Upper Bound of Collective Attacks on Quantum Key Distribution
aa r X i v : . [ c s . CR ] O c t Upper Bound of Collective Attacks on Quantum Key Distribution
Wei Li , , and Shengmei Zhao , ∗ Nanjing University of Posts and Telecommunications,Institute of Signal Processing and Transmission, Nanjing, 210003, China. Nanjing University of Posts and Telecommunications,Key Lab Broadband Wireless Communication and Sensor Network,Ministy of Education, Nanjing, 210003, China. and National Laboratory of Solid State Microstructures,Nanjing University, Nanjing 210093, China. (Dated: October 9, 2019)
Abstract
Evaluating the theoretical limit of the amount of information Eve can steal from a quantum keydistribution protocol under given conditions is one of the most important things that need to bedone in security proof. In addition to source loopholes and detection loopholes, channel attacks areconsidered to be the main ways of information leakage, while collective attacks are considered tobe the most powerful active channel attacks. Here we deduce in detail the capability limit of Eve’scollective attack, the most powerful attack scheme in channel attacks, in non-entangled quantumkey distribution, like BB84 and measurement-device-independent protocols, and entangled quan-tum key distribution, like device-independent protocol, in which collective attack is composed ofquantum weak measurement and quantum unambiguous state discrimination detection. The theo-retical results show that collective attacks are equivalent in entangled and non-entangled quantumkey distribution protocols. We also find that compared with the loose bond on Eve’s attack pro-vided by security proof based on entanglement purification, the security proof against collectiveattacks not only improves the system’s tolerable bit error rate, but also improves the key rate. ∗ [email protected] . INTRODUCTION Security proof is one of the most important components of quantum key distribution(QKD)[1–5]. It is not only used to evaluate the validity of a protocol, but also to givethe maximum key rate that the protocol can extract. A QKD protocol is considered to besecure in this case that after the two communication parties, Alice and Bob, complete thetransmission and measurement of quantum states and all post-processing, the probabilityof eavesdropper Eve acquiring their shared key tends to be exponentially infinitesimal. Thesecurity of QKD can be divided into two categories. The first category belongs to secu-rity loopholes, such as imperfect light source[6–11] and detection loopholes[11–17]. Underappropriate attack schemes, the information of shared keys between Alice and Bob canbe eavesdropped almost entirely. At present, many approaches have been proposed to closethese loopholes, such as decoy-state protocol for imperfect light source[18–20], measurement-device-independent (MDI)-QKD protocols for detection loopholes[21–24].The other category of QKD security is the channel-side leakage of information intro-duced by imperfect devices in the transmission and measurement of quantum states, suchas the beam-splitting (BS) attack caused by the attenuation of quantum states[25], and thecollective attack scheme introduced by finite bit error rate (BER)[26–28]. The amount ofinformation lost by channel-side attacks will determine the amount of information neededfor secret amplification and the maximum tolerable BER by QKD. BS attack is a passiveattack scheme in which the attenuated photon states can be considered to be interceptedand stored by Eve. The amount of information eavesdropped by Eve is determined by thejoint measurement probability between Eve and Alice and Bob. In contrast with BS attack,collective attack is an active attack scheme. Eve uses weak measurement technology toobtain as much information as possible about the shared quantum states between Alice andBob under certain perturbations. The security proof based on entanglement purification hasgiven the general loose bound of information consumed by secret amplification. Althoughthe security against collective attacks in the BB84 and B92 protocols[26, 27] has been proved,there is no corresponding expression of the general bound. Furthermore, the Holove quantityprovided by DI-QKD security proof against collective attacks is not improved compared withthe entanglement purification protocol[28]. However, after knowing Eve’s attack strategy,a tighter bound for information leakage should be obtained. We already know that QKD2rotocols based on single-photon and entangled states have equivalence. Like entanglementpurification protocols, we need to give the general expression of Holove quantity betweenEve and Alice and Bob under the collective attack for all QKDs.In this paper, we will evaluate the performance of Eve’s collective attacks on differentkinds of QKDs by deducing the Holove quantity and the tolerable maximum bit error rate.Firstly, we derive the maximum amount of information that Eve can steal using collectiveattack in non-entangled QKD. Eve’s collective attack consists of quantum weak measurementand quantum unambiguous state discrimination detection. Eve can perform any quantumoperation, and any operation of Eve only needs to obey quantum mechanics. Next, we extendEve’s collective attack to entangled QKD systems, and give the generality of collective attackin these two kinds of QKD systems.
II. COLLECTIVE ATTACK IN NON-ENTANGLED QKD PROTOCOLS
Collective attack is currently considered to be the most powerful channel attack scheme.In collective attack, Eve attaches his quantum state to each of the states transmitted be-tween Alice and Bob independently. Eve performs a weak measurement operation on thejoint quantum states to entangle his state with the joint system of Alice and Bob. Evethen stores his quantum state and re-sends the quantum state transmitted between Aliceand Bob. After Alice and Bob have completed state measurement and announcement ofmeasurement base, Eve then makes unambiguous state discrimination (USD) measurementson the corresponding quantum state stored by him to obtain the shared information be-tween Alice and Bob. We first show collective attacks in non-entangled two-dimensionalQKD protocols, such as BB84- and MDI-QKDs. These conclusions are then extended tothe entanglement-based QKD protocol.
A. Weak measurement
Assume that the quantum state space in QKD protocol is formed by orthogonal basisvectors | p i and | q i which can interact with Eve’s system without any crossing, and the bases3 IG. 1. Schematic illustration of Eve’s collective attack on BB84-QKD. Alice randomly preparesa quantum state from two mutually unbiased bases and sends it to Bob. Bob randomly choosesthe measurement basis to measure quantum states. Eve uses weak measurements to implementcollective attack on the quantum states transmitted in the channel. The bit error rate caused bythis attack cannot exceed the agreed value of Alice and Bob. in Z space and X space can be written as | i = a | p i + b | q i , | i = b | p i − a | q i , | + i = √
22 [( a + b ) | p i − ( a − b ) | q i ] , | + i = √
22 [( a − b ) | p i + ( a + b ) | q i ] , (1)where a and b are the normalization constants that satisfy a + b = 1. In BB84, as shownin Fig. 1, Alice prepares these two sets of mutually-unbiased-bases (MUBs) with equalprobabilities and sends them to Bob. Eve has a powerful attack capability in the collectiveattack scheme, any operation by Eve should only be restricted to the principle of quantummechanics. Eve is free to change the values of a and b in Eqs. (1). Assume that Eve’s initialquantum state is | E i , the weak measurement on the joint system is represented by a unitaryoperator U , U | p i | E i = | α p i | E p i ,U | q i | E i = | β q i | E q i , (2)where | α p i and | β q i are obtained by rotating α and β degrees of | p i and | q i in a two-dimensional plane under weak measurements, respectively, | E p i and | E q i are the corre-sponding states stored by Eve, all the phase terms generated by the interaction are includedin | E p i and | E q i . The unitary of operator U leads to the following equality h p | q i h E | E i = 0 = h E | h q | U + U | q i | E i = h α p | β q i h E p | E q i . (3)In general, | E p i and | E q i are not necessary to be orthogonal to each other. Thus for anyquantum states | α p i and | β q i , we have h α p | β q i = 0, which means that | p i and | q i are rotated4t the same angle under weak measurement. After the unitary operation, Eve can reverse-rotate | α p i and | β q i at the same angle to reduce the perturbation, T | p i | E i = RU | p i | E i = | p i | E p i ,T | q i | E i = RU | q i | E i = | q i | E q i . (4)Then the weak measurement on the states in Z bases can be written as T | i | E i = √ p , | i | E , i + √ p , | i | E , i ,T | i | E i = √ p , | i | E , i + √ p , | i | E , i , (5)where | E , i , | E , i , | E , i and | E , i are the normalized states stored by Eve, and theirexpressions are | E , i = a | E p i + b | E q i p − a b (1 − |h E p | E q i| cos θ ) , | E , i = b | E p i + a | E q i p − a b (1 − |h E p | E q i| cos θ ) , | E , i = | E , i = ab ( | E p i − | E q i ) p a b (1 − |h E p | E q i| cos θ ) , (6)where θ is the phase difference between | E p i and | E q i . The corresponding transition prob-abilities p , , p , , p , and p , are p , = p , = 1 − a b (1 − |h E p | E q i| cos θ ) ,p , = p , = 2 a b (1 − |h E p | E q i| cos θ ) . (7)The weak measurement on the states in Z bases can be written as T | + i | E i = √ p + , + | + i | E + , + i + √ p + , − |−i | E + , − i ,T |−i | E i = √ p − , + | + i | E − , + i + √ p − , − |−i | E − , − i , (8)where | E + , + i , | E + , − i , | E − , + i and | E + , + i are the normalized states stored by Eve, and theirexpressions are | E + , + i = ( a + b ) | E p i + ( a − b ) | E q i q − (1 − a b ) (1 − |h E p | E q i| cos θ ) , | E − , − i = ( a − b ) | E p i + ( a + b ) | E q i q − (1 − a b ) (1 − |h E p | E q i| cos θ ) , | E + , − i = | E − , + i = ( a − b ) ( | E q − E p i ) q (1 − a b ) (1 − |h E p | E q i| cos θ ) , (9)5nd p + , + , p + , − , p − , + and p − , − are the corresponding transition probabilities which satisfy p + , + = p − , − = 1 − (cid:0) − a b (cid:1) (1 − |h E p | E q i| cos θ ) ,p + , − = p − , + = 12 (cid:0) − a b (cid:1) (1 − |h E p | E q i| cos θ ) . (10)From Eqs. (5) and (8), we can see that after the weak measurement performed by Eve,Eve’s system is entangled with the state transmitted between Alice and Bob. From Bob’spoint of view, the quantum state he receives is ρ = 14 [( p , + p , ) ρ + ( p , + p , ) ρ + ( p + , + + p − , + ) ρ + + ( p + , − + p − , − ) ρ − ] . (11)In this case, the BER caused by weak measurement is p e = 14 ( p , + p , + p − , + + p + , − ) , (12)After substituting Eqs. (7) and (10) into Eqs. (12), we can get p e ≥
14 (1 − |h E p | E q i| cos θ ) . (13)It can be seen from Eqs. (13) that the BER p e is independent of the values of a and b , andonly depends on the inner product between | E p i and | E q i . Here |h E p | E q i| denotes the degreeof discrimination between | E p i and | E q i . The smaller the value of |h E p | E q i| , the higher theprobability that Eve could distinguish | E p i and | E q i . As can be seen from Eqs. (13), whenthe BER of the system p e is determined, θ = 0 is the best way to help Eve get informationfrom Alice and Bob. B. Unambiguous state discrimination
After Alice and Bob have announced their selected bases, Eve makes appropriate mea-surements on his stored quantum states to infer Alice’s information. The dependence ofEve’s stored states on | E p i and | E p i is shown in Fig. 2. Quantum states | E , i , | E , i , | E + , − i and | E − , + i are in the direction of | E p i − | E p i , | E , i , | E , i and | E + , − i , | E − , + i aresymmetrically located on each side of | E p i + | E p i , respectively. There is an interesting mu-tually exclusive relationship between the angle of | E , i , | E , i relative to | E p i + | E p i andthe angle of | E + , + i , | E − , − i relative to | E p i + | E p i . For example, when | E , i , | E , i are far6 IG. 2. Schematic illustration of the quantum USD measurement of Eve’s collective attack in(a) Z -basis and (b) X -basis representations. The states | E , i , | E , i and | E + , − i , | E − , + i aresymmetrically located on each side of | E p i + | E p i , and | E , i , | E , i , | E + , − i and | E − , + i are in thedirection of | E p i − | E p i . After Alice and Bob announce their bases publicly, Eve performs thequantum USD measurement on his stored state which is entangled with an auxiliary bit. Aftermeasuring the auxiliary bit, Eve measures his stored state along the direction of (a) E and E in Z basis, and of (b) E + and E − in Y basis. from the direction of | E p i + | E p i , the magnitude of | E , i and | E , i will decrease, mean-while | E + , + i , | E − , − i will be near the direction of | E p i + | E p i , and the magnitude of | E + , − i , | E − , + i will increase. In the extreme case, when | E , i , | E , i are equal to | E p i and | E p i , themagnitude of | E , i and | E , i is zero. At this time, | E + , + i , | E − , − i will be strictly in thedirection of | E p i + | E p i , and the magnitude of | E + , − i , | E − , + i will reach the maximum value q (1 − h E p | E q i ).Here we set the value of a to cos α and b to sin α . After hearing the basis chosen byAlice and Bob, Eve should make a unambiguous discrimination between | E , i and | E , i or | E + , + i and | E − , − i to infer the state sent by Alice. The best known option for Eve is to usequantum USD measurements, which increases the detection probability from 1 − h x | y i − h x | y i for non-orthogonal states | x i , | y i [29]. Supposethat at one moment, the base chosen by Alice and Bob is Z , Eve entangles an auxiliary bitwith | E , i or | E , i through weak measurements[29–31]. After measuring the state of theauxiliary bit, Eve chooses two orthogonal measurements E and E to measure the quantumstates collapsed from | E , i and | E , i , as shown in Fig. 1(a). In the plane formed by | E p i and | E p i , the angles of the two measurements E and E from the direction of | E p i − | E p i π π α is between 0 and π | E , i and | E , i . It should be noted that in the above quantum USDmeasurements, | E , i and | E , i are not affected by auxiliary bits.If the state sent by Alice is | i , the probability that Eve could guess right Alice’s bitunder USD measurement is p r = p , (1 − h E , | E , i ) + 12 p , , (14)the probability that Eve could guess wrong Alice’s bit is p e = 12 p , . (15)The guessing probabilities for p r and p e can also be obtained in the same way. So on the Z basis, Eve’s quantum USD measurement matrix is p z = A z p r A z p e A z p e A z p r A z , (16)where the normalization constant A z is equal to 4 p e − p e sin α , and p r = p r , p e = p e .Thus under Z base, through collective attack, the Holove quantity between Eve and Aliceand Bob χ z ( E : A, B ) is χ z ( E : AB ) = A z (cid:20) − H (cid:18) p r A z , p e A z (cid:19)(cid:21) , (17)where H ( x, y ) = − x log x − y log y . Similarly, under X base, the Holove quantity betweenEve and Alice and Bob under collective attack through quantum USD measurement is χ x ( E : AB ) = A x (cid:20) − H (cid:18) p r + A x , p e + A x (cid:19)(cid:21) , (18)where the normalization constant A x is equal to 2 p e (cid:0) α (cid:1) . Then the total Holovequantity χ ( E : A, B ) is χ ( E : AB ) = 12 [ χ z ( E : AB ) + χ x ( E : AB )] . (19)Fig. 3 shows the simulation result of the dependence of the total Holove quantity χ ( E : AB ) on α . We can see that when the value of α is an integer multiple of π χ ( E : AB )takes the maximum value 2 p e . When the value of α is 0, | E , i and | E , i are located in8 IG. 3. Dependence of the Holove quantity χ ( E ; AB ) on α . When α is an integer multiple of π χ ( E ; AB ) takes the maximun value 2 p e . the direction of | E p i and | E q i , the amplitudes of | E , i and | E , i are both 0, the BER in Z -base is 0, the maximum information Eve can obtain on Z basis is 4 p e . However, for X basis, | E + , + i and | E − , − i are both in the direction of | E p i + | E p i , | E + , − i and | E − , + i are in thedirection of | E p i − | E p i , regardless of what quantum state Alice sends, Eve stores the samemixed state, the BER in X -base is 2 p e . In this case, the amount of information Eve canobtain is 0. When the value of α is π X -base and Z -base under collectiveattack is completely opposite. In order to balance the BERs on X -and Z -bases, Eve wouldbe better off doing the following collective attack operation ρ ABE = 12
T ρ φ ρ E T + + 12 T Hρ φ ρ E H + T + , (20)where ρ E = | E i h E | is the state controlled by Eve and ρ φ = | φ i h φ | is the state sent by Alice, H is a Hadamard operator, which is used to exchange X and Z bases.The collective attack scheme derived from BB84 protocol can also be applied to MDI-QKD. In MDI-QKD, as shown in Fig. 4, Alice and Bob randomly prepare quantum statesaccording to two sets of MUBs agreed beforehand and send them along two identical opticalfibers to the third party, Charlie, for Bell-state measurement (BSM). The BERs on the twochannels are p ( e A ) and p ( e B ), respectively. For symmetric MDI-QKD, the BER satisfies p ( e A ) ≈ p ( e B ). When the value of BER is small enough, the total BER p ( e ) of the system isapproximately p ( e A ) + p ( e B ). Eve can execute collective attacks on two channels separately,and the total amount of information obtained is r ≤ p ( e A ) + p ( e B )). In MDI-QKD, Eve9 IG. 4. Schematic illustration of Eve’s collective attack performed on MDI-QKD. Alice and Bobrandomly prepare their states according to the pre-agreed two MUBs, then send them throught twoidentical fibers to the third party, Charlie, for BSM. The BER p ( e A ), p ( e B ) in the two channels areidentical. Eve implements collective attack on the two states with two auxiliary bits, the quantumoperations operated on the two channels are strongly correlated. could execute the following collective attack operation ρ ABE = 12
T ρ AB ρ E T + + 12 T Hρ AB ρ E H + T + , (21)where T = T A T B is the joint weak measurement operator on channels A and B , H = H A H B is the joint Hadamard operator on states sent by Alice and Bob. In order to obtain theinformation definitely, the weak measurements T A and T B on both sides need to satisfy thecondition α A = α B , where α is the angle shown in Fig. 2. III. COLLECTIVE ATTACK IN ENTANGLED QKD PROTOCOLS
Entangled QKD protocols, such as DI-QKD[28], single-photon entanglement basedphase-matching-QKD[32], and non-entangled QKD protocols, such as BB84-QKD[33], MDI-QKD[21] and twin-field (TF)-QKD[34], have many inherent links. Both of these two kindsof QKD protocols need to select two MUBs to prepare quantum states. The final sharedkey is extracted after announcing the selected base through a trusted public channel. Thesecurity proof of non-entangled QKD protocol sometimes uses the method of entanglementdistillation[2]. The time reversal relationship between MDI-QKD and DI-QKD is satisfied.Therefore, we have reason to believe that there are similarities between collective attacks innon-entangled QKD protocol and those in entangled QKD protocol. Whether in Fock-space10
IG. 5. Schematic illustration of Eve’s collective attack on DI-QKD. The third party, Charlie,prepares a Bell state and sends the two parts through two identical channels to Alice and Bob.Eve implements collective attack on the two entangled state with two auxiliary bits. based MDI-QKD or wave-space entanglement-based DI-QKD, BSM is an effective methodto close the detection loopholes. However, in the conventional QKD protocol based ontwo-photon entanglement, detection loopholes is one of the main factors limiting its prac-ticability. Because the collective attack is a channel attack scheme, we temporarily ignorethe information leak caused by the detection-side loopholes.Fig. 5 shows a brief experimental schematic of DI-QKD. The third party, Charlie, whocontrols the entanglement resources, sends the two parts of the entanglement to Alice andBob respectively over two identical channels. Since a Bell state is symmetrical or anti-symmetrical in conjugate spaces, Alice and Bob can select two sets of MUBs (or conjugatemeasurement bases) to measure the quantum states they receive. After announcing themeasurement basis publicly, they randomly select some measurement data to constructBell-inequality to infer the degree of entanglement and BER of the system. Like the non-entangled QKD protocol, the bit error rate of the system is Eve’s operating space for col-lective attacks.Suppose that in an entangled QKD protocol, a third party, Charlie, prepares the Bellstate (cid:12)(cid:12) Φ + AB (cid:11) Z = √ [ | i A | i B + | i A | i B ]. Alice and Bob choose measurement operators σ Z and σ X in Z basis and √ ( σ Z + σ X ) and √ ( σ Z − σ X ) in X basis. Eve attaches his state | E A i | E B i to each of the Bell state (cid:12)(cid:12) Φ + AB (cid:11) independently, then performs a weak measurementoperation on the joint state to entangle his state with the joint system of Alice and Bob.11n a worse case, Charlie is Eve’s puppet, and Eve can instruct Charlie to prepare three-body quantum states as he wishes. These two versions of collective attack are equivalent.In collective attack scheme, Eve’s controllable range includes the light source and the twochannels, while Alice and Bob’s detection sides are isolated from Eve. Alice and Bob extractthe key on Z -basis and Z -basis from the same Bell state, the transformation relations ofBell states in X and Z bases can be expressed as follows (cid:12)(cid:12) Φ + AB (cid:11) Z = (cid:12)(cid:12) Φ + AB (cid:11) X , (cid:12)(cid:12) Φ − AB (cid:11) Z = (cid:12)(cid:12) Ψ + AB (cid:11) X , (cid:12)(cid:12) Ψ + AB (cid:11) Z = (cid:12)(cid:12) Φ − AB (cid:11) X , (cid:12)(cid:12) Ψ − AB (cid:11) Z = − (cid:12)(cid:12) Ψ + AB (cid:11) X . (22)By substituting Eqs. (5) and (8) into triplet state (cid:12)(cid:12) Φ + AB (cid:11) Z , we obtain collective attacks onentangled QKD under Z - and X -base representations T AB (cid:12)(cid:12) Φ + AB (cid:11) Z | E A i | E B i = √
22 [ | E i AB | i A | i B + | E i AB | i A | i B + | E i AB | i A | i B + | E i AB | i A | i B ] ,T AB (cid:12)(cid:12) Φ + AB (cid:11) X | E A i | E B i = √
22 [ | E ++ i AB | + i A | + i B + | E −− i AB |−i A |−i B + | E + − i AB | + i A |−i B + | E − + i AB |−i A | + i B ] , (23)where the states in Eve’s hands have the following expressions | E i AB = a | E p i A | E p i B + b | E q i A | E q i B , | E i AB = b | E p i A | E p i B + a | E q i A | E q i B , | E i AB = | E i AB = ab (cid:0) | E p i A | E p i B − | E q i A | E q i B (cid:1) , | E ++ i AB = 12 (cid:0) ( a + b ) | E p i A | E p i B + ( a − b ) | E q i A | E q i B (cid:1) , | E + − i AB = 12 (cid:0) ( a − b ) | E p i A | E p i B + ( a + b ) | E q i A | E q i B (cid:1) , | E − + i AB = | E −− i AB = 12 (cid:0) a − b (cid:1) (cid:0) | E p i A | E p i B − | E q i A | E q i B (cid:1) . (24)From Eqs. (24) we can see that the quantum states in Eve’s hands in Z and X basesare the same as those in Eve’s hands, in Eqs. (6) and (9), under collective attack in non-entangled QKD. | E i AB , | E i AB and | E i AB are symmetrically located on each side of | E p i A | E p i B + | E q i A | E q i B , | E i AB , | E i AB and | E + − i AB , | E − + i AB are in the direction of | E p i A | E p i B −| E q i A | E q i B . Thus the same quantum USD measurements for collective attackscan be applied here. Just like the collective attack scheme in BB84 protocol, Eve can stealthe maximum amount of information when α is an integer multiple of π (cid:12)(cid:12) Φ + AB (cid:11) Z using a joint operator consisting of a weak measurementoperator and a reverse rotation operator for α = 0, T AB (cid:12)(cid:12) Φ + AB (cid:11) Z | E A i | E B i = √
22 [ | i A | i B | E i A | E i B + | i A | i B | E i A | E i B ] . (25)As both (cid:12)(cid:12) E (cid:11) A and (cid:12)(cid:12) E (cid:11) B are in Eve’s hand, it will be of Eve’s convenience to set thejoint state | E i A | E i B to | E i , and the joint state | E i A | E i B to | E i . As in Fig. 1, wechoose two orthogonal directions | E p i + | E q i and | E p i + | E q i according to | E p i and | E q i ,here we construct a pair of normalized orthogonal bases | E ⊥ i and (cid:12)(cid:12) E k (cid:11) | E ⊥ i = 1 p h E | E i ) [ | E i + | E i ] , (cid:12)(cid:12) E k (cid:11) = 1 p − h E | E i ) [ | E i − | E i ] . (26)So by substituting Eqs. (26) into Eqs. (25), we get the three-body joint state | Ψ ABE i = √
22 [ | i A | i B | E i + | i A | i B | E i ]= √ hp h E | E i | E ⊥ i (cid:12)(cid:12) Φ + AB (cid:11) Z + p − h E | E i (cid:12)(cid:12) E k (cid:11) (cid:12)(cid:12) Φ − AB (cid:11) Z i . (27)Therefore, according to Eqs. (25, 26, 27), we can see that when Alice and Bob measurein Z basis, the BER of the system is 0, and the maximum amount of information that Evecan obtain based on quantum USD measurement is 1 − h E | E i . While in X basis, whatAlice and Bob receive is the mixed state ρ AB = 1 + h E | E i (cid:12)(cid:12) Φ + AB (cid:11) X (cid:10) Φ + AB (cid:12)(cid:12) + 1 − h E | E i (cid:12)(cid:12) Ψ + AB (cid:11) X (cid:10) Ψ + AB (cid:12)(cid:12) . (28)In this case, the state of Eve and the joint state of Alice and Bob will be disentangled, Evewill not steal any information, and the BER measured in X basis is 1 − h E | E i Z basis and half on the X basis, thenthe total BER of the system is p e = 1 − h E | E i X and Z bases,Eve can perform the following collective attack ρ ABE = 12 (cid:2) T AB (cid:12)(cid:12) Φ + AB (cid:11) Z (cid:10) Φ + AB (cid:12)(cid:12) T + AB + H AB T AB (cid:12)(cid:12) Φ + AB (cid:11) Z (cid:10) Φ + AB (cid:12)(cid:12) T + AB H + AB (cid:3) , (29)where H AB is the joint Hadamard operator used to exchange X and Z bases. It should benoted here that because operators T AB and H AB do not commute, Eve should first performthe weak measurement operation T AB and then carry out the joint Hadamard transform H AB X -base. Just like the non-entangled QKD protocol,the maximum amount of information that Eve can steal by collective attack on the entangledQKD protocol is 2 p e .Finally, we compare the system key rate and the maximum tolerable BER obtainedby security proof based on entanglement purification and security proof against collectiveattacks in the non-entangled QKD and entangled QKD. The secrete key rate of a QKD islower bounded by r ≥ I ( A ; B ) − χ ( E ; AB ) , (30)where I ( A ; B ) = 1 − H ( p e ) is the mutual information between Alice and Bob, the con-straints of the system’s tolerable BER is r >
0. In this discussion, we temporarily ignoreall detection loopholes and the impact of post-processing. In entanglement purification pro-tocol, the Holove quantity χ ( E ; AB ) between Eve and Alice and Bob in a non-entangledQKD, like BB84- and MDI-QKD, is H ( p e )[1, 2], the maximum tolerable BER is 11%. Whilein collective attack scheme, we demonstrate that the maximum value of χ ( E ; AB ). Whenthe BER is less than 0 .
5, we have H ( p e ) > p e , which means that Eve can actually stealless information. The maximum tolerable BER in the security proof against collective at-tack increases to 17%. In entangled QKDs, Eve’s eavesdropping is monitored by testing theviolation of Bell’s inequality. Under the collective attack like Eqs. (29), the Bell functionsatisfies S = 2 √ − p e ). Quantum non-localized correlation between Alice and Bob re-quires S >
2. The maximum tolerable BER in a entangled QKD based on the security proofagainst collective attack is 14 . IV. CONCLUSION
In this paper, we deduce the maximum amount of information Eve can steal throughcollective attacks for different QKD protocols. We find that in different QKD protocols,including non-entangled and entangled QKDs, Eve’s collective attacks scheme based onquantum weak measurement are equivalent. Among these attacks, the maximum amount ofinformation Eve can steal is 2 p e . This proof not only enhances the maximum bit error ratetolerated by the system, but also enhances the maximum key rate that can be extracted.14his work not only gives a clear lower bound for the key rate of security proof against allcollective-attacks, but also helps us to have a more comprehensive and deeper understandingof collective attacks in different kinds of QKDs. ACKNOWLEDGMENTS
This work is supported by Young fund of Jiangsu Natural Science Foundation of China(SJ216025), National fund incubation project (NY217024), the National Natural ScienceFoundation of China (No. 61871234), Scientific Research Foundation of Nanjing Universityof Posts and Telecommunications (NY215034), the open subject of National Laboratory ofSolid State Microstructures of Nanjing University (M31021). [1] H.-K. Lo and H. F. Chau, science , 2050 (1999).[2] P. W. Shor and J. Preskill, Physical review letters , 441 (2000).[3] D. Mayers, Journal of the ACM (JACM) , 351 (2001).[4] D. Gottesman, H.-K. Lo, N. Lutkenhaus, and J. Preskill, in International Symposium onIn-formation Theory, 2004. ISIT 2004. Proceedings. (IEEE, 2004) p. 136.[5] S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund,T. Gehring, C. Lupo, C. Ottaviani, et al. , arXiv: Quantum Physics (2019).[6] F. Xu, B. Qi, and H. Lo, New Journal of Physics , 113026 (2010).[7] Y. Tang, H. Yin, X. Ma, C. F. Fung, Y. Liu, H. Yong, T. Chen, C. Peng, Z. Chen, andJ. Pan, Physical Review A (2013).[8] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, Physical Review A , 022320(2006).[9] N. Jain, E. Anisimova, I. Khan, V. Makarov, C. Marquardt, and G. Leuchs, New Journal ofPhysics , 123030 (2014).[10] G. Brassard, N. Lutkenhaus, T. Mor, and B. C. Sanders, Physical Review Letters , 1330(2000).[11] N. Lutkenhaus, Physical Review A , 052304 (2000).[12] N. Lutkenhaus, Physical Review A , 3301 (1999).
13] I. Gerhardt, Q. Liu, A. Lamaslinares, J. Skaar, C. Kurtsiefer, and V. Makarov, NatureCommunications , 349 (2011).[14] V. Makarov, A. Anisimov, and J. Skaar, Physical Review A , 022313 (2006).[15] B. Qi, C. F. Fung, H. Lo, and X. Ma, Quantum Information & Computation , 73 (2007).[16] L. Lydersen, M. K. Akhlaghi, A. H. Majedi, J. Skaar, and V. Makarov, New Journal ofPhysics , 113042 (2011).[17] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, Nature Photonics , 686 (2010).[18] W. Hwang, Physical Review Letters , 057901 (2003).[19] X. Wang, Physical Review Letters , 230503 (2005).[20] H. Lo, X. Ma, and K. Chen, Physical Review Letters , 230504 (2005).[21] H. Lo, M. Curty, and B. Qi, Physical Review Letters , 130503 (2012).[22] K. Tamaki, H. Lo, C. F. Fung, and B. Qi, Physical Review A (2012).[23] X. Ma and M. Razavi, Physical Review A (2012).[24] S. L. Braunstein and S. Pirandola, Physical Review Letters , 130502 (2012).[25] X. Ma, P. Zeng, and H. Zhou, Physical Review X (2018).[26] E. Biham and T. Mor, Physical Review Letters , 2256 (1997).[27] E. Biham, M. Boyer, G. Brassard, J. V. De Graaf, and T. Mor, Algorithmica , 372 (2002).[28] A. Acin, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, Physical Review Letters , 230501 (2007).[29] D. Dieks, Physics Letters A , 303 (1988).[30] I. D. Ivanovic, Physics Letters A , 257 (1987).[31] G. Jaeger and A. Shimony, Physics Letters A , 83 (1995).[32] W. Li, L. Wang, and S. Zhao, arXiv: Quantum Physics (2019).[33] C. H. Bennett and G. Brassard, Theoretical Computer Science (2011).[34] M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields, Nature , 400 (2018)., 400 (2018).