Proof of Security of a High-Capacity Quantum Key Distribution Protocol

Page 1

arXiv:quant-ph/0512231v2 23 Jan 2006
Proof of Security of a High-Capacity Quantum Key Distribution Protocol
Xiaowei Zhang1, Kai Wen1and Gui Lu Long1,2
1Key Laboratory for Quantum Information and Measurements and Department of Physics,
Tsinghua University, Beijing 100084, P. R. China
2Key Laboratory of Atomics and Molecular Nanosciences,
Tsinghua University, Beijing 100084, P R China
(Dated: February 1, 2008)
We prove the security of a high-capacity quantum key distribution protocol over noisy channels.
By using entanglement purification protocol, we construct a modified version of the protocol in
which we separate it into two consecutive stages. We prove their securities respectively and hence
the security of the whole protocol.
PACS numbers: 03.67.Dd,03.67.Hk
I. INTRODUCTION
Security has been one of the most important concerns
ever since people began to communicate. Many classical
cryptographic protocols are based on the computational
infeasibility of some mathematical problems such as the
factorization of large composite numbers, which will be
solved in a quantum computer using Shor’s algorithm[1].
Quantum cryptography, on the other hand, relies on the
principles of quantum mechanics, especially the uncer-
tainty principle and the no-cloning theorem[2], therefore
is provably secure. The quantum cryptography has cap-
tured more and more attention. It is mainly used in es-
tablishing secrete key between two parties. The scheme is
as follows: two participants, commonly called Alice and
Bob, share a quantum channel. They transmit quan-
tum states (generally refer to as qubits) which encode
classical information, and measure the qubits in certain
bases to get key code. Since interference introduced by
the eavesdropper, commonly known as Eve, will disturb
quantum states and can be detected, Alice and Bob will
share their messages while leaking little information to
Eve. Many quantum key distribution protocols (QKD)
have been proposed since the first protocol[3] published
by Bennet and Brassard, for instance in protocols in Refs.
[4, 5, 6, 7, 8, 9, 10, 11].
Security and efficiency are two principal factors in
QKD protocols. Since both the channel noise and eaves-
dropping can disturb the quantum states, a good defini-
tion of security requires a distinct differentiation between
them. One parameter of security serves this purpose.
Denoted as the tolerable bit error rate, it is defined as
follows: below this threshold, a QKD is secure by us-
ing quantum error correction and privacy amplification.
The fast development of QKD protocols requires explicit
proof of their securities over noisy channels. Mayers’s[12]
and Biham’s[13] work reach this end by complex cal-
culation. A different approach, by using entanglement
purification protocols (EPP) which can purify the EPR
pairs by sacrificing some of them[14], was proposed[15].
After that, many proofs with this basic idea have been
given[8, 16, 17, 18].
Efficiency is also an important parameter of QKD pro-
tocols. In this paper, we will concentrate on a theoret-
ically high-capacity QKD protocol[9].
achieved by adopting EPR pair which encodes 2 classical
bits.
The high-capacity protocol transmits an EPR sequence
in two steps, one particle sequence at a time, thus is pro-
tected against eavesdropping in ideal quantum channel
(that is, channel without noise).
error-resistant in noisy quantum channels, we apply the
method of Shor and Preskill[16] and add an EPP to the
protocol to construct a modified version so as to prove
its security. Our paper is organized as follows: in section
II, we specify the notations used in this paper. In sec-
tion III, we briefly review the high-capacity protocol and
outline the proof of security in ideal situations. In sec-
tion IV, we add security check procedures to the original
protocol and prove the first stage of the modified version
is secure. In section V, we prove the security of the sec-
ond stage of the modified high-capacity protocol. Then
we prove that this modified version is equivalent to the
original one and give a brief summary in section VI.
Its efficiency is
In order to make it
II.NOTATION
The notations used here are mostly the same as that
of the high-capacity protocol[9] and that of the Shor and
Preskill’s[16].
Bell bases are the four maximally entangled states:
|Φ±? =
1
√2(|00? ± |11?),|Ψ±? =
1
√2(|01? ± |10?).
(1)
We use |Φ+?, |Φ−?, |Ψ+? and |Ψ−? to represent 00, 01,
10 and 11 respectively.
The three Pauli matrices are:
σx=
?
0
1
1
0
?
,σy=
?
0
i
−i
0
?
,σz=
?
1
0
0
−1
?
.
(2)
They are used in the error checking process.
The Hadamard transform, H, is of the form:
H =
1
√2
?
1
1
1
−1
?
.
(3)

Page 2

2
It interchanges the basis |0?, |1? and |+?, |−?, where
|+? =
we will see in section IV, after randomly performs the
Hadamard gate, bit flip errors and phase flip errors would
be uncorrelated.
We introduce the Calderbank-Shor-Steane(CSS) code
in the entanglement purification process, a CSS code[16]
is defined as follows: C1and C2are two classical binary
codes which satisfy
1
√2(|0? + |1?) and |−? =
1
√2(|0? − |1?). In what
{0} ⊂ C2⊂ C1⊂ Fn
2is the binary space of n bits. C1and C⊥
correct up to t bit errors. A basis of the CSS code can
be built as follows, for v ∈ C1, define the vector
1
|C2|1/2
2
(4)
where Fn
2can
v →
?
ω∈C2
|v + ω? (5)
Notice that when v1−v2⊂ C2, they give the same code.
So the CSS code corresponds to the coset of C2 in C1.
Let H1and H2be the parity check matrix for the code
C1and C⊥
row r ∈ H1and σ[r]
can correct up to t bit errors.
2respectively. Then by measuring σ[r]
x for each row r ∈ H2, the CSS code
z for each
III. REVIEW OF THE HIGH-CAPACITY
PROTOCOL
The key point of the high-capacity protocol is that it
uses each EPR pair to encode 2 bits of key code. By
building an ordered EPR sequence and sending each half
in two steps from Alice to Bob, Alice and Bob can protect
their communication against most eavesdropping attacks.
Here we outline the high-capacity protocol[9].
Protocol 1: Theoretical efficient high-capacity Protocol
1. Alice produces an ordered N EPR pair sequence:
[(P1(1), P1(2)), (P2(1), P2(2)), ..., (Pi(1), Pi(2)),
..., (PN(1), PN(2))].
2. Then Alice takes one particle from each EPR pair
to form two ordered EPR partner particle se-
quences:[P1(1), P2(1), ..., PN(1)] and [P1(2),
P2(2), ..., PN(2)]. Alice sends to Bob one ordered
EPR partner particle sequence: [P1(2), P2(2), ...,
PN(2)].
3. After Bob receiving the ordered EPR partner par-
ticle sequence, randomly he chooses a sufficiently
large subset of his sequence and performs measure-
ment on the particles in the subset randomly in of
the two measuring-basis σzor σx. The result of this
measurement will be either 0 or 1. Bob stores the
rest of the particles of his EPR particle sequence.
4. Then Bob tells Alice through a classical channel his
reception of the particle sequence and the particles
that he has chosen to measure in a certain direction.
5. (First eavesdropping check.)
Bob, Alice then performs measurement on the part-
ner subset of those particles whose partner has been
measured by Bob. They then publicly compare
their results of these measurements to check eaves-
dropping.
After hearing from
6. If they are certain that there is no eavesdropping,
then Alice sends Bob the remaining EPR particle
sequence: [P1(1), P2(1), ..., PN(1)].
7. After Bob receives these N particles, he first drops
the particles that have been measured, then takes
one particle from each particle sequence in order
and performs Bell-basis measurement on them. He
records the results of the measurements.
8. (Second eavesdropping check.)
choose a sufficiently large subset of these Bell-basis
measurement results to determine if the QKD is
successful. If the error rate in this check is below a
certain threshold, then the results are taken as raw
key.
Alice and Bob
Unlike many other QKD protocols[3, 4, 5], in which
an EPR pair is used to encode one key bit, the high-
capacity protocol here encodes two bits, thus the capacity
is doubled.
As discussed in the original paper[9], this protocol is
secure in quantum channels without noise.
IV. THE FIRST STAGE OF THE MODIFIED
HIGH-CAPACITY PROTOCOL
From the review of the high-capacity protocol, we see
that it is an efficient protocol, but a critical questions
remains: how can this protocol protect against quantum
channel noise? In other words, how can Bob distinguish
between channel noise and eavesdropping, and can cor-
rect bit errors when necessary?
In this section, we add entanglement purification steps
to the first stage of the high-capacity protocol and prove
its security over noisy channels.
Protocol 2: Secure high-capacity Protocol(stage 1)
1. Alice produces an ordered N EPR pair sequence
according to a quaternary string a. More specifi-
cally, she creates |Φ+?, |Φ−?, |Ψ+? or |Ψ−? when
the corresponding ai = 0,1,2 or 3.
[(P1(1), P1(2)), (P2(1), P2(2)), ..., (Pi(1), Pi(2)),
..., (PN(1), PN(2))].
Thus build
2. Then Alice takes one particle from each EPR pair
to form two ordered EPR partner particle se-
quences:[P1(1), P2(1), ..., PN(1)] and [P1(2),
P2(2), ..., PN(2)]. She retains the first sequence.
3. Alice randomly chooses the bases of the second half
of the EPR pairs. More specifically, Alice selects a
random N binary string b and applies Hadamard

Page 3

3
transformation on Pi(2) when the corresponding
ith bit is 1.
4. Alice sends the second EPR sequence to Bob.
5. Bob receives the N qubits and publicly announces
the reception.
6. Alice randomly chooses n(n < N) bits as checking
bits and leaves the rest N − n bits unchanged.
7. Alice then tells Bob the bit string b and which n
bits are checking bits.
8. Bob performs Hadamard transformation on the
qubits where the corresponding components of a
are 1. They measure the n checking qubits in
|0?,|1? bases, if too many outcomes disagree, they
abort the protocol.
9. Alice and Bob applies a CSS code and makes σ[r]
according to each row r ∈ H1 and σ[r′]
to each row r′∈ H2to their EPR particles. They
compute the syndromes and make corrections in
order that they obtain k(k < N −n) nearly perfect
EPR pairs.
z
x
according
The above protocol is the first stage of the modified
version of the high-capacity protocol. We employ CSS
code here to purify the entangled states. Notice that the
vector space C1and C⊥
commutes. The measurement computes the error syn-
drome for bit flip and phase flip respectively, then after
the measurement, Alice and Bob can obtain k perfect
EPR pairs.
We next show that the bit and phase errors are un-
correlated. As noted by Lo and Chau[8], for a quantum
channel, the error rate can be expressed by a density ma-
trix diag(a,b,c,d), in which a, b, c and d represent the
probabilities of zero errors, bit flip errors, phase flip errors
and both bit and phase flip errors. As noted in section II,
the Hadamard transformation interchanges the basis |0?,
|1? and |+?, |−?, so it changes bit flip error to phase flip
error and vice versa. When N is large enough, there is
a high probability to haveN
21 in the binary string b, so
there are almost half Hadamard transforms operating on
the EPR pairs. Averaging over the two cases of Identity
and Hadamard, the effective density matrix shared by
Alice and Bob after the operation is diag(a,b+c
From this matrix, we can see that the Hadamard trans-
formation makes the bit flip error and the phase flip error
with equal probability and uncorrelated.
Because this modified high-capacity protocol uses CSS
code, it can successfully correct quantum state which dif-
fers from the input state (we denoted as |ψ?) less than
t bit flip errors and t phase flip errors. Since all the
measurements in this protocol commute under the Bell
states, we can use the classical method to calculate the
fidelity of the purified k EPR pairs. In the transmission,
2are orthogonal, so σ[r]
z and σ[r′]
x
2,b+c
2,d).
the error rates for the check bits and code bits are al-
most the same. And because Eve doesn’t know anything
about the check bits and the code bits, her interference is
also the same to these two sets. Then as (N − n) → ∞,
we can use classical probability theory to calculate the
fidelity, which will yield F(ρ,ψ) ≥ 1 − 2−s.
Applying the Lemma 1 and 2 of Lo and Chau[15], we
know that if Alice and Bob share a state with fidelity
greater than 1−2−swith input state ρ, then Eve’s mutual
information with the key would be exponentially small, so
the first stage of the modified version of the high-capacity
protocol is safe.
V.THE SECOND STAGE OF THE MODIFIED
HIGH-CAPACITY PROTOCOL
In this section, we prove that the second stage of the
protocol is secure too. This stage can be seen as a repe-
tition of the first stage, with a some variation as we list
below.
Protocol 2: Secure high-capacity Protocol(stage 2)
10. Alice has one ordered half of k perfect EPR particle
sequence: [P′
corresponding sequence: [P′
1(1), P′
2(1), ..., P′
k(1)] and Bob has the
1(2), P′
2(2), ..., P′
k(2)].
11. Alice randomly chooses the bases of her own halves
of the EPR pairs. To be more specific, Alice selects
a random k binary string b′and applies Hadamard
gates on Pi(1) when the corresponding ith bit is 1.
12. Alice sends her EPR sequence to Bob.
13. After receiving the sequence, Bob publicly an-
nounces this fact.
14. Alice then tells Bob the binary string b′.
15. Bob selects a sufficiently large subset among his
EPR pairs and measures them according to b′, if
too many results inconsistent, he aborts the com-
munication.
16. Bob performs entanglement purification in the
same way as in stage 1 to the remaining EPR pairs
to obtain m perfect EPR pairs.
17. Bob performs Bell-basis measurement to obtain the
secret key.
The proof of security of the stage 2 of protocol 2 is
similar to that of stage 1. So as discussed above, Eve can
know nothing about the pure EPR pairs in Bob’s hand,
then it is obvious that stage 2 is also unconditionally
secure.
Combining the previous two stages together, we will
see that by adding entanglement purification protocol to
the high-capacity protocol will protect it against quan-
tum channel noise.

Page 4

4
VI. CONCLUSION AND FURTHER
DISCUSSION
We have given the security proof of the high-capacity
QKD protocol by using the Shor-Preskill method. The
proof is divided into two stages. When the error rate is
below the threshold value, 11% for the one-way commu-
nication protocol as is true in our case, Alice and Bob
can still obtain a secure key by using entanglement pu-
rification.
This work is supported by the National Fundamental
Research Program Grant No. 001CB309308, China Na-
tional Natural Science Foundation Grant No. 10325521,
60433050, and the SRFDP program of Education Min-
istry of China.
[1] P. W. Shor, Algorithms for quantum computation: dis-
crete logarithms and factoring, in Proceedings, 35thAn-
nual Symposium on Foundations of Computer Science,
IEEE Press, Los Alamitos, CA, (1994).
[2] W. K. Wooters and W. H. Zurek, Nature 299, 802-803,
(1982).
[3] C. H. Bennet and G. Brassard, in Proceedings of the IEEE
International Conference on Computers, Systems and
Signal Processing, Bangalore, India, IEEE, New York,
(1984), pp. 175-179.
[4] A. Eken, Phys. Rev. Lett. 67, 661 (1991).
[5] C. H. Bennet, G. Brassard, and N. D. Mermin, Phys.
Rev. Lett. 68, 557 (1992)
[6] C. H. Bennett. Phys. Rev. Lett. 68, 3121 (1992).
[7] L. Goldenberg and L. Vaidman, Phys. Rev. Lett. 75, 1239
(1995).
[8] D. Bruβ, Phys. Rev. Lett. 81, 3018 (1998).
[9] G. L. Long and X. S. Liu, Phys. Pev. A 65, 032302 (2002)
[10] F. G. Deng and G. L. Long, Phys. Rev. A 68, 042315
(2003).
[11] F. G. Deng and G. L. Long, Phys. Rev. A 70, 012311
(2004).
[12] D. Mayers, in Advances in Cryptology-Proceedings of
Crypto ’96, Springer-Verlag, New York (1996), p.343.
[13] E. Biham, M. Boyer, P. O. Boykin, T. Mor and
V.Roychowdhury, in Proceedings of the Thirty-Second
Annual ACM Symposium on Theory of Computing, ACM
Press, New York (2000), p.715.
[14] C. H. Bennett, D. P. DiVincenzo, J. A. Smolin and
W. K. Wootters, Phys. Rev. A 54, 3824-3851 (1996);
quant-ph/9604024.
[15] H.-K. Lo and H. F. Chau, Science 283, 2050 (1999).
[16] P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441
(2000).
[17] D. Gottesman and H.-K. Lo, IEEE Trans. Inf. Theory
49, 457 (2003); quant-ph/0105121.
[18] H. F. Chau, Phys. Rev. A 66, 060302(R) (2002);
quant-ph/0205060.