Device-Independent Quantum Key Distribution: Difference between revisions

From Quantum Protocol Zoo
Jump to navigation Jump to search
No edit summary
 
(63 intermediate revisions by 4 users not shown)
Line 1: Line 1:
This [https://arxiv.org/abs/1811.07983 example protocol] implements the task of [[Quantum Key Distribution]] (QKD) without relying on any particular description of the underlying hardware system. The protocol enables two parties to establish a classical secret key by distributing an entangled quantum state and checking for the violation of a [[Bell inequality]] in order to certify the security. The output of the protocol is a classical secret key which is completely unknown to any third party, namely an eavesdropper.


A device-independent quantum key distribution protocol implements the task of [[Quantum Key Distribution]] (QKD) without relying on any particular description of the underlying system. The protocol enables two parties, Alice and Bob, to establish a classical secret key by distributing an entangled quantum state and checking for the violation of a [[Bell inequality]] in order to certify the security. The output of the protocol is a classical secret key which is completely unknown to any third party, namely an eavesdropper.
'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]],[[Quantum Key Distribution]], [[BB84 Quantum Key Distribution|BB84 QKD]], [[Category:Multi Party Protocols]] [[Category:Quantum Enhanced Classical Functionality]][[Category:Specific Task]][[Category:Entanglement Distribution Network stage]]
 
'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]],[[Quantum Key Distribution]], [[BB84 Quantum Key Distribution|BB84 QKD]], [[Category:Multi Party Protocols]] [[Category:Quantum Enhanced Classical Functionality]][[Category:Specific Task]][[Category:Entanglement Distribution Network Stage]]
==Assumptions==
==Assumptions==
* We assume the existence of an authenticated public classical channel between the two parties
* '''Network:''' we assume the existence of an authenticated public classical channel between Alice and Bob.
* We assume synchronous network between parties
* '''Timing:''' we assume that the network is synchronous.
* We assume security from [[coherent attacks]]
* '''Adversarial model:''' [[coherent attacks]].


==Outline==
==Outline==
A DIQKD protocol is composed by the following steps:
A DIQKD protocol is composed by the following steps:
*'''Distribution:''' For each round of the distribution phase:
* The first phase of the protocol is called distribution. For each round of this phase:
** Alice uses the source to prepare a maximally entangled state and send half of the state to Bob.
** Alice uses the source to prepare a maximally entangled state and send half of the state to Bob.
** Upon receiving the state, Bob announces that he received it, and they both use their respective devices to measure the quantum systems. They record their output in a string of bits.
** Upon receiving the state, Bob announces that he received it, and they both use their respective devices to measure the quantum systems. They record their output in a string of bits.
A second phase where Alice and Bob publicly exchange classical information in order to perform [[error correction]], where they correct their strings generating the raw keys, and [[parameter estimation]], where they estimate the parameters of interest. At the end of this phase Alice and Bob are supposed to share the same $n$-bit string and have an estimate of how much knowledge an eavesdropper might have about their raw key.
The second phase is when Alice and Bob publicly exchange classical information in order to perform [[error correction]], where they correct their strings generating the raw keys, and [[parameter estimation]], where they estimate the parameters of interest. At the end of this phase Alice and Bob are supposed to share the same <math>n</math>-bit string and have an estimate of how much knowledge an eavesdropper might have about their raw key.
* In the final phase, Alice and Bob perform [[privacy amplification]], where the not fully secure <math>n</math>-bit strings are mapped into smaller strings <math>K_A</math> and <math>K_B</math>, which represents the final keys of Alice and Bob respectively.
* In the final phase, Alice and Bob perform [[privacy amplification]], where the not fully secure <math>n</math>-bit strings are mapped into smaller strings <math>K_A</math> and <math>K_B</math>, which represents the final keys of Alice and Bob respectively.


==Hardware Requirements ==
==Requirements ==
*'''Network Stage:''' [[:Category: Entanglement Distribution Network Stage|Entanglement Distribution]]
*'''Network Stage:''' [[:Category:Entanglement Distribution Network stage| Entanglement Distribution]][[Category:Entanglement Distribution Network stage]]
*'''Relevant Network Parameters:''' <math>\epsilon_T, \epsilon_M</math> (see [[:Category: Entanglement Distribution Network Stage|Entanglement Distribution]])
*'''Relevant Network Parameters:''' transmission error <math>\epsilon_T</math>, measurement error <math>\epsilon_M</math> (see [[:Category:Entanglement Distribution Network stage| Entanglement Distribution]]).
*'''Benchmark values:'''
** Minimum number of rounds ranging from <math>\mathcal{O}(10^6)</math> to <math>\mathcal{O}(10^{12})</math> depending on the network parameters<math>\epsilon_T,\epsilon_M</math>, for commonly used security parameters.
** <math>QBER \leq 0.071</math>, taking a depolarizing model as benchmark. Parameters satisfying <math>\epsilon_T+\epsilon_M\leq 0.071</math> are sufficient to asymptotically get positive secret key rate.
* Distribution of Bell pairs, and measurement in three different bases (two basis on Alice's side and three basis on Bob's side).
* Distribution of Bell pairs, and measurement in three different bases (two basis on Alice's side and three basis on Bob's side).
* Minimum number of rounds ranging from <math>\mathcal{O}(10^6)</math> to <math>\mathcal{O}(10^{12})</math> depending on the network parameters, for commonly used secure parameters.
* Requires [[random number generator]].
* <math>QBER \leq 0.071</math>, taking a depolarizing model as benchmark. Parameters satisfying <math>\epsilon_T+\epsilon_M\leq 0.071</math> are sufficient.
 
* [[Authenticated classical channel]].
==Knowledge Graph==
* [[Random number generator]].
 
{{graph}}


==Notations Used==
==Notation==
* <math>n</math> expected number of rounds
* <math>n</math> expected number of rounds
* The total number of rounds <math>n</math> is divided in to <math>m</math> blocks of size upper-bounded by <math>s_{\max}</math>.
* <math>l</math> final key length  
* <math>l</math> final key length  
* <math>\gamma</math> fraction of test rounds  
* <math>\gamma</math> fraction of test rounds  
Line 40: Line 44:
* <math>\epsilon_{PA}</math> error probability of the privacy amplification protocol  
* <math>\epsilon_{PA}</math> error probability of the privacy amplification protocol  
* <math>\mbox{leak}_{EC}</math> leakage in the error correction protocol
* <math>\mbox{leak}_{EC}</math> leakage in the error correction protocol
* For any registers <math>(Z_i)_{i \in \mathbb{N}}</math>, we use <math>Z_j^k,\ (j\leq k)</math> as a shorthand notation for the string <math>Z_j,\ldots,Z_k</math>.
==Properties==
==Properties==
Either Protocol (see [[Device Independent Quantum Key Distribution#Pseudo-code|Pseudo-code]]) abort with probability higher than <math>1-(\epsilon_{EA}+\epsilon_{EC})</math>, or it generates a</br>
Either the protocol (see [[Device Independent Quantum Key Distribution#Pseudocode|Pseudocode]]) aborts with probability higher than <math>1-(\epsilon_{EA}+\epsilon_{EC})</math>, or it generates a</br>
<math>(2\epsilon_{EC}+\epsilon_{PA}+\epsilon_s)</math>-correct-and-secret key  of length</br>
<math>(2\epsilon_{EC}+\epsilon_{PA}+\epsilon_s)</math>-correct-and-secret key  of length [[Device-Independent Quantum Key Distribution #References| [7] ]]</br>
<math>l\geq \frac{{n}}{\bar{s}}\eta_{opt} -\frac{{n}}{\bar{s}}h(\omega_{exp}-\delta_{est}) -\sqrt{\frac{{n}}{\bar{s}}}\nu_1  -\mbox{leak}_{EC}</math></br>
<math>
<math>-3\log\Bigg(1-\sqrt{1-\Bigg(\frac{\epsilon_s}{4(\epsilon_{EA} + \epsilon_{EC})}\Bigg)^2}\Bigg)+2\log\Bigg(\frac{1}{2\epsilon_{PA}}\Bigg)</math>,</br>
\begin{align}
where <math>\mbox{leak}_{EC}</math> is the leakage due to error correction step and the functions <math>\bar{s}</math>, <math>\eta_{opt}</math>, <math>\nu_1</math> and <math>\nu_2</math> are specified in below.
l\geq \frac{{n}}{\bar{s}}\eta_{opt} -\frac{{n}}{\bar{s}}h(\omega_{exp}-\delta_{est}) -\sqrt{\frac{{n}}{\bar{s}}}\nu_1  -\mbox{leak}_{EC} -3\log\Bigg(1-\sqrt{1-\Bigg(\frac{\epsilon_s}{4(\epsilon_{EA} + \epsilon_{EC})}\Bigg)^2}\Bigg)+2\log\Bigg(\frac{1}{2\epsilon_{PA}}\Bigg),
The security parameters of the error correction protocol, <math>\epsilon_{EC}</math> and <math>\epsilon'_{EC}</math>, mean that if the error correction step in Protocol 1 does not abort, then <math>K_A=K_B</math> with probability at least <math>1-\epsilon_{EC}</math>, and for an honest implementation, the error correction protocol aborts with probability at most <math>\epsilon'_{EC}+\epsilon_{EC}</math>.
\end{align}
</math></br>
where <math>\mbox{leak}_{EC}</math> is the leakage due to error correction step and the functions <math>\bar{s}</math>, <math>\eta_{opt}</math>, <math>\nu_1</math> and <math>\nu_2</math> are specified below.
The security parameters of the error correction protocol, <math>\epsilon_{EC}</math> and <math>\epsilon'_{EC}</math>, mean that if the error correction step of the protocol (see below) does not abort, then <math>K_A=K_B</math> with probability at least <math>1-\epsilon_{EC}</math>, and for an honest implementation, the error correction protocol aborts with probability at most <math>\epsilon'_{EC}+\epsilon_{EC}</math>.  
*<math>\bar{s}=\frac{1-(1-\gamma)^{\left\lceil \frac{1}{\gamma} \right\rceil}}{\gamma}</math>
*<math>\bar{s}=\frac{1-(1-\gamma)^{\left\lceil \frac{1}{\gamma} \right\rceil}}{\gamma}</math>
*<math>\eta_{opt}=\max_{\frac{3}{4}<\frac{{p}_t(1)}{1-(1-\gamma)^{s_{max}}}<\frac{2+\sqrt{2}}{4}} \De{F_{\min}(\vec{p},\vec{p}_t)-\frac{1}{\sqrt{m}}\nu_2}</math>
*<math>\eta_{opt}=\max_{\frac{3}{4}<\frac{{p}_t(1)}{1-(1-\gamma)^{s_{max}}}<\frac{2+\sqrt{2}}{4}} \Bigg(F_{\min}(\vec{p},\vec{p}_t)-\frac{1}{\sqrt{m}}\nu_2\Bigg)</math>
*<math>F_{\min}(\vec{p},\vec{p}_t) = \frac{d}{d {p}(1)}g(\vec{p}) \Big|_{\vec{p}_t}\cdot {p}(1)+\de{ g(\vec{p}_t)- \frac{d}{d{p}(1)}g(\vec{p})\Big|_{\vec{p}_t}\cdot {p}_t(1) }</math>
*<math>F_{\min}(\vec{p},\vec{p}_t) = \frac{d}{d {p}(1)}g(\vec{p}) \Big|_{\vec{p}_t}\cdot {p}(1)+\Bigg( g(\vec{p}_t)- \frac{d}{d{p}(1)}g(\vec{p})|_{\vec{p}_t}\cdot {p}_t(1) \Bigg)</math>
*<math>g({\vec{p}}) = {s}\De{1-h\de{\frac{1}{2}+\frac{1}{2}\sqrt{16\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}}\de{\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}} -1}+3 } }}</math>
*<math>g({\vec{p}}) = {s}\Bigg(1-h\Bigg(\frac{1}{2}+\frac{1}{2}\sqrt{16\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}}\Bigg(\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}} -1\Bigg)+3} \Bigg)\Bigg)</math>
*<math>\nu_2 =2 \de{\log\de{1+2\cdot 2^{s_{\max}}3}+\left\lceil \frac{d}{d{p}(1)}g(\vec{p})\big|_{\vec{p}_t}\right\rceil}\sqrt{1-2\log \epsilon_s}</math>
*<math>\nu_2 =2 \Bigg(\log(1+6\cdot 2^{s_{\max}}})+\left\lceil \frac{d}{d{p}(1)}g(\vec{p})\big|_{\vec{p}_t}\right\rceil\Bigg)\sqrt{1-2\log \epsilon_s </math>
*<math>\nu_1=2 \de{\log 7 +\left\lceil\frac{|h'(\omega_{exp}+\delta_{est})|}{1-(1-\gamma)^{s_{\max}}}\right\rceil}\sqrt{1-2\log\epsilon_s}</math>
*<math>\nu_1=2 \Big(\log 7 +\left\lceil\frac{|h'(\omega_{exp}+\delta_{est})|}{1-(1-\gamma)^{s_{\max}}}\right\rceil\Big)\sqrt{1-2\log\epsilon_s}</math>


==Pseudo Code==
==Protocol Description==
*'''Input:'''<math>n, \gamma, \epsilon_{\rm PA},\epsilon_{\rm PE},\epsilon_{\rm EC},\epsilon'_{\rm EC},Q_Z</math>
*'''Input: '''<math> n, \delta</math></br>
*'''Output:'''<math>K_A, K_B</math>
*'''Output: '''<math> K_A, K_B</math></br>
<u>'''Stage 1'''</u> Distribution and measurement
'''1.''' Distribution and measurement</br>
#For i=1,2,...,n
#'''For''' every block <math> j \in [m]</math>
##  Sender chooses random bits <math>X_i\epsilon\{0,1\}</math> and <math>A_i\epsilon_R\{0,1\}</math> such that <math>P(X_i=1)=\gamma</math>
##Set <math>i=0</math> and <math>C_j=\bot</math>.
## Sender prepares <math>H^{X_i}|A_i\rangle</math> and sends it to Bob
##'''While''' <math>i \leq s_{max}</math>
## Receiver announces receiving a state
###Set <math>i=i+1</math>
## Receiver chooses bit <math>Y_i\in_R\{0,1\}</math> such that <math>P(Y_i=1)=\gamma</math>
### Alice and Bob choose a random bit <math>T_i \in \{0,1\}</math> such that <math>P(T_i=1)=\gamma</math>.
## Receiver measures <math>H^{X_i}|A_i\rangle</math> in basis <math>\{H^{Y_i}|0\rangle, H^{Y_i}|1\rangle\}</math> with outcome <math>B_i</math>
### '''If''' <math>T_i=0</math> '''then''' Alice and Bob choose inputs <math>(X_i, Y_i)=(0,2)</math>.
 
### '''Else''' they choose  <math>X_i ,Y_i \in \{0,1\}</math>.
*At this stage Sender holds strings <math>X_1^n, A_1^n</math> and Receiver <math>Y_1^n, B_1^n</math>, all of length <math>n</math>
### Alice and Bob use their devices with the respective inputs and record their outputs, <math>A_i</math> and <math>B_i</math> respectively.
<u>'''Stage 2'''</u> Sifting 
### '''If''' <math>T_i=1</math> they  set <math>i=s_{max}+1</math>.</br>
#Alice and Bob publicly announce <math>X_1^n, Y_1^n</math>
''At this point Alice holds strings <math>X_1^n, A_1^n</math> and Bob <math>Y_1^n, B_1^n</math>, all of length <math>n</math>.''
#For i=1,2,....,n
## If <math>X_i=Y_i</math>
### <math>A_1^{n'} = A_1^{n'}.</math>append</math>(A_i)</math>
### <math>B_1^{n'} = B_1^{n'}.</math>append<math>(B_i)</math>
### <math>X_1^{n'} = X_1^{n'}.</math>append<math>(X_i)</math>
### <math>Y_1^{n'} = Y_1^{n'}.</math>append<math>(Y_i)</math>
*Now Sender holds strings <math>X_1^{n'}, A_1^{n'}</math> and Receiver <math>Y_1^{n'}, B_1^{n'}</math>, all of length <math>n'\leq n</math>
<u>'''Stage 3'''</u> Parameter estimation
#For <math>i=1,...,n</math>
## size<math>Q</math> = 0
## If{<math>X_i = Y_i = 1</math>
### Sender and Receiver publicly announce <math>A_i, B_i</math>
### Sender and Receiver compute <math>Q_i = 1 - \delta_{A_iB_i}</math>, where <math>\delta_{A_iB_i}</math> is the Kronecker delta
## size<math>Q</math> += 1\;


*Both Sender and Receiver, each, compute <math>Q_X = \frac{1}{\text{size}Q} \sum_{i=1}^{n'}Q_i</math></br>
'''2.''' Error Correction
<u>'''Stage 4'''</u> Error correction
 
*''<math>C(\cdot,\cdot)</math> is an error correction subroutine determined by the previously estimated value of <math>Q_Z</math> and with error parameters  <math>\epsilon'_{\rm EC}</math> and <math>\epsilon_{\rm EC}</math>
''Alice and Bob apply the error correction protocol <math>EC</math> (see [[BB84 Quantum Key Distribution #References| [5]]]) , communicating script <math>O_{EC}</math> in the process. ''
#Both Sender and Receiver run <math>C(A_1^{n'},B_1^{n'})</math>''.  
# '''If''' <math>EC</math> aborts, they abort the protocol
#Receiver obtains <math>\tilde{B}_1^{n'}</math>
# '''Else''' they obtain raw keys <math>\tilde{A}_1^n</math> and <math>\tilde{B}_1^n</math>.
<u>'''Stage 5'''</u> Privacy amplification
*''<math>PA(\cdot,\cdot)</math> is a privacy amplification subroutine determined by the size <math>\ell</math>, computed from equation for key length <math>\ell</math> (see [[Quantum Key Distribution#Properties|Properties]]), and with secrecy parameter <math>\epsilon_{\rm PA}</math>''
'''3.''' Parameter estimation
#Sender and Receiver run $PA(A_1^{n'},\tilde{B}_1^{n'})$ and obtain secret keys $K_A, K_B$\;
 
#Using <math>B_1^n</math> and <math>\tilde{B}_1^n</math>, Bob sets <math>C_i</math>
##'''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i=X_i\cdot Y_i</math> '''then''' <math>C_i=1</math>  
##'''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i\neq X_i\cdot Y_i</math> '''then''' <math>C_i=0</math>
## '''If''' <math>T_i=0</math> '''then''' <math>C_i=\bot</math>
# Bob aborts '''If''' <math>\sum_j C_{j}<m\times (\omega_{exp}-\delta_{est})(1-(1-\gamma)^{s_{\max}})</math>, i.e., if they do not achieve the expected violation.
''For the summation in 3.2 we use the convention that <math>\forall x\in \{0,1,\bot\},\ x+\bot=\bot+x=x</math>, that is <math>\bot</math> acts as <math>0</math> with respect to the addition.''
 
'''4.''' Privacy amplification
 
<math>PA(\cdot,\cdot)</math> ''is a privacy amplification subroutine'' (see [[BB84 Quantum Key Distribution #References| [6]]])
# Alice and Bob run <math>PA(A_1^{n'},\tilde{B}_1^{n'})</math> and obtain secret keys <math>K_A, K_B</math>;


==Further Information==
==Further Information==
# [https://core.ac.uk/download/pdf/82447194.pdf BB(1984)] introduces the BB84 protocol, as the name says, by Charles Bennett and Gilles Brassard.
 
# [https://quantum-journal.org/papers/q-2017-07-14-14/ TL(2017)] The derivation of the key length in [[BB84 Quantum Key Distribution#Properties|Properties]], combines the techniques developed in this article and minimum leakage error correcting codes.
 
# [https://tspace.library.utoronto.ca/bitstream/1807/10010/1/Lo_6438_2610.pdf GL03] gives an extended analysis of the BB84 in the finite regime.
#[https://doi.org/10.1103/PhysRevLett.98.230501 Acín et al. (2007)] gives the first security proof of device-independent QKD against [[collective attacks]].
# Sifting: the BB84 protocol can also be described in a symmetric way. This means that the inputs <math>0</math> and <math>1</math> are chosen with the same probability. In that case only <math>1/2</math> of the generated bits are discarded during the sifting process. Indeed, in the symmetric protocol, Alice and Bob measure in the same basis in about half of the rounds.  
#[https://doi.org/10.1103/PhysRevLett.113.140501 Vazirani and Vidick (2014)] gives the first security proof of device-independent QKD against [[coherent attacks]].
# [https://dl.acm.org/citation.cfm?id=1058094 LCA05] the asymmetric protocol was introduced to make this more efficient protocol presented in this article.
#[https://www.nature.com/articles/s41467-017-02307-4 Arnon-Friedman et al. (2018)] &  [https://epubs.siam.org/doi/10.1137/18M1174726 Arnon-Friedman et al. (2019)] simplify and tighten security proofs of device-independent QKD against [[coherent attacks]].
# A post-processing of the key using 2-way classical communication, denoted [[Advantage distillation]], can increase the QBER tolarance  up to <math>18.9\%</math> (3).
#[https://arxiv.org/abs/1903.10535 Tan et al. (2019)] shows that post-processing of the key using 2-way classical communication, denoted [[advantage distillation]], can increase the QBER tolerance up to <math>9.1\%</math>.
# We remark that in [[BB84 Quantum Key Distribution#Pseudo Code|Pseudo Code]], the QBER in the <math>Z</math> basis is not estimated during the protocol. Instead Alice and Bob make use of a previous estimate for the value of <math>Q_Z</math> and the error correction step, Step 4 in the pseudo-code, will make sure that this estimation is correct. Indeed, if the real QBER is higher than the estimated value <math>Q_Z</math>, [[BB84 Quantum Key Distribution#Pseudo Code|Pseudo Code]] will abort in the Step 4 with very high probability.
#[https://doi.org/10.1007/3-540-48285-7_35 Secret-Key Reconciliation by Public Discussion]
# The BB84 can be equivalently implemented by distributing [[EPR pairs]] and Alice and Bob making measurements in the <math>Z</math> and <math>X</math> basis, however this required a [[entanglement distribution]] network stage.
#[https://arxiv.org/abs/quant-ph/0512258 Security of Quantum Key Distribution]
#[https://arxiv.org/abs/1811.07983.pdf Towards a realization of device-independent quantum key distribution]
 
<div style='text-align: right;'>''contributed by Gláucia Murta''</div>

Latest revision as of 15:36, 4 November 2019

This example protocol implements the task of Quantum Key Distribution (QKD) without relying on any particular description of the underlying hardware system. The protocol enables two parties to establish a classical secret key by distributing an entangled quantum state and checking for the violation of a Bell inequality in order to certify the security. The output of the protocol is a classical secret key which is completely unknown to any third party, namely an eavesdropper.

Tags: Two Party, Quantum Enhanced Classical Functionality, Specific Task,Quantum Key Distribution, BB84 QKD,

Assumptions[edit]

  • Network: we assume the existence of an authenticated public classical channel between Alice and Bob.
  • Timing: we assume that the network is synchronous.
  • Adversarial model: coherent attacks.

Outline[edit]

A DIQKD protocol is composed by the following steps:

  • The first phase of the protocol is called distribution. For each round of this phase:
    • Alice uses the source to prepare a maximally entangled state and send half of the state to Bob.
    • Upon receiving the state, Bob announces that he received it, and they both use their respective devices to measure the quantum systems. They record their output in a string of bits.
  • The second phase is when Alice and Bob publicly exchange classical information in order to perform error correction, where they correct their strings generating the raw keys, and parameter estimation, where they estimate the parameters of interest. At the end of this phase Alice and Bob are supposed to share the same -bit string and have an estimate of how much knowledge an eavesdropper might have about their raw key.
  • In the final phase, Alice and Bob perform privacy amplification, where the not fully secure -bit strings are mapped into smaller strings and , which represents the final keys of Alice and Bob respectively.

Requirements[edit]

  • Network Stage: Entanglement Distribution
  • Relevant Network Parameters: transmission error , measurement error (see Entanglement Distribution).
  • Benchmark values:
    • Minimum number of rounds ranging from to depending on the network parameters, for commonly used security parameters.
    • , taking a depolarizing model as benchmark. Parameters satisfying are sufficient to asymptotically get positive secret key rate.
  • Distribution of Bell pairs, and measurement in three different bases (two basis on Alice's side and three basis on Bob's side).
  • Requires random number generator.

Knowledge Graph[edit]

Notation[edit]

  • expected number of rounds
  • The total number of rounds is divided in to blocks of size upper-bounded by .
  • final key length
  • fraction of test rounds
  • quantum bit error rate
  • CHSH violation
  • expected winning probability on the CHSH game in an honest implementation
  • width of the statistical interval for the Bell test
  • confidence interval for the Bell test
  • smoothing parameter
  • error probabilities of the error correction protocol
  • error probability of Bell violation estimation.
  • error probability of Bell violation estimation.
  • error probability of the privacy amplification protocol
  • leakage in the error correction protocol
  • For any registers , we use as a shorthand notation for the string .

Properties[edit]

Either the protocol (see Pseudocode) aborts with probability higher than , or it generates a
-correct-and-secret key of length [7]

where is the leakage due to error correction step and the functions , , and are specified below. The security parameters of the error correction protocol, and , mean that if the error correction step of the protocol (see below) does not abort, then with probability at least , and for an honest implementation, the error correction protocol aborts with probability at most .

Protocol Description[edit]

  • Input:
  • Output:

1. Distribution and measurement

  1. For every block
    1. Set and .
    2. While
      1. Set
      2. Alice and Bob choose a random bit such that .
      3. If then Alice and Bob choose inputs .
      4. Else they choose .
      5. Alice and Bob use their devices with the respective inputs and record their outputs, and respectively.
      6. If they set .

At this point Alice holds strings and Bob , all of length .

2. Error Correction

Alice and Bob apply the error correction protocol (see [5]) , communicating script in the process.

  1. If aborts, they abort the protocol
  2. Else they obtain raw keys and .

3. Parameter estimation

  1. Using and , Bob sets
    1. If and then
    2. If and then
    3. If then
  2. Bob aborts If , i.e., if they do not achieve the expected violation.

For the summation in 3.2 we use the convention that , that is acts as with respect to the addition.

4. Privacy amplification

is a privacy amplification subroutine (see [6])

  1. Alice and Bob run and obtain secret keys ;

Further Information[edit]

  1. Acín et al. (2007) gives the first security proof of device-independent QKD against collective attacks.
  2. Vazirani and Vidick (2014) gives the first security proof of device-independent QKD against coherent attacks.
  3. Arnon-Friedman et al. (2018) & Arnon-Friedman et al. (2019) simplify and tighten security proofs of device-independent QKD against coherent attacks.
  4. Tan et al. (2019) shows that post-processing of the key using 2-way classical communication, denoted advantage distillation, can increase the QBER tolerance up to .
  5. Secret-Key Reconciliation by Public Discussion
  6. Security of Quantum Key Distribution
  7. Towards a realization of device-independent quantum key distribution
contributed by Gláucia Murta