward channel for to simulate the scenario where sends a qubit first instead of sending a qubit first. The only thing cannot “rewind” is the probability of observing certain outcomes in - thus the need for her to set the value of during device construction.
Let be a collective attack used against and let be the density operator describing a single iteration of this protocol when uses this attack. Then, there exists an attack against such that, if is the resulting density operator when running using attack , it holds that assuming the probability that chooses Measure and Resend in is the same as in (and thus the probability of choosing Reflect is also the same in both protocols).
Let be a collective attack against . Since Theorem 1 applies, there exists an equivalent restricted attack consisting of the forward operator as described in Equation 3. We construct the desired attack against .
Consider the following operator Rw to be used against in order to “rewind” the forward channel attack. The action of this operator is:
where and are the states resulting from the application of (see Equations 4 and 5). We claim that Rw is an isometry (and thus can be extended to a unitary operation). This is not difficult to see: let and . It is clear that . Furthermore:
and similarly . Thus, Rw is an isometry from . We abuse notation from here and assume Rw is a unitary operator (its action on other states may be arbitrary).
Now, consider the following attack against : , where (and, so, ). We claim this is the desired attack. Indeed, if chooses to Reflect in , then the state of the system after the qubit leaves ’s lab, but before applies is:
where the order of the systems on the right-hand-side of the above expression are: (note is un-entangled from the above system). At this point, has control only of the subspace.
On the other hand, if chooses Reflect in , then the state of the system after applies Rw but before finishing the attack with , is:
from which it is clear that . With , will then apply (acting on ) to and then forward the system to Alice; with , will apply the same (also acting on the subspace ) to and forwards both and to Alice. Regardless, we find the quantum system held by all three parties to be equal.
The case when chooses to Measure and Resend is similar. Indeed, in this case, consider the state before applies for :
And, the case for after applies Rw but before is:
Again, we conclude the two systems will be the same after application of . The final density operator will then be a mixture of the two pure states. Assuming the probability that chooses to Measure and Resend in is equal to the probability he chooses this option in (and thus, the probability of choosing Reflect is also equal in both protocols) the resulting density operators will be identical. ∎
Notice that, when attacking , has control of both and (which she does not when attacking ). Thus, she has possibly more attack strategies against . However, for every attack against , there exists an equivalent attack against . Thus, to prove security of (and thus , our goal), it suffices to analyze as has potentially more attack capabilities against the latter. Indeed, we have the following “chain:”
where is the protocol but with restricted to attacks of the form .
Iii-C Final Key-Rate Bound
Consider the protocol introduced in the previous subsection. There are two “modes” to it: either chooses to Measure and Resend (with probability ) or he chooses to Reflect (with probability - not that these terms have the same meaning as their wording implies. A single iteration of the protocol, then, may be written as the density operator:
and and are the (pure) states in the event chooses Measure and Resend or Reflect respectively. Now, only those iterations where chooses Measure and Resend are used for key distillation and, so, to compute the key-rate of this protocol, we need to compute where we use to denote the result of measuring her register in the basis (recall uses only for her key distillation). However, we will first analyze and use this to bound the entropy in .
It was shown in , that for any density operator acting on a tripartite Hilbert space , that if and make measurements in the or basis, then:
where we use (respectively ) to denote the register storing the result of a (respectively ) basis measurement on the system. Using this, we may easily prove the following:
Let be the state of the system if chooses Reflect in protocol and let be the error rate in the basis between registers and . Then:
Note that is completely independent of the system; i.e., . Thus, we may simply consider the state resulting from tracing out which acts on the tripartite system . Using the uncertainty relation described above (see Equation 12), replacing with (thus, in a way, we are imagining as two people - one who holds the register and the other who holds the register - of course in real life they are one individual), we have:
where the last inequality follows from the fact that measurements can only increase entropy. ∎
We will use the conditional entropy of to compute a bound on the entropy in , thus giving us our desired key-rate computation. For the following result, we will assume a symmetric attack in that the observed basis noise is equal in both forward and reverse channels; this is only to make the algebra more amicable - analyzing an asymmetric channel would follow the same process, just with slightly more, yet trivial, algebra.
Before we continue, however, we require one lemma which, though straight-forward to show, we include for completeness:
Let . Then:
Recall that the trace norm is invariant to unitary changes in basis. We decompose and as:
where and . Furthermore, we may assume (any alternative phase of or may be absorbed into the corresponding basis vector). In this basis, we have:
the eigenvalues of which are:
Writing , with , we have the following identities (which follows from the decomposition of and ):
Substituting these into yields:
The Cauchy-Schwarz inequality forces , so the square-root is real. In fact, by the Cauchy-Schwarz inequality:
Now: . If , then, using Equation 17 and letting (thus ):
Alternatively, if :
Of course completing the proof. ∎
Finally, we prove the following theorem which bounds the von Neumann entropy in allowing us to compute the key-rate of this SQKD protocol.
Given and as defined above in Equation 11, let be the error rate in the basis observed on a single channel (we assume both channels have the same basis error rate). Also, let be defined as:
Then, assuming ’s attack is symmetric and of the form , where acts on and Rw is a “rewind” operator as discussed earlier, it holds that , where:
Let be an arbitrary attack operator used against (this is an isometry from to ). Also, let be two Bell states. Without loss of generality, we may write ’s action as:
where the states and are arbitrary, not necessarily normalized nor orthogonal, states in . The density operator (which is the state of the system when chooses Reflect in protocol and measures both her qubits in the basis - an operation denoted by below) when faced with this attack is found to be:
Likewise, we may compute , the density operator for those iterations where chooses Measure and Resend (note that, below, we define ):