Quantum Protocol Zoo

Editing Device-Independent Quantum Key Distribution

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then publish the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
This [https://arxiv.org/abs/1811.07983 example protocol] implements the task of [[Quantum Key Distribution]] (QKD) without relying on any particular description of the underlying hardware system. The protocol enables two parties to establish a classical secret key by distributing an entangled quantum state and checking for the violation of a [[Bell inequality]] in order to certify the security. The output of the protocol is a classical secret key which is completely unknown to any third party, namely an eavesdropper.


'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]],[[Quantum Key Distribution]], [[BB84 Quantum Key Distribution|BB84 QKD]], [[Category:Multi Party Protocols]] [[Category:Quantum Enhanced Classical Functionality]][[Category:Specific Task]][[Category:Entanglement Distribution Network stage]]
A device-independent quantum key distribution protocol implements the task of [[Quantum Key Distribution]] (QKD) without relying on any particular description of the underlying system. The protocol enables two parties, Alice and Bob, to establish a classical secret key by distributing an entangled quantum state and checking for the violation of a [[Bell inequality]] in order to certify the security. The output of the protocol is a classical secret key which is completely unknown to any third party, namely an eavesdropper.
 
'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]],[[Quantum Key Distribution]], [[BB84 Quantum Key Distribution|BB84 QKD]], [[Category:Multi Party Protocols]] [[Category:Quantum Enhanced Classical Functionality]][[Category:Specific Task]][[Category:Entanglement Distribution Network Stage]]
==Assumptions==
==Assumptions==
* '''Network:''' we assume the existence of an authenticated public classical channel between Alice and Bob.
* We assume the existence of an authenticated public classical channel between the two parties
* '''Timing:''' we assume that the network is synchronous.
* We assume synchronous network between parties
* '''Adversarial model:''' [[coherent attacks]].
* We assume security from [[coherent attacks]]


==Outline==
==Outline==
A DIQKD protocol is composed by the following steps:
A DIQKD protocol is composed by the following steps:
* The first phase of the protocol is called distribution. For each round of this phase:
* The first phase of the protocol is the distribution. For each round of this phase:
** Alice uses the source to prepare a maximally entangled state and send half of the state to Bob.
** Alice uses the source to prepare a maximally entangled state and send half of the state to Bob.
** Upon receiving the state, Bob announces that he received it, and they both use their respective devices to measure the quantum systems. They record their output in a string of bits.
** Upon receiving the state, Bob announces that he received it, and they both use their respective devices to measure the quantum systems. They record their output in a string of bits.
Line 15: Line 16:
* In the final phase, Alice and Bob perform [[privacy amplification]], where the not fully secure <math>n</math>-bit strings are mapped into smaller strings <math>K_A</math> and <math>K_B</math>, which represents the final keys of Alice and Bob respectively.
* In the final phase, Alice and Bob perform [[privacy amplification]], where the not fully secure <math>n</math>-bit strings are mapped into smaller strings <math>K_A</math> and <math>K_B</math>, which represents the final keys of Alice and Bob respectively.


==Requirements ==
==Hardware Requirements ==
*'''Network Stage:''' [[:Category:Entanglement Distribution Network stage| Entanglement Distribution]][[Category:Entanglement Distribution Network stage]]
*'''Network Stage:''' [[:Category: Entanglement Distribution Network Stage|Entanglement Distribution]]
*'''Relevant Network Parameters:''' transmission error <math>\epsilon_T</math>, measurement error <math>\epsilon_M</math> (see [[:Category:Entanglement Distribution Network stage| Entanglement Distribution]]).
*'''Relevant Network Parameters:''' <math>\epsilon_T, \epsilon_M</math> (see [[:Category: Entanglement Distribution Network Stage|Entanglement Distribution]])
*'''Benchmark values:'''
** Minimum number of rounds ranging from <math>\mathcal{O}(10^6)</math> to <math>\mathcal{O}(10^{12})</math> depending on the network parameters<math>\epsilon_T,\epsilon_M</math>, for commonly used security parameters.
** <math>QBER \leq 0.071</math>, taking a depolarizing model as benchmark. Parameters satisfying <math>\epsilon_T+\epsilon_M\leq 0.071</math> are sufficient to asymptotically get positive secret key rate.
* Distribution of Bell pairs, and measurement in three different bases (two basis on Alice's side and three basis on Bob's side).
* Distribution of Bell pairs, and measurement in three different bases (two basis on Alice's side and three basis on Bob's side).
* Requires [[random number generator]].
* Minimum number of rounds ranging from <math>\mathcal{O}(10^6)</math> to <math>\mathcal{O}(10^{12})</math> depending on the network parameters, for commonly used secure parameters.
 
* <math>QBER \leq 0.071</math>, taking a depolarizing model as benchmark. Parameters satisfying <math>\epsilon_T+\epsilon_M\leq 0.071</math> are sufficient.
==Knowledge Graph==
* [[Authenticated classical channel]].
 
* [[Random number generator]].
{{graph}}


==Notation==
==Notation==
* <math>n</math> expected number of rounds
* <math>n</math> expected number of rounds
* The total number of rounds <math>n</math> is divided in to <math>m</math> blocks of size upper-bounded by <math>s_{\max}</math>.
* <math>l</math> final key length  
* <math>l</math> final key length  
* <math>\gamma</math> fraction of test rounds  
* <math>\gamma</math> fraction of test rounds  
Line 44: Line 40:
* <math>\epsilon_{PA}</math> error probability of the privacy amplification protocol  
* <math>\epsilon_{PA}</math> error probability of the privacy amplification protocol  
* <math>\mbox{leak}_{EC}</math> leakage in the error correction protocol
* <math>\mbox{leak}_{EC}</math> leakage in the error correction protocol
* For any registers <math>(Z_i)_{i \in \mathbb{N}}</math>, we use <math>Z_j^k,\ (j\leq k)</math> as a shorthand notation for the string <math>Z_j,\ldots,Z_k</math>.
==Properties==
==Properties==
Either the protocol (see [[Device Independent Quantum Key Distribution#Pseudocode|Pseudocode]]) aborts with probability higher than <math>1-(\epsilon_{EA}+\epsilon_{EC})</math>, or it generates a</br>
Either Protocol (see [[Device Independent Quantum Key Distribution#Pseudocode|Pseudocode]]) abort with probability higher than <math>1-(\epsilon_{EA}+\epsilon_{EC})</math>, or it generates a</br>
<math>(2\epsilon_{EC}+\epsilon_{PA}+\epsilon_s)</math>-correct-and-secret key  of length [[Device-Independent Quantum Key Distribution #References| [7] ]]</br>
<math>(2\epsilon_{EC}+\epsilon_{PA}+\epsilon_s)</math>-correct-and-secret key  of length</br>
<math>
<math>
\begin{align}
\begin{align}
Line 54: Line 48:
\end{align}
\end{align}
</math></br>
</math></br>
where <math>\mbox{leak}_{EC}</math> is the leakage due to error correction step and the functions <math>\bar{s}</math>, <math>\eta_{opt}</math>, <math>\nu_1</math> and <math>\nu_2</math> are specified below.
where <math>\mbox{leak}_{EC}</math> is the leakage due to error correction step and the functions <math>\bar{s}</math>, <math>\eta_{opt}</math>, <math>\nu_1</math> and <math>\nu_2</math> are specified in below.
The security parameters of the error correction protocol, <math>\epsilon_{EC}</math> and <math>\epsilon'_{EC}</math>, mean that if the error correction step of the protocol (see below) does not abort, then <math>K_A=K_B</math> with probability at least <math>1-\epsilon_{EC}</math>, and for an honest implementation, the error correction protocol aborts with probability at most <math>\epsilon'_{EC}+\epsilon_{EC}</math>.  
The security parameters of the error correction protocol, <math>\epsilon_{EC}</math> and <math>\epsilon'_{EC}</math>, mean that if the error correction step of the protocol (see below) does not abort, then <math>K_A=K_B</math> with probability at least <math>1-\epsilon_{EC}</math>, and for an honest implementation, the error correction protocol aborts with probability at most <math>\epsilon'_{EC}+\epsilon_{EC}</math>.
*<math>\bar{s}=\frac{1-(1-\gamma)^{\left\lceil \frac{1}{\gamma} \right\rceil}}{\gamma}</math>
*<math>\bar{s}=\frac{1-(1-\gamma)^{\left\lceil \frac{1}{\gamma} \right\rceil}}{\gamma}</math>
*<math>\eta_{opt}=\max_{\frac{3}{4}<\frac{{p}_t(1)}{1-(1-\gamma)^{s_{max}}}<\frac{2+\sqrt{2}}{4}} \Bigg(F_{\min}(\vec{p},\vec{p}_t)-\frac{1}{\sqrt{m}}\nu_2\Bigg)</math>
*<math>\eta_{opt}=\max_{\frac{3}{4}<\frac{{p}_t(1)}{1-(1-\gamma)^{s_{max}}}<\frac{2+\sqrt{2}}{4}} \Bigg(F_{\min}(\vec{p},\vec{p}_t)-\frac{1}{\sqrt{m}}\nu_2\Bigg)</math>
*<math>F_{\min}(\vec{p},\vec{p}_t) = \frac{d}{d {p}(1)}g(\vec{p}) \Big|_{\vec{p}_t}\cdot {p}(1)+\Bigg( g(\vec{p}_t)- \frac{d}{d{p}(1)}g(\vec{p})|_{\vec{p}_t}\cdot {p}_t(1) \Bigg)</math>
*<math>F_{\min}(\vec{p},\vec{p}_t) = \frac{d}{d {p}(1)}g(\vec{p}) \Big|_{\vec{p}_t}\cdot {p}(1)+\Bigg( g(\vec{p}_t)- \frac{d}{d{p}(1)}g(\vec{p})|_{\vec{p}_t}\cdot {p}_t(1) \Bigg)</math>
*<math>g({\vec{p}}) = {s}\Bigg(1-h\Bigg(\frac{1}{2}+\frac{1}{2}\sqrt{16\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}}\Bigg(\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}} -1\Bigg)+3} \Bigg)\Bigg)</math>
*<math>g({\vec{p}}) = {s}\Bigg(1-h\Big(\frac{1}{2}+\frac{1}{2}\sqrt{16\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}}\Bigg(\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}} -1}+3 )\Bigg)</math>
*<math>\nu_2 =2 \Bigg(\log(1+6\cdot 2^{s_{\max}}})+\left\lceil \frac{d}{d{p}(1)}g(\vec{p})\big|_{\vec{p}_t}\right\rceil\Bigg)\sqrt{1-2\log \epsilon_s </math>
*<math>\nu_2 =2 \Big(\log\Bigg(1+2\cdot 2^{s_{\max}}3}+\left\lceil \frac{d}{d{p}(1)}g(\vec{p})\big|_{\vec{p}_t}\right\rceil\Bigg)\sqrt{1-2\log \epsilon_s)</math>
*<math>\nu_1=2 \Big(\log 7 +\left\lceil\frac{|h'(\omega_{exp}+\delta_{est})|}{1-(1-\gamma)^{s_{\max}}}\right\rceil\Big)\sqrt{1-2\log\epsilon_s}</math>
*<math>\nu_1=2 \Big(\log 7 +\left\lceil\frac{|h'(\omega_{exp}+\delta_{est})|}{1-(1-\gamma)^{s_{\max}}}\right\rceil\Big)\sqrt{1-2\log\epsilon_s}</math>


==Protocol Description==
==Pseudocode==
*'''Input: '''<math> n, \delta</math></br>
*'''Input: '''<math> n, \delta</math></br>
*'''Output: '''<math> K_A, K_B</math></br>
*'''Output: '''<math> K_A, K_B</math></br>
Line 73: Line 67:
### Alice and Bob choose a random bit <math>T_i \in \{0,1\}</math> such that <math>P(T_i=1)=\gamma</math>.
### Alice and Bob choose a random bit <math>T_i \in \{0,1\}</math> such that <math>P(T_i=1)=\gamma</math>.
### '''If''' <math>T_i=0</math> '''then''' Alice and Bob choose inputs <math>(X_i, Y_i)=(0,2)</math>.  
### '''If''' <math>T_i=0</math> '''then''' Alice and Bob choose inputs <math>(X_i, Y_i)=(0,2)</math>.  
### '''Else''' they choose  <math>X_i ,Y_i \in \{0,1\}</math>.
### '''Else''' they choose  <math>X_i ,Y_i \in \{0,1\}</math> (the observables for the CHSH test).
### Alice and Bob use their devices with the respective inputs and record their outputs, <math>A_i</math> and <math>B_i</math> respectively.
### Alice and Bob use their devices with the respective inputs and record their outputs, <math>A_i</math> and <math>B_i</math> respectively.
### '''If''' <math>T_i=1</math> they  set <math>i=s_{max}+1</math>.</br>
### '''If''' <math>T_i=1</math> they  set <math>i=s_{max}+1</math>.
''At this point Alice holds strings <math>X_1^n, A_1^n</math> and Bob <math>Y_1^n, B_1^n</math>, all of length <math>n</math>.''
*''At this point Alice holds strings <math>X_1^n, A_1^n</math> and Bob <math>Y_1^n, B_1^n</math>, all of length <math>n</math>.''
 
'''2.''' Error Correction


''Alice and Bob apply the error correction protocol <math>EC</math> (see [[BB84 Quantum Key Distribution #References| [5]]]) , communicating script <math>O_{EC}</math> in the process. ''
'''2.''' Error Correction</br>
* ''Alice and Bob apply the error correction protocol <math>EC</math>, communicating script <math>O_{EC}</math> in the process. ''
# '''If''' <math>EC</math> aborts, they abort the protocol
# '''If''' <math>EC</math> aborts, they abort the protocol
# '''Else''' they obtain raw keys <math>\tilde{A}_1^n</math> and <math>\tilde{B}_1^n</math>.
# '''Else''' they obtain raw keys <math>\tilde{A}_1^n</math> and <math>\tilde{B}_1^n</math>.
'''3.''' Parameter estimation
'''3.''' Parameter estimation</br>
 
#Using <math>B_1^n</math> and <math>\tilde{B}_1^n</math>, Bob sets <math>C_i</math>
#Using <math>B_1^n</math> and <math>\tilde{B}_1^n</math>, Bob sets <math>C_i</math>
##'''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i=X_i\cdot Y_i</math> '''then''' <math>C_i=1</math>  
##'''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i=X_i\cdot Y_i</math> '''then''' <math>C_i=1</math>  
##'''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i\neq X_i\cdot Y_i</math> '''then''' <math>C_i=0</math>
##'''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i=X_i\cdot Y_i</math> '''then''' <math>C_i=0</math>
## '''If''' <math>T_i=0</math>  '''then''' <math>C_i=\bot</math>
## '''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i=X_i\cdot Y_i</math> '''then''' <math>C_i=\bot</math>
# Bob aborts '''If''' <math>\sum_j C_{j}<m\times (\omega_{exp}-\delta_{est})(1-(1-\gamma)^{s_{\max}})</math>, i.e., if they do not achieve the expected violation.  
# He aborts '''If''' <math>\sum_j C_{j}<m\times (\omega_{exp}-\delta_{est})(1-(1-\gamma)^{s_{\max}})</math>, i.e., if they do not achieve the expected violation.  
''For the summation in 3.2 we use the convention that <math>\forall x\in \{0,1,\bot\},\ x+\bot=\bot+x=x</math>, that is <math>\bot</math> acts as <math>0</math> with respect to the addition.''
'''4.''' Privacy amplification</br>
 
*<math>PA(\cdot,\cdot)</math> ''is a privacy amplification subroutine''
'''4.''' Privacy amplification
 
<math>PA(\cdot,\cdot)</math> ''is a privacy amplification subroutine'' (see [[BB84 Quantum Key Distribution #References| [6]]])
# Alice and Bob run <math>PA(A_1^{n'},\tilde{B}_1^{n'})</math> and obtain secret keys <math>K_A, K_B</math>;
# Alice and Bob run <math>PA(A_1^{n'},\tilde{B}_1^{n'})</math> and obtain secret keys <math>K_A, K_B</math>;


==Further Information==
==Further Information==
#[https://doi.org/10.1103/PhysRevLett.98.230501 Acín et al. (2007)] gives the first security proof of device-independent QKD against [[collective attacks]].
#[https://doi.org/10.1103/PhysRevLett.113.140501 Vazirani and Vidick (2014)] gives the first security proof of  device-independent QKD against [[coherent attacks]].
#[https://www.nature.com/articles/s41467-017-02307-4 Arnon-Friedman et al. (2018)] &  [https://epubs.siam.org/doi/10.1137/18M1174726 Arnon-Friedman et al. (2019)] simplify and tighten security proofs of device-independent QKD against [[coherent attacks]].
#[https://arxiv.org/abs/1903.10535 Tan et al. (2019)] shows that post-processing of the key using 2-way classical communication, denoted [[advantage distillation]], can increase the QBER tolerance up to <math>9.1\%</math>.
#[https://doi.org/10.1007/3-540-48285-7_35 Secret-Key Reconciliation by Public Discussion]
#[https://arxiv.org/abs/quant-ph/0512258 Security of Quantum Key Distribution]
#[https://arxiv.org/abs/1811.07983.pdf Towards a realization of device-independent quantum key distribution]


<div style='text-align: right;'>''contributed by Gláucia Murta''</div>
<div style='text-align: right;'>''contributed by Gláucia Murta''</div>
Please note that all contributions to Quantum Protocol Zoo may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see Quantum Protocol Zoo:Copyrights for details). Do not submit copyrighted work without permission!

To protect the wiki against automated edit spam, we kindly ask you to solve the following CAPTCHA:

Cancel Editing help (opens in new window)

Template used on this page:

Retrieved from "https://wiki.veriqloud.fr/index.php?title=Device-Independent_Quantum_Key_Distribution"