Picture-Perfect Quantum Key Distribution

Home , Alice and Bob, Quantum key distribution

Picture-perfect Quantum Key Distribution

Aleks Kissinger1, Sean Tull2, and Bas Westerbaan1

1Institute for Computing and Information Sciences, Radboud University Nijmegen 2Department of Computer Science, University of Oxford

We provide a new way to bound the se- Such schemes form part of the program of post- curity of quantum key distribution using quantum cryptography [6]. only two high-level, diagrammatic features On the other hand Bennett and Brassard proof quantum processes: the compositional posed a completely different unauthenticated key behavior of complementary measurements agreement protocol, now called BB84 [5], whose and the essential uniqueness of purifica- security is not based on a mathematical prob- tion. We begin by demonstrating a proof lem, but on physical assumptions on quantum in the simplest case, where the eavesdrop- mechanical systems. In this protocol Alice needs per doesn’t noticeably disturb the chan- to be able to send Bob qubits. In most implemen- nel at all and has no quantum memory. tations, like [31], this is done by sending photons We then show how this approach extends over a fiber optic cable, where the qubits are en- straightforwardly to account for an eaves- coded in the polarization of the photons. After dropper with quantum memory and the BB84 other variations have been proposed, no- presence of noise. tably E91 [15], and they are all indiscriminately referred to as Quantum Key Distribution (QKD). 1 Introduction In their original paper, Bennett and Brassard give a short argument for the security of BB84. Traditionally in cryptography, parties use pre- Feeling this proof was not satisfactory, subse- shared keys to communicate securely. In 1976 quent authors have proposed more meticulous Diffie and Hellman introduced the first key agree- proofs, for instance [22]. However, this added ment protocol that allows two parties, say Alice rigor came at the cost of complexity, prompting and Bob, to securely establish a key over an in- Shor and Preskill to publish a ‘simple proof’ [29]. secure channel [14]. There are two caveats to its This did not settle the matter: many subsequent security. First, it’s an unauthenticated key agree- publications have appeared on the security of ment protocol,1 and second, its security hinges on BB84 and its variants, differing not only in lev- the difficulty of computing discrete logarithms. els of rigor vs. simplicity, but also in the physi- Famously, Shor showed in 1994 [28] that a (large- cal assumptions and the efficiency of the proto- scale stable) quantum computer is able to calcu- col itself (e.g. qubits required per bit of shared late discrete logarithms with ease, breaking Diffie key) [2,4, 16, 19–21, 23–26]. and Hellman’s original scheme. The present paper contributes another proof There are other key agreement protocols whose to the mix, whose primary aim is simplicity. It arXiv:1704.08668v3 [quant-ph] 19 Jul 2017 security is based on mathematical problems is quite different from those that came before, which are believed to be difficult, even for quan- in that we adopt a purely graphical notation tum computers. An example is NewHope [3,7]. and rely on techniques which arose in categor- Aleks Kissinger: [email protected] ical quantum mechanics [1] and the diagram- Sean Tull: [email protected] matic approach to quantum theory [11]. We will Bas Westerbaan: [email protected] show that two high-level features of quantum processes–namely the behavior of complemen- 1An attacker Eve that can intercept and modify all communication between Alice and Bob, can simply im- tary measurements under composition [10] and personate Bob and perform all the steps Bob would. Now the essential uniqueness of purification of quan- Alice thinks she established a shared key with Bob, where tum channels [9]–suffice to show that there exists in reality she established a shared key with Eve. no quantum process with which an eavesdropper

1 can undetectably extract information about Al- holds. We remove the second limitation in Sec- ice and Bob’s shared key. tion5 by showing the same graphical proof from We begin by briefly reviewing the graphical Section3 goes through, thanks to the continuity notation for quantum processes, including de- properties of purification and diagram rewriting, pictions of purification and complementary mea- if we replace equality by -closeness in the com- surements. In Section3, we describe a version of pletely bounded norm (written ‘ ··· =ε ··· ’). This cb BB84 in this notation and give a one-line version enables us to give a security bound for the QKD of a proof of correctness which already appears in protocol comparable to the one suggested in [17]. the literature [11, 13], but makes the (unreason- In particular, the fact that Eve’s process disturbs ably) strong assumption that Eve is only allowed the channel very little can be formulated as: to measure and re-prepare in the Z and X bases. Our first main result removes this assumption, allowing Eve to perform any quantum process to (attempt to) extract information from Alice and ε ε Φ = Φ = Bob’s channel: cb cb

Bob ... Eve

Φ √ This implies that Eve’s process is within N of

Alice a separable one: ... We then formulate the condition that Eve’s chan- √ nel remains undetected by means of two equa- N ε Φ = ρ tions, corresponding to the cases where Alice and cb Bob’s measurement choices agree:

for some constant N depending only on the dimension of Alice and Bob’s system. Φ = Φ =

2 Preliminaries Using the behavior of complementary measure- Throughout the paper, we will use string di- ments, we show that this implies that Eve’s chan- agram notation for linear maps and channels. nel separates: [11] Systems are depicted as wires and maps as

Bob ... Eve Bob ... Eve boxes. To make it clear whether we are work- ing with linear maps between Hilbert spaces or Φ = ρ completely positive maps (CP-maps), we will depict finite-dimensional Hilbert spaces H,K,... as Alice Alice thin wires and the associated spaces of operators ...... B(H), B(K),... as thick wires. While already much more general than previ- A linear map V : H → K and CP-map ous graphical proofs, this still makes two very Φ: B(H) → B(K) (for Hilbert spaces H,K) are strong assumptions. First, it assumes that Eve depicted respectively as: performs the same process each time Alice and Bob use their channel. Second, it assumes all equalities are exact, so it offers no guarantees in K B(K) the presence of noise. V Φ We remove the first limitation in Section4 H B(H) by allowing Eve to maintain an arbitrarily large quantum memory between usages of the chan- We omit wire labels if they are irrelevant or clear nel, and show that the separation argument still from context. Compositions of maps is depicted

2 by plugging boxes together vertically: 2.1 Puriﬁcation The linear map that sends ρ ∈ B(H) to its trace B(L) L is a CP-map Tr : B(H) → C, which we draw as V Ψ a ‘ground’ symbol: V ◦ U =: K Ψ ◦ Φ =: B(K) Tr = U Φ H Using this notation, we can express the prop- B(H) erty of a CP-map being trace-preserving as follows: and tensor products by putting boxes side-by- side: Φ =

H0 K0 B(H0) B(K0)

U ⊗V =: U V Φ⊗Ψ =: Φ Ψ Furthermore, any linear map U : H → K in- duces a CP-map Ub : B(H) → B(K) via: H K B(H) B(K) Ub(ρ) = U ρ U † (1) Similarly, maps between tensor products such as We call a CP-map pure if it is of the form of (1). U : H → K ⊗ L or Φ: B(H) → B(K) ⊗ B(L) We call this method of turning a linear map into are depicted as boxes with multiple input/output a pure CP-map doubling. wires: An important theorem about CP-maps is that

K L B(K) B(L) any CP-map can be represented in an essentially unique manner, by means of a pure CP-map and U Φ the trace. H B(H) Theorem 2.1 (Stinespring / puriﬁcation, U : H → K ⊗ L Φ: B(H) → B(K ⊗ L) [8, 30]). For any completely positive map Φ: B(H) → B(K) there is a Hilbert space L and where we identify B(H) ⊗ B(K) =∼ B(H ⊗ K). linear map V : H → K ⊗ L with Identity linear maps/CP-maps are represented as ‘plain wires’: Φ = Vb (2)

1H =: H 1B(H) =: B(H) Moreover, for any (other) linear map V 0 : H → K ⊗L satisfying (2), there is a unitary U : L → L since U ◦ 1H = 1K ◦ U = U and similarly for CP- such that: maps. The trivial system C is depicted as ‘no wire’, since H ⊗ =∼ H and B(H) ⊗ =∼ B(H). C C U Regarding vectors as linear maps v : C → H and V 0 = positive operators as CP-maps ρ : C → B(H), we V can depict vectors |ψi ∈ H and quantum states in ρ ∈ B(H) respectively as maps from 0 to 1 wire: 2.2 Spiders and decoherence H B(H) To each orthonormal basis (ONB) {|ii} of a ψ ρ (ﬁnite-dimensional) Hilbert space H, we asso- ciate a family of linear maps called spiders as Similarly, we can depict linear functionals follows: hψ| : H → C and CP-maps of the form e: B(H) → C as maps from 1 to 0 wires: n ... n := = X |i . . . ii hi . . . i| e m ψ ... | {z } | {z } i n m H B(H) m

3 where a spider with zero legs is a complex number That is, it projects a positive matrix written with D, the dimension of the Hilbert space. respect to the ONB {|ii} ⊂ H to its diagonal Different ONBs induce different spiders, and entries: furthermore an ONB is uniquely fixed by its fam- ρij 7→ δijρii ily of spiders [12]. Adjacent spiders associated The fact that this CP-map is trace-preserving fol- with the same ONB fuse together. That is, for lows from (4): k ≥ 1, we have:

n1 n2 (4) = = ...... n1 + n2 ... k and idempotence from spider-fusion and (4): ... = (3) ...... (4) ... m1 + m2 = = = = =

m1 m2

We write the doubled spiders as follows: If dim(H) = n, decoherence gives a rank-n pro- 2 ...... jector in the n -dimensional space B(H), hence n n we can split this projector using the following lin- m := 7→ dm := ...... ear maps:

These CP-maps, which satisfy the same fusion H B(H) m = e = law, are called quantum spiders. Examining the B(H) H concrete expression: where: n n n † dm(ρ) := ( m) ρ ( m) m (|iihj|) := δij |ii e (|ii) := |iihi| = X |i . . . ii hi . . . i| ρ |j . . . ji hj . . . j| | {z } | {z } | {z } | {z } Then we have: ij n m m n we see that: = and = (5) n X Tr ( dm(ρ)) = hi . . . i| ρ |i . . . ii | {z } | {z } i m m Treating B(H) itself as a Hilbert space using the Hilbert-Schmidt inner product hU|V i := Hence, such a map is trace-preserving whenever Tr (U †V ), one can easily verify that m = it has exactly one input: (e )†. These maps have a straightforward operational ... interpretation which will play a role in the fol- = (4) lowing sections. The ﬁrst, m , sends a quantum state to a classical probability distribution, One derived map which will be particularly whose entries are the Born rule probabilities as- important in the sequel is the decoherence map, sociated with an ONB measurement of {|ii}: 2 which arises from tracing out one output of d1: h1| ρ |1i  .  m (ρ) =  .  d = := hn| ρ |ni Hence, we can think of it as a map from a quantum space B(H) to a classical space of probabil- Concretely: ity distributions in H (treated simply as a vec- d (ρ) = X |iihi| ρ |iihi| tor space), representing the act measuring in the i given basis.

4 classical 2.3 Complementary spiders quantum We can study the interaction of distinct ONBs on the same Hilbert space by introducing distinct Conversely, e sends a classical value (or dis- families of spiders. From hence forth, we will ﬁx tribution over classical values) to an encoding of two ONBs {|zii}, {|xii} of a Hilbert space H of that value as a quantum state: dimension D, and let: quantum n ... n X classical m := = |zi . . . zii hzi . . . zi| ... | {z } | {z } i n m Hence, it represents the act of encoding a classical m value with respect to an ONB of quantum states. With these interpretations in mind, the left n ... equation in (5) gives an operational reading for n X m := = |xi . . . xii hxi . . . xi| decoherence. Namely, it arises from measuring a ... | {z } | {z } i n m quantum system, followed by re-preparing it in m the same basis. Furthermore, certain spiders take on a spe- Consequently, we let: cial meaning as operations on classical systems. Namely, m (|ziihzj|) := δij |zii e (|zii) := |ziihzi| m (|xiihxj|) := δij |xii e (|xii) := |xiihxi| = X |iiihi| (6) i Two ONBs are said to be mutually unbiased or is the process which copies a classical value, complementary whenever any member of one basis gives equal probabilities to all outcomes of a X = hi| (7) measurement with respect to the other, i.e. we i 2 1 have |hzi|xji| = D , for all i, j. We can also is deleting (a.k.a. marginalisation), and express this property succinctly in terms of the measurement/encoding maps associated with a 1 1 X pair of spiders. D = D |ii (8) i Theorem 2.2 ([11]). Two ONBs are mutu- is the uniform probability distribution. Note that ally unbiased if and only if their measure- (7) and (8) are the classical analogue to the ment/encoding maps satisfy the following equa- trace and the maximally mixed state, respec- tion: tively. Since (6) is a cloning (i.e. broadcasting) = 1 (9) operation, it has no quantum analogue. D The ﬁnal spider-derived map we will use is a non-demolition measurement: Proof. Precomposing the LHS of (9) with |zii and post-composing with hxj| yields:

:= † hxj| m e |zii = (e |xji) (e |zii)

= Tr (|x ihx | |z ihz |) = |hz |x i|2 This map captures the process where we perform j j i i i j an ONB measurement (which produces classical By deﬁnition of spiders, performing the same data) but also leave the quantum system intact. 1 pre- and post-composition on the RHS yields D , Alternatively, we can read the RHS above liter- which completes the proof. ally as performing a (demolition) measurement, copying the measurement outcome, and using Rather than resorting to measurement and en- one of the copies to re-prepare the quantum sys- coding maps, we can also express mutual unbi- tem. asedness directly in terms of spiders with the help

5 of an additional linear map, called the antipode again with equal probability. With probability associated with a pair of spiders: 1/2 their choices agree and the bit is perfectly transmitted: X s := = hzi|xji |xjihzi| Bob Bob ij = = Theorem 2.3 ([10]). Two ONBs are mutually Alice Alice unbiased if and only if their associated spiders Otherwise, Bob receives a random bit, with no satisfy the following equation: information conveyed:

s = 1 (10) Bob Bob D 1 1 = D = D Alice Alice Proof. Follows similarly to the proof of Theo- rem 2.2. Pre-composing the LHS of (10) with To agree on a shared key with average size n, Al- |zii and post-composing with hxj| yields: ice and Bob go through the previous routine 4n times. Then Alice and Bob announce the bases 2 hxj| s |zii hxj|zii = hzi|xjihxj|zii = |hxj|zii| they used for encoding and measuring respectively and discard those bits where the bases dis- Whereas pre- and post-composing on the RHS agree. On average 2n bits remain. To check for again yields 1 . D trouble, Alice randomly picks n of the remaining Remark 2.4. The two conditions for unbiased- bits and announces their value to Bob. If there ness given by Theorems 2.2 and 2.3 are related is any mismatch on these check-bits, Alice and to each other via the (basis-dependent) isomor- Bob abort. If not, Alice and Bob are left with phism B(H) =∼ H ⊗ H: (on average) n bits. Suppose that an eavesdropper Eve intercepts a X ∼ X ρij |zjihzi| ←→ ρij |zii ⊗ |zji transmitted qubit in attempt to extract informa- ij ij tion. Eve does not know which basis Alice used to encode her bit, so let us first assume Eve adopts Since the above isomorphism is defined with re- a naive strategy whereby she randomly decides spect to the -basis, the map s corrects the - to perform a non-demolition measurement with spider to account for this basis-dependence: respect to Z or X. Alice and Bob will ignore any bits for which ∼ ∼ ←→ ←→ their basis choices differ, so we need only consider s the case where they match. If Alice and Bob Remark 2.5. The map s is called an antipode both choose Z, and Eve chooses (correctly) to because equation (10) is the antipode law for a also measure in Z: Hopf algebra. If the spiders associated with a pair of mutually unbiased bases satisfy the other (5) three Hopf algebra laws, they are called strongly := = complementary bases, which are special mutually unbiased bases which always arise from finite abelian groups via Fourier transform [11]. she indeed receives a perfect copy of Alice’s bit. On the other hand, if she guesses wrong, and 3 Key Distribution Protocol measures X: Alice chooses a random bit and encodes this bit as a qubit using either the Z or X basis with (9) equal probability. She sends the qubit to Bob. = 1 = 1 := D2 D2 Independently, Bob chooses to perform either a Z or X basis measurement on the qubit he received,

6 Eve and Bob both receive a random bit, com- By purifying Φ, we can without loss of generality pletely uncorrelated to Alice’s original bit. Alice assume that Eve’s map Φ is pure, say with Φ = and Bob’s communication will be similarly dis- Vb . The left-hand side of (12) states that: rupted when they both measure X but Eve measures Z. In a longer run, these disruptions will be detected by Alice and Bob using the check-bits, giving away Eve’s presence. = = (13) ψb Now let us consider the case where Eve can Vb apply any operation to attempt to extract some information about Alice’s bit. That is, show applies some quantum channel Φ: B(H) → B(H ⊗ for any normalized pure state ψ of E ⊗ H. By E), where H is the Hilbert space of the qubit and essential uniqueness of puriﬁcation, we conclude E is that of some other system possessed by Eve: that:

Bob ... Eve U V Φ = ψ (14)

Alice ... In order for Eve’s intervention to remain unde- for some unitary U on H ⊗ E ⊗ H. Hence: tected in either case where Alice and Bob’s measurements agree, Eve’s channel must satisfy the U following equations: V = (15) ψ

Φ = Φ = (11) Using the spider laws (3), it follows that:

V V = = We now prove that, in this scenario, Eve cannot V V possibly extract any information. That is, her channel separates. (16) The same equations also hold for the gray spiders Theorem 3.1. For any Φ satisfying (11) for with the same reasoning starting with the right- complementary ONBs / we have: hand side of (12). But together these imply that

B(H) B(E) B(H) B(E) V separates, since:

Φ = ρ s (3) (10) 1 B(H) B(H) V = D = V V for some state ρ of B(E).

Proof. By precomposing measurement maps and postcomposing encoding maps, we ﬁnd V V V (16) (10) (3) = = 1 = 1 s D D

Φ = Φ = (12) (where for a qubit we have D = 2). Hence Φ separates as well.

7 The simple nature of the graphical proof makes along with analogous equations for all of the re- clear several immediate generalizations. Firstly, maining 2n − 1 variations of basis and position. the same protocol and proof may be applied ap- In particular the one for the ﬁrst bit becomes: ply whether Alice and Bob are sharing a qubit or a qudit for arbitrary (ﬁnite) Hilbert space dimension D, on which Alice and Bob must simply choose any pair of complementary orthonormal bases. Φ =

ρ ...... 4 Eavesdroppers with memory The same equation holds for the gray spiders A very strong assumption in the previous deriva- also. From cancellativity of the tensor product, tion was that Eve performs the same channel ev- we conclude that Φ◦(id⊗ρ) satisﬁes the require- ery time in attempts to extra information from ments of Theorem 3.1, and so separates as: Alice’s string of bits. Suppose now that Eve may now vary her behavior depending on the qubits she has received previously. That is, she may now make use of a quantum memory that persists be- Φ = ρ0 tween individual steps of the protocol. Her channel is now of the form Φ: B(H ⊗E) → B(H ⊗E), ρ with an extra input into which is passed the output from the previous intercepted qubit. She ini- tially prepares her auxiliary system in some state for some state ρ0 of B(E). Returning to the re- ρ. Then Eve’s procedure, during n transmissions quirement (18), the same argument again with between Alice and Bob, amounts to the channel n − 1 instances of Φ and ρ0 replacing ρ shows that Φ0 : B(H⊗n) → B(H⊗n ⊗ E) given by: Φ◦(id⊗ρ0) itself separates. Repeating this argument inductively reveals that Φ itself separates,

B(H) B(H) B(H) B(E) and thus Eve again receives no information. ...

B(H) B(H) B(H) B(E) Φ ......

0 5 Noise-tolerance Φ := Φ ... The proofs we have just seen might be pleasing, B(H) B(H) B(H) Φ but they do not give us a priori confidence in ... ρ the security of QKD: it might be the case that B(H) B(H) B(H) with only a minute disturbance, Eve might ex- (17) tract a lot of information. We will see in this (As Eve can keep a counter in E, this setting section that this is not the case: the equational is as general as if we would allow Eve a differ- proof also leads to a polynomial bound on the ent Φ : B(H ⊗ E) → B(H ⊗ E) for each trans- n distance of Eve’s channel from a separable one mitted qubit.) by the amount of disturbance. The key is an As before, for Eve’s interference to remain approximate version of essential uniqueness of completely undetected, we must have that: purifications due to Kretschmann, Schlingemann and Werner [17, 18]: ...

Φ0 = ... Theorem 5.1 (Continuity of Stinespring Dila- tion). [17, Theorem 1] Let V ,V : A → B ⊗ E be ... 1 2 (18) linear maps. Then:

8 Theorem 5.2 (Noise Tolerance). There is a constant N, depending only on the dimension of Al- 2 ice and Bob’s system, such that whenever U inf − V2 U V1 ∞

ε ε Φ = Φ = (20) cb cb

≤ Vc1 − Vc2 cb

we have that U ≤ 2 inf − V2 U V1 ∞ √ N ε Φ = ρ (21) cb where the inﬁma are taken over all unitaries U : E → E. for some state ρ of B(E).

Here k · k∞ denotes the usual operator norm Proof. From the upper bound of Theorem 5.1, and k · kcb the completely bounded norm of super operators which is defined via the sup-norm on it suffices to prove that there is such a constant super-operators: N for which any purification Vb of Eve’s channel satisfies: kV k∞ := sup kV ψk kΦk∞ := sup kΦ(T )k∞ kψk≤1 kT k≤1 √ N ε V = 1 V (22) kΦkcb := sup kidMn ⊗ Φk∞ D n∈N The operator norm (on operators) and cb- norm (on super operators) satisfy the following This follows from the proof of Theorem 3.1, by rules. repeatedly applying the rule (19) to replace each strict equation in the proof by an approximate kf ◦ gk ≤ kfk kgk kf ⊗ gk = kfk kgk kidk = 1 one. At each step one only picks up linear factors from the norms of other maps featuring in each The regular sup-norm on super operators does diagram. Inspecting the proof, one can see that not satisfy the middle rule. For brevity, we will these are independent of Eve’s system or channel. write In more detail, let Vb be a purification of Eve’s channel. Then the left hand side of (20) says ε 0 0 V = V ⇔ kV − V k∞ ≤ ε precisely that the two sides of (13) are within ε ε 0 0 in the completely bounded norm, for any such T = T ⇔ kT − T kcb ≤ ε. cb pure state ψ. By Theorem 5.1, there is then a unitary U such that the two sides of (14) are The compositional rules for the operator norm √ within 2 ε. Applying two copies of 1 as in allow us to lift approximate equations between √ 0 (15), we obtain equation (15) up to 2 ε|| 1||2. sub-diagrams to those between full diagrams, us- 0 This ensures that (16) holds up to a constant ing the rule: √ factor in ε dependent only on the norms of the n m maps. Similarly so does the same equation R R for the gray spider. kRkkSkε The final steps of the proof now follow just as =ε =⇒ = (19) V W V W before. Again at each step we simply replace a strict equation by one up to a constant factor in S S √ ε, dependent only on the white and gray spiders, using the rule (19).

9 Taking the distance of Eve’s channel from a to extend such exact diagrammatic arguments separable channel as a measure of how much in- to approximate ones. We call this technique ε- formation she can extra from Alice’s bit, we see bounded diagrammatic reasoning. It should be that, as expected, the amount of information is applicable to many further quantum protocols, bounded by how much Eve disturbs the commu- allowing the intuitive diagrammatic approach to nication between Alice and Bob. quantum information theory developed in [11] to We conclude this section with a few caveats: be used to make physically reasonable and robust arguments, such as required for security proto- 1. The bound applies if the systems of Al- cols. ice, Bob and Eve can be modeled by finite- dimensional Hilbert spaces and their interaction as a completely positive map be- Acknowledgments We thank Hans Maassen, tween their tensor products. For other ap- Sam Staton, Bram Westerbaan and John van de plications these assumptions are untenable, Wetering for insightful discussion. We would also see e.g. [33] and [27]. There is, however, like to thank the anonymous QPL referees for no clear indication that for quantum in- their useful feedback on a short abstract sum- formation arguments these assumptions are marising this work. invalid. Nonetheless it’s of interest how This work is supported by the ERC un- far these arguments generalize. Interac- der the European Union’s Seventh Frame- tions between arbitrary (possibly infinite- work Programme (FP7/2007-2013) / ERC dimensional) von Neumann algebras admit grant no 320571 and an EPSRC Studentship a Stinespring-like dilation [32], but no con- OUCL/2014/SET. tinuity result is known. 2. Like the proof in Section3, the proof above References assumes Eve performs the same operation every time. This should be extended to in- [1] S. Abramsky and B. Coecke. A cat- corporate memory as in Section4. egorical semantics of quantum protocols. In Proceedings of the 19th Annual IEEE 3. The random sampling (check-bits) on its Symposium on Logic in Computer Science own does not guarantee the bound (20). (LICS), pages 415–425. IEEE Computer So- Renner solves the analogous problem with ciety, 2004. DOI: 10.1109/lics.2004.1319636. some effort by showing the resulting com- arXiv:quant-ph/0402130. bined state of Alice, Bob and Eve may be [2] A. Ac´ın, N. Brunner, N. Gisin, S. Mas- assumed to be approximately symmetric un- sar, S. Pironio, and V. Scarani. Device- der permutations of the bits in the run [24]. independent security of quantum cryptogra- A similar method may apply here. phy against collective attacks. Physical Re- view Letters, 98(23):230501, 2007. 6 Outlook [3] E. Alkim, L. Ducas, T. Pöppelmann, and P. Schwabe. Post-quantum key exchange We saw how to derive a bound on the security of — a new hope. IACR Cryptology ePrint QKD using the diagrammatic behavior of com- Archive, 2015:1092, 2015. plementary observables and continuity of Stine- [4] M. Ben-Or, M. Horodecki, D. W. Leung, spring. Whether the protocol ensures the as- D. Mayers, and J. Oppenheim. The univer- sumed bound (20) and how the conclusion (21) is sal composable security of quantum key dis- related to the more common quantities like mu- tribution. In Theory of Cryptography Con- tual information and the secret-key rate, we leave ference, pages 386–406. Springer, 2005. open to future research. [5] C. H. Bennett and G. Brassard. Quantum In closing we note that, in the current lit- cryptography: Public key distribution and erature, diagrammatic arguments have typically coin tossing. In Proceedings of IEEE Inter- only been used for exact reasoning about quan- national Conference on Computers, Systems tum processes. Our proof of Theorem 5.2 sug- and Signal Processing, pages 175–179. IEEE, gests a general strategy of using the rule (19) 1984. DOI: 10.1016/j.tcs.2014.05.025.

10 [6] D. J. Bernstein, J. Buchmann, and E. Dah- representation. IEEE transactions on infor- men. Post-quantum cryptography. Springer mation theory, 54(4):1708–1717, 2008. DOI: Science & Business Media, 2009. 10.1109/tit.2008.917696. [7] M. Braithwaite. Experimenting with [18] D. Kretschmann, D. Schlingemann, and Post-Quantum Cryptography, 2016 R. F. Werner. A continuity theorem for (accessed April 7, 2017). https: stinespring’s dilation. Journal of Functional //security.googleblog.com/2016/ Analysis, 255(8):1889–1904, 2008. DOI: 07/experimenting-with-post-quantum. 10.1016/j.jfa.2008.07.023. html. [19] H.-K. Lo and H. F. Chau. Unconditional se- [8] G. Chiribella, G. M. D’Ariano, and curity of quantum key distribution over ar- P. Perinotti. Probabilistic theories with pu- bitrarily long distances. science, 283(5410): rification. Physical Review A, 81(6):062348, 2050–2056, 1999. 2010. DOI: 10.1103/physreva.81.062348. [20] N. Lütkenhaus. Security against individual [9] G. Chiribella, G. M. D’Ariano, and attacks for realistic quantum key distribu- P. Perinotti. Quantum from Principles, tion. Physical Review A, 61(5):052304, 2000. pages 171–221. Springer, Dordrecht, 2016. [21] Ø. Marøy, L. Lydersen, and J. Skaar. Secu- ISBN 978-94-017-7303-4. DOI: 10.1007/978- rity of quantum key distribution with arbi- 94-017-7303-4˙6. trary individual imperfections. Physical Re- [10] B. Coecke and R. Duncan. Interacting quan- view A, 82(3):032337, 2010. tum observables: categorical algebra and di- [22] D. Mayers. Unconditional security in agrammatics. New Journal of Physics, 13: quantum cryptography. Journal of the 043016, 2011. arXiv:quant-ph/09064725. ACM (JACM), 48(3):351–406, 2001. DOI: [11] B. Coecke and A. Kissinger. Picturing 10.1145/382780.382781. Quantum Processes. Cambridge University Press, 2014. DOI: 10.1017/9781316219317. [23] T. Moroder, M. Curty, and N. Lütkenhaus. One-way quantum key distribution: Simple [12] B. Coecke, D. Pavlović,and J. Vicary. A upper bound on the secret key rate. Physical new description of orthogonal bases. Math- Review A, 74(5):052301, 2006. ematical Structures in Computer Science, 2011. DOI: 10.1017/S0960129512000047. [24] R. Renner. Security of quantum key dis- arXiv:quant-ph/0810.1037. tribution. International Journal of Quan- [13] B. Coecke, Q. Wang, B. Wang, Y. Wang, tum Information, 6(01):1–127, 2008. DOI: and Q. Zhang. Graphical calculus for quan- 10.1142/S0219749908003256. tum key distribution (extended abstract). [25] V. Scarani and R. Renner. Quantum Electronic Notes in Theoretical Computer cryptography with finite resources: Un- Science, 270(2):231–249, 2011. conditional security bound for discrete- [14] W. Diffie and M. Hellman. New directions in variable protocols with one-way postprocess- cryptography. IEEE transactions on Infor- ing. Physical review letters, 100(20):200501, mation Theory, 22(6):644–654, 1976. DOI: 2008. 10.1109/TIT.1976.1055638. [26] V. Scarani, H. Bechmann-Pasquinucci, N. J. [15] A. K. Ekert. Quantum cryptography based Cerf, M. Duˇsek, N. Lütkenhaus, and on Bell’s theorem. Physical Review Letters, M. Peev. The security of practical quantum 67(6):661–663, 1991. ISSN 1079-7114. DOI: key distribution. Reviews of modern physics, 10.1103/physrevlett.67.661. 81(3):1301, 2009. [16] B. Kraus, N. Gisin, and R. Renner. Lower [27] A. Shaji and E. C. G. Sudarshan. Who’s and upper bounds on the secret-key rate afraid of not completely positive maps? for quantum key distribution protocols us- Physics Letters A, 341(1):48–54, 2005. DOI: ing one-way classical communication. Phys- 10.1016/j.physleta.2005.04.029. ical review letters, 95(8):080501, 2005. [28] P. W. Shor. Algorithms for quantum com- [17] D. Kretschmann, D. Schlingemann, and putation: discrete logarithms and factor- R. F. Werner. The information-disturbance ing. In Foundations of Computer Science, tradeoff and the continuity of stinespring’s 1994 Proceedings., 35th Annual Symposium

11 on, pages 124–134. IEEE, 1994. DOI: 10.1109/sfcs.1994.365700. [29] P. W. Shor and J. Preskill. Simple proof of security of the bb84 quantum key distribution protocol. Physical review letters, 85(2): 441, 2000. DOI: 10.1103/physrevlett.85.441. [30] W. F. Stinespring. Positive functions on c*- algebras. Proceedings of the American Math- ematical Society, 6(2):211–216, 1955. DOI: 10.1090/s0002-9939-1955-0069403-4. [31] D. Stucki, N. Gisin, O. Guinnard, G. Ri- bordy, and H. Zbinden. Quantum key distribution over 67 km with a plug&play system. New Journal of Physics, 4(1):41, 2002. DOI: 10.1088/1367-2630/4/1/341. [32] A. Westerbaan and B. Westerbaan. Paschke dilations. In Proceedings of the 13th In- ternational Conference in Quantum Physics and Logic (QPL), volume 236 of Elec- tronic Proceedings in Theoretical Computer Science, pages 229–244, 2017. DOI: 10.4204/eptcs.236.15. [33] J. Yngvason. The role of type iii factors in quantum ﬁeld theory. Reports on Mathe- matical Physics, 55(1):135–147, 2005. DOI: 10.1016/s0034-4877(05)80009-6.