Finite Key Analysis of the Extended B92 Protocol

01/16/2020 ∙ by Omar Amer, et al. ∙ University of Connecticut 0

In this paper we derive a key rate expression for the extended version of the B92 quantum key distribution protocol that takes into account, for the first time, the effects of operating with finite resources. With this expression, we conduct an analysis of the protocol in a variety of different noise and key-length settings, and compare to previous bounds on comparable protocols.



There are no comments yet.


page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

Quantum Key Distribution is becoming an increasingly practically driven field of research [1][2]. As advances in this and other fields make commercial implementations of QKD devices more desirable, it is necessary that more work is done to understand the capabilities and limitations of these protocols in practice, as opposed to under ideal circumstances. The B92 protocol [3] has been well researched in the asymptotic setting, where it has been shown to be tolerant to up to noise in the channel [4]. An extended variant of B92 was proposed [5], in which, in addition to the two encoding, non-orthogonal states used in B92, Alice and Bob utilize two additional non-encoding, non-orthogonal states to achieve a tighter bound on Eve’s information. Analysis of the extended B92 protocol has shown it to be tolerant to up to noise in the asymptotic setting [5]. In this paper we will present what is, to our knowledge, the first analysis of the key rate for the extended B92 protocol in the finite key setting.

Our contributions are as follows: first, we conduct an information theoretic security analysis, assuming a collective attack, to evaluate the key rate of extended B92 in the finite key setting. We use our analysis to rigorously evaluate lower bounds on the key rate and noise tolerance of the protocol in a variety of different channel settings. We note that although we evaluate on depolarization channels, the equations we give hold for arbitrary channels. We will discuss general trends in the optimizing choices of protocol parameters, and, finally, we will compare our findings to the performance of other comparable protocols in the finite key setting.

I-a Notation


be a random variable, we will denote by

the Shannon entropy of . We will use both and to refer to the binary entropy function, and they should both be understood to be equal to .

Given a pure state we will use both and to mean , and if the context is clear we will often drop the subscript. Given a density operator we will write to mean the state obtained by taking the partial trace over the system of . By a classical quantum or CQ state, we will mean a quantum state that can be described by some for an orthonormal basis .

Given a density operator acting on , we will mean by the von-Neumann entropy of , equivalent to , where here and elsewhere in this paper is base unless otherwise stated. We will mean by the von-Neumann entropy of the register of conditioned on the register, where . Again, if the context is clear, we may drop the subscript.

Later we will evaluate key rates in a number of channel scenarios, all symmetric channels, by which we mean that the channel, parameterized by quantum noise level , can be described by the depolarization channel


In this work we build towards finding a lower bound of the key rate for the extended B92 protocol. To do this, we make use of the key rate equation, Equation 2, presented in [6], which states that in the finite realm, the key rate, , of a protocol, under collective attacks, can be calculated as below. We note that as we utilize a different sampling method than was used in [6]

, we must utilize a larger confidence interval than was used in

[6]. Our confidence interval, Equation 4, is derived from Hoeffding’s inequality. In [6] it was shown that for a protocol that has run for rounds, and resulted in raw key bits, the key rate , can be computed to be




with consisting of all which we could expect to induce statistics that differ by no more than

, except with some probability

, for any of statistics, each gathered over samples, for:


where we take as the number of bits leaked due to error correction of raw key bits for a given quantum bit error rate; are bits lost due to finite key effects; are user parameters that denote the security parameter of the key and the failure probability of error correction respectively; and , obeying constraints , can be be chosen so as to maximize the key rate.

To evaluate the von-Neumann entropy in Equation 3, we will additionally make use of the following theorem:

Theorem 1.

(From [7]): Let be a CQ state acting on that can be written as




Ii The Protocol and Key-Rate Computation

The protocol we analyze is actually a simplified version of the Extended B92 protocol that operates as follows. Alice and Bob utilize the bases and where and , is a publicly known parameter of the protocol, and . On an iteration of the protocol, with probability , also a parameter, this round is a key round, and Alice randomly prepares and transmits either the state or to Bob. Otherwise, with probability she sends state . Bob chooses to measure his received state in the Z or A basis with equal probability. At the end of a round, Alice notifies Bob if the round was a key round, and, if Bob measured either or , Bob notifies Alice that the round was conclusive, otherwise that it was inconclusive. On a conclusive key round, Alice’s key bit is 0 if she sent and 1 if she sent , and Bob’s key bit is 0 if he measured , and 1 if he measured . If a round is not conclusive, or not a key round, the results are used for channel tomography.

Following rounds of this protocol, Alice and Bob will share a correlated but noisy raw key string of length , as well as

samples that we will show can be used to estimate various channel statics, obtained from rounds that did not contribute to the key. At this point Alice and Bob follow standard post processing procedures, conducting error correction and privacy amplification to distill an

bit secret key [1][2].

In this section we model the state of the system at the end of a key round so that we may find a lower bound on , as is necessary to compute the key rate. To accomplish this, we also discuss how to estimate the parameters of Eve’s attack with statistics that are observed during the course of the protocol, as well as how to calculate the confidence interval that must be minimized over for each of those statistics in the finite case.

Ii-a Bounding the Conditional Entropy

To bound the quantity we must first compute a density operator for the system at the end of a key round. Because we are considering collective attacks, Eve’s attack can be modeled by unitary operator

, acting on a qubit and her ancillary space, initialized as

, as follows:

For ease of notation we will make explcit the action where


As we are interested in the entropy of Alice’s key, we condition on this round of the protocol being a key round. In which case Alice begins the protocol by preparing the transit space as either or , sending it into the channel, and storing her key bit in the register . Eve attacks with acting on , resulting in the joint state:

Bob now chooses to make a measurement of in either the Z or A basis, each with equal probability. Again conditioning on this round being a key round, he observes either or , corresponding to his key register being set as 1 or 0 respectively. Tracing out the spaces and after we condition on a conclusive measurement, we are left with:

where is a normalization term we will define shortly. In accordance with Theorem 1, we can then represent this state in the form given in Equation 5, with:


Ii-B Parameter Estimation

With an operator determined it remains to estimate the various inner products of Eve’s states as functions of the observable statistics we gather. It is trivial to find the following identities based on Eve’s attack operator:

Where denotes the probability of Bob measuring after Eve’s attack, conditioned on Alice sending the state .

Next we consider the information that can be gained by gathering mismatched statistics[7][8][9], gathered from rounds in which Alice and Bob chose to prepare and measure states in mismatched bases. For example, by computing the probability we are able to compute the quantity . Indeed, tracing the evolution of the qubit in that case, we find:


Similarly we can also find:


Through much the same method, utilizing the states given in Equations 6 and 15, we are able to find the following identity using .


With the last of our identities described, we can now apply Theorem 1 to find a lower bound on the entropy of Eve’s system to be:


where denotes indexing into any of the ordered sets given below, and


We note that all of the inner products above, with the exception of in Equation 21, can be estimated by the statistics gathered in this protocol, either having been made explicit in earlier discussion or, in the case of Equations 19 and 20, can be computed to be as we claim by further tracing of the evolution of the state. We can now compute the bound given in 18 by minimizing over the sole free variable, which itself can be bounded by Cauchy-Schwartz as with obtained by Equation 17.

Ii-C Finite Key Effects

To calculate the key rate in the finite case, we must account for uncertainty in our observed statistics, and consider all possible attacks Eve may have used that induce statistics within the relevant confidence interval, as given by Equation 4. Let each statistic have been sampled over samples, then, following the work done in [6], we find that to calculate a worst case bound on Eve’s information we must further minimize the entropy expression given in Equation 18, now replacing all observed used in parameter estimation with

save for , , and which we take to be equal to , , and respectively. This minimization results in a new worst case bound on Eve’s uncertainty, correct with probability , which we denote .

With , we can now calculate the finite key-length rate, with Equation 2, with the constraints discussed with Equation 2, though, for our purposes, are more concerned with evaluating the effective key rate,


rather than the key rate itself, where n is the number of raw key bits.

Iii Evaluation

With a key rate equation finalized, we now consider the key rates that are realizable at various noise and and signal size scenarios. We consider a symmetric channel, as defined in Equation 1 parameterized on quantum noise level , though we note the equations we have derived thus far hold for arbitrary channels. We calculate the expected number of samples that contribute to statistic , for a given and over rounds below:

where we use to denote the number of samples that contribute to the raw key. We also note that in practice these values would be observed, and we utilize these expressions only to calculate what they might be expected to be for the purposes of our evaluation.

We will conduct our analysis with to account for practical inefficiencies in error correction protocols, where QBER is the error rate of the raw key string, for which we will use a worst case upper bound of:



Further, in our analysis, we fix the user parameters and . Additionally, we fix the optimizable parameters and . Finally, we numerically optimized over and in each case to find an optimal effective key rate in various noise level and signal number.

Fig. 1: This figure depicts the effective key rate, optimized over and for quantum noise levels and evaluated at and for .
Fig. 2: This figure depicts the effective key rate, optimized over and for various , as well as the asymptotic case (the top line), as noise in the channel increases.
Fig. 3: This chart shows effective key rate as varies for a fixed at noise level for various . We found that while in the asymptotic case, the optimal approaches 0 as shown in [5], while in the finite case there is an advantage in optimizing over (and indeed over ) in each scenario


In Figure 1 we show the optimal effective key rate at various noise levels, increasing with , appearing to numerically approach the asymptotic bound (not shown) at each noise level. In Figure 2, we show the effective key rate for various as noise increases, where we can see an increasing effective key rate and noise tolerance as increases, again approaching the asymptotic bound.

In our analysis, we observed that the values of and that led to the optimal key rate (Equation 2) did not necessarily result in the optimal effective key rate. Additionally we observed that, as increased, the optimal decreased while the optimal increased, approaching the asymptotic optimal values of and respectively[5], as one might expect. Further, we found that for a given , the key rate varied with as shown by the curves in Figure 3, reaching no more than one positive maximum.

As this is the first analysis of extended B92 in the finite setting, we instead compare our results to the performance of standard B92 and BB84 in finite settings. As one might expect, our analysis shows that the extended variant of B92, which utilizes additional quantum states to better bound , results in higher noise tolerance and effective key rates in the finite setting than can be obtained with standard B92. Indeed, in [10], a recent analysis showed that with signals, standard B92 achieves a positive key rate up to at least noise while our analysis shows that extended B92 has a noise tolerance of at least . Conversely, while the work done in [6] shows that at noise BB84 can achieve positive key rates with as few as signals, we do not achieve positive rates at that noise until signals.

Iv Closing Remarks

In this work we have conducted, for the first time, a rigorous, information theoretic finite key-length analysis of a simplified version of the extended B92 protocol. We have bounded the key rate, under collective attacks, for arbitrary channels, and evaluated that bound in various noise scenarios under a symmetric channel. We have shown that the key rate can be improved by optimizing over and , and noted that the optimal choices for those parameters obey interesting trends.

Future areas of interest in this area include refactoring this analysis to utilize a single POVM for gathering statistics, so as to obtain a tighter confidence interval in Equation 4 as was done in [6]. Further, it may be possible to achieve higher key rates with a tighter bound on QBER than was given in Equation 24. An analysis of achievable key rates and optimal choices under arbitrary channels may also lead to interesting results, as would an investigation of where optimal values for and lie, which we held fixed in our optimization.