BB84 Quantum Key Distribution

This example protocol implements the task of Quantum Key Distribution (QKD). The protocol enables two parties to establish a classical secret key by preparing and measuring qubits. The output of the protocol is a classical secret key which is completely unknown to any third party, namely an eavesdropper.

Assumptions

• Network: we assume the existence of an authenticated public classical channel between Alice and Bob.
• Timing: we assume that the network is synchronous.

Outline

The protocol shares a classical key between two parties, Alice and Bob. The BB84 quantum key distribution protocol consists of the following steps:

• Distribution: This step involves preparation, exchange and measurement of quantum states. For each round of the distribution phase, Alice randomly chooses a basis (a pair of orthogonal states) out of two available bases (X and Z). She then randomly chooses one of the two states and prepares the corresponding quantum state in the chosen basis. She sends the prepared state to Bob. Upon receiving the state, Bob announces that he received the state and randomly chooses to measure in the either of the two available bases (X or Z). The outcomes of the measurements give Bob a string of classical bits. The two parties repeat the above procedure ${\displaystyle n}$ times so that at the end of the distribution phase each of them holds an ${\displaystyle n}$-bit string.
• Sifting: Alice and Bob publicly announce their choices of basis and compare them. They discard the rounds in which Bob measured in a different basis than the one prepared by Alice.
• Parameter estimation: Alice and Bob use a fraction of the remaining rounds (in which both measured in the same basis) in order to estimate the quantum bit error rate (QBER).
• Error correction: Alice and Bob choose a classical error correcting code and publicly communicate in order to correct their string of bits. At the end of this phase Alice and Bob hold the same bit-string.
• Privacy amplification: Alice and Bob use an extractor on the previously established string to generate a smaller but completely secret string of bits, which is the final key.

Requirements

• Network Stage: Prepare and Measure
• Relevant Network Parameters: transmission error ${\displaystyle \epsilon _{T}}$, measurement error ${\displaystyle \epsilon _{M}}$ (see Prepare and Measure)
• Benchmark values:
• Minimum number of rounds ranging from ${\displaystyle {\mathcal {O}}(10^{2})}$ to ${\displaystyle {\mathcal {O}}(10^{5})}$ depending on the network parameters ${\displaystyle \epsilon _{T},\epsilon _{M}}$, for commonly used security parameters.
• ${\displaystyle QBER\leq 0.11}$, taking a depolarizing model as benchmark. Parameters satisfying ${\displaystyle \epsilon _{T}+\epsilon _{M}\leq 0.11}$ are sufficient to asymptotically get positive secret key rate.
• requires random number generator.

Notation

• ${\displaystyle n}$ number of total rounds of the protocol.
• ${\displaystyle \ell }$ size of the secret key.
• ${\displaystyle X_{i},Y_{i}}$ bits of input of Alice and Bob, respectively, that define the measurement basis.
• ${\displaystyle A_{i},B_{i}}$ bits of output of Alice and Bob, respectively.
• ${\displaystyle Z_{1}^{n}}$ is a shorthand notation for the string ${\displaystyle Z_{1},\ldots ,Z_{n}}$.
• ${\displaystyle K_{A},K_{B}}$ final key of Alice and Bob, respectively.
• ${\displaystyle Q_{X}}$ is the quantum bit error rate QBER in the ${\displaystyle X}$ basis.
• ${\displaystyle Q_{Z}}$ is the quantum bit error rate QBER in the ${\displaystyle Z}$ basis estimated prior to the protocol.
• ${\displaystyle H}$ is the Hadamard gate. ${\displaystyle H^{0}=I,H^{1}=H}$.
• ${\displaystyle \gamma }$ is the probability that Alice (Bob) prepares (measures) a qubit in the ${\displaystyle X}$ basis.
• ${\displaystyle \epsilon _{\rm {EC}}}$, ${\displaystyle \epsilon '_{\rm {EC}}}$ are the error probabilities of the error correction protocol.
• ${\displaystyle \epsilon _{\rm {PA}}}$ is the error probability of the privacy amplification protocol.
• ${\displaystyle \epsilon _{\rm {PE}}}$ is the error probability of the parameter estimation.

Properties

The protocol implements ${\displaystyle (n,\epsilon _{\rm {corr}},\epsilon _{\rm {sec}},\ell )}$-QKD, which means that it generates an ${\displaystyle \epsilon _{\rm {corr}}}$-correct, ${\displaystyle \epsilon _{\rm {sec}}}$-secret key of length ${\displaystyle \ell }$ in ${\displaystyle n}$ rounds. The security parameters of this protocol are given by ${\displaystyle \epsilon _{\rm {corr}}=\epsilon _{\rm {EC}},\ \epsilon _{\rm {sec}}=\epsilon _{\rm {PA}}+\epsilon _{\rm {PE}},}$ and the amount of key ${\displaystyle \ell }$ that is generated is given by
{\displaystyle {\begin{aligned}\ell \geq &(1-\gamma )^{2}n(1-h(Q_{X}+\nu )-h(Q_{Z}))\\&-{\sqrt {(1-\gamma )^{2}n}}{\big (}4\log(2{\sqrt {2}}+1)({\sqrt {\log {\frac {2}{\epsilon _{\rm {PE}}^{2}}}}}+{\sqrt {\log {\frac {8}{{\epsilon '}_{\rm {EC}}^{2}}}}}))\\&-\log({\frac {8}{{\epsilon '}_{\rm {EC}}^{2}}}+{\frac {2}{2-\epsilon '_{\rm {EC}}}})-\log({\frac {1}{\epsilon _{\rm {EC}}}})-2\log({\frac {1}{2\epsilon _{\rm {PA}}}})\end{aligned}}}
where ${\displaystyle \nu ={\sqrt {{\frac {(1+\gamma ^{2}n)((1-\gamma )^{2}+\gamma ^{2})}{(1-\gamma )^{2}\gamma ^{4}n^{2}}}\log({\frac {1}{\epsilon _{\rm {PE}}}}}})}$ and ${\displaystyle h(\cdot )}$ is the binary entropy function.

In the above equation for key length, the parameters ${\displaystyle \epsilon _{\rm {EC}}}$ and ${\displaystyle \epsilon '_{\rm {EC}}}$ are error probabilities of the classical error correction subroutine. At the end of the error correction step, if the protocol does not abort, then Alice and Bob share equal strings of bits with probability at least ${\displaystyle 1-\epsilon _{\rm {EC}}}$. The parameter ${\displaystyle \epsilon '_{\rm {EC}}}$ is related with the completeness of the error correction subroutine, namely that for an honest implementation, the error correction protocol aborts with probability at most ${\displaystyle \epsilon '_{\rm {EC}}+\epsilon _{\rm {EC}}}$. The parameter ${\displaystyle \epsilon _{\rm {PA}}}$ is the error probability of the privacy amplification subroutine and ${\displaystyle \epsilon _{\rm {PE}}}$ is the error probability of the parameter estimation subroutine used to estimate ${\displaystyle Q_{X}}$ (see Quantum Key Distribution for the precise security definition).

Protocol Description

• Input:${\displaystyle n,\gamma ,\epsilon _{\rm {PA}},\epsilon _{\rm {PE}},\epsilon _{\rm {EC}},\epsilon '_{\rm {EC}},Q_{Z}}$
• Output:${\displaystyle K_{A},K_{B}}$

1. Distribution and measurement

1. For ${\displaystyle i=1,...,n}$
1. Alice chooses random bits ${\displaystyle X_{i}\in \{0,1\}}$ and ${\displaystyle A_{i}\in _{R}\{0,1\}}$ such that ${\displaystyle P(X_{i}=1)=\gamma }$
2. Alice prepares ${\displaystyle H^{X_{i}}|A_{i}\rangle }$ and sends it to Bob
3. Bob announces receiving a state
4. Bob chooses bit ${\displaystyle Y_{i}\in _{R}\{0,1\}}$ such that ${\displaystyle P(Y_{i}=1)=\gamma }$
5. Bob measures ${\displaystyle H^{X_{i}}|A_{i}\rangle }$ in basis ${\displaystyle \{H^{Y_{i}}|0\rangle ,H^{Y_{i}}|1\rangle \}}$ with outcome ${\displaystyle B_{i}}$

At this stage Alice holds strings ${\displaystyle X_{1}^{n},A_{1}^{n}}$ and Bob ${\displaystyle Y_{1}^{n},B_{1}^{n}}$, all of length ${\displaystyle n}$.

2. Sifting

1. Alice and Bob publicly announce ${\displaystyle X_{1}^{n},Y_{1}^{n}}$
2. For ${\displaystyle i=1,...,n}$
1. If ${\displaystyle X_{i}=Y_{i}}$
1. ${\displaystyle A_{1}^{n'}=A_{1}^{n'}.}$append${\displaystyle (A_{i})}$
2. ${\displaystyle B_{1}^{n'}=B_{1}^{n'}.}$append${\displaystyle (B_{i})}$
3. ${\displaystyle X_{1}^{n'}=X_{1}^{n'}.}$append${\displaystyle (X_{i})}$
4. ${\displaystyle Y_{1}^{n'}=Y_{1}^{n'}.}$append${\displaystyle (Y_{i})}$

Now Alice holds strings ${\displaystyle X_{1}^{n'},A_{1}^{n'}}$ and Bob ${\displaystyle Y_{1}^{n'},B_{1}^{n'}}$, all of length ${\displaystyle n'\leq n}$.

3. Parameter estimation

1. Set size${\displaystyle Q}$ = 0
2. For ${\displaystyle i=1,...,n'}$
1. If ${\displaystyle X_{i}=Y_{i}=1}$
1. Alice and Bob publicly announce ${\displaystyle A_{i},B_{i}}$
2. Alice and Bob compute ${\displaystyle Q_{i}=1-\delta _{A_{i}B_{i}}}$, where ${\displaystyle \delta _{A_{i}B_{i}}}$ is the Kronecker delta
2. size${\displaystyle Q}$ += 1;
3. Both Alice and Bob, each, compute ${\displaystyle Q_{X}={\frac {1}{{\text{size}}Q}}\sum _{i=1}^{n'}Q_{i}}$

4. Error correction

${\displaystyle C(\cdot ,\cdot )}$ is an error correction subroutine (see [9]) determined by the previously estimated value of ${\displaystyle Q_{Z}}$ and with error parameters ${\displaystyle \epsilon '_{\rm {EC}}}$ and ${\displaystyle \epsilon _{\rm {EC}}}$

1. Both Alice and Bob run ${\displaystyle C(A_{1}^{n'},B_{1}^{n'})}$.
2. Bob obtains ${\displaystyle {\tilde {B}}_{1}^{n'}}$

5. Privacy amplification

${\displaystyle PA(\cdot ,\cdot )}$ is a privacy amplification subroutine (see [10]) determined by the size ${\displaystyle \ell }$, computed from equation for key length ${\displaystyle \ell }$ (see Properties), and with secrecy parameter ${\displaystyle \epsilon _{\rm {PA}}}$

1. Alice and Bob run ${\displaystyle PA(A_{1}^{n'},{\tilde {B}}_{1}^{n'})}$ and obtain secret keys ${\displaystyle K_{A},K_{B}}$;

Further Information

1. BB(1984) introduces the BB84 protocol, as the name says, by Charles Bennett and Gilles Brassard.
2. TL(2017) The derivation of the key length in Properties, combines the techniques developed in this article and minimum leakage error correcting codes.
3. GL03 gives an extended analysis of the BB84 in the finite regime.
4. Sifting: the BB84 protocol can also be described in a symmetric way. This means that the inputs $\displaystyle 0$ and ${\displaystyle 1}$ are chosen with the same probability. In that case only ${\displaystyle 1/2}$ of the generated bits are discarded during the sifting process. Indeed, in the symmetric protocol, Alice and Bob measure in the same basis in about half of the rounds.
5. LCA05 the asymmetric protocol was introduced to make this more efficient protocol presented in this article.
6. A post-processing of the key using 2-way classical communication, denoted Advantage distillation, can increase the QBER tolerance up to ${\displaystyle 18.9\%}$ (3).
7. We remark that in Pseudo Code, the QBER in the ${\displaystyle Z}$ basis is not estimated during the protocol. Instead Alice and Bob make use of a previous estimate for the value of ${\displaystyle Q_{Z}}$ and the error correction step, Step 4 in the pseudo-code, will make sure that this estimation is correct. Indeed, if the real QBER is higher than the estimated value ${\displaystyle Q_{Z}}$, Pseudo Code will abort in the Step 4 with very high probability.
8. The BB84 can be equivalently implemented by distributing EPR pairs and Alice and Bob making measurements in the ${\displaystyle Z}$ and ${\displaystyle X}$ basis, however this required a entanglement distribution network stage.
9. Secret-Key Reconciliation by Public Discussion
10. Security of Quantum Key Distribution
contributed by Bas Dirke, Victoria Lipinska, Gláucia Murta and Jérémy Ribeiro