Department of Electrical Engineering
College of Electrical Engineering and Computer Science
National Taiwan University
Master Thesis
Analysis and Comparison of Security Proofs of Quantum Key Distribution
Hao Chung (鍾豪)
Advisor: Chen-Mou Cheng, Ph.D.
July, 2018
Abstract (Chinese)

Quantum key distribution (QKD) is a cryptographic algorithm that allows two communicating parties to obtain the same secure private key without any computational assumption. Although BB84 is the earliest proposed QKD protocol, it is easy to implement, and, combined with the decoy method, it remains a QKD protocol that can be used securely in practice today.

In this thesis, we give a complete security proof of the BB84 protocol. A complete security proof should consist of three parts: definitions, assumptions, and mathematical proofs. This thesis gives a complete introduction to the security definition, analyzes in detail all the assumptions used in the proof, and finally proves that the BB84 protocol satisfies the security definition under those assumptions. Moreover, apart from a few mathematical theorems whose proofs are not directly related to QKD, every step of the security proof is explained rather than directly citing results from other papers. For students who have just started with QKD, or for researchers from other fields, this thesis can serve as a stepping stone and a reference for understanding QKD security proofs.

The proof techniques used here are mainly based on the two papers [SP00] and [Koa09]. First, we use the method proposed in [SP00] to reduce the security of the BB84 protocol to an entanglement distillation protocol, and describe the protocol in terms of error-correcting codes. Then, using the technique in [Koa09], we analyze the security of the entanglement distillation protocol by the uncertainty principle. In the course of the proof, we make improvements in two places. First, the reduction in [SP00] is argued through the "equivalence" of the two protocols. In this thesis, we rigorously define the notion of "equivalence" by an indistinguishability game in the manner of modern cryptography, actually apply this definition in the security proof, and give a rigorous analysis of the parameter loss in the reduction. Second, Koashi's proof [Koa09] requires that the communication between the two parties during post-processing be encrypted with a one-time pad. This thesis proves that the BB84 protocol remains secure even if the post-processing communication is kept public.

Keywords: quantum key distribution, security proof, BB84
Abstract
Quantum key distribution (QKD) allows two parties to have a shared secret key without relying on any computational assumption. While BB84 is the oldest QKD protocol, it is easy to implement and compatible with the decoy method, which makes it secure in the practical world.

In this thesis, we give a complete and self-contained security proof of the BB84 protocol. By complete, we mean that we give a comprehensive introduction to all the building blocks of a security proof. We recall the formal security definition of QKD, analyze all the necessary assumptions and give a proof to show that BB84 attains the security definition. By self-contained, we mean that we analyze the security of BB84 step by step without outsourcing to other papers, except for some mathematical facts whose proofs are not directly related to the main context. We believe that our treatment makes it easier to understand the security proof of QKD, especially for students and researchers from different backgrounds.

Our work combines the proofs in [SP00] and [Koa09]. We reduce the security of BB84 to an entanglement-based protocol and describe the protocol by error correction codes, as introduced in [SP00]. Then, we analyze the security of the entanglement-based protocol by the uncertainty principle, which is the essential part of the proof in [Koa09]. Along the proof, we make two improvements. First, in [SP00], the reduction is argued by the "equivalence" between two protocols. We formulate the notion of equivalence by an indistinguishability game, which fits the language of modern cryptography. We apply the new definition of equivalence to the proof and analyze the parameter loss in the reduction. Second, the proof in [Koa09] requires that the post-processing in the BB84 protocol must be encrypted by a one-time pad. We remove this requirement and show that BB84 remains secure if the post-processing is done in public.

Keywords: Quantum Key Distribution, Security Proof, BB84
Acknowledgements

First, I want to thank my advisor, Professor Chen-Mou Cheng (鄭振牟): when I had just stepped into the field of computer science, he patiently discussed with me how to choose an area for my master's studies, and in the end gave me the opportunity to get to know quantum cryptography.

During my two years of master's studies, the person I most want to thank is my co-advisor, Dr. 鐘楷閔. He took me by the hand from a greenhorn who did not know what theoretical research was to the point of finally completing this thesis. I am very grateful to have a mentor who is both a teacher and a friend. As a teacher, we could discuss for a whole afternoon just to clear up one problem that had us stuck. Whether it was giving a talk, reading a paper, or writing the thesis, his questions and suggestions always let me break through the blind spots in my thinking. As a friend, he is like a senior schoolmate, with whom I can chat about all kinds of "meta level" questions.

I want to thank Dr. 賴青沂, who, throughout my master's studies, constantly shared personal learning experiences with me and helped me grow faster in exploring quantum information research. Moreover, over the past two years, Dr. 賴 corrected my research notes and thesis drafts with extraordinary care. Every set of notes came back full of red ink, but through this back-and-forth I picked up many techniques of paper writing.

I thank Professor 陳君明 for introducing me to the practical side of cryptography and for giving me a stage to share quantum cryptography in class and outside school. I thank the members of Professor Cheng's lab: 博鈞, 世群, 遠哲, 昱嘉, 昱維, 克烜, 瑞智, 宇唐 and 紘賢, for taking courses and going on trips together, and for constantly eating up all the snacks in the lab. I thank the members of Professor 鐘's lab: 彥霖, 紀寧, 教勛, JJ, 大白 and 惇頤, for studying cryptography, complexity theory and quantum computing together and for the discussions about theoretical research; without everyone studying together, studying alone would surely have been painful. I thank the teachers of the summer courses, 陳昱圻, 王姿月 and 孫嘉梁, for planning such wonderful courses with such care.

Thank you, Dad and Mom, for finally raising your son all the way to a master's degree! Thank you for letting me freely develop all kinds of interests while I was growing up. Although you could not help worrying about me at times, you always accepted and supported my jumping around among all sorts of cross-disciplinary choices.

Finally, thank you to my girlfriend 芝雲, for always supporting my dreams and planning the future with me. It is wonderful to have you.
Contents

List of Notation

1 Introduction
1.1 Key Distribution
1.2 Quantum Key Distribution
1.3 Security Proof
1.4 Contributions
1.5 Outline of the Thesis

2 Preliminaries
2.1 Notation
2.2 Quantum States and Operations
2.3 Trace Distance and Fidelity
2.3.1 Trace Distance
2.3.2 Fidelity
2.4 Linear Code
2.5 Information Reconciliation
2.6 Useful Mathematical Relations

3 QKD Model and Security
3.1 Security Definition
3.1.1 Abstraction
3.1.2 Composable Security
3.1.3 Correctness and Secrecy
3.2 Equivalence Game
3.3 Assumptions
3.4 BB84 protocol

4 A Complete Proof of BB84
4.1 Reduction to A Virtual Protocol
4.2 Parameter Estimation
4.2.1 Correctness
4.2.2 Guarantee of X measurement
4.3 Complementary Argument
4.3.1 More Hybrid Argument
4.3.2 Secrecy
4.4 The Security of BB84

5 Conclusion
5.1 Future Works

Bibliography
List of Notation

General
s[i]: the i-th bit of the string s
M[i]: the i-th row of the matrix M
wt(s): Hamming weight of the string s
d(s, s′): Hamming distance between the strings s and s′
$H_2$: binary Shannon entropy
(p): function that indicates the truth value of a proposition p
F(ρ, σ): the fidelity between ρ and σ
$\|\rho - \sigma\|_{\mathrm{tr}}$: the trace distance between ρ and σ
X: Pauli X operator
Z: Pauli Z operator
H: Hadamard gate
$X^s$: $\bigotimes_{i=1}^{n} X^{s[i]}$ (the same goes for Z and H)
$|\Phi^+\rangle$: EPR pair $\frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$

Quantum Registers
A: Alice's quantum register that is not used for parameter estimation
B: Bob's quantum register that is not used for parameter estimation
F: flag register
C: quantum register of all classical information
E: quantum register of the adversary
$K_A$: Alice's key register (note that A and $K_A$ are different)
$K_B$: Bob's key register (note that B and $K_B$ are different)

Parameters and Functions of QKD
n: security parameter
η: parameter for the number of qubits sent over the quantum channel
$\delta_{\mathrm{th}}$: threshold for parameter estimation
$\epsilon_{\mathrm{PE}}$: tolerance for parameter estimation
$\epsilon_{\mathrm{IR}}$: tolerance for information reconciliation
$\epsilon_{\mathrm{PA}}$: tolerance for privacy amplification
$m_{\mathrm{IR}}$: length of the error syndrome for information reconciliation
$m_{\mathrm{PA}}$: length of the error syndrome for privacy amplification (only used in the security proof)
$\ell_{\mathrm{fin}}$: length of the final key
$C_{n,k}$: the set of all [n, k] linear codes over $\mathbb{Z}_2$
$C_{\mathrm{IR}}$: the linear code for information reconciliation
$H_{\mathrm{IR}}$: the parity check matrix of $C_{\mathrm{IR}}$
$C_{\mathrm{PA}}^{\perp}$: the linear code for privacy amplification
$H_{\mathrm{PA}}^{\perp}$: the parity check matrix of $C_{\mathrm{PA}}^{\perp}$
r: error syndrome for information reconciliation
$H_{\mathrm{fin}}$: the matrix for distilling the final key
$k_{A,\mathrm{fin}}$: Alice's final key
$k_{B,\mathrm{fin}}$: Bob's final key
(symbol not recovered): encoding function of information reconciliation
(symbol not recovered): decoding function of information reconciliation
(symbol not recovered): QKD security experiment of the real world
(symbol not recovered): QKD security experiment of the ideal world
Chapter 1 Introduction
1.1 Key Distribution
In many cryptographic applications, the involved parties need to establish a shared secret key at the beginning. For example, to send a confidential message over the internet, we may encrypt it with AES-128. To do so, the sender and the receiver need 128 secret bits beforehand, so they run a key distribution protocol before using AES-128.
However, Peter Shor [Sho94] showed that the discrete logarithm problem over the natural numbers and the factoring problem can be solved by a quantum computer in polynomial time. Later on, Proos and Zalka [PZ03] showed that the discrete logarithm problem over elliptic curves can also be solved efficiently by a quantum computer. Consequently, most of the key distribution protocols we use nowadays, such as RSA, Diffie-Hellman key exchange and ECDH, are vulnerable if large-scale quantum computers are built.
Post-quantum cryptography is a research field studying classical cryptographic algorithms that resist adversaries with quantum power. (Footnote 1: In this thesis, classical refers to not quantum.) The development of quantum computers motivated the National Institute of Standards and Technology (NIST) in the US to start the standardization of post-quantum cryptography. The standardization includes digital signature, public-key encryption, and key-establishment algorithms. The drafts came from all over the world and the submission deadline was November 30, 2017. All the candidates will be examined over 3 to 5 years before the final standard is chosen (see footnote 2).
1.2 Quantum Key Distribution
On the other hand, the power of quantum mechanics allows us to build a stronger cryptographic primitive. Quantum key distribution (QKD) allows two parties to have a shared secret key without relying on any computational assumption, and it is also resistant to quantum adversaries.
The first QKD protocol was proposed by Bennett and Brassard [BB84] and is now called the "BB84 protocol." The first implementation of BB84 was demonstrated by Bennett et al. [BBB+92]. After BB84, various protocols were proposed [Ben92, BBM92], but the security of all of them relies on a perfect single-photon source, which is not practical to implement. To deal with this problem, the decoy-state protocol [Hwa03, LMC05] provides a way to monitor the disturbance caused by the adversary under the assumption that the source emits coherent states.
To have security, all the protocols above still need the assumption that the sources and the detectors work ideally. However, several attacks [ZFQ+08, LWW+10] showed that the detectors at the receiver side can be vulnerable. Measurement-device-independent (MDI) QKD [LCQ12] allows two parties to obtain a secure key even if all the detectors are controlled by the adversary. Can we go a step further by removing the assumption about the sources? The answer is yes. Device-independent (DI) QKD [MY98, VV14] removes even the assumption about the source (see footnote 3).
Although DI-QKD is still confined to theoretical work and has no implementation so far, some protocols are becoming mature for applications. On the academic side, it has been demonstrated that a transmission distance of 404 km can be achieved by MDI-QKD [YCY+16]. Commercially, many companies, such as ID Quantique, MagiQ, QuintessenceLabs, Toshiba, and so on, are devoting themselves to the development of QKD using decoy-BB84, coherent one-way, etc. CLAVIS3 made by ID Quantique achieves 3 kbit/s over 50 km [IDQ15], and Toshiba claims to have a prototype achieving 13.7 Mbit/s over 10 km.

Footnote 2: The details and all the candidates can be found at the official website:
Footnote 3: Compared to MDI-QKD, DI-QKD needs the extra assumptions that the two parties are spatially isolated and that the detectors do not leak information.
In addition, QKD networks, which allow secret keys to be distributed between financial, military and government units, have been built in many countries, such as the USA [ECP+05], Vienna [PPA+09], Japan [SFI+11] and South Africa [MP10]. In 2016, the longest QKD network, the China Quantum Secure Backbone Project, was completed. It connects 32 trusted nodes from Beijing to Shanghai, and the total length of the fiber is up to 2000 kilometers.
Distance is the main issue of fiber-based QKD. In 2016, China launched the first QKD satellite, Micius. It successfully delivered entangled photons over 1200 km [YCL+17] and conducted a decoy-state QKD protocol with a key rate of 1.1 kbit/s [LCL+17]. Many QKD satellite projects are in preparation [BAL17].
To sum up, while quantum computers are still far from practical use, QKD has become a feasible solution to key distribution. In the next section, we discuss another important issue of QKD: the security proof.
1.3 Security Proof
What is the security proof? And why is it important? In Katz and Lindell’s book [KL14], they give a vivid description of the age without security proofs.
Constructing good codes, or breaking existing ones, relied on creativity and a developed sense of how codes work. There was little theory to rely on and, for a long time, no working definition of what constitutes a good code. (page 1.)

Schemes were designed in an ad hoc manner and evaluated based on their perceived complexity or cleverness. A scheme would be analyzed to see if any attacks could be found; if so, the scheme would be “patched” to thwart that attack, and the process repeated. Although there may have been agreement that some schemes were not secure (as evidenced by an especially damaging attack), there was no agreed-upon notion of what requirements a “secure” scheme should satisfy, and no way to give evidence that any specific scheme was secure. (page 16.)
Throughout history, many ciphers that were believed to be safe were ultimately broken, including the famous Nazi cipher Enigma in World War II. It was not until the 1980s that cryptographers finally pinned down the notion of a security proof.
A complete security proof consists of definitions, assumptions and mathematical proofs.
The formal definitions characterize what "secure" means and what a cryptographic primitive should achieve. Then, most cryptographic primitives rely on some mathematically hard problems or some environmental factors; all the assumptions about these problems or factors should be clarified. Finally, a rigorous mathematical proof gives an unbreakable guarantee that no attack will succeed with respect to the given definitions and assumptions.
To formally define the security of QKD and to give a proof are not easy tasks. Although the first QKD protocol was proposed in 1984 [BB84], it had no security proof until Mayers gave one in 1996 [May96]. The precise security definition came even later. In the early development of QKD, security was defined in terms of mutual information, which does not guarantee security against general attacks [KRBM07] (see footnote 6). The correct definition, composable security, was proposed in [BOHL+05, RK05] and is stated in terms of the trace distance. Fortunately, the early proofs that give a tight bound on the fidelity can be extended to composable security easily.
To date, the security of the BB84 protocol has been discussed by many papers from different aspects. As pointed out in [SBPC+09], there are three main techniques to prove the security of QKD.

1. By the uncertainty principle. The technique was proposed by Mayers in his first proof [May96]. Later on, Mayers' proof was simplified by Koashi and Preskill [KP03, Koa05]. Finally, the proof was extended to composable security by Koashi [Koa09].

2. By entanglement distillation. Lo and Chau [LC99] proposed a new QKD protocol based on entanglement distillation and showed its security. Then, Shor and Preskill [SP00] showed that BB84 is secure if and only if the entanglement distillation protocol (EDP) is secure. This technique is so powerful that it is adopted in many proofs for different protocols [GLLP04, LMC05, LCQ12].

3. By entropic relations. Renner [Ren05] introduced the notion of smooth min-entropy and max-entropy and gave a security proof for the BB84 protocol by using an entropic argument and a quantum version of de Finetti's theorem. Tomamichel and Leverrier [TL17] gave a self-contained review of this kind of technique.

Footnote 6: The detailed discussion is in Section 3.1.
1.4 Contributions
The main contribution of this thesis is that we give a complete and self-contained security proof of the BB84 protocol. By complete, we mean that we give a comprehensive introduction to all the building blocks of a security proof. We recall the formal security definition of QKD and some related properties in Section 3.1. We discuss all the necessary assumptions in Section 3.3. In Chapter 4, we give a complete security proof to show that BB84 attains the security definition.

By self-contained, we mean that we analyze the security of BB84 step by step without outsourcing to other papers, except for some mathematical facts whose proofs are not directly related to the main context. We only assume that the readers are familiar with basic quantum information. We believe that our treatment can make it easier to understand the security proof of QKD, especially for students and researchers from different backgrounds.
Along the proof, we make two small improvements. First, we formally define the notion of "equivalence." In [SP00], the reduction is argued by the equivalence between two protocols. Koashi also used a similar argument in his proof [Koa09]. However, we notice that the notions of equivalence in the two papers are different: Shor and Preskill's equivalence fits the definition of security, while Koashi's equivalence only fits the definition of secrecy (see footnote 7). We formulate the equivalence by an indistinguishability game, which fits the language of modern cryptography. We apply the new definition of equivalence to the proof and analyze the parameter loss in the reduction.

Footnote 7: The formal definitions of security and secrecy are given in Section 3.1.
Second, in most of the security proofs [SP00, GLLP04, Ren05], the post-processing (see footnote 8) can be done in public. However, Koashi's proof [Koa09] requires that the post-processing be encrypted by a one-time pad. This is costly, since Alice and Bob must share a long secret string beforehand. In Section 4.3, we adopt the argument in [Koa09] and show that the technique based on the uncertainty principle can also be applied to the case where the post-processing is done without encryption.
1.5 Outline of the Thesis
In Chapter 2, we give a brief introduction to quantum information and linear error-correcting codes, focusing on the properties we need. The notation used in this thesis is presented in Section 2.1.

In Chapter 3, we formally introduce our security model. We start from the abstraction of QKD. Then, we introduce the formal definition of composable security. In Section 3.2, we formally define the notion of "equivalence" by an indistinguishability game. In Section 3.3, we discuss the assumptions we need. The complete description of the BB84 protocol is given in Section 3.4.

A complete security proof is given in Chapter 4. First, in Section 4.1, we reduce the BB84 protocol to an entanglement-based protocol, which is easier to analyze. Then, correctness and parameter estimation are analyzed in Section 4.2. Finally, a security analysis based on the uncertainty principle (the complementary argument), which is the essential part of the proof, is given in Section 4.3. The security of BB84 is concluded in Section 4.4.

In Chapter 5, we summarize the results of this thesis and discuss some prospective future work.

Footnote 8: In this thesis, post-processing refers to parameter estimation, information reconciliation and privacy amplification. These three steps will be introduced in Section 3.4.
Chapter 2
Preliminaries
2.1 Notation
Suppose s, s′ are two binary strings. We denote the i-th bit of s by s[i]. We define wt(s) to be the Hamming weight of s and d(s, s′) to be the Hamming distance between s and s′. We also define s ⊕ s′ to be the bit-wise XOR of s and s′.

Suppose M is an m-by-n matrix and $s \in \{0,1\}^n$ is an n-bit string. Then we define Ms to be the m-bit string obtained by treating s as a column vector and computing Ms by matrix multiplication. We denote the i-th row of M by M[i].

Suppose p is a positive real number. We define [p] to be the set of positive integers $[p] = \{x \in \mathbb{N} : x \le \lfloor p \rfloor\}$. The number of elements in a set T is denoted by |T|.
We define $H_2$ to be the binary Shannon entropy
$$H_2(x) = -x \log x - (1-x)\log(1-x).$$
We define (p) to be the function that indicates the truth value of a proposition p:
$$(p) = \begin{cases} 1, & \text{if } p \text{ is true;} \\ 0, & \text{if } p \text{ is false.} \end{cases}$$
A function f from the natural numbers to the non-negative reals is called negligible if for every positive polynomial p, there exists an integer N such that for all integers n > N, it holds that $f(n) < \frac{1}{p(n)}$. In this thesis, "the statement holds with high probability" means "there exists a negligible function f(n) such that the statement holds with probability 1 − f(n), where n is the security parameter (see footnote 1)."
In this thesis, Alice and Bob refer to the two parties who want to establish a shared secret key and Eve refers to an adversary of the QKD protocol.
2.2 Quantum States and Operations
A quantum register (or a quantum system) is a physical object that can store quantum information. The content of a quantum register is called a quantum state. A quantum state is modelled by a density operator, which is a positive semidefinite operator with unit trace.
In this thesis, quantum registers are denoted by capital letters, such as A, B, F, and so on. The quantum states of quantum registers are denoted by Greek letters with a subscript indicating the register, such as $\rho_A$, $\sigma_B$, and so on. The Hilbert space of a quantum register A is denoted by $\mathcal{H}_A$. The Hilbert space $\mathcal{H}_{AB}$ of a joint quantum register AB is the tensor product of the Hilbert spaces of each subsystem; that is, $\mathcal{H}_{AB} = \mathcal{H}_A \otimes \mathcal{H}_B$.

We write $D(\mathcal{H})$ to denote the set of density matrices acting on some Hilbert space $\mathcal{H}$. Also, we define $D_{\le}(\mathcal{H})$ to be the set of subnormalized density matrices acting on $\mathcal{H}$; that is, the set of positive semidefinite operators acting on $\mathcal{H}$ with trace at most one.
We define the notation
$$|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle) \quad\text{and}\quad |-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle).$$
The Pauli X gate, the Pauli Z gate and the Hadamard gate H are defined by
$$X = \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix}, \quad Z = \begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix} \quad\text{and}\quad H = \frac{1}{\sqrt{2}}\begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix}.$$
Given an n-bit binary string s and an operator U, we define
$$U^s = \bigotimes_{i=1}^{n} U^{s[i]}.$$

Footnote 1: The security parameter will be introduced in Section 3.1.
2.3 Trace Distance and Fidelity
2.3.1 Trace Distance
The trace distance of two states ρ and σ, denoted by $\|\rho-\sigma\|_{\mathrm{tr}}$, is defined by
$$\|\rho - \sigma\|_{\mathrm{tr}} = \frac{1}{2}\|\rho - \sigma\|_1, \quad\text{where}\quad \|M\|_1 = \mathrm{Tr}\sqrt{M^\dagger M}$$
is the Schatten 1-norm of M. The trace distance is a metric. That is, given a Hilbert space $\mathcal{H}$, for all $\rho, \sigma, \tau \in D(\mathcal{H})$, we have $\|\rho-\sigma\|_{\mathrm{tr}} = \|\sigma-\rho\|_{\mathrm{tr}}$; $\|\rho-\sigma\|_{\mathrm{tr}} = 0$ if and only if ρ = σ; and the triangle inequality holds:
$$\|\rho-\tau\|_{\mathrm{tr}} \le \|\rho-\sigma\|_{\mathrm{tr}} + \|\sigma-\tau\|_{\mathrm{tr}}.$$
Let $\{\rho_i\}$ and $\{\sigma_i\}$ be two sets of density operators and $\sum_i p_i = 1$ where $0 \le p_i \le 1$ for all i. The trace distance is jointly convex:
$$\Big\|\sum_i p_i \rho_i - \sum_i p_i \sigma_i\Big\|_{\mathrm{tr}} \le \sum_i p_i \|\rho_i - \sigma_i\|_{\mathrm{tr}}.$$
2.3.2 Fidelity
The fidelity of two states ρ and σ, F(ρ, σ), is defined as
$$F(\rho,\sigma) = \Big(\big\|\sqrt{\rho}\sqrt{\sigma}\big\|_1\Big)^2. \tag{2.1}$$
If ρ is a pure state $|\psi\rangle\langle\psi|$, then the calculation of the fidelity can be simplified:
$$\begin{aligned}
F(|\psi\rangle\langle\psi|, \sigma) &= \Big(\mathrm{Tr}\sqrt{\sqrt{|\psi\rangle\langle\psi|}\,\sigma\,\sqrt{|\psi\rangle\langle\psi|}}\Big)^2 \\
&= \Big(\mathrm{Tr}\sqrt{|\psi\rangle\langle\psi|\,\sigma\,|\psi\rangle\langle\psi|}\Big)^2 \\
&= \Big(\sqrt{\langle\psi|\sigma|\psi\rangle}\;\mathrm{Tr}(|\psi\rangle\langle\psi|)\Big)^2 \\
&= \Big(\sqrt{\langle\psi|\sigma|\psi\rangle}\Big)^2 \\
&= \langle\psi|\sigma|\psi\rangle,
\end{aligned}$$
where the second and the third equations come from $\sqrt{|\psi\rangle\langle\psi|} = |\psi\rangle\langle\psi|$. An operational meaning of the fidelity can be seen from the calculation above: the term $\langle\psi|\sigma|\psi\rangle$ is the probability of getting $|\psi\rangle$ as the result if we measure σ by the POVM $\{|\psi\rangle\langle\psi|,\; I - |\psi\rangle\langle\psi|\}$ (see footnote 2).
An important property of the fidelity is given by Uhlmann’s theorem.
Lemma 2.1 (Uhlmann's theorem). Suppose ρ and σ are states of a quantum system Q. Introduce a second quantum system R which is a copy of Q. Then,
$$F(\rho,\sigma) = \max_{|\varphi\rangle} |\langle\psi|\varphi\rangle|^2,$$
where $|\psi\rangle$ is any fixed purification of ρ and the maximization is over all purifications $|\varphi\rangle$ of σ.
With Uhlmann's theorem, we can prove a corollary which will be essential in our security proof.

Corollary 2.2. Suppose $\rho_A$ is the reduced density operator of $\rho_{AB}$. Suppose $\rho_A$ and $\sigma_A$ have fidelity $F(\rho_A,\sigma_A) \ge \epsilon$. Then there exists $\sigma_{AB}$ with $\mathrm{Tr}_B(\sigma_{AB}) = \sigma_A$ such that $F(\rho_{AB},\sigma_{AB}) \ge \epsilon$.

Proof. Let $|\psi\rangle_{ABR}$ be a purification of $\rho_{AB}$, which is also a purification of $\rho_A$. Because $F(\rho_A,\sigma_A) \ge \epsilon$, by Uhlmann's theorem we can find a purification $|\varphi\rangle_{ABR}$ of $\sigma_A$ such that $|\langle\psi|\varphi\rangle|^2 \ge \epsilon$. Let $\sigma_{AB} = \mathrm{Tr}_R(|\varphi\rangle\langle\varphi|)$. Because tracing out a subsystem does not reduce the fidelity, we have
$$F(\rho_{AB},\sigma_{AB}) \ge |\langle\psi|\varphi\rangle|^2 \ge \epsilon.$$

Footnote 2: Some of the literature defines the fidelity by $\sqrt{F(\cdot,\cdot)}$, such as the famous textbook [NC00]. But many QKD security proofs [SP00, Koa09] adopt the definition in Equation (2.1). Here we follow that convention.
Finally, the relation between the trace distance and the fidelity is given by the following lemma.

Lemma 2.3. For all $\rho,\sigma \in D(\mathcal{H})$, it holds that
$$1 - \sqrt{F(\rho,\sigma)} \le \|\rho-\sigma\|_{\mathrm{tr}} \le \sqrt{1 - F(\rho,\sigma)}.$$
2.4 Linear Code
Let $\mathbb{F}$ be a field. An [n, k] linear code C over $\mathbb{F}$ is a k-dimensional subspace of $\mathbb{F}^n$. In this thesis, we only focus on $\mathbb{F} = \mathbb{Z}_2$. There are two common ways to represent a linear code: generator matrices and parity check matrices. A generator matrix for an [n, k] linear code C is any n-by-k matrix G whose columns form a basis of C. In general, there may be many generator matrices for a linear code. The other way to represent a linear code is by parity check matrices. A parity check matrix H for an [n, k] linear code C is a full-rank (n − k)-by-n matrix such that for all x ∈ C,
$$Hx = 0.$$
In other words, the null space of H is C.

The dual code of C is denoted by $C^\perp$. The code $C^\perp$ consists of all the codewords c such that c is orthogonal to all the codewords of C. Suppose C′ is a linear code such that $C' \subseteq C^\perp$ and H′ is a parity check matrix of C′. Then, it can be shown that the rows of H′ are orthogonal to the rows of H.

The existence of good codes is given by the Gilbert-Varshamov bound: as n goes to infinity, there exists an [n, k] code protecting against arbitrary t errors such that
$$\frac{k}{n} \ge 1 - H_2\Big(\frac{2t}{n}\Big).$$
In practice, if the positions of the errors are uniformly distributed, there exists a code with a higher code rate that protects against t errors in random positions with high probability. However, in cryptographic use, we cannot generally assume that the errors are uniformly distributed. Fortunately, the assumption holds if we apply a random permutation before decoding. This can be done by randomly choosing a linear code from all the possible codes. This property has been used in the proofs in [SP00, KP03]. For completeness, we restate the proposition here.
Proposition 2.4. Suppose $C_{n,k}$ is the set of all [n, k] linear codes over $\mathbb{Z}_2$. If we randomly choose a code C from $C_{n,k}$, then for all ε > 0, C can protect against t errors with probability $1 - 2^{-n\epsilon}$ and the code rate of C satisfies
$$\frac{k}{n} = 1 - H_2\Big(\frac{t}{n}\Big) - \epsilon.$$
Proof. The key idea comes from random hashing [BDSW96]. Given an arbitrary n-bit string $x \in \{0,1\}^n \setminus \{0\}$, there are exactly $\frac{1}{2}\cdot 2^n$ n-bit strings whose inner product with x is zero. That is,
$$\big|\{s \in \{0,1\}^n : s\cdot x = 0 \pmod 2\}\big| = \frac{1}{2}\cdot 2^n.$$
Thus, if we uniformly choose a string s from $\{0,1\}^n$, then $\Pr(s\cdot x = 0) = \frac{1}{2}$. In general, suppose we have an (n − k)-by-n matrix M whose rows are uniformly chosen from $\{0,1\}^n$. Then, for all $x, x' \in \{0,1\}^n$ such that $x - x' \ne 0$, we have
$$\Pr\big(M(x-x') = 0\big) = \Big(\frac{1}{2}\Big)^{n-k},$$
where the probability is over the randomness of M.

Now, suppose we want to know whether x = x′ for some $x, x' \in \{0,1\}^n$. We already know that Mx = Mx′ and we want to check x = x′ by one more parity bit check. If we uniformly choose a string s from $\{0,1\}^n$ and compute s · x and s · x′, then the probability that we find they are different is only $\frac{1}{2}$ conditioned on x ≠ x′. However, if s is linearly dependent on the rows of M, then s · x must equal s · x′. In this case, choosing s is useless.

It is more clever to choose s only from the n-bit strings which are linearly independent of the rows of M. In this case, we have a better chance to find s·x ≠ s·x′ conditioned on x ≠ x′. That is the case when we use a parity check matrix H of a random code C rather than a randomly generated matrix M. Thus, for all $x, x' \in \{0,1\}^n$ such that x ≠ x′, we have
$$\Pr\big(H(x-x') = 0\big) \le \Big(\frac{1}{2}\Big)^{n-k}. \tag{2.2}$$
Suppose x is a codeword of C and the corrupted codeword is y = x + e. Assume the number of errors is at most t, so we have wt(e) ≤ t. Let E be the set of all possible errors; we have $|E| \le \binom{n}{t}$. The decoder first computes
$$r = Hy = Hx + He = He.$$
If there is only one e′ ∈ E such that He′ = r, the decoder decides that e′ is the error and corrects it. In this case, the error correction is always successful. If there are two strings $e_1, e_2 \in E$ such that $He_1 = He_2 = r$, the decoder randomly chooses one of them. However, the probability that such an event happens is
$$\Pr\big(He_1 = He \;\vee\; He_2 = He \;\vee\; \cdots \;\vee\; He_{|E|-1} = He\big) \le \sum_{i=1}^{|E|-1}\Pr(He_i = He) \le (|E|-1)\Big(\frac{1}{2}\Big)^{n-k},$$
where $e_1, e_2, \cdots, e_{|E|-1}$ are all the elements of $E \setminus \{e\}$. Choosing $n - k = n\big(H_2\big(\frac{t}{n}\big) + \epsilon\big)$, the probability that error correction fails is at most
$$(|E|-1)\Big(\frac{1}{2}\Big)^{n-k} \le \binom{n}{t}\Big(\frac{1}{2}\Big)^{n-k} \le 2^{nH_2(\frac{t}{n})}\, 2^{-n(H_2(\frac{t}{n})+\epsilon)} = 2^{-n\epsilon},$$
where the second inequality comes from $\binom{n}{\lambda n} \le 2^{nH_2(\lambda)}$ (Lemma 2.6). Because $n - k = n\big(H_2\big(\frac{t}{n}\big)+\epsilon\big)$, we have the code rate
$$\frac{k}{n} = 1 - H_2\Big(\frac{t}{n}\Big) - \epsilon.$$
2.5 Information Reconciliation
Now, let us consider a situation similar to error correction. Suppose Alice has a secret string $s_A$ and Bob has another secret string $s_B$. Given that the Hamming distance between the two strings is small, can they agree on the same string without revealing too much information about it? The answer is yes. A solution is to do error correction over a public channel, which is known as information reconciliation. In this section, we realize information reconciliation by a linear error correction code.
Let $C_{n,k}$ be the set of all [n, k] linear codes over $\mathbb{Z}_2$. Alice chooses a parameter m and randomly chooses a linear code C from $C_{n,n-m}$ where $n = |s_A|$. Let H be a parity check matrix of C. She computes the error syndrome $r = Hs_A$ and announces H and r over a public channel. Formally, we define the encoding algorithm, which takes as input a string $s_A$ and a parameter m, as follows:

Encoding algorithm. Input: a string $s_A$ and a parameter m
1. Randomly choose a linear code C from $C_{|s_A|,|s_A|-m}$. Let H be a parity check matrix of C.
2. Compute the error syndrome $r = Hs_A$.
Output: a matrix H and the syndrome r

On Bob's side, we first define T(s, m) to be the set
$$T(s,m) = \{t \in \{0,1\}^n : d(s,t) < m\}.$$
With the error syndrome r, Bob tries to find a string $s \in T(s_B, m)$ such that Hs = r. If there is only one $s \in T(s_B,m)$ satisfying Hs = r, he sets his reconciled string to s. If there are several strings $s_1, \cdots, s_x \in T(s_B,m)$ such that $Hs_1 = \cdots = Hs_x = r$, Bob randomly chooses one of them as his reconciled string. If Bob cannot find any string $s \in T(s_B,m)$ such that Hs = r, he just sets the string $0^n$ as his reconciled string. Formally, we define the decoding algorithm, which takes as input a string $s_B$, a matrix H and a syndrome r, as follows:

Decoding algorithm. Input: a string $s_B$, a matrix H and a syndrome r
1. Find the set of strings $S = \{s \in T(s_B,m) : Hs = r\}$.
2. If |S| = 1, choose the only element of S as the reconciled string. If |S| ≥ 2, randomly choose an element of S as the reconciled string. If |S| = 0, choose $0^{|s_B|}$ as the reconciled string.
Output: a reconciled string s

If the Hamming distance between $s_A$ and $s_B$ is not too big, the probability that Alice and Bob reach the same reconciled string is given by the following proposition.

Proposition 2.5. Suppose $s_A$ and $s_B$ are two n-bit strings such that $d(s_A,s_B) < \delta n$. Then, for all ε > 0, if we choose $m = nH_2(\delta) + n\epsilon$ and H, r are the outputs of the encoding algorithm on input $(s_A, m)$, the decoding algorithm on input $(s_B, H, r)$ outputs $s_A$ with probability $1 - 2^{-n\epsilon}$.
Proof. Because $d(s_A,s_B) < \delta n$, $s_A$ must lie in $T(s_B,\delta n)$. As we have shown in the proof of Proposition 2.4, because H is the parity check matrix of a random code, the probability that there exists another string $s_x \in T(s_B, m)$ such that $s_x \ne s_A$ and $Hs_x = Hs_A = r$ is
$$\Pr\big(Hs_1 = Hs_A \;\vee\; Hs_2 = Hs_A \;\vee\; \cdots \;\vee\; Hs_{|T(s_B,\delta n)|-1} = Hs_A\big) \le \sum_{i=1}^{|T(s_B,\delta n)|-1}\Pr(Hs_i = Hs_A) \le \big(|T(s_B,\delta n)|-1\big)\Big(\frac{1}{2}\Big)^m, \tag{2.3}$$
where $s_1, s_2, \cdots, s_{|T(s_B,\delta n)|-1}$ are all the elements of $T(s_B,\delta n)\setminus\{s_A\}$. Because $|T(s_B,\delta n)| = \binom{n}{\delta n} \le 2^{nH_2(\delta)}$ (Lemma 2.6), Equation (2.3) can be bounded by
$$\big(|T(s_B,\delta n)|-1\big)\Big(\frac{1}{2}\Big)^m \le 2^{nH_2(\delta)}\,2^{-nH_2(\delta)-n\epsilon} = 2^{-n\epsilon}.$$
We have completed the proof.
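As an added worked example (not code from the thesis), the information reconciliation scheme of this section and the random-hashing argument behind Proposition 2.4 in Python at toy size: a uniformly random full-rank parity check matrix over $\mathbb{Z}_2$ plays the role of the random code, Alice announces the syndrome, and Bob searches a Hamming ball around $s_B$ for a string with matching syndrome. Two deviations are assumptions of the example: the search radius is a separate parameter rather than the syndrome length m, so that brute-force enumeration of the ball stays feasible, and the failure rate is measured empirically over seeded trials rather than bounded as in Proposition 2.5.

```python
"""Information reconciliation with a random linear code over Z_2 (toy size).
Added example, not code from the thesis. Bit strings are Python ints with bit i
holding s[i]; a parity check matrix H is a list of m n-bit row masks."""
import math
import random
from itertools import combinations
from typing import Iterator, List, Optional, Tuple

def h2(x: float) -> float:
    """Binary Shannon entropy H2(x) in bits, with H2(0) = H2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)

def syndrome_length(n: int, delta: float, eps: float) -> int:
    """Syndrome length m = n*H2(delta) + n*eps of Proposition 2.5, rounded up."""
    return math.ceil(n * h2(delta) + n * eps)

def parity(x: int) -> int:
    """Parity of the bits of x; parity(a & b) is the GF(2) inner product of a and b."""
    return bin(x).count("1") & 1

def gf2_rank(rows: List[int], n: int) -> int:
    """Rank over GF(2) of a matrix given as n-bit row masks (Gaussian elimination)."""
    rows = list(rows)
    rank = 0
    for bit in range(n):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> bit) & 1:
                rows[i] ^= rows[rank]
        rank += 1
    return rank

def random_parity_check(n: int, m: int, rng: random.Random) -> List[int]:
    """Uniformly random full-rank m-by-n matrix over GF(2). Every [n, n-m] code has
    the same number of full-rank parity check matrices, so rejecting rank-deficient
    draws picks a code uniformly from C_{n,n-m}, as the encoder in Section 2.5 does."""
    while True:
        rows = [rng.getrandbits(n) for _ in range(m)]
        if gf2_rank(rows, n) == m:
            return rows

def syndrome(H: List[int], s: int) -> int:
    """Compute H s over GF(2); bit i of the result is row i of H dotted with s."""
    r = 0
    for i, row in enumerate(H):
        r |= parity(row & s) << i
    return r

def hamming_ball(center: int, n: int, radius: int) -> Iterator[int]:
    """All n-bit strings within Hamming distance `radius` of `center`."""
    for d in range(radius + 1):
        for flips in combinations(range(n), d):
            e = 0
            for pos in flips:
                e |= 1 << pos
            yield center ^ e

def ir_encode(s_a: int, n: int, m: int,
              rng: Optional[random.Random] = None) -> Tuple[List[int], int]:
    """Alice's side: choose a random code and announce (H, r = H s_A)."""
    H = random_parity_check(n, m, rng or random.Random())
    return H, syndrome(H, s_a)

def ir_decode(s_b: int, H: List[int], r: int, n: int, radius: int,
              rng: Optional[random.Random] = None) -> int:
    """Bob's side: S = candidates near s_B with syndrome r.
    |S| == 1: take it; |S| >= 2: pick one at random; |S| == 0: output 0^n."""
    candidates = [t for t in hamming_ball(s_b, n, radius) if syndrome(H, t) == r]
    if not candidates:
        return 0
    return (rng or random.Random()).choice(candidates)

def reconcile_success_rate(n: int, m: int, radius: int, errors: int,
                           trials: int, seed: int = 1) -> float:
    """Fraction of seeded trials in which Bob recovers s_A exactly. s_B is s_A with
    `errors` constructed bit flips; by the union bound in the proof of Proposition
    2.4, each wrong candidate in the ball collides with probability at most 2^-m."""
    rng = random.Random(seed)
    ok = 0
    for _ in range(trials):
        s_a = rng.getrandbits(n)
        s_b = s_a
        for pos in rng.sample(range(n), errors):
            s_b ^= 1 << pos
        H, r = ir_encode(s_a, n, m, rng)
        if ir_decode(s_b, H, r, n, radius, rng) == s_a:
            ok += 1
    return ok / trials

if __name__ == "__main__":
    # n = 24 bits, m = 12 parity bits, at most 2 errors: the ball around s_B holds
    # 301 strings, so 300 wrong candidates, each colliding w.p. <= 2^-12 (about 7%).
    print("success rate:", reconcile_success_rate(24, 12, radius=2, errors=2, trials=200))
```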
2.6 Useful Mathematical Relations
Lemma 2.6. For all $N \in \mathbb{N}$, $\lambda \in [0,1]$, it holds that
$$\frac{1}{N+1}\,2^{N H_2(\lambda)} \le \binom{N}{\lambda N} \le 2^{N H_2(\lambda)}.$$

Proof. Because the logarithm is a strictly increasing function, it is sufficient to show that
$$-\log(N+1) + N H_2(\lambda) \le \log\binom{N}{\lambda N} \le N H_2(\lambda).$$
By Stirling's approximation $\log x! \sim x\log x - x + \frac{1}{2}\log(2\pi x)$, we have
$$\begin{aligned}
\log\binom{N}{\lambda N} &= \log N! - \log(\lambda N)! - \log(N-\lambda N)! \\
&= N\log N - N + \tfrac{1}{2}\log(2\pi N) - \lambda N\log\lambda N + \lambda N - \tfrac{1}{2}\log(2\pi\lambda N) \\
&\qquad - (N-\lambda N)\log(N-\lambda N) + (N-\lambda N) - \tfrac{1}{2}\log\big(2\pi(N-\lambda N)\big) \\
&= N\log N - \lambda N\log\lambda N - (N-\lambda N)\log(N-\lambda N) + \tfrac{1}{2}\log\frac{1}{2\pi\lambda(N-\lambda N)} \\
&\le N\log N - \lambda N\log\lambda N - (N-\lambda N)\log(N-\lambda N) \qquad (2.4) \\
&= (N-\lambda N)\log N - \lambda N\log\lambda - (N-\lambda N)\log N - (N-\lambda N)\log(1-\lambda) \\
&= -N\lambda\log\lambda - N(1-\lambda)\log(1-\lambda) \\
&= N H_2(\lambda),
\end{aligned}$$
where Equation (2.4) comes from the fact that $\frac{1}{2}\log\frac{1}{2\pi\lambda(N-\lambda N)}$ is negative when N is large enough. On the other hand, because $-\log(N+1) < \frac{1}{2}\log\frac{1}{2\pi\lambda(N-\lambda N)}$ when N is large enough, we have
$$\begin{aligned}
\log\binom{N}{\lambda N} &= N\log N - \lambda N\log\lambda N - (N-\lambda N)\log(N-\lambda N) + \tfrac{1}{2}\log\frac{1}{2\pi\lambda(N-\lambda N)} \\
&\ge N\log N - \lambda N\log\lambda N - (N-\lambda N)\log(N-\lambda N) - \log(N+1) \\
&= -\log(N+1) + N H_2(\lambda).
\end{aligned}$$
Thus, we have proved
$$\frac{1}{N+1}\,2^{N H_2(\lambda)} \le \binom{N}{\lambda N} \le 2^{N H_2(\lambda)}.$$
Lemma 2.7 ([Ser74, Corollary 1.1]). Suppose we have a list of values $x_1, \cdots, x_N \in \mathbb{R}$ which are not necessarily distinct. We draw a sample of size $n$ without replacement and denote the $n$ sample results by a sequence of random variables $X_1, \cdots, X_n$. We assume $x_1, \cdots, x_N$ are not all the same, so that $\max_i x_i - \min_i x_i \neq 0$. Let $S_n = \sum_{i=1}^{n} X_i$ and $\mu = \frac{1}{N}\sum_{i=1}^{N} x_i$. Then, for all $t > 0$, it holds that
$$
\Pr\left(S_n - n\mu \geq nt\right) \leq e^{-\frac{2t^2\, nN}{(N-n+1)(\max_i x_i - \min_i x_i)}}.
$$
Lemma 2.8 (Random Sampling Test). Suppose $s_1$ and $s_2$ are two $N$-bit binary strings, and we randomly choose a subset $S \subset \{1, \cdots, N\}$ of size $|S| = k$. Let $\bar{S} = \{1, \cdots, N\} \setminus S$ and $n = N - k$. Then, for all $0 < \epsilon, \delta < 1$, it holds that
$$
\Pr\left(\sum_{i\in S}\left(s_1[i] \neq s_2[i]\right) \leq \delta k \ \wedge\ \sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right) \geq (\delta+\epsilon)n\right) \leq e^{-\frac{2\epsilon^2\, nk^2}{N(k+1)}},
$$
where the probability is over all the choices of $S$.
Proof. This proof mainly follows the proof of Lemma 6 in [TL17]. First, we consider the case $s_1 = s_2$, where we have
$$
\Pr\left(\sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right) \geq (\delta+\epsilon)n\right) = 0,
$$
so the inequality holds trivially.
Now we deal with the case $s_1 \neq s_2$. Note that if an event $A$ implies another event $B$, then $\Pr(A) \leq \Pr(B)$. Because the event
$$
\sum_{i\in S}\left(s_1[i] \neq s_2[i]\right) \leq \delta k \ \wedge\ \sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right) \geq (\delta+\epsilon)n
$$
implies the event
$$
\frac{1}{k}\sum_{i\in S}\left(s_1[i] \neq s_2[i]\right) + \epsilon \leq \frac{1}{n}\sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right),
$$
we have
$$
\Pr\left(\sum_{i\in S}\left(s_1[i] \neq s_2[i]\right) \leq \delta k \ \wedge\ \sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right) \geq (\delta+\epsilon)n\right) \leq \Pr\left(\frac{1}{k}\sum_{i\in S}\left(s_1[i] \neq s_2[i]\right) + \epsilon \leq \frac{1}{n}\sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right)\right). \qquad (2.5)
$$
Let $\mu(s_1, s_2) = \frac{1}{N}\sum_{i=1}^{N}\left(s_1[i] \neq s_2[i]\right)$. Then, we have
$$
\frac{1}{k}\sum_{i\in S}\left(s_1[i] \neq s_2[i]\right) = \frac{1}{k}\left(N\mu(s_1, s_2) - \sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right)\right).
$$
Thus, the right-hand side of Equation (2.5) can be written as
$$
\begin{aligned}
&\Pr\left(\frac{1}{k}\sum_{i\in S}\left(s_1[i] \neq s_2[i]\right) + \epsilon \leq \frac{1}{n}\sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right)\right) \\
&= \Pr\left(\frac{1}{k}\left(N\mu(s_1, s_2) - \sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right)\right) + \epsilon \leq \frac{1}{n}\sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right)\right) \\
&= \Pr\left(N\mu(s_1, s_2) + k\epsilon \leq \frac{k+n}{n}\sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right)\right) \\
&= \Pr\left(\frac{1}{n}\sum_{i\in\bar{S}}\left(s_1[i] \neq s_2[i]\right) \geq \mu(s_1, s_2) + \frac{k\epsilon}{N}\right). \qquad (2.6)
\end{aligned}
$$
Now we rephrase the random sampling test in terms of Lemma 2.7. For $i = 1, \cdots, N$, let $x_i = \left(s_1[i] \neq s_2[i]\right)$. Because we deal with the case $s_1 \neq s_2$, we have $\max_i x_i - \min_i x_i = 1$. Because choosing the set $S$ is equivalent to choosing its complement $\bar{S}$, we let $X_1, \cdots, X_n$ be $n$ draws from $x_1, \cdots, x_N$ according to the set $\bar{S}$. Let $S_n = \sum_{i\in\bar{S}} x_i$ and $t = \frac{k\epsilon}{N}$. Then, combining Equation (2.6) and Lemma 2.7, we have
$$
\Pr\left(\frac{1}{n}S_n \geq \mu(s_1, s_2) + \frac{k\epsilon}{N}\right) \leq e^{-\frac{2\left(\frac{k\epsilon}{N}\right)^2 nN}{N-n+1}} = e^{-\frac{2\epsilon^2\, nk^2}{N(k+1)}}.
$$
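As an added example (not from the thesis), Lemma 2.8 evaluated numerically for two constructed strings: the exact probability of the event (the count of disagreements falling into $S$ is hypergeometric, so the event reduces to a tail sum), a Monte Carlo estimate of the same probability, and the right-hand side bound $e^{-2\epsilon^2 nk^2/(N(k+1))}$. The function names and the sample parameters are assumptions of this example.

```python
import math
import random

def sampling_bound(N, k, eps):
    """Right-hand side of Lemma 2.8: exp(-2 eps^2 n k^2 / (N (k + 1))) with n = N - k."""
    n = N - k
    return math.exp(-2 * eps ** 2 * n * k ** 2 / (N * (k + 1)))

def exact_failure_probability(N, k, D, delta, eps):
    """Exact probability of the Lemma 2.8 event when s1 and s2 differ in exactly D positions.
    The number X of differing positions that land in the sampled set S is hypergeometric
    (D marked items out of N, k drawn) and the unsampled set then holds D - X of them, so the
    event reads X <= delta*k and D - X >= (delta + eps)*n."""
    n = N - k
    x_max = min(math.floor(delta * k), D - math.ceil((delta + eps) * n))
    if x_max < 0:
        return 0.0  # also covers the s1 == s2 case (D = 0), where the event is empty
    favourable = sum(math.comb(D, x) * math.comb(N - D, k - x) for x in range(x_max + 1))
    return favourable / math.comb(N, k)

def failure_event(s1, s2, S, delta, eps):
    """The Lemma 2.8 event for one concrete sampled index set S (a set of positions)."""
    N, k = len(s1), len(S)
    n = N - k
    errs_in = sum(s1[i] != s2[i] for i in S)
    errs_out = sum(s1[i] != s2[i] for i in range(N) if i not in S)
    return errs_in <= delta * k and errs_out >= (delta + eps) * n

def simulate(s1, s2, k, delta, eps, trials, rng):
    """Monte Carlo estimate of the same probability over uniformly random sets S of size k."""
    N = len(s1)
    hits = sum(failure_event(s1, s2, set(rng.sample(range(N), k)), delta, eps)
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    # Constructed example: N = 100 positions, the two strings disagree in D = 20 of them.
    N, k, D, delta, eps = 100, 50, 20, 0.15, 0.1
    s1 = [0] * N
    s2 = [1 if i < D else 0 for i in range(N)]   # disagreements sit in the first D positions
    exact = exact_failure_probability(N, k, D, delta, eps)
    est = simulate(s1, s2, k, delta, eps, 20000, random.Random(7))
    print(f"exact = {exact:.4f}, simulated = {est:.4f}, bound = {sampling_bound(N, k, eps):.4f}")
```

With these parameters the exact probability is about 0.105 while the bound is about 0.61, which shows how loose the Serfling-type bound is at small $N$.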
Chapter 3
QKD Model and Security
In this chapter, we formally introduce our security model, and the proof in Chapter 4 will follow this model. In Section 3.1, we introduce the security definition. In particular, composable security, the final security criterion we need, is defined in Section 3.1.2. Then, in Section 3.1.3, we define two properties, correctness and secrecy, and we show that the combination of correctness and secrecy implies composable security.
In Section 3.2, we define the equivalence game, which will be useful in the security proof. In Section 3.3, we discuss all the assumptions we need; the analysis in Chapter 4 will be based on these assumptions. In Section 3.4, we formally describe the BB84 protocol.
3.1 Security Definition
3.1.1 Abstraction
In order to define security, we need to describe formally what QKD is. In this section, we give an abstraction of QKD, including the input and output of the protocol and the resources of the involved parties, without specifying any detailed steps of the protocol.
In this thesis, we focus only on "two-party key distribution." We remark that there exist schemes that allow multiple parties to establish a shared secret key simultaneously, but this is beyond the scope of this thesis.
A QKD protocol takes a security parameter $n$ as input. The security parameter determines the key space $\mathcal{K}$, which is the set of binary strings that the protocol may generate. It also determines the other parameters that the protocol uses. Suppose Alice and Bob are the two parties who want to establish a shared secret key $|k\rangle \in \mathcal{K}$.$^1$ Alice and Bob are given a quantum channel and a classical channel between them.$^2$
The protocol can be accepted or rejected. In the case of acceptance, Alice gets a key $k_A \in \mathcal{K}$ and Bob gets a key $k_B \in \mathcal{K}$. In the case of rejection, they always set their key registers to a fixed state $|\bot\rangle$, where $\bot$ is a pre-determined value not in the key space $\mathcal{K}$.
Let $K_A$ be Alice's key register and $K_B$ be Bob's key register. We formally define QKD as follows.
Definition 3.1 (Quantum key distribution). A quantum key distribution (QKD) protocol is an interactive algorithm, run by two parties Alice and Bob,$^3$ that takes as input a security parameter $n$ and outputs a key $k_A \in \mathcal{K} \cup \{\bot\}$ in $K_A$ and a key $k_B \in \mathcal{K} \cup \{\bot\}$ in $K_B$. It is required that if there is no attack, Alice's and Bob's key registers should be in the state
$$
\frac{1}{|\mathcal{K}|}\sum_{k\in\mathcal{K}} |k\rangle\langle k|_{K_A} \otimes |k\rangle\langle k|_{K_B} \qquad (3.1)
$$
with high probability.
Note that Equation (3.1) implies that when Alice and Bob accept the protocol, $K_A$ and $K_B$ hold the same value with high probability, and that value $k$ is uniformly distributed.
3.1.2 Composable Security
In the early development of QKD, security was defined in terms of the mutual information $I(S; W)$ between the generated key $S$ and the classical measurement outcome $W$ of the adversary's system, where both $S$ and $W$ are classical random variables [LC99, SP00, NC00, GLLP04]. However, the definition in terms of mutual information does not guarantee security against general attacks. It asks the adversary to perform the measurement at the end of the QKD protocol, which makes the definition not "composable" (i.e., the secret key remains secure when it is employed as a resource in another cryptographic system). König et al. showed that small mutual information does not guarantee composable security [KRBM07].

$^1$ For consistency, we write the key as a quantum state $|k\rangle$. But note that the generated key is classical.
$^2$ Why do we consider classical and quantum channels separately, given that a classical channel is just a special case of a quantum channel? The reason is that we can give the adversaries different power over the different channels. Usually, we allow the adversaries to perform any attack, such as intercepting or tampering, over the quantum channel, but allow them only to eavesdrop on the classical channel.
$^3$ Alice and Bob are just the nicknames of the two parties who want to have a shared secret key.

The definition of composable security was proposed in [BOHL+05, RK05] and is stated in terms of the trace distance. Here we restate the definition through a thought experiment, which makes the operational meaning of the definition easier to interpret. The definition we state is equivalent to the ones proposed in [BOHL+05, RK05].
We define some notation for the experiment. Let $K_A$ and $K_B$ be Alice's and Bob's key registers respectively. Let $C$ be the register for all the classical information that Alice and Bob send over the classical channel, and let $F$ be the flag that indicates acceptance or rejection. Let $E$ be the quantum system of the adversaries. Recall that $\mathcal{K}$ is the key space determined by the security parameter $n$. We define $\mathcal{K}^+ = \mathcal{K} \cup \{\bot\}$. Let $\mathcal{H}_C$ and $\mathcal{H}_F$ be the Hilbert spaces of all the classical information and of the flag respectively. Note that $\mathcal{H}_F$ is 2-dimensional. Let $\mathcal{H}_E$ be the Hilbert space of the quantum system of the adversaries. To sum up, the register $K_A \otimes K_B \otimes F \otimes C \otimes E$ holds a quantum state that lies in $\mathcal{D}\left(\mathcal{K}^+ \otimes \mathcal{K}^+ \otimes \mathcal{H}_F \otimes \mathcal{H}_C \otimes \mathcal{H}_E\right)$.
QKD security experiment. In the experiment, there is a distinguisher $D$ whose goal is to guess which world he is in. In the real world, Alice and Bob run the QKD protocol $Q$ and try to get the key into their key registers $K_A$ and $K_B$. The adversary $A$ can control both the quantum and the classical channel. Let $\mathcal{S}_{\text{protocol}}$ be the set of all QKD protocols and $\mathcal{S}_{\text{adversary}}$ be the set of all possible adversaries. Let
$$
\ : \mathcal{S}_{\text{protocol}} \times \mathcal{S}_{\text{adversary}} \to \mathcal{D}\left(\mathcal{K}^+ \otimes \mathcal{K}^+ \otimes \mathcal{H}_F \otimes \mathcal{H}_C \otimes \mathcal{H}_E\right)
$$
be the function whose output is the final state of the whole real world when the protocol $Q$ is run under the attack of $A$.
In the ideal world, Alice's and Bob's generated key registers are replaced with an ideal key. Specifically, the state in $K_A \otimes K_B$ is replaced with $\frac{1}{|\mathcal{K}|}\sum_{k\in\mathcal{K}} |k\rangle\langle k|_{K_A} \otimes |k\rangle\langle k|_{K_B}$ if $F = |\text{acc}\rangle\langle\text{acc}|$ and with $|\bot\rangle\langle\bot|_{K_A} \otimes |\bot\rangle\langle\bot|_{K_B}$ if $F = |\text{rej}\rangle\langle\text{rej}|$. Let
$$
\ : \mathcal{S}_{\text{protocol}} \times \mathcal{S}_{\text{adversary}} \to \mathcal{D}\left(\mathcal{K}^+ \otimes \mathcal{K}^+ \otimes \mathcal{H}_F \otimes \mathcal{H}_C \otimes \mathcal{H}_E\right)
$$
be the function whose output is the final state of the whole ideal world when the protocol $Q$ is run under the attack of $A$.
At the end of the experiment, $D$ receives the real-world state $(Q, A)$ with probability $\frac{1}{2}$ and the ideal-world state $(Q, A)$ with probability $\frac{1}{2}$. The distinguisher $D$ outputs a bit $b = 0$ if he guesses he is in the real world, or $b = 1$ if he guesses he is in the ideal world.
Definition 3.2 (secure QKD). A QKD protocol $Q$ is called $\epsilon$-secure if for any adversary $A$ and for any distinguisher $D$, it holds that
$$
\left|\Pr\left(D(\ (Q, A)) = 1\right) - \Pr\left(D(\ (Q, A)) = 1\right)\right| \leq \epsilon.
$$
The trace distance has the following operational meaning: if $\|\rho - \sigma\|_{\text{tr}} = \epsilon$, then the maximum probability of distinguishing the two states is $\frac{1}{2}(1 + \epsilon)$. Thus, a QKD protocol $Q$ is $\epsilon$-secure if and only if for any adversary $A$, we have
$$
\|\ (Q, A) - \ (Q, A)\|_{\text{tr}} \leq \epsilon.
$$
Now we analyze the final states in the real world and the ideal world further. Suppose $\Pr(k_A, k_B)$ is the probability that $K_A = k_A$ and $K_B = k_B$ in the real-world state $(Q, A)$. The probability $p_{\text{acc}}$ that Alice and Bob accept the protocol is $p_{\text{acc}} = \sum_{k_A, k_B \in \mathcal{K}} \Pr(k_A, k_B)$,$^4$ and the probability $p_{\text{rej}}$ that they reject is $p_{\text{rej}} = 1 - p_{\text{acc}}$. Let $\rho_{CE}^{(\bot)}$ be the normalized state of the $C, E$ registers conditioned on rejection. Also let $\rho_{CE}^{(k_A, k_B)}$ be the normalized state of the $C, E$ registers conditioned on $K_A = k_A$ and $K_B = k_B$. The real-world and ideal-world states $(Q, A)$ can be written as classical-quantum states:
$$
(Q, A) = p_{\text{rej}}\, |\bot, \bot\rangle\langle\bot, \bot|_{K_A K_B} \otimes |\text{rej}\rangle\langle\text{rej}|_F \otimes \rho_{CE}^{(\bot)} + \sum_{k_A, k_B \in \mathcal{K}} \left[\Pr(k_A, k_B)\, |k_A, k_B\rangle\langle k_A, k_B|_{K_A K_B} \otimes |\text{acc}\rangle\langle\text{acc}|_F \otimes \rho_{CE}^{(k_A, k_B)}\right] \qquad (3.2)
$$
and
$$
(Q, A) = p_{\text{rej}}\, |\bot, \bot\rangle\langle\bot, \bot|_{K_A K_B} \otimes |\text{rej}\rangle\langle\text{rej}|_F \otimes \rho_{CE}^{(\bot)} + \left[\frac{1}{|\mathcal{K}|}\sum_{k\in\mathcal{K}} |k, k\rangle\langle k, k|_{K_A K_B} \otimes |\text{acc}\rangle\langle\text{acc}|_F\right] \otimes \sum_{k_A, k_B \in \mathcal{K}} \Pr(k_A, k_B)\, \rho_{CE}^{(k_A, k_B)}. \qquad (3.3)
$$

$^4$ Note that the summation excludes $k_A, k_B = \bot$.

Suppose $\rho_{K_A K_B F C E} = (Q, A)$ is the real-world state. Let
$$
\rho^{\wedge\text{acc}}_{K_A K_B F C E} = \sum_{k_A, k_B \in \mathcal{K}} \Pr(k_A, k_B) \left[|k_A, k_B\rangle\langle k_A, k_B|_{K_A K_B} \otimes |\text{acc}\rangle\langle\text{acc}|_F \otimes \rho_{CE}^{(k_A, k_B)}\right]
$$
be the subnormalized state in which Alice and Bob accept the protocol. By the convexity of the trace distance, we have
$$
\begin{aligned}
&\|\ (Q, A) - \ (Q, A)\|_{\text{tr}} \\
&\leq p_{\text{rej}} \left\| |\bot, \bot\rangle\langle\bot, \bot|_{K_A K_B} \otimes |\text{rej}\rangle\langle\text{rej}| \otimes \rho_{CE}^{(\bot)} - |\bot, \bot\rangle\langle\bot, \bot|_{K_A K_B} \otimes |\text{rej}\rangle\langle\text{rej}| \otimes \rho_{CE}^{(\bot)} \right\|_{\text{tr}} + p_{\text{acc}} \left\| \rho^{\wedge\text{acc}}_{K_A K_B F C E} - \chi_{K_A K_B} \otimes \rho^{\wedge\text{acc}}_{F C E} \right\|_{\text{tr}} \\
&= p_{\text{acc}} \left\| \rho^{\wedge\text{acc}}_{K_A K_B F C E} - \chi_{K_A K_B} \otimes \rho^{\wedge\text{acc}}_{F C E} \right\|_{\text{tr}},
\end{aligned}
$$
where $\rho^{\wedge\text{acc}}_{F C E} = \mathrm{Tr}_{K_A K_B}\left(\rho^{\wedge\text{acc}}_{K_A K_B F C E}\right)$ and $\chi_{K_A K_B} = \frac{1}{|\mathcal{K}|}\sum_{k\in\mathcal{K}} |k\rangle\langle k|_{K_A} \otimes |k\rangle\langle k|_{K_B}$. That is, because the states of the two worlds must be the same upon rejection, we only need to care about the state in the case of acceptance. Thus, we have the following corollary.
Corollary 3.3. Suppose $Q$ is a QKD protocol and $\rho_{K_A K_B F C E} = (Q, A)$. If for any adversary $A$, the inequality
$$
\left\| \rho^{\wedge\text{acc}}_{K_A K_B F C E} - \chi_{K_A K_B} \otimes \rho^{\wedge\text{acc}}_{F C E} \right\|_{\text{tr}} \leq \epsilon
$$