
Security of Quantum Key Distribution Against All Collective Attacks

Ran Gelles
Submitted for the course ‘Seminar in QIP’ (236806)
Computer Science, Technion IIT, 2005
[email protected]

September 8, 2005

Abstract

Quantum theory has introduced new methods of key exchange. The security of those methods has been investigated in the last few years, reaching several different results. In this paper we review one of the security proofs against a specific (though quite general) attack named the collective attack. This seminar is based on the work of Eli Biham, Michel Boyer, Gilles Brassard, Jeroen van de Graaf and Tal Mor [1].

1 Introduction

Quantum Information Processing, a computer-science field based on quantum mechanics, is a true breakthrough, undermining computer capabilities as we understand them today. This field has introduced new efficient algorithms for problems that are considered hard to solve using classical computers, such as factoring large numbers or searching unsorted databases. Quantum computers are a real threat to classical cryptology: faster quantum search algorithms can brute-force symmetric encryption systems in order to find their keys, while efficient quantum factoring algorithms would be able to break encryption systems (and other types of security systems) based on public-key technology.

However, new quantum-cryptology algorithms and protocols are being defined and researched. In 1984, Bennett and Brassard invented the BB84 quantum key distribution protocol [4], which gives a new method of agreeing on a secret key using "the quantum power" in order to achieve security in the information-theoretic sense (as opposed to ‘computational security’, which a powerful enough enemy with unlimited computation power can break).


Ran Gelles Seminar on QKD Security against Collective Attacks

This paper analyzes the security of the BB84 protocol against a specific attack named the collective attack. Section 2 explains the need for key distribution, introducing the classical key distribution methods and the BB84 protocol. Section 3 describes ways of attacking the BB84 protocol, and Section 4 describes the security of BB84 against the collective attack.

Remark: This paper assumes basic knowledge of quantum mechanics and quantum information processing. Further information about quantum basics (q-bits, Hilbert space, density matrices, etc.) can be found in the textbook [3].

1.1 An Extremely Short Introduction to Quantum Computing

A q-bit $|x\rangle$ is a quantum information object which is a 2-level quantum mechanical system. We shall consider the q-bit as a mathematical object, a 2-dimensional vector $|x\rangle = (x_1, x_2)^\top$ over the complex number field $\mathbb{C}$ with inner product $\langle x|y\rangle = x_1^* y_1 + x_2^* y_2$ (this inner product space is called the Hilbert space of 2 dimensions, $\mathcal{H}_2$).

The basic states, often called the computational basis, are $|0\rangle = (1\; 0)^\top$ and $|1\rangle = (0\; 1)^\top$. Two bits $|00\rangle$ are the Kronecker product of their vectors, $|0\rangle \otimes |0\rangle = (1\; 0\; 0\; 0)^\top$, placed in the respective 4-dimensional Hilbert space $\mathcal{H}_2 \otimes \mathcal{H}_2$.

1.2 Introduction to Linear Error Correcting Codes

Error-correcting codes are used in order to transfer information over a noisy channel. Each information word is encoded into a longer, redundant ‘codeword’ in such a manner that the information can be retrieved even when a few bits of the codeword were received with errors due to channel disturbance.

A ‘linear code’ is a code whose codewords form a linear vector space over some field. The code is usually defined by a generator matrix $G_{k\times n}$ whose rows form a basis of the code. The encoding process is simply multiplying the $k$-bit information word $u$ by $G$, obtaining the $n$-bit codeword $c = uG$.

Decoding is done by searching for the information word $u'$ that gives the nearest codeword to the received word $c$¹, according to a specific distance function $d$, i.e. decoding is finding $u'$ s.t. $d(u'G, c)$ is minimal. This distance function is usually a metric named the ‘Hamming distance’, defined as the number of bits that differ between two words: $d_{\mathrm{Hamming}}(x, y) = \sum_i x_i \oplus y_i$.

A relatively simple way to decode is the ‘syndrome decoding method’. Every code can be defined by a parity-check matrix $H$, whose rows are orthogonal to the code space, i.e. $HG^\top = 0$. Therefore, every codeword gives $0$ once multiplied by $H$

¹ Due to channel errors, the received word $c$ might differ from the codeword that was actually sent.


($Hc^\top = HG^\top u^\top = 0$). Every string $x \in \{0,1\}^n$ which is not a codeword gives a non-zero result $s = Hx^\top \neq 0$, which is called the syndrome. When the number of errors is small enough, knowing the syndrome is the same as knowing exactly which bits are erroneous (i.e. an error in specific bits gives the same syndrome, no matter which information word was sent. This is due to the code's linearity: $Hx^\top = H(c+e)^\top = Hc^\top + He^\top = 0 + s$, where $e$ is all-zeros except for those bits that were inverted by the channel²).

Affine Code. An affine code is a non-linear code that can be defined as $\{c + b \mid c \in C\}$, where $C$ is a linear code and $b \notin C$ is fixed. Encoding can be done using $C$'s generator matrix: $u \mapsto uG + b$.
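The following Python is an added illustration, not code from the paper: a systematic [7,4] code in the form $G = (I \mid A)$ of footnote 9, its parity-check matrix $H$ with $HG^\top = 0$, syndrome decoding of a single-bit error, the affine variant $u \mapsto uG + b$, and the way Section 2.3.2 uses all this (Alice sends only the parity word, Bob corrects his block from the syndrome). The matrix $A$ and the sample words are constructed for this example.

```python
"""Syndrome decoding of a systematic binary linear code over GF(2).

Added example (not from the seminar paper).  A systematic [7,4] Hamming
code with G = (I | A); H = (A^T | I) satisfies H G^T = 0.  Because the code
is linear, H (c + e)^T = H e^T, so the syndrome identifies a single flipped
bit regardless of the codeword.  Matrices and sample words are constructed.
"""

# Parity part A of G = (I | A): 4 data bits, 3 parity bits (constructed).
A = [
    [1, 1, 0],
    [1, 0, 1],
    [0, 1, 1],
    [1, 1, 1],
]
K = len(A)          # information bits
R = len(A[0])       # parity bits
N = K + R           # codeword length

# G = (I_k | A)
G = [[1 if i == j else 0 for j in range(K)] + A[i] for i in range(K)]
# H = (A^T | I_r): each row is orthogonal (over GF(2)) to every row of G.
H = [[A[i][j] for i in range(K)] + [1 if j == l else 0 for l in range(R)]
     for j in range(R)]


def mat_vec_gf2(M, v):
    """Return M v^T over GF(2) as a list of bits."""
    return [sum(m * x for m, x in zip(row, v)) % 2 for row in M]


def encode(u):
    """Codeword c = uG: the data word u followed by its parity word s'."""
    assert len(u) == K
    return [sum(u[i] * G[i][j] for i in range(K)) % 2 for j in range(N)]


def syndrome(x):
    """s = H x^T, all-zero exactly when x is a codeword."""
    return mat_vec_gf2(H, x)


def check_parity_matrix():
    """H G^T = 0: every generator row (hence every codeword) has syndrome 0."""
    return all(syndrome(row) == [0] * R for row in G)


# Syndrome table He^T for every single-bit error pattern e.
SYNDROME_TO_ERROR = {}
for pos in range(N):
    e = [0] * N
    e[pos] = 1
    SYNDROME_TO_ERROR[tuple(syndrome(e))] = e


def decode(received):
    """Syndrome decoding (at most one error assumed): returns (u', corrected c)."""
    s = tuple(syndrome(received))
    if any(s):
        e = SYNDROME_TO_ERROR[s]
        corrected = [(r + x) % 2 for r, x in zip(received, e)]
    else:
        corrected = list(received)
    return corrected[:K], corrected


def bob_corrects_with_parity(bob_block, alice_parity):
    """BB84 error-correction step: Alice publishes only the parity word of
    her raw-key block; Bob appends it to his noisy block and decodes."""
    u_hat, _ = decode(list(bob_block) + list(alice_parity))
    return u_hat


def affine_encode(u, b):
    """Affine code: uG + b for a fixed b that is not a codeword."""
    return [(c + x) % 2 for c, x in zip(encode(u), b)]


def hamming_distance(x, y):
    """d_Hamming(x, y) = sum_i x_i xor y_i."""
    return sum(a ^ c for a, c in zip(x, y))


if __name__ == "__main__":
    u = [1, 0, 1, 1]                        # constructed data word
    c = encode(u)
    received = c[:]
    received[5] ^= 1                        # the channel flips one bit
    print("codeword:", c, "received:", received, "syndrome:", syndrome(received))
    print("decoded:", decode(received)[0])
    bob = u[:]
    bob[2] ^= 1                             # Bob's raw-key block has one error
    print("Bob corrected:", bob_corrects_with_parity(bob, c[K:]))
```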

2 Key Distribution

In order to obtain privacy and security, a mutual secret must be shared between all the parties involved. This secret is referred to as the key. The key is the base for each and every cryptographic protocol (encryption, authentication, digital signatures, bit commitment, etc.). Once the key is exposed, the legitimate users (usually known as ‘Alice’ and ‘Bob’) are subject to the deeds of their evil opponent (‘Eve’), who can decrypt and read their messages, impersonate them or digitally sign contracts in their names.

2.1 The Need for Secure Key Distribution

How can Alice and Bob obtain the same secret without letting anyone else know it? If Alice and Bob live in the same city, they can meet once a week, and Alice can pass Bob a disk containing the keys for the next week. But what can they do if Alice lives in Israel while Bob lives in Bangladesh?!

The young couple still have several solutions:

• Using a trusted third party. Alice and Bob can be helped by David. David is Bob's best friend who happens to be Alice's brother. Luckily, David is a steward at El-Al and flies to Bangladesh at least once a month. Both Alice and Bob trust David, therefore he can be used as a "Trusted Third Party" who distributes the keys.

• Using a small pre-obtained secret. Unfortunately, most Alices have no steward brother, so another solution must be reached. Let us say Bob and Alice already share a small secret key ($K_{key}$) (from Bob's last visit to Israel). Alice and Bob can use $K_{key}$ in order to encrypt the weekly key ($K_{week}$) and send it over the Net³. In the next week they can use $K_{key}$ again to agree on $K_{next-week}$, or use $K_{week}$ for encrypting $K_{next-week}$.

² All the computations in this section are over GF(2).
³ This method is known to have been used by the German army in WW2 as the method of agreeing on a key for the Enigma crypto-system.


Question: If Alice and Bob already share a key, why can't they use it as the key for all their cryptographic protocols? The answer is that the key is less secure the more you use it. Therefore you would like to change your keys once in a while, for you never know whether your key is exposed.

• Using public key cryptography. Yet, Alice might wish to have a secure conversation with someone she met on the Internet, who never came to Israel. Therefore we need a protocol which allows two users who share no secret, never met before and can communicate only over insecure channels (e-mail, ICQ, IRC, etc.), to agree on a secret key without letting anyone but the authorized users have any information about the key. Is it possible?

2.2 Classical Protocols

In 1976, W. Diffie and M. Hellman published a novel solution to the key agreement problem [2]. Their article, bearing the promising name ‘New Directions in Cryptography’, indeed opened the way to a field today referred to as public key cryptography. The Diffie-Hellman key agreement⁴ protocol allows two users who never met before and share no common secret data to agree on a secret key using only a classical insecure channel.

The Diffie-Hellman key agreement protocol suffers from one main weakness: it is exposed to an attack called the man-in-the-middle attack. An eavesdropper can impersonate a legitimate user, and run the protocol separately with Alice (who thinks it is Bob on the other side) and separately with Bob (who assumes Alice is on the other side). In that way, Alice and Eve end the protocol with a secret key $K_{AE}$, and Eve and Bob share $K_{EB}$. Every message sent by Alice to Bob (encrypted by $K_{AE}$) is decrypted by Eve, read, encrypted by $K_{EB}$ and sent to Bob. Alice and Bob have every reason to believe that they talk with one another, but in fact have no security.

This flaw can be solved using an authenticated channel, given that Alice and Bob share a small secret in advance.

The security of the protocol is based on the hardness of the discrete-logarithm problem (a.k.a. DLOG), i.e. the amount of time needed to find $k$ given $g^k \bmod p$, for some prime $p$ and a number $g \in \{1, \dots, p-1\}$ which is a generator⁵. No polynomial-time algorithm that solves the DLOG problem is known, and the problem is assumed to be an NP problem which requires exponential time to solve⁶. Therefore, Diffie-Hellman is computationally secure, implying that an adversary with unlimited computing power is able to break the protocol (search all the $\alpha$'s in $\{1, \dots, p-1\}$ until you find $\alpha$ such that

⁴ This protocol is sometimes called a key exchange protocol. One should pay attention that no key is exchanged or distributed by this protocol; rather, a new key, agreed on by both sides, is generated.

⁵ $g$ is a generator if for every $\alpha \in \{1, \dots, p-1\}$ there exists $\beta$ such that $g^\beta \equiv \alpha \pmod p$.
⁶ The most efficient algorithm known for DLOG is Gordon93, which runs in complexity $\exp\big(O\big((\log p)^{1/3}(\log\log p)^{2/3}\big)\big)$.


$g^\alpha \equiv g^k$). Nevertheless, the Diffie-Hellman security for daily use, considering today's technology, is considered pretty safe.

However, an opponent with quantum computing abilities might undermine the security of the classical protocols as they are considered today. Quantum search algorithms (such as [5]) shorten the search in an unsorted database from the classical $O(N)$ complexity to a quantum $O(\sqrt{N})$ complexity. Other algorithms ([6]) prove the existence of polynomial-time algorithms for the DLOG problem and for the factoring problem (used to break the RSA cryptosystem), whose best known classical algorithm (the quadratic sieve algorithm) has complexity $O\big(e^{\sqrt{\ln(n)\ln(\ln(n))}}\big)$.

2.3 Quantum Protocols

Quantum mechanics introduced various alternative cryptographic protocols, in which information-theoretic security is assured, rather than the computational security which is proved for most of the classical protocols. The main principle behind all of those protocols is using a quantum channel in order to pass random bits between Alice and Bob. The laws of physics ensure that eavesdropping on this channel forces disruption of the transmitted bits. Once Alice and Bob identify channel disruption, they know with high probability that eavesdropping has occurred, and abort the protocol.

The first to use this ability in order to obtain cryptographic protocols were C. Bennett and G. Brassard [4]. In their article they proposed a key agreement protocol known as BB84, and a coin tossing protocol, which today is known to lack security.

2.3.1 Concept of Quantum Cryptography

The power of quantum cryptographic protocols is based on the following fact: when information is coded by non-orthogonal quantum states, it cannot be copied or read without randomly changing the q-bit (see the proof in Appendix A). Those protocols use at least two sets of orthogonal quantum states. For example, a single photon whose polarization directions are 0 and 90 degrees (coding ‘0’ and ‘1’, respectively) is chosen to be the first set, while 45 and 135 degrees is the second set. Each of those sets is called a basis⁷.

Measuring those photons (usually by passing them through a polaroid filter after which a detector is set), without knowing the basis in which they were prepared, results in two possible options (for the example, we shall measure in the {0, 90} basis, e.g. by using a polaroid filter with a polarization axis of 0 degrees):

• If the photon originated in the {0, 90} basis, the measurement gives us full information about the photon state: if the detector ‘beeped’, the photon's original polarization was 0. No beep: the photon was set at 90 degrees (indicating the logical bit ‘1’).

⁷ Since it is a basis for the two-dimensional Hilbert space representing the photon's polarization.


Figure 1: Coding of single photon by polarization directions

• However, if the photon was in the {45, 135} basis, no information at all is learnt, since this photon will pass the filter with probability $\cos^2(45^\circ - 0)$ or $\cos^2(135^\circ - 0)$ respectively, i.e. it will pass with probability 1/2 and be absorbed with probability 1/2, no matter what its original state was (since $\cos(x^\circ) = -\cos(180^\circ - x^\circ)$).

The {0, 90} basis shall be denoted the $Z$-basis, and {45, 135} the $X$-basis. Single photons whose polarization is 0 degrees and 90 degrees are denoted $|0\rangle_z, |1\rangle_z$, while photons with 45 degrees and 135 degrees are denoted $|0\rangle_x, |1\rangle_x$ (Figure 1).

2.3.2 BB84

The BB84 protocol consists of 4 main stages:

1. Sending random q-bits. Alice chooses a random $n_{init}$-bit string and a random basis for each bit ($Z$ or $X$). She then sends those q-bits to Bob. Bob, not knowing the bases Alice chose, measures the q-bits in bases he chooses randomly and independently. After measuring all the bits, Alice announces the bases she used. Any bit measured in a wrong basis is deleted. Since the probability of measuring in the right basis is 1/2, we remain with $n_{sifted} \approx \frac{1}{2} n_{init}$ bits, which are called the sifted key.

Figure 2: Alice sending Bob random bits.


2. Error-rate validation. Alice and Bob must check whether an eavesdropping attempt was made. As said, since Eve doesn't know which bases Alice used, measuring Alice's q-bits in a wrong basis will deform the bits, causing Bob to measure random bits. In order to evaluate the error rate, Alice and Bob compare $n_{err-test}$ bits of the sifted key, chosen randomly out of the $n_{sifted}$ bits. Those bits are compared using the public insecure channel, letting Eve know them. If the evaluated error rate

$$p_{err-rate} = \frac{\#\text{ of erroneous bits}}{n_{err-test}}$$

exceeds a pre-fixed rate $p_{allowed}$, the protocol is aborted.

The remaining $n$ bits⁸, denoted the raw key, are used to generate the final key (Figure 3).

Figure 3: Obtaining raw-key out of Alice’s bit stream

3. Error correction. The raw key cannot be used as the final key for two main reasons: (i) errors might have happened, so Alice and Bob share different raw data; (ii) Eve might have information about a few of the bits of the raw key. The first problem can easily be solved by transmitting error-correction information, which helps Bob fix his errors and obtain the same key as Alice. The error-correction information must not expose the raw key bits themselves (since it is passed on the insecure channel, eavesdropped by Eve). Therefore, Alice and Bob can agree on a systematic⁹ ECC, and pass between them only the parity bits.

4. Privacy amplification. The privacy amplification (PA) stage is done in order to lower Eve's knowledge of the final key, by averaging her knowledge over all the bits, taking the XOR of several bits of the raw key (Figure 4). Consider this situation: Eve "guessed" correctly the basis of the 1st bit (she has probability 1/2 to do so). Alice and Bob share a 10-bit raw key, of which they need only one bit. If they use the first bit as their final key (with probability 1/10 of choosing it), they have zero security. However, if they build their final 1-bit key by taking, say, 5 bits of the raw key and applying XOR to them, they

⁸ Throughout this paper $n = n_{raw-key}$.
⁹ A systematic ECC maps the $k$-bit data word $u$ into the codeword $u|s'$, i.e. the data word $u$ concatenated with the parity word ($s'$). The generator matrix $G$ of such a code is of the form $(I \mid A)$, where $I$ is the $k \times k$ identity matrix.


achieve full security (since Eve has no information about any other bit, she has no information about the XOR output).

Figure 4: Obtaining final key out of the raw key
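The four stages above, as an added toy simulation in Python that is not part of the original paper: classical bookkeeping stands in for the polarization states (a bit measured in the wrong basis comes out uniformly random, exactly the $\cos^2 45^\circ = 1/2$ behaviour of Section 2.3.1), with sifting, public error-rate validation against $p_{allowed}$, and XOR privacy amplification. The optional intercept/resend Eve of Section 3.2 is included to show why the validation step works: she raises the sifted error rate to about 25 percent, so the protocol aborts. The parameters and the random seed are constructed values.

```python
"""Toy BB84 simulation: sifting, error-rate validation and XOR privacy
amplification, with an optional intercept/resend eavesdropper.

Added example, not code from the seminar paper.  Basis 'Z' stands for the
{0, 90} degree states and 'X' for {45, 135}.  A measurement in the
preparation basis returns the encoded bit; in the other basis it returns a
fair coin.  All randomness is constructed from a fixed seed.
"""
import random
from functools import reduce
from operator import xor

BASES = ("Z", "X")


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis: full information.  Other basis: cos^2(45 deg) = 1/2 coin."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def intercept_resend(bits, bases, rng):
    """Eve measures each q-bit in a random basis and re-sends what she saw,
    prepared in the basis she used (the intercept/resend attack)."""
    eve_bases = [rng.choice(BASES) for _ in bits]
    eve_bits = [measure(b, pb, eb, rng) for b, pb, eb in zip(bits, bases, eve_bases)]
    return eve_bits, eve_bases


def bb84(n_init, n_err_test, p_allowed, eve=False, seed=0):
    """Stages 1 and 2 of BB84.  Returns sifted-key size, estimated error
    rate, abort decision and both parties' raw keys (test bits removed)."""
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_init)]
    alice_bases = [rng.choice(BASES) for _ in range(n_init)]
    sent_bits, sent_bases = alice_bits, alice_bases
    if eve:
        sent_bits, sent_bases = intercept_resend(alice_bits, alice_bases, rng)
    bob_bases = [rng.choice(BASES) for _ in range(n_init)]
    bob_bits = [measure(b, pb, bb, rng)
                for b, pb, bb in zip(sent_bits, sent_bases, bob_bases)]

    # Stage 1, sifting: Alice announces her bases; mismatched positions are dropped.
    keep = [i for i in range(n_init) if alice_bases[i] == bob_bases[i]]
    alice_sifted = [alice_bits[i] for i in keep]
    bob_sifted = [bob_bits[i] for i in keep]

    # Stage 2, error-rate validation: n_err_test random sifted bits are
    # compared over the public channel (and therefore discarded afterwards).
    test_idx = set(rng.sample(range(len(keep)), n_err_test))
    errors = sum(alice_sifted[i] != bob_sifted[i] for i in test_idx)
    p_err = errors / n_err_test
    raw_alice = [alice_sifted[i] for i in range(len(keep)) if i not in test_idx]
    raw_bob = [bob_sifted[i] for i in range(len(keep)) if i not in test_idx]
    return {
        "n_sifted": len(keep),
        "p_err": p_err,
        "aborted": p_err > p_allowed,
        "raw_alice": raw_alice,
        "raw_bob": raw_bob,
    }


def privacy_amplify(raw_key, block):
    """Stage 4: XOR `block` consecutive raw-key bits into one final-key bit,
    so knowledge of a single raw bit says nothing about the output."""
    return [reduce(xor, raw_key[i:i + block])
            for i in range(0, len(raw_key) - block + 1, block)]


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(n_init=4000, n_err_test=500, p_allowed=0.10, eve=eve, seed=7)
        print(f"eve={eve}: sifted={r['n_sifted']} p_err={r['p_err']:.3f} "
              f"aborted={r['aborted']}")
    r = bb84(4000, 500, 0.10, eve=False, seed=7)
    print("final key length after 5-bit XOR blocks:",
          len(privacy_amplify(r["raw_alice"], 5)))
```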

3 Attacks on Quantum Key Distribution

In order to define the security of a protocol (as well as attacks on the protocol, with regard to that security), one should state one's working assumptions:

• Alice and Bob have labs that are perfectly secure.

• Alice sends Bob two-level quantum systems (q-bits) over a quantum channel.

• They share a classical channel, authenticated but not private. Therefore, all the information on this channel can be heard by Eve, but she cannot change it, block it or send her own information impersonating a legal user¹⁰.

• Eve cannot delay the q-bits sent to Bob for too long. She can let them through unchanged, block them or perform a unitary operation on them. If the q-bits are sent one by one, she must send the q-bit before Alice sends the next one.

3.1 Kinds of Attacks

Eve’s attacks can be classified into several classes:

Individual vs. multibit. This category indicates whether Eve attacks each q-bit on its own, or attacks several bits at a time. An individual attack is characterized by having a probe for each q-bit, which is measured before the next q-bit arrives. In multibit attacks

¹⁰ This can be achieved by digitally signing messages. Therefore, we assume that Alice and Bob already share a small secret key used for authentication, using the BB84 protocol in order to achieve a larger key. Thus, the protocol is in fact a key expansion protocol.


the probe is influenced by several q-bits, or the measurements are done on several probes as a large quantum system.

Uncorrelated vs. correlated. Eve's attack might be a constant unitary transform¹¹ operated on the q-bit and an ancilla, or a varying transform selected according to Eve's accumulated information gained by attacking previous q-bits. When the unitary transform is selected according to previous data, or when the attack depends on several bits, the attack is called correlated, since there is correlation between the attacked bits. Otherwise, the attack is uncorrelated (even if the transform differs from one q-bit to another, say, by making a random choice).

3.2 Famous attacks on QKD

Intercept/Resend. In this attack, the q-bits generated by Alice never reach Bob: they are intercepted by Eve, who can measure them or even block them. Eve then sends different q-bits to Bob. Those q-bits can be generated according to Eve's measurement or be randomly picked. They can be independent q-bits, or entangled with Eve's bits (for example, one q-bit out of an EPR pair generated by Eve).

C-Not Attack. The C-Not attack is an example of an individual uncorrelated attack in which Eve tries to "replicate" Alice's q-bits before delivering them to Bob, using a C-NOT gate¹²,¹³. If cloning general q-bits were possible, Eve could succeed in having information about these q-bits without introducing errors. However, Eve cannot clone q-bits (Appendix A). The effect of using a C-Not gate on Alice's q-bits (and an ancilla) is the following: if Alice's q-bit is in the $Z$ basis, Eve's ancilla becomes equal to Alice's q-bit.

$$|0\rangle_z |0\rangle_{zE} \to |0\rangle_z |0\rangle_{zE}$$
$$|1\rangle_z |0\rangle_{zE} \to |1\rangle_z |1\rangle_{zE}$$

However, if Alice's q-bit is in the $X$ basis, the gate entangles Alice's bit and Eve's ancilla (creating an EPR pair¹³):

$$|0\rangle_x |0\rangle_{zE} \to \big(|0\rangle_z |0\rangle_{zE} + |1\rangle_z |1\rangle_{zE}\big)/\sqrt{2}$$

Measuring the first bit (in any basis) will give a random result.

¹¹ Quantum mechanics allows only unitary operations, for otherwise basic quantum mechanical laws fail to hold, such as the sum of measurement probabilities being equal to 1.
¹² The Controlled-Not gate has two inputs and two outputs. Its operation (in the computational basis, i.e. the $Z$-basis) is inverting the second input whenever the first input is ‘1’.
¹³ More information in [3, Section 1.3].


Collective Attack. In this attack Eve attaches a probe to each q-bit that Alice passes, and performs a unitary operation on them. Then she sends Bob the q-bit and saves the probe in her memory. Eve collects all the probes, waits until the protocol ends and measures all the probes together. Eve doesn't measure immediately because she can measure in a better way after she acquires the classical information of the protocol which is sent over the insecure channel (e.g. the bases used, the error-correction bits, etc.).

Joint Attack. The joint¹⁴ attack is the most general attack (therefore the most powerful) that can be made. In this attack Eve has a large set of entangled q-bits. Eve receives all the q-bits that are sent to Bob, and performs a unitary operation on all the q-bits and probes altogether. Next, she sends the q-bits to Bob, waits until she learns all the classical information of the protocol and then performs a measurement of her probes.

Attack            | Multibit | Correlated
------------------|----------|-----------
Intercept/Resend  |    -     |     -
C-Not             |    -     |     -
Collective        |    +     |     -
Joint             |    +     |     +

Table 1: Classification of famous attacks

4 Security of BB84 against Collective Attack

Definition. The security criterion considered in this paper is the following: the probability that Eve has non-negligible information about the final key bits AND the protocol was correctly ended (i.e. was not aborted by exceeding the allowed error rate $p_{allowed}$) is exponentially small.

One should pay attention that other security criteria fail to work. For instance, the criterion "Eve has negligible information, unless the protocol is aborted" has a simple counterexample [7]: let us assume Eve was lucky to attack exactly those $n_{raw-key}$ q-bits that will be chosen by Alice and Bob to become the raw key. Moreover, she guesses correctly the bases Alice uses. Using the C-Not attack (Section 3.2) Eve can duplicate those q-bits and have full knowledge of Bob's bits. True, the probability for this to happen is $2^{-2n_{raw-key}}$, which is negligible; however, Eve has the final key while the protocol was not aborted.

4.1 Collective Attack on BB84

In this section we shall mathematically formalize Eve's collective attack. Without loss of generality, Eve initializes a multi-q-bit ancilla in an arbitrary state $|E\rangle$. For every bit

¹⁴ Also known as a coherent attack.


$|b\rangle$ sent by Alice, Eve performs a unitary operation $U$ on $|E\rangle \otimes |b\rangle$. The operation $U$ can be defined by:

$$|E\rangle|0\rangle_z \mapsto |E_{0,0}\rangle|0\rangle_z + |E_{0,1}\rangle|1\rangle_z \equiv |\varphi^z_0\rangle$$
$$|E\rangle|1\rangle_z \mapsto |E_{1,0}\rangle|0\rangle_z + |E_{1,1}\rangle|1\rangle_z \equiv |\varphi^z_1\rangle$$

where the $|E_{i,j}\rangle$ are non-normalized states defining the state of Eve's probe after the operation. They form 4 states which Eve needs to distinguish between in order to gain information. If the $|E_{i,j}\rangle$ are orthogonal, Eve has all the needed information by measuring her probes: when she measures $|E_{i,j}\rangle$ she knows that Alice sent $|i\rangle$ and Bob measured $|j\rangle$. If those states are not orthogonal, Eve has less information, and if they are all equal (most non-orthogonal), Eve can learn no information, for she will measure the same result no matter which q-bit Alice sent.

Example. To clarify the formalization, we show how to interpret the C-Not attack according to the above notation. In the C-Not attack, Eve's initial state is $|E\rangle = |0\rangle_z$. $U$ is defined as follows:

$$|0_z\rangle_E |0\rangle_A \mapsto |0_z\rangle_E |0\rangle_A$$
$$|0_z\rangle_E |1\rangle_A \mapsto |1_z\rangle_E |1\rangle_A$$

I.e. $|E_{0,0}\rangle = |0\rangle_z$, $|E_{0,1}\rangle = 0$, $|E_{1,0}\rangle = 0$ and $|E_{1,1}\rangle = |1\rangle_z$.

Most of the analysis regards the Eve-Bob Space (EBS) of the $i$-th transferred bit, which is the Hilbert space $\mathcal{H}_{E_i} \otimes \mathcal{H}_{b_i}$ containing Eve's probes and Bob's q-bit. The density operator on this space shall be denoted $\rho_i$¹⁵. If Alice sent $|0\rangle_z$, the Eve-Bob state is $|\varphi^z_0\rangle$ and $\rho_0 = |\varphi^z_0\rangle\langle\varphi^z_0|$. If she sent $|1\rangle_z$ we get $\rho_1 = |\varphi^z_1\rangle\langle\varphi^z_1|$. However, neither Eve nor Bob knows whether Alice sent $|0\rangle_z$ or $|1\rangle_z$¹⁶, so they have a mixed state: $\rho = \frac{1}{2}\rho_0 + \frac{1}{2}\rho_1$.

Eve's view (for the $i$-th bit) is given by tracing out Bob, receiving (when the $Z$ basis is used)

$$\rho^E_0 = \mathrm{Trace}_{Bob}(\rho_0) = |E^z_{0,0}\rangle\langle E^z_{0,0}| + |E^z_{0,1}\rangle\langle E^z_{0,1}|$$

when Alice sends $|0\rangle_z$, and

$$\rho^E_1 = \mathrm{Trace}_{Bob}(\rho_1) = |E^z_{1,0}\rangle\langle E^z_{1,0}| + |E^z_{1,1}\rangle\langle E^z_{1,1}|$$

when Alice sends $|1\rangle_z$. All Eve has to do now in order to learn the bit that Alice sent is to distinguish between the two states $\rho^E_0$ and $\rho^E_1$, instead of the quadruplet $|E_{i,j}\rangle$.

¹⁵ When it is clear which specific bit the state relates to, the index $i$ will not be specified.
¹⁶ If Alice uses the $X$ basis, feel free to replace every $z$ with $x$. The analysis is quite the same. We will consider the use of the $X$ basis in Section 4.2.3. Until then, we assume Alice sends bits only in the $Z$ basis.


4.2 Simplifying States Notation

4.2.1 Purifications

Given a state $\rho_A$ of a quantum system A, it is possible to define a new system R and a pure state $|\zeta\rangle$ over $\mathcal{H}_A \otimes \mathcal{H}_R$, such that $\rho_A = \mathrm{Trace}_R(|\zeta\rangle\langle\zeta|)$. The state $|\zeta\rangle$ is said to be a purification of $\rho_A$. There exist infinitely many purifications for every given state [3, Section 2.5]. The purification is a mathematical tool which has only virtual existence, but it allows us to perform valid computations regarding the traced-out state.

In the same manner, Eve's view $\rho^E$ has many states which are its purifications to the EBS. The states $|\varphi_0\rangle$ and $|\varphi_1\rangle$ are only an example of such a purification, not necessarily the best one for our analysis. In this proof we try to bound Eve's information by bounding the amount of information that can be retrieved from the purification. It seems that $|\varphi_0\rangle$ and $|\varphi_1\rangle$ give no practical bound. The purifications we use give a better information bound (in the aspects explained in Section 4.3.1).

We shall use the following purifications:

$$|\Psi^z_0\rangle = |E^z_{0,0}\rangle|0\rangle_z + |E^z_{0,1}\rangle|1\rangle_z$$
$$|\Psi^z_1\rangle = e^{-i\theta}\big[|E^z_{1,1}\rangle|0\rangle_z + |E^z_{1,0}\rangle|1\rangle_z\big]$$

It is easy to prove that those purifications yield the same reduced density matrices $\rho^E_0$ and $\rho^E_1$ when tracing out Bob.
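Carried out here as an added check (not part of the original paper). Since $|\Psi^z_0\rangle$ coincides with $|\varphi^z_0\rangle$, only $|\Psi^z_1\rangle$ needs verifying. Tracing out Bob means $\mathrm{Trace}_{Bob}(X) = \sum_{b\in\{0,1\}} \langle b|_z\, X\, |b\rangle_z$, and $\langle b|b'\rangle_z = \delta_{bb'}$:

$$\begin{aligned}
\mathrm{Trace}_{Bob}\big(|\Psi^z_1\rangle\langle\Psi^z_1|\big)
&= \sum_{b\in\{0,1\}} \langle b|_z\,\Big(e^{-i\theta}\big[|E^z_{1,1}\rangle|0\rangle_z + |E^z_{1,0}\rangle|1\rangle_z\big]\Big)\Big(e^{+i\theta}\big[\langle E^z_{1,1}|\langle 0|_z + \langle E^z_{1,0}|\langle 1|_z\big]\Big)|b\rangle_z \\
&= e^{-i\theta}e^{+i\theta}\Big(|E^z_{1,1}\rangle\langle E^z_{1,1}|\,\langle 0|0\rangle_z + |E^z_{1,0}\rangle\langle E^z_{1,0}|\,\langle 1|1\rangle_z\Big) \\
&= |E^z_{1,0}\rangle\langle E^z_{1,0}| + |E^z_{1,1}\rangle\langle E^z_{1,1}| = \rho^E_1 .
\end{aligned}$$

The cross terms $|E^z_{1,1}\rangle\langle E^z_{1,0}|$ and $|E^z_{1,0}\rangle\langle E^z_{1,1}|$ are multiplied by $\langle b|0\rangle_z\langle 1|b\rangle_z = 0$ and vanish, and the phase cancels, so both the swap of which probe state sits next to $|0\rangle_z$ and $|1\rangle_z$ (compared with $|\varphi^z_1\rangle$) and the choice of $\theta$ leave Eve's reduced state unchanged.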

4.2.2 Basis change

$|\Psi^z_0\rangle$ and $|\Psi^z_1\rangle$ form no basis, for they might not be orthogonal. However, it is quite easy to find a convenient basis for given states (for example, by using the Gram-Schmidt procedure [3, Section 2.1]). We define the following basis:

$$|0^z_H\rangle = \big[|\Psi^z_0\rangle + |\Psi^z_1\rangle\big]/(2\cos\alpha_z)$$
$$|1^z_H\rangle = \big[|\Psi^z_0\rangle - |\Psi^z_1\rangle\big]/(2\sin\alpha_z)$$

where $\theta$ is chosen in such a manner that the overlap $\langle\Psi^z_0|\Psi^z_1\rangle$ is real, and $\cos(2\alpha_z) = \langle\Psi^z_0|\Psi^z_1\rangle$. Using this notation we get:

$$|\Psi^z_0\rangle = \cos(\alpha_z)|0^z_H\rangle + \sin(\alpha_z)|1^z_H\rangle$$
$$|\Psi^z_1\rangle = \cos(\alpha_z)|0^z_H\rangle - \sin(\alpha_z)|1^z_H\rangle$$

Uniting those two definitions according to the value of the bit $b$ sent by Alice, we get:

$$|\Psi^z_b\rangle = \cos(\alpha_z)|0^z_H\rangle + (-1)^b \sin(\alpha_z)|1^z_H\rangle$$


4.2.3 Shorter notation for multi-bit strings

Notation. Following is a summary of the notation definitions used in this paper:

• We shall denote multi-bit strings with boldface fonts, such as $\mathbf{j}$ and $\mathbf{s}$. Those strings are vectors in $\{0,1\}^n$, where $n$ represents the number of bits in the raw key ($n_{raw-key}$).

• The $i$-th bit of the string $\mathbf{s}$ will be denoted $s_i \in \{0,1\}$.

• $\mathbf{j}\cdot\mathbf{s}$ denotes the scalar product of those two strings over $GF(2)$: $\mathbf{j}\cdot\mathbf{s} = \sum_{i=1}^n j_i s_i \bmod 2$.

• $\mathbf{s}\oplus\mathbf{j}$ is the bitwise XOR of the strings $\mathbf{s}$ and $\mathbf{j}$.

• The notation $|\mathbf{s}\rangle$ represents the system composed of all the bits of $\mathbf{s}$, i.e. $|\mathbf{s}\rangle = |s_1\rangle\otimes\cdots\otimes|s_n\rangle$.

• The notation $d$ is the cosine/sine distinguisher:

$$d_{s_i} = \begin{cases}\cos(\alpha_i), & s_i = 0;\\ \sin(\alpha_i), & s_i = 1.\end{cases}$$

Using the above, $d_{\mathbf{s}} = d_{s_1}\cdots d_{s_n} = \prod_{i=1}^n d_{s_i}$.

Shorter State Notation. We have spoken about $|\Psi^z_0\rangle$ or $|\Psi^z_1\rangle$, representing a single bit over the EBS. We shall denote the $n$-bit raw key as $\mathbf{s}$. The raw-key state is in fact a concatenation of $n$ q-bits of the form $|\Psi_i\rangle$:

$$\begin{aligned}
|\Psi_{\mathbf{s}}\rangle &= |\Psi^z_{s_1}\rangle \otimes \cdots \otimes |\Psi^z_{s_n}\rangle = \bigotimes_{i=1}^n |\Psi^z_{s_i}\rangle \\
&= \bigotimes_{i=1}^n \big[\cos(\alpha_z)|0^z_H\rangle + (-1)^{s_i}\sin(\alpha_z)|1^z_H\rangle\big] \\
&= \bigotimes_{i=1}^n \big[d_0|0^z_H\rangle + (-1)^{s_i} d_1|1^z_H\rangle\big] \\
&= \sum_{\mathbf{j}\in\{0,1\}^n} d_{\mathbf{j}}\,(-1)^{\mathbf{s}\cdot\mathbf{j}}\,|\mathbf{j}^z_H\rangle
\end{aligned}$$

Using the $X$ basis. Up till now, Alice has sent all her q-bits in the $Z$ basis, while in a real situation she chooses the bases randomly with equal probability, i.e. she uses the $Z$ basis 50 percent of the time and the $X$ basis 50 percent of the time. Most of the analysis is the same, but it differs in a single point: Eve's attack.

We define Eve's transformation $U$ according to the $Z$ basis. Since this attack is the same for all the q-bits, without knowing their bases in advance, the same $U$ operates


on q-bits prepared in the $X$ basis. Using the equalities $|0\rangle_x = (|0\rangle_z + |1\rangle_z)/\sqrt{2}$ and $|1\rangle_x = (|0\rangle_z - |1\rangle_z)/\sqrt{2}$ it is easy to understand $U$'s effect on $|0\rangle_x$ and $|1\rangle_x$:

$$|0\rangle_x = (|0\rangle_z + |1\rangle_z)/\sqrt{2} \;\xrightarrow{\;U\;}\; (|\varphi^z_0\rangle + |\varphi^z_1\rangle)/\sqrt{2} = |\varphi^x_0\rangle$$
$$|1\rangle_x = (|0\rangle_z - |1\rangle_z)/\sqrt{2} \;\xrightarrow{\;U\;}\; (|\varphi^z_0\rangle - |\varphi^z_1\rangle)/\sqrt{2} = |\varphi^x_1\rangle$$

Those states can be written in the following way as well:

$$|\varphi^x_0\rangle = |E^x_{0,0}\rangle|0\rangle_x + |E^x_{0,1}\rangle|1\rangle_x$$
$$|\varphi^x_1\rangle = |E^x_{1,0}\rangle|0\rangle_x + |E^x_{1,1}\rangle|1\rangle_x$$

where the $|E^x_{i,j}\rangle$ are defined using the $|E^z_{i,j}\rangle$. For instance, $|E^x_{0,0}\rangle = \frac{1}{2}\big(|E^z_{0,0}\rangle + |E^z_{0,1}\rangle + |E^z_{1,0}\rangle + |E^z_{1,1}\rangle\big)$.

We continue defining the relevant states for the $X$ basis as we did for the $Z$ basis:

$$|\Psi^x_0\rangle = |E^x_{0,0}\rangle|0\rangle_x + |E^x_{0,1}\rangle|1\rangle_x$$
$$|\Psi^x_1\rangle = e^{-i\sigma}\big[|E^x_{1,1}\rangle|0\rangle_x + |E^x_{1,0}\rangle|1\rangle_x\big]$$
$$|\Psi^x_b\rangle = \cos(\alpha_x)|0^x_H\rangle + (-1)^b\sin(\alpha_x)|1^x_H\rangle$$
$$|0^x_H\rangle = \big[|\Psi^x_0\rangle + |\Psi^x_1\rangle\big]/(2\cos\alpha_x)$$
$$|1^x_H\rangle = \big[|\Psi^x_0\rangle - |\Psi^x_1\rangle\big]/(2\sin\alpha_x)$$
$$\sigma \text{ chosen such that } \langle\Psi^x_0|\Psi^x_1\rangle \text{ is real}$$
$$\cos(2\alpha_x) = \langle\Psi^x_0|\Psi^x_1\rangle$$

Putting it all Together. Alice sends a random string s, the basis of each bit $s_i$ being chosen randomly. According to the BB84 protocol, we reach the stage where Alice declares which bases she used, so we know the basis of every $s_i$. Our preferred purification of Eve's i-th probe and Bob's i-th bit state is given by $|\Psi_{s_i}\rangle$¹⁷ over the EBS. The purification of the global n-bit raw key is given by:

$$\begin{aligned}
|\Psi_s\rangle &= \bigotimes_{i=1}^{n} |\Psi_{s_i}\rangle \\
&= \bigotimes_{i=1}^{n} \left[\cos(\alpha_i)|0^i_H\rangle + (-1)^{s_i}\sin(\alpha_i)|1^i_H\rangle\right] \\
&= \bigotimes_{i=1}^{n} \left[d_0|0^i_H\rangle + (-1)^{s_i} d_1|1^i_H\rangle\right] \\
&= \sum_{j\in\{0,1\}^n} d_j(-1)^{s\cdot j}\,|j_H\rangle
\end{aligned}$$

¹⁷ In fact, it is either $|\Psi^z_{s_i}\rangle$ or $|\Psi^x_{s_i}\rangle$, but Eve knows which basis was used, so we can omit the x/z notation, remembering to use the correct one.

(Pay attention: we replaced the z/x notation with i, remembering to use the correct basis according to the specific bit, e.g. if the 2nd bit is in the X basis then $\alpha_2 = \alpha_x$ and $|0^2_H\rangle = |0^x_H\rangle$.)

According to this notation, plus the equality $(-1)^j(-1)^k = (-1)^{j\oplus k}$, the purification of the raw-key density matrix is given by:

$$\rho_s = |\Psi_s\rangle\langle\Psi_s| = \sum_{j,k\in\{0,1\}^n} d_j d_k (-1)^{s\cdot(j\oplus k)}\,|j\rangle\langle k| \qquad (1)$$

4.3 Security of 1 bit of the Raw Key

In order to analyze the amount of information that Eve can retrieve about 1 bit of the raw key, we should introduce a few concepts of information theory. Information theory was born in 1948 with Claude Shannon [8]. The theory quantifies information for the purposes of communication and data compression.

4.3.1 Information and Distinguishability

Consider the following game: your friend, David, randomly chooses one of two possible values (say 0 or 1). Then he 'sends' you the value (say, over a classical channel). Your goal is to find out David's original value. In case there is no noise over the channel, this game is quite stupid, for you can easily 'read' the value out of the channel and always win the game. Now consider the quantum version of the game: David chooses one state out of two possible fixed and known quantum pure states (say |γ〉 and |δ〉), and sends it to you over a quantum channel. If |γ〉 and |δ〉 are orthogonal, you can win every turn: |γ〉, |δ〉 form a basis which you can use in order to measure the q-bit (and gain 1 bit of information). However, if they are not orthogonal, you cannot know for sure, and you gain less than 1 bit of information.

The maximal information gain, given |γ〉 and |δ〉, is equal to their mutual information¹⁸. There is no guarantee that you will actually learn this amount of information: you might perform a measurement that gives you less information than the accessible information. We shall define this information by a function named 'Shannon distinguishability': given two equally likely states (density matrices) $\rho_0$ and $\rho_1$,

$$\text{Accessible Information} \equiv SD(\rho_0, \rho_1)$$

Bounding the Distinguishability. If $\rho^A_0$ and $\rho^A_1$ are density matrices such that $\rho^A_i = \mathrm{Tr}_B(\rho_i)$ (i.e. $\rho_i$ is a purification of $\rho^A_i$ to a larger space $\mathcal{H}_A \otimes \mathcal{H}_B$), then the information that can be retrieved from $\rho^A_i$ is bounded by the information that can be gained from $\rho_i$ (this is a special case of [1, Theorem 1]):

$$SD(\rho^A_0, \rho^A_1) \le SD(\rho_0, \rho_1) \qquad (2)$$

¹⁸ i.e. the amount of information those two random variables have in common

This is quite intuitive, since every measurement you can perform on the small space $\mathcal{H}_A$ can be performed as well on the larger space $\mathcal{H}_A \otimes \mathcal{H}_B$, so it is only reasonable that if your view is limited, you can access less information than you could have accessed with the full view (the proof can be found in [1]).

Given $\rho_i$ and a measurement, one can compute the Shannon distinguishability of that specific measurement¹⁹ using the information-theoretic formula. However, there is no known way to calculate the maximal Shannon distinguishability, nor the measurement yielding it. Nevertheless there are bounds on this information. One of them is the trace-norm bound [1, Theorem 2]:

$$SD(\rho_0, \rho_1) \le \frac{1}{2}\mathrm{Tr}|\rho_0 - \rho_1| \qquad (3)$$

The trace norm of a Hermitian matrix A, $\mathrm{Tr}|A|$, is the sum of the absolute values of the eigenvalues of A. This bound relieves us of the need to find the optimal measurement.

4.3.2 Distinguishing 1-bit of the raw key

Since the BB84 protocol is complicated, composed of many stages, it is important to analyze it in stages, seeing how each stage affects the security analysis. Now we shall see how much information is accessible to Eve regarding one of the raw-key bits (WLOG: the first one).

In order to find the value of the first bit, Eve must distinguish between two possible density matrices $\rho^E_0$ and $\rho^E_1$, defined in Section 4.1 for the Z basis (they can easily be transformed if the relevant basis is X). Using (2) and (3) we get:

$$SD(\rho^E_0, \rho^E_1) \le SD(\rho_0, \rho_1) \le \frac{1}{2}\mathrm{Tr}|\rho_0 - \rho_1|$$

Using the simplified notation of $\rho_s$ (for a single bit, based on Eq. (1)) we get:

$$\begin{aligned}
\rho_0 &\equiv |\Psi_0\rangle\langle\Psi_0| = \sum_{j,k\in\{0,1\}} d_j d_k\,|j\rangle\langle k| \qquad (4)\\
\rho_1 &\equiv |\Psi_1\rangle\langle\Psi_1| = \sum_{j,k\in\{0,1\}} d_j d_k (-1)^{j\oplus k}\,|j\rangle\langle k|
\end{aligned}$$

And therefore:

$$\begin{aligned}
\frac{1}{2}\mathrm{Tr}|\rho_0 - \rho_1| &= \frac{1}{2}\mathrm{Tr}\Big|2\sum_{\substack{j,k\in\{0,1\}\\ j\oplus k=1}} d_j d_k\,|j\rangle\langle k|\Big| \\
&= \frac{1}{2}\mathrm{Tr}\Big|2\sum_{j\in\{0,1\}} d_j d_{j\oplus 1}\,|j\rangle\langle j\oplus 1|\Big| \\
&= \frac{1}{2}\mathrm{Tr}\Big|2d_0d_1|0\rangle\langle 1| + 2d_1d_0|1\rangle\langle 0|\Big| \\
&= d_0 d_1 + d_1 d_0 \quad \Big(= \sum_j d_j d_{j\oplus 1}\Big) \\
&= 2\sin(\alpha)\cos(\alpha) = \sin(2\alpha)
\end{aligned}$$

¹⁹ i.e. the amount of information gained by using this particular measurement

We get

$$\text{Mutual Information} \le \sin(2\alpha) = \sqrt{1 - \cos^2(2\alpha)} = \sqrt{1 - |\langle\Psi_0|\Psi_1\rangle|^2} \qquad (5)$$

Example. Consider the C-NOT attack with U as defined in the example of Section 4.1. Assume Alice prepared the attacked bit in the Z basis. We get:

$$|\Psi_0\rangle = |0\rangle|0\rangle \qquad\qquad |\Psi_1\rangle = |1\rangle|0\rangle$$

(pay attention: in this example θ = 0). Thus,

$$\rho_0 = \begin{pmatrix} 1&0&0&0\\ 0&0&0&0\\ 0&0&0&0\\ 0&0&0&0 \end{pmatrix} \qquad\qquad \rho_1 = \begin{pmatrix} 0&0&0&0\\ 0&0&0&0\\ 0&0&1&0\\ 0&0&0&0 \end{pmatrix}$$

And the information is bounded by:

$$\frac{1}{2}\mathrm{Tr}|\rho_0 - \rho_1| = \frac{1}{2}\mathrm{Tr}\left|\begin{pmatrix} 1&0&0&0\\ 0&0&0&0\\ 0&0&-1&0\\ 0&0&0&0 \end{pmatrix}\right| = \frac{1}{2}\big(|1| + 0 + |{-1}| + 0\big) = 1 \text{ bit}$$

Therefore, Eve's information is at most one bit, and indeed her probe is in the exact state of Alice's q-bit, so measuring it in the Z basis will retrieve 1 bit of information.

Now we shall assume that Alice has used the X basis to prepare the q-bit. The properties of the C-NOT attack tell us that Eve causes maximal disturbance and can gain no information about the bit (no-cloning theorem), for measuring her probe gives a random result, with equal probability for each outcome. Thus, we expect the information bound to be "low"†.

† The bound is not proven to be tight, therefore we cannot expect it to equal zero, but we can expect it to be 'almost zero'.


First we represent the attack U in the X basis:

$$|0_z\rangle_E|0_x\rangle_A \xrightarrow{U} |0_x\rangle_E|0_x\rangle_A + |1_x\rangle_E|1_x\rangle_A$$
$$|0_z\rangle_E|1_x\rangle_A \xrightarrow{U} |0_x\rangle_E|1_x\rangle_A + |1_x\rangle_E|0_x\rangle_A$$

E.g. $|E_{0,0}\rangle_x = |0\rangle_x$, $|E_{0,1}\rangle_x = |1\rangle_x$, $|E_{1,0}\rangle_x = |1\rangle_x$ and $|E_{1,1}\rangle_x = |0\rangle_x$. Using these results it is easy to complete the analysis in the same way as done for the Z basis:

$$|\Psi_0\rangle = |0\rangle|0\rangle + |1\rangle|1\rangle \qquad\qquad |\Psi_1\rangle = |0\rangle|0\rangle + |1\rangle|1\rangle^{\dagger\dagger}$$

(pay attention: we omit the x identifier, however the |0〉 state is indeed $|0\rangle_x$, and $|\Psi_0\rangle$ is indeed $|\Psi_0\rangle_x$, etc.). Thus,

$$\rho_0 = \begin{pmatrix} 1&0&0&1\\ 0&0&0&0\\ 0&0&0&0\\ 1&0&0&1 \end{pmatrix} \qquad\qquad \rho_1 = \begin{pmatrix} 1&0&0&1\\ 0&0&0&0\\ 0&0&0&0\\ 1&0&0&1 \end{pmatrix}$$

And the information is bounded by:

$$\frac{1}{2}\mathrm{Tr}|\rho_0 - \rho_1| = \frac{1}{2}\mathrm{Tr}|0| = 0$$

Indeed, we find that Eve's information is bounded by 0 bits!

†† σ = 0

4.4 Information Versus Disturbance

A true intuition about the security of this protocol cannot be acquired without understanding the relation between information and disturbance. We can sum up the relation this way: you can't win them both (or, to be more metaphoric, "have your cake and eat it too"):

The more information you gain, the more errors you make.


We now show that the information gained in one basis is proportional to the error introduced in the other basis. WLOG, we shall examine the error in the X basis versus the information gained about the Z-basis q-bit, using a fixed (but arbitrary) unitary transformation U.

Error, in this protocol, can happen in two possible ways: either Alice sent '0' and Bob measured '1', or Alice sent '1' while Bob measured '0'. Eve's probe states are then $|E_{0,1}\rangle$ or $|E_{1,0}\rangle$ respectively. Since Alice sends '0' and '1' with equal probability, the average error rate of Bob is given by:

$$p^x_e = \frac{1}{2}\left[\langle E^x_{0,1}|E^x_{0,1}\rangle + \langle E^x_{1,0}|E^x_{1,0}\rangle\right]$$

If we expand $p^x_e$ in terms of the Z basis, using U's linearity (as explained in 4.2.3), we get:

$$\begin{aligned}
p^x_e &= \frac{1}{4}\Big[\langle E^z_{0,0} - E^z_{1,1}|E^z_{0,0} - E^z_{1,1}\rangle + \langle E^z_{1,0} - E^z_{0,1}|E^z_{1,0} - E^z_{0,1}\rangle\Big] \\
&= \frac{1}{4}\Big[\big(\langle E^z_{0,0}|E^z_{0,0}\rangle - \langle E^z_{0,0}|E^z_{1,1}\rangle - \langle E^z_{1,1}|E^z_{0,0}\rangle + \langle E^z_{1,1}|E^z_{1,1}\rangle\big) \\
&\qquad + \big(\langle E^z_{1,0}|E^z_{1,0}\rangle - \langle E^z_{0,1}|E^z_{1,0}\rangle - \langle E^z_{1,0}|E^z_{0,1}\rangle + \langle E^z_{0,1}|E^z_{0,1}\rangle\big)\Big]
\end{aligned}$$

The transformation U, being unitary, must preserve inner products (Eq. (19) in Appendix A), so $\langle\varphi^z_0|\varphi^z_0\rangle = \langle\varphi^z_1|\varphi^z_1\rangle = 1$:

$$\begin{aligned}
\langle E^z_{0,0}|E^z_{0,0}\rangle + \langle E^z_{0,1}|E^z_{0,1}\rangle &= 1 \\
\langle E^z_{1,1}|E^z_{1,1}\rangle + \langle E^z_{1,0}|E^z_{1,0}\rangle &= 1 \\
\langle E^z_{0,0}|E^z_{1,1}\rangle + \langle E^z_{1,1}|E^z_{0,0}\rangle &= 2\,\mathrm{Re}\big[\langle E^z_{1,1}|E^z_{0,0}\rangle\big] \quad \text{(algebra)}
\end{aligned}$$

And we get

$$p^x_e = \frac{1}{2}\Big[1 - \mathrm{Re}\big[\langle E^z_{0,0}|E^z_{1,1}\rangle + \langle E^z_{1,0}|E^z_{0,1}\rangle\big]\Big]$$

Using $\mathrm{Re}[\alpha] \le |\alpha|$ for every complex α we sum up with

$$p^x_e \ge \frac{1}{2}\Big[1 - \big|\langle E^z_{0,0}|E^z_{1,1}\rangle + \langle E^z_{1,0}|E^z_{0,1}\rangle\big|\Big] \qquad (6)$$

Be reminded that Eve's information is bounded by $\sin(2\alpha_z)$, which equals $\sqrt{1 - |\langle\Psi^z_0|\Psi^z_1\rangle|^2}$ (5). The overlap $|\langle\Psi^z_0|\Psi^z_1\rangle|$, by its definition, equals exactly $|\langle E^z_{0,0}|E^z_{1,1}\rangle + \langle E^z_{1,0}|E^z_{0,1}\rangle|$, which leads to the information-versus-error relation:

$$\begin{aligned}
p^x_e &\ge \frac{1}{2}\Big[1 - |\langle\Psi^z_0|\Psi^z_1\rangle|\Big] = \frac{1}{2}\Big[1 - \sqrt{1 - \sin^2(2\alpha_z)}\Big] \\
&= \frac{1}{2}\big[1 - \cos(2\alpha_z)\big] \\
&= \sin^2(\alpha_z) \qquad (7)
\end{aligned}$$


In a dual way, the average error caused to Bob's bit, if prepared in the Z basis, is proportional to the information that could be gained had the q-bit been prepared in the X basis:

$$p^z_e \ge \sin^2(\alpha_x)$$

As explained in 2.3.2, the average error rate computed by Bob is composed of $n_{err\text{-}test}$ bits that are compared (publicly) with Alice's same bits. The q-bits related to those bits were prepared using both bases with equal probability. Thus, the average error probability of a single bit should be $p_e = \frac{1}{2}(p^z_e + p^x_e)$. Using $2p_e \ge p^z_e \ge \sin^2(\alpha_x)$ and $2p_e \ge p^x_e \ge \sin^2(\alpha_z)$ we get:

$$2p_e \ge \sin^2(\alpha) \qquad (8)$$

where α is the appropriate α according to the basis actually used by Alice.

In this calculation we have shown a correlation between the information gained by an eavesdropper (governed by α) and the error rate, $p_e$, caused by the eavesdropping: the more information gained, the higher the error caused. Therefore, the security of this protocol lies in Alice's and Bob's ability to abort the protocol once the error rate (i.e. the amount of information leakage) is not negligible.

4.5 Security of 1 bit of the Final Key

In order to complete this analysis and bound the information of 1 bit of the final key, two obstacles must be overcome: the effect of Privacy Amplification (PA) and the exposure of Error-Correction (EC) data. Both can be handled in a similar manner, since both are based on the use of parity bits: the PA builds the final-key bit as a parity bit of the raw key, and the EC data reveals several parity bits of the raw key in order to correct errors in the raw key.

Parity Bit Definition. Given an n-bit string s ∈ {0,1}^n and a mask w ∈ {0,1}^n, we define the parity bit of s given by the mask w as b = s · w, the XOR of those bits of s selected by the ones in the mask w, i.e.

$$b = \sum_i (s_i \cdot w_i) \bmod 2.$$

4.5.1 Dealing with Privacy Amplification

We shall start with the PA process (although it comes last in the BB84 protocol). After Alice and Bob have finished correcting their raw key, and are now assumed to share the same raw key, Alice chooses a mask w according to which the final bit will be computed. She sends this mask to Bob over the public channel, so Eve knows the mask being used for the 1-bit final key. However, Eve knows neither their raw-key string (denoted s) nor the final bit b = s · w. Out of the $2^n$ possible strings, exactly half produce b = 0 and the other half b = 1 (given a specific, non-zero mask w).


Since Eve doesn't know which s was used, and all those s are equiprobable, they all contribute to Eve's density matrix. As before, we shall write two density matrices, this time according to whether the final bit is '0' or '1'. In other words: if the final bit is (WLOG) '0', for a given mask w there are $2^{n-1}$ possible strings s that Alice can send, all with equal probability. Thus:

$$\rho^w_0 = \frac{1}{2^{n-1}}\sum_{s:\ s\cdot w=0} |\Psi_s\rangle\langle\Psi_s| \qquad\qquad \rho^w_1 = \frac{1}{2^{n-1}}\sum_{s:\ s\cdot w=1} |\Psi_s\rangle\langle\Psi_s|$$

The distinguishability of those two matrices, i.e. the amount of information gained about the final key bit given one of these matrices, is given by the following (the proof is due to Eq. (1), trigonometric identities and [1, Theorem 3]):

$$\begin{aligned}
\text{Eve's Information} &\le \frac{1}{2}\mathrm{Tr}|\rho^w_0 - \rho^w_1| \\
&= \frac{1}{2}\mathrm{Tr}\Big|2\sum_{\substack{j,k\in\{0,1\}^n\\ j\oplus k=w}} d_j d_k\,|j\rangle\langle k|\Big| \\
&= \frac{1}{2}\mathrm{Tr}\Big|2\sum_{j\in\{0,1\}^n} d_j d_{j\oplus w}\,|j\rangle\langle j\oplus w|\Big| \\
&\le \sum_j d_j d_{j\oplus w} = \prod_{i:\ w_i=1}\sin(2\alpha_i)\prod_{i:\ w_i=0} 1 \\
&= \prod_{i:\ w_i=1}\sin(2\alpha_i)
\end{aligned}$$

The final result says the following: if the final bit is computed by XORing |w| bits²⁰, the information is bounded by $(\sin(2\alpha))^{|w|}$ (where α changes according to the appropriate basis). It agrees with our previous result that the information gain from every bit of the raw key is bounded by sin(2α). Since the final bit is composed of |w| bits of the raw key and every bit contributes a factor of sin(2α), we conclude with the last result.

It is important to recall one of the implicit steps of this analysis: we have computed the distinguishability between $\rho^w_0$ and $\rho^w_1$, which are purifications of Eve's view into the EBS. As before, we relied on the fact that the state in Eve's hands reveals less information than any of its purifications to a larger space (in particular, the EBS).

4.5.2 Dealing with Error Correction

In order to retrieve the same error-free raw key, Bob must correct his erroneous bits. This is done by Alice sending EC data publicly to Bob. This data might leak information to whoever hears it (Eve, for instance). This section explains a bound on the information concealed in these EC bits.

²⁰ |w| is w's Hamming weight, i.e. the number of '1's in w.

We shall consider the following method of error correction: Alice chooses r independent strings $\{v_i \in \{0,1\}^n,\ i = 1..r\}$ and sends Bob $v_i$ and $s \cdot v_i$ for i = 1..r (where s is Alice's raw key). We shall denote $V = (v_1, \ldots, v_r)^{\top}$ the r × n matrix whose rows are the $v_i$, and b the string $\{s \cdot v_1 = b_1, \ldots, s \cdot v_r = b_r\}$. In other words, $sV^{\top} = b$.

The use of those EC bits can be seen in two different ways:

i. The $v_i$ can be viewed as the rows of a parity-check matrix for a specific linear code C of length n. Bob has received a (perhaps) erroneous codeword $s_{Bob}$ over the non-linear affine code which is defined by C and the syndrome b.

ii. The $v_i$ can be viewed as columns of a generator matrix of a specific systematic linear code of length n + r. Bob received the (perhaps) erroneous n initial bits of the codeword, and the $s \cdot v_i$ are the final r bits of the codeword.

In both cases, the maximal amount of information leaked is the same (since the information sent by Alice is the same in both interpretations).

Option 1:

$$\begin{aligned}
H &= V_{r\times n} \\
\text{Linear-}C &= \{x \in \{0,1\}^n \mid Hx = 0\} \\
\text{Affine-}C &= \text{Linear-}C + b = \{x + b \mid Hx = 0\} \\
s &\in \text{Affine-}C
\end{aligned}$$

Option 2:

$$\begin{aligned}
G &= (I \mid V^{\top})_{n\times(n+r)} \\
H &= (V \mid I)_{r\times(n+r)} \\
C &= \{xG \mid x \in \{0,1\}^n\} \\
s|b &\in C
\end{aligned}$$

Since $\{v_i\}$ and $\{b_i = s \cdot v_i\}$ are publicly known, the privacy amplification string w must be independent of $\{v_i\}$, or the final bit can be constructed out of the public information $\{b_i\}$. Pay attention that every parity bit of s gives us 1 bit of information about s. For example, if we know that the XOR of all the bits of s produces '0', we can "throw away" the half of the strings in {0,1}^n whose XOR gives '1'.

Therefore, given r independent parity bits of s, namely $\{b_1..b_r\}$, and an independent string w to use as the privacy amplification mask, we get only $2^{n-r-1}$ suitable strings in {0,1}^n, i.e. only $2^{n-r-1}$ strings give the same parities $\{b_1..b_r\}$ and the same final bit dictated by w. All of those possible strings are equiprobable and each contributes to Eve's density matrix. We get:

$$\rho^{w,b}_0 = \frac{1}{2^{n-r-1}}\sum_{s:\ s\cdot w=0\ \text{and}\ sV^{\top}=b} |\Psi_s\rangle\langle\Psi_s| \qquad (9)$$

$$\rho^{w,b}_1 = \frac{1}{2^{n-r-1}}\sum_{s:\ s\cdot w=1\ \text{and}\ sV^{\top}=b} |\Psi_s\rangle\langle\Psi_s| \qquad (10)$$

Example. Let n = 4, r = 2, $v_1$ = 0110, $v_2$ = 1001, w = 1110. For every choice of b and final bit, only $2^{n-r-1} = 2^1$ strings comply with the requirements. For instance, let's say $b_1$ = 1 and $b_2$ = 0. The strings which comply with the requirement and give a final bit '0' are only 1011 and 1101. The strings that give '1' as final bit are 0010 and 0100:

String  b1  b2  Complies with b?  Final bit (according to w)
0000    0   0                     0
0001    0   1                     0
0010    1   0         √           1
0011    1   1                     1
0100    1   0         √           1
0101    1   1                     1
0110    0   0                     0
0111    0   1                     0
1000    0   1                     1
1001    0   0                     1
1010    1   1                     0
1011    1   0         √           0
1100    1   1                     0
1101    1   0         √           0
1110    0   1                     1
1111    0   0                     1

Table 2: Division of the space according to Error-Correction Code (ECC) information
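The table can be regenerated, and the independence requirement of Section 4.5.2 checked mechanically, with the following added Python example (my own code, not the paper's). Bit strings are represented as integers whose leftmost bit is bit 1, so the paper's $v_1$ = 0110 is 0b0110. The function partitions {0,1}^n into the strings consistent with the public EC parities b and groups them by the PA final bit s · w; gf2_rank is a small Gaussian elimination over GF(2) used to test whether w lies in the span of the $v_i$, the case in which every consistent string shares the same final bit and the public data alone determines it. The sample input is the paper's n = 4 example; the leaking mask $v_1 \oplus v_2$ in the usage is a constructed counter-example.

```python
def parity(s, mask):
    """s . mask over GF(2): XOR of the bits of s selected by the ones of mask."""
    return bin(s & mask).count("1") & 1


def consistent_strings(n, ec_strings, b):
    """All s in {0,1}^n whose EC parities s . v_i equal the public b_i."""
    return [s for s in range(1 << n)
            if all(parity(s, v) == bi for v, bi in zip(ec_strings, b))]


def partition_by_final_bit(n, ec_strings, b, w):
    """Group the strings consistent with b by the PA final bit s . w.

    With w independent of the v_i, both groups have 2^(n-r-1) members.
    """
    groups = {0: [], 1: []}
    for s in consistent_strings(n, ec_strings, b):
        groups[parity(s, w)].append(s)
    return groups


def gf2_rank(vectors):
    """Rank over GF(2) of bit strings given as ints (Gaussian elimination)."""
    pivots = {}                       # leading bit position -> reduced row
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead in pivots:
                v ^= pivots[lead]     # eliminate the leading bit
            else:
                pivots[lead] = v
                break
    return len(pivots)


def mask_is_independent(ec_strings, w):
    """True iff w is not in the GF(2) span of the EC strings."""
    return gf2_rank(list(ec_strings) + [w]) == gf2_rank(ec_strings) + 1


def print_table(n, ec_strings, b, w):
    """Reproduce Table 2: parities, compliance with b, and the final bit."""
    print("String  " + "  ".join(f"b{i + 1}" for i in range(len(ec_strings)))
          + "  Complies?  Final bit")
    for s in range(1 << n):
        pars = [parity(s, v) for v in ec_strings]
        ok = "yes" if pars == list(b) else "   "
        print(f"{s:0{n}b}    " + "   ".join(str(p) for p in pars)
              + f"      {ok}        {parity(s, w)}")


if __name__ == "__main__":
    n, v1, v2, w = 4, 0b0110, 0b1001, 0b1110
    print_table(n, [v1, v2], (1, 0), w)
    print(partition_by_final_bit(n, [v1, v2], (1, 0), w))
    print("w independent of EC strings:", mask_is_independent([v1, v2], w))
    # Constructed leaking mask: w = v1 xor v2 is a public parity, so every
    # string consistent with b has final bit b1 xor b2 and Eve learns it.
    print(partition_by_final_bit(n, [v1, v2], (1, 0), v1 ^ v2))
```

With the paper's mask the two groups are {1011, 1101} and {0010, 0100}, as in the table; with the dependent mask 1111 all four consistent strings fall into the final-bit-1 group, which is the leak the independence requirement rules out.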

4.6 Bounding Eve’s Information.

In order to know whether the final bit is '0' or '1', Eve must distinguish between two density matrices, of which $\rho^{w,b}_0$ and $\rho^{w,b}_1$ are purifications to the EBS. Eve's information is thus bounded by $SD(\rho^{w,b}_0, \rho^{w,b}_1)$, which according to [1] equals:

$$\text{Eve's Information} \le \frac{1}{2}\mathrm{Tr}|\rho^{w,b}_0 - \rho^{w,b}_1| \qquad (11)$$

Using (1), the equation $(-1)^{x\cdot y}\cdot(-1)^{x\cdot z} = (-1)^{x\cdot(y\oplus z)}$ and the fact that the final key bit equals s · w, we get:

$$\begin{aligned}
&= \frac{1}{2}\mathrm{Tr}\Big|(-1)^0\rho^{w,b}_0 + (-1)^1\rho^{w,b}_1\Big| \qquad (12)\\
&= \frac{1}{2}\mathrm{Tr}\Big|2^{-n+r+1}\sum_{j,k} d_j d_k\,|j\rangle\langle k| \sum_{s:\ sV^{\top}=b}(-1)^{s\cdot(j\oplus k\oplus w)}\Big| \qquad (13)
\end{aligned}$$

This result is due to pairwise cancellation of all the elements for which $j \oplus k \oplus w \ne 0$. Define $t \in \{0,1\}^r$ and denote $v_t = \sum_{i=1}^{r} t_i v_i$. $v_t$ is a linear combination of the EC strings $\{v_i\}$, and the parity bit it defines is the linear combination of the matching parity bits:

$$s \cdot v_t = \sum_{i=1}^{r} s \cdot t_i v_i = \sum_{i=1}^{r} t_i b_i = t \cdot b \qquad (14)$$

If $j \oplus k \oplus w = v_t$ then the exponent of Eq. (13) reduces to $s \cdot v_t = t \cdot b$. Since this holds independently of the specific s, the coefficient of $|j\rangle\langle k| = |j\rangle\langle j \oplus w \oplus v_t|$ sums up to $(-1)^{t\cdot b}\,2\,d_j d_{j\oplus w\oplus v_t}$. All the other coefficients are 0, since the elements are cancelled in pairs. Proof: there exists a string y ≠ 0 s.t. $(j \oplus w \oplus v_t)\cdot y = 1$ and, for every i = 1..r, $v_i \cdot y = 0$. Every string s which satisfies $sV^{\top} = b$ cancels the string $s \oplus y$. It is easy to verify that $(s \oplus y)V^{\top} = b$. Thus the distinguishability:

$$\begin{aligned}
&\le \frac{1}{2}\mathrm{Tr}\Big|2\sum_{t\in\{0,1\}^r}\sum_{j\in\{0,1\}^n} d_j d_{j\oplus w\oplus v_t}(-1)^{t\cdot b}\,|j\rangle\langle j\oplus w\oplus v_t|\Big| \qquad (15)\\
&\le \sum_{t\in\{0,1\}^r}\sum_{j\in\{0,1\}^n} d_j d_{j\oplus w\oplus v_t} \qquad (16)
\end{aligned}$$

Now, for a specific bit i, if $(w \oplus v_t)_i = 1$ we get $d_{j_i} d_{j_i\oplus 1} = \sin(\alpha_i)\cos(\alpha_i)$, independent of the value of j; running over all the j's, each factor comes twice (once for j and once for $j \oplus w \oplus v_t$). The remaining coefficient (i.e. the places where $(w \oplus v_t)_i = 0$) sums to one, because there we get $d_{j_i} d_{j_i\oplus 0}$, which is either $\sin^2(\alpha_i)$ or $\cos^2(\alpha_i)$; running over all the possible values of $j \in \{0,1\}^n$, exactly half of the times it is $\sin^2(\alpha_i)$ and the other half $\cos^2(\alpha_i)$, thus the coefficient sums to one:

$$\begin{aligned}
&\le \sum_{t\in\{0,1\}^r}\ \prod_{i:\ (w\oplus v_t)_i=1} 2\sin(\alpha_i)\cos(\alpha_i) \prod_{i:\ (w\oplus v_t)_i=0} 1 \qquad (17)\\
&= \sum_{t\in\{0,1\}^r}\ \prod_{i:\ (w\oplus v_t)_i=1}\sin(2\alpha_i) \qquad (18)
\end{aligned}$$

Eq. (18) completes the proof, giving us Eve's information about the final key bit. Using Eq. (8) we get the relation between the error rate and Eve's information about the final key bit.

4.6.1 Information Bound

In the previous section we reached a bound on Eve's information which is expressed by means of Eve's attack, i.e. the $\alpha_i$. Since Alice and Bob don't know Eve's attack, they cannot use Eq. (18) to bound the information leakage of their protocol. In this section we shall bound the information by the protocol parameters, which are chosen by Alice and Bob.

Using Eq. (18), Eq. (8) and $\sin(2\alpha) \le 2\sin(\alpha)$ we get:

$$\text{Information} \le \sum_{t\in\{0,1\}^r}\ \prod_{i:\ (w\oplus v_t)_i=1}\sqrt{8p_e}$$

This bound is not yet satisfactory, since $p_e$ is not known to Alice and Bob. They can only estimate its value by $p_{err\text{-}test}$, the average error rate of the $n_{err\text{-}test}$ bits which are compared in the error-rate validation stage of BB84 (Section 2.3.2). It is claimed in [1] that we can use [9] to get $\Pr[p_e \ge p_{err\text{-}test} + 2\delta] \le 2e^{-2n_{err\text{-}test}\delta^2}$. Thus, except with probability $p_{luck} \le 2e^{-2n_{err\text{-}test}\delta^2}$, we can bound $p_e$ by $p_{err\text{-}test} + 2\delta$, to achieve:

$$\text{Information} \le \sum_{t\in\{0,1\}^r}\ \prod_{i:\ (w\oplus v_t)_i=1}\sqrt{8p_{err\text{-}test} + 16\delta}$$

In this bound all the parameters are chosen by Alice and Bob, or can be calculated by them. Denote $n_t$ the Hamming weight of $w \oplus v_t$, to conclude with:

$$\text{Information} \le \sum_{t\in\{0,1\}^r}\big(8p_{err\text{-}test} + 16\delta\big)^{n_t/2}$$
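The two bounds of this section, Eq. (18) in terms of Eve's angles and the final form in terms of $p_{err\text{-}test}$ and δ, as an added Python example (my own code, not the paper's). It enumerates all t ∈ {0,1}^r, forms $v_t$ as the XOR of the selected EC strings, and multiplies one factor per position where $(w \oplus v_t)_i = 1$; a t with $n_t = 0$ contributes an empty product, i.e. 1. Bit strings are ints with the leftmost bit as bit 1, and the sample input is the n = 4 example of Section 4.5.2; the $\alpha_i$ values and the error-rate figures used in the usage are constructed, not taken from the paper.

```python
import math
from itertools import product


def combined_ec_string(ec_strings, t):
    """v_t = XOR of the EC strings v_i selected by t_i = 1 (the sum in Eq. 14)."""
    vt = 0
    for ti, v in zip(t, ec_strings):
        if ti:
            vt ^= v
    return vt


def selected_positions(mask, n):
    """Indices i (0 = leftmost bit) where the n-bit mask has a 1."""
    return [i for i in range(n) if (mask >> (n - 1 - i)) & 1]


def eve_bound_from_attack(alphas, ec_strings, w):
    """Eq. (18): sum over t of prod_{i: (w xor v_t)_i = 1} sin(2 alpha_i).

    alphas[i] is Eve's angle alpha_i for raw-key bit i; it depends on her
    attack and on the basis Alice used for that bit (unknown to Alice/Bob).
    """
    n = len(alphas)
    total = 0.0
    for t in product((0, 1), repeat=len(ec_strings)):
        mask = w ^ combined_ec_string(ec_strings, t)
        total += math.prod(math.sin(2 * alphas[i])
                           for i in selected_positions(mask, n))
    return total


def eve_bound_from_parameters(n, ec_strings, w, p_err_test, delta):
    """Final form of 4.6.1: sum over t of (8 p_err_test + 16 delta)^(n_t / 2),
    n_t = Hamming weight of w xor v_t.  Every quantity here is public or
    chosen by Alice and Bob, so they can evaluate it without knowing the attack.
    """
    base = 8 * p_err_test + 16 * delta
    total = 0.0
    for t in product((0, 1), repeat=len(ec_strings)):
        n_t = len(selected_positions(w ^ combined_ec_string(ec_strings, t), n))
        total += base ** (n_t / 2)
    return total


if __name__ == "__main__":
    n, ec, w = 4, [0b0110, 0b1001], 0b1110
    # Constructed attack: the same alpha on every bit, with sin(2 alpha) = 1/2.
    print(eve_bound_from_attack([math.pi / 12] * n, ec, w))      # about 1.25
    # Constructed observed error rate 1/32 and delta = 0 give the same figure.
    print(eve_bound_from_parameters(n, ec, w, 1 / 32, 0.0))      # about 1.25
```

For this input the four masks $w \oplus v_t$ have Hamming weights 3, 3, 1 and 1, so the bound is $2\sin^3(2\alpha) + 2\sin(2\alpha)$; that it can exceed one bit for a single key bit illustrates how generous the bound is, a point the paper itself makes in Section 5.1.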

4.6.2 Extending the Proof to Multiple Bits of the Final Key

Usually the BB84 protocol is used to exchange a long key instead of a single bit. The proof is trivially extended to deal with m bits, by selecting m PA strings $w_1..w_m$, using each for a single bit. Those masks must be linearly independent, and each must be independent of the EC strings V, i.e. W ∩ V = {0}.


5 Conclusion

Quantum mechanics may change the cryptology world as we know it by breaking the classical protocols we have relied on for the last several decades. Simultaneously, it gives us tools to build the next generation of cryptology.

Key distribution is one of the most basic and needed cryptographic protocols nowadays. We have seen that the 'classical' key distribution protocols are insecure against an all-powerful enemy that has unlimited computation power, but are based on the practical fact that breaking those protocols with today's technology (or with the near-future technology) is not feasible. Quantum computers are the far-future technology that makes the infeasible possible.

We have seen the postulates of quantum mechanics that allow us to build a quantum cryptology which is information-theoretically secure, unbreakable even by an unlimited-power enemy. We have seen the BB84 protocol, which was the first to use those techniques in order to achieve a cryptographic protocol. We have seen different kinds of attacks against quantum cryptologic protocols, and have analyzed the BB84 protocol against a very general attack, the collective attack.

We have seen that the security of this protocol results from the relation between the amount of information the enemy can gain and the error it introduces into the system. We have formulated a bound on this information, for a given error rate.

5.1 Open Questions and Further Research Questions

We have seen an analysis of the collective attack, which is not the most general attack; that is the joint attack. The joint attack has been studied by several researchers, each choosing different methods and reaching slightly different results. It is conjectured that the collective attack described in this paper is in fact the most powerful joint attack.

Another question to be asked is whether the bound shown in this paper is tight and, if not, how it can be improved. It is very probable that we can tighten the bound by a factor of 2. As pointed out in other footnotes, there are a few more places where this bound is very generous and can potentially be tightened.

Another question is what the relation is between Eve's information and the bound we have found. The bound is computed for a purification of Eve's state, thus Eve has less information than we assume. Can this gap be quantified? Can we make a better bound by choosing a different purification? We know that Eve's view can be purified to a pure state for which the information bound is maximal. What is the least informative purification for a given state? Or we can look at Eve: can we define Eve's best attack? Can we define an attack that achieves the information bound?


References

[1] Eli Biham, Michel Boyer, Gilles Brassard, Jeroen van de Graaf and Tal Mor. Security of Quantum Key Distribution against All Collective Attacks. Algorithmica, 34:372–388, 2002.

[2] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, November 1976.

[3] M. Nielsen and I. Chuang. Quantum Computation and Quantum Information. Cambridge University Press, 2000.

[4] Charles H. Bennett and Gilles Brassard. Quantum Cryptography: Public Key Distribution and Coin Tossing. International Conference on Computers, Systems & Signal Processing, Bangalore, India, 1984.

[5] Lov K. Grover. A fast quantum mechanical algorithm for database search. Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, 212–219, 1996.

[6] Peter W. Shor. Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. AT&T Bell Labs, 1996.

[7] Eli Biham, Michel Boyer, P. Oscar Boykin, Tal Mor and Vwani Roychowdhury. A proof of the Security of Quantum Key Distribution. Journal of Cryptology manuscript, [about to be published].

[8] C. E. Shannon. A mathematical theory of communication. Bell System Technical Journal, vol. 27, pp. 379–423 and 623–656, 1948.

[9] W. Hoeffding. Probability inequalities for sums of bounded random variables. J. Amer. Statist. Assoc., 58:13–20, 1963.


Appendix A. No-Cloning Theorem

Properties of polarized photons. We shall begin the explanation of the no-cloning theorem with an example describing the behavior of photons (based on [4]). Polarized photons are produced by sending a light beam through a polaroid filter. The polarization axis is determined by the orientation of the filter. (I'm sure the reader has done such an experiment in 8th grade, wearing "polarized glasses" whose lenses are polaroid filters. The lenses can be put one above the other. Now the teacher asks to rotate one of the lenses: when rotated by 90 degrees, the lenses become opaque and transmit no light; when rotated by another 90 degrees, the lenses become transparent again.)

Figure 5: Polarization of Light

When a photon with polarization axis α is passed through a polaroid filter with axis β, it will be absorbed with probability $\sin^2(\alpha - \beta)$ and transmitted through the filter with probability $\cos^2(\alpha - \beta) = 1 - \Pr_{absorbed}$. In particular: if the axes are parallel (α = β + 180°k) the photon will never be absorbed, and if the axes are perpendicular (α = β + 45° + 180°k) the photon will be absorbed with probability 1.

The interesting thing is that if the two axes are neither parallel nor perpendicular, no information about α can be learnt if one knows only β: photons that are not absorbed by the β-polaroid filter pass with polarization of exactly β!

Therefore, if a photon is transmitted with polarization direction α or β, and all one has is a detector and two polaroid filters (one set to the α axis and the other to β), one cannot know the original axis of the photon, since usage of the polaroid filter changes the polarization of the photon. Therefore one cannot reproduce other photons in the original polarization without occasional errors.

Unitary transformations must preserve inner products. Proof: a unitary matrix satisfies $U^{\dagger}U = I$²¹, therefore:

$$\langle\phi|\psi\rangle \xrightarrow{U} \langle U\phi|U\psi\rangle = \phi^{\dagger}U^{\dagger}U\psi = \phi^{\dagger}I\psi = \langle\phi|\psi\rangle \qquad (19)$$

²¹ $U^{\dagger}$ is the conjugate transpose of U, i.e. $(U^{t})^{*}$.


A general q-bit cannot be cloned. Proof: Assume that cloning was possible, i.e. there exists a unitary transformation U s.t. for every pair of states |ψ〉, |φ〉:

$$|\psi\rangle|0\rangle \xrightarrow{U} |\psi\rangle|\psi\rangle \qquad\qquad |\phi\rangle|0\rangle \xrightarrow{U} |\phi\rangle|\phi\rangle$$

Then by (19) we get:

$$\begin{aligned}
\langle\phi 0|\psi 0\rangle &= \langle\phi\phi|\psi\psi\rangle \\
\langle\phi|\psi\rangle\langle 0|0\rangle &= \langle\phi|\psi\rangle\langle\phi|\psi\rangle \\
\langle\phi|\psi\rangle &= \langle\phi|\psi\rangle^2 \\
&\Downarrow \\
\langle\phi|\psi\rangle = 1 \quad &\text{or} \quad \langle\phi|\psi\rangle = 0 \\
&\Downarrow \\
|\phi\rangle = |\psi\rangle \quad &\text{or} \quad |\phi\rangle \perp |\psi\rangle
\end{aligned}$$

In contradiction to our assumption. QED.
