Device-Independent Quantum Key Distribution

A device-independent quantum key distribution protocol implements the task of Quantum Key Distribution (QKD) without relying on any particular description of the underlying system. The protocol enables two parties, Alice and Bob, to establish a classical secret key by distributing an entangled quantum state and checking for the violation of a \underline{Bell inequality} in order to certify the security. The output of the protocol is a classical secret key which is completely unknown to any third party, namely an eavesdropper.

Tags: Two Party, Quantum Enhanced Classical Functionality, Specific Task,Quantum Key Distribution, BB84 QKD,

Assumptions

• We assume the existence of an authenticated public classical channel between the two parties
• We assume synchronous network between parties
• We assume security from coherent attacks

Outline

A DIQKD protocol is composed by the following steps:

• Distribution: For each round of the distribution phase:
  • Alice uses the source to prepare a maximally entangled state and send half of the state to Bob.
  • Upon receiving the state, Bob announces that he received it, and they both use their respective devices to measure the quantum systems. They record their output in a string of bits.
• A second phase where Alice and Bob publicly exchange classical information in order to perform error correction, where they correct their strings generating the raw keys, and parameter estimation, where they estimate the parameters of interest. At the end of this phase Alice and Bob are supposed to share the same $n$-bit string and have an estimate of how much knowledge an eavesdropper might have about their raw key.
• In the final phase, Alice and Bob perform privacy amplification, where the not fully secure ${\displaystyle n}$-bit strings are mapped into smaller strings ${\displaystyle K_{A}}$ and ${\displaystyle K_{B}}$, which represents the final keys of Alice and Bob respectively.

Hardware Requirements

• Network Stage: Entanglement Distribution
• Relevant Network Parameters: ${\displaystyle \epsilon _{T},\epsilon _{M}}$ (see Entanglement Distribution)
• Distribution of Bell pairs, and measurement in three different bases (two basis on Alice's side and three basis on Bob's side).
• Minimum number of rounds ranging from ${\displaystyle {\mathcal {O}}(10^{6})}$ to ${\displaystyle {\mathcal {O}}(10^{12})}$ depending on the network parameters, for commonly used secure parameters.
• ${\displaystyle QBER\leq 0.071}$, taking a depolarizing model as benchmark. Parameters satisfying ${\displaystyle \epsilon _{T}+\epsilon _{M}\leq 0.071}$ are sufficient.
• Authenticated classical channel.
• Random number generator.

Notations Used

• ${\displaystyle n}$ expected number of rounds
• ${\displaystyle l}$ final key length
• ${\displaystyle \gamma }$ fraction of test rounds
• ${\displaystyle Q}$ quantum bit error rate
• ${\displaystyle \beta }$ CHSH violation
• ${\displaystyle \omega _{exp}}$ expected winning probability on the CHSH game in an honest implementation
• ${\displaystyle \delta _{est}}$ width of the statistical interval for the Bell test
• ${\displaystyle \delta _{con}}$ confidence interval for the Bell test
• ${\displaystyle \epsilon _{s}}$ smoothing parameter
• ${\displaystyle \epsilon _{EC},\epsilon '_{EC}}$ error probabilities of the error correction protocol
• ${\displaystyle \epsilon _{EA}}$ error probability of Bell violation estimation.
• ${\displaystyle \epsilon _{con}}$ error probability of Bell violation estimation.
• ${\displaystyle \epsilon _{PA}}$ error probability of the privacy amplification protocol
• ${\displaystyle {\mbox{leak}}_{EC}}$ leakage in the error correction protocol

Properties

Either Protocol (see Pseudo-code) abort with probability higher than ${\displaystyle 1-(\epsilon _{EA}+\epsilon _{EC})}$, or it generates a ${\displaystyle (2\epsilon _{EC}+\epsilon _{PA}+\epsilon _{s})}$-correct-and-secret key of length
Failed to parse (syntax error): {\displaystyle l\geq& \frac{{n}}{\bar{s}}\eta_{opt} -\frac{{n}}{\bar{s}}h(\omega_{exp}-\delta_{est}) -\sqrt{\frac{{n}}{\bar{s}}}\nu_1 -\mbox{leak}_{EC} }
Failed to parse (unknown function "\de"): {\displaystyle \quad -3\log\de{1-\sqrt{1-\de{\frac{\epsilon_s}{4(\epsilon_{EA} + \epsilon_{EC})}}^2}}+2\log\de{\frac{1}{2\epsilon_{PA}}}}
where ${\displaystyle {\mbox{leak}}_{EC}}$ is the leakage due to error correction step and the functions ${\displaystyle {\bar {s}}}$, ${\displaystyle \eta _{opt}}$, ${\displaystyle \nu _{1}}$ and ${\displaystyle \nu _{2}}$ are specified in Table below. The security parameters of the error correction protocol, ${\displaystyle \epsilon _{EC}}$ and ${\displaystyle \epsilon '_{EC}}$, mean that if the error correction step in Protocol 1 does not abort, then ${\displaystyle K_{A}=K_{B}}$ with probability at least ${\displaystyle 1-\epsilon _{EC}}$, and for an honest implementation, the error correction protocol aborts with probability at most ${\displaystyle \epsilon '_{EC}+\epsilon _{EC}}$.

Pseudo Code

• Input:${\displaystyle n,\gamma ,\epsilon _{\rm {PA}},\epsilon _{\rm {PE}},\epsilon _{\rm {EC}},\epsilon '_{\rm {EC}},Q_{Z}}$
• Output:${\displaystyle K_{A},K_{B}}$

Stage 1 Distribution and measurement

1. For i=1,2,...,n
   1. Sender chooses random bits ${\displaystyle X_{i}\epsilon \{0,1\}}$ and ${\displaystyle A_{i}\epsilon _{R}\{0,1\}}$ such that ${\displaystyle P(X_{i}=1)=\gamma }$
   2. Sender prepares ${\displaystyle H^{X_{i}}|A_{i}\rangle }$ and sends it to Bob
   3. Receiver announces receiving a state
   4. Receiver chooses bit ${\displaystyle Y_{i}\in _{R}\{0,1\}}$ such that ${\displaystyle P(Y_{i}=1)=\gamma }$
   5. Receiver measures ${\displaystyle H^{X_{i}}|A_{i}\rangle }$ in basis ${\displaystyle \{H^{Y_{i}}|0\rangle ,H^{Y_{i}}|1\rangle \}}$ with outcome ${\displaystyle B_{i}}$

• At this stage Sender holds strings ${\displaystyle X_{1}^{n},A_{1}^{n}}$ and Receiver ${\displaystyle Y_{1}^{n},B_{1}^{n}}$, all of length ${\displaystyle n}$

Stage 2 Sifting

1. Alice and Bob publicly announce ${\displaystyle X_{1}^{n},Y_{1}^{n}}$
2. For i=1,2,....,n
   1. If ${\displaystyle X_{i}=Y_{i}}$
      1. ${\displaystyle A_{1}^{n'}=A_{1}^{n'}.}$append</math>(A_i)</math>
      2. ${\displaystyle B_{1}^{n'}=B_{1}^{n'}.}$append${\displaystyle (B_{i})}$
      3. ${\displaystyle X_{1}^{n'}=X_{1}^{n'}.}$append${\displaystyle (X_{i})}$
      4. ${\displaystyle Y_{1}^{n'}=Y_{1}^{n'}.}$append${\displaystyle (Y_{i})}$

• Now Sender holds strings ${\displaystyle X_{1}^{n'},A_{1}^{n'}}$ and Receiver ${\displaystyle Y_{1}^{n'},B_{1}^{n'}}$, all of length ${\displaystyle n'\leq n}$

Stage 3 Parameter estimation

1. For ${\displaystyle i=1,...,n}$
   1. size${\displaystyle Q}$ = 0
   2. If{${\displaystyle X_{i}=Y_{i}=1}$
      1. Sender and Receiver publicly announce ${\displaystyle A_{i},B_{i}}$
      2. Sender and Receiver compute ${\displaystyle Q_{i}=1-\delta _{A_{i}B_{i}}}$, where ${\displaystyle \delta _{A_{i}B_{i}}}$ is the Kronecker delta
   3. size${\displaystyle Q}$ += 1\;

• Both Sender and Receiver, each, compute ${\displaystyle Q_{X}={\frac {1}{{\text{size}}Q}}\sum _{i=1}^{n'}Q_{i}}$
  

Stage 4 Error correction

• ${\displaystyle C(\cdot ,\cdot )}$ is an error correction subroutine determined by the previously estimated value of ${\displaystyle Q_{Z}}$ and with error parameters ${\displaystyle \epsilon '_{\rm {EC}}}$ and ${\displaystyle \epsilon _{\rm {EC}}}$

1. Both Sender and Receiver run ${\displaystyle C(A_{1}^{n'},B_{1}^{n'})}$.
2. Receiver obtains ${\displaystyle {\tilde {B}}_{1}^{n'}}$

Stage 5 Privacy amplification

• ${\displaystyle PA(\cdot ,\cdot )}$ is a privacy amplification subroutine determined by the size ${\displaystyle \ell }$, computed from equation for key length ${\displaystyle \ell }$ (see Properties), and with secrecy parameter ${\displaystyle \epsilon _{\rm {PA}}}$

1. Sender and Receiver run $PA(A_1^{n'},\tilde{B}_1^{n'})$ and obtain secret keys $K_A, K_B$\;

Further Information

1. BB(1984) introduces the BB84 protocol, as the name says, by Charles Bennett and Gilles Brassard.
2. TL(2017) The derivation of the key length in Properties, combines the techniques developed in this article and minimum leakage error correcting codes.
3. GL03 gives an extended analysis of the BB84 in the finite regime.
4. Sifting: the BB84 protocol can also be described in a symmetric way. This means that the inputs ${\displaystyle 0}$ and ${\displaystyle 1}$ are chosen with the same probability. In that case only ${\displaystyle 1/2}$ of the generated bits are discarded during the sifting process. Indeed, in the symmetric protocol, Alice and Bob measure in the same basis in about half of the rounds.
5. LCA05 the asymmetric protocol was introduced to make this more efficient protocol presented in this article.
6. A post-processing of the key using 2-way classical communication, denoted Advantage distillation, can increase the QBER tolarance up to ${\displaystyle 18.9\%}$ (3).
7. We remark that in Pseudo Code, the QBER in the ${\displaystyle Z}$ basis is not estimated during the protocol. Instead Alice and Bob make use of a previous estimate for the value of ${\displaystyle Q_{Z}}$ and the error correction step, Step 4 in the pseudo-code, will make sure that this estimation is correct. Indeed, if the real QBER is higher than the estimated value ${\displaystyle Q_{Z}}$, Pseudo Code will abort in the Step 4 with very high probability.
8. The BB84 can be equivalently implemented by distributing EPR pairs and Alice and Bob making measurements in the ${\displaystyle Z}$ and ${\displaystyle X}$ basis, however this required a entanglement distribution network stage.