Security Against Collective Attacks of a Modified BB84 QKD Protocol with Information only in One Basis
Michel Boyer, Rotem Liss, Tal Mor

TL;DR
This paper proves that a modified BB84 quantum key distribution protocol, which sends information only in one basis and tests in both, maintains security against collective attacks, with some trade-offs in testing bits.
Contribution
It demonstrates the security of a modified BB84 protocol against collective attacks without classical information-theoretical analysis, improving understanding of protocol robustness.
Findings
The modified protocol is as secure as the original BB84 against collective attacks.
It requires more bits for testing than the original protocol.
The security proof avoids classical information-theoretical issues with composability.
Abstract
The Quantum Key Distribution (QKD) protocol BB84 has been proven secure against several important types of attacks: the collective attacks and the joint attacks. Here we analyze the security of a modified BB84 protocol, for which information is sent only in the z basis while testing is done in both the z and the x bases, against collective attacks. The proof follows the framework of a previous paper (Boyer, Gelles, and Mor, 2009), but it avoids the classical information-theoretical analysis that caused problems with composability. We show that this modified BB84 protocol is as secure against collective attacks as the original BB84 protocol, and that it requires more bits for testing.
Michel Boyer (Département IRO, Université de Montréal, Montréal (Québec) H3C 3J7, Canada)
Rotem Liss and Tal Mor (Computer Science Department, Technion, Haifa 3200003, Israel)
I Introduction
Quantum Key Distribution (QKD) protocols take advantage of the laws of quantum mechanics, and most of them can be proven secure even against powerful adversaries limited only by the laws of physics. The two parties (Alice and Bob) want to create a shared random key, using an insecure quantum channel and an unjammable classical channel (to which the adversary may listen, but not interfere). The adversary (eavesdropper), Eve, tries to get as much information as she can on the final shared key. The first and most important QKD protocol is BB84 (Bennett and Brassard (1984)).
Boyer, Gelles, and Mor (Boyer et al. (2009)) discussed the security of the BB84 protocol against collective attacks. Collective attacks (Biham and Mor (1997a, b); Biham et al. (2002)) are a subclass of the joint attacks; joint attacks are the most powerful theoretical attacks. Boyer et al. (2009) improved the security proof of Biham, Boyer, Brassard, van de Graaf, and Mor (Biham et al. (2002)) against collective attacks, by using some techniques of Biham, Boyer, Boykin, Mor, and Roychowdhury (Biham et al. (2006), which proved security against joint attacks). In this paper, too, we restrict the analysis to collective attacks, because security against collective attacks is conjectured (and, in some security notions, proved Renner (2008); Christandl et al. (2009)) to imply security against joint attacks. In addition, proving security against collective attacks is much simpler than proving security against joint attacks.
In many QKD protocols, including BB84, Alice and Bob exchange several types of bits (encoded as quantum systems, usually qubits): INFO bits, that are secret bits shared by Alice and Bob and are used for generating the final key (via classical processes of error correction and privacy amplification); and TEST bits, that are publicly exposed by Alice and Bob (by using the classical channel) and are used for estimating the error rate. In BB84, each bit is sent from Alice to Bob in a random basis (the basis or the basis).
In this paper, we extend the analysis of BB84 done in Boyer et al. (2009) and prove the security of a QKD protocol we shall name BB84-INFO-. This protocol is almost identical to BB84, except that all its INFO bits are in the basis. In other words, the basis is used only for testing. The bits are thus partitioned into three disjoint sets: INFO, TEST-Z, and TEST-X. The sizes of these sets are arbitrary ( INFO bits, TEST-Z bits, and TEST-X bits).
We note that, while this paper follows a line of research that mainly discusses a specific approach of security proof for BB84 and similar protocols (this approach, notably, considers finite-key effects and not only the asymptotic error rate), many other approaches have also been suggested: see for example Mayers (2001); Shor and Preskill (2000); Renner (2008); Renner et al. (2005).
In contrast to the line of research adopted here (of Biham and Mor (1997a, b); Biham et al. (2002, 2006); Boyer et al. (2009)), in which a classical information-theoretical analysis caused problems with composability (see definition in Renner (2008)), in this paper we suggest a method to avoid those problems: we calculate the trace distance between any two density matrices Eve may hold, instead of calculating the classical mutual information between Eve and the final key (as done in those previous papers). This method is implemented in this paper for the proof of BB84-INFO-; it also directly applies to the BB84 security proof in Boyer et al. (2009), and it may be extended in the future to show that the BB84 security proofs of Boyer et al. (2009), Biham et al. (2002), and Biham et al. (2006) prove the composable security of BB84.
The “qubit space”, , is a -dimensional Hilbert space. The states form an orthonormal basis of , called “the computational basis” or “the basis”. The states and form another orthonormal basis of , called “the basis”. Those two bases are said to be conjugate bases.
In this paper, bit strings of some length are denoted by a bold letter (e.g., with ) and are identified to elements of the -dimensional -vector space , where and the addition of two vectors corresponds to a XOR operation. The number of -bits in a bit string is denoted by , and the Hamming distance between two strings and is .
II Formal Description of the BB84-INFO- Protocol
Below we describe the BB84-INFO- protocol used in this paper.
1. Alice and Bob pre-agree on numbers , , and (we denote ), on error thresholds and , on a linear error-correcting code with an parity check matrix , and on a linear key-generation function (privacy amplification) represented by an matrix . It is required that all the rows of the matrices and put together are linearly independent.
2. Alice randomly chooses a partition of the bits by randomly choosing three -bit strings that satisfy , and . thus partitions the set of indexes into three disjoint sets:
   - (INFO bits, where ) of size ;
   - (TEST-Z bits, where ) of size ; and
   - (TEST-X bits, where ) of size .
3. Alice randomly chooses an -bit string , and sends the qubit states , one after the other, to Bob using the quantum channel. Notice that the INFO and TEST-Z bits are encoded in the basis, while the TEST-X bits are encoded in the basis. Bob keeps each received qubit in quantum memory, not measuring it yet. (Here we assume that Bob has a quantum memory and can delay his measurement. In practical implementations, Bob usually cannot do that, but is assumed to measure in a randomly-chosen basis ( or ), so that Alice and Bob later discard the qubits measured in the wrong basis. We assume that Alice sends more than qubits, so that qubits are finally detected by Bob and measured in the correct basis.)
4. Alice publicly sends to Bob the string . Bob measures each saved qubit in the correct basis (namely, if then he measures the -th qubit in the basis, and if then he measures it in the basis). The bit string measured by Bob is denoted by . If there is no noise and no eavesdropping, then .
5. Alice publicly sends to Bob the string . The INFO bits, used for generating the final key, are the bits with , while the TEST-Z and TEST-X bits are the bits with . The substrings of that correspond to the INFO bits are denoted by and .
6. Alice and Bob both publish their values of all the TEST-Z and TEST-X bits, and compare the bit values. If more than of the TEST-Z bits are different between Alice and Bob or more than of the TEST-X bits are different between them, they abort the protocol. We note that and (the pre-agreed error thresholds) are the maximal allowed error rates on the TEST-Z and TEST-X bits, respectively – namely, in each basis ( and ) separately.
7. Alice and Bob keep the values of the remaining bits (the INFO bits, with ) secret. The bit string of Alice is denoted , and the bit string of Bob is denoted .
8. Alice sends to Bob the -bit string , that is called the syndrome of (with respect to the error-correcting code and to its corresponding parity check matrix ). By using , Bob corrects the errors in his string (so that it is the same as ).
9. Alice and Bob compute the -bit final key .
The protocol is defined similarly to BB84 (and to its description in Boyer et al. (2009)), except that it uses the generalized bit numbers , , and (numbers of INFO, TEST-Z, and TEST-X bits, respectively); that it uses the partition for dividing the -bit string into three disjoint sets of indexes (, , and ); and that it uses two separate thresholds ( and ) instead of one ().
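As an added illustration of steps 1 to 9 above (this is not code from the paper), the following Python program runs the classical bookkeeping of the protocol of Section II with a constructed stand-in for the quantum channel: instead of qubits and an eavesdropper, a set of positions at which Bob's measured bit is assumed to differ from Alice's is supplied directly. All parameters are assumptions chosen for the example: n = 7 INFO bits protected by the [7,4] Hamming code, whose parity-check matrix is named P_C here; n_z = n_x = 8 test bits; thresholds p_{a,z} = p_{a,x} = 0.25; and a 2 × 7 privacy-amplification matrix named P_K. The function gf2_rank checks the linear-independence requirement of step 1, and the two test sets are compared against their own thresholds as in step 6.

```python
import random

# Constructed parameters (assumptions, not taken from the paper): n = 7 INFO bits,
# n_z = n_x = 8 test bits, thresholds p_{a,z} = p_{a,x} = 0.25.
N_INFO, N_TEST_Z, N_TEST_X = 7, 8, 8
P_A_Z, P_A_X = 0.25, 0.25
# Parity-check matrix of the [7,4] Hamming code (corrects one error): column j
# holds the binary digits of j, so the syndrome of a single flip names its position.
P_C = [[1, 0, 1, 0, 1, 0, 1],
       [0, 1, 1, 0, 0, 1, 1],
       [0, 0, 0, 1, 1, 1, 1]]
# Privacy-amplification matrix producing a 2-bit final key (chosen for the example).
P_K = [[1, 0, 0, 0, 0, 0, 0],
       [0, 1, 0, 0, 0, 0, 0]]


def gf2_rank(rows):
    """Rank of a list of 0/1 rows over GF(2), by elimination on integer bitmasks."""
    pivots = {}  # highest set bit -> the vector that owns that pivot
    for row in rows:
        v = int("".join(map(str, row)), 2)
        while v:
            h = v.bit_length() - 1
            if h not in pivots:
                pivots[h] = v
                break
            v ^= pivots[h]
    return len(pivots)


def mat_vec(matrix, vec):
    """Matrix-vector product over GF(2) (XOR of the selected bits of vec)."""
    return [sum(a & b for a, b in zip(row, vec)) & 1 for row in matrix]


def run_protocol(seed, flips=frozenset()):
    """One run of the classical part of the protocol. `flips` (constructed input)
    lists the positions j at which Bob's measured bit differs from Alice's bit."""
    rng = random.Random(seed)
    n_total = N_INFO + N_TEST_Z + N_TEST_X
    # Step 1: the rows of P_C and P_K put together must be linearly independent.
    assert gf2_rank(P_C + P_K) == len(P_C) + len(P_K)
    # Step 2: random partition into the INFO, TEST-Z and TEST-X index sets.
    order = list(range(n_total))
    rng.shuffle(order)
    info = order[:N_INFO]
    test_z = order[N_INFO:N_INFO + N_TEST_Z]
    test_x = order[N_INFO + N_TEST_Z:]
    # s marks the INFO positions; b marks the positions encoded in the x basis (TEST-X).
    s = [1 if j in info else 0 for j in range(n_total)]
    b = [1 if j in test_x else 0 for j in range(n_total)]
    # Step 3: Alice's random bit string; the quantum channel is replaced by `flips`.
    i_alice = [rng.randrange(2) for _ in range(n_total)]
    i_bob = [bit ^ (1 if j in flips else 0) for j, bit in enumerate(i_alice)]
    # Steps 4-6: after b and s are published, the two test sets are compared
    # separately, each against its own threshold.
    err_z = sum(i_alice[j] != i_bob[j] for j in test_z)
    err_x = sum(i_alice[j] != i_bob[j] for j in test_x)
    if err_z > P_A_Z * N_TEST_Z or err_x > P_A_X * N_TEST_X:
        return {"aborted": True, "err_z": err_z, "err_x": err_x}
    # Step 7: the INFO substrings of Alice and of Bob stay secret.
    x = [i_alice[j] for j in info]
    x_bob = [i_bob[j] for j in info]
    # Step 8: Alice publishes the syndrome P_C x; Bob computes the syndrome of his
    # own string, and the XOR of the two is the syndrome of the error string.
    xi = mat_vec(P_C, x)
    err_syndrome = [a ^ c for a, c in zip(xi, mat_vec(P_C, x_bob))]
    pos = err_syndrome[0] + 2 * err_syndrome[1] + 4 * err_syndrome[2]
    if pos:  # a single INFO error is corrected; 0 means no error detected
        x_bob[pos - 1] ^= 1
    # Step 9: both sides compute the final key P_K x.
    return {"aborted": False, "err_z": err_z, "err_x": err_x, "s": s, "b": b,
            "key_alice": mat_vec(P_K, x), "key_bob": mat_vec(P_K, x_bob)}


if __name__ == "__main__":
    print(run_protocol(seed=1, flips={5}))
```

With these parameters a single flipped position never causes an abort (one error is below both thresholds) and is corrected by the syndrome whenever it lands on an INFO bit, so Alice's and Bob's keys agree; flipping every position makes both test sets fail and the run aborts before any key is formed.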
III Security Proof of BB84-INFO- Against Collective Attacks
III.1 Results from Boyer et al. (2009)
The security proof of BB84-INFO- against collective attacks is very similar to the security proof of BB84 itself against collective attacks, which was detailed in Boyer et al. (2009). Most parts of the proof are not affected at all by the changes made to BB84 to get the BB84-INFO- protocol (changes detailed in Section II of the current paper), because those parts assume fixed strings and , and because the attack is collective (so the analysis is restricted to the INFO bits).
Therefore, the reader is referred to the proof in Section 2 and Subsections 3.1 to 3.5 of Boyer et al. (2009), that applies to BB84-INFO- without any changes (except changing the total number of bits, , to , which does not affect the proof at all), and that will not be repeated here.
We denote the rows of the error-correction parity check matrix as the vectors in , and the rows of the privacy amplification matrix as the vectors . We also define, for every , ; and we define
[TABLE]
For a -bit final key , we define to be the state of Eve corresponding to the final key , given that she knows . Thus,
[TABLE]
where is Eve’s state after the attack, given that Alice sent the INFO bits encoded in the bases . We also defined in Boyer et al. (2009) the state , that is a lift-up of (which means that is a partial trace of ).
In the end of Subsection 3.5 of Boyer et al. (2009), it was found that (in the case of a -bit final key, i.e., )
[TABLE]
where is the random variable corresponding to the -bit string of errors on the INFO bits; is the random variable corresponding to the -bit string of bases of the INFO bits; is the bit-flipped string of ; and (and, in general, ) was defined above.
Now, according to (Nielsen and Chuang, 2010, Theorem 9.2 and page 407), and using the fact that is a partial trace of , we find that . From this result and from inequality (3) we deduce that
[TABLE]
III.2 Bounding the Differences Between Eve’s States
We define : namely, is the XOR of the -bit string sent by Alice and of the -bit string measured by Bob. For each index , if and only if Bob’s -th bit value is different from the -th bit sent by Alice. The partition divides the bits into INFO bits, TEST-Z bits, and TEST-X bits. The corresponding substrings of the error string are (the string of errors on the INFO bits), (the string of errors on the TEST-Z bits), and (the string of errors on the TEST-X bits). The random variables that correspond to , , and are denoted by , , and , respectively.
We define to be the random variable corresponding to the string of errors on the INFO bits if Alice had encoded and sent the INFO bits in the basis (instead of the basis dictated by the protocol). In those notations, inequality (4) reads as
[TABLE]
using the fact that Eve’s attack is collective, so the qubits are attacked independently, and, therefore, the errors on the INFO bits are independent of the errors on the TEST-Z and TEST-X bits (namely, of and ).
As described in Boyer et al. (2009), inequality (5) was not derived for the actual attack applied by Eve, but for a virtual flat attack (that depends on and therefore could not have been applied by Eve). That flat attack gives the same states and as the original attack , and gives a lower (or the same) error rate in the conjugate basis. Therefore, inequality (5) also holds for the original attack . This means that, from now on, all our results apply to the original attack and not the flat attack.
So far, we have discussed a -bit key. We will now discuss a general -bit key . We define to be the state of Eve corresponding to the final key , given that she knows :
[TABLE]
Proposition 1.
For any two -bit keys ,
[TABLE]
Proof.
We define the key , for , to consist of the first bits of and the last bits of . This means that , , and differs from at most on a single bit (the -th bit).
First, we find a bound on : since differs from at most on a single bit (the -th bit, given by the formula ), we can use the same proof that gave us inequality (5), attaching the other (identical) key bits to of the original proof; and we find that:
[TABLE]
where we define as , and .
Now we notice that is the Hamming distance between and some vector in , which means that with and . The properties of Hamming distance assure us that is at least for some . Therefore, we find that .
The result implies that if then . Therefore, inequality (8) implies
[TABLE]
Now we use the triangle inequality for norms to find
[TABLE]
∎
The value we want to bound is the expected value of the difference between two states of Eve corresponding to two final keys. However, we should take into account that if the test fails, no final key is generated, and the difference between all of Eve’s states becomes [math] for any purpose. We thus define the random variable for any two final keys :
[TABLE]
We need to bound the expected value , that is given by:
[TABLE]
Theorem 2.
[TABLE]
where is the random variable corresponding to the error rate on the INFO bits if they had been encoded in the basis, is the random variable corresponding to the error rate on the TEST-Z bits, and is the random variable corresponding to the error rate on the TEST-X bits.
Proof.
We use the convexity of , namely, the fact that for all satisfying and , it holds that . We find that:
[TABLE]
∎
III.3 Proof of Security
Following Boyer et al. (2009) and Biham et al. (2006), we choose matrices and such that the inequality is satisfied for some (we will explain in Subsection III.5 why this is possible). This means that
[TABLE]
We will now prove the right-hand-side of (III.3) to be exponentially small in .
As said earlier, the random variable corresponds to the bit string of errors on the INFO bits if they had been encoded in the basis. The TEST-X bits are also encoded in the basis, and the random variable corresponds to the bit string of errors on those bits. Therefore, we can treat the selection of the INFO bits and of the TEST-X bits as a random sampling (after the numbers , , and and the TEST-Z bits have all already been chosen), and use Hoeffding’s theorem (that is described in Appendix A of Boyer et al. (2009)).
Therefore, for each bit string that consists of the errors in the INFO and TEST-X bits if the INFO bits had been encoded in the basis, we apply Hoeffding’s theorem: namely, we take a sample of size without replacement from the population (this corresponds to the random selection of the INFO bits and the TEST-X bits, as defined above, given that the TEST-Z bits have already been chosen). Let be the average of the sample (this is exactly the error rate on the INFO bits, assuming, again, that the INFO bits had been encoded in the basis); and let be the expectation of (this is exactly the error rate on the INFO bits and TEST-X bits together). Then is equivalent to , and, therefore, to . This means that the conditions and can be rewritten as
[TABLE]
which implies , which is equivalent to . Using Hoeffding’s theorem (from Appendix A of Boyer et al. (2009)), we get:
[TABLE]
In the above discussion, we have actually proved the following Theorem:
Theorem 3.
Let us be given , , and, for infinitely many values of , a family of linearly independent vectors in such that and . Then for any and such that , and for any and two -bit final keys , Eve’s difference between her states corresponding to and satisfies the following bound:
[TABLE]
In Subsection III.5 we explain why this Theorem guarantees security.
We note that the quantity bounds the expected values of the Shannon Distinguishability and of the mutual information between Eve and the final key, as done in Boyer et al. (2009) and Biham et al. (2006), which is sufficient for proving non-composable security; but it also avoids composability problems: Eve is not required to measure immediately after the protocol ends, but she is allowed to wait until she gets more information; and equation (17) bounds the trace distance between any two of Eve’s possible states.
III.4 Reliability
Security itself is not sufficient; we also need the key to be reliable (namely, to be the same for Alice and Bob). This means that we should make sure that the number of errors on the INFO bits is less than the maximal number of errors that can be corrected by the error-correcting code. We demand that our error-correcting code can correct errors. Therefore (recalling that corresponds to the actual bit string of errors on the INFO bits in the protocol, when they are encoded in the basis), reliability of the final key with exponentially small probability of failure is guaranteed by the following inequality:
[TABLE]
This inequality is proved by an argument similar to the one used in Subsection III.3: the selection of the INFO bits and TEST-Z bits is a random partition of bits into two subsets of sizes and , respectively (assuming that the TEST-X bits have already been chosen), and thus it corresponds to Hoeffding’s sampling.
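The sampling argument of Subsections III.3 and III.4 can be checked numerically even though the bound's exact form is not reproduced on this page. For a fixed error string on the n + n_x INFO and TEST-X positions, the random choice of which n positions are INFO is a draw without replacement, so the number of errors landing on the INFO bits is hypergeometric and the probability of the event the proof bounds (INFO error rate at least p_{a,x} + ε while the TEST-X error rate is at most p_{a,x}) can be computed exactly and compared with Hoeffding's bound exp(-2 n t²) on P(sample mean - population mean ≥ t). The reduction of the two-rate condition to a single deviation is my own working, not an equation from the paper: writing r for the INFO rate and q for the TEST-X rate, the population mean is μ = (n r + n_x q)/(n + n_x), so r - μ = (n_x/(n + n_x))(r - q) ≥ ε n_x/(n + n_x). The example below is added here, is not the paper's code, and uses constructed numerical parameters; it needs only the Python standard library.

```python
from math import comb, exp


def hypergeom_pmf(population, marked, sample, k):
    """P(a sample of `sample` positions drawn without replacement from `population`
    positions, `marked` of which carry errors, contains exactly k errors)."""
    if k < 0 or k > sample or k > marked or sample - k > population - marked:
        return 0.0
    return comb(marked, k) * comb(population - marked, sample - k) / comb(population, sample)


def exact_tail(population, marked, sample, t):
    """Exact P(X/sample - marked/population >= t), X = errors in the sample."""
    mu = marked / population
    return sum(hypergeom_pmf(population, marked, sample, k)
               for k in range(sample + 1) if k / sample - mu >= t - 1e-12)


def hoeffding_bound(sample, t):
    """Hoeffding's bound exp(-2 n t^2) on the probability that the mean of n draws
    without replacement exceeds the population mean by at least t."""
    return exp(-2 * sample * t * t)


def bad_event_prob(n, n_x, marked, p, eps):
    """Exact probability, over the random choice of which n of the n + n_x
    INFO/TEST-X positions are INFO, that the INFO error rate is >= p + eps while
    the TEST-X error rate is <= p. `marked` errors lie among the n + n_x positions
    (constructed population error string)."""
    total = 0.0
    for k in range(n + 1):  # k errors fall on INFO, marked - k on TEST-X
        if k > marked or marked - k > n_x:
            continue
        if k / n >= p + eps - 1e-12 and (marked - k) / n_x <= p + 1e-12:
            total += hypergeom_pmf(n + n_x, marked, n, k)
    return total


def bad_event_bound(n, n_x, eps):
    """The two rate conditions force X/n - mu >= eps * n_x / (n + n_x) (derived in
    the lead-in), so Hoeffding's bound at that deviation bounds the bad event."""
    return hoeffding_bound(n, eps * n_x / (n + n_x))


if __name__ == "__main__":
    # Constructed instance: 50 INFO and 50 TEST-X positions, 20 errors among them,
    # threshold p = 0.1 and several slack values eps.
    for eps in (0.05, 0.1, 0.2):
        print(eps, bad_event_prob(50, 50, 20, 0.1, eps), bad_event_bound(50, 50, eps))
```

The exact probabilities are far below the Hoeffding bound, which is what the proof relies on: the bound is loose, but it decreases exponentially in n for any fixed ε, and the reliability argument of Subsection III.4 is the same computation with the TEST-Z set in the role of the second sample.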
III.5 Security, Reliability, and Error Rate Threshold
According to Theorem 3 and to the discussion in Subsection III.4, to get both security and reliability we only need vectors satisfying both the conditions of the Theorem (distance ) and the reliability condition (the ability to correct errors). Such families were proven to exist in Appendix E of Biham et al. (2006), giving the bit-rate:
[TABLE]
where .
Note that we use here the error thresholds for security and for reliability. This is possible, because in Biham et al. (2006) those conditions (security and reliability) on the codes are discussed separately.
To get the asymptotic error rate thresholds, we require , and we get the condition:
[TABLE]
The zone of secure asymptotic error rate thresholds is shown in Figure 1 (it is below the curve), assuming that is negligible. Note the trade-off between the error rates and . Also note that in the case , we get the same threshold as BB84 (Biham et al. (2006) and Boyer et al. (2009)), which is 7.56%.
IV Conclusion
In this paper, we have analyzed the security of the BB84-INFO- protocol against any collective attack. We have discovered that the results of BB84 hold very similarly for BB84-INFO-, with only two exceptions:
1. The error rates must be separately checked to be below the thresholds and for the TEST-Z and TEST-X bits, respectively, while in BB84 the error rate threshold applies to all the TEST bits together.
2. The exponents of Eve’s information (security) and of the failure probability of the error-correcting code (reliability) are different from those in Boyer et al. (2009), because different numbers of test bits are now allowed ( and are arbitrary). This implies that the exponents may decrease more slowly (or more quickly) as a function of . However, if we choose (thus sending qubits from Alice to Bob), then we get exactly the same exponents as in Boyer et al. (2009).
The asymptotic error rate thresholds found in this paper are more flexible than in BB84, because they allow us to tolerate a higher threshold for a specific basis (say, the basis) if we demand a lower threshold for the other basis (). If we choose the same error rate threshold for both bases, then the asymptotic bound is 7.56%, exactly the bound found for BB84 in Biham et al. (2006) and Boyer et al. (2009).
We conclude that even if we change the BB84 protocol to have INFO bits only in the basis, this does not harm its security and reliability (at least against collective attacks). This does not even change the asymptotic error rate threshold, and allows more flexibility when choosing the thresholds for both bases. The only drawbacks of this change are the need to check the error rate for the two bases separately, and the need to either send more qubits ( qubits in total, rather than ) or get a slower exponential decrease of the exponents required for security and reliability.
We thus find that the feature of BB84, that both bases are used for information, is not very important for security and reliability, and that BB84-INFO- (which lacks this feature) is almost as useful as BB84. This may have important implications for the security and reliability of other protocols that also use only one basis for information qubits, as done in some two-way protocols.
We also present a better approach for the proof, that uses a quantum distance between two states rather than the classical information. In Boyer et al. (2009), Biham et al. (2002), and Biham et al. (2006), the classical mutual information between Eve’s information (after an optimal measurement) and the final key was calculated (by using the trace distance between two quantum states); although we should note that in Boyer et al. (2009) and Biham et al. (2006), the trace distance was used for the proof of security of a single bit of the final key even when all other bits are given to Eve, and only the last stages of the proof discussed bounding the classical mutual information. In the current paper, on the other hand, we use the trace distance between the two quantum states until the end of the proof, which avoids composability problems that existed in the previous works.
Therefore, this proof makes a step towards making Boyer et al. (2009), Biham et al. (2002), and Biham et al. (2006) prove composable security of BB84 (namely, security even if Eve keeps her quantum states until she gets more information when Alice and Bob use the key, rather than measuring them in the end of the protocol). This approach also applies (similarly) to the BB84 security proof in Boyer et al. (2009).
Acknowledgements.
The work of TM and RL was partly supported by the Israeli MOD Research and Technology Unit.
References
- Boyer et al. (2009): Michel Boyer, Ran Gelles, and Tal Mor, “Security of the Bennett-Brassard quantum key distribution protocol against collective attacks,” Algorithms 2, 790–807 (2009).
- Bennett and Brassard (1984): Charles H. Bennett and Gilles Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in International Conference on Computers, Systems & Signal Processing, IEEE, 1984, pp. 175–179.
- Biham and Mor (1997a): Eli Biham and Tal Mor, “Security of quantum cryptography against collective attacks,” Phys. Rev. Lett. 78, 2256–2259 (1997).
- Biham and Mor (1997b): Eli Biham and Tal Mor, “Bounds on information and the security of quantum cryptography,” Phys. Rev. Lett. 79, 4034–4037 (1997).
- Biham et al. (2002): Eli Biham, Michel Boyer, Gilles Brassard, Jeroen van de Graaf, and Tal Mor, “Security of quantum key distribution against all collective attacks,” Algorithmica 34, 372–388 (2002).
- Biham et al. (2006): Eli Biham, Michel Boyer, Oscar P. Boykin, Tal Mor, and Vwani Roychowdhury, “A proof of the security of quantum key distribution,” J. Cryptol. 19, 381–439 (2006).
- Renner (2008): Renato Renner, “Security of quantum key distribution,” Int. J. Quantum Inf. 6, 1–127 (2008).
- Christandl et al. (2009): Matthias Christandl, Robert König, and Renato Renner, “Postselection technique for quantum channels with applications to quantum cryptography,” Phys. Rev. Lett. 102, 020504 (2009).
