
BB84 protocol was introduced in Bennett and Brassard’s seminal paper in 1984 [BB84].

Later on, many papers [SP00,KP03,Ren05,Koa09,TL17] analyzed the security of BB84.

However, the descriptions of the BB84 protocol in these papers differ slightly. For example, [KP03, Koa09] require that the error syndrome for information reconciliation be encrypted, while [SP00, Ren05, TL17] do not require it. For clarity, we introduce the BB84 protocol in this section, and the security proof will follow the description and notation of this section.

The BB84 protocol is composed of three stages: state preparation (SP), parameter estimation (PE), and information reconciliation and privacy amplification (IP).

State Preparation In the SP stage, Alice sends one of the qubits |0⟩, |1⟩, |+⟩, |−⟩ uniformly at random. Since Bob does not know which state Alice sent, he measures each received qubit in the Z basis or the X basis, each with probability 1/2. Precisely, Alice uniformly chooses a random string sA ∈ {0, 1}^{(4+η)n} for the bit values and another random string hA ∈ {0, 1}^{(4+η)n} for the bases that she encodes. Then, she sends (4 + η)n qubits in the state H^{hA} X^{sA} |0⟩^{⊗(4+η)n}.

Bob also uniformly chooses a random string hB ∈ {0, 1}^{(4+η)n} for the bases that he measures. The (4 + η)n-bit measurement result is denoted by sB, where sB[i] = 0 represents |0⟩ or |+⟩ and sB[i] = 1 represents |1⟩ or |−⟩. After Bob has measured all (4 + η)n qubits, he announces this fact. This step is crucial, since parameter estimation must not start until the SP stage has ended.

Parameter Estimation The goal of the PE stage is to estimate the disturbance caused by a potential adversary. Conceptually, Alice and Bob randomly choose a subset of the qubits and compare the results publicly. However, if Bob chooses a basis different from the one Alice encoded in, the measurement result will be uniformly random. In this case, the result is not faithful and gives no information about the disturbance. Therefore, they only keep those qubits that were encoded and measured in the same basis. This step is known as sifting. To do it, Alice announces the bases hA. Then, Bob computes the indices at which they used the same basis; that is, the set

T0 = {i ∈ [(4 + η)n] : hA[i] = hB[i]}.

To make the final key long enough, they abort the protocol if |T0| < 2n. This is the reason why Alice sends (4 + η)n qubits rather than 4n qubits. With these extra ηn qubits, the probability of |T0| < 2n is negligible.

When the protocol is aborted, they set the flag register F in the state |rej⟩⟨rej| and their key registers in the state |⊥⟩⟨⊥|. The final output is KA = ⊥ and KB = ⊥, and they restart the protocol. Note that by “Alice and Bob abort the protocol” we mean “they abort this round of communication.” They discard the quantum and classical information they have already shared and the local randomness they have generated. Then, they restart from the beginning of the protocol.

If |T0| ≥ 2n, Bob randomly chooses a subset Tsift ⊆ T0 such that |Tsift| = 2n and announces it to notify Alice which qubits were encoded and measured in the same basis. They perform the random sampling test among these 2n qubits. Alice randomly chooses a subset Tcheck ⊂ Tsift such that |Tcheck| = n. She announces Tcheck and sA[i] for all i ∈ Tcheck. With this information, Bob can calculate the number of disagreements db. Because the qubits in Tsift were encoded and measured in the same basis, there should not be any disagreement if the channel has no disturbance. Consequently, db gives an estimate of the disturbance of the channel.

Information Reconciliation and Privacy Amplification The goal of information reconciliation is to make Alice and Bob share the same string. To simplify the security proof, we realize information reconciliation by a random linear code, as introduced in Section 2.5. However, any other method that achieves this goal with a security guarantee can be applied in the QKD protocol.

Let Tdata = Tsift \ Tcheck = {t1, · · · , tn} be the set of indices that are not used in the random sampling test. We define sA,data = sA[t1] ∥ · · · ∥ sA[tn] and sB,data = sB[t1] ∥ · · · ∥ sB[tn] to be Alice’s and Bob’s raw keys before information reconciliation. Alice sets kA,IR = sA,data as her reconciliated key.

Alice chooses a parameter mIR. She runs the algorithm . (kA,IR, mIR) and gets a matrix HIR and the syndrome r. She announces HIR and r. With the matrix HIR and the error syndrome r, Bob sets his reconciliated key kB,IR = . (sB,data, HIR, r). From Section 2.5, we know that kB,IR will equal kA,IR with high probability.

Because Eve may have some partial information about kA,IR and kB,IR, the goal of privacy amplification is to reduce Eve’s information. To achieve this goal, Alice chooses a parameter mPA and sets ℓfin = n − mIR − mPA. Then, she randomly chooses a full-rank ℓfin-by-n matrix Hfin such that the rows of Hfin are linearly independent of the rows of HIR. She announces Hfin.

Finally, Alice and Bob compute their own final keys kA,fin = Hfin kA,IR and kB,fin = Hfin kB,IR, respectively. The output of the BB84 protocol is KA = kA,fin and KB = kB,fin.

The BB84 protocol is summarized as follows.

BB84 Protocol Alice and Bob agree on a security parameter n.

State Preparation

SP1 Alice randomly generates two strings sA, hA ∈ {0, 1}^{(4+η)n}. Bob randomly generates a string hB ∈ {0, 1}^{(4+η)n}.

SP2 Alice sends (4 + η)n qubits to Bob through the quantum channel, where the i-th qubit is in the state H^{hA[i]} X^{sA[i]} |0⟩.

SP3 When receiving the i-th qubit, Bob measures it in the Z basis if hB[i] = 0 and in the X basis if hB[i] = 1. Bob records the measurement results. Let sB ∈ {0, 1}^{(4+η)n} denote Bob’s measurement results.

SP4 After all the measurements, Bob announces the fact that he is done.

Parameter Estimation

PE1 Alice announces hA.

PE2 Bob calculates the set T0 = {i ∈ [(4 + η)n] : hA[i] = hB[i]}. If |T0| < 2n, they abort the protocol. Otherwise, Bob randomly chooses a subset Tsift ⊆ T0 such that |Tsift| = 2n. Bob announces Tsift.

PE3 Alice randomly chooses a subset Tcheck ⊂ Tsift such that |Tcheck| = n. She announces Tcheck.

PE4 Alice announces sA[i] for all i ∈ Tcheck.

PE5 Bob calculates the number db of disagreements sA[i] ≠ sB[i] over all i ∈ Tcheck. Let eb = db/n. If eb ≥ δth, they abort the protocol. Otherwise, the protocol proceeds.

Information Reconciliation and Privacy Amplification

IP1 Let Tdata = Tsift \ Tcheck. Alice sets kA,IR = sA,data as her reconciliated key.

IP2 Alice runs the algorithm . (kA,IR, mIR) and gets a matrix HIR and the syndrome r. Let CIR be the linear code corresponding to HIR. She announces HIR and r.

IP3 With HIR and r, Bob computes his reconciliated key kB,IR = . (sB,data, HIR, r).

IP4 Alice randomly chooses a full-rank ℓfin-by-n matrix Hfin such that the rows of Hfin are linearly independent of the rows of HIR. She announces Hfin.

IP5 Alice and Bob compute their own final keys kA,fin = Hfin kA,IR and kB,fin = Hfin kB,IR, respectively.

The final output of the BB84 protocol is KA = kA,fin and KB = kB,fin.
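The protocol summarized above, as an added classical simulation (not code from the thesis): it runs SP, sifting and the random sampling test with threshold δth, information reconciliation with a random linear code, and privacy amplification with Hfin chosen independent of the rows of HIR. It assumes ηn is passed as an integer, a bit-flip channel standing in for the disturbance Eve may cause, and brute-force minimum-weight decoding in place of the Section 2.5 algorithm, so n must stay small.

```python
import random

def gf2_rank(rows):
    """Rank over GF(2) of a list of row bitmasks, by repeated pivot elimination."""
    rows, rank = list(rows), 0
    while rows and max(rows):
        pivot = max(rows)
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if r >> top & 1 else r for r in rows if r != pivot]
        rank += 1
    return rank

def matvec(H, x):
    """H x over GF(2): row i of H and x are bitmasks; bit i of the result is the parity of row_i & x."""
    return sum((bin(row & x).count("1") & 1) << i for i, row in enumerate(H))

def full_rank_matrix(m, n, rng, fixed_rows=()):
    """Random m-by-n binary matrix whose rows, together with fixed_rows, are linearly independent."""
    while True:
        H = [rng.getrandbits(n) for _ in range(m)]
        if gf2_rank(list(fixed_rows) + H) == len(fixed_rows) + m:
            return H

def reconcile(s_b, H_ir, r, n):
    """Bob's side of IP3. Assumption: brute-force minimum-weight decoding stands in for the
    Section 2.5 algorithm (small n only): find the lightest e with H_ir (s_b ^ e) = r."""
    target = matvec(H_ir, s_b) ^ r
    e = min((e for e in range(1 << n) if matvec(H_ir, e) == target),
            key=lambda e: bin(e).count("1"))
    return s_b ^ e

def bb84_round(n, eta_n, m_ir, m_pa, delta_th, flip_prob, seed):
    """One round of the BB84 protocol summarized above. The channel flips each same-basis bit
    with probability flip_prob (a constructed disturbance model). Returns (status, K_A, K_B)."""
    rng = random.Random(seed)
    N = 4 * n + eta_n                              # (4 + eta) n qubits; eta*n passed as an integer
    # SP1: Alice's bit values s_A and bases h_A, Bob's bases h_B, all uniform
    s_a, h_a, h_b = ([rng.getrandbits(1) for _ in range(N)] for _ in range(3))
    # SP2-SP3: same basis -> Alice's bit up to channel disturbance; different basis -> uniform bit
    s_b = [s_a[i] ^ (rng.random() < flip_prob) if h_a[i] == h_b[i] else rng.getrandbits(1)
           for i in range(N)]
    # PE1-PE2: sifting; abort if fewer than 2n positions share a basis
    T0 = [i for i in range(N) if h_a[i] == h_b[i]]
    if len(T0) < 2 * n:
        return "abort_sift", None, None
    T_sift = sorted(rng.sample(T0, 2 * n))
    # PE3-PE5: random sampling test on n check positions; abort if e_b = d_b / n >= delta_th
    T_check = set(rng.sample(T_sift, n))
    d_b = sum(s_a[i] != s_b[i] for i in T_check)
    if d_b / n >= delta_th:
        return "abort_pe", None, None
    T_data = [i for i in T_sift if i not in T_check]
    k_a_ir = sum(s_a[i] << j for j, i in enumerate(T_data))      # IP1: k_{A,IR} = s_{A,data}
    s_b_data = sum(s_b[i] << j for j, i in enumerate(T_data))
    # IP2-IP3: Alice announces H_IR and the syndrome r; Bob corrects his string towards Alice's
    H_ir = full_rank_matrix(m_ir, n, rng)
    r = matvec(H_ir, k_a_ir)
    k_b_ir = reconcile(s_b_data, H_ir, r, n)
    # IP4-IP5: H_fin has full rank and rows independent of those of H_IR; final keys are H_fin k
    H_fin = full_rank_matrix(n - m_ir - m_pa, n, rng, fixed_rows=H_ir)
    return "ok", matvec(H_fin, k_a_ir), matvec(H_fin, k_b_ir)
```

With flip_prob = 0 every round that survives sifting ends with KA = KB; with flip_prob = 1 every such round is caught by the sampling test and aborts at PE5.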

Chapter 4

A Complete Proof of BB84

In this chapter, we give a complete proof of BB84 by the complementarity argument. An important feature of this argument is that we argue correctness and secrecy separately.

In Section 4.1, we reduce the security of BB84 to an entanglement-based protocol, Hybrid Protocol 5, which is easier to analyze. Then, we analyze parameter estimation in Section 4.2. There, we obtain the correctness of Hybrid Protocol 5 and a guarantee about the X measurement outcomes, which plays a crucial role in the next section.

Section 4.3 is the core of the proof, where we show the secrecy of 5. In Section 4.3.1, we reduce the secrecy of 5 to a complementary protocol 1. In 1, Bob measures his system in the X basis, so he will not get a valid key in the end. Thus, correctness does not hold in 1 and we only have the guarantee of secrecy. Then, we reduce the secrecy of 1 to 5, which is easier to analyze. In Section 4.3.2, we show the secrecy of 5.

Finally, we obtain the composable security of BB84 by combining correctness and secrecy in Section 4.4.

4.1 Reduction to A Virtual Protocol

In this section, we introduce five hybrid protocols. The goal of this section is to reduce the security of BB84 to an entanglement-based protocol, Hybrid Protocol 5. To paraphrase, if we can show that Hybrid Protocol 5 is ϵ-secure, then BB84 is also ϵ-secure due to the reduction.

Hybrid Protocol 1: Alice prepares the state by EPR pairs. In BB84, Alice generates sA, hA ∈ {0, 1}^{(4+η)n} first and sends qubits in {|0⟩, |1⟩, |+⟩, |−⟩} according to sA and hA. In Hybrid Protocol 1, Alice generates hA ∈ {0, 1}^{(4+η)n} and (4 + η)n EPR pairs |Φ+⟩ = (1/√2)(|00⟩ + |11⟩). She applies Hadamard gates to the second qubits of the EPR pairs according to hA. Then, she measures the first qubits of the EPR pairs in the Z basis and gets the measurement outcome sA.

Hybrid Protocol 1

State Preparation

SP1 Alice randomly generates a (4 + η)n-bit string hA ∈ {0, 1}^{(4+η)n}. Bob also randomly generates a (4 + η)n-bit string hB ∈ {0, 1}^{(4+η)n}.

SP2 Alice prepares the state |Φ+⟩^{⊗(4+η)n}, where |Φ+⟩ = (1/√2)(|00⟩ + |11⟩). She applies Hadamard gates to the second qubits of the EPR pairs according to hA, that is, (I ⊗ H)^{hA} |Φ+⟩^{⊗(4+η)n}.

SP3 For all i ∈ {1, · · · , (4 + η)n}, Alice measures the first qubit of the i-th EPR pair in the Z basis and sends the second qubit of each EPR pair to Bob. Let sA ∈ {0, 1}^{(4+η)n} be the measurement outcomes.

SP4 After receiving the (4 + η)n qubits, Bob applies Hadamard gates to these qubits according to hB. Then, he measures all (4 + η)n qubits in the Z basis. Let sB ∈ {0, 1}^{(4+η)n} be the measurement outcomes.

SP5 After all measurements, Bob announces the fact that he is done.

Parameter Estimation

PE1 to PE5 are the same as in BB84.

Information Reconciliation and Privacy Amplification IP1 to IP5 are the same as in BB84.

Lemma 4.1. BB84 and Hybrid Protocol 1 are equivalent.

Proof. First note that applying a Hadamard gate before a Z measurement is the same as directly performing an X measurement. In quantum circuit notation, a wire that passes through H and then into a Z measurement equals a wire that goes directly into an X measurement.

If we measure an EPR pair in the Z basis, the result will be Z = 1 with probability 1/2 and Z = −1 with probability 1/2. The same holds for the X basis. Thus, the distribution of the binary string sA in Hybrid Protocol 1 is the same as that of sA in BB84.

In Hybrid Protocol 1, for all i ∈ {1, · · · , (4 + η)n}, the post-measurement state of the second qubit of the i-th EPR pair is H^{hA[i]} X^{sA[i]} |0⟩. Thus, the state that Alice sends through the quantum channel at SP3 in Hybrid Protocol 1 is exactly the same as in BB84. Because Alice actually prepares the same states in both protocols and all the other steps are the same, the two protocols are equivalent.

Hybrid Protocol 2: Alice defers her measurement. In Hybrid Protocol 1, Alice measures each EPR pair before sending its second qubit to Bob. In Hybrid Protocol 2, Alice defers the measurement until after Bob has received the qubits.

Hybrid Protocol 2

State Preparation

SP1 and SP2 are the same as in Hybrid Protocol 1.

SP3 Alice does not measure EPR pairs. Instead, she directly sends the second qubit of each EPR pair to Bob.

SP4 After receiving the (4 + η)n qubits, Bob applies Hadamard gates to these qubits according to hB. Then, he measures all (4 + η)n qubits in the Z basis. Let sB ∈ {0, 1}^{(4+η)n} be the measurement outcomes.

SP5 After the measurements, Bob announces the fact that he is done.

SP6 Alice measures all of her remaining system in the Z basis. Let sA ∈ {0, 1}^{(4+η)n} be the measurement outcomes.

Parameter Estimation

PE1 to PE5 are the same as in Hybrid Protocol 1.

Information Reconciliation and Privacy Amplification IP1 to IP5 are the same as in Hybrid Protocol 1.

Lemma 4.2. Hybrid Protocol 1 and Hybrid Protocol 2 are equivalent.

Proof. Because Eve has no access to Alice’s system, Alice’s measurement operator commutes with Eve’s unitary operators and measurement operators. Thus, in the equivalence game, the distinguisher D cannot tell when Alice measures the first qubits of the EPR pairs. Therefore, the two protocols are equivalent.

Hybrid Protocol 3: Alice announces the bases she used. Alice and Bob now share the EPR pairs. Because Bob can store the received qubits in his quantum memory and measure them after Alice announces her bases, he does not have to “guess” the bases. Thus, in the new protocol, Hybrid Protocol 3, Bob neither applies Hadamard gates nor measures the qubits in the SP stage. Instead, after Alice announces hA, he chooses his bases hB such that hB = hA. Then he measures the received qubits.

In this case, |T0| is always (4 + η)n, so Bob does not have to calculate it. Also, Hybrid Protocol 3 cannot be aborted because of |T0| at PE1 and PE2. Hybrid Protocol 3 is summarized as follows.

Hybrid Protocol 3

State Preparation

SP1 Alice randomly generates a (4 + η)n-bit string hA ∈ {0, 1}^{(4+η)n}. Bob does not generate hB now.

SP2 Alice prepares the state |Φ+⟩^{⊗(4+η)n}. She applies Hadamard gates to the second qubits of the EPR pairs according to hA; that is, (I ⊗ H)^{hA} |Φ+⟩^{⊗(4+η)n}.

SP3 Alice directly sends the second qubit of each EPR pair to Bob.

SP4 After receiving the (4 + η)n qubits, Bob announces the fact that he has received them. He does not apply Hadamard gates or measure the qubits now.

SP5 Alice measures all of her remaining system in the Z basis. Let sA ∈ {0, 1}^{(4+η)n} be the measurement outcomes.

Parameter Estimation

PE1 Alice announces hA.

PE2 Bob sets hB = hA and applies Hadamard gates to the received qubits according to hB. Then, he measures all (4 + η)n qubits in the Z basis. Let sB ∈ {0, 1}^{(4+η)n} be the measurement outcomes.

PE3 Bob randomly chooses a subset Tsift ⊆ [(4 + η)n] with |Tsift| = 2n. Bob announces Tsift.

PE4 Alice randomly chooses a subset Tcheck ⊂ Tsift with |Tcheck| = n. She announces Tcheck.

PE5 Alice announces sA[i] for all i ∈ Tcheck.

PE6 Bob calculates the number db of disagreements sA[i] ≠ sB[i] over all i ∈ Tcheck. Let eb = db/n. If eb ≥ δ, they abort the protocol. Otherwise, the protocol proceeds.

Information Reconciliation and Privacy Amplification IP1 to IP5 are the same as in Hybrid Protocol 2.

Before proving the relation between Hybrid Protocol 2 and Hybrid Protocol 3, we prove a relevant claim.

Claim 4.3. The probability that |T0| < 2n in Hybrid Protocol 2 is 2^{−O(nη²)}.

Proof. The probability that |T0| < 2n is

where Equation (4.2) comes from \binom{an}{bn} ≤ 2^{anH(b/a)} for all a ∈ (0, 1], b ∈ [0, 1] such that a ≥ b; Equation (4.3) comes from H(x) ≤ 1 − 2(x − 1/2)² for x ∈ [0, 1]; and Equation (4.5) comes from η ∈ [0, 1].

Lemma 4.4. If Hybrid Protocol 3 is ϵ-secure, then Hybrid Protocol 2 is (ϵ + 2 · 2^{−O(nη²)})-secure.

Proof. Let us consider the equivalence game between Hybrid Protocol 2 and Hybrid Protocol 3 with distinguisher D. Hybrid Protocol 2 behaves exactly the same as Hybrid Protocol 3 if |T0| ≥ 2n in Hybrid Protocol 2. The only case in which the distinguisher D has an advantage in telling Hybrid Protocol 2 apart from Hybrid Protocol 3 is when it sees the protocol aborted at PE2. Thus, for any distinguisher D we have

Pr[ the equivalence game between Hybrid Protocol 2 and Hybrid Protocol 3, run with D, outputs 1 ] ≤ 1/2 + (1/2) Pr( Hybrid Protocol 2 is aborted at PE2 ). (4.8)

Because Hybrid Protocol 2 is aborted at PE2 only if |T0| < 2n, Equation (4.8) becomes

Pr

with probability (1/2)(1 + ϵ). However, Equation (4.9) gives an upper bound on ϵ. Consequently, we have

∥ ( 2, A) − ( 3, A)∥tr ≤ 2^{−O(nη²)}.

Given two quantum states ρ, σ, tracing out the same subsystems can only reduce the trace distance. Also, if we append the same state to ρ and σ (for example, χ ⊗ ρ and χ ⊗ σ), the trace distance remains the same. That is what we do in the ideal world. Thus, if we consider the states of Hybrid Protocol 2 and Hybrid Protocol 3 in the ideal world, we have

∥ ( 2, A) − ( 3, A)∥tr ≤ ∥ ( 2, A) − ( 3, A)∥tr ≤ 2^{−O(nη²)}.

By assumption, Hybrid Protocol 3 is ϵ-secure, so ∥ ( 3, A) − ( 3, A)∥tr ≤ ϵ. Finally, we combine all the results by the triangle inequality and get

∥ ( 2, A) − ( 2, A)∥tr ≤ ∥ ( 2, A) − ( 3, A)∥tr + ∥ ( 3, A) − ( 3, A)∥tr + ∥ ( 3, A) − ( 2, A)∥tr ≤ 2^{−O(nη²)} + ϵ + 2^{−O(nη²)}.

Hybrid Protocol 4: Alice only sends 2n EPR pairs. In Hybrid Protocol 3, Alice sends (4 + η)n qubits to Bob and Bob has to choose a subset Tsift. In Hybrid Protocol 4, Alice only sends 2n qubits to Bob. Thus, in this case, Bob does not have to choose the set Tsift.

Hybrid Protocol 4

State Preparation

SP1 Alice randomly generates a 2n-bit string hA ∈ {0, 1}^{2n}.

SP2 Alice prepares the state |Φ+⟩^{⊗2n}. She applies Hadamard gates to the second qubits of the EPR pairs according to hA; that is, (I ⊗ H)^{hA} |Φ+⟩^{⊗2n}.

SP3 Alice directly sends the second qubit of each EPR pair to Bob.

SP4 After receiving the 2n qubits, Bob announces the fact that he has received them.

SP5 Alice measures all of her remaining system in the Z basis. Let sA ∈ {0, 1}^{2n} be the measurement outcomes.

Parameter Estimation

PE1 Alice announces hA.

PE2 Bob sets hB = hA and applies Hadamard gates to the received qubits according to hB. Then, he measures all 2n qubits in the Z basis. Let sB ∈ {0, 1}^{2n} be the measurement outcomes.

PE3 Alice randomly chooses a subset Tcheck ⊂ [2n] such that |Tcheck| = n. She announces Tcheck.

PE4 Alice announces sA[i] for all i ∈ Tcheck.

PE5 Bob calculates the number db of disagreements sA[i] ≠ sB[i] over all i ∈ Tcheck. Let eb = db/n. If eb ≥ δ, they abort the protocol. Otherwise, the protocol proceeds.

Information Reconciliation and Privacy Amplification IP1 to IP5 are the same as in Hybrid Protocol 3.

Lemma 4.5. If Hybrid Protocol 4 is ϵ-secure, then Hybrid Protocol 3 is also ϵ-secure.

Proof. Consider a virtual protocol that is the same as Hybrid Protocol 3 except that Bob chooses and announces the subset Tsift ⊆ [(4 + η)n] at the beginning. Because this change gives the adversary more power, it can only make the security worse. Thus, if the virtual protocol is ϵ-secure, then Hybrid Protocol 3 is also ϵ-secure.

Suppose A is an adversary attacking the virtual protocol and A′ is an adversary attacking Hybrid Protocol 4. Next, we show that as long as A achieves ∥ ( , A) − ( , A)∥tr = ϵ in the virtual protocol, A′ can also achieve ∥ ( 4, A′) − ( 4, A′)∥tr = ϵ in Hybrid Protocol 4. Hence, the security level of the virtual protocol is at least as good as that of Hybrid Protocol 4.

When receiving the 2n qubits in Hybrid Protocol 4, A′ prepares (2 + η)n EPR pairs and interleaves them with the 2n qubits that Alice sent, so that Alice’s qubits sit at the positions in Tsift. Then, A′ applies the same attack as A does in the virtual protocol. Finally, A′ only sends those qubits in Tsift to Bob, so Bob receives only 2n qubits. Note that Alice and Bob never use the qubits not in Tsift, so it does not matter whether A′ or Bob discards them. That is, A′ can perfectly reproduce A’s attack. Thus, if Hybrid Protocol 4 is ϵ-secure, then the virtual protocol is also ϵ-secure.

Hybrid Protocol 5: Alice and Bob defer the measurement on the data qubits until IR. In Hybrid Protocol 4, Alice and Bob measure all 2n qubits in the PE stage. Thus, the input of the IP stage is two classical strings. In Hybrid Protocol 5, they only measure the qubits in Tcheck during the PE stage. The qubits in Tdata remain in a quantum state after the PE stage. Let A and B denote Alice’s and Bob’s quantum registers for the qubits in Tdata, respectively.¹

Hybrid Protocol 5

State Preparation

SP1 to SP4 are the same as in Hybrid Protocol 4. Alice does not perform SP5.

Parameter Estimation

PE1 Alice announces hA.

PE2 Bob sets hB = hA and applies Hadamard gates to the received qubits according to hB. He does not measure them now.

PE3 Alice randomly chooses a subset Tcheck ⊂ [2n] such that |Tcheck| = n. She announces Tcheck.

PE4 For all i ∈ Tcheck, both Alice and Bob measure the i-th qubit of their systems in the Z basis. Let sA,check and sB,check be the n-bit measurement outcomes of Alice and Bob, respectively. Alice announces sA,check.

¹ Note that KA and KB are the key registers for the final key, which are different from A and B.

PE5 Bob calculates the number db of disagreements sA,check[i] ≠ sB,check[i] over all i ∈ [n]. Let eb = db/n. If eb ≥ δ, they abort the protocol. Otherwise, the protocol proceeds.

Information Reconciliation and Privacy Amplification

IP1 Let register A and register B be the two n-qubit quantum systems of Alice and Bob that were not used for parameter estimation. Alice and Bob measure A and B in the Z basis and get n-bit strings sA,data and sB,data, respectively. Alice sets her reconciliated key kA,IR = sA,data.

IP2 to IP5 are the same as in Hybrid Protocol 4.

Lemma 4.6. Hybrid Protocol 4 and Hybrid Protocol 5 are equivalent.

Proof. Note that in Hybrid Protocol 4, Alice announces sA[i] for i ∈ Tcheck after Tcheck is announced. Also, Bob compares sA,check[i] ≠ sB,check[i] for i ∈ Tcheck after Tcheck is announced. Thus, the protocol works the same if the measurement is deferred until Tcheck is announced.

Because the distinguisher D has no access to Alice’s and Bob’s devices, D cannot distinguish the order of the measurement and the choice of Tcheck. Similarly, Alice and Bob do not use the qubits in Tdata before the IP stage, so their measurement can be deferred to the beginning of the IP stage without D noticing. Thus, the two protocols are equivalent.

Combining Lemmas 4.1, 4.2, 4.4, 4.5 and 4.6, we can conclude the relation between BB84 and Hybrid Protocol 5.

Corollary 4.7. If Hybrid Protocol 5 is ϵ-secure, then BB84 is (ϵ + 2 · 2^{−O(nη²)})-secure.
