A Two-way QKD Protocol Outperforming One-way Protocols at Low QBER - PowerPoint PPT Presentation

A Two-way QKD Protocol Outperforming One-way Protocols at Low QBER Jari Lietzén, Roope Vehkalahti, Olav Tirkkonen Department of Communications and Networking 8.6.2020

Content ◮ Basics of Quantum Key Distribution protocols ◮ Contribution of our paper ◮ System model ◮ BB84 QKD Protocol ◮ Classical channel model for information reconciliation ◮ One-way protocols ◮ Two-way protocols ◮ One-way QKD protocol by Lütkenhaus ◮ Key rate bounds for one-way and two-way protocols ◮ Two-way Protocol with Parity Bit Reconciliation ◮ Numerical performance analysis ◮ Conclusions 2PPR J. Lietzén 2/28

Basics of Quantum Key Distribution protocols Quantum key distribution (QKD) ◮ Generate keys of a priori unknown bits in absolute security ◮ Security is guaranteed by laws of nature, not hypothesis on problem hardness ◮ QKD is used to generate and distribute a secret key, not to transmit any message data ◮ Alice and Bob want to share a secret key ◮ Eve is an eavesdropper 2PPR J. Lietzén 3/28

Contribution of our paper We consider a QKD system where the eavesdropper can only perform individual quantum attacks. We are working on top of the QKD system using only classical random variables. Under this assumption we introduce our new two-way QKD protocol that is able to outperform all known two-way QKD protocols at low quantum bit error rate (QBER) values. The secret key rate of our protocol is higher than the information theoretical bound limiting the performance of any one-way protocol. 2PPR J. Lietzén 4/28

System model A l i c e B o b Public channel Quantum channel ◮ Alice and Bob are using the classical Bennet and Brassard QKD protocol (BB84) ◮ Quantum channel is imperfect but we can detect eavesdropping attempts ◮ Public channel is authenticated and error free, but the content is available to Eve 2PPR J. Lietzén 5/28

BB84 QKD Protocol ◮ Alice measures the polarization of n photons in a randomly selected base ( {� , ↔} or ↔ ↔ { , } ) and sends the photons to Bob ◮ Bob measures the polarization of the received photons also in random basis ◮ Same basis ⇒ same result; different basis ⇒ random result ◮ Alice and Bob compare the basis they have chosen and discard the measurements that were done in different basis, this is called the sifting phase ◮ Eve will perform a quantum attack to the transmitted photons ◮ Eve is assumed to attack each photon individually and always by the same method ◮ After Eve’s measurement the system is modelled in terms of classical random variables and a probability density function (pdf) p ( X , Y , Z ) , where Z represents Eve’s measurement results and possible side information 2PPR J. Lietzén 6/28

Classical channel model for information reconciliation Throughout we assume that X is the random vector Alice has, Y is Bob’s vector and Z Eve’s. Furthermore ◮ Eve knows perfectly the probability density function p ( X , Y , Z ) , and ◮ for every realization of x and y Eve knows the locations of errors in Bob’s word y . Eve’s information of X can now be measured in terms of collision probability between X and Z . At the beginning of the algorithm Alice and Bob know the transition probability p and an upper bound ( p col ) for the average bit collision probability. 2PPR J. Lietzén 7/28

Classical channel model for information reconciliation, continue... The related finite valued length n random vectors X , Y and Z satisfy the following conditions. 1. X is a random vector with i.i.d binary random variables with equal probabilities for 1 and 0 . 2. Random vector Y corresponds to X received through a binary symmetric channel (BSC) with transition probability p . 3. Random vector Z is a sequence of independent identical random variables and for every x and z , p ( x | z ) = � n i = 1 p ( x i | z i ) . If these random vectors are presenting the vectors after sifting, then Condition 2 follows from Eve’s attacks being symmetric and Condition 3 from the attacks being individual. 2PPR J. Lietzén 8/28

One-way protocols A one-way protocol takes Alice’s bit string as a raw key and the differences in Bob’s bit string are corrected as the protocol is run. In principle, only one-way communication is needed for error correction and key distillation in these protocols. At the beginning Alice has a length n bit vector x and Bob has an erroneous version y . ◮ Alice and Bob communicate through the public channel and try to correct the errors in Bob’s vector y ◮ Eve can listen, but not alter, this communication ◮ After the error correction Bob’s codeword can be modelled as a random vector Y ′ , where P ( X � = Y ′ ) < ǫ , for some predetermined ǫ ◮ Alice and Bob can now estimate how much information Eve has of X 2PPR J. Lietzén 9/28

One-way protocols, continue... ◮ Alice and Bob use a randomly selected 2-universal hash function to map their vectors x and y ′ to length n fin bit-vectors k and k ′ ◮ The probability density function is now p ′ ( K , K ′ , Z ′ ) , where Z ′ represents Eve’s original random variable Z and all the additional data she have managed to acquire ◮ The one-way protocol achieves a key rate R if for every ǫ we can find n ( ǫ ) so that for all n > n ( ǫ ) we have that ◮ P ( K � = K ′ ) < ǫ , ◮ I ( K ; Z ′ ) < ǫ , and n fin n ≥ R − ǫ . ◮ 2PPR J. Lietzén 10/28

Two-way protocols The secret key rate of a two-way protocol is defined similarly, but the process does not begin with an error correction phase. ◮ Alice and Bob use two-way classical communication and simply agree on key words k and k ′ ◮ The corresponding random variables satisfy ◮ P ( K � = K ′ ) < ǫ , ◮ I ( K ; Z ′ ) < ǫ , and ◮ I ( K ′ ; Z ′ ) < ǫ . 2PPR J. Lietzén 11/28

One-way QKD protocol by Lütkenhaus ◮ We are using the one-way protocol presented by Lütkenhaus 1 ) as part of our new two-way protocol ◮ The protocol was originally presented as a standalone one-way protocol to be performed after the sifting phase. ◮ Lütkenhaus presented his one-way error correction and privacy amplification protocol in 1999. 1 ) N. Lütkenhaus, "Estimates for practical quantum cryptography," Phys. Rev. A , vol. 59, pp. 3301-3319, May 1999. 2PPR J. Lietzén 12/28

One-way QKD protocol: Secret key rate The protocol here is not about key generation but about key growing. The long term achievable key rate is measured by taking into account how much previously generated key we are using when generating new key. After the error correction phase we have to reduce Eve’s information of the corrected key to at most 1 bit by selecting n fin = − n log 2 ( p col ) . (1) The achievable secret key rate now becomes R 0 ≥ − log 2 ( p col ) − h ( p ) , (2) where the term h ( p ) describes the amount of previously generated key the protocol consumes. 2PPR J. Lietzén 13/28

Key rate bounds for one-way and two-way protocols 1 ◮ The key rate of all one-way protocols is One-way bound GL B-step upper bounded by a general information One-way limit 0.8 Two-way limit theoretic bound ◮ One B-step from Gottesman and Lo 2 ) is 0.6 Key rate shown for comparison, under individual 0.4 attack model ◮ As far as we know, no two-way protocol 0.2 exists that would break the one-way bound 0 for low QBER values, e.g. below 10 % . 0 0.05 0.1 0.15 0.2 0.25 Error rate 2 ) D. Gottesman and H.-K. Lo, "Proof of security of quantum key distribution with two-way classical communications," IEEE Transactions on Information Theory , vol. 49, no. 2, pp. 457-475, Feb 2003. 2PPR J. Lietzén 14/28

Two-way Protocol with Parity Bit Reconciliation The novel Two-way Protocol with Parity bit Reconciliation (2PPR) uses a secrecy distillation method to select the portions of the sifted bits with less errors. The secret key is collected from parity bits and not from Alice’s original string. The protocol is run for several rounds, each round consisting the steps illustrated on the next slides. 2PPR J. Lietzén 15/28

2PPR: Step 1 Alice Bob p in x in f in 0 1 1 1 0 1 0 0 1 0 0 1 Sifted bits 0 1 1 1 0 1 0 1 1 0 0 1 1 0 1 0 1 1 Parity bits 1 0 1 1 1 1 ◮ Bit strings of length f in are divided in to two bit blocks ◮ Initial error ( p in ) and collision ( x in ) probabilities are known ◮ Alice and Bob calculate parity bits 2PPR J. Lietzén 16/28

2PPR: Step 2 Alice Bob p in x in f in 0 1 1 1 0 1 0 0 1 0 0 1 Sifted bits 0 1 1 1 0 1 0 1 1 0 0 1 1 0 1 0 1 1 Parity bits 1 0 1 1 1 1 OTP p par Reduncancy bits ◮ Alice calculates parity bit error probability p par ◮ Alice sends Bob redundancy bits over the public channel ◮ Redundancy bits are encrypted using one-time pad (OTP) 2PPR J. Lietzén 17/28

2PPR: Step 3 Alice Bob 0 1 1 1 0 1 0 0 1 0 0 1 0 1 1 1 0 1 0 1 1 0 0 1 Sifted bits 1 0 1 0 1 1 1 0 1 1 1 1 Parity bits OTP p par Reduncancy bits 1 0 1 0 1 1 1 0 1 0 1 1 Corrected parity bits ◮ Bob uses redundancy bits to correct his parity bits 2PPR J. Lietzén 18/28

2PPR: Step 4 Alice Bob 1 0 1 0 1 1 Parity bits 1 0 1 1 1 1 OTP p par Reduncancy bits 1 0 1 0 1 1 1 0 1 0 1 1 Corrected parity bits 0 1 1 1 0 1 0 1 1 0 0 1 Sifted bits ◮ Bob uses corrected parity bits to locate erroneous blocks 2PPR J. Lietzén 19/28