Quantum cryptography with finite resources: unconditional security bound for discrete-variable protocols with one-way post-processing
Valerio Scarani and Renato Renner
Centre for Quantum Technologies and Department of Physics, National University of Singapore, 3 Science Drive 2, Singapore 117543, Singapore
Institute for Theoretical Physics, ETH Zurich, 8093 Zürich, Switzerland
(Dated: October 29, 2018)

We derive a bound for the security of QKD with finite resources under one-way post-processing, based on a definition of security that is composable and has an operational meaning. While our proof relies on the assumption of collective attacks, unconditional security follows immediately for standard protocols like Bennett-Brassard 1984 and six-states. For single-qubit implementations of such protocols, we find that the secret key rate becomes positive when at least N ∼ signals are exchanged and processed. For any other discrete-variable protocol, unconditional security can be obtained using the exponential de Finetti theorem, but the additional overhead leads to very pessimistic estimates.

Introduction.
Quantum cryptography, or more exactly quantum key distribution (QKD), allows two authorized partners, Alice and Bob, connected by a quantum channel and a public authenticated classical channel, to distribute a secure key [1, 2, 3]. First proposed in 1984 by Bennett and Brassard (BB84, [4]) and in 1991 by Ekert [5], QKD is the first offspring of quantum information science to reach the level of applied physics and even commercial products. On the theoretical side, much effort has been devoted to deriving rigorous bounds for security. However, almost all the available security bounds hold true only if infinitely long keys are produced and processed. In contrast, a practical QKD scheme can only use finite resources: for instance, Alice and Bob have limited computational power, and they can only communicate a finite number of (qu)bits, resulting in keys of finite length.

The security of finite-length keys was first studied in [6] and later in [7, 8] for the BB84 protocol, as well as in [9] for a larger class of protocols. The applicability of these results is, however, limited: Ref. [9] considers only a restricted class of attacks; in Refs. [6, 7, 8], the underlying notion of security is not composable [10], which means that the generated keys are not secure enough to be used in applications, e.g., for encryption (more below). A more recent work [11], which focuses on a practical implementation of BB84 and has already been used in an experiment [12], uses a definition of security which is probably composable, although the issue is not discussed. In this Letter, we provide a security bound for discrete-variable QKD protocols with finite resources and with respect to a composable security definition, based on the formalism developed by one of us [13]. As first case studies, we apply it to BB84 and to the six-states protocol [14, 15] when implemented with single qubits.
Definition of security.
In the existing literature on QKD, not only the analysis, but also the very definition of security is mostly limited to the asymptotic case, and we therefore need to revisit it here. Most generally, the security of a key K can be parametrized by its deviation ε from a perfect key, which is defined as a uniformly distributed bit string whose value is completely independent of the adversary's knowledge. In an asymptotic scenario, a key K of length ℓ is commonly said to be secure if this deviation ε tends to zero as ℓ increases. In the non-asymptotic scenario studied here, however, the deviation ε is always finite. This makes it necessary to attribute an operational interpretation to the parameter ε. Only then is it possible to choose a meaningful security threshold (i.e., an upper bound for ε) reflecting the level of security we are aiming at. Another practically relevant requirement that we need to take into account is composability of the security definition. Composability guarantees that a key generated by a QKD protocol can safely be used in applications, e.g., as a one-time pad for message encryption. Although this requirement is obviously crucial for practice, it is not met by most security definitions considered in the literature [10].

In contrast to that, the results derived in this Letter are formulated in terms of a security definition that meets both requirements, i.e., it is composable and, in addition, the parameter ε has an operational interpretation. The definition we use was proposed in [16, 17]: for any ε ≥ 0, K is said to be ε-secure with respect to an adversary E if the joint state $\rho_{KE}$ satisfies

$$\tfrac{1}{2}\,\bigl\|\rho_{KE} - \tau_K \otimes \rho_E\bigr\| \le \varepsilon, \qquad (1)$$

where $\tau_K$ is the completely mixed state on K. The parameter ε can be seen as the maximum probability that K differs from a perfect key (i.e., a fully random bit string) [16].
Equivalently, ε can be interpreted as the maximum failure probability, where failure means that "something went wrong", e.g., that an adversary might have gained some information on K. From this perspective, it is also easy to understand why the definition is composable. In fact, the failure probability of any cryptosystem that uses a perfect secret key increases by at most ε if the perfect key is replaced by an ε-secure key. In particular, because one-time-pad encryption with a perfect key has failure probability 0 (the ciphertext gives zero information about the message), it follows that one-time-pad encryption based on an ε-secure key remains perfectly confidential, except with probability at most ε.

Protocol.
A QKD protocol starts with the distribution of quantum signals. In this Letter, we take an entanglement-based view, that is, after this distribution step, Alice and Bob share N (entangled) particle pairs, whose joint state we denote by $\rho_{A^N B^N}$. Next, Alice and Bob apply individual measurements to their particles to get classical data. For definiteness, we focus on protocols that use two-dimensional quantum systems (qubits) and von Neumann measurements, resulting in N correlated pairs of bits. Then, in a parameter estimation step, Alice and Bob reveal a random sample consisting of m of these pairs (using a public communication channel), which allows them to estimate the statistics λ(a,b) of their data, i.e., the relative frequency of the symbols. The protocol may also specify a sifting phase, in which some items are discarded.

At this stage, both Alice and Bob hold a string of n ≤ N − m bits, called raw key, denoted by $X^n$ and $Y^n$, respectively. These raw keys are generally only partially correlated and only partially secret. But, and this is where quantum physics plays a role, the maximum information that an eavesdropper Eve might have gained during the protocol, in the following denoted $E^n$, can be computed solely from the statistics λ(a,b). This allows Alice and Bob to transform the raw key pair into a fully secure key K of length ℓ ≤ n, using some purely classical procedure, in the following called post-processing. In this Letter, we focus on one-way post-processing consisting of two steps, called error correction (also known as information reconciliation) and privacy amplification. For the error correction, Alice sends some information on her raw key $X^n$ over the public channel, allowing Bob, who already knows $Y^n$, to compute a guess for $X^n$. Finally, privacy amplification is applied to turn $X^n$ into a fully secure key K. This is typically done by two-universal hashing [24].

Asymptotic analysis.
The one-way protocol described above has been studied extensively over the past few years, mostly in an asymptotic scenario where the size of the raw key tends to infinity. In this case, a commonly used figure of merit is the sifted key rate r′, defined as the ratio $r' := \lim_{n\to\infty} \ell(n)/n$ between the number ℓ(n) of generated key bits and the size n of the raw key. Devetak and Winter [18] have proved that, under the assumption of collective attacks (see below),

$$r' = H(X|E) - H(X|Y), \qquad (2)$$

where H(·|·) is the conditional von Neumann entropy, evaluated after the sifting step; note that, when both systems are classical as in H(X|Y), the von Neumann entropy becomes the Shannon entropy. The expression says that the sifted key rate r′ is equal to the uncertainty that Eve has on the raw key bits X, minus Bob's uncertainty: a very intuitive statement after all. Multiplying the sifted key rate r′ by the ratio n/N of raw key bits per signal gives the key rate per signal r, which is an indicator for the asymptotic performance of the overall protocol. For many schemes, the ratio n/N can be chosen arbitrarily close to one for sufficiently large N, because a small fraction m ≪ N of signals provides a sufficiently accurate parameter estimation; in this case, the key rate per signal r and the sifted key rate r′ are asymptotically equal.

Non-asymptotic analysis.
When the number N of exchanged quantum signals is finite, the above considerations are no longer sufficient. For example, since n + m ≤ N, one has to find a trade-off between the length of the raw key n and the precision of parameter estimation, which depends on the sample size m. Imperfect parameter estimation is however not the only deviation from the asymptotic case. An error correction procedure EC might, and in practical realizations actually does, perform worse than the theoretical limit. For our security analysis, the main characteristics of EC are the number of bits that need to be transmitted over the public channel (carrying information on $X^n$), in the following denoted $\mathrm{leak}_{EC}$, and the error probability $\varepsilon_{EC}$, i.e., the probability that Bob computes a wrong guess for $X^n$. Finally, as discussed above, the security of a key generated from finite resources is always finite: the length of the extractable secret key depends on the desired security ε of the final key.

Our goal is to find the generalization of (2) for QKD with finite resources, and to use it to compute r for given $(N, \varepsilon, \mathrm{leak}_{EC}, \varepsilon_{EC})$ after optimizing over the choices of the other possible parameters. The analysis will be based on the tools developed in [13]. In particular, it relies on a generalization of the von Neumann entropy [25], called smooth min-entropy. For any bipartite density operator $\rho_{AB}$ and ε ≥ 0, the smooth min-entropy $H^{\varepsilon}_{\min}(A|B)$ is defined as the maximum, taken over all density operators $\bar\rho_{AB}$ that are ε-close to $\rho_{AB}$, of the quantity

$$H_{\min}(A|B) := -\log \min\{\lambda > 0 : \exists\, \sigma_B : \bar\rho_{AB} \le \lambda\, \mathrm{id}_A \otimes \sigma_B\},$$

where $\mathrm{id}_A$ denotes the identity operator on subspace A and $\sigma_B$ is any density operator on subspace B. The significance of the smooth min-entropy stems from the fact that it characterizes the number of uniform bits that can be extracted by privacy amplification.

As a starting point, a formula for the number of final key bits ℓ can be obtained as a straightforward generalization of Lemma 6.4.1 in [13]:

Lemma 1.
The key agreement protocol described above generates an ε-secure key if, for some $\bar\varepsilon \ge 0$,

$$\ell \le H^{\bar\varepsilon}_{\min}(X^n|E^n) - \mathrm{leak}_{EC} - 2\log\frac{1}{2(\varepsilon - \bar\varepsilon - \varepsilon_{EC})}. \qquad (3)$$

Lemma 1 shows explicitly the two-step nature of one-way post-processing: for error correction, Alice has to send a bit string C of length $\mathrm{leak}_{EC}$ to Bob over the public channel, hence reducing Eve's uncertainty by the same amount. Privacy amplification then extracts a key whose length roughly corresponds to Eve's uncertainty after error correction, which is given by $H^{\bar\varepsilon}_{\min}(X^n|CE^n) \ge H^{\bar\varepsilon}_{\min}(X^n|E^n) - \mathrm{leak}_{EC}$ [26].

To go further, we have to evaluate the smooth min-entropy $H^{\bar\varepsilon}_{\min}(X^n|E^n)$. This evaluation is easy in the case of collective attacks, i.e., under the assumption that Alice and Bob (in an entanglement-based view) initially share a state of the form $\rho_{A^N B^N} = (\sigma_{\bar A\bar B})^{\otimes N}$ with $\sigma_{\bar A\bar B}$ a two-qubit state. Indeed, in this case one can also assume $\rho_{X^n E^n} = (\sigma_{\bar X\bar E})^{\otimes n}$ without loss of generality, since all purifications of $\rho_{AB}$ are equivalent under a local unitary operation by Eve, and there clearly exists a purification with that property. However, the statistics λ(a,b) acquired during parameter estimation generally give only a partial characterization of $\sigma_{\bar X\bar E}$. Lemma 2 below [27] provides a lower bound on $H^{\bar\varepsilon}_{\min}(X^n|E^n)$, given that $\sigma_{\bar X\bar E}$ is contained in a set Γ compatible with the statistics λ(a,b), except with probability $\bar\varepsilon'$.

Lemma 2.
For any $\bar\varepsilon > \bar\varepsilon'$, the smooth min-entropy of the state $\rho_{X^n E^n}$ described above is lower bounded by

$$H^{\bar\varepsilon}_{\min}(X^n|E^n) \ge n\Bigl(\min_{\sigma_{\bar X\bar E}\in\Gamma} H(\bar X|\bar E) - \delta\Bigr), \qquad (4)$$

where $\delta := 7\sqrt{\log\bigl(2/(\bar\varepsilon - \bar\varepsilon')\bigr)/n}$.

The description of the set of states Γ takes into account the fact that the parameter estimation has been made on a sample of finite size m. A quantitative version of the law of large numbers (see e.g. Theorem 12.2.1 and Lemma 12.6.1 in [23]) yields the following statement:

Lemma 3.
If the statistics $\lambda_m$ are obtained by measurements of m samples of σ according to a POVM with d outcomes then, for any $\bar\varepsilon' > 0$, σ is contained in the set

$$\Gamma_\xi = \Bigl\{\sigma : \|\lambda_m - \lambda_\infty(\sigma)\| \le \xi := \sqrt{\frac{2\ln(1/\bar\varepsilon') + d\ln(m+1)}{m}}\Bigr\}$$

except with probability $\bar\varepsilon'$, where $\lambda_\infty(\sigma)$ denotes the probability distribution defined by the POVM applied to σ.

The three Lemmas together yield the desired generalization of (2):

$$r' = H_\xi(X|E) - \bigl(\mathrm{leak}_{EC} + \Delta\bigr)/n \qquad (5)$$

with $H_\xi(X|E) = \min_{\sigma_{\bar X\bar E}\in\Gamma_\xi} H(\bar X|\bar E)$ and $\Delta = 2\log\frac{1}{2(\varepsilon-\bar\varepsilon-\varepsilon_{EC})} + 7\sqrt{n\log\bigl(2/(\bar\varepsilon-\bar\varepsilon')\bigr)}$. We recall that $(N, \varepsilon, \mathrm{leak}_{EC}, \varepsilon_{EC})$ are parameters of the protocol implementation, while n, m, $\bar\varepsilon$ and $\bar\varepsilon'$ must be chosen so as to maximize r = (n/N) r′ under the constraints n + m ≤ N and $\varepsilon - \varepsilon_{EC} > \bar\varepsilon > \bar\varepsilon' \ge 0$.

In general, (5) is valid only for collective attacks because of the estimate (4) of $H^{\bar\varepsilon}_{\min}(X^n|E^n)$. However, it has been proved that the assumption of collective attacks can be made without loss of generality for the BB84 and the six-states protocols [19, 20] (see the open issues for the discussion of a more general approach based on the exponential de Finetti theorem [13, 21]). To illustrate the bound (5), we move on to derive the explicit expressions of $H_\xi(X|E)$.

BB84.
We consider an asymmetric version of BB84 [22]: the key is obtained from measurements in one basis $B_z$, chosen by both Alice and Bob with probability $p_z$; the complementary basis $B_x$, chosen with probability $p_x = 1 - p_z$, is used for parameter estimation. So $n = N p_z^2$ and $m = N p_x^2$, while $2N p_z p_x$ signals are discarded in sifting. The computation of $H_\xi(X|E)$ can be done in full along the usual lines, see e.g. Appendix A of [3]. More directly, notice that, in this term, the only finite-key effect is the imperfection of the statistics. Knowing the asymptotic value $H(\bar X|\bar E) = 1 - h(e_x)$, where $e_x$ is the error rate in the basis $B_x$ (phase error), it is obvious that the worst-case estimate of $\lambda(a,b) \equiv e_x$ is $\tilde e_x = e_x + \xi(m, d=2)$, because the POVM has two outcomes (same vs different bits). Therefore

$$H_\xi(X|E) = 1 - h(\tilde e_x). \qquad (6)$$

Six-states.
We consider an asymmetric version of the six-states protocol: the key is obtained from measurements in one basis $B_z$, chosen by both Alice and Bob with probability $p_z$; the complementary bases $B_x$ and $B_y$, chosen with equal probability $q = (1 - p_z)/2$, are used for parameter estimation. Sifting yields $n = N p_z^2$ and $m_x = m_y = N q^2$, while the remaining signals are discarded. Similarly as above, the asymptotic formula (for $e_x = e_y$, a case that minimizes it) can be immediately translated into

$$H_\xi(X|E) = (1 - \tilde e_z)\Bigl[1 - h\Bigl(\frac{1 - \tilde e_x - \tilde e_z/2}{1 - \tilde e_z}\Bigr)\Bigr] \qquad (7)$$

with $\tilde e_x = e_x + \xi(m_x, d=2)$ and $\tilde e_z = e_z + \xi(n, d=2)$, because $e_z$ is estimated on the n bits of the raw key.

Plots.
For an a priori estimate of our bounds, we have supposed as usual that parameter estimation yields $e_x = e_z \equiv Q$; imperfect EC has been characterized by $\mathrm{leak}_{EC}/n = 1.\,h(Q)$ and $\varepsilon_{EC} = 10^{-}$ based on the performances of real codes [28]. The optimization was done numerically; in particular, the optimal value of p was found to be approximately $n_b\,(N/N_0)^{-\,/}$, $N_0$ being the smallest N such that r > 0, and $n_b = 2$ for BB84 and 3 for six-states. The results are shown in Fig. 1. The slight difference between the two protocols is due to the fact that six-states estimates more parameters than BB84: the rates are in principle higher because the bound on Eve's information is tighter, but, for short keys, more signals must be devoted to the estimation. These plots do not depend very critically on the value ε; in particular, even for ε ≥ − our bounds are tighter than those computed in [9] for a limited class of attacks on the six-states protocol.

[Figure 1: r versus N; curves for Q = 0.5%, 2.5%, 5%, 7.5%]

FIG. 1: (color online) Lower bound for the key rate r as a function of the number of exchanged quantum signals N, for the BB84 (full lines) and the six-states protocol (dashed lines); values: $\varepsilon = 10^{-}$, $\varepsilon_{EC} = 10^{-}$, $\mathrm{leak}_{EC}/n = 1.\,h(Q)$, and several $Q = e_x = e_z$.

Open issues.
We point out two directions for future work.

First: the results we have presented here are not necessarily tight: better estimates might lead to more optimistic bounds on the security. Lemmas 1–3 can be shown to be optimal up to an additive term of the order log 1/ε. So basically there is room for improvement only in the performance of error correction schemes.

Second: formula (5) has been derived under the assumption of collective attacks and provides full security for the BB84 and the six-states protocols only thanks to specific symmetries [19, 20]. To get a fully general statement, one might invoke a quantum version of de Finetti's representation theorem as proposed in [21], which, in the asymptotic case, implies that security against general attacks follows from security against collective attacks. This technique, however, gives rise to additional deviations (see Theorem 6.5.1 of [13] for explicit formulae) which are significant in a non-asymptotic scenario and lead to very pessimistic bounds. To improve them, a tighter variant of de Finetti's theorem, or some new ideas, might be required.
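As an added worked example (not code from the paper), the bound (5) with (6) for BB84 and (7) for six-states can be evaluated numerically in the spirit of Fig. 1: Lemma 3's ξ, the penalty Δ and $H_\xi(X|E)$ are implemented as written above, and r = (n/N) r′ is maximized by a coarse grid search over $p_z$, $\bar\varepsilon$ and $\bar\varepsilon'$. The function names, the search grid, and the values ε = 10⁻⁵, ε_EC = 10⁻¹⁰ and leak_EC = f_EC · n · h(Q) with f_EC = 1.1 are my own assumptions, not the paper's parameters.

```python
import math

def h(p):
    """Binary entropy in bits, with h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def xi(m, d, eps_bar_prime):
    """Lemma 3: width of the confidence set Gamma_xi after m samples of a
    d-outcome POVM, violated with probability at most eps_bar_prime."""
    return math.sqrt((2 * math.log(1 / eps_bar_prime) + d * math.log(m + 1)) / m)

def delta_fk(n, eps, eps_bar, eps_bar_prime, eps_ec):
    """Finite-key penalty Delta of Eq. (5): the privacy-amplification term of
    Lemma 1 plus n*delta from the smoothing of Lemma 2 (logs in base 2)."""
    return (2 * math.log2(1 / (2 * (eps - eps_bar - eps_ec)))
            + 7 * math.sqrt(n * math.log2(2 / (eps_bar - eps_bar_prime))))

def h_xi(protocol, Q, n, m, eps_bar_prime):
    """Worst-case H_xi(X|E): Eq. (6) for BB84 (e_x estimated on m sample
    bits), Eq. (7) for six-states (e_x on m sample bits, e_z on the n raw-key
    bits). Assumes e_x = e_z = Q and a 2-outcome (same/different) POVM."""
    e_x = min(Q + xi(m, 2, eps_bar_prime), 0.5)
    if protocol == "bb84":
        return 1 - h(e_x)
    e_z = Q + xi(n, 2, eps_bar_prime)
    num = 1 - e_x - e_z / 2
    if num <= 0 or e_z >= 1:          # estimate too loose: no extractable entropy
        return 0.0
    return (1 - e_z) * (1 - h(num / (1 - e_z)))

def key_rate(protocol, N, Q, eps=1e-5, eps_ec=1e-10, f_ec=1.1):
    """Lower bound r = (n/N) r' on the key rate per signal from Eq. (5),
    maximised by a coarse grid search over the key-basis probability p_z and
    over the split eps - eps_ec > eps_bar > eps_bar' > 0. eps, eps_ec and the
    EC inefficiency f_ec (leak_EC = f_ec * n * h(Q)) are assumed values.
    Returns (r, p_z); r is 0.0 when no choice of parameters is positive."""
    n_est_bases = 1 if protocol == "bb84" else 2
    best = (0.0, None)
    for k in range(1, 100):
        p_z = k / 100
        q = (1 - p_z) / n_est_bases    # probability of each estimation basis
        n, m = int(N * p_z ** 2), int(N * q ** 2)   # sifted key / sample sizes
        if n < 1 or m < 1:
            continue
        leak_ec = f_ec * n * h(Q)
        for eps_bar in (eps / 2, eps / 4, eps / 8):
            for eps_bar_prime in (eps_bar / 10, eps_bar / 2, 0.9 * eps_bar):
                penalty = leak_ec + delta_fk(n, eps, eps_bar, eps_bar_prime, eps_ec)
                r = (n / N) * (h_xi(protocol, Q, n, m, eps_bar_prime) - penalty / n)
                if r > best[0]:
                    best = (r, p_z)
    return best

if __name__ == "__main__":
    for N in (10**4, 10**5, 10**6, 10**7):
        print(N, key_rate("bb84", N, 0.05), key_rate("six-states", N, 0.05))
```

With these assumed parameters the bound is zero at N = 10⁴ and positive at N = 10⁶ for Q = 5%, and it stays well below the asymptotic value 1 − (1 + f_EC) h(Q), which is the qualitative behaviour of Fig. 1.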
Acknowledgments.

We thank J.-C. Boileau, M. Hayashi, N. Lütkenhaus and other participants in the workshop "Tropical QKD" (Waterloo, Canada, June 2007) for clarifying discussions. This work is supported by the National Research Foundation and Ministry of Education, Singapore, by HP Labs Bristol, and by the European Union through the projects SECOQC and SCALA.

[1] N. Gisin, G. Ribordy, W. Tittel, H. Zbinden, Rev. Mod. Phys., 145 (2002).
[2] M. Dušek, N. Lütkenhaus, M. Hendrych, Progress in Optics, Ed. E. Wolf (Elsevier) vol. 49, 381 (2007).
[3] V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, M. Peev, arXiv:0802.4155v1.
[4] C. H. Bennett, G. Brassard, in Proceedings IEEE Int. Conf. on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175-179.
[5] A. K. Ekert, Phys. Rev. Lett., 661 (1991).
[6] H. Inamori, N. Lütkenhaus, D. Mayers, Eur. J. Phys. D, 599 (2007), and quant-ph/0107017.
[7] S. Watanabe, R. Matsumoto, T. Uyematsu, quant-ph/0412070v4 [the finite-key results do not appear in the published version: Int. J. Quant. Inf., 935 (2006)].
[8] M. Hayashi, Phys. Rev. A, 022307 (2006).
[9] T. Meyer, H. Kampermann, M. Kleinmann, D. Bruß, Phys. Rev. A, 042340 (2006).
[10] R. König, R. Renner, A. Bariska, and U. Maurer, Phys. Rev. Lett., 140502 (2007).
[11] M. Hayashi, Phys. Rev. A, 012329 (2007).
[12] J. Hasegawa et al., arXiv:0705.3081. For Q ≈ 5% and ε = 2 −, they obtained r ≈ 2% (4100 secret bits from each raw key block of n ≈ N = 10 bit) instead of the r ≈ 43% predicted by the asymptotic bound.
[13] R. Renner, Security of Quantum Key Distribution, PhD thesis, Diss. ETH No 16242, quant-ph/0512258.
[14] D. Bruß, Phys. Rev. Lett., 3018 (1998).
[15] H. Bechmann-Pasquinucci, N. Gisin, Phys. Rev. A, 4238 (1999).
[16] R. Renner and R. König, in Second Theory of Cryptography Conference TCC (Springer, 2005), vol. 3378 of Lecture Notes in Computer Science, pp. 407–425, and quant-ph/0403133.
[17] M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, in Second Theory of Cryptography Conference TCC (Springer, 2005), vol. 3378 of Lecture Notes in Computer Science, pp. 386–406, and quant-ph/0409078.
[18] I. Devetak and A. Winter, Proc. R. Soc. Lond. A, 207 (2005).
[19] D. Gottesman, H.-K. Lo, IEEE Trans. Inf. Theory, 457 (2003).
[20] B. Kraus, N. Gisin, R. Renner, Phys. Rev. Lett., 080501 (2005); R. Renner, N. Gisin, B. Kraus, Phys. Rev. A, 012332 (2005).
[21] R. Renner, Nature Physics, 645 (2007).
[22] H.-K. Lo, H. F. Chau, M. Ardehali, J. Cryptology, 133 (2005), and quant-ph/9803007.
[23] T. M. Cover, J. A. Thomas, Elements of Information Theory, Wiley Series in Telecommunications (Wiley, New York, 1991).
[24] J. L. Carter, M. N. Wegman, Journal of Computer and System Sciences, 143 (1979); M. N. Wegman, J. L. Carter, idem, 265 (1981).
[25] The conditional von Neumann entropy evaluated for a density operator $\sigma_{AB}$ can be expressed asymptotically in terms of the smooth min-entropy evaluated for i.i.d. states $\rho_{A^n B^n} = \sigma_{AB}^{\otimes N}$, i.e., $H(A|B)_{\sigma_{AB}} = \lim_{\varepsilon\to 0}\lim_{N\to\infty} \frac{1}{n} H^{\varepsilon}_{\min}(A^n|B^n)$.
[26] If privacy amplification is applied to individual blocks rather than to the overall raw key, then expression (3) needs to be evaluated for each of the blocks separately.
[27] Lemma 2 is a Corollary 3.3.7 of [13]; we correct a typo (the "1" under the square root must also be divided by n) and set d = 2 as we are assuming that $X^n$