Guessing probability in quantum key distribution
Xiang-Bin Wang, Jing-Tao Wang, Ji-Qian Qin, Cong Jiang, Zong-Wen Yu

TL;DR
This paper introduces a new method to significantly tighten the upper bound on guessing probability in quantum key distribution, demonstrating that existing security measures are far more effective than previously believed.
Contribution
A simple and efficient approach to tighten the upper bound of guessing probability in quantum key distribution, improving previous bounds by thousands of orders of magnitude.
Findings
Upper bound of guessing probability can be tightened by thousands of orders of magnitude.
The new bound shows existing trace distance security is much stronger than previously assumed.
For a 10^{-9}-secure key, the bound is as low as 2*10^(-3277).
Abstract
On the basis of the existing trace distance result, we present a simple and efficient method to tighten the upper bound of the guessing probability. The guessing probability of the final key k can be upper bounded by the guessing probability of another key k', if k' can be mapped from the final key k. Compared with the known methods, our result is more tightened by thousands of orders of magnitude. For example, given a 10^{-9}-secure key from the sifted key, the upper bound of the guessing probability obtained using our method is 2*10^(-3277). This value is smaller than the existing result 10^(-9) by more than 3000 orders of magnitude. Our result shows that from the perspective of guessing probability, the performance of the existing trace distance security is actually much better than what was assumed in the past.
Xiang-Bin Wang1,2,3∗, Jing-Tao Wang1∗, Ji-Qian Qin1, Cong Jiang1, Zong-Wen Yu1,4∗
1State Key Laboratory of Low Dimensional Quantum Physics, Department of Physics,
Tsinghua University, Beijing 100084, China
2Jinan Institute of Quantum technology, SAICT, Jinan 250101, China
3Shenzhen Institute for Quantum Science and Engineering, and Physics Department,
Southern University of Science and Technology, 518055 Shenzhen, China.
4Data Communication Science and Technology Research Institute, Beijing 100191, China
∗ email: [email protected]; [email protected]; [email protected]
I Introduction
The first quantum key distribution (QKD) protocol was proposed by Bennett and Brassard in 1984; the protocol was based on the fundamentals of quantum mechanics Bennett (1984). Since then, the security of QKD has always been the central issue in the quantum cryptographic field Renner (2008). Trace distance is a very important security criterion Curty et al. (2014); Tomamichel et al. (2012). It provides universal composable security Ben-Or et al. (2005); Renner and König (2005), which guarantees the security of the key regardless of its application, such as the one-time pad (OTP). This is why many studies choose trace distance as the security criterion König et al. (2007); Tomamichel et al. (2012); Curty et al. (2014); Hayashi and Tsurumaru (2012).
In a classical practical cryptosystem, the impact of guessing probability on security is very important Alimomeni and Safavi-Naini (2012); Issa and Wagner (2017). Specifically, the key generated by the QKD protocol is not based on the presumed hardness of mathematical problems; thus, the eavesdropper Eve can only guess the final key via the measurement result of her probe. The guessing probability intuitively describes the probability that Eve correctly guesses the final key, which reflects the number of guesses that Eve requires to obtain the final key.
There are few studies on the guessing probability of QKD, because there are more rigorous security criteria, such as the trace distance Ben-Or et al. (2005); Renner and König (2005), which gives composable security. This makes the theoretical foundation for the security of QKD crucially important. However, in the real application of QKD projects, customers often ask about the guessing probability. The existing prior art results cannot give them a satisfactory upper bound Portmann and Renner (2014). Consequently, some people have questioned the security of QKD by relying on the prior art results of guessing probability Yuen (2016). For example, according to the existing result Portmann and Renner (2014), the guessing probability of the -secure key is approximately if is approximately . From the perspective of guessing probability, the security of the value is equivalent to that of a perfect bits. Existing classical computer systems can easily crack such a key. In practice, it is not unusual to request a much smaller guessing probability such as or . Therefore, it is beneficial to find a tighter upper bound of the guessing probability.
As an important criterion in cryptography, guessing probability alone cannot guarantee the security of the final key. However, a large value of a loose upper bound of the guessing probability does not indicate the insecurity of the final key Yuen (2016), because the value is not achievable by Eve, and one can find a tighter value for the upper bound of the guessing probability. Here, by applying the trace distance criterion Renner (2008), we find such a tightened bound. We show that the guessing probability is actually smaller than the existing bound values by many orders of magnitude if one performs the privacy amplification with a Toeplitz matrix. This shows that the trace distance criterion Renner (2008) can actually produce a much better result than what was assumed previously from the viewpoint of guessing probability.
II Results
We consider the security definitions of a practical QKD protocol with finite size under the framework of composable security Canetti (2001); Müller-Quade and Renner (2009); Tomamichel et al. (2012); Curty et al. (2014). Suppose that Alice and Bob get two -bit sifted key strings, and . By performing an error correction and privacy amplification scheme, Alice gets a -bit key , and Bob gets an estimate key of from and . The protocol is -correct if . In general, the key of Alice can be correlated with an eavesdropper system, and the density matrix of Alice and Eve is . The protocol outputs an -secure key König et al. (2007), if
[TABLE]
where denotes the trace norm, is the fully mixed state of Alice’s system. The protocol is -secure if and satisfy , which means that it is -indistinguishable from a perfect protocol (which is correct and secret). Without any loss of generality, we consider the case of in this article.
We define the security level:
Definition 1
If key is -secure, the security level of key is .
For symbol clarity, we will use notation for the security level of key . With this definition, we can say that the key is -secure or that its security level is .
We define the guessing probability:
Definition 2
Let the final key generated by the QKD protocol be ; the guessing probability of is defined as the success probability of the attacker Eve guessing the final key via her measurement result and is denoted as .
Lemma 1
The guessing probability of -secure key with length is not larger than .
This is a conclusion from Ref. Portmann and Renner (2014). The proof has already been given in Ref. Portmann and Renner (2014); for the convenience of readers, we write the proof again in the Method section.
According to Lemma 1, the guessing probability of key can be divided into two parts: one part is related to the length of the key, and the other part is related to the security level. Under the framework of universally composable security, when calculating the final key length, we often set the security level between , which is much bigger than because is often , or larger. Therefore, can be ignored and . However, the guessing probability of a secure key with a length of only tens of bits can also reach this magnitude. Therefore, when the security requirements are very high, it is clearly not enough for a key with a length of thousands of bits or even longer if the upper bound of the guessing probability only stops at this magnitude. Therefore, we cannot simply use this formula alone to obtain the upper bound of the guessing probability. Fortunately, we have a much better way of tightening the bound, which is presented below.
Lemma 2
If key can be mapped to string by a map that is known to Eve, then the guessing probability of cannot be larger than the guessing probability of string , i.e.,
[TABLE]
Here are the guessing probabilities of and , respectively.
Proof. This lemma is clear because when Eve can correctly guess , Eve can obtain by knowing the map . Otherwise, Eve can still correctly guess the with a probability not less than [math], i.e., .
Theorem 1
If the -secure key with a length can be mapped to the -secure key with length , the guessing probability of cannot be larger than , i.e.,
[TABLE]
Proof. This theorem actually requires two conditions:
i) the final key can be mapped to the string ,
ii) the string can be regarded as a -secure key.
Using the above-mentioned conditions, the proof is very simple. Given the condition i), we can apply Lemma 2 to obtain
[TABLE]
Given the condition ii), we can apply Lemma 1 to obtain
[TABLE]
where is the upper bound of . According to Eqs. (4) and (5), we can obtain
[TABLE]
This ends our proof of Theorem 1.
As discussed above, if the length of the final key and the string are very large, then and can be ignored. Meanwhile, if and , then . Thus, Theorem 1 can provide a tighter upper bound of guessing probability.
Using Theorem 1, it is now possible for us to obtain the upper bound of the guessing probability of the -secure key more tightly. Instead of directly applying Lemma 1, we choose to first map to a -bit string . If the string itself can be regarded as an -secure final key, we can apply Theorem 1 by calculating . In addition, we can obtain a much smaller upper bound of the guessing probability of if is very small and is not too small. Now, the remaining problems are to determine the map , to make sure that is another key that is -secure, and to calculate . We start our method with the hashing function in the key distillation.
Our hashing function. We use the key distillation with the random matrix. Denote as the random matrix with each element being randomly chosen to be either [math] or . In addition, we represent the -bit sifted string by a column vector, which contains elements. To obtain the -bit final key, we use the calculation . It can be easily confirmed that our random matrix belongs to the class of two-universal hashing function family Renner (2008).
Suppose we have distilled the -bit key from the -bit sifted key through hashing by our random matrix . We can map the -bit key into the -bit string by deleting the last bits from the key string . Clearly, this string mapped from can also be regarded as another final key distilled from the sifted key by the random hashing matrix , which is a submatrix of . In summary, we have
[TABLE]
This means that is a string mapped from key . Moreover, can be regarded as another final key of length distilled from the sifted key . Because the two conditions in Theorem 1 are satisfied, according to Theorem 1, we can obtain a tightened upper bound of with Eq. (3) if we know the security level of key , i.e., the value of . Because our random matrix is a class of two-universal hashing function, the value depends on Tomamichel et al. (2012). The details are shown in the Method section and explain the calculation of for . Hence, in the QKD protocol that uses a random hashing matrix presented here, to obtain the upper bound of the guessing probability of the -bit final key , we can summarize the procedure above by the following scheme:
Scheme
1) Given the -bit final key , we delete its last bits and obtain a string .
2) We regard as another possible final key that is -secure. Compute the value of with the input parameters and .
3) Calculate by Theorem 1 through Eq. (3).
Because in our scheme the value of is dependent on , as shown in the Method section, we can now replace by a functional form, . To obtain the tightened upper bound value of the guessing probability in scheme 1, we need to choose an appropriate value. In our calculation, we set the condition
[TABLE]
for the appropriate .
For any , we have ; however, for any , we have . In conclusion, if , . Therefore, in this study, we set , and obtain a tightened guessing probability .
Once we determine the value and the corresponding , we calculate by Eq. (3). Clearly, this is the upper bound of the guessing probability of the final key of length provided that
[TABLE]
Thus, we can actually use a more efficient scheme to obtain the upper bound of the guessing probability of key , as the following Theorem 2:
Theorem 2
In the QKD protocol, if the -bit final key is distilled from the sifted key using a random matrix , the guessing probability of can be upper bounded by
[TABLE]
where and satisfies
As shown in Fig. 1, the arrow between and indicates that the -secure -bit final key can be distilled from the -bit sifted key using a random matrix , i.e. . The arrow between and indicates that there exists a map that can map the key into , i.e., . The arrow between the sifted key and indicates that if a random hashing matrix is used to distill the final key, we have . Then if satisfies the condition in Theorem 2, a tightened guessing probability of can be obtained.
There are two important points that need to be noticed. First, when applying our theorem to obtain the non-trivial upper bound of the guessing probability for the final key , we do not really need to transform into another string ; we only need the existence of a map that can map to mathematically. That is to say, we use the final key , but its guessing probability is calculated from the shorter key . As shown above, the existence has been proven. Second, in this study, we use the random matrix as a family of two-universal hash functions to distill the key, in order to illustrate our conclusion more intuitively. Of course, we can also use the modified Toeplitz matrix Hayashi and Tsurumaru (2012) instead of the random matrix . Then the final key can also be mapped to the string , and the string can also be regarded as the -secure key. This means that the theorem proposed in this study still holds.
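The Scheme and Theorem 2 above, worked through in code as an added example (written for this page, not code from the paper or its authors): Lemma 1, Theorem 1 and the choice of the shorter length are implemented in log2 arithmetic, because bounds of the size the paper reports (2·10^-3277) underflow an IEEE double. The paper's Eq. (16) is not reproduced on this page, so the relation between the prefix length and its security level, `toy_log2_eps`, is an assumed, simplified Tomamichel-style finite-key formula, and the protocol parameters (sifted length, QBER, error-correction leakage, the 10^-9 target) are constructed; the printed numbers illustrate the mechanism and do not reproduce the paper's table.

```python
import math

# All probabilities are handled as log2 values; the tightened bounds are far too
# small to represent directly as floats.


def binary_entropy(q):
    """Binary Shannon entropy h(q) in bits."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def log2_sum(a, b):
    """log2(2**a + 2**b) without forming the (possibly underflowing) terms."""
    m = max(a, b)
    return m + math.log2(2.0 ** (a - m) + 2.0 ** (b - m))


def lemma1_log2_bound(n_bits, log2_eps):
    """Lemma 1 (Portmann and Renner): an eps-secure n-bit key has p_guess <= 2**-n + eps."""
    return log2_sum(-n_bits, log2_eps)


# Constructed protocol parameters (assumptions for this example, not the paper's values).
N_SIFTED = 100_000            # sifted bits per party
QBER = 0.02                   # channel error tolerance Q
EC_EFFICIENCY = 1.16          # leak_EC = EC_EFFICIENCY * n * h(Q)
LEAK_EC = EC_EFFICIENCY * N_SIFTED * binary_entropy(QBER)
EXTRACTABLE = N_SIFTED * (1.0 - binary_entropy(QBER)) - LEAK_EC
TARGET_LOG2_EPS = math.log2(1e-9)   # security level of the final key


def toy_log2_eps(n_prime):
    """Assumed stand-in for the paper's eps'(n') relation (its Eq. (16) is not on this
    page): a simplified finite-key formula n' = n(1-h(Q)) - leak_EC - 2*log2(1/eps'),
    solved for log2(eps'). Shorter keys are exponentially more secure."""
    return -(EXTRACTABLE - n_prime) / 2.0


def final_key_length(log2_eps):
    """Inverse of toy_log2_eps: the longest key that is 2**log2_eps-secure."""
    return math.floor(EXTRACTABLE + 2.0 * log2_eps)


def choose_n_prime(n_final, log2_eps_fn):
    """Theorem 2's choice: the longest prefix k' of k whose own security level obeys
    eps'(n') <= 2**-n', so both Lemma 1 terms for k' are at most 2**-n'."""
    for n_prime in range(n_final, 0, -1):
        if log2_eps_fn(n_prime) <= -n_prime:
            return n_prime
    return None


def theorem1_log2_bound(n_prime, log2_eps_fn):
    """Theorem 1: p_guess(k) <= p_guess(k') <= 2**-n' + eps'(n') for any prefix k' of k."""
    return lemma1_log2_bound(n_prime, log2_eps_fn(n_prime))


def compare_bounds(log2_eps_target, log2_eps_fn=toy_log2_eps):
    """Lemma 1 applied to the full key versus Theorem 2 applied to the chosen prefix."""
    n_final = final_key_length(log2_eps_target)
    n_prime = choose_n_prime(n_final, log2_eps_fn)
    return {
        "n_final": n_final,
        "lemma1_log10": lemma1_log2_bound(n_final, log2_eps_target) * math.log10(2),
        "n_prime": n_prime,
        "theorem_log10": theorem1_log2_bound(n_prime, log2_eps_fn) * math.log10(2),
    }


if __name__ == "__main__":
    r = compare_bounds(TARGET_LOG2_EPS)
    print(f"final key: {r['n_final']} bits, Lemma 1 bound ~ 10^{r['lemma1_log10']:.1f}")
    print(f"prefix k': {r['n_prime']} bits, Theorem 2 bound ~ 10^{r['theorem_log10']:.0f}")
```

Under the toy relation the Lemma 1 bound for the full key stays at the 10^-9 level however long the key is, while the prefix bound falls as 2·2^-n' with n' roughly a third of the final key length, which is the effect the paper's Table 1 reports: the tightening costs no key bits, since the map to the prefix only needs to exist.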
III Discussion
Table 1 describes the upper bounds of the guessing probability calculated by different , where is the length of the total string that includes the sifted keys for key generation and the string used to do parameter estimation. In Table 1, , and . Table 1 shows that when , and the guessing probabilities obtained using the methods of Yuen (2016) and Portmann and Renner (2014) are approximately and . However, using our method, the guessing probability can be reduced to , which is tighter by thousands of orders of magnitude than the prior art methods. With an increase in the length of , the length of the final key also increases; however, the guessing probabilities in Yuen (2016) and Portmann and Renner (2014) remain almost unchanged. Compared with Yuen (2016) and Portmann and Renner (2014), the guessing probability obtained by our method is considerably reduced, which is more realistic and tighter. It should be noted that Table 1 covers the case without a known-plaintext attack (KPA). Now, we consider the case of KPA in QKD using our method. Suppose that Eve knows bits of the final -bit key ; then, the guessing probability of the -secure key is . Now, the upper bound of the guessing probability of key is equal to that of an ideal -bit key.
Table 2 compares the length of the -secure key and the length of the -secure key when the total length of the sifted key is , and . This table shows that if only Lemma 1 is used to obtain a smaller guessing probability, needs to be reduced. Accordingly, the length of the final key and the key rate will be considerably reduced. For example, from Table 2, when , if the customer wants to reduce the guessing probability from to , the length of the key will become , and the key rate will become . This result is much lower than the original key length and the key rate . Using our result, there is actually no bit cost for a much smaller bound value of the guessing probability. For example, when , we can upper bound the guessing probability by by setting . Thus, without reducing the value of , we can obtain a tightened upper bound of the guessing probability of , as can be seen from Table 1.
Our result shows that in terms of guessing probability, the performance of the existing trace distance security is much better than what has been assumed in the past. Incidentally, after the upper bound value was presented in Ref. Portmann and Renner (2014), a looser upper bound, , for the guessing probability was presented in Yuen (2016). We emphasize that this looser upper bound does not in any sense challenge the validity of the existing security proof of QKD Portmann and Renner (2014). Although a large value of the lower bound of Eve's guessing probability can show insecurity, a large value of the upper bound cannot. If one does not make any effort, one can also obtain a large-value upper bound of for Eve's guessing probability. Such a value is correct as an upper bound but not meaningful. If any new upper bound is larger than that in the prior art result, it means that the "new upper bound" is trivial and meaningless, not that the prior art result is invalid. Thus, the looser upper bound presented by Ref. Yuen (2016) only shows that Eve's guessing probability of the key is smaller than . It does not conflict with the tighter results presented elsewhere.
In this study, our goal is to obtain a tightened guessing probability. On the basis of the existing security criterion (trace distance) and the general property of guessing probability, we propose a simple and efficient method to tighten the upper bound of the guessing probability. We find that the guessing probability of can be upper bounded by , where satisfies and . Specifically, a simple random matrix can be used to distill the final key. Compared with the prior art results, in which the upper bound of the guessing probability of the -secure key is approximately , our method provides a much tighter upper bound. Therefore, the loose upper bound for the guessing probability obtained in Ref. Yuen (2016) cannot be regarded as evidence to question the validity of the existing security proof of QKD.
IV Method
Proof of Lemma 1
Lemma 1
The guessing probability of the -secure key with length is not larger than .
This is a conclusion obtained from Ref. Portmann and Renner (2014). The proof has already been presented in Ref. Portmann and Renner (2014). Here, for the convenience of the reader, we write the proof again.
Proof. Let the -bit string be the -secure key in . The density matrix of Alice and Eve is and satisfies
[TABLE]
where is the fully mixed state in . Then we have
[TABLE]
Eve’s guessing probability of string is , and the maximum guessing probability is . Without any loss of generality, it is possible to assume that the maximum guessing probability is . Note that , then the following holds
[TABLE]
From Eqs.(11)-(13), we have ; thus, for the -bit -secure key , the guessing probability satisfies
[TABLE]
where is the upper bound of . This ends our proof of Lemma 1.
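A numerical check of Lemma 1 in the classical special case, as an added example that is not from the paper: Eve's system is a classical register e, the joint state is a distribution p(k, e), the trace distance to the ideal state (fully mixed key times Eve's marginal) is (1/2) Σ |p(k,e) − 2^-n p(e)|, and Eve's optimal strategy is to guess, for each e, the most likely key given e. The "leaky key" distribution is constructed for this example (with probability r Eve's register simply holds the key); it meets the Lemma 1 bound with equality, which shows that the additive form 2^-n + ε cannot be improved in general, only applied more cleverly, as Theorem 1 does.

```python
from itertools import product
import random


def eve_marginal(p_joint):
    """p(e) = sum_k p(k, e)."""
    p_e = {}
    for (k, e), p in p_joint.items():
        p_e[e] = p_e.get(e, 0.0) + p
    return p_e


def trace_distance_from_ideal(p_joint, n_bits):
    """Classical trace distance between p(k,e) and 2**-n * p(e): the security level eps."""
    p_e = eve_marginal(p_joint)
    uniform = 2.0 ** -n_bits
    return 0.5 * sum(abs(p_joint.get((k, e), 0.0) - uniform * pe)
                     for e, pe in p_e.items() for k in range(2 ** n_bits))


def guessing_probability(p_joint):
    """Eve guesses the most likely key for each value of her register e."""
    best = {}
    for (k, e), p in p_joint.items():
        best[e] = max(best.get(e, 0.0), p)
    return sum(best.values())


def lemma1_holds(p_joint, n_bits):
    """Check p_guess <= 2**-n + eps (a small tolerance absorbs float rounding)."""
    bound = 2.0 ** -n_bits + trace_distance_from_ideal(p_joint, n_bits)
    return guessing_probability(p_joint) <= bound + 1e-12


def leaky_key(n_bits, r):
    """Constructed toy: key uniform; with probability r Eve's register holds the key,
    otherwise an independent uniform n-bit string."""
    size = 2 ** n_bits
    return {(k, e): (1.0 / size) * (r * (k == e) + (1.0 - r) / size)
            for k, e in product(range(size), repeat=2)}


def random_joint(n_bits, n_eve_values, seed):
    """Constructed arbitrary joint distribution (seeded) to exercise the inequality."""
    rng = random.Random(seed)
    weights = {(k, e): rng.random()
               for k in range(2 ** n_bits) for e in range(n_eve_values)}
    total = sum(weights.values())
    return {ke: w / total for ke, w in weights.items()}


if __name__ == "__main__":
    p = leaky_key(2, 0.1)
    print("eps =", trace_distance_from_ideal(p, 2), "p_guess =", guessing_probability(p),
          "bound =", 2.0 ** -2 + trace_distance_from_ideal(p, 2))
    print("random case obeys Lemma 1:", lemma1_holds(random_joint(3, 5, 1), 3))
```

For the leaky 2-bit key with r = 0.1 the security level is ε = r(1 − 2^-n) = 0.075 and Eve's guessing probability is exactly 2^-2 + 0.075 = 0.325.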
Calculation of
We consider the security definitions of a practical QKD protocol with finite size under the framework of composable security Canetti (2001); Müller-Quade and Renner (2009); Tomamichel et al. (2012). Suppose that Alice and Bob get two -bit sifted key strings. By performing an error correction and privacy amplification scheme, Alice gets a -bit final key and Bob gets an estimate of . The protocol is -correct if . In general, the key of Alice can be correlated with an eavesdropper system, and the density matrix of Alice and Eve is .
The protocol outputs an -secure key Canetti (2001), if
[TABLE]
where denotes the trace norm, is the fully mixed state of Alice’s system. The protocol is -secure if and satisfies , which means that it is -indistinguishable from an ideal protocol. Without any loss of generality, we consider the case of .
From Lemma 1, we can calculate given the -bit -secure key . In this situation, . However, in our method, we only know and , which are the length of the sifted key and . (The string itself can be also regarded as another final key distilled from the sifted key.) To get a tightened upper bound of the guessing probability of , we need to obtain the value of . According to Ref. Tomamichel et al. (2012), with and , the final key is -secure if satisfies the following equation:
[TABLE]
where , is the length of string used for parameter estimation, , denotes the binary Shannon entropy function, and represents the channel error tolerance. To obtain non-trivial results, we use equality in Eq. (16) to calculate the value of , given the input . Since is dependent on , we use notation for . Here, , if is given and we numerically find the value of by Eq. (16).
In our calculation, we choose a specific -value that satisfies
[TABLE]
In combination with Eq. (16), we obtain the following equation for the tightened value:
[TABLE]
and we can calculate the value of and then calculate the guessing probability by Eq. (8) in our main body text.
Data availability
The data that support the findings of this study are available from the corresponding author upon reasonable request.
Acknowledgement
We acknowledge the financial support in part by the Ministry of Science and Technology of China through the National Key Research and Development Program of China grant No. 2017YFA0303901, and by the National Natural Science Foundation of China grants No. 11474182, 11774198, 11974204 and U1738142.
Author contributions
Xiang-Bin Wang developed the theory, Jing-Tao Wang and Ji-Qian Qin contributed equally to the calculation work, Cong Jiang and Zong-Wen Yu contributed to simulation work. All authors contributed to the manuscript.
Competing interests
The authors declare no competing interests.
Additional information
Correspondence and requests for materials should be addressed to X.-B.W., J.-T.W. or Z.-W.Y.
References
- Bennett (1984) Bennett, C. H. and Brassard, G. Quantum cryptography: public key distribution and coin tossing. In Proc. IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, 175–179 (IEEE Press, New York, 1984).
- Renner (2008) Renner, R. Security of quantum key distribution. Int. J. Quantum Inf. 6, 1 (2008).
- Curty et al. (2014) Curty, M., et al. Finite-key analysis for measurement-device-independent quantum key distribution. Nat. Commun. 5, 3732 (2014).
- Tomamichel et al. (2012) Tomamichel, M., Lim, C. C. W., Gisin, N. and Renner, R. Tight finite-key analysis for quantum cryptography. Nat. Commun. 3, 634 (2012).
- Ben-Or et al. (2005) Ben-Or, M., Horodecki, M., Leung, D. W., Mayers, D. and Oppenheim, J. In Theory of Cryptography Conference, 386–406 (Springer, 2005).
- Renner and König (2005) Renner, R. and König, R. In Theory of Cryptography Conference, 407–425 (Springer, 2005).
- König et al. (2007) König, R., Renner, R., Bariska, A. and Maurer, U. Small accessible quantum information does not imply security. Phys. Rev. Lett. 98, 140502 (2007).
- Hayashi and Tsurumaru (2012) Hayashi, M. and Tsurumaru, T. Concise and tight security analysis of the Bennett-Brassard 1984 protocol with finite key lengths. New J. Phys. 14, 093014 (2012).
