Abstract
The BB84 quantum key distribution protocol is semi device independent in the sense that it can be shown to be secure if just one of the users' devices is restricted to a qubit Hilbert space. Here, we derive an analytic lower bound on the asymptotic secret key rate for the entanglement-based version of BB84 assuming only that one of the users performs unknown qubit POVMs. The result holds against the class of collective attacks and reduces to the well known Shor–Preskill key rate for correlations corresponding to the ideal BB84 correlations mixed with any amount of random noise.
Original content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.
1. BB84 and device independence
Quantum key distribution (QKD) [1, 2] protocols allow cooperating users to generate cryptographic keys in such a way that unauthorised eavesdropping can be detected. This is achieved by exploiting features of quantum physics, such as the general inability to measure a quantum state without disturbing it, in a way that guarantees that any attempt at eavesdropping on the protocol will introduce detectable errors.
One of a QKD protocol's differentiating features is the degree to which it is device independent [3–5] i.e., the extent to which the protocol can be proved secure independently of assumptions about the internal functioning of the devices in the physical setup. This is of practical interest as device-independent protocols are intrinsically more robust, ensuring that both unintended and maliciously introduced implementation faults are detected automatically. Protocols can range from fully characterised (the exact quantum state preparations and/or measurements must be known) to fully device independent (security is established based only on the detection of Bell-nonlocal [6, 7] correlations, independently of the mechanism that produced them). Between these extremes, partially device-independent protocols have also been proposed in which only some of the devices are fully characterised [8–10] and in which only a Hilbert space dimension bound is assumed for the source of quantum states [11, 12].
The BB84 protocol [13] was originally introduced as a fully characterised protocol. A commonly considered prepare-and-measure version runs as follows. One user ('Alice') generates a string of random bits that she wishes to transmit to another distant user ('Bob'). Alice sequentially encodes each bit onto one of two corresponding orthogonal eigenstates and which she transmits to Bob. In order to be able to detect eavesdropping, Alice inserts instances of the eigenstates and , with , at some random locations in the sequence of quantum states to be transmitted to Bob. Bob measures most of the states he receives from Alice in the basis and the remaining minority of cases in the basis. Afterwards, the record of cases where Alice and Bob used mismatched bases (Alice prepared a state and Bob measured or vice versa) are discarded. The cases where Alice and Bob both used the basis and a randomly chosen subset of cases where they both used the basis are used to estimate the x- and z-basis error rates and and then likewise discarded. Finally, if the error rates are not too high, classical postprocessing allows a (generally shorter) secret key to be generated with the relative errors between Alice's and Bob's versions corrected and with any knowledge of the key by an adversary effectively erased.
There is also an entanglement-based version of BB84, in which a central source prepares and distributes entangled states which Alice, as well as Bob, measures in the and bases. In this case, the initial bitstring is obtained from the measurement results rather than from a separate randomness generation procedure. Since Alice's or measurement can be thought of as effectively preparing a state for Bob [14], there is some equivalence between the two versions of the protocol. In particular, in both versions, one-way classical postprocessing allows a secret key to be extracted at an asymptotic rate given by the Shor–Preskill key rate [15],
where is the binary entropy function, depending on the error rates and .
Since its original proposal, it has become apparent that the BB84 protocol exhibits a significant degree of device independence. BB84 was first found to be one-sided device independent, i.e., the explicit characterisation of one of the devices can be dropped. This was already indicated by some early security results [16–18] for the prepare-and-measure version of BB84 which do not explicitly depend on Bob's measurements, and later analyses [19, 20] found that the Shor–Preskill key-rate bound (1) still holds at the one-sided-device-independent level if Alice's source prepares the and eigenstates (in the prepare-and-measure version) or just one of the users measures in the and bases (in the entanglement-based version).
Recent analyses have started to exploit results from the mismatched bases cases, which are usually discarded, in order to improve the security certification [21, 22], and some authors have further pointed out that this can reduce the level of characterisation required to just a dimension bound for one of the devices. In [23] it was first shown that the Shor–Preskill rate still holds if no correlations are observed in the mismatched bases cases assuming that Alice performs unknown projective qubit measurements. A similar result was recovered numerically in [24] for general qubit POVMs on Alice's side, assuming that Bob also performs qubit measurements. The prepare-and-measure version of BB84 was also studied numerically in [25] at a similar level of device independence, where Alice's source prepares unknown pure qubit states and Bob performs unknown projective qubit measurements.
Here, we study the BB84 protocol in this semi-device-independent scenario (borrowing the name from [11]), where we assume only that Alice's device acts on a two-dimensional Hilbert space. The main result will be an analytic lower bound on the asymptotic secret key rate for the entanglement-based version of BB84 where we allow Alice's measurements to be arbitrary qubit POVMs and Bob's measurements are left uncharacterised. The result holds against the class of collective attacks [17] (i.e., assuming that Alice's and Bob's measurements are always performed on the same entangled state), which is known to imply unconditional security at least if the measurements are memoryless and if the Hilbert-space dimension is bounded [26].
The qubit device assumption is taken here to mean that Alice's result depends only on the measurement of a qubit state. In particular, similar to [27, 28], we assume that Alice's measurement result does not depend on additional classical information that could also be available to Bob's device (so-called 'shared randomness' [11]). This is necessary as the ideal (entanglement-based) BB84 correlations can be simulated with two shared classical random bits—a special case of what an adversary could prepare with a shared classical bit and an entangled qubit which is completely insecure from a cryptographic perspective. A consequence is that, unusually for a QKD security result, any (nontrivial) lower bound on the key rate cannot be a convex function of the probabilities P(ab ∣ uv) at this level of device independence.
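The shared-randomness argument above can be checked by enumeration. The following Python sketch is an added example, not code from the paper: it compares the ideal entanglement-based BB84 statistics of a maximally entangled pair with the strategy in which both devices simply read out two pre-shared random bits, and evaluates the standard Shor–Preskill expression 1 − h(δ_z) − h(δ_x) on the result. The choice of |Φ+⟩ as the ideal state, the function names, and the model of an adversary who prepared the shared bits are assumptions of the example.

```python
# Added illustration, not from the paper. Labels: u, v in {"z", "x"}; a, b in {0, 1}.
from itertools import product
from math import log2, sqrt

S = 1 / sqrt(2)
BASES = {"z": [(1.0, 0.0), (0.0, 1.0)],   # |0>, |1>
         "x": [(S, S), (S, -S)]}          # |+>, |->
SETTINGS = list(product("zx", repeat=2))
OUTCOMES = list(product((0, 1), repeat=2))

def quantum_bb84(u, v):
    """P(ab|uv) for |Phi+> = (|00> + |11>)/sqrt(2), Alice in basis u, Bob in basis v."""
    dist = {}
    for a, b in OUTCOMES:
        ea, eb = BASES[u][a], BASES[v][b]
        amp = (ea[0] * eb[0] + ea[1] * eb[1]) * S   # <a_u b_v|Phi+>, real vectors
        dist[(a, b)] = amp ** 2
    return dist

def shared_randomness(u, v):
    """P(ab|uv) when both devices just read out two pre-shared uniform bits."""
    dist = dict.fromkeys(OUTCOMES, 0.0)
    for lam_z, lam_x in OUTCOMES:          # each pair of shared bits has weight 1/4
        lam = {"z": lam_z, "x": lam_x}
        dist[(lam[u], lam[v])] += 0.25     # Alice outputs lam[u], Bob outputs lam[v]
    return dist

def max_deviation():
    """Largest |P_quantum - P_classical| over all settings and outcomes."""
    return max(abs(quantum_bb84(u, v)[ab] - shared_randomness(u, v)[ab])
               for u, v in SETTINGS for ab in OUTCOMES)

def error_rate(dist):
    """Probability that Alice's and Bob's outcomes differ."""
    return dist[(0, 1)] + dist[(1, 0)]

def binary_entropy(p):
    return 0.0 if p in (0.0, 1.0) else -p * log2(p) - (1 - p) * log2(1 - p)

def shor_preskill(delta_z, delta_x):
    """Standard Shor-Preskill expression 1 - h(delta_z) - h(delta_x)."""
    return 1 - binary_entropy(delta_z) - binary_entropy(delta_x)

def eve_guess_probability():
    """Chance that an adversary who prepared the shared bits knows Alice's z outcome."""
    correct = 0.0
    for lam_z, lam_x in OUTCOMES:
        alice_z_outcome = lam_z            # Alice's device output for u = z
        eve_guess = lam_z                  # Eve kept a copy of the bits she prepared
        correct += 0.25 * (alice_z_outcome == eve_guess)
    return correct

if __name__ == "__main__":
    dz = error_rate(shared_randomness("z", "z"))
    dx = error_rate(shared_randomness("x", "x"))
    print("max deviation from ideal BB84 statistics:", max_deviation())
    print("error rates:", dz, dx, "-> Shor-Preskill value:", shor_preskill(dz, dx))
    print("Eve's guessing probability for the z key bit:", eve_guess_probability())
```

The two models agree on every P(ab ∣ uv), so error rates alone cannot distinguish them: the classical strategy yields zero errors and a nominal rate of 1 while the adversary knows every key bit, which is why the qubit assumption has to exclude shared randomness.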
2. Scenario and main result
In the entanglement-based version of the BB84 protocol, Alice and Bob share a state on some Hilbert space , on which they can perform POVMs and indexed by measurement choices and yielding results with probability
In the semi-device-independent level of security that we consider, we assume that . The state and measurements are otherwise treated as unknown. Setting and , a convenient summary of the probabilities that we will use is given by the eight parameters
with . Note that and here are related to the more conventional z- and x-basis error rates and by .
The full security analysis of the protocol will be undertaken in the next section, but it is worth already sketching a result for the special case where Alice performs rank-one projective measurements since one can be derived directly from the Shor–Preskill rate. In this scenario, where Alice's z and x measurements simply project into orthogonal bases and , essentially the only relevant parameter differentiating the measurements is the Bloch-sphere angle between them. For some suitable basis conjugate to , we may write
where and φ is the (unknown) Bloch-sphere angle between and . Setting , linearity of the quantum expectation value implies the relation
The conjugate 'w basis' introduced here is useful because the (one-sided-device-independent) Shor–Preskill key rate applies to it. Introducing, for convenience, the function
(related to the binary entropy by ), the Shor–Preskill rate can be expressed as
From here, it is a simple matter to obtain a key-rate bound depending only on the observed correlations. From the relation (7) between the correlators, we obtain
which rearranges to
As long as , this implies the lower bound
for the key rate.
More generally, it is clear that the key-rate bound (12) cannot hold against arbitrary POVMs on Alice's side. A simple counterexample is that if we allow Alice to perform the degenerate projective measurement , it is possible for Alice and Bob to obtain the result deterministically (which is completely insecure) while observing the correlations and (for which (12) would imply r = 1). Of course, this particular pathological case is easily detected since Alice and Bob could notice that they keep getting the same measurement results. In terms of the parameterisation given above, we thus do not expect (12) to still apply if .
There is a significant parameter range in which the rate (12) still holds, though. The main result of this article is that the asymptotic rate (12) still applies, at least against collective attacks, if the correlations satisfy and
This is proved in the next section. As a special case, we recover the Shor–Preskill rate
if there are no correlations in the mismatched bases cases (so that ) and if the latter constraint reduces to (which is necessary to certify a nonzero key rate anyway) if Alice's and Bob's marginal results are equiprobable (so that ).
In principle, the derivation given in the next section could be pursued further in order to derive a lower bound for the key rate in the case that the condition (13) is not satisfied. There is an easier way of getting a result for this case, though. Since the condition (13) and key rate (12) are device independent on Bob's side, we can simply apply the result they would imply if Bob's measurement operator were scaled down to for some scaling factor 0 ≤λ ≤1. This way, we can use the modified bound
taking for λ the highest number between zero and one satisfying
3. Proof of main result
3.1. Problem definition
In the worst-case scenario, Alice, Bob, and the adversary Eve share a purification , prepared by Eve, of the state responsible for the observed correlations according to (2). When Alice measures u=z, the system in is projected to the (unnormalised) state
or
depending, respectively, on whether Alice gets the result a = 0 or a = 1. (We will in general write, e.g., Ψ as a shorthand for the density operator associated to some pure state .) The normalisations of these states are related to the probabilities with which they are prepared according to and . The correlation between Alice's result a and the state available to Eve is summarised by the classical-quantum state
in terms of Eve's parts and of the possible density operators ρ and .
We consider the case where the key is extracted from the measurement results. In this case, the one-way asymptotic key rate secure against collective attacks is lower bounded by the Devetak–Winter rate [29], which can be expressed as the difference of two entropies
In (20), is the Shannon entropy of Alice's outcome conditioned on Bob's and can either be computed directly or approximated by . The main problem, and the main goal of this section, is to derive a lower bound for the conditional von Neumann entropy , which is given by
where , when computed on the classical-quantum state (19).
The derivation followed in the remainder of this section uses a few mathematical tools (two of which are minor restatements of results in [30]) which are presented here as lemmas. Proofs for these are supplied as appendices to this article.
3.2. General proof outline
The starting point is the following relation for the conditional von Neumann entropy, which simplifies the problem to that of lower bounding the fidelity between the marginal states available to Eve.
Lemma 1. The conditional von Neumann entropy, computed on the classical-quantum state , is lower bounded by
in terms of the fidelity between and . Furthermore, for fixed , the right-hand side of (22) is convex in and is minimised with .
Here, we take the fidelity to be defined by , where denotes the trace norm of an operator A, for (generally unnormalised) density operators ρ and σ. Note that the minimisation of (22) at allows the bound for the von Neumann entropy to be simplified to
though this step is optional, since is an observed parameter.
The approach we follow involves reducing the problem to considering pure states. To this end, we introduce orthonormal bases , , in which Alice's (qubit Hermitian) POVM elements are diagonal. In these bases, Alice's POVMs can be expressed as convex sums
of the four projective measurements , , , and for convex coefficients satisfying and . (Here, and are shorthand for and , and and denote the identity and null operators on .)
Concentrating on the z measurement, we can express the entangled state as
for (unnormalised and not necessarily orthogonal) states . The fidelity between Eve's parts and of the states and introduced this way can, according to the following relation, be bounded in terms of an operator on Bob's Hilbert space.
Lemma 2. The fidelity between Eve's partial traces and of the pure states and satisfies
where and .
We approach the problem of lower bounding in the following way. Similar to (25), we express the entangled state as
for the measurement. In an appropriate phase convention, the diagonalising bases are related by
for some angle φ. From this and requiring that (25) and (27) are the same state, we extract
Introducing the correlators
for the pure states and
for the operator W appearing in lemma 2, the relations (30) and (31) imply
and applying the Cauchy–Schwarz inequality and rearranging, we obtain
similar to the outline of the previous section. Finally, since is the difference of two POVM elements, it satisfies the operator inequalities this allows to be used as a lower bound on the trace norm of :
from which we finally obtain
The remaining problem is to convert (38) into a lower bound on depending on the observed parameters Au, Bv, and Euv which can be used in lemma 1 (or (23)). Part of the problem is to relate these parameters to the pure-state versions and appearing in (38). From the POVM decomposition (24) we can deduce
which will allow the to be related to the Euvs and Bvs. For the z measurement, we will also need to be able to relate the fidelity in (38) to . For this, we will need the following general bound for the fidelity between mixtures of two states.
Lemma 3. Let , , , and be (not necessarily normalised) density operators related by
for parameters . Then,
3.3. Alice's POVM
The measurement is the simplest to handle, since it is not used for key generation, so we deal with it first. Rewriting the decomposition (39) for as
with and , the triangle inequality and the constraint together imply
which rearranges to
If then the only way that (45) can be satisfied is if and if . In this case can safely be substituted in place of in the pure-state fidelity bound (38). Otherwise, it is perfectly possible for the measurement POVM decomposition (43) to be satisfied with . In the following, we will assume that , since (38) becomes trivial otherwise.
3.4. Alice's POVM
The POVM decomposition (24) implies that the states ρ and prepared on are related to α and by
In general, the decomposition (24) for POVMs is not unique, so we have some freedom to choose a decomposition which will simplify the problem of turning the fidelity bound
into a lower bound for depending on observed parameters Au, Bv, and Euv. Specifically, the identity
implies that one of the POVMs or can always be eliminated, meaning we can assume that one of and in (24) is zero without loss of generality.
We proceed in two steps, first considering mixtures of the measurements and , before accounting for a contribution from one of the measurements or . In anticipation, and assuming a contribution from for example, we re-express (46) and (47) as
where the nonnegative parameters p, , q, are related to the by , , , and and satisfy .
For the contribution from and , we set
and, applying lemma 3 and the pure-state fidelity bound (48), we have
Introducing the correlator
related to by , and using that ,
or
which shows that allowing mixtures of the measurements and alone will not affect the key-rate formula.
Finally, we account for the effect of a contribution from one of the degenerate measurements or . Assuming first a contribution from , according to (50) and (51) and using that , ρ and are related to the states and defined above by
Applying lemma 3 again,
Inserting the lower bound (57) for and recognising that
the lower bound for becomes
The observed parameters
and
are related to by
Rearranging for and inserting in (62), we obtain
or, subtracting from both sides,
By following similar reasoning starting from the decomposition
assuming a contribution from instead of , we obtain the same result as (67) except with the sign changes and . The worst of the two bounds obtained this way is
The multiplicative factor is nonnegative, so the right-hand side of (70) is nonnegative if
Finally, since we are assuming , the term is nonnegative and is maximised with p = 1. This implies that (71) is satisfied for all if it is satisfied for p = 1, i.e., if
which is the condition given in the previous section. If this condition is met then the lower bound
can be used for the fidelity in lemma 1.
4. Conclusion
The preceding section proves that the key rate asymptotically secure against collective attacks for BB84 is lower bounded by
if and if the condition (72) is satisfied. This is never less than the simpler bound (12) claimed in section 2. If (72) is not satisfied, device independence on Bob's side still allows the main result to be used with the replacements and , with the scaling factor λ determined by (16) above. Together, these give a general semi-device-independent security result for the BB84 protocol against collective (and possibly [26] more general) attacks. The traditional set of assumptions used to prove the security of the BB84 protocol can thus be relaxed to a significant degree. It is still necessary to trust that one of the users' measurements is restricted to a two-dimensional Hilbert space, but exact knowledge of the measurements beyond this is not required.
In the scenario considered, aside from the qubit restriction on Alice's side, Alice's and Bob's measurements were allowed to be arbitrary POVMs. One could go further, similar to [27, 28], and imagine that Eve may have more detailed knowledge of the measurements. Specifically, the approach followed in this article could probably be modified to allow Eve to know the indices i and j in decompositions of the form and for the POVM elements, although the resulting key rate will probably not include the Shor–Preskill rate as a special case if the adversary is granted this extra power.
Finally, the main result was derived for the entanglement-based version of BB84. It is likely that a similar result should hold for the prepare-and-measure BB84 variant assuming a source which is restricted to emitting qubit states, which was tested in a recent implementation [31]. Adapting the approach followed here for the prepare-and-measure scenario is thus an obvious problem for future work.
Acknowledgments
Stefano Pironio suggested it would be interesting to study BB84 as a semi-device-independent protocol back in early 2013 and offered helpful criticism of a draft of this article. This work is supported by the Spanish MINECO (Severo Ochoa grant SEV-2015-0522 and FOQUS FIS2013-46768-P), the Generalitat de Catalunya (SGR 875), the Fundació Privada Cellex, and the EU project QITBOX.
Appendix
A.1. Proof of lemma 1
The conditional von Neumann entropy satisfies for any extension of Eve's Hilbert space . We use this to replace the (unnormalised) density operators and appearing in the classical-quantum state (19) with purifications and by Uhlmann's theorem (which still holds for unnormalised states), these can be chosen such that . We this way obtain
where
are the eigenvalues of . Recognising that
we obtain
which is the lower bound claimed in the statement of lemma 1.
The right-hand side of (78) has the form
where we treat y as a fixed parameter and x should satisfy . We show that this function is convex by lower bounding its second derivative. First, the first and second derivatives of ϕ are
and
Applying the product rule, the first and second derivatives of f are
and
Using that , the last term can be replaced with
so that
which shows that f is convex. Noticing that (or just that f is an even function) implies that x = 0 is the global minimum.
A.2. Proof of lemma 2
A basic property of the trace norm is that for some unitary operator ; furthermore, since is Hermitian, can also be taken to be Hermitian. From here and using that ,
The final line follows, by Uhlmann's theorem, from noticing that and are purifications of and .
A.3. Proof of lemma 3
We introduce purifications and of and such that . In terms of these, note that
where and are orthonormal bases, are purifications of ρ and σ. Using Uhlmann's theorem and expanding, the fidelity between ρ and σ is lower bounded by
where U and T are the matrices of elements and . By exploiting the freedom to choose the bases and , U can be made to be any 2 × 2 unitary matrix. Maximising the right-hand side over U, we obtain
with
in which we inserted that .
In general, the trace norm of a 2 × 2 matrix is given by
where
are respectively the trace of and the root of its determinant. Applying this to obtain an explicit expression for the trace norm of (91) and using that produces the result