sign in sign up
<<
Home , Quantum key distribution

Processing manuscript No. (will be inserted by the editor)

Qutrit-based semi-quantum distribution protocol

Hasnaa Hajji · Morad El Baz

the date of receipt and acceptance should be inserted later

Abstract This article provides the unconditional security of a semi quantum key distribution (SQKD) protocol based on 3-dimensional quantum states. By deriving a lower bound for the key rate, in the asymptotic scenario, as a function of the ’s noise, we find that this protocol has improved secret key rate with much more tolerance for noise compared to the previous 2-dimensional SQKD protocol. Our results highlight that, similar to the fully quantum key distribution protocol, increasing the dimension of the system can increase the noise tolerance in the semi-quantum key distribution, as well. Keywords Quantum , Semi-Quantum key distribution, , Security analysis.

1 Introduction

In 2007 Boyer [1] suggested a semi quantum key distribution protocol (SQKD) which enables two parties to establish a secret and secure key using principles of . In this scheme, Alice, the sender of the quantum√ information, transmits quantum in the computation basis {|0i, |1i} or the conjugate basis, {|±i = 1/ 2(|0i ± |1i} to, Bob, the receiver, who is restricted to performing one of two operations:

– Measure and Resend: measuring the received in the computation basis and resending his result to Alice. (i.e Bob will generate the state he measured and resends it towards Alice) – Reflect: Ignoring the quantum and reflecting it back to Alice, learning nothing about its state in the process. Since Bob is limited to the above operations, he is typically referred to as a classical user. SQKD protocols require a two-way quantum communication channel, which allows a quantum bit to travel from Alice to Bob and then back. This gives, Eve, the attacker, two opportunities to interact with the quantum bit, thus substantially increasing the complexity of the security analysis. For this reason, up until 2015, most security proofs for SQKD protocols focused on the notion of robustness(see [1],[2],[3],[4],[5],[6],[7],[10]). In 2015, Krawec [11] gave the proof of the unconditional security of Boyer’s original SQKD protocol. Then, in 2017, arXiv:2101.02583v1 [quant-ph] 7 Jan 2021 Krawec [13] also proved that a SQKD protocol can tolerate the same noise level as the fully quantum BB84 protocol. Besides, in 2016 Zhang et al. demonstrated the unconditional security of the SQKD protocol using less than four quantum states[12]. Due to the interesting features of the semi-quantum protocols, researchers have shown great enthusiasm on it and absorbed it into traditional tasks such as [17,19,18], private comparison [20,21,22], and direct communication [14,15,16]. All these works have been carried out based on two level systems: qubits, as the fundamental unit of quantum information. Independently of this, high dimensional systems (qudits) have attracted much attention with many the- oretical proposals and experimental realizations [33]. They offer advantages ranging from withstanding high channel noise levels, to possible implementation in the fundamental tests of quantum mechanics. As a result of the dimension increase, and quantum information processing in general, gets more efficient

ESMaR, Faculty of Sciences, Mohammed V University in Rabat, Morocco. E-mail: hasnaa [email protected] · [email protected] 2 Hasnaa Hajji, Morad El Baz with qudits, as one can achieve the same computational dimension employing fewer qudits [34]. High dimen- sional quantum key distribution was introduced [28], realized experimentally [31] and was shown to increase the channel capacity and thus the key generation rate [32]. This paper introduces a generalized scheme of the SQKD protocol from [1] based on the use of three-dimensional quantum states: . The use of qurtits, the simplest system capable of exhibiting quantum contextuality [33], has been proven to carry more information and have greater resistance to noise than qubits. Encouraged by this, we use the technique developed in [11] to produce an expression for the key rate of this protocol, in the asymptotic scenario, as a function of the quantum channel’s noise. The rest of the paper is organized as follows: the next section, introduces some preliminaries about SQKD. Section 3 describes the SQKD protocol using qutrits as information carriers. Section 4 presents a security analysis of our proposal while results and discussions are given in section 5. A conclusion with some perspectives are given at the end of the paper.

2 Preliminaries

In this section we some notations and definitions that will be used throughout the paper.

2.1 Entropy of the shared states:

Let ρ be a density operator, i.e. a Hermitian positive semi-definite operator of unit trace, acting on some finite dimensional Hilbert space H. If ρ is acting on a bipartite space HA ⊗ HB, we often write it as ρAB; in this case, ρB means the reduced resulting from tracing out over subsystem A i.e. the partial trace: ρB = trAρAB. S(AB) denotes the von Neumann entropy of ρAB:

X S(AB) = S(ρAB) = −tr (ρAB log3 ρAB) = − λi log3 λi (1) i where the λi’s are the eigenvalues of ρAB. Note that, since our protocol is based on qutrits, we use the base three logarithm instead of base two, as is customary the case, when dealing with qubits. Similarly, S(B) denotes the von Neumann entropy of ρB. We also write S(A|B) to mean the conditional von Neumann entropy [30], namely

S(A|B) = S(AB) − S(B) = S(ρAB) − S(ρB). (2)

We use H(p1, p2, . . . , pn) to represent the classical Shannon entropy of the probability distribution {p1, p2, . . . , pn}: P H(p1, p2, . . . , pn) = − i pi log pi. Unless otherwise specified all logarithms in this paper are base three.

Lemma 1 Given a finite dimensional Hilbert space H = HC ⊗ HE, let {|1iC ,..., |niC } be an orthonormal basis of HC . Consider the following density operator acting on H:

n X (j) ρ = pj|jihj|C ⊗ σE , (3) j=1

P (i) where pi = 1, pi ≥ 0, and each σE is a Hermitian positive semi-definite operator of unit trace acting on HE. Then the von Neumann entropy of ρ is

n X (i) S(ρ) = H(p1, p2, . . . , pn) + pjS(σE ). (4) j=1

For a proof of this Lemma, one may refer to the book [30]. Qutrit-based semi-quantum key distribution protocol 3

Fig. 1 A symmetric ternary channel, where a trit i from the input X has a probability p to be flipped into trit j in the output Y (i 6= j = 0, 1, 2).

2.2 Qutrit bases:

Let {|0i, |1i, |2i} be the unit vectors of the basis A of a three dimensional Hilbert space (the state space of a qutrit system). Alternative choices of bases would be the T basis, given by vectors {|00i, |10i, |20i}:

0 1 2iπ |0 i = √ (e 3 |0i + |1i + |2i), 3 0 1 2iπ |1 i = √ (|0i + e 3 |1i + |2i), (5) 3 0 1 2iπ |2 i = √ (|0i + |1i + e 3 |2i), 3

and the K basis, given by vectors {|000i, |100i, |200i}:

1 |000i = √ (|0i + |1i + |2i), 3 00 1 2iπ −2iπ |1 i = √ (|0i + e 3 |1i + e 3 |2i), (6) 3 00 1 −2iπ 2iπ |2 i = √ (|0i + e 3 |1i + e 3 |2i). 3

It is worthwhile noting that other choices of bases are possible [28], however we restrict ourselves to these two bases as they are the natural choice when extending the usual two in qubits based protocols such as BB84 [29] or the semi-quantum ones [1]. It turns out (see section 4) that these two choices are those leading to optimal results in terms of security or key rate.

2.3 (S)QKD security

Any key distribution protocol, being quantum or semi-quantum, operates in two stages. The first, called the quantum communication stage, performs several iterations to agree on a so-called raw key of size N bits. Following this, a classical stage consisting of error correction and privacy amplification is run, resulting in a secret key of size l(N) ≤ N (see [26] for more information on these, now standard, processes). The key rate, r, in the asymptotic scenario is defined as [8,9]

l(N) r = lim . (7) N→∞ N

Based on the observed parameters, we wish to evaluate the key rate expression under a particular attack scenario. Namely, we will consider a symmetric attack modeled by a ternary channel as depicted in Fig. 1. A noisy quantum channel modeled as a ternary channel with parameter is simply the map :

ξ(ρ) = (1 − 3Q)ρ + QI, (8) where I is the identity operator. 4 Hasnaa Hajji, Morad El Baz

3 The Protocol

The protocol we consider in this paper is an extension of the based semi-quantum key distribution (SQKD) protocol introduced in [1] to a three dimensional case (qutrits). Two natural choices (5, 6) for the two bases that Alice is allowed to use emerge as a result of working with qutrits instead of qubits; we study both versions of the protocol. Let Φ1 (respectively Φ2) be the set of six states in the bases A and T (respectively A and K) from which Alice may choose the state to send to Bob:

 0 0 0 Φ1 = |0i, |1i, |2i, |0 i, |1 i, |2 i , (9)  00 00 00 Φ2 = |0i, |1i, |2i, |0 i, |1 i, |2 i . (10)

The steps of the protocol being the same, independently of the choice of bases, we present the protocol in what follows and we delay the distinction between the two cases, to the discussion of the security and the key rate in section 4, for which the choice of bases is crucial.

Fig. 2 3-dimensional SQKD protocol: The fully quantum user, Alice, prepares one of six states from the set φ1,sends it to the classical user, Bob, through the forward channel. Bob either ignores the qutrit and returns it to Alice (R) or performs a measurement on the basis A (M). Through the reverse channel, He sends the measured state to Alice who measures it in the same basis she prepared it initially (A or T basis)

Quantum Communication Stage: The quantum communication stage of the protocol repeats the following single iteration until a sufficiently large raw key is established:

1. Alice, the fully quantum capable user, randomly prepares a qutrit in a state from the set Φi, where i = 1, 2 depending on the version of the protocol adopted. This qutrit is then sent to Bob. 2. Bob, being the classical user, is restricted to randomly choosing to either reflect the qutrit (R) or to measure it in the basis A and then re-sending it in the measured state 1 (henceforward denoted operation M). In this last case, Bob saves the result of his measurement as his potential raw key. However he does not, yet, reveal his choice of operation (R or M). 3. Upon receiving her qutrit back from Bob, Alice will measure it in the same basis she originally used to prepare it in, in step 1. Classical Communication Stage: 4. Using an authenticated classical channel, Alice reveals her choice of basis while Bob reveals his choice of operation (M or R). – If Alice chose the A basis to encode her qutrit and Bob chose to measure and resend it (M), they keep their respective results to form their respective version of the raw key. – Using a randomly chosen sample of this raw key, divulge their measurement results to estimate the noise level in the channel. They may also observe the noise in the K or T (depending on the set chosen for the protocol Φ1 or Φ2) using those iterations where Alice chose to encode her qutrit in the K or a T basis, respectively, while Bob chose to reflect it. 5. Assuming the channel noise is low enough, Alice and Bob perform error correction and privacy amplification, resulting in a secret key.

1 Bob’s qualification as a classical user stems from his inability to use (measure and/or prepare states in) more than one basis, unlike Alice, the fully quantum user, capable of using both the A and K bases (or the A and T bases, based on the version of the protocol adopted). Qutrit-based semi-quantum key distribution protocol 5

4 Security proof against collective attacks

The security of (S)QKD protocols against sophisticated attacks is among the most important issues in quantum . In this section we prove the security of our protocol against a very important class of attacks called collective attacks. In conjunction with that, we bound the von Neumann entropy and the key rate. The final results depend on the choice of the alternative basis Alice uses to encode her qubits, the K or T basis. Both cases will be treated and compared.

4.1 Collective attacks

In collective attacks Eve keeps her ancillary states (or probes) in a till receiving all classical data including error-correction and privacy amplification data, and performs the optimal measurement on her ancillary states (or probes) to learn the maximal information on the final key. Assuming collective attacks, we may employ the Devetak-Winter [8] key rate equation:

r = inf[S(B|E) − H(B|A)], (11) which states that the key rate is the difference between Eve’s uncertainty on Bob’s raw key, S(B|E) (which, for a successful protocol, should be high) and Alice’s uncertainty of Bob’s key, H(B|A) (which should be low). The infimum is over all collective attacks that induce the observed error rates. From this, our main focus in this work is to determine a lower bound on our protocol’s key rate. To do so, we will first describe the quantum system after one successful iteration of the protocol. As is generally the case with the security analysis of any (S)QKD protocol, we assume that Eve is powerful enough to control the natural noise and without loss of generality, we may assume that her ancilla is in some initial state |0iE. Eve’s most general attack comprises two unitary operations: UF attacking qutrits as they go from Alice to Bob (the forward direction) and UR as they go back from Bob to Alice (the reverse direction). So in the collective attack, the state |ai ⊗ |0iE, where |ai is the qutrit’ state sent by Alice to Bob, will be subjected, in the forward channel, to Eve’s unitary transformation operators UF and will yield

UF |0i ⊗ |0iE −−→|0, e0i + |1, e1i + |2, e2i,

UF |1i ⊗ |0iE −−→|0, e3i + |1, e4i + |2, e5i, (12)

UF |2i ⊗ |0iE −−→|0, e6i + |1, e7i + |2, e8i.

On the backward channel, Bob’s qutrit state will be altered by the operation UR and will yield the final global state as follows

UR 0 1 2 |i, eji −−→|0, ei,ji + |1, ei,ji + |2, ei,ji, (13)

k where i = 0, 1, 2, j = 0, 1,..., 8. The vectors |eii and |ei,ji are Eve’s ancillary states, not necessarily normalized nor orthogonal, after the attack on the forward channel and reverse channel respectively. However, due to the unitarity of UF and UR we have

he0|e0i + he1|e1i + he2|e2i = he3|e3i + he4|e4i + he5|e5i = he6|e6i + he7|e7i + he8|e8i = 1, (14)

he0|e3i + he1|e4i + he2|e5i = he3|e6i + he4|e7i + he5|e8i = he0|e6i + he1|e7i + he2|e8i = 0. (15)

Following Eve’s attack, and conditioning on an iteration being used to contribute towards the raw key (i.e Alice sent |0i , |1i or |2i with probability 1/3 each and Bob measured it and resent it), the density operator 6 Hasnaa Hajji, Morad El Baz

describing Bob and Eve’s system after Alice’s measurement is 1  ρ = |0ih0| ⊗ | ihe0 | + |e1 ihe1 | + | ihe2 | + |e0 ihe0 | BE 3 B 0,0 0,0 0,0 0,0 0,0 0,0 0,3 0,3 1 1 2 2 0 0 1 1 2 2  + |e0,3ihe0,3| + |e0,3ihe0,3| + |e0,6ihe0,6| + |e0,6ihe0,6| + |e0,6ihe0,6| 1  + |1ih1| ⊗ |e0 ihe0 | + |e1 ihe1 | + |e2 ihe2 | + |e0 ihe0 | 3 B 1,1 1,1 1,1 1,1 1,1 1,1 1,4 1,4 1 1 2 2 0 0 1 1 2 2  + |e1,4ihe1,4| + |e1,4ihe1,4| + |e1,7ihe1,7| + |e1,7ihe1,7| + |e1,7ihe1,7| 1  + |2ih2| ⊗ |e0 ihe0 | + |e1 ihe1 | + |e2 ihe2 | + |e0 ihe0 | 3 B 2,2 2,2 2,2 2,2 2,2 2,2 2,5 2,5 1 1 2 2 0 0 1 1 2 2  + |e2,5ihe2,5| + |e2,5ihe2,5| + |e2,8ihe2,8| + |e2,8ihe2,8| + |e2,8ihe2,8| . (16)

This state will be used next, to bound the von Neumann entropy in equation (11).

4.2 Bounding the von Neumann entropy

Our goal in the remainder of the security proof is to bound the von Neumann Entropy S(B|E). However, due to the higher dimension of the system, this might prove to be a difficult task. To overcome this, we will employ a technique proposed in [27] and also used in [11]. This technique requires to condition on an additional random variable C, in order to simplify the entropy computations. Owing to the strong sub-additivity of the von Neumann entropy, for any tripartite system, it holds that

S(B|E) ≥ S(B|EC) =⇒ S(B|E) − H(B|A) ≥ S(B|EC) − H(B|A), (17) thus supplying us with a lower bound on the key rate of this protocol. The system, c, we append will be in a four-dimensional space, spanned by {|c, 0i, |c, 1i, |w, 1i, |w, 2i} where |c, iihc, i| is the event that Alice and Bob’s raw key bits match (i.e. are correct), and that the qutrit sent from Alice was flipped i times, while |w, iihw, i| denotes the event where their raw key bits don’t match (i.e. are wrong). Incorporating this system, we can rewrite the global state system (16) as 1 ρ = |0ih0| ⊗ (|e0 ihe0 | ⊗ |c, 0ihc, 0| + |e1 ihe1 | ⊗ |w, 1ihw, 1| + |e2 ihe2 | ⊗ |w, 1ihw, 1| BEC 3 B 0,0 0,0 0,0 0,0 0,0 0,0 0 0 1 1 2 2 + |e0,3ihe0,3| ⊗ |c, 1ihc, 1| + |e0,3ihe0,3| ⊗ |w, 2ihw, 2| + |e0,3ihe0,3| ⊗ |w, 2ihw, 2| 0 0 1 1 2 2 + |e0,6ihe0,6| ⊗ |c, 1ihc, 1| + |e0,6ihe0,6| ⊗ |w, 2ihw, 2| + |e0,6ihe0,6| ⊗ |w, 2ihw, 2|) 1 + |1ih1| ⊗ (|e0 ihe0 | ⊗ |w, 2ihw, 2| + |e1 ihe1 | ⊗ |c, 1ihc, 1| + |e2 ihe2 | ⊗ |w, 2ihw, 2| 3 B 1,1 1,1 1,1 1,1 1,1 1,1 0 0 1 1 2 2 + |e1,4ihe1,4| ⊗ |w, 1ihw, 1| + |e1,4ihe1,4| ⊗ |c, 0ihc, 0| + |e1,4ihe1,4| ⊗ |w, 1ihw, 1| 0 0 1 1 2 2 + |e1,7ihe1,7| ⊗ |w, 2ihw, 2| + |e1,7ihe1,7| ⊗ |c, 1ihc, 1| + |e1,7ihe1,7| ⊗ |w, 2ihw, 2|) 1 + |2ih2| ⊗ (|e0 ihe0 | ⊗ |w, 2ihw, 2| + |e1 ihe1 | ⊗ |w, 2ihw, 2| + |e2 ihe2 | ⊗ |c, 1ihc, 1| 3 B 2,2 2,2 2,2 2,2 2,2 2,2 0 0 1 1 2 2 + |e2,5ihe2,5| ⊗ |w, 2ihw, 2| + |e2,5ihe2,5| ⊗ |w, 2ihw, 2| + |e2,5ihe2,5| ⊗ |c, 1ihc, 1| 0 0 1 1 2 2 + |e2,8ihe2,8| ⊗ |w, 1ihw, 1| + |e2,8ihe2,8| ⊗ |w, 1ihw, 1| + |e2,8ihe2,8| ⊗ |c, 0ihc, 0|). (18)

Let pi,j,k denote the probability that Alice initially sends the state |ii, Bob finds the results |ji when measuring it and Alice finds |ki when measuring the qutrit returned by Bob. If there is no noise in the A basis (which is what we are going to assume for now), it should hold that p0,0,0 = p1,1,1 = p2,2,2 = 1. These a a probabilities can be used to estimate the value heb,c|eb,ci as follows:

0 0 0 0 0 0 p0,0,0 = he0,0|e0,0i p1,0,0 = he0,3|e0,3i p2,0,0 = he0,6|e0,6i

1 1 1 1 1 1 p0,0,1 = he0,0|e0,0i p1,0,1 = he0,3|e0,3i p2,0,1 = he0,6|e0,6i 2 2 2 2 2 2 p0,0,2 = he0,0|e0,0i p1,0,2 = he0,3|e0,3i p2,0,2 = he0,6|e0,6i Qutrit-based semi-quantum key distribution protocol 7

0 0 0 0 0 0 p0,1,0 = he1,1|e1,1i p1,1,0 = he1,4|e1,4i p2,1,0 = he1,7|e1,7i

1 1 1 1 1 1 p0,1,1 = he1,1|e1,1i p1,1,1 = he1,4|e1,4i p2,1,1 = he1,7|e1,7i

2 2 2 2 2 2 p0,1,2 = he1,1|e1,1i p1,1,2 = he1,4|e1,4i p2,1,2 = he1,7|e1,7i

0 0 0 0 0 0 p0,2,0 = he2,2|e2,2i p1,2,0 = he2,5|e2,5i p2,2,0 = he2,8|e2,8i

1 1 1 1 1 1 p0,2,1 = he2,2|e2,2i p1,2,1 = he2,5|e2,5i p2,2,1 = he2,8|e2,8i

2 2 2 2 2 2 p0,2,2 = he2,2|e2,2i p1,2,2 = he2,5|e2,5i p2,2,2 = he2,8|e2,8i. (19)

Given ρBEC , we may easily compute S(B|EC) = S(BEC) − S(EC) now using the above notations. Indeed, it is easy to see that

1 1 1 S(BEC) = S(ρ ) = H( p , p , ..., p ). (20) BEC 3 0,0,0 3 0,0,1 3 2,2,2 Next, to compute S(EC), let us introduce the following notations

0 0 1 1 2 2 σ1 = |e0,0ihe0,0| + |e1,4ihe1,4| + |e2,8ihe2,8| 0 0 0 0 1 1 1 1 2 2 2 2 σ2 = |e0,3ihe0,3| + |e0,6ihe0,6| + |e1,1ihe1,1| + |e1,7ihe1,7| + |e2,2ihe2,2| + |e2,5ihe2,5| 1 1 2 2 0 0 2 2 0 0 1 1 σ3 = |e0,0ihe0,0| + |e0,0ihe0,0| + |e1,4ihe1,4| + |e1,4ihe1,4| + |e2,8ihe2,8| + |e2,8ihe2,8| 1 1 2 2 1 1 2 2 0 0 2 2 σ4 = |e0,3ihe0,3| + |e0,3ihe0,3| + |e0,6ihe0,6| + |e0,6ihe0,6| + |e1,1ihe1,1| + |e1,1ihe1,1| 0 0 2 2 0 0 1 1 0 0 1 1 +|e1,7ihe1,7| + |e1,7ihe1,7| + |e2,2ihe2,2| + |e2,2ihe2,2| + |e2,5ihe2,5| + |e2,5ihe2,5| (21)

Furthermore, we define tj = trσj > 0, for all j = 1, 2, 3, 4 with t1 representing the total probability that there is no error between Alice and Bob in both channels (forward and backward), t2 the total probability that there is an error in the forward channel, t3 the total probability that there is an error in the backward channel and t4 is the total probability that there is an error in both channels (forward and backward). We can write the normalized, positive, semi-definite operators now asσ ˜j = σj/tj. Using this notations, tracing out Bob’s state from the density operator ρBEC in (18) yields 1 1 1 1 ρ = ( t σ˜ ) ⊗ |c, 0ihc, 0| + ( t σ˜ ) ⊗ |c, 1ihc, 1| + ( t σ˜ ) ⊗ |w, 1ihw, 1| + ( t σ˜ ) ⊗ |w, 2ihw, 2|. (22) EC 3 1 1 3 2 2 3 3 3 3 4 4

Applying Lemma 1 at this point will allow us to write S(EC) as

4 1 1 1 X S(EC) = S(ρ ) = H( t , ..., t ) + t S(σ ˜ ). (23) EC 3 1 3 4 3 j j j=1

A lower bound on the key rate equation (11), requires an upper bound on S(EC), which we can find easily using (23): 1 1 1 1  1 1 S(EC) ≤ H t , t , t , t + (t + t + t ) + t S(σ ˜ ). (24) 3 1 3 2 3 3 3 4 3 2 3 4 3 1 1

Evidently if the noise of the quantum channel is low, then pi,j,k should be low except for p0,0,0, p1,1,1 and p2,2,2 that should be high. Next we introduce a new basis {|ai, |bi, |ci} and without loss of generality, we write

0 |e0,0i = χ|ai + σ|bi + ρ|ci, 1 √ |e1,4i = p1,1,1|ci, (25) 2 √ |e2,8i = p2,2,2|ci, (26)

where ha|ai = hb|bi = hc|ci = 1, ha|bi = hb|ci = ha|ci = 0, and χ, σ, ρ ∈ C. This further implies

2 2 2 0 0 |χ| + |σ| + |ρ| = he0,0|e0,0i = p0,0,0. 8 Hasnaa Hajji, Morad El Baz

In this basis, we may writeσ ˜1 as

 |χ|2 χσ∗ χρ∗  1 ∗ 2 ∗ σ˜1 =  σχ |σ| σρ  . p0,0,0 + p1,1,1 + p2,2,2 ∗ ∗ 2 ρχ ρσ p1,1,1 + p2,2,2 + |ρ|

After some algebraic manipulation, the eigenvalues ofσ ˜1, denoted λ˜0, λ˜1 and λ˜2 can be found:

λ˜0 = 0, (27)

q 2 2 2 1 4p + p0,0,0 − 2p0,0,0p1,1,1 + p1,1,1 − 2p0,0,0p2,2,2 − 2p1,1,1p2,2,2 + p2,2,2 λ˜1 = + , (28) 2 2(p0,0,0 + p1,1,1 + p2,2,2) q 2 2 2 1 4p + p0,0,0 − 2p0,0,0p1,1,1 + p1,1,1 − 2p0,0,0p2,2,2 − 2p1,1,1p2,2,2 + p2,2,2 λ˜2 = − , (29) 2 2(p0,0,0 + p1,1,1 + p2,2,2)

0 1 2 0 2 2 1 2 2 where p = |he0,0|e1,4i| + |he0,0|e2,8i| + |he1,4|e2,8i| . Incorporating everything together yields the following upper bound on S(EC)

1 1 1 1  1 1 S(EC) ≤ H t , t , t , t + (t + t + t ) + t S(λ˜ ) + S(λ˜ ) . (30) 3 1 3 2 3 3 3 4 3 2 3 4 3 1 1 2 At first glance, estimating this upper bound based on the expressions of the eigenvalues (28,29) depend on the values pi,j,k but also on the quantity p which cannot be directly observed. However, by using the error rate in the alternative basis (T or K depending on the protocol adopted), Alice and Bob may determine bounds on these quantities.

4.3 Estimating the T basis noise:

In order to estimate the channel noise in the basis T we need to bound the quantity p defined above. For this, we will consider those iterations where Alice choose to encode her qutrit in the basis T (i.e. she sends the state |00i, |10i or |20i), Bob chooses to reflect, and Alice measures in the basis T . First, we note that the inner product is bounded as follows

0 1 2 2 0 1 |he0,0|e1,4i| ≥ Re (he0,0|e1,4i), and similarly for the others, 0 2 2 2 0 2 |he0,0|e2,8i| ≥ Re (he0,0|e2,8i) and 1 2 2 2 1 2 |he1,4|e2,8i| ≥ Re (he1,4|e2,8i). 2 0 1 2 0 2 2 1 2 To upper-bound S(EC) requires a lower bound on the quantities Re (he0,0|e1,4i)+Re (he0,0|e2,8i)+Re (he1,4|e2,8i). Since Bob chooses the operation R, the two way quantum channel becomes, essentially, a one way channel with Eve attacking through the unitary operator V = URUF . As before, assuming, without loss of generality, that Eve’s ancilla is cleared to the zero state |0iE, thus her action on basis states can be described as follows:

V |0, 0i = UR(|0, e0i + |1, e1i + |2, e2i) 0 0 0 1 1 1 2 2 2 = |0i ⊗ (|e0,0i + |e1,1i + |e2,2i) +|1i ⊗ (|e0,0i + |e1,1i + |e2,2i) +|2i ⊗ (|e0,0i + |e1,1i + |e2,2i) | {z } | {z } | {z } |f0i |f1i |f2i

= |0, f0i + |1, f1i + |2, f2i; (31)

V |1, 0i = UR(|0, e3i + |1, e4i + |2, e5i) 0 0 0 1 1 1 2 2 2 = |0i ⊗ (|e0,3i + |e1,4i + |e2,5i) + |1i ⊗ (|e0,3i + |e1,4i + |e2,5i) + |2i ⊗ (|e0,3i + |e1,4i + |e2,5i)

= |0, f3i + |1, f4i + |2, f5i; (32) Qutrit-based semi-quantum key distribution protocol 9

V |2, 0i = UR(|0, e6i + |1, e7i + |2, e8i) 0 0 0 1 1 1 2 2 2 = |0i ⊗ (|e0,6i + |e1,7i + |e2,8i) + |1i ⊗ (|e0,6i + |e1,7i + |e2,8i) + |2i ⊗ (|e0,6i + |e1,7i + |e2,8i)

= |0, f6i + |1, f7i + |2, f8i. (33)

The unitarity of UF and UR allows to obtain

hf0|f0i + hf1|f1i + hf2|f2i = hf3|f3i + hf4|f4i + hf5|f5i = hf6|f6i + hf7|f7i + hf8|f8i = 1, (34)

hf0|f3i + hf1|f4i + hf2|f5i = hf3|f6i + hf4|f7i + hf5|f8i = hf0|f6i + hf1|f7i + hf2|f8i = 0.

On the other hand, using its linearity we can describe the action of V on the basis T :

0 0 0 0 V |0 , 0i = |0 , g0i + |1 , g1i + |2 , g2i, 0 0 0 0 V |1 , 0i = |0 , g3i + |1 , g4i + |2 , g5i, (35) 0 0 0 0 V |2 , 0i = |0 , g6i + |1 , g7i + |2 , g8i.

Here we have introduced the following states

1 2iπ 2iπ −2iπ −2iπ |g i = (|f i + e 3 |f i + e 3 |f i + e 3 |f i + |f i + |f i + e 3 |f i + |f i + |f i) 0 3 0 1 2 3 4 5 6 7 8 1 2iπ 2iπ −2iπ −2iπ |g i = (e 3 |f i + |f i + e 3 |f i + |f i + e 3 |f i + |f i + |f i + e 3 |f i + |f i) 1 3 0 1 2 3 4 5 6 7 8 1 2iπ 2iπ −2iπ −2iπ |g i = (e 3 |f i + e 3 |f i + |f i + |f i + |f i + e 3 |f i + |f i + |f i + e 3 |f i) 2 3 0 1 2 3 4 5 6 7 8 1 −2iπ 2iπ 2iπ −2iπ |g i = (e 3 |f i + |f i + |f i + |f i + e 3 |f i + e 3 |f i + e 3 |f i + |f i + |f i) 3 3 0 1 2 3 4 5 6 7 8 1 −2iπ 2iπ 2iπ −2iπ |g i = (|f i + e 3 |f i + |f i + e 3 |f i + |f i + e 3 |f i + |f i + e 3 |f i + |f i) (36) 4 3 0 1 2 3 4 5 6 7 8 1 −2iπ 2iπ 2iπ −2iπ |g i = (|f i + |f i + e 3 |f i + e 3 |f i + e 3 |f i + |f i + |f i + |f i + e 3 |f i) 5 3 0 1 2 3 4 5 6 7 8 1 −2iπ −2iπ 2iπ 2iπ |g i = (e 3 |f i + |f i + |f i + e 3 |f i + |f i + |f i + |f i + e 3 |f i + e 3 |f i) 6 3 0 1 2 3 4 5 6 7 8 1 −2iπ −2iπ 2iπ 2iπ |g i = (|f i + e 3 |f i + |f i + |f i + e 3 |f i + |f i + e 3 |f i + |f i + e 3 |f i) 7 3 0 1 2 3 4 5 6 7 8 1 −2iπ −2iπ 2iπ 2iπ |g i = (|f i + |f i + e 3 |f i + |f i + |f i + e 3 |f i + e 3 |f i + e 3 |f i + |f i) 8 3 0 1 2 3 4 5 6 7 8

0 0 Consider hg1|g1i the probability that Alice measures |1 i if she originally sent |0 i (i.e. the probability p0010 ) 0 0 and hg2|g2i the probability that Alice measures |2 i if she originally sent |0 i (i.e. the probability p0020 ). hg3|g3i, hg5|g5i, hg6|g6i, and hg7|g7i may be defined in a similar manner, namely by using respectively p1000 , p1020 , p2000 , and p2010 . These quantities, which Alice will estimate in the parameter estimation stage, represent the error Eve’s attack induces in the T basis. These expressions are cumbersome, and are displayed in equations (A.46-A.51) in appendix A. Introducing the following notation

( 2 X if Xφ ≥ 0 S = φ1 1 , (37) 0 otherwise where 0 1 0 2 1 2 Xφ1 = Re(he0,0|e1,4i) + Re(he0,0|e2,8i) + Re(he1,4|e2,8i), (38) 0 1 using the lower bound, on this last quantity, derived in (A.52) in appendix A and the fact that p = |he0,0|e1,4i+ 0 2 1 2 2 he0,0|e2,8i + he1,4|e2,8i| ≥ S, allow us to lower bound p thus upper bound the von Neumann entropy S(EC) and ultimately allow us to find a lower bound on the conditional entropy S(B|EC) in (17). 10 Hasnaa Hajji, Morad El Baz

4.4 Estimating the K basis noise:

In case the protocol is carried out with Alice allowed to choosing her states from set Φ2, the noise in the K basis can be estimated following the same procedure as in the previous subsection. As a matter of fact, the quantity 0 1 2 0 2 2 1 2 2 p = |he0,0|e1,4i| + |he0,0|e2,8i| + |he1,4|e2,8i| can be bound by considering those instances where Alice initially sends, then measures in the K basis while Bob chooses to reflect the qutrit. In this case, Bob’s operation is essentially the identity operator, and Eve’s action is again the unitary operation V = URUF . Using the linearity of V and the actions of the operators UF and UR (12,13) we write Eve’s effect on the K basis’ states and get equations similar to (31-33) (recall that Eve’s ancilla is cleared to the zero state |0iE):

00 00 00 00 V |0 , 0i = |0 , h0i + |1 , h1i + |2 , h2i, 00 00 00 00 V |1 , 0i = |0 , h3i + |1 , h4i + |2 , h5i, (39) 00 00 00 00 V |2 , 0i = |0 , h6i + |1 , h7i + |2 , h8i, where:

1 −2iπ 2iπ −2iπ 2iπ −2iπ 2iπ |h i = (|f i + e 3 |f i + e 3 |f i + |f i + e 3 |f i + e 3 |f i + |f i + e 3 |f i + e 3 |f i) 1 3 0 1 2 3 4 5 6 7 8 1 2iπ −2iπ 2iπ −2iπ 2iπ −2iπ |h i = (|f i + e 3 |f i + e 3 |f i + |f i + e 3 |f i + e 3 |f i + |f i + e 3 |f i + e 3 |f i) 2 3 0 1 2 3 4 5 6 7 8 1 2iπ 2iπ 2iπ −2iπ −2iπ −2iπ |h3i = (|f0i + |f1i + |f2i + e 3 |f3i + e 3 |f4i + e 3 |f5i + e 3 |f6i + e 3 |f7i + e 3 |f8i) 3 (40) 1 2iπ −2iπ 2iπ −2iπ −2iπ 2iπ |h i = (|f i + e 3 |f i + e 3 |f i + e 3 |f i + e 3 |f i + |f i + e 3 |f i + |f i + e 3 |f i) 5 3 0 1 2 3 4 5 6 7 8 1 −2iπ −2iπ −2iπ 2iπ 2iπ 2iπ |h i = (|f i + |f i + |f i + e 3 |f i + e 3 |f i + e 3 |f i + e 3 |f i + e 3 |f i + e 3 |f i) 6 3 0 1 2 3 4 5 6 7 8 1 −2iπ 2iπ −2iπ 2iπ 2iπ −2iπ |h i = (|f i + e 3 |f i + e 3 |f i + e 3 |f i + e 3 |f i + |f i + e 3 |f i + |f i + e 3 |f i) 7 3 0 1 2 3 4 5 6 7 8

here we have omitted showing |h0i, |h4i and |h8i as they are irrelevant for the calculations afterwards.  00 00 Alone the same lines as in the previous subsection we introduce the probabilities pi00j00 for i , j = 000, 100, 200 , the probability that Alice measures the returned qutrit in the state |j00i when she originally prepared it in the state |i00i. The expressions of these probabilities are given by equations (B.53-B.58) in appendix B. Introducing notation adapted for this protocol as

( 2 X if Xφ ≥ 0 S = φ2 2 , (41) 0 otherwise with 0 1 0 2 1 2 Xφ2 = Re(he0,0|e1,4i) + Re(he0,0|e2,8i) + Re(he1,4|e2,8i). (42) The lower bound on this quantity is shown in equation (B.59) in appendix B and this allow us to place a lower bound on the conditional entropy S(B|EC) in (17).

4.5 Final Key Rate Bound

After parameter estimation, computing H(B|A) = H(B,A) − H(A), is straightforward. Indeed, let p(b, a) be the probability that Bob’s trit is b while Alice’s is a. These probabilities are given by

1 2 2 p(0, 0) = (p + p + p ) p(0, 1) = (p + p + p ) p(0, 2) = (p + p + p ) 3 000 100 200 3 001 101 201 3 002 102 202 2 1 2 p(1, 0) = (p + p + p ) p(1, 1) = (p + p + p ) p(1, 2) = (p + p + p ) (43) 3 010 110 210 3 011 111 211 3 012 112 212 2 2 1 p(2, 0) = (p + p + p ) p(2, 1) = (p + p + p ) p(2, 2) = (p + p + p ) 3 020 120 220 3 021 121 221 3 022 122 222 Qutrit-based semi-quantum key distribution protocol 11

Also, let pA(0) be the probability that Alice’s trit is zero, pA(1) and pA(2) be the probability that it is one, and two respectively. Then we have 1 2 2 2 1 2 1 2 2 p (0) = p + p + p + p + p + p + p + p + p A 3 000 3 010 3 020 3 110 3 100 3 120 3 200 3 210 3 220 2 1 2 2 1 2 2 1 2 p (1) = p + p + p + p + p + p + p + p + p (44) A 3 001 3 011 3 021 3 101 3 111 3 121 3 201 3 211 3 221 2 2 1 2 2 1 2 2 1 p (2) = p + p + p + p + p + p + p + p + p A 3 002 3 012 3 022 3 102 3 112 3 122 3 202 3 212 3 222 Putting everything together, the key rate bound is found to be 1 1 1 1 1 1 1  1 r ≥H( p , p , ..., p ) − H t , t , t , t − (t + t + t ) 3 0,0,0 3 0,0,1 3 2,2,2 3 1 3 2 3 3 3 4 3 2 3 4 1 (45) − t H(λ˜ ) + H(λ˜ ) + H(p (0), p (1), p (2)) 3 1 1 2 A A A − H(p(0, 0), p(0, 1), p(0, 2), p(1, 0), p(1, 1), p(1, 2), p(2, 0), p(2, 1), p(2, 2)).

In this equation, the λ˜’s from equations (28) and (29) are functions of S, depending only on the parameters that Alice and Bob will estimate.

4.6 General Attacks

In the above, we considered only one attack termed as a collective attack. However, the protocol considered in this paper may be made permutation invariant, by permuting the raw key using a random permutation chosen publicly. In this context, the security of a (S)QKD scheme against general attacks follows directly from its security against collective attacks (see [24,25] ). Thus, in the asymptotic scenario, our key rate bound will still be the same.

4.7 Results and discussion

To evaluate the key-rate (45), we consider two common forms of channel attacks (noise), independent channel and dependent channel. For the former, we assume that Qindep = 2Q(2−3Q)(i.e. the T or K basis noise observed when the qutrit travels through both channels whenever Bob chooses Reflect). In the later, the observed T or K basis noise is simply Q (i.e. Qdep = Q ). The behavior of the lower bound of the key rate r as a function of the parameter Q for the 3-dimensional SQKD protocol, when Alice is choosing her qutrit states from the set Φ2, is shown in Figure 3. In the first case (the independent channel) the key rate is positive for all Q≤ 3%. In the second case (the dependent channel), the key rate remains positive for all Q≤ 4.2%. The same behavior when Alice chooses her states from the set Φ1, is shown in Figure 4. In this graph, we observe that the maximal noise tolerance for a dependent channel is 19.1% and it drops to 6.1% for an independent channel. Interestingly, the Φ1-SQKD protocol gives higher key rate than the Φ2-SQKD protocol. Moreover, when QT = Q, the noise tolerance of our protocol is higher than the 5.34% allowed by the 2-dimensional SQKD protocol [11]. It is also higher than the noise tolerance of the QKD protocol which can tolerate up to 15% noise [23]. This shows that the high dimensional advantage, known for fully quantum protocols, carries also to the semi-quantum models.

5 Conclusions

It has been identified that in Quantum key distribution, higher dimension not only enhances the key rate but it is also known to be more resilient to errors. Motivated by this we try to understand whether this is the case for Semi quantum key distribution protocols as well. In this direction, we presented a security analysis of a 3-dimensional semi quantum protocol based on two mutually unbiased bases. In this paper, we have provided a proof of unconditional security for a semi-quantum key distribution protocol based on 3-dimensional quantum states using the technique of conditioning on the additional random 12

Fig. 3 Lower bound on the key rate for the Φ2-SQKD pro- Fig. 4 The key rate for the Φ1-SQKD protocol as a func- tocol as a function of the noise Q. The dashed line represents tion of the noise Q. For the dashed line, We consider QT = the independent channel, whereas the solid line shows the 2Q(2−3Q) (independent channel), whereas for the solid line, dependent channel. we consider QT = Q (dependent channel)

variable. We have proved the security of the protocol against collective attacks and argued that it is valid for more general attacks. Moreover, we have derived a lower bound on the key rate, in the asymptotic scenario, as function only of the quantum channel’s noise (a parameter that may be estimated by Alice and Bob). In order to evaluate its lower bound we have considered the most common forms of channels; namely the independent channel and dependent channel. Our results show that 3d-SQKD undoubtedly provides better security than the original qubit SQKD. Thus, similar to the fully quantum key distribution protocol, moving to higher dimensions is advantageous in the case of semi-quantum key distribution protocol. It will be interesting to study how the protocol carries out if we move to even higher dimensions and considering a d-dimensional version of the protocol.

Acknowledgements

This work has been supported by the National Center for Scientific and Technical Research (CNRST). The authors would like to thank W. O. Krawec for fruitful discussions and help on his original work.

Appendices

A Bounding the entropy in the T basis

From equation (36) one can find the expressions of the quantities pi0j0 :

p0010 =hg1|g1i 1 1 = + Re(hf3|f1i + hf5|f1i + hf6|f1i + hf8|f1i + hf1|f3i + hf5|f3i + hf8|f3i + hf1|f5i 3 9 + hf3|f5i + hf6|f5i + hf1|f6i + hf5|f6i + hf8|f6i + hf1|f8i + hf3|f8i + hf6|f8i + hf2|f0i + hf0|f2i) 1 −2iπ + e 3 Re(hf0|f1i + hf2|f1i + hf2|f3i + hf0|f5i + hf2|f6i + hf0|f8i + hf4|f0i + hf7|f0i (A.46) 9 + hf4f2i + hf7|f2i + hf3|f4i + hf5|f4i + hf6|f4i + hf8|f4i + hf3|f7i + hf5|f7i + hf6|f7i + hf8|f7i) 1 2iπ + e 3 Re(hf4|f3i + hf7|f3i + hf4|f5i + hf7|f5i + hf4|f6i + hf7|f6i + hf4|f8i + hf7|f8i + hf1|f0i 9 + hf5|f0i + hf8|f0i + hf1|f2i + hf3|f2i + hf6|f2i + hf0|f4i + hf2|f4i + hf0|f7i + hf2|f7i) 13

p0020 =hg2|g2i 1 1 = + Re(hf1|f0i + hf0|f1i + hf3|f2i + hf4|f2i + hf6|f2i + hf7|f2i + hf2|f3i + hf4|f3i 3 9 + hf7|f3i + hf2|f4i + hf3|f4i + hf6|f4i + hf2|f6i + hf4|f6i + hf7|f6i + hf2|f7i + hf3|f7i + hf6|f7i) 1 2iπ + e 3 Re(hf2|f0i + hf4|f0i + hf7|f0i + hf2|f1i + hf3|f1i + hf6|f1i + hf5|f3i + hf8|f3i (A.47) 9 + hf5f4i + hf8|f4i + hf0|f5i + hf1|f5i + hf5|f6i + hf8|f6i + hf5|f7i + hf8|f7i + hf0|f8i + hf1|f8i) 1 −2iπ + e 3 Re(hf5|f0i + hf8|f0i + hf5|f1i + hf8|f1i + hf0|f2i + hf1|f2i + hf1|f3i + hf0|f4i + hf3|f5i 9 + hf4|f5i + hf6|f5i + hf7|f5i + hf1|f6i + hf0|f7i + hf3|f8i + hf4|f8i + hf6|f8i + hf7|f8i)

p1000 =hg3|g3i 1 1 = + Re(hf2|f1i + hf3|f1i + hf8|f1i + hf1|f2i + hf3|f2i + hf7|f2i + hf1|f3i + hf2|f3i 3 9 + hf7|f3i + hf8|f3i + hf5|f4i + hf4|f5i + hf2|f7i + hf3|f7i + hf8|f7i + hf1|f8i + hf3|f8i + hf7|f8i) 1 −2iπ + e 3 Re(hf1|f0i + hf2|f0i + hf7|f0i + hf8|f0i + hf5|f1i + hf4|f2i + hf4|f3i + hf5|f3i (A.48) 9 + hf0|f4i + hf6|f4i + hf0|f5i + hf6|f5i + hf1|f6i + hf2|f6i + hf7|f6i + hf8|f6i + hf5|f7i + hf4|f8i) 1 2iπ + e 3 Re(hf4|f0i + hf5|f0i + hf0|f1i + hf6|f1i + hf0|f2i + hf6|f2i + hf2|f4i + hf3|f4i + hf8|f4i 9 + hf1|f5i + hf3|f5i + hf7|f5i + hf4|f6i + hf5|f6i + hf0|f7i + hf6|f7i + hf0|f8i + hf6|f8i)

p1020 =hg5|g5i 1 1 = + Re(hf1|f0i + hf5|f0i + hf7|f0i + hf0|f1i + hf5|f1i + hf6|f1i + hf4|f3i + hf3|f4i + hf0|f5i + hf1|f5i 3 9 + hf6|f5i + hf7|f5i + hf1|f6i + hf5|f6i + hf7|f6i + hf0|f7i + hf5|f7i + hf6|f7i) 1 −2iπ + e 3 Re(hf4|f0i + hf3|f1i + hf0|f2i + hf1|f2i + hf6|f2i + hf7|f2i + hf2|f3i + hf8|f3i (A.49) 9 + hf2|f4i + hf8|f4i + hf3|f5i + hf4|f5i + hf4|f6i + hf3|f7i + hf0|f8i + hf1|f8i + hf6|f8i + hf7|f8i) 1 2iπ + e 3 Re(hf2|f0i + hf8|f0i + hf2|f1i + hf8|f1i + hf3|f2i + hf4|f2i + hf1|f3i + hf5|f3i + hf7|f3i 9 + hf0|f4i + hf5|f4i + hf6|f4i + hf2|f6i + hf8|f6i + hf2|f7i + hf8|f7i + hf3|f8i + hf4|f8i)

p2000 =hg6|g6i 1 1 = + Re(hf2|f1i + hf5|f1i + hf6|f1i + hf1|f2i + hf4|f2i + hf6|f2i + hf2|f4i + hf5|f4i 3 9 + hf6|f4i + hf1|f5i + hf4|f5i + hf6|f5i + hf1|f6i + hf2|f6i + hf4|f6i + hf5|f6i + hf8|f7i + hf7|f8i) 1 −2iπ + e 3 Re(hf1|f0i + hf2|f0i + hf4|f0i + hf5|f0i + hf8|f1i + hf7|f2i + hf1|f3i + hf2|f3i (A.50) 9 + hf4|f3i + hf5|f3i + hf8|f4i + hf7|f5i + hf7|f6i + hf8|f6i + hf0|f7i + hf3|f7i + hf0|f8i + hf3|f8i) 1 2iπ + e 3 Re(hf7|f0i + hf8|f0i + hf0|f1i + hf3|f1i + hf0|f2i + hf3|f2i + hf7|f3i + hf8|f3i + hf0|f4i + hf3|f4i 9 + hf0|f5i + hf3|f5i + hf0|f6i + hf1|f7i + hf2|f7i + hf5|f7i + hf6|f7i + hf1|f8i + hf2|f8i + hf4|f8i + hf6|f8i)

p2010 =hg7|g7i 1 1 = + Re(hf2|f0i + hf5|f0i + hf7|f0i + hf0|f2i + hf3|f2i + hf7|f2i + hf0|f3i + hf2|f3i + hf5|f3i + hf7|f3i 3 9 + hf1|f4i + hf0|f5i + hf2|f5i + hf3|f5i + hf7|f5i + hf8|f6i + hf0|f7i + hf2|f7i + hf3|f7i + hf5|f7i + hf6|f8i) 1 −2iπ + e 3 Re(hf8|f0i + hf0|f1i + hf2|f1i + hf3|f1i + hf5|f1i + hf6|f2i + hf8|f3i + hf0|f4i (A.51) 9 + hf2|f4i + hf3|f4i + hf5|f4i + hf6|f5i + hf1|f6i + hf4|f6i + hf6|f7i + hf8|f7i + hf1|f8i + hf4|f8i) 1 2iπ + e 3 Re(hf1|f0i + hf4|f0i + hf6|f1i + hf8|f1i + hf1|f2i + hf4|f2i + hf1|f3i + hf4|f3i + hf6|f4i 9 + hf8|f4i + hf1|f5i + hf4|f5i + hf2|f6i + hf5|f6i + hf7|f6i + hf0|f8i + hf3|f8i + hf7|f8i) 14

From this, and after some algebraic manipulation, it follows from Cauchy-Schwarz’s inequality that the quantity Xφ1 = 0 1 0 2 1 2 Re(he0,0|e1,4i) + Re(he0,0|e2,8i) + Re(he1,4|e2,8i) can bounded as follows

3 X ≥ 3 − (p 0 0 + p 0 0 + p 0 0 + p 0 0 + p 0 0 + p 0 0 ) φ1 2 0 1 0 2 1 0 1 2 2 0 2 1 1 √ √ √ √ √ + ( p001p102 + p011p102 + p021p102 + p001p112 + p011p112 2 √ √ √ √ √ + p021p112 + p001p122 + p011p122 + p021p122 + p001p200 √ √ √ √ √ + p011p200 + p021p200 + p001p210 + p011p210 + p021p210 √ √ √ √ √ + p001p220 + p011p220 + p021p220 + p002p100 + p012p100 √ √ √ √ √ + p022p100 + p002p110 + p012p110 + p022p110 + p002p120 √ √ √ √ √ + p012p120 + p022p120 + p002p201 + p012p201 + p022p201 √ √ √ √ √ + p002p211 + p012p211 + p022p211 + p002p221 + p012p221 √ √ √ √ √ (A.52) + p022p221 + p100p201 + p110p201 + p120p201 + p100p211 √ √ √ √ √ + p110p211 + p120p211 + p100p221 + p110p221 + p120p221 √ √ √ √ √ + p102p200 + p112p200 + p122p200 + p102p210 + p112p210 √ √ √ √ + p122p210 + p102p220 + p112p220 + p122p220) √ √ √ √ √ − ( p000p101 + p010p101 + p020p101 + p010p111 + p020p111 √ √ √ √ √ + p000p121 + p010p121 + p020p121 + p000p202 + p010p202 √ √ √ √ √ + p020p202 + p000p212 + p010p212 + p020p212 + p010p222 √ √ √ √ √ + p020p222 + p101p202 + p111p202 + p121p202 + p101p212 √ √ √ √ + p111p212 + p121p212 + p101p222 + p121p222).

B Bounding the entropy in the K basis

From equation (40) one can find the expressions of the quantities pi00j00 :

p000100 =hh1|h1i 1 1 2iπ = + e 3 Re(hf1|f0i + hf4|f0i + hf7|f0i + hf2|f1i + hf5|f1i + hf8|f1i + hf0|f2i + hf3|f2i 3 9 + hf6f2i + hf1|f3i + hf4|f3i + hf7|f3i + hf2|f4i + hf5|f4i + hf8|f4i + hf0|f5i + hf3|f5i + hf6|f5i

+ hf1|f6i + hf4|f6i + hf7|f6i + hf2|f7i + hf5|f7i + hf8|f7i + hf0|f8i + hf3|f8i + hf6|f8i) (B.53) 1 −2iπ + e 3 Re(hf2|f0i + hf5|f0i + hf8|f0i + hf0|f1i + hf3|f1i + hf6|f1i + hf1|f2i + hf4|f2i + hf7|f2i 9 + hf2|f3i + hf5|f3i + hf8|f3i + hf0|f4i + hf3|f4i + hf6|f4i + hf1|f5i + hf4|f5i + hf7|f5i

+ hf2|f6i + hf5|f6i + hf8|f6i + hf0|f7i + hf3|f7i + hf6|f7i + hf1|f8i + hf4|f8i + hf7|f8i)

p000200 =hh2|h2i 1 1 2iπ = + e 3 Re(hf2|f0i + hf5|f0i + hf8|f0i + hf0|f1i + hf3|f1i + hf6|f1i + hf1|f2i + hf4|f2i + hf7|f2i 3 9 + hf2|f3i + hf5|f3i + hf8|f3i + hf0|f4i + hf3|f4i + hf6|f4i + hf1|f5i + hf4|f5i + hf7|f5i

+ hf2|f6i + hf5|f6i + hf8|f6i + hf0|f7i + hf3|f7i + hf6|f7i + hf1|f8i + hf4|f8i + hf7|f8i) (B.54) 1 −2iπ + e 3 Re(hf1|f0i + hf4|f0i + hf7|f0i + hf2|f1i + hf5|f1i + hf8|f1i + hf0|f2i + hf3|f2i 9 + hf6f2i + hf1|f3i + hf4|f3i + hf7|f3i + hf2|f4i + hf5|f4i + hf8|f4i + hf0|f5i + hf3|f5i + hf6|f5i

+ hf1|f6i + hf4|f6i + hf7|f6i + hf2|f7i + hf5|f7i + hf8|f7i + hf0|f8i + hf3|f8i + hf6|f8i)

p100000 =hh3|h3i 1 1 = + Re(hf1|f0i + hf2|f0i + hf0|f1i + hf2|f1i + hf0|f2i + hf1|f2i + hf4|f3i + hf5|f3i 3 9 + hf3|f4i + hf5|f4i + hf3|f5i + hf4|f5i + hf7|f6i + hf8|f6i + hf6|f7i + hf8|f7i + hf6|f8i + hf7|f8i) 1 −2iπ + e 3 Re(hf4|f0i + hf5|f0i + hf3|f1i + hf5|f1i + hf3|f2i + hf4|f2i + hf7|f3i + hf8|f3i (B.55) 9 + hf6|f4i + hf8|f4i + hf6|f5i + hf7|f5i + hf1|f6i + hf2|f6i + hf0|f7i + hf2|f7i + hf0|f8i + hf1|f8i) 1 2iπ + e 3 Re(hf7|f0i + hf8|f0i + hf6|f1i + hf8|f1i + hf6|f2i + hf7|f2i + hf1|f3i + hf2|f3i + hf0|f4i 9 + hf2|f4i + hf0|f5i + hf1|f5i + hf4|f6i + hf5|f6i + hf3|f7i + hf5|f7i + hf4|f8i + hf3|f8i 15

p100200 =hh5|h5i 1 1 = + Re(hf5|f0i + hf7|f0i + hf3|f1i + hf8|f1i + hf4|f2i + hf6|f2i + hf1|f3i + hf8|f3i + hf2|f4i + hf6|f4i 3 9 + hf0|f5i + hf7|f5i + hf2|f6i + hf4|f6i + hf0|f7i + hf5|f7i + hf1|f8i + hf3|f8i) 1 −2iπ + e 3 Re(hf1|f0i + hf8|f0i + hf2|f1i + hf6|f1i + hf0|f2i + hf7|f2i + hf2|f3i + hf4|f3i (B.56) 9 + hf0|f4i + hf5|f4i + hf1|f5i + hf3|f5i + hf5|f6i + hf7|f6i + hf3|f7i + hf8|f7i + hf4|f8i + hf6|f8i) 1 2iπ + e 3 Re(hf2|f0i + hf4|f0i + hf0|f1i + hf5|f1i + hf1|f2i + hf3|f2i + hf5|f3i + hf7|f3i + hf3|f4i 9 + hf8|f4i + hf4|f5i + hf6|f5i + hf1|f6i + hf8|f6i + hf2|f7i + hf6|f7i + hf0|f8i + hf7|f8i)

p200000 =hh6|h6i 1 1 = + Re(hf2|f1i + hf5|f3i + hf0|f1i + hf1|f2i + hf4|f3i + hf0|f2i + hf2|f0i + hf5|f4i 3 9 + hf3|f4i + hf1|f0i + hf4|f5i + hf3|f5i + hf7|f6i + hf8|f6i + hf6|f7i + hf6|f8i + hf8|f7i + hf7|f8i) 1 2iπ + e 3 Re(hf1|f6i + hf2|f6i + hf4|f0i + hf5|f0i + hf1|f8i + hf2|f7i + hf3|f1i + hf3|f2i 9 + hf4|f2i + hf5|f1i + hf4|f8i + hf5|f7i + hf6|f4i + hf6|f5i + hf0|f7i + hf7|f3i + hf0|f8i + hf8|f3i) 1 −2iπ + e 3 Re(hf7|f0i + hf8|f0i + hf6|f1i + hf1|f3i + hf6|f2i + hf2|f3i + hf3|f7i + hf3|f8i + hf0|f4i + hf2|f4i 9 + hf0|f5i + hf1|f5i + hf4|f6i + hf5|f6i + hf7|f2i + hf5|f7i + hf8|f1i + hf4|f8i) (B.57)

p200100 =hh7|h7i 1 1 = + Re(hf5|f0i + hf7|f0i + hf3|f1i + hf8|f1i + hf4|f2i + hf6|f2i + hf1|f3i + hf8|f3i + hf2|f4i + hf6|f4i 3 9 + hf0|f5i + hf7|f5i + hf2|f6i + hf4|f6i + hf0|f7i + hf5|f7i + hf1|f8i + hf3|f8i 1 2iπ + e 3 Re(hf1|f0i + hf8|f0i + hf2|f1i + hf6|f1i + hf0|f2i + hf7|f2i + hf2|f3i + hf4|f3i (B.58) 9 + hf0|f4i + hf5|f4i + hf1|f5i + hf3|f5i + hf5|f6i + hf7|f6i + hf3|f7i + hf8|f7i + hf6|f8i + hf4|f8i) 1 −2iπ + e 3 Re(hf2|f0i + hf4|f0i + hf0|f1i + hf5|f1i + hf1|f2i + hf3|f2i + hf5|f3i + hf7|f3i + hf3|f4i 9 + hf8|f4i + hf4|f5i + hf6|f5i + hf1|f6i + hf8|f6i + hf2|f7i + hf6|f7i + hf0|f8i + hf7|f8i)

0 1 0 2 1 2 Using the Cauchy-Schwarz inequality, we may bound the quantity Xφ2 = Re(he0,0|e1,4i) + Re(he0,0|e2,8i) + Re(he1,4|e2,8i) as follows 3 X ≥3 − (p 00 00 + p 00 00 + p 00 00 + p 00 00 + p 00 00 + p 00 00 φ2 2 0 1 0 2 1 0 1 2 2 0 2 1 √ √ √ √ √ √ − ( p001p102 + p011p102 + p021p102 + p001p112 + p011p112 + p021p112 √ √ √ √ √ √ + p001p122 + p011p122 + p021p122 + p001p200 + p011p200 + p021p200 √ √ √ √ √ √ + p001p210 + p011p210 + p021p210 + p001p220 + p011p220 + p021p220 √ √ √ √ √ √ + p002p100 + p012p100 + p022p100 + p002p110 + p012p110 + p022p110 √ √ √ √ √ √ + p002p120 + p012p120 + p022p120 + p002p201 + p012p201 + p022p201 √ √ √ √ √ √ + p002p211 + p012p211 + p022p211 + p002p221 + p012p221 + p022p221 (B.59) √ √ √ √ √ √ + p100p201 + p110p201 + p120p201 + p100p211 + p110p211 + p120p211 √ √ √ √ √ √ + p100p221 + p110p221 + p120p221 + p102p200 + p112p200 + p122p200 √ √ √ √ √ √ + p102p210 + p112p210 + p122p210 + p102p220 + p112p220 + p122p220) √ √ √ √ √ √ − ( p000p101 + p010p101 + p020p101 + p010p111 + p020p111 + p000p121 √ √ √ √ √ √ + p010p121 + p020p121 + p000p202 + p010p202 + p020p202 + p000p212 √ √ √ √ √ √ + p010p212 + p020p212 + p010p222 + p020p222 + p101p202 + p111p202 √ √ √ √ √ √ + p121p202 + p101p212 + p111p212 + p121p212 + p101p222 + p121p222).

References

1. Boyer, M., Kenigsberg, D., Mor, T.: Quantum key distribution with classical Bob. Phys. Rev. Lett. 99, 647 140501 (2007) 16

2. Boyer, M., Gelles, R., Kenigsberg, D., Mor, T.: Semiquantum key distribution. Phys. Rev.A 79, 032341(2009) 3. Zou, X., Qiu, D., Li, L., Wu, L., Li, L.: Semiquantum-key distribution using less than four quantum states. Phys. Rev. A 79, 052312 (2009) 4. Krawec, W. O.: Restricted attacks on semi-quantum key distribution protocols. Quantum Inf. Process. 13, 2417-2436 (2014) 5. Wang, J., Zhang, S., Zhang, Q., Tang, C.: Semiquantum key distribution using entangled states. Chin. Phys. Lett. 28, 100301 (2011) 6. Hua, L., Cai, Q. Y.: Quantum key distribution with classical alice. Int. J. Quantum Inf. 6, 1195-1202 (2008) 7. Zou, X., Qiu, D., Zhang, S., Mateus, P.: Semiquantum key distribution without invoking the classical party’s measurement capability. Quantum Inf. Process. 14, 2981-2996 (2015) 8. Devetak, I., Winter, A.: Distillation of secret key and entanglement from quantum states. Proc. R. Soc. A: Math., Phys. Eng. Sci. 461 (2005) 9. Renner, R., Gisin, N., Kraus, B.: Information-theoretic security proof for quantum-key-distribution protocols. Phys. Rev. A, 72, 012332(2005) 10. Yu, K. F., Yang, C. W., Liao, C. H., Hwang, T.: Authenticated semi-quantum key distribution protocol using bell states. Quantum Inf. Process. 13, 1457-1465 (2014) 11. Krawec, W. O. Security proof of a semi-quantum key distribution protocol. IEEE International Symposium on Information Theory (ISIT). IEEE, 686-690(2015) 12. Zhang, W., Qiu, D.: A single-state semi-quantum key distribution protocol and its security proof. arXiv:1612.03087[quant- ph] (2016) 13. Krawec, W. O.: Quantum key distribution with mismatched measurements over arbitrary channels. Quantum Inf. Comput. 16 (2017) 14. Shukla, C., Thapliyal, K., Pathak, A.: Semi-quantum communication: Protocols for key agreement, controlled secure direct communication and dialogue. Quantum Inf. Process. 13, 1457-1465 (2014) 15. Zou, X., Qiu, D.: Three-step semiquantum secure direct communication protocol. Sci. Phys. Mech. Astron. 57 (2014) 16. Luo, Y.P., Hwang, T.: Authenticated Semi-quantum Direct Communication Protocols using Bell States. Quantum Inf. Process. 15, 947-958 (2016) 17. Yang, C.W., Hwang, T.: Efficient key construction on semi-quantum secret sharing protocols. Int. J. Quantum Inf. 11(05), 1350052 (2013) 18. Li, Q., Chan, W.H., Long, D.Y.: Semiquantum secret sharing using entangled states. Phys. Rev. A 82, 022303 (2010) 19. Yu, K.F., Gu, J., Hwang, T., Gope, P.: Multi-party semi-quantum key distribution convertible multi-party semi-quantum secret sharing. Quantum Inf. Process. 16, 194 (2017) 20. Thapliyal, K., Sharma, R.D., Pathak, A.: Orthogonal-state-based and semi-quantum protocols for quantum private com- parison in noisy environment. Int. J. Quantum Inf. 16, 1850047 (2018) 21. Chou,W.H., Hwang, T., Gu, J.: Semi-quantum private comparison protocol under an almost-dishonest third party. arXiv:quant-ph/1607.07961 (2016) 22. Yan-Feng, L.: Semi-quantum private comparison using single . Int. J. Theor. Phys. 57, 3048-3055 (2018) 23. Br´adler,K., Mirhosseini, M., Fickler, R., Broadbent, A., Boyd, R.: Finite-key security analysis for multilevel quantum key distribution. New J. Phys. 18, 073030 (2016) 24. Christandl,M., K¨onig,R., Renner, R.: Postselection technique for quantum channels with applications to quantum cryp- tography. Phys. Rev. Lett. 102, 020504 (2009) 25. Renner, R.: Symmetry of large physical systems implies independence of subsystems. Nat. Phys. 3, 645-649 (2007) 26. Scarani, V., Bechmann-Pasquinucci, H., Cerf, N.J., Duˇsek,M.,L¨utkenhaus, N., Peev,M.: The security of practical quantum key distribution. Rev. Mod. Phys. 81, 1301-1350 (2009) 27. Christandl, M., Renner, R.: . A Generic Security Proof for Quantum Key Distribution. ArXiv preprint quant- ph/0402131 (2004) 28. Bechmann-Pasquinucci, H., Peres, A.: Quantum Cryptography with 3-State Systems. Phys. Rev. Lett. 85, 3313-3316 (2000) 29. Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. Inroceedings of IEEE Inter- national Conference on Computers. Systems and Signal Processing, pp.175-179. IEEE, (1984) 30. Nielsen, M.A., Chuang, I.L.: Quantum Computation and Quantum Information: 10th Anniversary Edition, 10th edn. Cambridge University Press, Cambridge (2011) 31. Bouchard, F., Heshami, K., England, D., Fickler, R., Boyd, R.W., Englert, B.G., S´anchez-Soto, L.L., Karimi, E.: Experi- mental investigation of high-dimensional quantum key distribution protocols with twisted photons. Quantum 2, 111 (2018). 32. Cui, Z.X., Zhong, W., Zhou, L., Sheng, Y.B.: Measurement-device-independent quantum key distribution with hyper- encoding. Sci. China Phys. Mech. Astron. 62(11), 110311 (2019) 33. Peres, A.: Quantum Theory: Concepts and Methods, vol. 57. Springer, Berlin (2006) 34. Wang, Y., Hu, Z., Sanders, B.C., Kais, S.: Qudits and high-dimensional quantum computing. arXiv preprint arXiv:2008.00959 (2020)