arXiv:0906.5241v1 [quant-ph] 29 Jun 2009 ORA FSLCE OISI UNU ELECTRONICS QUANTUM IN TOPICS SELECTED OF JOURNAL nrywl edsrbd h osblt ffehkygener key and fresh binary of for possibility demonstrated The is described. consider be of states will coherent energy with schemes detect generation transm quantum key information of KCQ classical to basis for this the approach theory on communication new communication that developed and keyed is A noise, KCQ, generated. and quantum called be in be security can to that cryptography of key quantum amplificatio fresh measure privacy show of of amount is gener indispensable possibility the It the limits an finding described. probability of be is probability will optimal key attacker’s generation the key that fresh for ations ncnrt nt i-eghprotocols. i throughout bit-length emphasis wi finite The schemes concrete BB84. these on with of compared issues and discussed security The attacks. heterodyne nomto-hoei Security Information-theoretic ue cec n h eateto hsc n srnm,N Astronomy, [email protected] e-mail: and USA Physics 60208 of IL, Department Evanston, the University, and Science puter qua the KCQ from distinct that totally Note gen- principle in systems. key is optical physical generation key practical of hoped in adoption is methods the It eration facilitate signals. strong would that of KCQ use is that the possib protocols advantages makes other which QKD principle, among receiver type quantum poin BB84 optimal crucial the to The estimation contrast sets. level intrusion universa signal in single all KCQ a approach which for of KCQ in optimal world This of is classical process. use a observation generation explicit in exist the the not to in does communication due key (keyed generation secret KCQ key a [8] noise) [7]. approach quantum [6], new set in optima signal this the the delivers call of We that knowledge receiver creation on quantum depends advantage performance a for of structure principle the receiver quantum protocols. optimal such carry for level to intrusion need the the of and estimation involved trace out signals be microscopic can [5]. small which of the [4], most protocols applications, before type BB84 realistic available utilizing concrete in were problems various generation are classic There although key examples, of [1] well-known variants most scenarios its the and are quantum BB84 [3] The o of [2], attacker. protocol ciphertexts an (QKD) and different distribution user key the the from by observations derived signal is which creation, T oaeP uni ihteDprmn fEetia Engineer Electrical of Department the with is Yuen P. Horace Abstract ne Terms Index hspprpooe e praht K i the via QKD to approach new a proposes paper This e ewe w sr i h rcs fadvantage of process fresh the a via of users generation two possible between the key studies paper HIS Tefnaetlscrt n fcec consider- efficiency and security fundamental —The e eeain onain n New a and Foundations Generation: Key Qatmcytgah,KyGeneration, Key cryptography, —Quantum .I I. NTRODUCTION a eoitda osqec of consequence a as omitted be may N aydtcinssesunder systems detection -ary unu Approach Quantum thwestern.edu n n Com- and ing orthwestern n the and n oaeP Yuen P. Horace IvtdPaper) (Invited ission. ntum ation lbe ll ated able to d ion in al le n s r t l l : , httecrflfruaindsrbdi hspprwould paper this hoped in is described It reading. formulation careful careful pape demands the this and cryptology, wordy that in be papers to theoretical tends some in mathema mechanism As purely th to ones. crypto from addition the in arises principles when that physical involves especially [13] cryptology, [12], of kind physical, nature conceptual intuitive different nor a mathematical of purely neither generation. often key KCQ of approach from new fur far this of are basis of the presented development constitute an schemes merely of and new developed cryptosystems fully the being that realistic issues Note of on length. are operation throughout bit protocols the focus We type in appendices. important BB84 the concrete in situation in discussed The security given. be theoretical will of wit remarks comparison concluding a among Some discussed BB84. be o protoco will and security loss generation of of Effects key aspects attack. a heterodyne universal the of haveunder characteristics to shown and desirable described be many then will CPPM called scheme the utilizing coherent-stat of and The follow. meaning generation the key. αη key secret as KCQ shared well a of via principles as generation key tho security of fresh especially of of issues possibility discussed, measure foundational be proper will The on general context. in is generation familiar the key illustrates a which BB84, in to involved similarity close its to due reali for elaborated be protocols. will finite issues usu security secur the appropriate The for of guarantee. measure inadequacies be single-number the any to or exhibit key has entropy will channel” of paper type authentic process This BB84 “public the in created. a and during where KCQ key protocols in secret both QKD necessary shared is a which compounded of generation is generati use problem key the The all extremely by quantum. in an or occurs clearly classical it is protocols, and This issue cryptography. foundational h of serious security context usual theoretic the what the information in clear significance of made and been measures never meaning quantitative has empirical it or info sequence, all operational or bit none a of has on limits it the mation in – except However, possess [11]. conventional nology may to according attacker security theoretic the information information system other althoug connected. encryption, closely direct are KCQ implementations is which their [10], [9], [8], Y-00 os admzddrc nrpinpooo lhEa( AlphaEta protocol encryption direct randomized noise hspprdaswt uteise fmn aeswihare which facets many of issues subtle with deals paper This presented be first will generation key qubit KCQ of case The of independent statistically definition, by is, key fresh A e eeainshm speetdnx sadfeetway different a as next presented is scheme generation key αη ietecyto cee generalized A scheme. encryption direct αη termi- sues tical ther The ther or ) stic ave but ity on se al r- h y h e e 1 r l JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 2 facilitate further discussions and developments of this subtle, complicated subject of physical key generation. ρ k 1 X x II. KCQ QUBIT KEY GENERATION Mod Alice data Kr Consider two users A (Alice) and B (Bob) and an attacker E (I) Ks (II) ENC (Eve) in a standard 4-state single-photon BB84 cryptosystem, 0 1 key in which each data bit is represented by one of two possible Channel Ks bases of a qubit, say the vertical and horizontal states 1 , ENC | i key 3 and the diagonal states 2 , 4 . In standard BB84, the Bob Kr | i | i | i 0 X choice of basis is revealed after Bob makes his measurements, Demod and the mismatched ones are discarded. It has been suggested [14] that some advantages obtain when a secret key is used Fig. 1. The qb-KCQ scheme. Left – Two bases, I and II. Right – Overall encryption involves modulation with bases determined by a running key Kr for basis determination with usual intrusion level estimation generated from a seed key K via an encryption mechanism denoted by the and the resulting protocol is also secure against joint attacks box ENC. [15]. Clearly, no key can be generated after subtracting the basis determination secret key if a fresh key is used for each qubit. It was proposed in refs. [14], [15] that a long m- bit secret key is to be used in a longer n-qubit sequence Next, we show that the seed key has complete information- with repetition. However, even if such use does not affect theoretic security against ciphertext-only attacks. We use the average information that Eve may obtain, it gives rise upper case for random variables and lower case for the k to such an unfavorable distribution that security is seriously specific values they take. Let ρx be the quantum state compromised. This is because with a probability 1/2, Eve corresponding to data sequence x = x xn and running 1 ··· can guess correctly the basis of a whole block of n/m qubits key k1 kn. For attacking the seed key K or running key ··· k k by selecting the qubits where the same secret bit is used Kr, the quantum ciphertext reduces to ρ = Px pxρx where 3 repetitively. For a numerical illustration, let n = 10 and px is the apriori probability of x. In our KCQ approach, m = 102. Then with a probability 2−15 0.3 10−4, Eve we grant a full copy of the quantum state to Eve for the can successfully launch an opaque (intercept/resend)∼ × attack purpose of bounding her information [17]. By an optimal that gives full information at the dangerous 15% level [2] on measurement on the qubits, Eve’s probability of correctly the total bit sequence while yielding no error to the users. In identifying K may be obtained via ρk. Since each qubit general, the strong correlation from such repetitive use would is modulated by its own corresponding data bit, we have seriously affect the appropriate quantitative security level, and ρk = ρk1 ρkn . For uniform data commonly assumed for x x1 ⊗···⊗ xn the effect of such guessing attacks on some portion of the key generation, the Xi are independent, identically distributed data bit-sequence has not been accounted for with or without (i.i.d.) Bernoulli random variables with equal probabilities. ki privacy amplification included. Thus each ρ = Ii/2 after averaging over xi for any value k n This problem is alleviated when a seed key K is first passed of ki, with resulting ρ = Ni=1 Ii/2 completely independent through a pseudo-random number generator (PRNG) to yield of k. So Eve can obtain no information on Kr or K at all a running key Kr that is used for basis determination, as even if she possesses a full copy of the quantum signal. We indicated in Fig. 1. In practice, any standard cipher running summarize: in the stream-cipher mode [16] can be used as a PRNG. Even a LFSR (linear feedback shift register) is good in the present Lemma 1: The key K is completely hidden from attack in situation. A LFSR with openly known (minimal) connection the qubit key generation scheme of Fig. 1. polynomial and initial state K generates a “pseudo-random” output with period 2|K| [16]. When a LFSR is used as a Next, we quantify the minimum security level against (classical) stream cipher, it is insecure against known-plaintext collective attacks on the random data, for which Eve is attack [16], in which Eve would obtain the seed key from assumed to have a full copy of the quantum signal. By the running key which is itself obtained from the input data “collective attack” we mean the situation where Eve performs and the output bits. However, there is no such attack in key a constant qubit-by-qubit measurement on her (fictitious) full generation where Alice picks his data bits randomly. In an copy in the absence of any knowledge on K or Kr, but may attack where Eve guesses the key before measurement, the employ collective classical processing of the measurement system is undermined completely with a probability of 2−|K|. results to take into account correlations induced by K. This Since it is practically easy to have K 103 or larger in a is analogous but different from the usual “collective attacks” stream cipher, such a guessing attack| would| ∼ have a much lower in BB84, because there is no question of probe setting in the probability of success compared to, say, the guessing attack present case. Since the term “individual attack” in BB84 does Eve may launch by guessing the message authentication key not include collective classical processing, our use of the used to create the public channel needed in BB84. In contrast term “collective attack” is appropriate and allows the further to the case without a PRNG, no subset of the data is vulnerable generalization to joint measurements in the most general case to a guessing attack that would correctly obtain a subset of the of “joint attacks” [18] . Whatever the terminology, K or Kr key with a high probability. is actually never revealed to Eve so that all her knowledge JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 3
of the data must come from her quantum measurements. In particular, as long as pc is below the threshold 0.15, Practically, so long as Eve does not have long-term quantum the users could employ an error correcting code with∼ rate R memory, she would need to measure the qubits even if she such that could obtain Kr at a future time. 1 h2(pc) >R> 1 h2(0.15), (1) Nevertheless, solely for the purpose of lower bounding − − where h ( ) is the binary entropy function and 1 h ( ) is Eve’s information which is difficult to estimate otherwise 2 · − 2 · because of the correlations introduced by K among the qubits, the capacity of the corresponding (BSC) channel. The second inequality in (1) ensures that Eve could not get at the data here we conceptually grant Eve the actual K, and hence Kr, after she made her measurements. Our KCQ principle of key because the code rate R exceeds her capacity. Under the first generation via optimal quantum receiver performance with inequality in (1) or a tighter one for concrete codes, the users can correct the channel errors and generate fresh key at a linear versus without knowledge of Kr is easily seen to work here: Even with a full copy of the quantum state Eve is bound rate under collective attacks as described in Section III.E. to make errors in contrast to the users. Indeed, her optimal For concrete protocols there is the general problem of assur- measurement can be found by parametrizing an arbitrary ing that the side information Eve has on the error correction orthogonal basis which she measures, and optimizing the and privacy amplification procedures would not allow her to parameters assuming that K is later granted to her before she obtain too much information on the generated key G. Under makes the bit decision. It is readily shown that general POVM the (unrealistic) assumption that only individual classical pro- measurements reduce to orthogonal ones in this optimum cessing of each qubit measurement result is made, which is binary quantum decision problem on a qubit. Not surprisingly, the i.i.d. assumption underlying many BB84 security analyses, her optimal error rate is 0.15 and is obtained via the Eve’s Renyi entropy, Shannon entropy, and error rate are “Breidbart” basis [19] well-known∼ in BB84, for which one simply related. Quantitative results can then be easily stated as basis vector bisects the angle between 1 and 2 or 2 and usual. For collective and general attacks there is the problem 3 depending on the bit assignment, and| i also in| i this case| i by of estimating the Renyi entropy for applying the privacy |thei basis obtained by rotating the Breidbart basis by π/4. amplification theorem [21]. With intrusion level estimation in A key verification phase is to be added in a complete concrete BB84 protocols this Renyi entropy estimate has never protocol after error correction and privacy amplification, as been carried out, while in Renner’s approach [22], [23] other discussed in Section IV B. It does not matter what Eve did in entropies are bounded in an unconditional security analysis to her interference during the protocol execution as long as the be discussed elsewhere. The problem is much alleviated for generated key G is verified. Since her information is bounded KCQ protocols for which a single quantum copy is already with a full copy of the quantum state already granted to her, granted to Eve for quantitatively bounding her information there is no need for intrusion level estimation to ascertain her with no need of intrusion level estimation. In particular, all information as a function of her disturbance. the side information from error correction is accounted for by The above scheme may be generalized in many obvious the second inequality of (1). ways. One is to allow M possible bases on the qubit Bloch The complete key generation protocol, to be called qb-KCQ, sphere. This would increase security without compromising is given schematically as follows: efficiency as in the BB84 case, because there is no mismatched (i) Alice sends a sequence of n random bits by a sequence qubits to throw away and there is no need to communicate of n qubit product states, each chosen randomly among openly what bases were measured. It is readily shown that two orthogonal bases via a running key Kr generated by in the limit M , Eve’s error rate goes to the maximum using a PRNG on a seed key K shared by Bob. value 1/2 for collective→ ∞ attacks [8]. Also, the scheme evidently (ii) An error control and privacy amplification procedure is works in the same way for Ekert type protocols that involve employed by the users to correct their channel errors and shared entangled pairs. Furthermore, the same principle may obtain a final generated key G, while assuring , e.g. under be employed for coherent-state systems with considerable (1), that even after all the associated side information and number of photons [8], [20], as discussed in Sections V-VI. a full copy of the quantum state is granted to Eve, errors In the present approach, error correction may be carried out remain for her so she has little information on G. by a forward error correcting code and the resulting perfor- (iii) The users employ key verification as in message authen- mance analysis is not burdened by the need to consider Eve’s tication to verify that they share the same G. probe and whether she may hold it with quantum memory. The above protocol can be easily modified for performing If the channel is estimated to have an error rate pc below direct data encryption. Instead of randomly chosen bits, Alice 15%, advantage is created against collective attacks as shown sends the data out as in (i) with error control coding but no above, and the existence of a protocol that yields a net key privacy amplification. The key verification (iii) becomes just generation rate may be carried out asymptotically in the usual the usual message authentication. Note that this approach is way. This channel error rate estimation is not for advantage not possible with BB84 or its secret-key modification in refs creation because the KCQ principle already guarantees the [14], [15], the former because of key sifting, the latter because users’ advantage over Eve. It is for correcting the users’ of the serious security breach of Eve getting correctly a whole channel noise and can be carried out at any time in contrast block of n/m data bits with probability 1/2 described above. to intrusion level estimation. Such a channel characterization In sum, the specific features of qb-KCQ not obtained in the is always needed in any communication line. corresponding single-photon BB84 key generation are: JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 4
B (1) Efficiency is increased in that there are no wasted qubits A, an observed random variable Yn for B that leads and no need for public communication except for key to a better error performance than that obtained by E E verification, while security is increased, especially for from her observed random variable Yn and all her side large number of possible bases. information. (2) No intrusion level estimation is required, thus no false- 2) Error Correction: alarm problem or any statistical fluctuation problem asso- The users agree on a generated string that is free of error ciated with such estimation. with high probability if E is absent. (3) The security/efficiency analysis is unaffected even for a 3) Privacy Distillation: multi-photon source whose output state is diagonal in the The users derive from the generated string a generated photon-number representation, as a full copy of the single- key G on which E’s error probability profile satisfies a photon state is already granted to Eve for bounding her given security level. information. (4) The security/efficiency quantification is similarly extended The index n above measures the number of channel output to realistic lossy situations, while new analysis not yet B E performed is otherwise needed to take into account, e.g., uses. In a quantum protocol, Yn and Yn are obtained from attacks based on approximate probabilistic cloning [24]. quantum measurements on the quantum signal space accessi- (5) The security/efficiency analysis is also similarly extended ble to B and E. The term “advantage distillation” has been used to include any side information for a finite-n protocol, previously [2] for the situation in which the above advantage with no question of holding onto the probes. is created by postdetection selection of data by B. That is (6) There are practical advantages in reducing the number of one possible way to create advantage classically as described random data bits needed by Alice and photon counters by Maurer [26] and the Yuen-Kim protocol [27]. Note that a needed by Bob in an experimental implementation. shared secret key between the users is needed for this approach (7) Direct encryption without going through key generation with public discussion exactly as in BB84 type protocols, for first may be employed, which is impossible for BB84. message authentication during key generation to thwart man- (8) Sensitivity to device imperfections is reduced in the large in-the-middle attack. M case. Eve’s conditional probability distribution (CPD) is the prob- On the other hand, security analysis of this scheme has not ability distribution of the different possible data values that she been extensively studied as in BB84. However, the security would obtain by processing whatever is in her possession. In the case of classical continuous signals, say a real-valued ran- issues of all key generation schemes are subtle as discussed E E dom vector yn which E observes, she can obtain from this yn in detail in the following sections III-IV. n the different probabilities pi,i 1, ,N = 2 1 N ∈ { ··· } ≡ − for the possible N n-bit data sequences xi that A transmitted III. FUNDAMENTALS OF KEY GENERATION E via the signal. Indeed, pi p(xi yn ), which can be computed This section describes the basic principles underlying all ≡ | E from the conditional probability p(y xi) and the data a priori key generation schemes, classical as well as quantum. The n | probability p(xi). condition of fresh key generation will be first described using In the quantum case, a measurement has to be first selected the conventional entropy or mutual information criterion. The E by Eve on her probe or copy with result Yn . The pi’s are acute problem of finding operationally meaningful quantitative E obtained accordingly where now p(y xi) = trΠyn ρxi where security criteria is then discussed in detail. This problem has n | Π n constitutes the measurement PO(V)M [6], [7] and ρ i not been previously treated in the literature except briefly in y x is{ the}x -dependent state in Eve’s possession. Note that Eve’s ref [25] but it affects quantum and classical protocols alike. i CPD p is indeed conditional not only on all the relevant Indeed the problem is so severe that whenever a shared secret i system{ parameters,} but also on her specific measurement result key is needed for the key generation protocol, it is not clear in yE. what meaningful security sense a fresh key has been generated. n In the above privacy distillation step, classical processing is On the other hand, KCQ, BB84 and its variants, as well as B used by B to distill G from Yn . On the other hand, Eve obtains classical protocols with public discussion all rely on shared E from Y an estimate Gˆ of G with a whole CPD pi on all its secret key. This issue will be elaborated in section IV after we n { } describe in this section how a concrete key generation scheme possible values. The term “privacy amplification” is standard works in general under the criterion of Eve’s optimal success in the QKD literature when the Shannon or Renyi entropy ˆ probability of finding the generated key. criterion is used to measure how well G approximates G [21]. In Section III.D it will be shown that a necessary criterion is p1, Eve’s optimal probability of getting Gˆ = G. In either A. Conditions for Fresh Key Generation case and in general, “privacy” cannot be “amplified” but only A classical or quantum protocol that generates a key with distilled or concentrated by processing, exactly as in the case information theoretic security would consist of three logical of quantum entanglement distillation. However, as in the case steps: of the term “QKD”, we will use “privacy amplification” to 1) Advantage Creation denote the usual privacy distillation procedure and sometimes The users A and B create a communication situation even all such, for convenience. Note that steps (ii) and (iii) A between themselves with input data sequence Xn from are often combined in a single extraction step, as in the case JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 5 of many QKD security proofs, though conceptually and in under (5). In arriving at (7) it is assumed that the key K is concrete implementations they are distinct steps and goals. not to be used in any other way so it has to be subtracted We give the usual entropy description of advantage cre- in counting how many fresh key bits are generated. Key ation before discussing the more appropriate CPD one. The generation is impossible when YE = YB from (6) and (8). situations described by information measures instead of prob- abilities are often quantitatively meaningful only asymptoti- B. Security Measure and p cally, except in the all or none limits. Thus we omit the n- 1 dependence and use XA, YB , YE to denote the data chosen by Let us consider the issue of security measure on the A and the observations B and E make. Advantage is created generated key G in a key generation system. Eve’s Shan- in entropy terms if and only if the conditional entropies obey non entropy HE(G), or equivalently her mutual information H(XA YE)
A general security measure on pi would include not just Lemma 2: { } −l n −l but also the probabilities of various subsets of the bits in p 2 [ n 1] for I /n 2 . p1 1 log2(2 −1) E ≥ − − ≤ G, which are not determined by p1. Some measure on the n 1 closeness of these probabilities to the uniform is needed. Since n 1 < n , it is very small compared U log2(2 −1) − n2 to 2−l for any l n and moderate n. Thus, we have To appreciate the importance of such probabilities, consider ≤ the following probability distribution on the n-bit G. One −l −l p1 2 for IE /n 2 . (10) subsequence, say the first m bits, 1 m n , occurs with a ∼ ∼ probability p independently of the rest.≤ Assuming≤ the rest is −l If a constraint on p1 is first imposed instead, p1 2 , the uniformly distributed, we have for L =2n−m, q =1, the ≤ Pi i smallest IE is given by (10) while the information limit on E following distribution on the 2n possible values of G:- is only a weak guarantee as given by the following 1 p 1 p pq , , pqL, − , , − . (13) 1 ··· 2n 2n−m ··· 2n 2n−m Lemma 3: − − −l HE(G) l for p1 2 . (11) Under the constraint IE /n p1 for given p1, it follows from ≥ ≤ (13) that Eve could determine≤ the first m bits with a probability Proof: From the (Schur) concavity of H, the minimum l n HE under given p1 occurs at p1 = = pm = 2 for p p1 (14) l ··· ∼ m m =2 ,pm+1 = = pN =0. ··· assuming 2n 2m and p m/n. Equation (14) shows that ≫ 1 ≤ −l a smaller subsequence of may possibly be determined with Lemma 3 tells the obvious fact that under p1 = 2 , all G but l bits of G could be completely known to Eve. This does higher probability than the maximum p1 of the whole n-bit not suggest that p1 is not a good measure for key generation, sequence, in linear proportion to its size. Its possible disastrous because in a specific problem such as the ones in section II and effect on security is illustrated numerically in Appendix A. section VII, the other pi are either explicitly known or readily One useful measure that would yield meaningful bounds on estimated. In particular, it is usually clear that there are many the subsequence probabilities of G is uniformly ǫ-randomness. not totally known bits in G. However, it is also clear that p1 A uniformly ǫ-random n-bit string G is one for which by itself is not generally sufficient and it is useful to have a 1 n pi ǫn, N =2 . (15) bound on IE that would rule out this disastrous possibility. | − N |≤ JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 7
That is, all the probabilities of the different sequences deviate as follows. Alice picks a code with rate R for transmitting the from the uniform probability 1/N by at most ǫn. A more data that satisfies (17) that B can decode in practice. From the manageable single-number criterion similar to (15) may be Shannon channel coding theorem [30], Bob’s error probability used, the usual variational distance δ(G, U) between G and can be made exponentially small in n, the number of channel the uniformly distributed U, uses. From the “Strong Converse” to the Coding Theorem [31], N Eve’s error probability 1 p1 is bounded by 1 1 − δ(G, U)= X pi . (16) −nEs(R) 2 | − N | p1 e , (18) i=1 ≤ It can be readily shown that if δ(G, U) ǫ, the probability for an exponent Es(R) that can in principle be evaluated for ≤ given p(XA YE ). For the qb-KCQ scheme of section II, the p of getting any m-bit subsequence correctly is bounded by | 1 exponent Es(R) in (18) for collective attacks can be explic- p ǫ + 2m . ≤ itly evaluated and will be presented elsewhere. This Es(R) gives a linear key generation rate which is nonzero when D. Privacy Amplification and p 1 R > I(XA; YE). As discussed in the last subsection, hopefully B There is another great significance of p1 on G – it de- an n-sequence Yn can be compressed to an nEs(R)-sequence termines the length of a uniformly random string that can that is nearly uniformly random. be extracted from G by privacy distillation of any kind. This generalizes to the finite n case without I’s as follows. A This is relevant if G is the bit string B has before privacy Let Xn be sent in a coded/modulated system so that it can be −l B distillation instead of the final generated key. For p1 =2 , no recovered with sufficiently small error probability via Yn . Let ˜ −l A distilled key G can be obtained from G which has p1 < 2 . the optimal error 1 p1 that Eve can obtain on Xn satisfies −l − This is because distillation is obtained by an openly known p1 2 . Then an l-bit G could be generated between A and map D : 0, 1 n 0, 1 m that maps the n-bit G to an B from≤ an algorithm that compresses XA to a nearly uniform { } → { } n m( E ρE ) E %x Ul E Yn A K K K Ch i ρk Ul Vl Xn x B K K K ˆ B ˆB ˆ B ρk Ul Vl Xn B %x Yn Fig. 2. General keyed communication in quantum noise. in a properly designed system. Note that K bits have to be subtracted from the generated key | | As a consequence, this approach makes possible the de- in the key generation rate. A net fresh key still results in the velopment of an efficient key generation protocol over long- situations of sections II, V-VI where a linear key generation is distance telecomm fibers using commercial optical technology. obtained for a fixed K under constant measurement attacks. A final key verification step is needed in KCQ protocols. For In general, it is part of the performance/security analysis to the purpose of assuring the same key is agreed upon for future ascertain the efficiency of key generation. use, this step is recommended for all key generation protocols including BB84. For KCQ protocols, where no intrusion level C. Security Approaches for KCQ Key Generation estimation is carried out, it is needed to make sure that E has In analyzing the security of KCQ key generation schemes, not messed up the key generation process so that A and B have we typically grant a full copy of the quantum signal at the different versions of the generated key G. This verification step transmitter to Eve for the purpose of bounding the information can be achieved by any message authentication method [16] and performance she could possibly obtain in any attack. We including ones that are not keyed. There can be no man-in- did it in Section II on qubit key generation. Realistically, Eve the-middle attack in KCQ protocols because there is no public may or may not be able to obtain such a full copy. In the exchange and Eve cannot get G from A without knowing K. process of doing so, say in the qubit case, she may introduce Eve could not tell more about XA other than what she could large errors that would prevent a key from being generated find out from her copy. Her disruption may lead to different and such failure would be detected in the key verification step. versions of XA for A and B, which is to be detected by the On the other hand, for coherent-state signals in the presence verification step. If she disrupted, but A and B still get the of large transmission loss, she could actually accomplish that same agreed key, she does not know anything more about the physically with no disruption to the protocol. It does not really generated key anyway, in contrast to protocols that involve matter which is the case from our security analysis viewpoint, public exchange. Schematically, a complete KCQ protocol as we are merely bounding her achievable performance with corresponding to the communication situation of Fig. 2 may this ploy. be summarized as follows. A question arises to whether Eve is supposed to know the shared secret key K at some later time. If she does and she Generic KCQ Protocol: has sufficient quantum memory, the generated key G would be (i) A picks a random bit sequence Um, encodes and mod- completely compromised under the above ploy of granting her ulates the corresponding n qubits or n qumodes as in Fig. 2, one full copy of the quantum signal. If there is not sufficient with a total secret key K shared with B. quantum memory, which is surely the case for at least the (ii) From K, advantage creation is achieved via the different intermediate future as no realistic quantum memory of just 1 error performance obtainable by B and E who does and does sec long is even in sight, she would have to make a quantum not know K at the time of their quantum measurements. measurement before she knows the key. Under such a situation, (iii) Privacy distillation may be applied to generate a net key key generation is possible unless she launches a key guessing G on which E has an error probability profile that satisfies the attack and hits on the correct k value. security goal. It is our contention that there is little reason to worry about (iv) A and B verify that they agree on a common G. the case where Eve would know K at any time. Having JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 10 a presumably secret key betrayed is an altogether different energy. The use of homodyne/heterodyne detection in quantum problem that occurs in every situation involving such secret. cryptography was suggested in [33], and in conjunction with In the following, we will just use this as an additional ploy coherent states in [34]. In most of the current experimental to bound Eve’s performance. As will be seen, its use leads to developments [2] of QKD, coherent states are employed in a realistically useless bound for binary detection in section V BB84 type protocols that are limited in energy to 0.1 but still a very strong bound for the N-ary CPPM of Section photon, if only because of the photon-number splitting∼ attack VI. that E can launch near the transmitter [35], [36]. With KCQ, It may be observed that the situation is different with respect we will in this and the next section show that much larger to the message authentication key in BB84 type protocols. If energy can be employed, line amplifiers and pre-amplifiers can that key is not known during protocol execution, its knowledge be used, and conventional optical technology on the sources, is useless after the key is generated even with indefinite modulators, and detectors can be utilized. Furthermore, direct quantum memory. But as we remarked, there is no reason encryption coherent-state KCQ in what is called the αη why Eve would know K ever. It may be emphasized in this scheme has already been experimentally demonstrated [9], connection that there is no known-plaintext attack on the key [37], which will integrate smoothly with the corresponding in key generation. The data are secretly chosen by A with no key generation schemes. regard to inputs from others. The usual description of a single coherent state already Other than the guessing attacks, Eve’s optimal quantum joint involves an infinite dimensional space, referred to as a qumode. k attack on the data could be formulated as follows. Let ρx be Similar to the qubit case in Fig. 1, we may consider M A the quantum state for a K-value k and X value x, thus possible coherent states αl in a single-mode realization, k | i ρx = k pkρx. The optimal quantum detector that leads to P n 2πl p for Eve is an N-ary digital detection problem, N = 2 . αl = α (cos θl + i sin θl), θl = , l 1, ..., M], (20) 1 0 M ∈{ If the resulting p1 can be upper bounded in the form p1 −l ≤ 2 2πl 2 , the possibility and meaning of key generation has been where α0 is the energy (photon number) in the state, and M discussed in Section III. Similarly, one may consider individual is the angle between two neighboring states. In a two-mode or collective constant quantum measurement attacks, in which realization, the states are products of two coherent states a reasonable measurement is chosen for each qubit or qumode 2πl in the signal state space, and find the optimal joint classical α0 cos θl 1 α0 sin θl 2 , θi = , l 1, ..., M , (21) detector performance from such measurement results. They | i | i M ∈{ } may be regarded as the correspondents of joint and collective The qumodes may be those associated with polarization, time, attacks on BB84. In view of the great empirical difficulty of frequency, or any type of classical mode. Any two opposite measurement across more than one or two modes, the resulting states on the circle form the basis states of a phase reversal key generation thereby has clear practical significance. In my keying (antipodal) signal set, which are nearly orthogonal for view, its significance is even greater than that of a more general α0 3. There are M/2 possible bases. The optimal quantum ≥ security analysis that is based on highly idealized model that phase measurement [7], [38] yields a root-mean-square phase never corresponds to reality. Further discussion on such issues error ∆θ 1/α0. Thus, on a bit-by-bit situation, when ∼ E are given in Section VIII. M α0, the probability of error P 1/2 when the basis is ≫ b ∼ In the following two sections, we would analyze the per- not known which has been confirmed numerically [39], while formance of coherent-state KCQ systems assuming a fixed P B exp( α2) 0 when the basis is known. b ∼ − 0 → measurement is made on each mode under collective attacks. The use of this scheme for direct encryption has been Their performance under joint attacks are difficult to obtain extensively studied theoretically [8], [28], [29], [40] and and yet to be derived, but they are of great interest because experimentally [9], [37], [39]. It is called αη or Y-00 quantum these systems can be empirically implemented in a regime noise randomized scheme. It can be used for key generation with much higher effective key generation rate than other QKD as follows. systems. When the key is unknown to Eve, the general quantum Eve may attack the data via attacking the key first. A measurement she could make in principle to cover all possible separate key security analysis has to be performed on each signal sets is heterodyning or phase measurement on each specific KCQ protocol. The key is perfectly secure for the qb- qumode. Assuming this (or any other) individual attack, Eve A E KCQ scheme of section II, and also for the CPPM scheme of could determine her whole CPD of p(xn yn ) for the data A | E section VI when p1 is properly adjusted. Additional analysis n-sequence Xn sent by A with her measurement result yn on the binary scheme of section V is needed to tell the extent where each yE,i 1 n is a complex number. As discussed i ∈ − of modification required for key security. in Section IV.B, a whole copy of the signal is to be granted to Eve for obtaining this CPD for the purpose of security analysis. The presumably nearly optimal individual measurement for the V. KCQ COHERENT-STATE KEY GENERATION WITH αη signal set (20) or (21) for large M is the optimal phase BINARY DETECTION A B measurement. The best estimate of xn from yn is a classical In this section we describe the use of KCQ on qumodes, N-ary detection problem with N = 2n that would provide quantum modes with infinite-dimensional Hilbert state spaces, Eve’s best p1 of her CPD. Fresh key generation is possible if −|K| for key generation via coherent states of intermediate or large for some n, p1 < 2 assuming it is essentially error-free JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 11 for B, which may be achieved without coding as indicated VI. KCQ COHERENT-STATE KEY GENERATION WITH above. However, no rigorous result has yet been obtained in N -ARY DETECTION this problem. The above limitation on the binary detection advantage of an On the other hand, that fresh key generation must be optimal quantum receiver versus heterodyne can be overcome possible under such attacks can be seen from the performance in N-ary detection. The use of N-ary systems, in fact, is one bound obtained by granting Eve the value of K after the form of coding. As will be seen in the following, it indeed individual qumode measurements. In that situation, Eve could corresponds to driving the system at a rate between B’s and E’s use the key value to solve the binary decision problem on mutual information with respect to A as in (17). Amazingly, E each of the qumodes from each yi she got. In contrast, B for the particular CPPM (Coherent Pulse Position Modulation) could use the optimal binary quantum receiver or a close ap- system we now turn, such a rate choice by A can make IE go proximation thereof to determine the data bit of each qumode. to zero with a flat error profile and also with (full) information- For the discrimination of two equally likely coherent states theoretic security against known plaintext attack on the key. α0 , α0 , the optimum quantum receiver yields an error This can be proved against the universal heterodyne attack, {| i¯|− i} het rate Pb that may be compared to the heterodyne result Pb and is possibly true against more general attacks. ph 2 and the phase measurement result Pb , with S = α0, An N-ary coherent-state pulse position modulation system has the following signal set for N possible messages, 1 −4S het 1 −S ph 1 −2S P¯b = e , P e , P e (22) φi = 0 1 α0 i 0 N , i 1, ..., N . (23) 4 b ∼ 2 b ∼ 2 | i | i · · · | i · · · | i ∈{ } In (23), each φi is in N qumodes all of which are in the | i Here, S measures the average number of photons received in vacuum state except the ith mode, which is in a coherent the detector and (22) applies in the so-called quantum-limited state α0 i. The corresponding classical signals are orthogonal | i detection regime— unity detector quantum efficiency, infinite pulse position modulated if each mode is from a different detector bandwith, all device noise suppressed. Under (22) and time segment, but generally the modes can be of any type. dropping the factors in front of the exponentials for a numer- For brevity, we retain the term ‘pulse position’ even through ical estimate of the bit-error rate (BER), which is required to ‘general mode position’ is more appropriate. be 10−9 per use in a typical communication application, we The photon counting as well as heterodyne error perfor- ≤ ¯ −12 het −3 ph −6 mance of (23) are well known [41]. The block error rate from have, for S 10, Pb 10 , Pb 10 , Pb 10 . If the data arrives∼ at a rate∼ of 1 Gbps, the∼ user B is likely∼ to have direct detection is exponential optimum for large N. 9 3 10 error-free bits in 1 sec, while E would have 10 errors dir 1 −S −S 9 ∼ P = (1 )e , P¯e e . (24) among her 10 bits with the optimum phase measurement. e − N → Presumably, the users can then generate 103 secure key The optimum block error rate P¯ for (23) is known exactly [6], bits by eliminating E’s information. Thus,∼ in principle, αη in e and given by (24) asymptotically. In contrast, for large N the its original form is capable of secure key generation against heterodyne block error rate P het approaches 1 exponentially collective attacks that employs the optimal phase measurement e in n = log N, which is a general consequence of the on each qumode even if Eve knows afterwards. 2 K Strong Converse to the Channel Coding Theorem as discussed There is an N-ary quantum detection problem for finding in section III.E. For the present Gaussian channel case for Eve’s (averaged) p1 under joint attack, the performance of heterodyne receivers, explicit lower bound on the block error which would provide the security level under joint attacks. het rate Pe , conditioned on any transmitted i, can be obtained The αη key generation scheme in the form (20) or (21) in the form (p. 382 of [30]) that, for any y, allows a direct attack on its key by Eve similar to the case of P het > (1 [Φ(y)]n)Φ(y √2S), (25) direct encryption. This problem can be solved by additional e − − randomization called DSR [8], [40] which we would not go where Φ is the normalized Gaussian distribution. By choosing into here. y > √2n, (25) yields explicitly P het 1 exponentially in e → It may be mentioned that for binary detection of coherent n for any given S. It is a main characteristic of classical states, the optimal quantum receiver performance cannot be orthogonal or simplex signals in additive white Gaussian noise better than that of heterodyning by 6 dB in energy or error that whenever an error is made, it is equally likely to be exponent. The antipodal signals of αη lead to exponentially decoded by the optimal receiver to any of the N 1 other − optimal BER under energy constraint on binary coherent-state messages [42]. Thus, under the condition P het 1, the CPD e → signals, which cannot be improved by bandwidth utilization has pi =1/N for i 2. ≥ [8]. The proofs of these statements will be omitted for brevity. The KCQ qumode key generation scheme CPPM works This leads us to consider N-ary systems in the following. as follows. Consider N = 2n possible n-bit sequences, and On the other hand, it should be emphasized that since (22) possible coherent-states provides just a bound, presumably rather weak when Eve does N ′ ψi = j=1 αij j , i,j 1 N (26) not know K, there is much value in determining Eve’s p1 in | i ⊗ | i ∈ − such cases when the signals are moderately strong in the range in correspondence with φi of (23). For simplicity, one may 3 4 2 2 {| i} S 10 10 as in the experimental implementation of αη set Pj αij = α0 = S for every i. Let fk be a one- direct∼ encryption.− to-one map| | between| | (23) and (26) indexed by a key K. As JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 12 an example of physical realization, the connection between tion from a variety of viewpoints. No quantitative comparison (23) and (26) could be through a set of N beam-splitters with will be attempted due to insufficient quantitative details in both transmission coefficients √ηm for complex numbers ηm, m cases on these issues. ∈ 1 N, determined by k. Such a physical realization combines − the αij of (26) coherently through the ηm’s, and is represented A. Unconditional Security by a unitary transformation between the two N-tensor product It is often taken to be true that BB84 type protocols offer state spaces N H and N H′ for the input and the output. i=1 i i=1 i unconditional security in an information-theoretic sense, with The states ψ⊗ of (26) are⊗ used to modulate the data i by A, i at least asymptotic proofs supplied for the case of ideal and B demodulates| i by first applying f to transform it to φ k i devices. Some problems were raised concerning such proofs of (23) and then use direct detection on each of the N modes| i in [8] (App. A) which would not be entered into here. In H . i any event, as discussed in ref. [28], asymptotic existence Without knowing f or η so that there are both amplitude k m proof has no practical implication in cryptology since one and phase uncertainties for each m, it is expected that an needs to analyze the security of specific finite-n cryptosystems. attacker can do very little better than heterodyne on all the H′ i Here, I would like to emphasize that quantitative information modes, which is equivalent to heterodyne on all the H modes, i theoretic security of a bit sequence has yet to be made precise and then apply the different f ’s on the classical measurement k while being operationally significant. As discussed in Sections result. As presented above, by making N large one can then III, IV, and the appendices of this paper, the usual mutual make not only p = 2−l for any l but E’s error profile is 1 information I or variational distance δ or their quantum in fact nearly uniform, with p = (1 2−l)/(N 1) for E E 1 counterparts employed in the QKD literature is not a sufficient i 2 . This happens whenever yE leads− to an error− from n security guarantee except in an extreme region that appears to the≥ decision rule that minimizes the average error [42], which have little hope in ever getting realized practically. Smallness is asymptotically certain in the situation under consideration. of the other measure p , the attacker Eve’s optimal probability Thus, if we choose the system parameters so that p = p , 1 1 i of getting the entire key generated, is a necessary security Eve would have uniformly random CPD’s for all yE and k. n feature. Clearly a 0.1% leak of I is totally unacceptable – As a consequence, the system is not only completely secure E See Appendix A. On the other hand, no KCQ scheme security against ciphertext-only attack on the key but also fully secure under joint attack has yet to be studied. against known-plaintext attacks. There is no need for further Actually, as we further substantiate in the following, the privacy distillation. Also, in contrast to the binary detection practical significance of such “unconditional security” is over- case, the data is secure even if Eve has the key K after her rated, both because of intrinsic protocol modeling limitation heterodyne measurement. We summarize: and the futuristic technology granted to the attacker. It is not Against E’s universal heterodyne attack, the N-ary CPPM important to grant Eve the ability to have indefinite quantum KCQ protocol can be made secure with key generation rate memory while none of one second long is in sight. Similarly, n = log N per use and uniform CPD to Eve. 2 there is no known experimental way to entangle three or more However, it is difficult to estimate p closely and in the 1 qubits or qumodes close to a given prescription. In comparison, absence of such estimate, this one case difference among 2n it appears much easier for Eve to just break into a protected is either taken to be unimportant or additional DSR is needed office to get some of the secrets by brute force. to assure a fully uniform error profile. Security under composition is another issue for both KCQ The CPPM scheme is also ideal for direct data encryption and BB84 assuming Eve has the required quantum memory. because it automatically produces (a near) uniform error pro- The purported solution for BB84 in ref. [44] is not valid as file on E. Unfortunately, as in a classical orthogonal signaling indicated in Appendix B. scheme, large N in CPPM means exponential growth of bandwidth, not to mention growth in physical complexity. Indeed, (24) itself is an infinite-bandwidth limit result for large B. Device Imperfections N. On the other hand, it is known [43] that if the signal-to- It has been well known that device imperfections could quantum noise per unit bandwidth is small, coherent-state di- be exploited by Eve to seriously compromise a BB84 type rect detection systems do have larger capacity than heterodyne protocol. Some seemingly irrelevant imperfections have been ones. Thus, it may be expected that properly designed error shown to be disastrous, beginning with the spectral defect of correcting codes, usually employed for bandlimited systems detectors pointed out in [45] to the recent time-shift attack for such reasons, could be developed to retain much of the [46], [47], [48] that have been experimentally demonstrated CPPM advantage for a large given bandwidth. I would like to [49]. In combination with the inevitable loss of an optical emphasize again that sections V-VI are sketchy introductions system, it was recently claimed that no loss more than a factor to some main ideas and possibilities of KCQ key generation of 2 can be tolerated for “loophole free” security [50]. On the with significant energy coherent states. Many details are yet other hand, for KCQ key generation such as αη or CPPM to be developed. discussed in sections VI-VII of this paper, there is no such sensitivity to device imperfection. The intuitive reason is clear: VII. COMPARISON WITH BB84 BB84 type systems operate with a very small signal level and We will briefly compare qualitatively KCQ key generation thus are sensitive to small system parameter variations but with BB84 type protocols which involve intrusion level estima- KCQ may operate with much stronger signals. JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 13 C. Sensitivity and Protocol Efficiency D. Effect of Loss The performance of a key generation scheme for useful real- The usual linear loss is extremely detrimental to quantum life application is gauged not only by its security level, but effects [43] and is also difficult to handle in physical cryp- also its efficiency in at least two senses to be elaborated in tosystems. Eve should be presumed to be able to attack much the following. For a protocol to be useful the two efficiencies closer to the transmitter than Bob at the users’ receiver. In cannot be too low. protocols with intrusion level estimation, it is customarily assumed that Eve could replace the resulting transmission link The first type of efficiency that should be considered is with a lossless one, the reason being that she could utilize protocol efficiency, denoted by P , which has not been treated eff free-space lossless links instead of fibers. In KCQ protocols in the QKD literature. It can be defined as the probability without intrusion level estimation, Eve may gain a large energy that the protocol is not aborted for a given channel and a advantage compared to Bob which has to be exceeded for fresh fixed security level in the absence of an attacker E. It is key generation. essential to consider the robustness of P with respect to eff Even for ideal devices it is not clear what kind of security channel parameter fluctuation, e.g., how sensitive P is to eff proof has been supplied for a purely lossy BB84 system for small changes in channel parameter λ which may denote, c what kind of specific protocol. Is the so-called “twirling” e.g., the independent qubit noise rate of any kind. In practice, needed for security? Against what kind of channel replacement λ is known only approximately for a variety of reasons, and c attack? We have these questions not just for coherent-state imperfection in the system can never be entirely eliminated. systems but also single-photon ones, which are not answered If P is sensitive to such small changes, the protocol may eff by the decoy state technique [55]. We also have these questions be practically useless as it may be aborted almost all the just according to the usual security measures adopted, not time. Sensitivity issues are crucial in engineering design, and including p or other measures discussed in this paper. there are examples of ‘supersensitive’ ideal system whose 1 The effect of pure loss and loss plus device imperfections performance drops dramatically in the presence of small im- may be very detrimental [50] and must be fully quantified for perfection. Classical examples include detection in nonwhite both KCQ and BB84 type protocols with a proper criterion. Gaussian noise [51] and image resolution beyond the diffrac- Note that coherent or squeezed states of considerable energy tion limit [52]. Superposition of ‘macroscopic’ quantum states cannot be used in BB84 type protocols to alleviate loss, due is supersensitive to loss [53]. This crucial sensitivity issue is to the signal discrimination attack Eve may launch near the one of fundamental principle, not mere state of technology. It transmitter. Such attack is thwarted in KCQ protocols by the has thus far received little attention in the field of quantum shared secret key. information. Our qumode KCQ key generation protocols are robust to E. System Integration and Implementation channel parameter fluctuations as the case of a conventional optical communication line. On the other hand, e.g., the It is difficult to implement BB84 type cryptosystems close to reverse reconciliation protocol in [54], which supposedly can the protocol prescription due to the high performance devices operate in any loss, is supersensitive in high loss. Let η be required. In contrast, KCQ qumode protocols require only the transmittance so that η 1 corresponds to the high loss off-the-shelf optical technology. Furthermore, conventional situation. In the presence of≪ a small additive noise of η/2 amplifiers can be used on them up to a certain number [8], [37] photons in the system, the protocol becomes insecure because depending on the system. They can also be readily integrated the noise induced by the attacker cannot be distinguished from with existing optical networks. All of these are difficult with excess noise. Note that high security level often decreases Peff the weak-signal BB84 type protocols. and it is important to quantify the tradeoff. Secondly, even when the scheme is not supersensitive, VIII. CONCLUSION the sensitivity level has to be quantified in a QKD scheme Physical cryptography, including KCQ direct encryption as involving intrusion level estimation in a complete protocol well as BB84 and KCQ key generation, employs secrecy with quantifiable security, for the following reason that has protection mechanisms at the physical signal level away from not been discussed in the literature. A stopping rule for the the bit level at the application layer end of a communication protocol has to be adopted to stop the key generation process link. It cannot be attacked from such end and Eve has to after it was aborted for a certain threshold number of times physically intercept the transmission link with sophisticated in a given time interval. If the threshold is set too low, the technology in order to launch any meaningful attack. This protocol may be aborted too often by statistical fluctuation automatically rules out “petty thefts” and constitutes a sig- or un-modeled random disturbance and become inefficient. nificant security advantage compared to standard techniques, If it is indefinitely large, Eve may launch a very strong similar to digital versus analog wireless rf transmissions. Apart attack although it causes much disturbance. In any case, Eve from the possibility of rigorous security proofs, which has could raise her possible information by counting on the users’ to be tempered by the corresponding problem of adequate repeated trials and launch a stronger attack than otherwise. physical modeling, physical cryptography offers a totally new A complete quantification cannot be obtained without an way of securing privacy different from all the standard high- explicit stopping rule. Such a rule would affect the quantitative rate cryptographic techniques in use. It is a “new paradigm” efficiency of the protocol. in cryptology. JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 14 A major implication of our KCQ approach to BB84 type the more appropriate measure. For cryptographic security, it approach is that a PRNG should be used to generate a running is clear that the worst case also should be considered, as key that determines the users’ choice of basis as described in it typically was in various QKD considerations. Using the Section II. This should be done even when intrusion level Markov inequality (19) to handle the randomness in IE would −2λn estimation is still employed to retain some BB84 feature for a induce a much more stringent requirement IE 2 than weak signal or qubit protocol. There are many resulting advan- (27). ≤ tages both from a practical implementation and a theoretical Assume IE(yn) satisfies (27), we have seen in Section security analysis point of view. III.B that Eve’s maximum probability of getting the whole −λ(n+log n) The KCQ approach itself seems to hold great promise. G correctly could be as big as p1 2 from Under universal heterodyne attack, we have shown that in (10). Also, from (13), Eve’s maximum∼ probability of getting principle fresh key generation is quite possible in the CPPM a fraction 0 < f 1 of the n bits in G correctly is −λ(n+log n)≤ system of Section VI with respect to the attacker’s total p1(f) 2 /f. These are adequately small if λ 1 probability profile. for the∼n-bit G. For λ 1 or even λ 0.5, it is not clear∼ in Finally, it is well to recall that we still need to develop a what sense G is close≪ to an n-bit uniformly∼ random string. meaningful and sufficiently strong security measure that can be The problem is especially acute when G is used to serve as usefully estimated and achieved in concrete realistic protocols. one-time pad key. At best, it is a λn-bit ‘nearly uniform’ string and calling it an n-bit fresh key is an unwarranted APPENDIX A exaggeration. INADEQUACY OF EXPONENTIALLY SMALL INFORMATION What are the possible λ’s one can obtain, in principle as FOR EVE well as in practice? There are few theoretical papers [56], [57], The strongest theoretical security claims (proofs) that have [58], [59], [60] that give an explicit expression for λ, none been offered thus far in QKD is that Eve’s total mutual of which gives it a sufficiently explicit form to tell readily information on the n-bit generated key G is exponentially whether λ 1 can be achieved with what system parameters. ∼ small in n in various BB84 type protocols. Here we will The situation is a lot worse in practice. The best reported 6 show in what ways this claim is insufficient for operationally IE/n appears to be that of ref. [61] for n up to 10 bits −9 −3 meaningful security guarantee. The criterion of vaiational with IE /n 2 10 . Many possible disastrous breaches ∼ ∼ distance from a uniform string instead of mutual information of security are not ruled out with such numbers. In addition is quantitatively similar and discussed in Appendix B. We to the possibility of Eve’s getting the whole 106 bits G with −3 5 are not talking here about the composition problem or issues p1 10 , from (13) some 10% of G or 10 bits may possibly ∼ of system modeling. It is purely the quantitative security be obtained with probability 10p 10−2, or some 104 bits of ∼ guarantee within the system model. G with probability 100p 10−1, in addition to 103 bits with ∼ Let IE = n HE(G) be Eve’s total information on the probability 1. n-bit generated− key G. The well known quantitative claim is that for large enough n, APPENDIX B −λn IE 2 (27) PROBLEMOFTHE VARIATIONAL DISTANCE SECURITY ≤ MEASURE for some function λ of the system parameters. This IE is an average over various random parameters. If we let ri In Section III and Appendix A, we showed that Eve’s mutual be the possible values of such parameters with probability information IE is not a good measure of security on an n- −λn distribution p(ri), the IE in (27) is of the form bit string G unless IE/n 2 for a sufficiently large λ. In addition to I , the variational∼ distance δ of Eve’s condi- I = p(r )I (r ) (28) E E E X i E i tional probability distribution (CPD) from the uniform random i −n n variable U with p(ui)=2 ,i 1 N,N = 2 , may be where IE is Eve’s information for a given ri. In particular, it is used as security measure. By definition,∈ − the variation distance E averaged over Eve’s observations yn that gives her a specific (or statistical distance or Kolmogorov distance) between two E conditional probability distribution (CPD) pi ,pi = p(gi yn ) distributions P and Q over a set is for i 1 N,N = 2n. Thus, for a given{ value} of average| N I =∈I −in (28) satisfying (27), there is at least one but 1 E 0 δ(P,Q)= X P (i) Q(i) . (29) generally many values of yE with I (y ) I( p ) = 2 | − | n E n i i∈N E ≡ { } IE (p(gi y )) that exceeds I . A reasonable guess would be | n 0 that roughly half of the times IE (yn) exceeds its average We will show that the distance δE = δ(G, U) between Eve’s value I0. For these values of yn, the constraint (27) would CPD and the uniform distribution U also has a problem. −n not apply, i.e., IE(yn) > I 2 . Without an estimate of It was suggested that δE is a good measure of security 0 ≤ the probability on this set of yn values, the security guarantee because δ(P,Q) “can be interpreted as the probability that two is somewhat shaky. random experiments described by P and Q respectively, are This point between average versus worst case also occurs different” [22], [62] , an interpretation repeated in refs. [44], in almost all “computational” problems, say on the average [63]. The justification for the interpretation is given by lemma versus worst case complexity, the latter usually taken to be 1 in refs [62], [63] which states that for any two distributions JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 15 P,Q for two random variables X and X′, there exists a joint [6] H. Yuen, R. Kennedy, M. Lax, IEEE Trans. IT 21 (1975) 125-134. [7] C.W. Helstrom, Quantum Detection and Estimation Theory, Academic distribution PXX′ that gives P,Q as marginals with Press, New York (1976). Pr[X = X′]= δ(P,Q). (30) [8] H.P. Yuen, arxiv.org:quant-ph/0311061 (2003). 6 [9] E. Corndorf, C. Liang, G.S. Kanter, P. Kumar, and H.P. Yuen, Phys. Rev. A 71, pp. 062326, 2005. However, to the extent it makes sense to talk about such [10] O. Hirota, M. Sohma, M. Fuse, and K. Kato, Phys. Rev. A. 72 (2005) a joint distribution, the interpretation would obtain only if 022335; quant-ph/0507043. “there exists” is replaced by “for every”. This is because [11] The term ‘key expansion’ is often used in conventional cryptography to denote a (session) key derived from a master key, which does not since there is no knowledge on such joint distribution, one possess (perfect) forward secrecy in the sense that its randomness is cannot assume the most favorable case via “there exists” for derived entirely from that of the master key. Such a key is not fresh security guarantee or for general interpretation. Indeed, it is – it does not possess randomness statistically independent of the master key. We opt for the term ‘key generation’ to signify that the key generated not clear at all what realistic meaning can be given or claimed is statistically independent of any secret key used during the generation for the realization of such a joint distribution, other than the process. independent case PXX′ = P Q. In such case, even if both P [12] H.P. Yuen, in Quantum Communications, Computing and Measurement, · ed. by O. Hirota et al, Plenum, New York, pp. 17-23, 1997. and Q are the same uniform distribution so that δ(P,Q)=0, [13] H.P. Yuen, in Mathematical Sciences (in Japanese), no. 508, Oct 2005, ′ 1 we have Pr[X = X ]=1 N and the two sides of (30) are pp. 35-40; also in quant-ph 0510069, 2005. almost as far apart6 as it could− be since both are between 0 and [14] W.-Y. Hwang, I.G. Koh, and Y.D. Han, Phys. Lett. A 244, 489 (1998). [15] W.-Y. Hwang, X.-B. Wang, K. Matsumoto, J. Kim, H.-W. Lee, Phys. 1. This provides a counter-example to the interpretation. Rev. A 67, 012302 (2003). As a numerical measure, δE suffers the same p1 problem [16] See, e.g., A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, Handbook as IE from the fact that of Applied Cryptography, CRC Press, 1997. [17] She is given only a single copy, not a “cloning machine” that does not −l 1 exist according to the principles of quantum mechanics. In single-photon δE =2 , (31) − N BB84, one such copy is enough to completely undermine its security. [18] Note that just non-identical qubit-by qubit probes is already classified −l −l 1−2 as a joint attack in the BB84 context. when Eve’s CPD has p1 =2 ,p2 = = . See Section ··· N−1 [19] C.H. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin, J. III.B and Appendix A. When l is not close to n, the security Cryptol. 5, 3 (1992). risk of a δE guarantee may be tremendous for any n l [20] H.P. Yuen, P. Kumar, E. Corndorf and R. Nair, Phys. Lett. A 346, 1 ≫ (2005). exactly as in the case of the IE guarantee. [21] C.H. Bennett, G. Brassard, C. Crepeau, and U.M. Maurer, 41, 1915-1923 However, the subset probability guarantee of δE is better (1995) than that of IE. As stated in section III.C, the incremental [22] R. Renner, J. Quant. Inf. 6, 1 (2008); also arxiv.org: quant-ph/0512258. probability from uniform for any m-bit subsequence is no [23] V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008). −m [24] J. Fiurasek, Phys. Rev. A 70, 032308 (2004). more than ǫ for δE ǫ. On the other hand, for ǫ 2 , the ≤ ≫ [25] H.P. Yuen in: O. Hirota, J.H. Shapiro, M. Sasaki (Eds.), Proceedings of generated key G is still far from perfect. the QCMC, NICT Press, 2006, p. 163. [26] U.M. Maurer, IEEE Trans. Infor. Theory 45, 499-514 (1993). In contrast to IE which can be bounded via Holevo’s [27] H.P. Yuen and A.J. Kim, Phys. Lett. A 241, 135-138 (1998). inequality, there is no known way to guarantee δE ǫ for all ≤ [28] H.P. Yuen, R. Nair, E. Corndorf, G. Kanter, and P. Kumar, Quantum possible measurements from Eve. In [23], [44] a strong claim Inform. and Comp. 6 (7) p. 561, 2006; also quant-ph 0509091. is made on a quantum quantity d that if d ǫ the generated [29] R. Nair, H.P. Yuen, E. Corndorf, T. Eguchi, and P. Kumar, Phys. Rev. ≤ A 74, p. 052309, 2006; also quant-ph 0603263. key G is disentangled from Eve’s probe and identical to U [30] R.G. Gallager, Information Theory and Reliable Communication, Wiley, except with probability ǫ. However, the claim was incorrectly 1968. drawn on the basis of (30) in these references. Accordingly, [31] A.J. Viterbi and J.K. Omura, Principles of Digital Communication and Coding, McGraw-Hill, 1979. the universal property of such a key as well as the quantitative [32] T.M. Cover and J.A. Thomas, Elements of Information Theory, Wiley, security significance of d do not follow as consequences. These 1991. issues will be discussed in detail in another paper. [33] H.P. Yuen, in Proc 1995 NASA Conference on Squeezed States, 363-368 (1996). [34] H.P. Yuen, in Quantum Communications, Computing, and Measurement ACKNOWLEDGMENT 2, eds. P. Kumar et al, Kluwer Academic/Plenum Publishers, N.Y. (2000). [35] H.P. Yuen, Quant. Semiclass. Opt. 8, p. 939 (1996). I would like to thank E. Corndorf, W.Y. Hwang, P. Kumar, [36] B.A. Slutsky, R. Rao, P.-C. Sun, and Y. Fainman, Phys. Rev. A 57, J. Myers, and R. Nair for useful discussions. This work was 2383-2398 (1998). supported by DARPA and AFOSR. [37] C. Liang, G.S. Kanter, E. Corndorf, and P. Kumar, Photonics Tech. Lett. 17, pp. 1573-1575 (2005). [38] M.J.W. Hall and I.G. Fuss, J. Quant. Optics. 3, 147 (1991). REFERENCES [39] G. Barbosa, E. Corndorf, P. Kumar, and H.P. Yuen, Phys. Rev. Lett. 90, 227901-4 (2003). [1] C.H. Bennett and G. Brassard, in Proc. IEEE Int. Conf. on Computers, [40] H.P. Yuen and R. Nair, Phys. Lett. A 364 (2)p. 112 (2007); also Systems, and Signal Processing, Bangalore, India (IEEE, Los Alamitos, quant-ph/0608028. CA), 175-179 (1984). [41] R.M. Gagliardi and S. Karp, Optical Communication, Wiley, 1995. [2] A general review can be found in N. Gisin, G. Ribordy, W. Tittel, H. [42] A.J. Viterbi, Principles of Coherent Communication, Wiley, 1966, Zbinden, Rev. Mod. Phys. 74, 145-195 (2002). p. 226. [3] The term “BB84 type protocols” would be used to cover variants [43] H.P. Yuen, in Quantum Squeezing, edited by P.D. Drummond and Z. including Ekert protocols that employ quantum entanglement explicitly. Ficek, Springer Verlag (2004) pp. 227-261, also in quant-ph/0109054. From the point of view of this paper, the key feature of such protocols is [44] R. Konig, R. Renner, A. Bariska, and U. Maurer, Phys. Rev. Lett. 98, that intrusion level estimation via public exchange is used to bring about 140502 (2007). security. [45] J.M. Myers, in E.J.H. Donkor, A.R. Pirich, and H.E. Brandt eds, [4] A.D. Wyner, Bell Syst. Tech. J. 54, 1335-1387 (1975). Quantum Information and Computation III, Proceedings of the SPIE [5] I. Csisz´ar and J. K¨orner, IEEE Trans. Infor. Theory IT-24, 339-348 (1978). v. 5815 (SPIE, Belingham, WA) , p. 205. JOURNAL OF SELECTED TOPICS IN QUANTUM ELECTRONICS 16 [46] J.M. Myers and F.H. Madjid, J. Opt. B: Qaunt. Semiclass. Opt., 4 (2002), p. 5109-5116, See Section 4.2 in particular. [47] V. Makarov, A. Anisimov, and J. Skaar, Phys. Rev. A 74, 022313 (2006). [48] B. Qi, C.-H.F. Fung, H.-K. Lo, and X. Ma, Quant. Inform. and Comput. 7, 073 (2007). [49] Y. Zhao, C.-H.F. Fung, B. Qi, C. Chen, and H.-K. Lo, Phys. Rev. A 78, 042333 (2008). [50] X. Ma, T. Moroder, and N. Lutkenhaus, arXiv:0812.4301 [51] H.L. Van Trees, Detection, Estimation, and Modulation Theory, Part I, Wiley (1968). [52] J.W. Goodman, Introduction to Fourier Optics, McGraw Hill (1968). [53] See, e.g. , A.O. Caldeira and A.J. Leggett, Phys. Rev. A 31, 1059 (1985). [54] F. Grosshans, G. Van Assche, J. Wegner, R. Broui, N.J. Cerf, and P. Grangier, Nature 421, 238-241 (2003). [55] W.-Y. Hwang, Phys. Rev. Lett., 91, 057901 (2003). [56] H. Inamori, N. Lutkenhaus, and D. Mayers, quant-ph/0107017. [57] M. Hamada, J. Phys. A: Math. Gen. 37, 8303 (2004). [58] E. Biham, M. Boyer, P.O. Boykin, and V. Roychowdhury, J. Cryptology 19, 381-439 (2006); also arxiv.org: quant-ph/9912053. [59] M. Hayashi, Phys. Rev. A 74, 022307 (2006). [60] M. Hayashi, Phys. Rev. A 76, 012329 (2007). [61] J. Hasegawa, M. Hayashi, T. Hiroshima, A. Tomita, Asian Conference on Quantum Information Science 2007, Shiran-kaikan, Kyoto, Sep.3-6, 2007 [62] R. Renner, and R. Konig, Second Theory of Cryptography Conference (TCC), Lecture Notes in Computer Science, vol. 3378 (Springer, New York, 2005), pp. 407-425. [63] R. Konig, U. Maurer, and R. Renner, IEEE Trans. Inform. Theory 51 (2005), p. 2381-2401. Horace P. Yuen is Professor of Electrical Engineering and Computer Science and Professor of Physics and Astronomy at Northwestern University. He received his degrees in Electrical Engineering from Massachusetts Institute of Technology. His technical research interest are mainly in the areas of communication and cryptography, especially those with quantum effects. He is a recipient of the 2008 IEEE/LEOS Quantum Electronics Award, the 1996 International Quantum Communication Award, a Fellow of the American Physical Society, and a senior member of the IEEE. Several of his papers are collected in various special volumes, including “One Hundred Years of Physical Review” which was published by the American Physical Society in 1993.