PHYSICAL REVIEW LETTERS week ending PRL 97, 120405 (2006) 22 SEPTEMBER 2006
From Bell’s Theorem to Secure Quantum Key Distribution
Antonio Acı´n,1 Nicolas Gisin,2 and Lluis Masanes3 1ICFO—Institut de Ciencies Fotoniques, Mediterranean Technology Park, 08860 Castelldefels (Barcelona), Spain 2GAP-Optique, University of Geneva, 20 Rue de l’E´ cole de Me´decine, CH-1211 Geneva 4, Switzerland 3School of Mathematics, University of Bristol, Bristol BS8 1TW, United Kingdom (Received 21 October 2005; published 20 September 2006) The first step in any quantum key distribution (QKD) protocol consists of sequences of measurements that produce correlated classical data. We show that these correlation data must violate some Bell inequality in order to contain distillable secrecy, if not they could be produced by quantum measurements performed on a separable state of larger dimension. We introduce a new QKD protocol and prove its security against any individual attack by an adversary only limited by the no-signaling condition.
DOI: 10.1103/PhysRevLett.97.120405 PACS numbers: 03.65.Ud, 03.67.Dd
Since its invention in 1984 by Bennett and Brassard [1], mensions can correspond to ‘‘side channels,’’ i.e., to quantum key distribution (QKD) has led to a change of degrees of freedom coded accidentally. For example, in paradigm with respect to the existing classical crypto- photon-polarization coding, the wavelength could be acci- graphic schemes. While the latter ones base their security dentally correlated to the state of polarization. on mathematical assumptions, the security of QKD relies It is desirable to have key distribution schemes where on the fact that the devices of the legitimate parties, Alice assumption (ii) is not needed for the security. In such and Bob, and of the eavesdropper, Eve, are governed by schemes, Alice and Bob should just exploit a well- quantum physics. Then, security proofs of QKD schemes established physical principle to extract a key from some exploit well-established quantum features such as the no- observed correlation, P a; bjx; y , without having to care cloning theorem, or the monogamy (i.e., nonshareability) about the practical details needed for the correlation dis- of entanglement. The common structure in all these tribution [4]. Standard QKD proofs do not fit into this schemes is the following: Alice and Bob first establish desired picture. Indeed, an immediate necessary condition some correlation, for instance by performing some mea- for some correlation to be secure in this device- surements on a quantum state or, equivalently, by Alice independent scenario is that P a; bjx; y should not allow sending some quantum states that are later measured by a descriptionP in terms of local classical variables: Bob [2]. Next, exploiting the quantum formalism, Alice P a; bjx; y p P ajx; P bjy; . If not, the adver- and Bob bound Eve’s information and distill a secret key sary Eve may hold a copy of the ’s. This necessary by public communication. Formally, a correlation is a condition implies that the correlation P a; bjx; y must conditional probability distribution P a; bjx; y , where a violate a Bell inequality [5]. Thus, any security proof of and b are Alice and Bob’s output data, respectively, and x QKD in this more general scenario should make a direct and y are their choices of inputs. For instance, x and y use of quantum nonlocality [6,7]. Note that the correlation could be their choice of measurement settings and a and b corresponding to the well-known BB84 protocol [1] does the obtained results. not satisfy this condition. There is, however, an extra assumption in most of the In this Letter, we present a new 4-state QKD protocol existing QKD protocols: Alice and Bob know how the directly built from data violating the Clauser-Horne- correlation P a; bjx; y has been established. For example, Shimony-Holt (CHSH) Bell inequality [8]:
in a photon-polarization implementation of the Bennett- Brassard 1984 (BB84) protocol [1]. Alice knows she sends P a0 b0 P a0 b1 P a1 b0 P a1 b1 3; photons in two polarization bases, z and x, that are mea- (1) sured by Bob in the same bases. In other words, Alice and Bob trust their devices [3]. This often implicit assumption, where P aj bk P a b 0jx j; y k as discussed below, is crucial for the security of standard P a b 1jx j; y k . Hence we name our new pro- QKD. Therefore, all security proofs of QKD are based on tocol the CHSH protocol. Following the ideas introduced (i) the validity of the quantum formalism plus the assump- in [9], we demonstrate its security against any individual tion that (ii) the legitimate partners perfectly know how attack by any adversary only limited by the no-signaling their correlation is established, e.g., they know the dimen- condition. The no-signaling condition says that local prob- sions of the Hilbert space describing their quantum sys- abilities are independent of distant partner’s inputs, e.g., tems. Indeed, all the security proofs of existing QKD X
schemes heavily exploit the Hilbert-space artillery of quan- P ajx; y P a; bjx; y P ajx : (2) tum physics. Experimentally, additional Hilbert-space di- b
0031-9007=06=97(12)=120405(4) 120405-1 © 2006 The American Physical Society PHYSICAL REVIEW LETTERS week ending PRL 97, 120405 (2006) 22 SEPTEMBER 2006
This principle severely limits the set of possible correla- the ideal noise-free case, the correlation is not maximal: tions. For finite alphabets of inputs and outputs, the set of P~ a bjx; y < 1. In the sequence, we limit our analysis all these correlations is convex with a finite number of to isotropic raw correlations with visibility V, without loss extreme points; hence it is a polytope. of generality [15]:
The choice of the no-signaling principle for proving the 1 1
P a; bjx; y V a b xy V ; security of our protocol is twofold. First, it is perhaps the 2 1 4 (4) strongest physical principle. Actually, Eve could be supra- where r s 1 wheneverp the equality holds modulo 2, quantum, since there are nonsignaling correlations not and 0 otherwise. For V 1= 2, such correlations can be achievable using quantum states [10]. Second, it allows distributed by quantum physics (e.g., by a Werner state one to study key distribution based on physical assump- p with W 2V). For V>1=2 they violate the Bell in- tions beyond quantum physics, as shown in [9]. Indeed, equality (1), so there are no local variables that Eve could thanks to the seminal paper by Popescu and Rohrlich [10], hold. it was realized that one can study nonlocality without As usual, we conservatively assume that the distribution Hilbert space using the no-signaling principle. Several of the correlation is done by Eve. Any attack consists thus recent papers explore this new avenue [11–14]. of a three-party distribution P a; b; ejx; y; z whose mar- Before proceeding, let us illustrate on the BB84 protocol ginal is (4) the necessity of a Bell inequality violation for security. X Ideally, in the noise-free case, the BB84 correlation sat- P a; bjx; y P a; b; ejx; y; z isfies P a bjx y 1 and P a bjx y 1=2.If e such correlation results from measurements in the x and z X j j bases on qubit pairs, then the state of these two qubits is P e z P a; b x; y; z; e ; (5) e necessarily maximally entangled and security follows. However, the same correlation can also be reproduced by where for the second equality we used the no-signaling the four-qubit state: condition: Eve’s output e is independent of Alice and
1 Bob’s inputs x and y. Note that the no-signaling condition