Editing Device-Independent Quantum Key Distribution


A device-independent quantum key distribution protocol implements the task of [[Quantum Key Distribution]] (QKD) without relying on any particular description of the underlying system. The protocol enables two parties, Alice and Bob, to establish a classical secret key by distributing an entangled quantum state and checking for the violation of a [[Bell inequality]] in order to certify the security. The output of the protocol is a classical secret key which is completely unknown to any third party, namely an eavesdropper. 

'''Tags:''' [[:Category:Two Party Protocols|Two Party]], [[:Category:Quantum Enhanced Classical Functionality|Quantum Enhanced Classical Functionality]], [[:Category:Specific Task|Specific Task]],[[Quantum Key Distribution]], [[BB84 Quantum Key Distribution|BB84 QKD]], [[Category:Multi Party Protocols]] [[Category:Quantum Enhanced Classical Functionality]][[Category:Specific Task]][[Category:Entanglement Distribution Network Stage]]
==Assumptions==
* '''Network:''' we assume the existence of an authenticated public classical channel between Alice and Bob.
* '''Timing:''' we assume that the network is synchronous.
* '''Adversarial model:''' [[coherent attacks]].

==Outline==
A DIQKD protocol is composed by the following steps:
* The first phase of the protocol is called distribution. For each round of this phase:
** Alice uses the source to prepare a maximally entangled state and send half of the state to Bob.
** Upon receiving the state, Bob announces that he received it, and they both use their respective devices to measure the quantum systems. They record their output in a string of bits.
*  The second phase is when Alice and Bob publicly exchange classical information in order to perform [[error correction]], where they correct their strings generating the raw keys, and [[parameter estimation]], where they estimate the parameters of interest. At the end of this phase Alice and Bob are supposed to share the same <math>n</math>-bit string and have an estimate of how much knowledge an eavesdropper might have about their raw key.
* In the final phase, Alice and Bob perform [[privacy amplification]], where the not fully secure <math>n</math>-bit strings are mapped into smaller strings <math>K_A</math> and <math>K_B</math>, which represents the final keys of Alice and Bob respectively.

==Hardware Requirements ==
*'''Network Stage:''' [[:Category: Entanglement Distribution Network Stage|Entanglement Distribution]]
*'''Relevant Network Parameters:''' <math>\epsilon_T, \epsilon_M</math> (see [[:Category: Entanglement Distribution Network Stage|Entanglement Distribution]]).
*'''Benchmark values:'''
** Minimum number of rounds ranging from <math>\mathcal{O}(10^6)</math> to <math>\mathcal{O}(10^{12})</math> depending on the network parameters, for commonly used secure parameters.
** <math>QBER \leq 0.071</math>, taking a depolarizing model as benchmark. Parameters satisfying <math>\epsilon_T+\epsilon_M\leq 0.071</math> are sufficient.
* Distribution of Bell pairs, and measurement in three different bases (two basis on Alice's side and three basis on Bob's side).
* Requires [[random number generator]].

==Notation==
* <math>n</math> expected number of rounds
* <math>l</math> final key length 
* <math>\gamma</math> fraction of test rounds 
* <math>Q</math> quantum bit error rate
* <math>\beta</math> CHSH violation 
* <math>\omega_{exp}</math>  expected winning probability on the CHSH game in an honest implementation 
* <math>\delta_{est}</math> width of the statistical interval for the Bell test
* <math>\delta_{con}</math> confidence interval for the Bell test 
* <math>\epsilon_s</math> smoothing parameter 
* <math>\epsilon_{EC},\epsilon'_{EC}</math> error probabilities of the error correction protocol 
* <math>\epsilon_{EA}</math> error probability of Bell violation estimation.
* <math>\epsilon_{con}</math> error probability of Bell violation estimation.
* <math>\epsilon_{PA}</math> error probability of the privacy amplification protocol 
* <math>\mbox{leak}_{EC}</math> leakage in the error correction protocol
==Properties==
Either the protocol (see [[Device Independent Quantum Key Distribution#Pseudocode|Pseudocode]]) aborts with probability higher than <math>1-(\epsilon_{EA}+\epsilon_{EC})</math>, or it generates a</br>
<math>(2\epsilon_{EC}+\epsilon_{PA}+\epsilon_s)</math>-correct-and-secret key  of length</br>
<math>
\begin{align}
l\geq \frac{{n}}{\bar{s}}\eta_{opt} -\frac{{n}}{\bar{s}}h(\omega_{exp}-\delta_{est}) -\sqrt{\frac{{n}}{\bar{s}}}\nu_1  -\mbox{leak}_{EC}  -3\log\Bigg(1-\sqrt{1-\Bigg(\frac{\epsilon_s}{4(\epsilon_{EA} + \epsilon_{EC})}\Bigg)^2}\Bigg)+2\log\Bigg(\frac{1}{2\epsilon_{PA}}\Bigg),
\end{align}
</math></br>
where <math>\mbox{leak}_{EC}</math> is the leakage due to error correction step and the functions <math>\bar{s}</math>, <math>\eta_{opt}</math>, <math>\nu_1</math> and <math>\nu_2</math> are specified below.
The security parameters of the error correction protocol, <math>\epsilon_{EC}</math> and <math>\epsilon'_{EC}</math>, mean that if the error correction step of the protocol (see below) does not abort, then <math>K_A=K_B</math> with probability at least <math>1-\epsilon_{EC}</math>, and for an honest implementation, the error correction protocol aborts with probability at most <math>\epsilon'_{EC}+\epsilon_{EC}</math>. 
*<math>\bar{s}=\frac{1-(1-\gamma)^{\left\lceil \frac{1}{\gamma} \right\rceil}}{\gamma}</math>
*<math>\eta_{opt}=\max_{\frac{3}{4}<\frac{{p}_t(1)}{1-(1-\gamma)^{s_{max}}}<\frac{2+\sqrt{2}}{4}} \Bigg(F_{\min}(\vec{p},\vec{p}_t)-\frac{1}{\sqrt{m}}\nu_2\Bigg)</math>
*<math>F_{\min}(\vec{p},\vec{p}_t) = \frac{d}{d {p}(1)}g(\vec{p}) \Big|_{\vec{p}_t}\cdot {p}(1)+\Bigg( g(\vec{p}_t)- \frac{d}{d{p}(1)}g(\vec{p})|_{\vec{p}_t}\cdot {p}_t(1) \Bigg)</math>
*<math>g({\vec{p}}) = {s}\Bigg(1-h\Bigg(\frac{1}{2}+\frac{1}{2}\sqrt{16\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}}\Bigg(\frac{{p}(1)}{1-(1-\gamma)^{s_{max}}} -1\Bigg)+3} \Bigg)\Bigg)</math>
*<math>\nu_2 =2 \Bigg(\log(1+6\cdot 2^{s_{\max}}})+\left\lceil \frac{d}{d{p}(1)}g(\vec{p})\big|_{\vec{p}_t}\right\rceil\Bigg)\sqrt{1-2\log \epsilon_s </math>
*<math>\nu_1=2 \Big(\log 7 +\left\lceil\frac{|h'(\omega_{exp}+\delta_{est})|}{1-(1-\gamma)^{s_{\max}}}\right\rceil\Big)\sqrt{1-2\log\epsilon_s}</math>

==Pseudocode==
*'''Input: '''<math> n, \delta</math></br>
*'''Output: '''<math> K_A, K_B</math></br>
'''1.''' Distribution and measurement</br>	
#'''For''' every block <math> j \in [m]</math>
##Set <math>i=0</math> and <math>C_j=\bot</math>.
##'''While''' <math>i \leq s_{max}</math>
###Set <math>i=i+1</math>
### Alice and Bob choose a random bit <math>T_i \in \{0,1\}</math> such that <math>P(T_i=1)=\gamma</math>.
### '''If''' <math>T_i=0</math> '''then''' Alice and Bob choose inputs <math>(X_i, Y_i)=(0,2)</math>. 
### '''Else''' they choose  <math>X_i ,Y_i \in \{0,1\}</math>  (the observables for the CHSH test).
### Alice and Bob use their devices with the respective inputs and record their outputs, <math>A_i</math> and <math>B_i</math> respectively.	
### '''If''' <math>T_i=1</math> they  set <math>i=s_{max}+1</math>.</br>
''At this point Alice holds strings <math>X_1^n, A_1^n</math> and Bob <math>Y_1^n, B_1^n</math>, all of length <math>n</math>.''

'''2.''' Error Correction

''Alice and Bob apply the error correction protocol <math>EC</math>, communicating script <math>O_{EC}</math> in the process. ''
# '''If''' <math>EC</math> aborts, they abort the protocol
# '''Else''' they obtain raw keys <math>\tilde{A}_1^n</math> and <math>\tilde{B}_1^n</math>.
	
'''3.''' Parameter estimation

#Using <math>B_1^n</math> and <math>\tilde{B}_1^n</math>, Bob sets <math>C_i</math>
##'''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i=X_i\cdot Y_i</math> '''then''' <math>C_i=1</math> 
##'''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i=X_i\cdot Y_i</math> '''then''' <math>C_i=0</math>
## '''If''' <math>T_i=1</math>  and <math>A_i\oplus B_i=X_i\cdot Y_i</math> '''then''' <math>C_i=\bot</math>
# He aborts '''If''' <math>\sum_j C_{j}<m\times (\omega_{exp}-\delta_{est})(1-(1-\gamma)^{s_{\max}})</math>, i.e., if they do not achieve the expected violation. 

'''4.''' Privacy amplification

<math>PA(\cdot,\cdot)</math> ''is a privacy amplification subroutine''
# Alice and Bob run <math>PA(A_1^{n'},\tilde{B}_1^{n'})</math> and obtain secret keys <math>K_A, K_B</math>;

==Further Information==


#[https://doi.org/10.1103/PhysRevLett.98.230501 Acín et al. (2007)] gives the first security proof of device-independent QKD against [[collective attacks]].
#[https://doi.org/10.1103/PhysRevLett.113.140501 Vazirani and Vidick (2014)] gives the first security proof of  device-independent QKD against [[coherent attacks]].
#[https://www.nature.com/articles/s41467-017-02307-4 Arnon-Friedman et al. (2018)] &   [https://epubs.siam.org/doi/10.1137/18M1174726 Arnon-Friedman et al. (2019)] simplify and tighten security proofs of device-independent QKD against [[coherent attacks]].
#[https://arxiv.org/abs/1903.10535 Tan et al. (2019)] shows that post-processing of the key using 2-way classical communication, denoted [[advantage distillation]], can increase the QBER tolerance up to <math>9.1\%</math>.

<div style='text-align: right;'>''contributed by Gláucia Murta''</div>