aa r X i v : . [ qu a n t - ph ] J a n Improved Asymptotic Key Rate of the B92 Protocol
Ryutaroh Matsumoto ∗∗ Department of Communications and Integrated Systems, Tokyo Institute of Technology, 152-8550 Japan
Abstract —We analyze the asymptotic key rate of the singlephoton B92 protocol by using Renner’s security analysis given in2005. The new analysis shows that the B92 protocol can securelygenerate key at 6.5% depolarizing rate, while the previousanalyses cannot guarantee the secure key generation at 4.2%depolarizing rate.
I. I ntroduction
The B92 quantum-key-distribution (QKD) protocol [2] hasremained less popular than the famous BB84 protocol [1],while both protocols provide the unconditional security. Oneplausible reason for the unpopularity is that the B92 is weakerto the channel noise than the BB84. Specifically, the BB84with the standard one-way information reconciliation can gen-erate secure key over the depolarizing channel at depolarizingrate 16.5%, while the previous security analyses of the B92cannot guarantee the secure key generation at depolarizing rate3.5% [8], 3.7% [4] or 4.2% [7].The conventional security analyses of the B92 [4], [7],[8] involved many inequalities, and the tightness of thoseinequalities was not explicitly discussed. We cannot excludethe possibility that the B92 protocol can securely generatekey at depolarizing rates over 4.2%. On the other hand, theasymptotic secure key rate in [7], [6] is expressed as theminimum of conditional quantum entropy over a certain setof bipartite quantum states. By using the convex optimizationtechnique, we can completely remove careful manipulation ofmany inequalities, which could underestimate the secure keyrate. In this paper we reformulate the asymptotic secure keyrate formula as a convex optimization problem, and computethe rate without any manipulation of inequalities directly bya numerical optimization procedure. As a result, we showthat the B92 protocol [2] without noisy preprocessing [7] cansecurely generate key at 6.5% depolarizing rate.II. N ew S ecurity A nalysis of the B92 P rotocol
In this section, we present a new formula for the asymptotickey rate of the B92 protocol, based on Renner’s securityargument [6]. Firstly, we fix notations. Let {| i , | i} be somefixed orthonormal basis of a qubit. In the B92 protocol [2],Alice sends the quantum state | ϕ j i = β | i + ( − j α | i , (1)for j = ,
1, where β = √ − α , and 0 < α < / √
2. Forconvenience of presentation, we also define | ¯ ϕ j i = α | i − ( − j β | i . We can see that {| ϕ j i , | ¯ ϕ j i} forms an orthonormal basis of aqubit. On the other hand, we can express a qubit channel asfollows. Define the three Pauli matrices σ x , σ y , and σ z asusual. Then a qubit density matrix ρ can be expressed as [5] ρ = (cid:16) I + x σ x + y σ y + z σ z (cid:17) , where x , y , z ∈ R and x + y + z ≤
1. The vector ( x , y , z )is called a Bloch vector. The qubit channel E B from Alice toBob can be expressed as a map between Bloch vectors by zxy R zxy + ~ t , (2)where R = R zz R zx R zy R xz R xx R xy R yz R yx R yy , ~ t = t z t x t y . (3)Define | Ψ i = | i A | ϕ i B + | i A | ϕ i B √ . As in [8], we also define the four POVM F = | ¯ ϕ ih ¯ ϕ | / , (4) F = | ¯ ϕ ih ¯ ϕ | / , (5) F ¯0 = | ϕ ih ϕ | / , (6) F ¯1 = | ϕ ih ϕ | / . (7)After passing the quantum channel E B from Alice to Bob, | Ψ ih Ψ | becomes ρ , AB = ( I ⊗ E B ) | Ψ ih Ψ | . (8)In a quantum key distribution protocol, the state change E B is caused by Eve’s cloning of the transmitted qubits to herquantum memory. The content of Eve’s quantum memory ismathematically described by the purification | Φ , ABE i of ρ , AB .Let ρ , ABE = | Φ , ABE ih Φ , ABE | .In addition to Eve’s quantum memory, she also knows thecontent of public communication over the classical publicchannel between Alice and Bob. For each transmitted qubitfrom Alice to Bob, the public communication consists of 1-bitinformation indicating whether Bob discards his received qubitor not. We also have to take it into account. We shall representthe public communication by a classical random variable P that becomes 1 if Bob discards his qubit and 0 otherwise. So, P = F or F , and P = F ¯0 or F ¯1 .On the other hand, in the B92 protocol, Bob performs themeasurement specified by Eqs. (4)–(7). Alice and Bob keepheir a qubit if and only if its measurement outcome is F or F . Otherwise it is discarded and is not used for generationof secret key. This is mathematically equivalent to set Alice’sbit to 0 if the measurement outcomes is F ¯0 or F ¯1 . Therefore,from Eve’s perspective on Alice’s classical bit, the joint statebetween Alice and Bob after the selection by measurementoutcomes is equivalent to ρ , ABEP = ( I A ⊗ p F ⊗ I E ρ , ABE I A ⊗ p F ⊗ I E + I A ⊗ p F ⊗ I E ρ , ABE I A ⊗ p F ⊗ I E ) ⊗ | i P h | P + | i A h | A ⊗ ( p F ¯0 ⊗ I E Tr A [ ρ , ABE ] p F ¯0 ⊗ I E + p F ¯1 ⊗ I E Tr A [ ρ , ABE ] p F ¯1 ⊗ I E ) ⊗ | i P h | P . Observe that the state change from ρ , ABE to ρ , ABEP is a trace-preserving completely positive map.
Remark 1:
Alternatively, by using the more usual approachto model a quantum state after selective measurement, one canalso regard the quantum state after having Bob’s measurementoutcome F or F as1( F + F )Tr A [ ρ , AB ] ( I A ⊗ p F ⊗ I E ρ , ABE I A ⊗ p F ⊗ I E + I A ⊗ p F ⊗ I E ρ , ABE I A ⊗ p F ⊗ I E ) ⊗ | i P h | P . The motivation behind using our alternative formulation (9) isto prove later the convexity of the quantum conditional entropy(9) in terms of the parameters given in Eq. (3), so that we canuse the convex optimization technique to find the minimumvalue of Eq. (9).In order to calculate the key rate, we need to consider Eve’sambiguity on Alice’s classical bit [7], [6] defined as follows.Let ρ , XEP = X j = , | j i A h j | A ⊗ I EP Tr B [ ρ , ABEP ] | j i A h j | A ⊗ I EP . Eve’s ambiguity on Alice’s classical bit S ( X | EP ) is defined as S ( X | EP ) = S ( ρ , XEP ) − S ( ρ , EP ) , (9)where ρ , EP = Tr A [ ρ , XEP ], and S ( · ) denotes the von Neumannentropy.In order to calculate the amount of public communicationrequired for information reconciliation, we define the jointrandom variables ( X ′ , Y ′ ) as X ′ = j if the transmitted qubit is | ϕ j i , Y ′ = k if the measurement outcome is F k , (10)under the condition that the measurement outcome is either F or F . Observe the di ff erence between X and X ′ . X ′ is notdefined but X is defined to be 0 when Bob’s measurementoutcome is either F ¯0 or F ¯1 .We shall show the asymptotic key rate per single transmittedqubit that is neither announced for the channel estimation nordiscarded due to the measurement outcome being F ¯0 or F ¯1 .Note that Eq. (9) is Eve’s ambiguity per a qubit that is notannounced for the channel estimation but can be discarded . The probability of the measurement outcome being F or F is Tr[ ρ , AB ( I A ⊗ ( F + F ))] . So we can see that Eve’s ambiguity per single transmittedqubit that is neither announced for the channel estimation nordiscarded is S ( X | EP )Tr[ ρ , AB ( I ⊗ ( F + F ))] . By [7], [6] the asymptotic key rate is S ( X | EP )Tr[ ρ , AB ( I ⊗ ( F + F ))] − H ( X ′ | Y ′ ) . (11)Note that the above formula assumes that Alice and Bobknows the channel between them. In the BB92 protocol, wecannot estimate all the parameters of the channel. We canonly estimate part of them. In Eq. (11) we can asymptoticallydetermine the true values of Tr[ ρ , AB ( I ⊗ ( F + F ))] and H ( X ′ | Y ′ ). On the other hand we cannot know the true value of S ( X | EP ). Therefore, we need to calculate the minimum value(i.e. the worst-case) of S ( X | EP ) over all the possible quantumchannel E B between them.One can compute the minimum of S ( X | EP ) as follows. Ob-serve first that S ( X | EP ) is a function of the channel parametersEq. (3) of E B . By the almost same argument as [9, Remark11] one sees that S ( X | EP ) is a convex function of the channelparameters Eq. (3). Moreover, we see that the minimum of S ( X | EP ) is attained when R xy = R yx = R yz = R zy = t y = S ( X | EP ) by the convexoptimization [3]. III. N umerical R esult We consider the depolarizing channel E q with depolarizingrate q . The definition of q follows [8]. For a qubit densitymatrix ρ , we have E q ( ρ ) = (1 − q ) ρ + ( q / I × . With such achannel E q , R and ~ t in Eq. (2) are given by R = − q / − q /
30 0 1 − q / , ~ t = ~ . Define ρ , AB , q = ( I ⊗ E q ) | Ψ ih Ψ | . Over E q with infinitely many qubits, the asymptotic key rateis given by min S ( X | EP )Tr[ ρ , AB ( I ⊗ ( F + F ))] − H ( X ′ | Y ′ ) , (12)where the minimum is taken over the set of parameters in Eq.(3) such that Tr[( | ih | ⊗ F + | ih | ⊗ F ) ρ , AB ] = Tr[( | ih | ⊗ F + | ih | ⊗ F ) ρ , AB , q ] , (13)Tr[( | ih | ⊗ F + | ih | ⊗ F ) ρ , AB ] = Tr[( | ih | ⊗ F + | ih | ⊗ F ) ρ , AB , q ] . (14) k e y r a t e depolarizing rateProposed Fig. 1. Asymptotic Key Rate: The conventional methods [4], [7], [8] cannotgenerate key at depolarizing rate above 4.2% and they are not plotted.
We also required that parameters in Eq. (3) represent acompletely positive map. We stress that we do not restrictthe range of minimization to the depolarizing or the Paulichannels. The minimization is carried out over the set of allthe qubit channels with (13) and (14).The FindMinimum function in Mathematica 8.04 was usedfor the minimization. The program source code and thecomputation results are included in this eprint.We only considered α = .
39 and did not optimized thevalue of α in Eq. (1). The key rate is plotted in Fig. 1. Theconvex optimization did not converge in 10 iterations whenthe depolarizing rate ≤ . ≥ . onclusion In this paper, we reformulated the secure key rate formulaof the B92 protocol as a convex optimization. We have notresorted to skillful manipulation of inequalities, and the securekey rate is computed simply by a numerical optimizationprocedure. The result shows that the B92 protocol can securelygenerate key at significantly higher depolarizing rates thanprevious security analyzes.A cknowledgment
The author would like to thank K. Azuma, G. Kato, K.Tamaki and T. Tsurumaru for helpful discussions. This re-search is partly supported by NICT and JSPS.R eferences [1] C. H. Bennett and G. Brassard, “Quantum cryptography: Public keydistribution and coin tossing,” in
Proc. IEEE Intl. Conf. on Computers,Systems, and Signal Processing , 1984, pp. 175–179.[2] C. H. Bennett, “Quantum cryptography using any two nonorthogonalstates,”
Phys. Rev. Lett. , vol. 68, no. 21, pp. 3121–3124, May 1992.[3] S. Boyd and L. Vandenberghe,
Convex Optimization . CambridgeUniversity Press, 2004.[4] M. Christandl, R. Renner, and A. Ekert, “A generic security proof forquantum key distribution,” Mar. 2004, arXiv:quant-ph / Quantum Computation and QuantumInformation . Cambridge, UK: Cambridge University Press, 2000. [6] R. Renner, “Security of quantum key distribution,”