A Two-way QKD Protocol Outperforming One-way Protocols at Low QBER

SLIDE 1

A Two-way QKD Protocol Outperforming One-way Protocols at Low QBER

Jari Lietzén, Roope Vehkalahti, Olav Tirkkonen

Department of Communications and Networking 8.6.2020

SLIDE 2

2PPR

  • J. Lietzén

2/28

Content

◮ Basics of Quantum Key Distribution protocols
◮ Contribution of our paper
◮ System model
◮ BB84 QKD Protocol
◮ Classical channel model for information reconciliation
◮ One-way protocols
◮ Two-way protocols
◮ One-way QKD protocol by Lütkenhaus
◮ Key rate bounds for one-way and two-way protocols
◮ Two-way Protocol with Parity Bit Reconciliation
◮ Numerical performance analysis
◮ Conclusions

SLIDE 3

Basics of Quantum Key Distribution protocols

Quantum key distribution (QKD)

◮ Generate keys of a priori unknown bits in absolute security
◮ Security is guaranteed by laws of nature, not hypothesis on problem hardness
◮ QKD is used to generate and distribute a secret key, not to transmit any message data
◮ Alice and Bob want to share a secret key
◮ Eve is an eavesdropper

SLIDE 4

Contribution of our paper

We consider a QKD system where the eavesdropper can only perform individual quantum attacks. We are working on top of the QKD system using only classical random variables.

Under this assumption we introduce our new two-way QKD protocol that is able to outperform all known two-way QKD protocols at low quantum bit error rate (QBER) values. The secret key rate of our protocol is higher than the information theoretical bound limiting the performance of any one-way protocol.

SLIDE 5

System model

[Diagram: Alice and Bob connected by a public channel and a quantum channel]

◮ Alice and Bob are using the classical Bennett and Brassard QKD protocol (BB84)
◮ Quantum channel is imperfect but we can detect eavesdropping attempts
◮ Public channel is authenticated and error free, but the content is available to Eve

SLIDE 6

BB84 QKD Protocol

◮ Alice measures the polarization of n photons in a randomly selected basis ({↕, ↔} or {⤢, ⤡}) and sends the photons to Bob
◮ Bob measures the polarization of the received photons, also in a random basis
  ◮ Same basis ⇒ same result; different basis ⇒ random result
◮ Alice and Bob compare the bases they have chosen and discard the measurements that were done in different bases; this is called the sifting phase
◮ Eve will perform a quantum attack on the transmitted photons
◮ Eve is assumed to attack each photon individually and always by the same method
◮ After Eve’s measurement the system is modelled in terms of classical random variables and a probability density function (pdf) p(X, Y, Z), where Z represents Eve’s measurement results and possible side information

SLIDE 7

Classical channel model for information reconciliation

Throughout we assume that X is the random vector Alice has, Y is Bob’s vector and Z is Eve’s. Furthermore

◮ Eve knows perfectly the probability density function p(X, Y, Z), and
◮ for every realization of x and y Eve knows the locations of errors in Bob’s word y.

Eve’s information of X can now be measured in terms of collision probability between X and Z. At the beginning of the algorithm Alice and Bob know the transition probability p and an upper bound ($p_{col}$) for the average bit collision probability.

SLIDE 8

Classical channel model for information reconciliation, continued

The related finite valued length n random vectors X, Y and Z satisfy the following conditions.

  1. X is a random vector with i.i.d. binary random variables with equal probabilities for 1 and 0.
  2. Random vector Y corresponds to X received through a binary symmetric channel (BSC) with transition probability p.
  3. Random vector Z is a sequence of independent identical random variables and for every x and z, $p(x|z) = \prod_{i=1}^{n} p(x_i|z_i)$.

If these random vectors represent the vectors after sifting, then Condition 2 follows from Eve’s attacks being symmetric and Condition 3 from the attacks being individual.

SLIDE 9

One-way protocols

A one-way protocol takes Alice’s bit string as a raw key and the differences in Bob’s bit string are corrected as the protocol is run. In principle, only one-way communication is needed for error correction and key distillation in these protocols. At the beginning Alice has a length n bit vector x and Bob has an erroneous version y.

◮ Alice and Bob communicate through the public channel and try to correct the errors in Bob’s vector y
◮ Eve can listen to, but not alter, this communication
◮ After the error correction Bob’s codeword can be modelled as a random vector Y′, where $P(X \neq Y') < \epsilon$, for some predetermined $\epsilon$
◮ Alice and Bob can now estimate how much information Eve has of X

SLIDE 10

One-way protocols, continued

◮ Alice and Bob use a randomly selected 2-universal hash function to map their vectors x and y′ to length $n_{fin}$ bit-vectors k and k′
◮ The probability density function is now p′(K, K′, Z′), where Z′ represents Eve’s original random variable Z and all the additional data she has managed to acquire
◮ The one-way protocol achieves a key rate R if for every $\epsilon$ we can find $n(\epsilon)$ so that for all $n > n(\epsilon)$ we have that
  ◮ $P(K \neq K') < \epsilon$,
  ◮ $I(K; Z') < \epsilon$, and
  ◮ $n_{fin}/n \geq R - \epsilon$.

SLIDE 11

Two-way protocols

The secret key rate of a two-way protocol is defined similarly, but the process does not begin with an error correction phase.

◮ Alice and Bob use two-way classical communication and simply agree on key words k and k′
◮ The corresponding random variables satisfy
  ◮ $P(K \neq K') < \epsilon$,
  ◮ $I(K; Z') < \epsilon$, and
  ◮ $I(K'; Z') < \epsilon$.

SLIDE 12

One-way QKD protocol by Lütkenhaus

◮ We are using the one-way protocol presented by Lütkenhaus 1) as part of our new two-way protocol
◮ The protocol was originally presented as a standalone one-way protocol to be performed after the sifting phase.
◮ Lütkenhaus presented his one-way error correction and privacy amplification protocol in 1999.

1) N. Lütkenhaus, "Estimates for practical quantum cryptography," Phys. Rev. A, vol. 59, pp. 3301-3319, May 1999.

SLIDE 13

One-way QKD protocol: Secret key rate

The protocol here is not about key generation but about key growing. The long term achievable key rate is measured by taking into account how much previously generated key we are using when generating new key. After the error correction phase we have to reduce Eve’s information of the corrected key to at most 1 bit by selecting

$$n_{fin} = -n \log_2(p_{col}). \tag{1}$$

The achievable secret key rate now becomes

$$R_0 \geq -\log_2(p_{col}) - h(p), \tag{2}$$

where the term h(p) describes the amount of previously generated key the protocol consumes.

SLIDE 14

Key rate bounds for one-way and two-way protocols

◮ The key rate of all one-way protocols is upper bounded by a general information theoretic bound
◮ One B-step from Gottesman and Lo 2) is shown for comparison, under individual attack model
◮ As far as we know, no two-way protocol exists that would break the one-way bound for low QBER values, e.g. below 10%.

[Figure: key rate versus error rate; curves: One-way bound, GL B-step, One-way limit, Two-way limit]

2) D. Gottesman and H.-K. Lo, "Proof of security of quantum key distribution with two-way classical communications," IEEE Transactions on Information Theory, vol. 49, no. 2, pp. 457-475, Feb 2003.

SLIDE 15

Two-way Protocol with Parity Bit Reconciliation

The novel Two-way Protocol with Parity bit Reconciliation (2PPR) uses a secrecy distillation method to select the portions of the sifted bits with fewer errors. The secret key is collected from parity bits and not from Alice’s original string. The protocol is run for several rounds, each round consisting of the steps illustrated on the next slides.

SLIDE 16

2PPR: Step 1

[Diagram: Alice’s and Bob’s sifted bits (length $f_{in}$, with $p_{in}$ and $x_{in}$) and the parity bits computed from them]

◮ Bit strings of length $f_{in}$ are divided into two-bit blocks
◮ Initial error ($p_{in}$) and collision ($x_{in}$) probabilities are known
◮ Alice and Bob calculate parity bits

SLIDE 17

2PPR: Step 2

[Diagram: sifted bits and parity bits of Alice and Bob; redundancy bits, protected by OTP, sent from Alice to Bob; labels $f_{in}$, $p_{in}$, $x_{in}$, $p_{par}$]

◮ Alice calculates parity bit error probability $p_{par}$
◮ Alice sends Bob redundancy bits over the public channel
◮ Redundancy bits are encrypted using one-time pad (OTP)

SLIDE 18

2PPR: Step 3

[Diagram: sifted bits, parity bits and Bob’s corrected parity bits; OTP-protected redundancy bits; label $p_{par}$]

◮ Bob uses redundancy bits to correct his parity bits

SLIDE 19

2PPR: Step 4

[Diagram: parity bits, corrected parity bits and Bob’s sifted bits; OTP-protected redundancy bits; label $p_{par}$]

◮ Bob uses corrected parity bits to locate erroneous blocks

SLIDE 20

2PPR: Step 5

[Diagram: parity bits, corrected parity bits and the sifted bits of Alice and Bob; OTP-protected redundancy bits; label $p_{par}$]

◮ Bob tells Alice the locations of erroneous blocks over the public channel
◮ Alice and Bob remove the erroneous blocks
◮ It was assumed at the beginning that Eve already knows the locations of errors in Bob’s string, so Eve does not gain any new information

SLIDE 21

2PPR: Step 6

[Diagram: secret bits taken from the parity bits on Alice’s and Bob’s side; label $x_{in}$]

◮ Error corrected parity bits are used as secret key bits
◮ Eve’s knowledge about the secret key bits is removed by using privacy amplification (collision probability $x_{in}$)

SLIDE 22

2PPR: Step 7

[Diagram: remaining bits of Alice and Bob; select randomly, but jointly, one bit from each block]

◮ From the remaining bits, Alice and Bob select randomly, but jointly, one bit from each block
◮ The other bit from each block is discarded

SLIDE 23

2PPR: Step 8

[Diagram: remaining bits; one bit selected randomly, but jointly, from each block; bits to next round with $f_{out}$, $p_{out}$, $x_{out}$]

◮ $f_{out}$ bits are forwarded to the next protocol round
◮ The error ($p_{out}$) and collision ($x_{out}$) probabilities are calculated
◮ The $p_{out}$ and $x_{out}$ are used as input parameters $p_{in}$ and $x_{in}$ for the next protocol round
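
One 2PPR round (Steps 1 to 8) simulated on classical bits, as an added example that is not taken from the slides or the paper. It assumes the parity correction of Steps 2 and 3 is ideal (Bob ends up with Alice's parity bits), leaves out privacy amplification and the collision probabilities, and compares the measured error rates with the closed forms 2p(1-p) and p²/(p²+(1-p)²) that follow from the BSC model; all function names are hypothetical.

```python
import random

def parity_error_prob(p):
    """P(Alice's and Bob's block parities differ) over a BSC(p): exactly one flip."""
    return 2 * p * (1 - p)

def forwarded_error_prob(p):
    """P(a forwarded bit is wrong), given its block had 0 or 2 flips and was kept."""
    return p * p / (p * p + (1 - p) * (1 - p))

def run_round(alice, bob, rng):
    """One 2PPR round (Steps 1-8) on sifted bits; returns key, next strings, p_par."""
    n_blocks = len(alice) // 2
    key, next_a, next_b, removed = [], [], [], 0
    for i in range(n_blocks):
        a0, a1 = alice[2 * i], alice[2 * i + 1]
        b0, b1 = bob[2 * i], bob[2 * i + 1]
        par_a, par_b = a0 ^ a1, b0 ^ b1      # Step 1: block parities
        corrected = par_a                    # Steps 2-3 (assumed ideal correction)
        key.append(corrected)                # Step 6: raw key, before privacy amplification
        if par_b != corrected:               # Step 4: Bob locates an erroneous block
            removed += 1                     # Step 5: both sides drop the block
            continue
        pick = rng.randrange(2)              # Step 7: jointly chosen position
        next_a.append((a0, a1)[pick])        # Step 8: forwarded to the next round
        next_b.append((b0, b1)[pick])
    return key, next_a, next_b, removed / n_blocks

def simulate(n_bits, p, seed=1):
    """Constructed input: uniform random X, Y = X through a BSC(p)."""
    rng = random.Random(seed)
    alice = [rng.getrandbits(1) for _ in range(n_bits)]
    bob = [a ^ (rng.random() < p) for a in alice]
    key, next_a, next_b, p_par_hat = run_round(alice, bob, rng)
    p_out_hat = sum(a != b for a, b in zip(next_a, next_b)) / len(next_a)
    return len(key), len(next_a), p_par_hat, p_out_hat

if __name__ == "__main__":
    p = 0.10
    k, f_out, p_par_hat, p_out_hat = simulate(200_000, p)
    print(f"key bits {k}, forwarded bits {f_out}")
    print(f"p_par measured {p_par_hat:.4f} vs {parity_error_prob(p):.4f}")
    print(f"p_out measured {p_out_hat:.4f} vs {forwarded_error_prob(p):.4f}")
```

Feeding the forwarded strings back into `run_round` reproduces the recursion over rounds for the error probability; the collision probabilities needed for the key rate depend on Eve's attack model and are not modelled here.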

SLIDE 24

Two-way Protocol with Parity Bit Reconciliation, continued

◮ We use the knowledge that the parity bits between Alice and Bob are strongly correlated and Alice only sends sufficient information to Bob that he can correct his parity bits
◮ This data is transmitted through the public channel secretly by using secret key from previous rounds
◮ The secret key is collected from the error corrected parity bits and not from Alice’s original string
◮ In each round we are applying the one-way protocol of Lütkenhaus to reconcile the parity bits
◮ The final secret key is then a concatenation of the parity bits collected in each round

SLIDE 25

2PPR: Secret key rate

During n rounds, the 2PPR protocol asymptotically achieves secret key rate

$$R = \sum_{j=1}^{n} (f_{in}^{j}/2)\, \max\left\{ -\log_2(x_{par}^{j}) - h(p_{par}^{j}),\ 0 \right\}. \tag{3}$$

Here the cost of privacy amplification $\log_2(x_{par}^{j})$ and cost of error correction $h(p_{par}^{j})$ are based on collecting the secret key from the parity bits.

SLIDE 26

Numerical performance analysis

The key rate function of 2PPR does not allow easy analytic analysis due to its recursive nature. We have evaluated the performance of the 2PPR protocol by using numeric methods. For a given QBER, and the number of rounds, the recursion can be computed.

The 2PPR protocol

◮ is giving a positive key rate up to approximately 19.09% QBER,
◮ outperforms the theoretical upper bound for one-way protocols under the assumption of individual quantum attacks, and
◮ can maintain higher key rate at low QBER values than any other two-way protocol.

SLIDE 27

Numerical performance analysis, continued

Watanabe et al. 3) demonstrated that a two-way protocol can achieve higher key rate than the best one-way protocol even under coherent quantum attacks. However, this protocol is not able to break the theoretical one-way protocol bound, while our 2PPR protocol outperforms the one-way bound.

[Figure: key rate versus error rate; curves: 2PPR, One-way bound, Watanabe et al., One-way limit, Two-way limit]

3) S. Watanabe, R. Matsumoto, T. Uyematsu, and Y. Kawano, "Key rate of quantum key distribution with hashed two-way classical communication," Phys. Rev. A, vol. 76, p. 032312, Sep. 2007.

SLIDE 28

Conclusions

It has already been shown that a two-way protocol can reach higher QBER values than the one-way protocols. However, the key rates have been only on a modest level and usually below the rates achieved by using one-way protocols. We have shown that our two-way protocol 2PPR can outperform the information theoretic bound limiting all one-way protocols.