thebb84protocol - université de montréal

Michel Boyer, December 22, 2005, הטכניון (Technion). Security of QKD - p. 1/33

SECURITY OF QUANTUM KEY DISTRIBUTION

the BB84 protocol

MICHEL BOYER

Dept. IRO, Université de Montréal

http://www.iro.umontreal.ca/~boyer


SYMMETRIC KEY CRYPTO

➧DEFINITION

➧ONE TIME PAD

➧PROBLEMS AND A SOLUTION

THE BB84 PROTOCOL

CODES

EVE’S ATTACK

INFO VS. DISTURBANCE

REFERENCES

SYMMETRIC KEY CRYPTO

DEFINITION

To send a secret message

■ Brute force method
◆ put the message in a safe and send it
◆ the unlock key is a copy of the lock key
◆ make sure the addressee gets the package
◆ make sure he can open the safe and no one else can

■ Informational method: encrypt (encode) and decrypt (decode)
◆ M = set of possible messages, K = set of keys
◆ E : M × K → M encryption function
◆ D : M × K → M decryption function
◆ M′ = E(M, k) is message M encrypted with key k
◆ D(M′, k) = D(E(M, k), k) = M.

■ M′ should give as little information on M as possible if k is unknown.

ONE TIME PAD

To send a secret message

■ Encryption and decryption functions:
◆ $\mathcal{M} \subseteq \mathcal{K} = \{0,1\}^n$, with $k$ uniform: $P[k] = 1/2^n$
◆ $E(M,k) = M \oplus k$
◆ $D(M',k) = M' \oplus k$

■ Properties
◆ $D(E(M,k),k) = (M \oplus k) \oplus k = M \oplus (k \oplus k) = M \oplus 0^n = M$
◆ $P[M \mid M'] = P[M]$ (which is $1/|\mathcal{M}|$ for uniformly distributed messages): seeing the ciphertext leaves the distribution of $M$ unchanged, because for every $M$ the ciphertext $M'$ is uniform on $\{0,1\}^n$.
◆ Knowledge of $M'$ gives no information on $M$ if $k$ is unknown.

■ We could also use $\mathcal{K} = \mathcal{M}$ when $\mathcal{M} \subseteq \{0,1\}^n$ is closed under $\oplus$.

■ Or $\mathcal{M} = \mathcal{K} = G$ (a group, $k$ uniform on $G$), $E(M,k) = Mk$ and $D(M',k) = M'k^{-1}$.

■ Up to such variants, this is the only encryption scheme proven unconditionally secure: by Shannon's theorem, perfect secrecy needs at least as much key entropy as message entropy.
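A worked instance of the definitions above, added here and not part of the slides: a byte-wise one-time pad with the key-length check, and the failure mode that motivates the next slide's "they can be used only once". The messages and the fixed key in the usage section are constructed for illustration; otp_keygen draws a fresh key from the operating system's CSPRNG.

```python
import secrets

def otp_keygen(nbytes):
    """A fresh, uniformly random key: one key byte per message byte (k uniform on {0,1}^n)."""
    return secrets.token_bytes(nbytes)

def otp_encrypt(message, key):
    """E(M, k) = M xor k; refuse a key shorter than the message rather than silently reuse bytes."""
    if len(key) < len(message):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(message, key))

def otp_decrypt(ciphertext, key):
    """D(M', k) = M' xor k is the same operation, so D(E(M, k), k) = M."""
    return otp_encrypt(ciphertext, key)

def two_time_pad_leak(c1, c2):
    """With one key used twice, c1 xor c2 = M1 xor M2: the key cancels and no key is needed."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def crib_drag(xor_of_plaintexts, crib, offset):
    """Guess a fragment (crib) of M1 at offset; the same bytes of M2 fall out of M1 xor M2."""
    segment = xor_of_plaintexts[offset:offset + len(crib)]
    return bytes(x ^ c for x, c in zip(segment, crib))

if __name__ == "__main__":
    # Constructed messages; the fixed key below stands in for a pad that was (wrongly) reused.
    m1, m2 = b"attack at dawn", b"retreat at six"
    key = bytes(range(len(m1)))
    c1, c2 = otp_encrypt(m1, key), otp_encrypt(m2, key)
    assert otp_decrypt(c1, key) == m1
    leak = two_time_pad_leak(c1, c2)
    print("M1 xor M2  :", leak.hex())
    print("crib 'attack' at 0 reveals M2[0:6] =", crib_drag(leak, b"attack", 0))
    print("fresh key each time:", otp_keygen(len(m1)).hex())
```

The crib-dragging step is exactly why the pad must be as long as all the traffic it ever protects: the security argument above holds for one message per key and nothing else.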

PROBLEMS AND A SOLUTION

■ Limitations
◆ keys of one-time pads are as long as messages
◆ they can be used only once
◆ classical communication channels can be tapped in silence
◆ trusted couriers are expensive (and can they be trusted?)

■ A solution: going quantum
◆ bits can be encoded using conjugate bases
◆ decoding requires knowledge of those bases
◆ quantum channels cannot be tapped without inducing noise
◆ the bases are told publicly once the encoded bits are received
◆ the owner of the encoded bits can then decode them
◆ eavesdroppers get exponentially small information
◆ this holds even with publicly known error correction data.

SYMMETRIC KEY CRYPTO

THE BB84 PROTOCOL

➧ THE PLAYERS

➧ THE BB84 STATES

➧ A FIRST PROTOCOL

➧GOOD & BAD

CODES

EVE’S ATTACK

INFO VS. DISTURBANCE

REFERENCES

THE BB84 PROTOCOL

THE PLAYERS

■ Alice and Bob: they want to share a key

◆ Alice can prepare qubits

◆ she can send them to Bob via a quantum channel

◆ Bob can apply H or not and measure a qubit

◆ we assume he can also memorize qubits

◆ they also use a good public classical channel

■ Eve (the eavesdropper) wants to know the key and can

◆ do whatever quantum mechanics allows

◆ read all data on the classical channel

◆ catch the qubits sent by Alice

◆ attach a probing device to them

◆ wait to choose the optimal way of measuring it

THE BB84 STATES

■ Those are the states Alice sends to Bob

■ They are: $|0\rangle$, $|1\rangle$, $H|0\rangle$, $H|1\rangle$

■ $H|0\rangle = |+\rangle = \frac{1}{\sqrt{2}}\big[|0\rangle + |1\rangle\big]$ and $H|1\rangle = |-\rangle = \frac{1}{\sqrt{2}}\big[|0\rangle - |1\rangle\big]$

■ Measuring in the standard basis $\{|0\rangle, |1\rangle\}$
◆ state $|0\rangle$ gives 0 with probability 1
◆ state $|1\rangle$ gives 1 with probability 1
◆ state $|+\rangle$ gives a random bit [$p(0) = 1/2$, $p(1) = 1/2$]
◆ state $|-\rangle$ gives a random bit [$p(0) = 1/2$, $p(1) = 1/2$]

■ $H|+\rangle = |0\rangle$ and $H|-\rangle = |1\rangle$ (since $H^2 = I$): applying $H$ and then measuring in the standard basis is a measurement in the basis $\{|+\rangle, |-\rangle\}$

A FIRST PROTOCOL

■ Notations
◆ $H^0 = I$, $H^1 = H$
◆ $H^b = H^{b_1} \otimes \cdots \otimes H^{b_{2n}}$ if $b = b_1 \ldots b_{2n}$.

■ Alice selects randomly $i, b \in \{0,1\}^{2n}$ and $s \in \{0,1\}^{2n}$ with $|s| = n$.

■ She sends Bob $H^b|i\rangle$. When Bob has them all (and has stored them), she announces publicly $b$ and $s$.

■ Bob applies $H^b$ to his state and measures in the standard basis.

■ If there is no noise he recovers $i$.

■ Bob and Alice publicly check for errors on the $n$ bits $i_j$ with $s_j = 0$ (the test bits).

■ The key is the parity of the $n$ bits $i_j$ for which $s_j = 1$. (In BB84 WITH CODES below the convention is reversed: there $s$ selects the test bits.)

GOOD & BAD

■ Good thing:

◆ to know the key, Eve has to guess all $b_j$ such that $s_j = 1$
◆ to be undetected, she has to guess the $b_j$ such that $s_j = 0$
◆ . . . or be lucky with Bob's random outputs

■ Bad thing:

◆ the quantum channel cannot be noisy

◆ the key has just one bit
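The states, the first protocol and the GOOD & BAD analysis above, simulated in Python. This is an added example, not code from the slides: qubits are real 2-vectors, H is the Hadamard matrix, measurement follows the Born rule with a seeded generator, and Eve's attack is the simplest one that has to guess the $b_j$, an intercept-resend in a random basis (the slides' Eve is far more general). With $n$ test bits the chance of catching that attack is $1 - (3/4)^n$, which detection_probability computes.

```python
import math
import random

# Qubits as real 2-vectors (amplitudes on |0> and |1>): every BB84 state and H are real.
INV_SQRT2 = 1 / math.sqrt(2)

def hadamard(state):
    """H|0> = |+>, H|1> = |->; H is its own inverse, so H|+> = |0> and H|-> = |1>."""
    a0, a1 = state
    return ((a0 + a1) * INV_SQRT2, (a0 - a1) * INV_SQRT2)

def prepare(bit, basis):
    """Alice's state H^basis |bit>: basis 0 is {|0>,|1>}, basis 1 is {|+>,|->}."""
    state = (1.0, 0.0) if bit == 0 else (0.0, 1.0)
    return hadamard(state) if basis else state

def measure(state, basis, rng):
    """Apply H^basis, then measure in the standard basis: (outcome, post-measurement state)."""
    a0, _ = hadamard(state) if basis else state
    outcome = 0 if rng.random() < a0 * a0 else 1    # Born rule: P(0) = |a0|^2
    return outcome, prepare(outcome, basis)          # collapse onto the measured basis state

def intercept_resend(qubits, rng):
    """Eve measures every qubit in a basis she guesses and forwards the collapsed state to Bob."""
    return [measure(q, rng.randrange(2), rng)[1] for q in qubits]

def parity(bits):
    return sum(bits) % 2

def first_protocol(n, seed, eve=False):
    """One run of the 2n-qubit toy protocol: test-bit errors and both parties' one-bit key."""
    rng = random.Random(seed)
    i = [rng.randrange(2) for _ in range(2 * n)]    # Alice's random bits
    b = [rng.randrange(2) for _ in range(2 * n)]    # Alice's random bases
    s = [1] * n + [0] * n                            # |s| = n: s_j = 1 key bits, s_j = 0 test bits
    rng.shuffle(s)
    qubits = [prepare(i[j], b[j]) for j in range(2 * n)]
    if eve:                                          # Eve acts before b is announced
        qubits = intercept_resend(qubits, rng)
    j_bits = [measure(q, b[k], rng)[0] for k, q in enumerate(qubits)]   # b announced, Bob decodes
    test_errors = sum(1 for k in range(2 * n) if s[k] == 0 and i[k] != j_bits[k])
    return {
        "test_bits": n,
        "test_errors": test_errors,
        "key_alice": parity(i[k] for k in range(2 * n) if s[k] == 1),
        "key_bob": parity(j_bits[k] for k in range(2 * n) if s[k] == 1),
    }

def detection_probability(n, per_bit_error=0.25):
    """P[at least one of n test bits flips] under intercept-resend: wrong basis (1/2) x wrong bit (1/2)."""
    return 1 - (1 - per_bit_error) ** n

if __name__ == "__main__":
    quiet = first_protocol(1000, seed=1)
    tapped = first_protocol(1000, seed=2, eve=True)
    print("no Eve:", quiet)
    print("Eve   :", tapped, "test error rate", tapped["test_errors"] / tapped["test_bits"])
    print("P[detect Eve] with 20 test bits:", round(detection_probability(20), 4))
```

Without Eve the test bits show zero errors and the two parities agree; with intercept-resend about a quarter of the test bits flip, which is the "bad thing" of the slide in reverse: a noiseless channel is needed because any noise at all is indistinguishable from this attack.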

SYMMETRIC KEY CRYPTO

THE BB84 PROTOCOL

CODES

➧BITSTRINGS AS VECTORS

➧BINARY CODES

➧ ERROR CORRECTION

➧PRIVACY AMPLIFICATION

➧BB84 WITH CODES

EVE’S ATTACK

INFO VS. DISTURBANCE

REFERENCES

CODES

BITSTRINGS AS VECTORS

■ $\{0,1\}$ is identified with the two-element field $\mathbb{F}_2$

■ The sum $+$ is the sum modulo 2, i.e. $\oplus$ (exclusive or)

■ $x = x_1 x_2 \ldots x_n$ is identified with $[x_1, x_2, \ldots, x_n] \in \mathbb{F}_2^n$

■ Linear maps $\mathbb{F}_2^n \to \mathbb{F}_2^m$
◆ an $m \times n$ matrix $A$ acting on columns: $x^T \mapsto A x^T$
◆ an $m \times n$ matrix $A$ acting on rows: $x \mapsto x A^T$

■ Example: select bits 2, 3 and 6 from $i = i_1 i_2 i_3 i_4 i_5 i_6$, i.e. $s = 011001$:

$$P_s\, i^T = \begin{bmatrix} 0&1&0&0&0&0 \\ 0&0&1&0&0&0 \\ 0&0&0&0&0&1 \end{bmatrix} \begin{bmatrix} i_1 \\ i_2 \\ i_3 \\ i_4 \\ i_5 \\ i_6 \end{bmatrix} = \begin{bmatrix} i_2 \\ i_3 \\ i_6 \end{bmatrix}$$

■ Row representation: $i_2 i_3 i_6 = i P_s^T$

■ Similarly $i_1 i_4 i_5 = i P_{\bar s}^T$, where $\bar s = 100110$ is the complement of $s$ (the bits not selected by $s$)

BINARY CODES

Notation |x| = Hamming weight of x = number of ones in x.

■ $C$ is a binary $(n, n-r, d)$ linear code if
◆ $C \subseteq \mathbb{F}_2^n$ is an $\mathbb{F}_2$-linear subspace
◆ $\dim C = n - r$ (dimension over $\mathbb{F}_2$)
◆ $\min\{|x| : x \in C \wedge x \neq 0\} = d$

■ This implies
$$(x \in C \wedge |x| < d) \Rightarrow x = 0 \qquad (1)$$

■ $C$ is an $(n, n-r, d)$ code iff there is an $r \times n$ matrix $P_C$ of full rank $r$ (one row per parity check, $n$ columns so that $x P_C^T$ is defined for $x \in \mathbb{F}_2^n$) such that
$$C = \{x \in \mathbb{F}_2^n \mid x P_C^T = 0\} \qquad (2)$$

■ $P_C$ is called a parity check matrix for the code $C$

ERROR CORRECTION

■ Alice encoded $i \in \{0,1\}^{2n}$, Bob measured $j \in \{0,1\}^{2n}$

■ Alice announced publicly $s$; let $x = i P_{\bar s}^T$ and $y = j P_{\bar s}^T$ (the $n$ bits not used as test bits)

■ The error is $e = y - x$ (over $\mathbb{F}_2$, $y - x = y + x = y \oplus x$)

■ We assume that $2|e| < d$ (fewer than $d/2$ bit flips)

■ Alice announces publicly $P_C$ ($r \times n$ bits) and $\xi = x P_C^T$ ($r$ bits)

$$2|e| < d \qquad (3)$$
$$e P_C^T = (y - x) P_C^T = y P_C^T - \xi \qquad (4)$$

There is a unique solution $e$. Proof: if $e$ and $e'$ were two solutions,

$$(e - e') P_C^T = 0 \quad \text{by (4)}$$
$$e - e' \in C \quad \text{by (2)} \qquad (5)$$
$$|e - e'| \le |e| + |e'| < d \quad \text{by (3)} \qquad (6)$$
$$e - e' = 0 \quad \text{by (5), (6) and (1)}$$

■ Bob computes the syndrome $y P_C^T - \xi$, finds the unique $e$ with $2|e| < d$ having that syndrome, and recovers $x = y + e$. Eve learns $\xi$ too, which is what privacy amplification has to deal with.

PRIVACY AMPLIFICATION

Problem:

■ $\xi = x P_C^T$ gives out $r$ bits of information on $x$

■ we want $m$ secret bits ($m$ = size of the key)

■ how do we get them?

Solution:

■ let $v_1, \ldots, v_r$ be the (linearly independent) rows of $P_C$

■ extend this set to a basis $v_1, \ldots, v_n$ of $\mathbb{F}_2^n$

■ take $P_K$ with rows $v_{r+1}, \ldots, v_{r+m}$

■ $\kappa = x P_K^T$ is a good key

Why?

■ choose $m = n - r$

■ $x \mapsto [\xi, \kappa]$ is an isomorphism between $\mathbb{F}_2^n$ and $\mathbb{F}_2^r \times \mathbb{F}_2^{n-r}$ (its matrix has the basis $v_1, \ldots, v_n$ as rows, hence is invertible)

■ so for $x$ uniformly distributed, $\xi$ and $\kappa$ are independent: every value of $\xi$ is compatible with every value of $\kappa$, and the announced $\xi$ gives no information on $\kappa$

$P_K$ is called the privacy amplification matrix.

BB84 WITH CODES

We assume $0 < p_a < 1$ (maximum tolerated error rate) fixed in advance.

Announce = tell on the public classical channel, which Eve can read but (as assumed in THE PLAYERS) not alter, i.e. an authenticated channel.

1. Alice randomly selects $i, b \in \mathbb{F}_2^{2n}$ and sends Bob $H^b|i\rangle$

2. Bob keeps the qubits in quantum memory and announces when he has them all

3. Alice randomly chooses $s \in \mathbb{F}_2^{2n}$ such that $|s| = n$ and announces $b$, $s$ and the test bits $i_s = i P_s^T$.

4. Bob applies $H^b$ to his state and measures, getting $j \in \mathbb{F}_2^{2n}$ [a].

5. If $|i_s + j_s| > n p_a$ (unacceptable error rate on the $n$ test bits) the protocol aborts.

6. Alice announces $P_C$, $P_K$ and $\xi$ (where $\xi = x P_C^T$ and $x = i P_{\bar s}^T$ is made of the $n$ non-test bits)

7. Bob uses $\xi$ to recover $x$ from $y = j P_{\bar s}^T$ and gets the key $\kappa = x P_K^T$

[a] To simplify our proof, Bob also announces $j_s = j P_s^T$.
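The classical post-processing of ERROR CORRECTION, PRIVACY AMPLIFICATION and steps 5 to 7 of BB84 WITH CODES, worked through in Python over $\mathbb{F}_2$. This is an added example, not the slides' code. The qubit exchange is replaced by constructed bit strings (Bob's $j$ is Alice's $i$ with chosen flips), the code is the Hamming $(7,4,3)$ code (a choice made here; the slides fix no code), so $2n = 14$, $r = 3$, $m = n - r = 4$, and the error pattern is found by brute force over all $e$ with $2|e| < d$, which is adequate at this size. The run with two flips among the key bits shows what happens when the assumption $2|e| < d$ fails: the syndrome still matches a one-bit pattern, Bob "corrects" to the wrong $x$, and the keys disagree without the protocol noticing; only the test-bit statistics of step 5 guard against that.

```python
from itertools import combinations, product

# Vectors over F_2 are lists of 0/1 ints; a matrix is a list of rows. The row convention of the
# slides is used throughout: an r x n matrix P maps x in F_2^n to x P^T in F_2^r.

def add(x, y):
    return [a ^ b for a, b in zip(x, y)]

def weight(x):
    return sum(x)

def row_times_transpose(x, P):
    """x P^T: component k is the parity of the bits of x selected by row k of P."""
    return [sum(a & b for a, b in zip(row, x)) % 2 for row in P]

def selection_matrix(s, value):
    """P_s (value=1) or P_sbar (value=0): one unit row per position j with s_j == value."""
    n = len(s)
    return [[int(k == j) for k in range(n)] for j in range(n) if s[j] == value]

def rank_f2(rows):
    """Rank over F_2 by Gaussian elimination on a copy of the rows."""
    m, rank = [list(r) for r in rows], 0
    for col in range(len(m[0]) if m else 0):
        pivot = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                m[r] = add(m[r], m[rank])
        rank += 1
    return rank

def privacy_amplification_matrix(P_C):
    """Extend the r independent rows of P_C to a basis of F_2^n with unit vectors; P_K is the rest."""
    n, basis = len(P_C[0]), [list(r) for r in P_C]
    for k in range(n):
        unit = [int(t == k) for t in range(n)]
        if rank_f2(basis + [unit]) > len(basis):
            basis.append(unit)
    return basis[len(P_C):]            # m = n - r rows, as on the PRIVACY AMPLIFICATION slide

def decode_error(syndrome, P_C, d):
    """The unique e with e P_C^T == syndrome and 2|e| < d (brute force, fine for small n)."""
    n = len(P_C[0])
    for w in range((d - 1) // 2 + 1):
        for positions in combinations(range(n), w):
            e = [int(k in positions) for k in range(n)]
            if row_times_transpose(e, P_C) == syndrome:
                return e
    raise ValueError("more than (d-1)/2 errors: no correctable pattern matches the syndrome")

def xi_kappa_is_bijective(P_C, P_K):
    """Check that x -> [xi, kappa] is one-to-one on F_2^n, i.e. xi reveals nothing about kappa."""
    n = len(P_C[0])
    images = {tuple(row_times_transpose(x, P_C) + row_times_transpose(x, P_K))
              for x in product((0, 1), repeat=n)}
    return len(images) == 2 ** n

def bb84_postprocess(i, j, s, P_C, d, p_a):
    """Steps 5-7 of BB84 WITH CODES on Alice's bits i and Bob's measured bits j; None means abort."""
    n = weight(s)                                     # |s| = n test positions
    P_s, P_sbar = selection_matrix(s, 1), selection_matrix(s, 0)
    i_s, j_s = row_times_transpose(i, P_s), row_times_transpose(j, P_s)
    if weight(add(i_s, j_s)) > n * p_a:               # step 5: too many test-bit errors
        return None
    x, y = row_times_transpose(i, P_sbar), row_times_transpose(j, P_sbar)
    xi = row_times_transpose(x, P_C)                  # step 6: Alice announces xi (and P_C, P_K)
    P_K = privacy_amplification_matrix(P_C)
    syndrome = add(row_times_transpose(y, P_C), xi)   # e P_C^T = y P_C^T - xi, equation (4)
    x_bob = add(y, decode_error(syndrome, P_C, d))    # step 7: x = y + e
    return {"key_alice": row_times_transpose(x, P_K), "key_bob": row_times_transpose(x_bob, P_K)}

# Constructed example code: the Hamming (7, 4, 3) parity check matrix, r = 3, corrects |e| <= 1.
HAMMING_PC = [[1, 0, 1, 0, 1, 0, 1],
              [0, 1, 1, 0, 0, 1, 1],
              [0, 0, 0, 1, 1, 1, 1]]

def flip(bits, positions):
    return [b ^ int(k in positions) for k, b in enumerate(bits)]

# Constructed run with 2n = 14 positions: even positions are test bits (s_j = 1), odd ones feed the key.
S_14 = [1, 0] * 7
I_14 = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1]

if __name__ == "__main__":
    P_K = privacy_amplification_matrix(HAMMING_PC)
    print("P_K rows:", P_K, "| [xi, kappa] bijective:", xi_kappa_is_bijective(HAMMING_PC, P_K))
    print("1 test + 1 key error     :", bb84_postprocess(I_14, flip(I_14, {1, 4}), S_14, HAMMING_PC, 3, 0.2))
    print("2 key errors, uncorrected:", bb84_postprocess(I_14, flip(I_14, {1, 3}), S_14, HAMMING_PC, 3, 0.2))
    print("3 test errors, abort     :", bb84_postprocess(I_14, flip(I_14, {0, 2, 4}), S_14, HAMMING_PC, 3, 0.2))
```

For this $P_C$ the basis extension picks the first four unit vectors, so $\kappa$ is simply $x_1 x_2 x_3 x_4$; that is fine precisely because those four bits together with the three parity checks form a basis, which xi_kappa_is_bijective verifies by enumerating all 128 values of $x$.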

SYMMETRIC KEY CRYPTO

THE BB84 PROTOCOL

CODES

EVE’S ATTACK

➧PROBING

➧PARTIAL TRACES

➧ EVE’S STATES

➧MEASUREMENTS

➧MUTUAL INFORMATION

➧ ACCESSIBLE INFORMATION

➧CASE |K| = 2

INFO VS. DISTURBANCE

REFERENCES

EVE’S ATTACK

PROBING

■ Probing a quantum state $|\varphi\rangle \in \mathcal{H}$ is
◆ attaching an ancilla $|a\rangle \in \mathcal{H}'$ to it, to get $|\varphi\rangle \otimes |a\rangle$
◆ applying a unitary $A$ to $|\varphi\rangle \otimes |a\rangle \in \mathcal{H} \otimes \mathcal{H}'$
◆ letting go the subsystem in $\mathcal{H}$ (it travels on to Bob)
◆ keeping the subsystem in $\mathcal{H}'$ for further measurement

■ A collective attack probes qubits independently.

■ In a joint or general attack, Hb |i⟩ is probed globally

PARTIAL TRACES

If $\rho$ is a state on a bipartite system $AB$ and
$$\rho = \sum_{i,j} \rho^A_i \otimes \rho^B_j$$
then the states induced on $A$ and on $B$ are respectively
$$\rho^A = \sum_{i,j} \operatorname{tr}\big[\rho^B_j\big]\, \rho^A_i \qquad\qquad \rho^B = \sum_{i,j} \operatorname{tr}\big[\rho^A_i\big]\, \rho^B_j$$
When given a state $|\Psi\rangle$ we take $\rho = |\Psi\rangle\langle\Psi|$.

Note: $\operatorname{tr}\big[|\varphi\rangle\langle\psi|\big] = \langle\psi|\varphi\rangle$.

EVE’S STATES

■ Let $|i^b\rangle = H^b|i\rangle$, $|j^b\rangle = H^b|j\rangle$ and let $A$ be Eve's attack (a unitary on her ancilla, initially $|0_E\rangle$, and the $2n$ qubits):
$$A\,|0_E\rangle|i^b\rangle = \sum_j |E^b_{i,j}\rangle\,|j^b\rangle$$
(the $|E^b_{i,j}\rangle$ are not normalized; $\| |E^b_{i,j}\rangle \|^2$ is the probability that Bob measures $j$ when Alice sent $i$)

■ Given $b$ and $s$, when Eve learns $i_s$, $j_s$ and $\xi$, she is left with $2^m$ non-normalized operators
$$\rho_\kappa = \sum_{i,j} |E^b_{i,j}\rangle\langle E^b_{i,j}|$$
where the sum is over the $i, j$ such that
◆ $i_s$, $j_s$ are equal respectively to Alice's and Bob's announced test bits
◆ $i_{\bar s} P_C^T = \xi$
◆ $i_{\bar s} P_K^T = \kappa$

■ She now measures to optimize her information on $\kappa$.

MEASUREMENTS

General procedure to measure

■ given |φ⟩ attach an ancilla to get |0⟩ |φ⟩■ apply a unitary transform A

A |0⟩ |φ⟩ =∑

m

|m⟩⊗Am |φ⟩

■ A unitary translates as∑

m

A†m Am = I

■ For a density operator: |0⟩⟨0|⊗ρ 7→∑

mm′|m⟩⟨m′|⊗AmρA†

m′

◆ measure the ancilla◆ get m with probability p(m | ρ) = tr[AmρA†

m ]

Page 57: theBB84protocol - Université de Montréal

SYMMETRIC KEY CRYPTO

THE BB84 PROTOCOL

CODES

EVE’S ATTACK

➧PROBING

➧PARTIAL TRACES

➧ EVE’S STATES

➧MEASUREMENTS

➧MUTUAL INFORMATION

➧ ACCESSIBLE INFORMATION

➧CASE |K| = 2

INFO VS. DISTURBANCE

REFERENCES

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 21/33

MEASUREMENTS

General procedure to measure

■ given |φ⟩ attach an ancilla to get |0⟩ |φ⟩■ apply a unitary transform A

A |0⟩ |φ⟩ =∑

m

|m⟩⊗Am |φ⟩

■ A unitary translates as∑

m

A†m Am = I

■ For a density operator: |0⟩⟨0|⊗ρ 7→∑

mm′|m⟩⟨m′|⊗AmρA†

m′

◆ measure the ancilla◆ get m with probability p(m | ρ) = tr[AmρA†

m ]

◆ resulting stateAmρA†

m

p(m | ρ)

Page 58: theBB84protocol - Université de Montréal

SYMMETRIC KEY CRYPTO

THE BB84 PROTOCOL

CODES

EVE’S ATTACK

➧PROBING

➧PARTIAL TRACES

➧ EVE’S STATES

➧MEASUREMENTS

➧MUTUAL INFORMATION

➧ ACCESSIBLE INFORMATION

➧CASE |K| = 2

INFO VS. DISTURBANCE

REFERENCES

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 21/33

MEASUREMENTS

General procedure to measure

■ given |φ⟩ attach an ancilla to get |0⟩ |φ⟩■ apply a unitary transform A

A |0⟩ |φ⟩ =∑

m

|m⟩⊗Am |φ⟩

■ A unitary translates as∑

m

A†m Am = I

■ For a density operator: |0⟩⟨0|⊗ρ 7→∑

mm′|m⟩⟨m′|⊗AmρA†

m′

◆ measure the ancilla◆ get m with probability p(m | ρ) = tr[AmρA†

m ]

◆ resulting stateAmρA†

m

p(m | ρ)

■ Let Om = A†m Am then

Page 59: theBB84protocol - Université de Montréal

SYMMETRIC KEY CRYPTO

THE BB84 PROTOCOL

CODES

EVE’S ATTACK

➧PROBING

➧PARTIAL TRACES

➧ EVE’S STATES

➧MEASUREMENTS

➧MUTUAL INFORMATION

➧ ACCESSIBLE INFORMATION

➧CASE |K| = 2

INFO VS. DISTURBANCE

REFERENCES

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 21/33

MEASUREMENTS

General procedure to measure

■ given |φ⟩ attach an ancilla to get |0⟩ |φ⟩■ apply a unitary transform A

A |0⟩ |φ⟩ =∑

m

|m⟩⊗Am |φ⟩

■ A unitary translates as∑

m

A†m Am = I

■ For a density operator: |0⟩⟨0|⊗ρ 7→∑

mm′|m⟩⟨m′|⊗AmρA†

m′

◆ measure the ancilla◆ get m with probability p(m | ρ) = tr[AmρA†

m ]

◆ resulting stateAmρA†

m

p(m | ρ)

■ Let Om = A†m Am then

◆ Om is hermitian positive,∑

m Om = I (POVM condition)

Page 60: theBB84protocol - Université de Montréal

SYMMETRIC KEY CRYPTO

THE BB84 PROTOCOL

CODES

EVE’S ATTACK

➧PROBING

➧PARTIAL TRACES

➧ EVE’S STATES

➧MEASUREMENTS

➧MUTUAL INFORMATION

➧ ACCESSIBLE INFORMATION

➧CASE |K| = 2

INFO VS. DISTURBANCE

REFERENCES

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 21/33

MEASUREMENTS

General procedure to measure

■ given |φ⟩ attach an ancilla to get |0⟩|φ⟩

■ apply a unitary transform A:

$$A\,|0\rangle|\phi\rangle = \sum_m |m\rangle \otimes A_m|\phi\rangle$$

■ A unitary translates as $\sum_m A_m^\dagger A_m = I$

■ For a density operator: $|0\rangle\langle 0| \otimes \rho \mapsto \sum_{m,m'} |m\rangle\langle m'| \otimes A_m \rho A_{m'}^\dagger$

◆ measure the ancilla

◆ get m with probability $p(m \mid \rho) = \mathrm{tr}[A_m \rho A_m^\dagger]$

◆ resulting state $A_m \rho A_m^\dagger \,/\, p(m \mid \rho)$

■ Let $O_m = A_m^\dagger A_m$, then

◆ $O_m$ is hermitian positive, $\sum_m O_m = I$ (POVM condition)

◆ $p[m \mid \rho] = \mathrm{tr}[A_m \rho A_m^\dagger] = \mathrm{tr}[A_m^\dagger A_m \rho] = \mathrm{tr}[O_m \rho]$

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 22/33

MUTUAL INFORMATION

Given random variables X, Y, p(x) = P[X = x], p(y) = P[Y = y], p(x, y) = P[X = x, Y = y], and lg = log₂, their mutual information is

$$I(X;Y) = \sum_{x,y} p(x,y)\,\lg\left(\frac{p(x,y)}{p(x)\,p(y)}\right)$$

■ I(X;Y) = 0 if and only if X and Y are independent

■ I(X;Y) = 0 if knowing X reveals nothing about Y

■ I(X;Y) = H(X)+H(Y)−H(X,Y)≥ 0

■ I(X;X) = H(X)

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 23/33

ACCESSIBLE INFORMATION

■ Input: $\rho_\kappa$ with probability $p_\kappa$, $\kappa \in K$

■ Problem: guess κ

■ If the $\rho_\kappa$ are $d \times d$ matrices, let E be a set with $d^2$ elements

◆ if $O = (O_e)_{e \in E}$ is a POVM

◆ then $p_O(e \mid \kappa) = \mathrm{tr}[O_e \rho_\kappa]$

◆ $p_O(e, \kappa) = p_O(e \mid \kappa)\, p(\kappa)$

◆ $I_O(K;E)$ measures how much info on K the outputs in E give

■ accessible information on κ $= \max_O I_O(K;E)$

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 24/33

CASE |K| = 2

Theorem. If $\hat\rho_0$ and $\hat\rho_1$ are equally likely and O is any POVM

$$I_O(K;E) \le \tfrac{1}{2}\,\mathrm{tr}\,|\hat\rho_0 - \hat\rho_1| \qquad (7)$$

Proof. Let $\hat\rho_0 - \hat\rho_1 = \sum_i \lambda_i |\phi_i\rangle\langle\phi_i|$; note: $1 - H(p, q) \le |p - q|$.

$$I_O(K;E) = H(K) - H_O(K \mid E) = 1 - \sum_e H_O(K \mid e)\, p_O(e)$$

$$= \sum_e \big[1 - H(p_O(\kappa = 0 \mid e),\, p_O(\kappa = 1 \mid e))\big]\, p_O(e)$$

$$\le \sum_e \big|p_O(\kappa = 0 \mid e) - p_O(\kappa = 1 \mid e)\big|\, p_O(e) = \sum_e \big|p_O(0, e) - p_O(1, e)\big|$$

$$= \tfrac{1}{2} \sum_e \big|\mathrm{tr}[O_e(\hat\rho_0 - \hat\rho_1)]\big| = \tfrac{1}{2} \sum_e \Big|\mathrm{tr}\Big[O_e \sum_i \lambda_i |\phi_i\rangle\langle\phi_i|\Big]\Big|$$

$$= \tfrac{1}{2} \sum_e \Big|\sum_i \lambda_i\, \langle\phi_i|O_e|\phi_i\rangle\Big| \le \tfrac{1}{2} \sum_{i,e} |\lambda_i|\, \langle\phi_i|O_e|\phi_i\rangle = \tfrac{1}{2} \sum_i |\lambda_i| = \tfrac{1}{2}\,\mathrm{tr}\,|\hat\rho_0 - \hat\rho_1|$$

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 25/33

INFO VS. DISTURBANCE

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 26/33

ATTACKING ONE QBIT

$$U|0_E\rangle|0_b\rangle = |E^b_{00}\rangle|0_b\rangle + |E^b_{01}\rangle|1_b\rangle = |\phi^b_0\rangle \qquad U|0_E\rangle|1_b\rangle = |E^b_{10}\rangle|0_b\rangle + |E^b_{11}\rangle|1_b\rangle$$

$$\rho^b_0 = |E^b_{00}\rangle\langle E^b_{00}| + |E^b_{01}\rangle\langle E^b_{01}| \qquad \rho^b_1 = |E^b_{10}\rangle\langle E^b_{10}| + |E^b_{11}\rangle\langle E^b_{11}|$$

$$p^b_e = \tfrac{1}{2}\langle E^b_{01} \mid E^b_{01}\rangle + \tfrac{1}{2}\langle E^b_{10} \mid E^b_{10}\rangle \qquad p^{\bar b}_e = \tfrac{1}{2}\Big[1 - \mathrm{Re}\big(\langle E^b_{00} \mid E^b_{11}\rangle + \langle E^b_{10} \mid E^b_{01}\rangle\big)\Big]$$

If we let $|\psi_0\rangle = |E^b_{00}\rangle|0\rangle + |E^b_{01}\rangle|1\rangle$ then $\rho_0 = \mathrm{tr}_E[|\psi_0\rangle\langle\psi_0|]$. If we let $|\psi_1\rangle = e^{i\theta}|E^b_{11}\rangle|0\rangle + e^{i\theta}|E^b_{10}\rangle|1\rangle$ then $\rho_1 = \mathrm{tr}_E[|\psi_1\rangle\langle\psi_1|]$.

Take θ s.t. $\langle\psi_0 \mid \psi_1\rangle = \cos(2\alpha) \in \mathbb{R}^+$. Then

$$1 - 2p^{\bar b}_e \le \cos(2\alpha) = 1 - 2\sin^2(\alpha), \qquad \sin(\alpha) \le \sqrt{p^{\bar b}_e}$$

Let $|\psi_0\rangle = \cos(\alpha)|0'\rangle + \sin(\alpha)|1'\rangle$, $|\psi_1\rangle = \cos(\alpha)|0'\rangle - \sin(\alpha)|1'\rangle$

$$SD(\rho_0, \rho_1) \le SD(\psi_0, \psi_1) \le \tfrac{1}{2}\big\|\, |\psi_0\rangle\langle\psi_0| - |\psi_1\rangle\langle\psi_1| \,\big\| = \cos(\alpha)\sin(\alpha)\,\big\|\, |0'\rangle\langle 1'| + |1'\rangle\langle 0'| \,\big\|$$

$$SD(\rho_0, \rho_1) \le 2\sqrt{p^{\bar b}_e}$$
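A numerical check of the bounds on this slide and on the CASE |K| = 2 slide, added here as an example that is not part of the original talk: for the two states |ψ0⟩ = cos α|0′⟩ + sin α|1′⟩ and |ψ1⟩ = cos α|0′⟩ − sin α|1′⟩, equally likely, it computes p_O(e | κ) = tr[O_e ρ_κ] for two projective POVMs, evaluates I_O(K;E) with the mutual-information formula, and compares it with ½ tr|ρ0 − ρ1| from (7) and with the disturbance bound 2√(p_e) in the tight case sin²α = p_e. The states, the two POVMs, and the angle α = π/8 are constructed for the demonstration; plain Python, no numpy.

```python
import math

# Added example (not from the slides): 2x2 complex matrices as lists of rows,
# so everything runs without numpy.

def ket(c0, c1):
    """Qubit state c0|0'> + c1|1'> as a list of two complex amplitudes."""
    return [complex(c0), complex(c1)]

def projector(v):
    """Rank-one projector |v><v| (element (i, j) is v_i * conj(v_j))."""
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]

def mat_add(a, b, sign=1):
    return [[a[i][j] + sign * b[i][j] for j in range(2)] for i in range(2)]

def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def trace(a):
    return a[0][0] + a[1][1]

def eigenvalues_hermitian(m):
    """Closed-form eigenvalues of a 2x2 Hermitian matrix."""
    a, d = m[0][0].real, m[1][1].real
    disc = math.sqrt(((a - d) / 2) ** 2 + abs(m[0][1]) ** 2)
    return (a + d) / 2 + disc, (a + d) / 2 - disc

def trace_norm(m):
    """tr|M| = sum of |eigenvalues| for a Hermitian M."""
    return sum(abs(lam) for lam in eigenvalues_hermitian(m))

def is_povm(ops, tol=1e-9):
    """POVM condition from the MEASUREMENTS slide: each O_e Hermitian positive, sum_e O_e = I."""
    total = [[0j, 0j], [0j, 0j]]
    for o in ops:
        hermitian = (abs(o[0][1] - o[1][0].conjugate()) < tol
                     and abs(o[0][0].imag) < tol and abs(o[1][1].imag) < tol)
        if not hermitian or min(eigenvalues_hermitian(o)) < -tol:
            return False
        total = mat_add(total, o)
    return all(abs(total[i][j] - (1 if i == j else 0)) < tol
               for i in range(2) for j in range(2))

def mutual_information(povm, states, priors):
    """I_O(K;E) = sum_{e,k} p(e,k) lg(p(e,k) / (p(e) p(k))) with p(e,k) = tr[O_e rho_k] p(k)."""
    joint = {}
    for e, o in enumerate(povm):
        for k, rho in enumerate(states):
            joint[(e, k)] = max(trace(mat_mul(o, rho)).real, 0.0) * priors[k]
    p_e = [sum(joint[(e, k)] for k in range(len(states))) for e in range(len(povm))]
    return sum(p * math.log2(p / (p_e[e] * priors[k]))
               for (e, k), p in joint.items() if p > 0)

def info_bound(rho0, rho1):
    """Right-hand side of (7): (1/2) tr|rho_0 - rho_1|, valid for every POVM."""
    return 0.5 * trace_norm(mat_add(rho0, rho1, -1))

def check_bounds(alpha):
    """For |psi_0> = cos a|0'> + sin a|1'> and |psi_1> = cos a|0'> - sin a|1'>, equally likely,
    return (I for the {|0'>,|1'>} measurement, I for the (|0'> +/- |1'>)/sqrt2 measurement,
    the information bound of (7), the disturbance bound 2 sqrt(p_e) with p_e = sin^2 a)."""
    c, s = math.cos(alpha), math.sin(alpha)
    rho0, rho1 = projector(ket(c, s)), projector(ket(c, -s))
    priors = [0.5, 0.5]
    # Measuring in {|0'>, |1'>} gives p(0'|kappa) = cos^2 a for both kappa: no information.
    z_basis = [projector(ket(1, 0)), projector(ket(0, 1))]
    # Measuring in the +/- basis reads the sign of sin a, which is what separates the states.
    r = 1 / math.sqrt(2)
    x_basis = [projector(ket(r, r)), projector(ket(r, -r))]
    assert is_povm(z_basis) and is_povm(x_basis)
    i_z = mutual_information(z_basis, [rho0, rho1], priors)
    i_x = mutual_information(x_basis, [rho0, rho1], priors)
    bound7 = info_bound(rho0, rho1)  # equals sin(2a) for these two states
    # Tight case of 1 - 2 p_e <= cos(2a) on this slide: p_e = sin^2 a, so SD <= 2 sqrt(p_e).
    disturbance_bound = 2 * math.sqrt(s * s)
    return i_z, i_x, bound7, disturbance_bound

if __name__ == "__main__":
    i_z, i_x, b7, b_dist = check_bounds(math.pi / 8)
    print(f"I(z-basis) = {i_z:.4f}, I(x-basis) = {i_x:.4f}, "
          f"(1/2) tr|rho0 - rho1| = {b7:.4f}, 2 sqrt(p_e) = {b_dist:.4f}")
```

With α = π/8 the x-basis measurement extracts about 0.40 bits while (7) allows at most sin(2α) ≈ 0.71 and the disturbance bound is 2 sin α ≈ 0.77; at α = π/4 the states are orthogonal and both the information and the bound reach 1.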

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 27/33

EVE’S INFORMATION

■ We want a similar result for Eve's information on κ for BB84 with codes.

■ If Eve keeps the state sent by Alice and sends random info to Bob, she gets full information whenever the test passes.

■ To average Eve's information, we need to take into account when the test fails.

■ For each $b, s, i_s, j_s, \xi$ there is an accessible information from the $(\rho_\kappa)_{\kappa \in K}$; we denote it $I(K;E \mid b, s, i_s, j_s, \xi)$.

■ Let

$$I^{(p_a)}(K;E \mid b, s, \xi, i_s, j_s) = \begin{cases} I(K;E \mid b, s, \xi, i_s, j_s) & \text{if } \dfrac{|i_s + j_s|}{n} \le p_a \\[4pt] 0 & \text{otherwise} \end{cases} \qquad (8)$$

■ Eve's information $\langle I^{(p_a)}_{\mathrm{Eve}}\rangle$ is the expectation of $I^{(p_a)}$ over all the parameters $b, s, \xi, i_s, j_s$.

■ $\langle I^{(p_a)}_{\mathrm{Eve}}\rangle$ is what is bounded in [BBBMR].

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 28/33

METHOD

■ Use

$$I((K_1, \dots, K_m); E \mid \xi \dots) \le \sum_{j=1}^{m} I(K_j; E \mid K_1, \dots, K_{j-1}, \xi \dots)$$

■ Establish a bound for $I(K_j; E \mid k_1, \dots, k_{j-1}, \xi, \dots)$

■ i.e. for $I(K_j; E \mid \xi', \dots)$ with $\xi' = \xi k_1 \dots k_{j-1}$ an $r + j - 1$ bit syndrome for the code having parity matrix with lines $v_1, \dots, v_{r+j-1}$.

■ The problem has been reduced to 1-bit keys. Eve's non-normalized operators are

$$\rho_k = \sum_{i,j} |E^b_{i,j}\rangle\langle E^b_{i,j}|$$

where the sum is over the i, j such that

◆ $i_s, j_s$ are equal resp. to Eve's and Bob's test bits

◆ $i_s P_C^T = \xi$

◆ $i_s \cdot v_{r+1} = k$

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 29/33

THE BIHAM BASIS

■ Let is, js,b,s,ξ be fixed.

■ Vr = ⟨v1, . . . vr ⟩ and Vcr = ⟨vr+1, . . . , vn⟩ with v1, . . . , vn basis of Fn

2

■ Let the attack be symmetric i.e.

⟨Ebi+m,j+m | Eb

i′+m,j′+m⟩ = (−1)(i+j+i′+j′)·m⟨Ebij | Eb

i′j′⟩

■ Let CI be the error random variable on information bits is + js.

■ Then there are vectors |ηc⟩ (c ∈ {0,1}n) of Eve’s probe space s.t.

◆ |ηc⟩ = |ηc′⟩ if c+c′ ∈ Vr

◆ ⟨ηc | ηc′⟩ = 0 if c+c′ ∉ Vr

◆ ⟨ηc | ηc⟩ = P[CI ∈ c+Vr , js | is,b+s,s]

◆ If ρ̃k = |V⊥r+1|

c′∈Vcr

{

|ηc′ ⟩⟨ηc′ |+ (−1)k |ηc′⟩⟨ηc′+vr+1|}

then

tr[ρ̃k ] = ρk .

◆ $\mathrm{tr}\,|\tilde\rho_0 - \tilde\rho_1| \le 2\sqrt{P\big[\,|C_I| \ge d_{r,1}/2 \mid i_s, j_s, b+s, s\,\big]}$

Page 103: theBB84protocol - Université de Montréal


Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 30/33

THE BOUND

Theorem. If $v_1, \dots, v_r$ are the rows of $P_C$, $v_{r+1}, \dots, v_{r+m}$ those of $P_K$, and if

$$d_{r,m} = d_H\big(\langle v_1, \dots, v_r \rangle,\ \langle v_{r+1}, \dots, v_{r+m} \rangle - \{0\}\big)$$

where $d_H$ is the minimum Hamming distance between the two sets (spans), then

$$\langle I^{(p_a)}_{\mathrm{Eve}} \rangle \le 2m \sqrt{P\Big[\Big(\frac{|C_I|}{n} \ge \frac{d_{r,m}}{2n}\Big) \wedge \Big(\frac{|C_T|}{n} \le p_a\Big)\Big]} \qquad (9)$$

where $|C_T|/n$ is the error rate on the test bits (determined by $s$) and $|C_I|/n$ is the error rate on the information bits (determined by $s$).

Proof.

■ Given by Biham bases for symmetric attacks.

■ Reduction of general attacks to symmetric attacks [BBBMR].

■ Direct proof for non-symmetric collective attacks in [BGM].

Page 104: theBB84protocol - Université de Montréal


Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 31/33

HOEFFDING’S THEOREM

Theorem (Hoeffding 1963). Let $X_1, \dots, X_n$ be either

1. independent random variables with finite first and second moments such that $a_i \le X_i \le b_i$ ($1 \le i \le n$),

2. or a random sample of size $n$ without replacement taken from a population $c_1, \dots, c_N$ s.t. $a_i \le c_i \le b_i$ ($1 \le i \le N$);

let $X = (X_1 + \dots + X_n)/n$ and $\mu = E[X]$ be the expectation of $X$; then for any $\epsilon > 0$

$$\Pr[\,X - \mu \ge \epsilon\,] \le e^{-2n^2\epsilon^2 / \sum_{i=1}^{n} (b_i - a_i)^2}$$

In the same way $\Pr[\,\mu - X \ge \epsilon\,] \le e^{-2n^2\epsilon^2 / \sum_{i=1}^{n} (b_i - a_i)^2}$. In case (2), $\mu$ is nothing else than the average of all the $c_i$. This theorem can be found in [Hoef63].

Page 105: theBB84protocol - Université de Montréal


Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 32/33

SECURE CODES

Theorem. Let us be given $\delta > 0$, $R > 0$ and, for infinitely many values of $n$, a family $\{v^n_1, \dots, v^n_{r_n+m_n}\}$ of linearly independent vectors in $F_2^n$ such that $\delta \le d_{r_n,m_n}/n$ and $m_n/n \le R$. Then for any $p_a > 0$ and $\epsilon_{\mathrm{sec}} > 0$ such that $p_a + \epsilon_{\mathrm{sec}} \le \delta/2$, Eve's accessible information satisfies the following bound.

$$\langle I^{(p_a)}_{\mathrm{Eve}} \rangle \le 2Rn\, e^{-\epsilon_{\mathrm{sec}}^2 n / 4}$$

All we need to guarantee security is thus vectors $\{v^n_1, \dots, v^n_{r_n+m_n}\}$ satisfying the conditions of the theorem. Such families were proven to exist in [BBBMR].

Codes providing both security and reliability are then proven to exist in [BBBMR].
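As an added worked example (not code from the talk or from [BBBMR]), the three quantities the last slides rely on, made concrete: the distance $d_{r,m}$ of THE BOUND slide computed by brute force over $F_2^n$ for a small constructed code, the Hoeffding tail that bounds the probability in (9), and the closed-form bound of the SECURE CODES slide together with its hypothesis $p_a + \epsilon_{\mathrm{sec}} \le \delta/2$. The code rows and parameters are constructed sample values, not values from the talk.

```python
import math
from itertools import product


def span(rows):
    """All F_2-linear combinations of the given rows (bit vectors as ints)."""
    out = set()
    for coeffs in product((0, 1), repeat=len(rows)):
        x = 0
        for c, v in zip(coeffs, rows):
            if c:
                x ^= v  # addition in F_2^n is XOR
        out.add(x)
    return out


def d_rm(pc_rows, pk_rows):
    """d_{r,m} = d_H(<v_1..v_r>, <v_{r+1}..v_{r+m}> minus {0}): minimum Hamming
    distance between a vector of the P_C row span and a nonzero vector of the
    P_K row span. Brute force, so only for small n."""
    vr = span(pc_rows)
    vk = span(pk_rows) - {0}
    return min(bin(x ^ y).count("1") for x in vr for y in vk)


def hoeffding_tail(n, eps, widths):
    """Hoeffding: Pr[X - mu >= eps] <= exp(-2 n^2 eps^2 / sum (b_i - a_i)^2)."""
    return math.exp(-2.0 * n * n * eps * eps / sum(w * w for w in widths))


def eve_info_bound(n, R, eps_sec):
    """SECURE CODES slide: <I_Eve^(p_a)> <= 2 R n exp(-eps_sec^2 n / 4)."""
    return 2.0 * R * n * math.exp(-eps_sec ** 2 * n / 4.0)


def params_admissible(delta, p_a, eps_sec):
    """Hypothesis of the SECURE CODES theorem: p_a + eps_sec <= delta / 2."""
    return p_a + eps_sec <= delta / 2.0


if __name__ == "__main__":
    # Constructed example: P_C = parity-check rows of the [7,4] Hamming code
    # (r = 3), P_K = the all-ones vector (m = 1), so n = 7 and delta = d/7.
    pc = [0b1010101, 0b0110011, 0b0001111]
    pk = [0b1111111]
    d = d_rm(pc, pk)
    print("d_{3,1} =", d, "admissible(p_a=0.1, eps=0.1):",
          params_admissible(d / 7, 0.1, 0.1))
    print("Hoeffding tail, n=100, eps=0.1, bits:", hoeffding_tail(100, 0.1, [1] * 100))
    print("Eve bound, n=1000, R=0.1, eps_sec=0.2:", eve_info_bound(1000, 0.1, 0.2))
```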

Page 106: theBB84protocol - Université de Montréal

Michel Boyer, December 22, 2005, הטכניון (Technion) Security of QKD - p. 33/33

REFERENCES

[BBBGM] E. Biham, M. Boyer, G. Brassard, J. van de Graaf, and T. Mor, Security of quantum key distribution against all collective attacks, Algorithmica, 34 (2002).

[BBBMR] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. Roychowdhury, A proof of the security of quantum key distribution, Journal of Cryptology (2006).

[BGM] M. Boyer, R. Gelles, and T. Mor, Security of BB84 against collective attacks, in preparation.

[Hoef63] W. Hoeffding, Probability inequalities for sums of bounded random variables, J. Amer. Stat. Assoc., 58 (1963), pp. 13–30.