Cryptography is the science of protecting the security and correctness of data against adversaries. One of the most important cryptographic problems is the problem of encryption – namely, of transferring a secret message from a sender to a receiver. Two main encryption methods are used today:
In symmetric-key cryptography, the same secret key is used for both the sender and the receiver: the sender uses the secret key for encrypting his or her message, and the receiver uses the same secret key for decrypting the message. Examples of symmetric-key ciphers include the Advanced Encryption Standard (AES) AESbook , the older Data Encryption Standard (DES), and the one-time pad (“Vernam cipher”).
In public-key cryptography diffie_hellman76 , a public key (known to everyone) and a secret key (known only to the receiver) are used: the sender uses the public key for encrypting his or her message, and the receiver uses the secret key for decrypting the message. Examples of public-key ciphers include RSA rsa and elliptic curve cryptography.
One of the main problems with current public-key cryptography is that its security is not formally proved. Moreover, its security relies on the computational hardness of specific computational problems, such as integer factorization and discrete logarithm (that can both be efficiently solved on a quantum computer, by using Shor’s factorization algorithm shor94 ; therefore, if a scalable quantum computer is successfully built in the future, the security of many public-key ciphers, including RSA and elliptic curve cryptography, will be broken). Symmetric-key cryptography requires a secret key to be shared in advance between the sender and the receiver (in other words, if the sender and the receiver want to share a secret message, they must share a secret key beforehand). Moreover, no security proofs for many current symmetric-key ciphers, such as AES and DES, are known (even if one is allowed to rely on the computational hardness of problems), and unconditional security proofs against computationally-unlimited adversaries are impossible unless the secret key is used only once and is at least as long as the secret message shannon_secrecy49 .
The one-time pad (symmetric-key) cipher, that, given a message and a secret key of the same length, defines the encrypted message to be (and then decryption can be performed by computing ), is fully and unconditionally secure against any adversary shannon_secrecy49 – namely, even if the adversary Eve intercepts the encrypted message , she gains no information about the original message (assuming that she has no information about the secret key ). This means that, for obtaining perfect secrecy, all that is needed is an efficient way for sharing a random secret key between the sender and the receiver; unfortunately, “classical key distribution” cannot be achieved in a fully secure way if the adversary can listen to all the communication between Alice and Bob.
Quantum key distribution (QKD) protocols take advantage of the laws of quantum mechanics for achieving fully and unconditionally secure key distribution, so that their resulting final key can later be used by other cryptographic primitives (e.g., one-time pad encryption). Most QKD protocols have security proofs applicable even against adversaries whose only limitations are the laws of nature (and who are otherwise capable of solving any computational problem and of performing any physically-allowed operation). The two parties (the first party is usually named “Alice”, and the second party is usually named “Bob”) want to create a shared random key, and they use an insecure quantum channel and an unjammable classical channel (which the adversary may listen to but cannot modify). The adversary (eavesdropper), Eve, tries to get as much information as she can on the final shared key. The first and most important QKD protocol is BB84 BB84 , which uses four possible quantum states (see details below); it has been proven fully and unconditionally secure.
Boyer, Gelles, and Mor BGM09 discussed the security of BB84 against collective attacks. The class of the “collective attacks” BM97a ; BM97b ; BBBGM02 is an important and powerful subclass of the joint attacks; the class of the “joint attacks” includes all the theoretical attacks allowed by quantum physics. BGM09 improved the security proof of Biham, Boyer, Brassard, van de Graaf, and Mor BBBGM02 against collective attacks, by using some techniques of Biham, Boyer, Boykin, Mor, and Roychowdhury BBBMR06 (that proved security against joint attacks). In this paper, too, we restrict the analysis to collective attacks, because security against collective attacks is conjectured (and, in some security notions, proved renner_thesis08 ; MRR09 ) to imply security against joint attacks. In addition, proving security against collective attacks is much simpler than proving security against joint attacks.
Other QKD protocols, either similar to BB84 or ones that use different approaches, have also been suggested, and in some cases have also been proven fully secure. In particular, the “three-state protocol” Mor98 uses only three quantum states, and it has been proven secure mor98_sec1 ; mor98_sec2 ; mor98_sec3 ; the “classical Bob” protocol cbob07 is a two-way protocol such that only Alice has quantum capabilities and Bob has only classical capabilities, and it has been proven robust cbob07 and secure cbob_security15 ; and the “classical Alice” protocol calice09 is similar to “classical Bob” with Alice being the classical participant instead of Bob, and it has been proven robust calice09comment .
The above QKD protocols are all “Discrete-Variable” protocols. Two other classes of QKD protocols, “Continuous-Variable” protocols and “Distributed-Phase-Reference” protocols, have also been suggested; their security proofs are still weaker than the security proofs of “Discrete-Variable” protocols (see sec_practical09 for details).
QKD protocols can be used as a subroutine (secure key distribution) of more complicated cryptographic protocols. In other words, they can be integrated into a system in order to improve its security: see SML10 for more details about this integration.
In many QKD protocols, including BB84, Alice and Bob exchange several types of bits (encoded as quantum systems, usually qubits): INFO bits, that are secret bits shared by Alice and Bob and are used for generating the final key (via classical processes of error correction and privacy amplification); and TEST bits, that are publicly exposed by Alice and Bob (by using the classical channel) and are used for estimating the error rate. In BB84, each bit is sent from Alice to Bob in a random basis (the basis or the basis).
In this paper, we extend the analysis of BB84 done in BGM09 and prove the security of a QKD protocol we shall name BB84-INFO-. This protocol is almost identical to BB84, except that all its INFO bits are in the basis. In other words, the basis is used only for testing. The bits are thus partitioned into three disjoint sets: INFO, TEST-Z, and TEST-X. The sizes of these sets are arbitrary ( INFO bits, TEST-Z bits, and TEST-X bits).
We note that, while this paper follows a line of research that mainly discusses a specific approach of security proof for BB84 and similar protocols (this approach, notably, considers finite-key effects and not only the asymptotic error rate), many other approaches have also been suggested: see for example bb84_sec_mayers ; bb84_sec_SP ; renner_thesis08 ; bb84_sec_renner .
In contrast to the line of research adopted here (of BM97a ; BM97b ; BBBGM02 ; BBBMR06 ; BGM09 ), in which a classical information-theoretical analysis caused problems with composability (see definition in renner_thesis08 and in Subsection 1.1), in this paper we suggest a method to prove fully composable security: we calculate the trace distance between any two density matrices Eve may hold, instead of calculating the classical mutual information between Eve and the final key (as done in those previous papers). This method is implemented in this paper for proving the fully composable security of BB84-INFO- against collective attacks; it also directly applies to the BB84 security proof in BGM09 against collective attacks, proving the fully composable security of BB84 against collective attacks. It may be extended in the future to show that the BB84 security proof of BBBMR06 proves the fully composable security of BB84 against joint attacks.
The “qubit space”, , is a -dimensional Hilbert space. The states form an orthonormal basis of , called “the computational basis” or “the basis”. The states and form another orthonormal basis of , called “the basis”. Those two bases are said to be conjugate bases.
In this paper, we denote bit strings (of bits, with being some integer) by a bold letter (e.g., with ); and we refer to those bit strings as elements of – that is, as elements of a -dimensional vector space over the field, where addition of two vectors corresponds to a XOR operation between them. The number of -bits in a bit string is denoted by , and the Hamming distance between two strings and is .
1.1 Security Definitions of Quantum Key Distribution
Originally, a QKD protocol was defined to be secure if the (classical) mutual information between Eve’s information and the final key, maximized over all the possible attack strategies and measurements by Eve, is exponentially small in the number of qubits, . Examples of security proofs of BB84 that use this security definition are bb84_sec_mayers ; BBBMR06 ; bb84_sec_SP . Those security proofs used the observation that one cannot analyze the classical data held by Eve before privacy amplification (as done in BBCM95 ), but must analyze the quantum state held by Eve BMS96 . In other words, they assumed that Eve could keep her quantum state until the end of the protocol, and only then choose the optimal measurement (based on all the data she observed) and perform the measurement.
Later, it was noticed that this security definition may not be “composable”. In other words, the final key is secure if Eve measures the quantum state she holds at the end of the QKD protocol, but the proof does not apply to cryptographic applications (e.g., encryption) of the final key: Eve might gain non-negligible information after the key is used, even though her information on the key itself was negligible. This means that the proof is not sufficient for practical purposes. In particular, those applications may be insecure if Eve keeps her quantum state until Alice and Bob use the key (thus giving Eve some new information) and only then measures.
Therefore, a new notion of “(composable) full security” was defined BHLMO05 ; bb84_sec_renner ; renner_thesis08 by using the trace distance between quantum states, following universal composability definitions for non-quantum cryptography compos01_universal ; compos00 . Intuitively, this notion means that the final joint quantum state of Alice, Bob, and Eve at the end of the protocol is very close (namely, the trace distance is exponentially small in ) to their final state at the end of an ideal key distribution protocol, that distributes a completely random and secret final key to both Alice and Bob. In other words, if a QKD protocol is secure, then except with an exponentially small probability, one of the two following events happens: the protocol is aborted, or the secret key generated by the protocol is the same as a perfect key that is uniformly distributed (i.e., each possible key having the same probability), is the same for both parties, and is independent of the adversary’s information.
Formally, is defined as the final quantum state of Alice, Bob, and Eve at the end of the protocol (with Alice’s and Bob’s states being simply the “classical” states and , where and are bit strings that are the final keys held by Alice and Bob, respectively (note that usually ); and with Eve’s state including both her quantum probe and the classical information published in the unjammable classical channel); is defined as the complete mixture of all the possible keys that are the same for Alice and Bob (namely, if the set of possible final keys is , then ); and is defined as the partial trace of over the system . For the QKD protocol to be fully (and composably) secure, it is required that
where is exponentially small in . Intuitively, is the actual joint state of Alice, Bob, and Eve at the end of the QKD protocol; is the ideal final state of Alice and Bob (an equal mixture of all the possible final keys, that is completely uncorrelated with Eve and is the same for Alice and Bob); and is the state of Eve, uncorrelated with the states of Alice and Bob. Note that cases in which the protocol is aborted are represented by the zero operator: see (renner_thesis08, , Subsection 6.1.2) for details.
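To make the criterion concrete, here is an added numerical illustration (not code from the paper) that evaluates the trace distance between the actual and the ideal state for a toy collective attack on a single key bit. The assumptions are ours: the key bit is uniform, Eve's probe for key value k is a real pure state with overlap cos(theta) between the two probes, and no abort event occurs (so every state below is normalised, whereas in the real criterion aborts enter as the zero operator). The eigensolver is a plain Jacobi iteration for real symmetric matrices so that the script runs without numpy.

```python
import math

# Added example (not the paper's code): the composability criterion evaluated
# for a toy attack on one key bit. Assumptions: uniform key bit K, Eve's probe
# is the real pure state e_K with <e_0|e_1> = cos(theta), and no abort event.


def outer(v):
    """Projector |v><v| for a real vector v."""
    return [[a * b for b in v] for a in v]


def kron(A, B):
    """Kronecker (tensor) product of two real matrices."""
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]


def lin(alpha, A, beta, B):
    """alpha*A + beta*B for equal-shaped matrices."""
    return [[alpha * a + beta * b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def sym_eigenvalues(A, sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    A = [row[:] for row in A]
    n = len(A)
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-26:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-300:
                    continue
                t = 0.5 * math.atan2(2 * A[p][q], A[q][q] - A[p][p])
                c, s = math.cos(t), math.sin(t)
                for k in range(n):  # A <- A R   (rotate columns p, q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- R^T A (rotate rows p, q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [A[i][i] for i in range(n)]


def trace_distance(rho, sigma):
    """(1/2) || rho - sigma ||_1, the trace distance of two density matrices."""
    return 0.5 * sum(abs(e) for e in sym_eigenvalues(lin(1, rho, -1, sigma)))


def partial_trace_first(rho, d_first, d_second):
    """Trace out the first tensor factor of a (d_first*d_second)-dim state."""
    out = [[0.0] * d_second for _ in range(d_second)]
    for k in range(d_first):
        for i in range(d_second):
            for j in range(d_second):
                out[i][j] += rho[k * d_second + i][k * d_second + j]
    return out


def eve_probe(theta, k):
    """Eve's probe state for key bit k; the two probes have overlap cos(theta)."""
    return [1.0, 0.0] if k == 0 else [math.cos(theta), math.sin(theta)]


def real_state(theta):
    """rho_KE = (1/2) sum_k |k><k| (x) |e_k><e_k|: the actual key-Eve state."""
    terms = [kron(outer([1.0 - k, float(k)]), outer(eve_probe(theta, k))) for k in (0, 1)]
    return lin(0.5, terms[0], 0.5, terms[1])


def ideal_state(theta):
    """rho_U (x) rho_E: a uniform key, uncorrelated with Eve's reduced state."""
    rho_u = [[0.5, 0.0], [0.0, 0.5]]
    return kron(rho_u, partial_trace_first(real_state(theta), 2, 2))


def security_parameter(theta):
    """Left-hand side of the composability criterion for this toy attack."""
    return trace_distance(real_state(theta), ideal_state(theta))


def guessing_probability(theta):
    """Helstrom bound: Eve's best probability of guessing the key bit."""
    return 0.5 * (1.0 + abs(math.sin(theta)))


if __name__ == "__main__":
    for theta in (0.0, 0.3, math.pi / 4, math.pi / 2):
        print(f"theta={theta:.3f}  distance={security_parameter(theta):.4f}  "
              f"p_guess-1/2={guessing_probability(theta) - 0.5:.4f}")
```

For this toy the computed distance equals (1/2) sin(theta), which is exactly Eve's advantage over random guessing of the key bit (Helstrom's bound gives p_guess = (1 + sin theta)/2). That is the operational content of the criterion: a small trace distance to the ideal state bounds what Eve can ever learn about the key, whatever she measures and whenever she measures it.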
2 Full Definition of the Protocol “BB84-INFO-”
Below we formally define all the steps of the BB84-INFO- protocol, as used in this paper.
Before the protocol, Alice and Bob choose some shared (and public) parameters: numbers , , and (we denote ), error thresholds and , an parity check matrix (corresponding to a linear error-correcting code ), and an privacy amplification matrix (representing a linear key-generation function). It is required that all the rows of the matrices and put together are linearly independent.
Alice randomly chooses a partition of the bits by randomly choosing three -bit strings that satisfy , and . Thus, partitions the set of indexes into three disjoint sets:
(INFO bits, where ) of size ;
(TEST-Z bits, where ) of size ; and
(TEST-X bits, where ) of size .
Alice randomly chooses an -bit string and sends the qubit states , one after the other, to Bob using the quantum channel. Notice that Alice uses the basis for sending the INFO and TEST-Z bits, and that she uses the basis for sending the TEST-X bits. Bob keeps each received qubit in quantum memory, not measuring it yet. (Footnote: Here we assume that Bob has a quantum memory and can delay his measurement. In practical implementations, Bob usually cannot do that, but is assumed to measure in a randomly-chosen basis ( or ), so that Alice and Bob later discard the qubits measured in the wrong basis. In that case, we need to assume that Alice sends more than qubits, so that qubits are finally detected by Bob and measured in the correct basis.)
Alice sends to Bob over the classical channel the bit string . Bob measures each of the qubits he saved in the correct basis (namely, when measuring the -th qubit, he measures it in the basis if , and he measures it in the basis if ).
The bit string measured by Bob is denoted by . If there is no noise and no eavesdropping, then .
Alice sends to Bob over the classical channel the bit string . The INFO bits (that will be used for creating the final key) are the bits with , while the TEST-Z and TEST-X bits (that will be used for testing) are the bits with . We denote the substrings of that correspond to the INFO bits by and , respectively.
Alice and Bob both publish the bit values they have for all the TEST-Z and TEST-X bits, and they compare the bit values. If more than TEST-Z bits are different between Alice and Bob or more than TEST-X bits are different between them, they abort the protocol. We note that and (the pre-agreed error thresholds) are the maximal allowed error rates on the TEST-Z and TEST-X bits, respectively – namely, in each basis ( and ) separately.
The values of the remaining bits (the INFO bits, with 1) are kept in secret by Alice and Bob. The bit string of Alice is denoted , and the bit string of Bob is denoted .
Alice sends to Bob the syndrome of (with respect to the error-correcting code and to its corresponding parity check matrix ), that consists of bits and is defined as . By using , Bob corrects the errors in his string (so that it is the same as ).
The final key consists of bits and is defined as . Both Alice and Bob compute it.
The protocol is defined similarly to BB84 (and to its description in BGM09 ), except that it uses the generalized bit numbers , , and (numbers of INFO, TEST-Z, and TEST-X bits, respectively); that it uses the partition for dividing the -bit string into three disjoint sets of indexes (, , and ); and that it uses two separate thresholds ( and ) instead of one ().
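The following is an added classical simulation of the steps above (it is not code from the paper): a tiny instance of the protocol run end to end, with the partition, the basis announcement, the two separate test thresholds, the syndrome-based error correction and the linear privacy amplification. Everything beyond the protocol skeleton is our assumption: 7 INFO, 3 TEST-Z and 3 TEST-X bits, the Hamming(7,4) parity-check matrix as the error-correction matrix, a 4x7 privacy-amplification matrix whose rows together with the parity-check rows are linearly independent (the script checks this), and an i.i.d. bit-flip channel standing in for noise; no eavesdropper is modelled.

```python
import random

# Added example (not the paper's code): classical simulation of the protocol
# steps of Section 2 for a small instance. Assumed parameters: n_info=7,
# n_z=3, n_x=3, Hamming(7,4) as the error-correcting code, an assumed
# privacy-amplification matrix K, and an i.i.d. bit-flip channel as noise.

Z, X = "Z", "X"  # the two conjugate bases

# Hamming(7,4) parity-check matrix: column j is the binary expansion of j+1,
# so a single error at index j yields the syndrome j+1 and can be corrected.
H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
# Privacy-amplification matrix K (assumed): selects the four data positions
# of the code, so the rows of H and K together have rank 7 over GF(2), as the
# protocol requires (verified by gf2_rank below).
K = [
    [0, 0, 1, 0, 0, 0, 0],
    [0, 0, 0, 0, 1, 0, 0],
    [0, 0, 0, 0, 0, 1, 0],
    [0, 0, 0, 0, 0, 0, 1],
]


def mat_vec(M, v):
    """Matrix-vector product over GF(2): every output bit is a parity of v."""
    return [sum(a & b for a, b in zip(row, v)) % 2 for row in M]


def gf2_rank(rows):
    """Rank of a list of bit-rows over GF(2), by elimination on integers."""
    ints = [int("".join(map(str, r)), 2) for r in rows]
    rank = 0
    while ints:
        pivot = max(ints)
        if pivot == 0:
            break
        ints.remove(pivot)
        top = pivot.bit_length() - 1
        ints = [r ^ pivot if r >> top & 1 else r for r in ints]
        rank += 1
    return rank


def choose_partition(rng, n_info, n_z, n_x):
    """Alice's random partition of the n = n_info + n_z + n_x positions."""
    labels = ["INFO"] * n_info + ["TEST-Z"] * n_z + ["TEST-X"] * n_x
    rng.shuffle(labels)
    return labels


def alice_prepare(rng, labels):
    """Random bit string; INFO and TEST-Z bits go in the Z basis, TEST-X in X."""
    bits = [rng.randrange(2) for _ in labels]
    bases = [X if lab == "TEST-X" else Z for lab in labels]
    return bits, bases


def noisy_channel(rng, bits, p_flip):
    """Constructed noise model: each encoded bit flips independently."""
    return [b ^ int(rng.random() < p_flip) for b in bits]


def bob_measure(rng, bits, send_bases, meas_bases):
    """Measuring in the preparation basis returns the encoded bit; measuring
    in the conjugate basis gives a uniformly random outcome."""
    return [b if sb == mb else rng.randrange(2)
            for b, sb, mb in zip(bits, send_bases, meas_bases)]


def correct_errors(x_bob, syndrome_alice):
    """Bob corrects one INFO error from Alice's syndrome: H(x_A xor x_B) = H e."""
    diff = [a ^ b for a, b in zip(syndrome_alice, mat_vec(H, x_bob))]
    pos = diff[0] + 2 * diff[1] + 4 * diff[2]  # Hamming: syndrome = index + 1
    x = list(x_bob)
    if pos:
        x[pos - 1] ^= 1
    return x


def run_protocol(seed, p_flip, p_z=1 / 3, p_x=1 / 3, n_info=7, n_z=3, n_x=3):
    """One run of the protocol; returns the test outcome and both final keys."""
    rng = random.Random(seed)
    labels = choose_partition(rng, n_info, n_z, n_x)
    x_a, bases = alice_prepare(rng, labels)
    received = noisy_channel(rng, x_a, p_flip)
    # Alice announces the bases over the classical channel; Bob, who kept the
    # qubits in quantum memory, measures each one in the correct basis.
    x_b = bob_measure(rng, received, bases, bases)

    def sub(v, lab):  # substring of v on the positions labelled lab
        return [v[i] for i, l in enumerate(labels) if l == lab]

    err_z = sum(a != b for a, b in zip(sub(x_a, "TEST-Z"), sub(x_b, "TEST-Z")))
    err_x = sum(a != b for a, b in zip(sub(x_a, "TEST-X"), sub(x_b, "TEST-X")))
    if err_z > p_z * n_z or err_x > p_x * n_x:  # separate threshold per basis
        return {"aborted": True, "err_z": err_z, "err_x": err_x}
    info_a, info_b = sub(x_a, "INFO"), sub(x_b, "INFO")
    syndrome = mat_vec(H, info_a)  # public: the 3 syndrome bits sent to Bob
    info_b = correct_errors(info_b, syndrome)
    return {"aborted": False, "err_z": err_z, "err_x": err_x,
            "key_alice": mat_vec(K, info_a), "key_bob": mat_vec(K, info_b)}


if __name__ == "__main__":
    assert gf2_rank(H + K) == 7  # rows of H and K must be linearly independent
    print(run_protocol(seed=2024, p_flip=0.05))
```

The rank check is the one a practitioner should not skip: the syndrome leaks the parities given by the rows of the parity-check matrix, so if a row of the privacy-amplification matrix were a combination of those rows (or of the other key rows), the corresponding key bit would be computable from public data. The Hamming code corrects a single INFO error only, so with 7 INFO bits the run stays reliable when the noise leaves at most one error among them; the tests catch noisier runs per basis and abort.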
3 Proof of Security for the BB84-INFO- Protocol Against Collective Attacks
3.1 The General Collective Attack of Eve
Before the QKD protocol is performed (and, thus, independently of and ), Eve chooses some collective attack to perform. A collective attack is bitwise: it attacks each qubit separately, by using a separate probe (ancillary state). Each probe is attached by Eve to the quantum state, and Eve saves it in a quantum memory. Eve can keep her quantum probes indefinitely, even after the final key is used by Alice and Bob; and she can perform, at any time of her choice, an optimal measurement of all her probes together, chosen based on all the information she has at the time of the measurement (including the classical information sent during the protocol, and including the information she acquires when Alice and Bob use the key).
Given the -th qubit sent from Alice to Bob (), Eve attaches a probe state and applies some unitary operator of her choice to the compound system . Then, Eve keeps to herself (in a quantum memory) the subsystem , which is her probe state; and sends to Bob the subsystem , which is the qubit sent from Alice to Bob (which may have been modified by her attack ).
The most general collective attack of Eve on the -th qubit, represented in the orthonormal basis , is
where , , , and are non-normalized states in Eve’s probe system attached to the -th qubit.
We thus notice that Eve can modify the original product state of the compound system, , into an entangled state (e.g., ). Eve’s attack may thus cause Bob’s state to become entangled with her probe. On the one hand, this may give Eve some information on Bob’s state; on the other hand, this causes disturbance that may be detected by Bob. The security proof shows that the information obtained by Eve and the disturbance caused by Eve are inherently correlated: this is the basic reason QKD protocols are secure.
3.2 Results from BGM09
The security proof of BB84-INFO- against collective attacks is very similar to the security proof of BB84 itself against collective attacks, that was detailed in BGM09 . Most parts of the proof are not affected at all by the changes made to BB84 to get the BB84-INFO- protocol (changes detailed in Section 2 of the current paper), because those parts assume fixed strings and , and because the attack is collective (so the analysis is restricted to the INFO bits).
Therefore, the reader is referred to the proof in Section 2 and Subsections 3.1 to 3.5 of BGM09 , that applies to BB84-INFO- without any changes (except changing the total number of bits, , to , which does not affect the proof at all), and that will not be repeated here.
We denote the rows of the error-correction parity check matrix as the vectors in , and the rows of the privacy amplification matrix as the vectors . We also define, for every , ; and we define
For a -bit final key , we define to be the state of Eve corresponding to the final key , given that she knows . Thus,
where is Eve’s state after the attack, given that Alice sent the INFO bit string encoded in the bases . The state , that is a lift-up of (which means that is a partial trace of ), was also defined in BGM09 .
In the end of Subsection 3.5 of BGM09 , it was found that (in the case of a -bit final key, i.e., )
is a random variable whose value is the-bit string of errors on the INFO bits; is a random variable whose value is the -bit string of bases of the INFO bits; is the bit-flipped string of ; and (and, in general, ) was defined above.
3.3 Bounding the Differences Between Eve’s States
We define : namely, is the XOR of the -bit string sent by Alice and of the -bit string measured by Bob. For all indexes , if and only if Bob’s -th bit value is different from the -th bit sent by Alice. The partition divides the bits into INFO bits, TEST-Z bits, and TEST-X bits. The corresponding substrings of the error string are (the string of errors on the INFO bits), (the string of errors on the TEST-Z bits), and (the string of errors on the TEST-X bits). The random variables that correspond to , , and are denoted by , , and , respectively.
We define to be a random variable whose value is the string of errors on the INFO bits if Alice had encoded and sent the INFO bits in the basis (instead of the basis dictated by the protocol). In those notations, inequality (7) reads as
using the fact that Eve’s attack is collective, so the qubits are attacked independently, and, therefore, the errors on the INFO bits are independent of the errors on the TEST-Z and TEST-X bits (namely, of and ).
As explained in BGM09 , inequality (8) was not derived for the actual attack applied by Eve, but for a virtual flat attack (that depends on and therefore could not have been applied by Eve). That flat attack gives the same states and as given by the original attack , and it gives a lower (or the same) error rate in the conjugate basis. Therefore, inequality (8) holds for the original attack , too. This means that, starting from this point, all our results apply to the original attack rather than to the flat attack.
So far, we have discussed a -bit key. We will now discuss a general -bit key . We define to be the state of Eve corresponding to the final key , given that she knows :
For any two keys of bits,
We define the key , for , to consist of the first bits of and the last bits of . This means that , , and differs from at most on a single bit (the -th bit).
First, we find a bound on : since differs from at most on a single bit (the -th bit, given by the formula ), we can use the same proof that gave us inequality (8), attaching the other (identical) key bits to of the original proof; and we find that
where we define as , and .
Now we notice that is the Hamming distance between and some vector in , which means that with and . The properties of Hamming distance assure us that is at least for some . Therefore, we find that .
The result implies that if then . Therefore, inequality (11) implies
Now we use the triangle inequality for norms to find
as we wanted. ∎
The value we want to bound is the expected value (namely, the average) of the trace distance between two states of Eve corresponding to two final keys. However, we should take into account that if the test fails, no final key is generated, and the distance between all of Eve’s states becomes for any purpose. We thus define the random variable for any two final keys :
We need to bound the expected value , that is given by:
where is a random variable whose value is the error rate on the INFO bits if they had been encoded in the basis, is a random variable whose value is the error rate on the TEST-Z bits, and is a random variable whose value is the error rate on the TEST-X bits.
3.4 Proof of Security
We will now prove the right-hand-side of (18) to be exponentially small in .
As said earlier, the random variable corresponds to the bit string of errors on the INFO bits if they had been encoded in the basis. The TEST-X bits are also encoded in the basis, and the random variable corresponds to the bit string of errors on those bits. Therefore, we can treat the selection of the indexes of the INFO bits and the TEST-X bits as a random sampling (after the numbers , , and and the indexes of the TEST-Z bits have all already been chosen) and use Hoeffding’s theorem (that is described in Appendix A of BGM09 ).
Therefore, for each bit string that consists of the errors in the INFO and TEST-X bits if the INFO bits had been encoded in the basis, we apply Hoeffding’s theorem: namely, we take a sample of size without replacement from the population (this corresponds to the random selection of the indexes of the INFO bits and the TEST-X bits, as defined above, given that the indexes of the TEST-Z bits have already been chosen). Let be the average of the sample (this is exactly the error rate on the INFO bits, assuming, again, that the INFO bits had been encoded in the basis); and let be the expectation of (this is exactly the error rate on the INFO bits and TEST-X bits together). Then is equivalent to , and, therefore, to . This means that the conditions and rewrite to
which implies , which is equivalent to . Using Hoeffding’s theorem (from Appendix A of BGM09 ), we get:
In the above discussion, we have actually proved the following Theorem:
Let us be given , , and, for infinitely many values of , a family such that and . Then for any and such that , and for any and two -bit final keys , the distance between Eve’s states corresponding to and satisfies the following bound:
In Subsection 3.7 we explain why the vectors required by this Theorem exist.
We note that the quantity bounds the expected values of the Shannon Distinguishability and of the mutual information between Eve and the final key, as done in BGM09 and BBBMR06 , which is sufficient for proving non-composable security; but it also avoids composability problems: Eve is not required to measure immediately after the protocol ends, but she is allowed to wait until she gets more information. In Subsection 3.6 we use this bound for proving a fully composable security.
Security itself is not sufficient; we also need the key to be reliable (namely, to be the same for Alice and Bob). This means that we should make sure that the number of errors on the INFO bits is less than the maximal number of errors that can be corrected by the error-correcting code. We demand that our error-correcting code can correct errors (we explain in Subsection 3.7 why this demand is satisfied). Therefore, reliability of the final key with exponentially small probability of failure is guaranteed by the following inequality: (as said, corresponds to the actual bit string of errors on the INFO bits in the protocol, when they are encoded in the basis)
This inequality is proved by an argument similar to the one used in Subsection 3.4: the selection of the indexes of the INFO bits and the TEST-Z bits is a random partition of bits into two subsets of sizes and , respectively (assuming that the indexes of the TEST-X bits have already been chosen), and thus it corresponds to Hoeffding’s sampling.
3.6 Proof of Fully Composable Security
We now prove that the BB84-INFO- protocol satisfies the definition of composable security for a QKD protocol: namely, that it satisfies equation (1) presented in Subsection 1.1. We prove that the expression is exponentially small in , with being the actual joint state of Alice, Bob, and Eve; being an ideal (random, secret, and shared) key distributed to Alice and Bob; and being the partial trace of over the system .
To make reading easier, we use the following notations, where is the bit string sent by Alice, is the bit string received by Bob, and is the string of errors:
In other words, consists of all the TEST-Z and TEST-X bits of Alice and Bob; and is the random variable representing the result of the test.
According to the above definitions, the states and are
where is defined to be Eve’s quantum state if Alice sends the INFO string in the bases and Bob gets the INFO string . All the other states actually represent classical information: subsystems and represent the final keys held by Alice () and Bob (, that is obtained from , , and ), and subsystem represents the information published in the unjammable classical channel during the protocol (this information is known to Alice, Bob, and Eve) – namely, (all the test bits), (the partition), and (the syndrome).
We note that in the definition of , we sum only over the events in which the test is passed (namely, in which the protocol is not aborted by Alice and Bob): in such cases, an -bit key is generated. The cases in which the protocol aborts do not exist in the sum – namely, they are represented by the zero operator, as required by the definition of composable security (see Subsection 1.1 and (renner_thesis08, , Subsection 6.1.2)). Thus, is a non-normalized state, and is the probability that the test is passed.
To help us bound the trace distance, we define the following intermediate state:
This state is identical to , except that Bob holds Alice’s final key () instead of his own calculated final key (). In particular, the similarity between and means, by definition, that and are the same state: namely, .
Under the same conditions as Theorem 3, it holds that