Security of the Bennett-Brassard Quantum Key Distribution Protocol against Collective Attacks

Abstract

The theoretical Quantum Key-Distribution scheme of Bennett and Brassard (BB84) has been proven secure against very strong attacks including the collective attacks and the joint attacks. Though the latter are the most general attacks, collective attacks are much easier to analyze, yet, they are conjectured to be as informative to the eavesdropper. Thus, collective attacks are likely to be useful in the analysis of many theoretical and practical schemes that are still lacking a proof of security, including practical BB84 schemes. We show how powerful tools developed in previous works for proving security against the joint attack, are simplified when applied to the security of BB84 against collective attacks whilst providing the same bounds on leaked information and the same error threshold.

1. Introduction

Quantum Theory allows us to have new cryptographic protocols of which we can prove security. Those protocols are secure against adversaries with unlimited power*. One of those protocols is the Quantum Key Distribution (QKD) protocol which is named BB84 after its inventors Bennett and Brassard [1]. In this protocol, two users (conventionally named Alice and Bob) wish to set up a common random key, using a quantum channel and a classical (insecure) authenticated channel. Their adversary (named Eve) is trying to eavesdrop on both of those channels in order to have as much information as possible about the agreed key.

The goal of Alice and Bob is to use a protocol that can be proven secure, potentially even un-conditionally secure, against powerful eavesdropping. In this paper we discuss the security of the BB84 protocol against the collective attacks [2,3,4], that form a subclass of the joint attacks (which are the most powerful theoretic attacks). This subclass is conjectured† to contain the strongest joint attacks and therefore, to be as informative to Eve as the joint attack [2,3]. In addition, analyzing the collective attack is much simpler than analyzing the joint attack. Thus, analyzing the collective attack might be highly relevant for practical setups of QKD where proving security is still a hard task.

We improve the analysis done in [4] to the BB84 scheme against all collective attacks. The analysis shown in [4] bounds the information in a non-optimal way which adds a factor of $2^r{2}^m$ to the information bound, where r is the amount of error-correction bits revealed during the protocol, and m is the final-key length. Our proof uses methods that are used in [5] for the joint attack, in order to achieve an optimized bound for the collective attack.

Let ${\mathcal{H}}_2$ be the 2-dimensional Hilbert space with standard (or computational) basis $|0^0\rangle ,|1^0\rangle$. Let $|0^1\rangle =\frac{1}{\sqrt{2}}[|0^0\rangle +|1^0\rangle ]$ and $|1^1\rangle =\frac{1}{\sqrt{2}}[|0^0\rangle -|1^0\rangle ]$; it is clear that $|0^1\rangle$, $|1^1\rangle$ is an orthonormal basis‡; it is called the Hadamard basis. The unitary map H such that $H|0^0\rangle =|0^1\rangle$ and $H|1^0\rangle =|1^1\rangle$ is called the Hadamard transform. Due to linearity, $H|0^1\rangle =\frac{1}{\sqrt{2}}[H|0^0\rangle +H|1^0\rangle ]=|0^0\rangle$ and similarly, $H|1^1\rangle =|1^0\rangle$ i.e. $H·H=I$ (the identity). Those bases are used for measurements in the BB84 scheme; measuring a state represented as the density matrix ρ in the b basis returns output 0 with probability $\langle 0^b|\rho |0^b\rangle$ and 1 with probability $\langle 1^b|\rho |1^b\rangle$. Thus if the state $|0^b\rangle$ (or $|1^b\rangle$) is measured in the b basis, it results with output 0 (1) with certainty. Yet, when $|0^b\rangle$ or $|1^b\rangle$ is measured in the $\overline{b}=1-b$ basis, the output is random, i.e. 0 with probability $1/2$ and 1 with probability $1/2$. This is the principle underlying the BB84 quantum key distribution protocol [1]. Alice sends Bob qubits (2-dimensional systems), each qubit in one of the four state $|i^b\rangle$ with $i,b\in \{0,1\}$. In order to send a bitstring $\mathbf{i}=i_1\dots i_t$ to Bob, Alice first draws randomly a bitstring $\mathbf{b}=b_1\dots b_t$ and then sends the state $|{\mathbf{i}}^{\mathbf{b}}\rangle =|i_1^{b_1}\rangle \dots |i_t^{b_t}\rangle =H^{\mathbf{b}}|\mathbf{i}\rangle$ where $H^{\mathbf{b}}=H^{b_1}\otimes \dots \otimes H^{b_t}$ and $|\mathbf{i}\rangle =|i_1\dots i_t\rangle$, with $H^0=I$ and $H^1=H$. In the conventional setting, Bob measures each qubit in one of those two bases, and whenever they used the same basis they obtain the same bit i. Using classical error correction and privacy amplification protocols, Alice and Bob reach a final key of length $m<t$ bits. In this paper, bitstrings of (an arbitrary) length t are denoted by a bold letter (e.g. we use below the $2n$ bits string $\mathbf{i}=i_1\dots i_{2n}$ with $i_1,\dots ,i_{2n}\in \{0,1\}$) and are identified to elements of the t-dimensional ${\mathbf{F}}_2$-vector space ${\mathbf{F}}_2^t$.

1.1. A Formal Description of the BB84 Protocol

Let us describe the BB84 protocol we shall use in this paper.

• Alice and Bob agree on a large number n, an error threshold $p_a$ and on a linear error-correction code C with parity check matrix $P_C$ of order $r\times n$. They agree as well on a linear key-generation function (privacy amplification) represented by a matrix $P_K$ of order $m\times n$. Those matrices can be publicly known beforehand or they can be determined during the protocol and sent over the classical channel. The $(r+m)\times n$ matrix whose rows are those of $P_C$ and $P_K$ put together is required to be of rank $r+m$.
• Alice randomly chooses $2n$-bit strings $\mathbf{i},\mathbf{b}\in {\mathbf{F}}_2^{2n}$, where ${\mathbf{F}}_2$ denotes the two element field, with elements $\{0,1\}$, i.e. the field of integers modulo 2. Alice encodes the state $|{\mathbf{i}}^{\mathbf{b}}\rangle =|i_1^{b_1}\rangle \dots |i_{2n}^{b_{2n}}\rangle$ and sends it to Bob over the quantum channel, one qubit at a time. Each time Bob receives a qubit he informs Alice, yet he doesn’t measure it§.
• Alice publicly sends Bob the string $\mathbf{b}$. Bob applies $H^{\mathbf{b}}=H^{b_1}\otimes \dots \otimes H^{b_{2n}}$ to his state, so that if Bob had the state $|{\mathbf{i}}^{\mathbf{b}}\rangle$, once he performs $H^{\mathbf{b}}$ he possesses the state $|\mathbf{i}\rangle =|i_1\dots i_{2n}\rangle$. Bob then measures these qubits in the computation basis.
  We denote by ${\mathbf{i}}^B$ the string measured by Bob. If there is no noise and no eavesdropping, he gets exactly the bitstring $\mathbf{i}$ sent by Alice.
• Alice randomly chooses n-bits that will be used to detect eavesdropping. This is done by choosing a $2n$-bit string that has exactly n ones. Formally, Alice chooses $\mathbf{s}\in {\mathbf{F}}_2^{2n}$ such that $\left|\mathbf{s}\right|=n$. Alice publicly sends Bob $\mathbf{s}$.
  The bits indexed by $j\in [1..2n]$ such that $s_j=0$ are used for testing, while the rest are used for generating the final key (via error correction and privacy amplification). We denote the appropriate substrings of $\mathbf{i},\mathbf{b}$ that are relevant for the testing by ${\mathbf{i}}_{\overline{\mathbf{s}}}$ and ${\mathbf{b}}_{\overline{\mathbf{s}}}$, while the substrings relevant for creating the key are denoted ${\mathbf{i}}_{\mathbf{s}}$ and ${\mathbf{b}}_{\mathbf{s}}$.
• For each $j\in [1..2n]$ such that $s_j=0$, Alice and Bob publish the value of the jth-bit. Bob and Alice compare those bit values, and if more than $n{p}_a$ bits mismatch, they abort the protocol. The pre-fixed protocol parameter $p_a$ is actually the ratio of allowed bit-flips on the testing bits.
• Alice and Bob keep the values of the remaining n bits secret. Alice’s string is denoted $\mathbf{x}={\mathbf{i}}_{\mathbf{s}}$ and named the information string. The corresponding bitstring on Bob’s side is denoted ${\mathbf{x}}^B$.
• Alice sends Bob the r-bit error-correction string $\xi =\mathbf{x}{P}_C^{\mathrm{T}}$ (where $P_C^{\mathrm{T}}$ is the transpose of the parity check matrix). Bob uses ξ to correct his string ${\mathbf{x}}^B$. The string ξ is called the syndrome of the string $\mathbf{x}$ (with regard to $P_C$).
• Alice and Bob compute the m-bit final key $\mathbf{k}=\mathbf{x}{P}_K^{\mathrm{T}}$.

2. Description of Eve’s attack and its properties

To each qubit $|{\varphi }_j\rangle$ ($j\in [1..2n]$) sent by Alice, Eve attaches a separate probe that we assume to be in a pure state $|0_j^E\rangle$ and applies a unitary transform $U_j$ to the composite system $|0_j^E\rangle |{\varphi }_j\rangle$. She then keeps her probes in a quantum memory for subsequent measurement and sends Bob his part of the system. For each qubit there is thus a particular Hilbert probe space, and a particular $U_j$; they are decided beforehand by Eve and are thus fixed for all possible choices of $\mathbf{i}$, $\mathbf{b}$ and $\mathbf{s}$.

2.1. Eve’s attack on a single qubit

Since the attack is bitwise, we now concentrate the analysis on some fixed qubit, drop momentarily the subindex j, and express the global effect of Eve’s action on this particular qubit with respect to the basis $|0^b\rangle$, $|1^b\rangle$:

$$\begin{array}{cc}\hfill U|0^E\rangle |0^b\rangle & =|E_{00}^b\rangle |0^b\rangle +|E_{01}^b\rangle |1^b\rangle =|{\varphi }_0^b\rangle \hfill \end{array}$$

(1)

$$\begin{array}{cc}\hfill U|0^E\rangle |1^b\rangle & =|E_{10}^b\rangle |0^b\rangle +|E_{11}^b\rangle |1^b\rangle =|{\varphi }_1^b\rangle ;\hfill \end{array}$$

(2)

$|E_{00}^b\rangle$, $|E_{01}^b\rangle$, $|E_{10}^b\rangle$ and $|E_{11}^b\rangle$ are vectors (“non normalized states”) in Eve’s Hilbert probe space corresponding to this particular qubit. Since U is unitary, $|{\varphi }_0^b\rangle$ and $|{\varphi }_1^b\rangle$ are of norm 1 and orthogonal. This means that

$$\begin{array}{cc}\hfill \langle E_{00}^b|E_{00}^b\rangle +\langle E_{01}^b|E_{01}^b\rangle & =1\hfill \end{array}$$

(3)

$$\begin{array}{cc}\hfill \langle E_{10}^b|E_{10}^b\rangle +\langle E_{11}^b|E_{11}^b\rangle & =1\hfill \end{array}$$

(4)

$$\begin{array}{cc}\hfill \langle E_{00}^b|E_{10}^b\rangle +\langle E_{01}^b|E_{11}^b\rangle & =0\langle E_{10}^b|E_{00}^b\rangle +\langle E_{11}^b|E_{01}^b\rangle =0\hfill \end{array}$$

(5)

2.2. Extending the attack to multiple qubits — the collective attack

For each qubit $j\in [1..2n]$, Eve applies the unitary $U_j$ on the space ${\mathcal{H}}_j^E\otimes {\mathcal{H}}_2$ where ${\mathcal{H}}_j^E$ is her probe space and ${\mathcal{H}}_2$ is the qubit space. Eve’s view expressed with respect to basis $b_j$ is obtained by tracing out Bob from the states ${|{\varphi }_0^{b_j}\rangle }_j$ and ${|{\varphi }_1^{b_j}\rangle }_j$, resulting with the respective density matrices

$$\begin{array}{cc}\hfill {\left({\rho }_0^{b_j}\right)}_j& ={|E_{00}^{b_j}\rangle }_j\langle E_{00}^{b_j}|+{|E_{01}^{b_j}\rangle }_j\langle E_{01}^{b_j}|\hfill \end{array}$$

(6)

$$\begin{array}{cc}\hfill {\left({\rho }_1^{b_j}\right)}_j& ={|E_{10}^{b_j}\rangle }_j\langle E_{10}^{b_j}|+{|E_{11}^{b_j}\rangle }_j\langle E_{11}^{b_j}|.\hfill \end{array}$$

(7)

If Alice sends the string $\mathbf{i}$ using bases $\mathbf{b}$, then Eve’s global state is the tensor product of all those states ${\left({\rho }_{i_j}^{b_j}\right)}_j$. After the test bits are revealed, Eve needs only those ${\left({\rho }_{i_j}^{b_j}\right)}_j$ for which $s_j=1$. The set $\{j\mid s_j=1\}$ has n elements; let us denote it $\{j_1,\dots ,j_n\}$, so that $s_{j_l}=1$ for $1\le l\le n$. Eve’s global state corresponding to $\mathbf{s}$, $\mathbf{b}$ and $\mathbf{x}$ can now be written

$${\rho }_{\mathbf{x}}^{{\mathbf{b}}_{\mathbf{s}}}={\left({\rho }_{i_{j_1}}^{b_{j_1}}\right)}_{j_1}\otimes \dots \otimes {\left({\rho }_{i_{j_n}}^{b_{j_n}}\right)}_{j_n}=\underset{l=1}{\overset{n}{⨂}}{\left({\rho }_{i_{j_l}}^{b_{j_l}}\right)}_{j_l}.$$

(8)

We can rewrite Eq. (8) using the n-bit strings $\mathbf{x}$ and ${\mathbf{b}}^{\prime }={\mathbf{b}}_{\mathbf{s}}$ with the index l running from 1 to n (instead of the $2n$ strings $\mathbf{i}$ and $\mathbf{b}$ indexed by $\{j_1,\dots ,j_n\}$),

$${\rho }_{\mathbf{x}}^{{\mathbf{b}}_{\mathbf{s}}}={\rho }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}={\rho }_{x_1}^{b_1^{\prime }}\otimes \dots \otimes {\rho }_{x_n}^{b_n^{\prime }}=\underset{l=1}{\overset{n}{⨂}}{\rho }_{x_l}^{b_l^{\prime }}.$$

(9)

It is the state ${\rho }_{\mathbf{x}}^{{\mathbf{b}}_{\mathbf{s}}}$ (or a mixture of such states) that Eve measures collectively to guess the string $\mathbf{x}$ (or directly the final key $\mathbf{k}$) once $\mathbf{b}$, $\mathbf{s}$ and the information for error correction and privacy amplification is known to her.

2.3. The probability of error

Assuming a qubit is attacked by U as defined by (1) and (2), an error occurs if Alice sends 0 and Bob measures 1 or if Alice sends 1 and Bob measures 0. Let k be the value measured by Bob, i the value sent by Alice for a specific qubit, and b the basis used by Alice to encode i. The probability of Bob measuring an error is then given by

$$p(k=1\mid i=0)p(i=0)+p(k=0\mid i=1)p(i=1)=\langle E_{01}^b|E_{01}^b\rangle \frac{1}{2}+\langle E_{10}^b|E_{10}^b\rangle \frac{1}{2},$$

and we denote

$$p_e^b\triangleq \frac{1}{2}\left[\langle E_{01}^b|E_{01}^b\rangle +\langle E_{10}^b|E_{10}^b\rangle \right].$$

(10)

2.4. The probability of error in the conjugate basis

We are now interested in $p_e^{\overline{b}}$ where $\overline{b}=1-b$ (i.e. $\overline{0}=1$ and $\overline{1}=0$) corresponds to the basis conjugate to that given by b. The attack U is always the one described by (1) and (2) in the b basis but, in order to calculate the probability or error when Alice encodes $i_j$ as $|i_j^{\overline{b}}\rangle$ instead of $|i_j^b\rangle$, we now need to express U in the $\overline{b}$ basis. From Equation (10), we know that the probability of error for this situation is given by

$$p_e^{\overline{b}}=\frac{1}{2}\left[\langle E_{01}^{\overline{b}}|E_{01}^{\overline{b}}\rangle +\langle E_{10}^{\overline{b}}|E_{10}^{\overline{b}}\rangle \right].$$

Using the fact that

$${|0\rangle }^{\overline{b}}=\frac{1}{\sqrt{2}}[|0^b\rangle +|1^b\rangle ],{|1\rangle }^{\overline{b}}=\frac{1}{\sqrt{2}}[|0^b\rangle -|1^b\rangle ]$$

and using the linearity of U, we deduce directly from (1) and (2) that

$$\begin{array}{c}\hfill U|0^E\rangle |0^{\overline{b}}\rangle =\frac{1}{\sqrt{2}}\left(|E_{00}^b\rangle +|E_{10}^b\rangle \right)|0^b\rangle +\frac{1}{\sqrt{2}}\left(|E_{01}^b\rangle +|E_{11}^b\rangle \right)|1^b\rangle ,\end{array}$$

(11)

$$\begin{array}{c}\hfill U|0^E\rangle |1^{\overline{b}}\rangle =\frac{1}{\sqrt{2}}\left(|E_{00}^b\rangle -|E_{10}^b\rangle \right)|0^b\rangle +\frac{1}{\sqrt{2}}\left(|E_{01}^b\rangle -|E_{11}^b\rangle \right)|1^b\rangle .\end{array}$$

(12)

Replacing $|0^b\rangle$ and $|1^b\rangle$ on the right-hand sides with their values in terms of $|0^{\overline{b}}\rangle$ and $|1^{\overline{b}}\rangle$ i.e. $|0^b\rangle =\frac{1}{\sqrt{2}}[|0^{\overline{b}}\rangle +|1^{\overline{b}}\rangle ]$ and $|1^b\rangle =\frac{1}{\sqrt{2}}[|0^{\overline{b}}\rangle -|1^{\overline{b}}\rangle ]$ we obtain

$$\begin{array}{cc}\hfill U|0^E\rangle |0^{\overline{b}}\rangle =& \phantom{+}\frac{1}{2}\left[|E_{00}^b\rangle +|E_{10}^b\rangle +|E_{01}^b\rangle +|E_{11}^b\rangle \right]|0^{\overline{b}}\rangle \hfill \\ \text{(13)}\hfill & & +\frac{1}{2}\left[\left(|E_{00}^b\rangle -|E_{11}^b\rangle \right)+\left(|E_{10}^b\rangle -|E_{01}^b\rangle \right)\right]|1^{\overline{b}}\rangle \hfill \hfill U|0^E\rangle |1^{\overline{b}}\rangle =& \phantom{+}\frac{1}{2}\left[\left(|E_{00}^b\rangle -|E_{11}^b\rangle \right)-\left(|E_{10}^b\rangle -|E_{01}^b\rangle \right)\right]|0^{\overline{b}}\rangle \hfill \\ \text{(14)}\hfill & & +\frac{1}{2}\left[|E_{00}^b\rangle -|E_{10}^b\rangle -|E_{01}^b\rangle +|E_{11}^b\rangle \right]|1^{\overline{b}}\rangle \hfill \end{array}$$

where the terms for $|E_{01}^{\overline{b}}\rangle$ and $|E_{10}^{\overline{b}}\rangle$ are parenthesized so that we can easily see that

$$\begin{array}{cc}\hfill p_e^{\overline{b}}& =\frac{1}{2}\left[\langle E_{01}^{\overline{b}}|E_{01}^{\overline{b}}\rangle +\langle E_{10}^{\overline{b}}|E_{10}^{\overline{b}}\rangle \right]\hfill \\ & =\frac{1}{4}\left[(\langle E_{00}^b|-\langle E_{11}^b|)(|E_{00}^b\rangle -|E_{11}^b\rangle )+(\langle E_{10}^b|-\langle E_{01}^b|)(|E_{10}^b\rangle -|E_{01}^b\rangle )\right].\hfill \end{array}$$

We expand this result by using the identities $\langle \varphi |\psi \rangle =\overline{\langle \psi |\varphi \rangle }$ and $z+\overline{z}=2\text{Re}\left(z\right)$ for $z\in \mathbf{C}$ (here the overline indicates the complex conjugate). Using equalities (3) and (4) we get

$$\begin{array}{cc}\hfill p_e^{\overline{b}}& =\frac{1}{4}\left[2-\langle E_{00}^b|E_{11}^b\rangle -\langle E_{11}^b|E_{00}^b\rangle -\langle E_{01}^b|E_{10}^b\rangle -\langle E_{10}^b|E_{01}^b\rangle \right]\hfill \\ \text{(15)}\hfill & \hfill p_e^{\overline{b}}& =\frac{1}{2}\left[1-\text{Re}\left(\langle E_{00}^b|E_{11}^b\rangle +\langle E_{01}^b|E_{10}^b\rangle \right)\right].\hfill \end{array}$$

This Formula will be used to connect the disturbance induced by Eve when Alice encodes in the ${\overline{b}}_j$ basis bits $i_j$ such that $s_j=1$ to the information Eve can get when Alice encodes them in the $b_j$ basis. Following the “Information versus Disturbance” [6] principle we will show that the more information Eve gets when the encoding is in the b basis, the more disturbance she causes when the bits are encoded and tested in the conjugate basis. Hence, we can bound Eve’s knowledge about the key by bounding the allowed error-rate in the protocol.

2.5. Flat attacks with respect to basis b

Assume now that Eve’s attack U is fixed, and that $P_e^{\overline{b}}$ is given by Eq. (15). We will present a virtual attack that is proven to be better for Eve, as it induces a smaller error-rate. This virtual attack cannot be executed by Eve since it requires knowledge of the basis b used by Alice (a knowledge that, of course, Eve does not have at the stage in which she chooses her transformation U). Still, the existence of such an attack that is proven to be better for Eve, allows us to derive bounds on Eve’s knowledge when the original attack (actually used by Eve) is applied.

Proposition 1.

For each attack U with ${\rho }_0^b$, ${\rho }_1^b$ and $p_e^b$ given by (6), (7) and (10), that satisfy

$$\begin{array}{cccc}\hfill \langle E_{00}^b|E_{11}^b\rangle +\langle E_{01}^b|E_{10}^b\rangle & =e^{i\theta }r\hfill & & \text{for}r\in {\mathbf{R}}_{+}\hfill \end{array}$$

(16)

there exists $U_b^{\prime }$ with the same ${\rho }_0^b$, ${\rho }_1^b$ and $p_e^b$ as U, which satisfy

$$\langle E_{00}^{\prime b}|E_{11}^{\prime b}\rangle +\langle E_{01}^{\prime b}|E_{10}^{\prime b}\rangle =r.$$

(17)

Proof.

Let $S_{\theta }^b:{\mathcal{H}}_2\to {\mathcal{H}}_2$ be defined by $S_{\theta }^b|0^b\rangle =|0^b\rangle$ and $S_{\theta }^b|1^b\rangle =e^{i\theta }|1^b\rangle$. $S_{\theta }^b$ is clearly unitary and consequently so is ${\mathbf{1}}_j^E\otimes S_{\theta }:{\mathcal{H}}_j^E\otimes {\mathcal{H}}_2\to {\mathcal{H}}_j^E\otimes {\mathcal{H}}_2$ where ${\mathbf{1}}_j^E$ is the identity on ${\mathcal{H}}_j^E$. Let $U_b^{\prime }=U({\mathbf{1}}_j^E\otimes S_{-\theta })$. $U_b^{\prime }$ is such that

$$\begin{array}{cc}\hfill U_b^{\prime }|0\rangle |0^b\rangle & =\phantom{e^{-i\theta }}|E_{00}^b\rangle |0^b\rangle +\phantom{e^{-i\theta }}|E_{01}^b\rangle |1^b\rangle =|{\varphi }_0^{\prime b}\rangle ,\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill U_b^{\prime }|0\rangle |1^b\rangle & =e^{-i\theta }|E_{10}^b\rangle |0^b\rangle +e^{-i\theta }|E_{11}^b\rangle |1^b\rangle =|{\varphi }_1^{\prime b}\rangle .\hfill \end{array}$$

(19)

From those equalities it follows that ${\rho }_0^b$ and ${\rho }_1^b$ are left unchanged as can be seen from equations (6) and (7). In the same way, the right hand side of (10) is also clearly left unchanged and so $p_e^b$ is left unchanged. Finally

$$\begin{array}{cc}\hfill \langle E_{00}^{\prime b}|E_{11}^{\prime b}\rangle +\langle E_{01}^{\prime b}|E_{10}^{\prime b}\rangle & =\langle E_{00}^b|e^{-i\theta }{E}_{11}^b\rangle +\langle E_{01}^b|e^{-i\theta }{E}_{10}^b\rangle \hfill \\ \hfill \text{by (16)}& & =e^{-i\theta }{e}^{i\theta }r\hfill & =r.\hfill \end{array}$$

☐

The attack $U_b^{\prime }$ provides the same “view” ${\rho }_0^b$, ${\rho }_1^b$ to Eve, and the same probability of being detected if the b basis is used. However, from Eq. (15) we see that it reduces $p_e^{\overline{b}}$ to the minimum value (15) can take, because $\text{Re}\left(z\right)\le \left|z\right|$ for any $z\in \mathbf{C}$. This means that by replacing U by $U_b^{\prime }$ Eve’s probability of being detected had the other basis been chosen can only decrease; $U_b^{\prime }$ is thus better for Eve, since she needs to take into account all possible bases used by Alice. $U_b^{\prime }$ will be coined the “flat” attack associated to U with respect to basis b. Since Eve is not aware of the basis b used, the flat attack is merely a mathematical tool. Moreover it depends on b. However, by bounding Eve’s information when that basis is used we will eventually get a bound on Eve’s information under the original attack.

In the more general case of bitstrings, since Eve’s view comes from the tensor product of density matrices on individual qubits, using the flat attacks on all qubits does not change Eve’s global view, nor the probability of error in the b basis. A flat attack will thus be flat for each qubit. In a flat attack (one qubit case), there exist $r\in {\mathbf{R}}_{+}$ such that

$$\begin{array}{cc}& \langle E_{00}^b|E_{11}^b\rangle +\langle E_{01}^b|E_{10}^b\rangle =r,\hfill \end{array}$$

(20)

$$\begin{array}{cc}& p_e^{\overline{b}}=\frac{1}{2}(1-r).\hfill \end{array}$$

(21)

A short summary: we consider two possible cases for a specific qubit sent by Alice to Bob that is attacked by Eve with a flat unitary transform U:

(1)

Alice and Bob use the b basis. Eve’s attack causes a bit-flip with probability

$p_e^b=\frac{1}{2}\left[\langle E_{01}^b|E_{01}^b\rangle +\langle E_{10}^b|E_{10}^b\rangle \right]$.

(2)

However, if Alice and Bob use the $\overline{b}$ basis, Eve’s attack causes a bit-flip with probability $p_e^{\overline{b}}=\frac{1}{2}\left[1-\text{Re}\left(\langle E_{00}^b|E_{11}^b\rangle +\langle E_{01}^b|E_{10}^b\rangle \right)\right]=\frac{1}{2}(1-r)$.

2.6. A purification

We now assume the attack is flat, i.e. it satisfies equations (3)–(5), (20), and also, as a result, equation (21). Still working on a single qubit let us now define $|{\psi }_0^b\rangle$ and $|{\psi }_1^b\rangle$ as

$$\begin{array}{cccc}\hfill |{\psi }_0^b\rangle & =|E_{00}^b\rangle |0\rangle +|E_{01}^b\rangle |1\rangle ;\hfill & \hfill |{\psi }_1^b\rangle & =|E_{11}^b\rangle |0\rangle +|E_{10}^b\rangle |1\rangle .\hfill \end{array}$$

(22)

where the (normalized and orthogonal) states $|0\rangle$ and $|1\rangle$ live in some Hilbert space $\mathcal{H}$ that need not correspond to any physical reality (they are useful mathematical entities). If we trace states $|{\psi }_0^b\rangle \langle {\psi }_0^b|$ and $|{\psi }_1^b\rangle \langle {\psi }_1^b|$ over the span of $|0\rangle$ and $|1\rangle$ in $\mathcal{H}$, we get the states ${\rho }_0$ and ${\rho }_1$ respectively. The states $|{\psi }_0^b\rangle$ and $|{\psi }_1^b\rangle$ are thus called lift-ups of ${\rho }_0$ and ${\rho }_1$. Since they are also pure, they are said to be purifications of ${\rho }_0$ and ${\rho }_1$. Moreover they are normalized and by Eq. (20) their overlap is

$$\langle {\psi }_0^b|{\psi }_1^b\rangle =\langle E_{00}^b|E_{11}^b\rangle +\langle E_{01}^b|E_{10}^b\rangle =r.$$

(23)

This establishes a direct relation between the overlap of $|{\psi }_0^b\rangle$ and $|{\psi }_1^b\rangle$ and the probability of error $p_e^{\overline{b}}$. Since the overlap r is real and positive, with $0\le r\le 1$, there is an angle α such that

$$\begin{array}{ccc}\hfill cos\left(2\alpha \right)& =r=\langle {\psi }_0^b|{\psi }_1^b\rangle \hfill & \hfill 0\le \alpha \le \pi /4.\end{array}$$

As a consequence, we get

$$p_e^{\overline{b}}=\frac{1}{2}[1-cos\left(2\alpha \right)]={sin}^2\left(\alpha \right)\text{or}sin\left(\alpha \right)={\left(p_e^{\overline{b}}\right)}^{1/2}.$$

(24)

Since $\langle {\psi }_0^b|{\psi }_1^b\rangle$ is real, it is equal to $\langle {\psi }_1^b|{\psi }_0^b\rangle$ and consequently the (non normalized) states $|{\psi }_0^b\rangle +|{\psi }_1^b\rangle$ and $|{\psi }_0^b\rangle -|{\psi }_1^b\rangle$ are orthogonal and their norms are $\sqrt{2+2cos\left(2\alpha \right)}=2cos\left(\alpha \right)$ and $\sqrt{2-2cos\left(2\alpha \right)}=2sin\left(\alpha \right)$ respectively. We thus let

$$\begin{array}{cccc}\hfill |0_H^b\rangle & =\frac{1}{2cos\left(\alpha \right)}[|{\psi }_0^b\rangle +|{\psi }_1^b\rangle ];\hfill & \hfill |1_H^b\rangle & =\frac{1}{2sin\left(\alpha \right)}[|{\psi }_0^b\rangle -|{\psi }_1^b\rangle ].\hfill \end{array}$$

(25)

Using this basis, we can re-write the purification for $x\in \{0,1\}$, as

$$|{\psi }_x^b\rangle =cos\left(\alpha \right)|0_H^b\rangle +{(-1)}^{x}sin\left(\alpha \right)|1_H^b\rangle .$$

(26)

3. Proof of security of BB84 against collective attacks

3.1. Parity strings for the code and the key

We recall that bitstrings of length n are identified with elements of ${\mathbf{F}}_2^n$. Vector addition thus corresponds to component-wise sum modulo 2 and thus to the eXclusive-OR of the corresponding bitstrings. We denote $\mathbf{a}·\mathbf{b}$ the scalar product (modulo 2) of the two strings $\mathbf{a}$ and $\mathbf{b}$ of the same length, e.g., for n-bit strings, $\mathbf{a}·\mathbf{b}={\sum }_{i=1}^n{a}_i{b}_i=a_1{b}_1+\dots +a_n{b}_n$. Let $\{v_1,\dots ,v_n\}$ be a basis of ${\mathbf{F}}_2^n$. For any $r^{\prime }$ let $V_{r^{\prime }}$ denote the span of $\{v_1,\dots ,v_{r^{\prime }}\}$ and $V_{r^{\prime }}^c$ the span of $\{v_{r^{\prime }+1},\dots ,v_n\}$; it is clear that $V_{r^{\prime }}^{\phantom{c}}+V_{r^{\prime }}^c={\mathbf{F}}_2^n$; moreover, if we let $v,w\in V_{r^{\prime }}$ and $v^{\prime },w^{\prime }\in V_{r^{\prime }}^c$ then

$$v+v^{\prime }=w+w^{\prime }\Rightarrow v=w\text{and}{v}^{\prime }=w^{\prime }.$$

(27)

This property is normally summarized by saying that ${\mathbf{F}}_2^n$ is the direct sum of $V_{r^{\prime }}^{\phantom{c}}$ and $V_{r^{\prime }}^c$, i.e., $V_{r^{\prime }}^{\phantom{c}}+V_{r^{\prime }}^c={\mathbf{F}}_2^n$ and $V_{r^{\prime }}^{\phantom{c}}\cap V_{r^{\prime }}^c=\left\{0\right\}$.

The vectors $v_1,\dots ,v_r$ are used as the rows of $P_C$, the parity check matrix for the error correcting code which yields the syndrome $\xi =\mathbf{x}{P}_C^{\mathrm{T}}$; the vectors $v_{r+1},\dots ,v_{r+m}$ are used as the rows of a privacy amplification matrix $P_K$ such that if $\mathbf{x}$ is the string sent by Alice, then the m-bit key is $\mathbf{x}{P}_K^{\mathrm{T}}$. Let

$$d_{r,m}\triangleq \underset{r\le r^{\prime }<r+m}{min}{d}_H(v_{r^{\prime }+1},V_{r^{\prime }})=\underset{r\le r^{\prime }<r+m}{min}{d}_{r^{\prime },1}.$$

(28)

This parameter on which security depends relates in terms of Hamming distance the parity strings used to generate the key $\mathbf{k}$ to the parity strings used to generate the error correction information ξ. A large value of $d_{r,m}$ will be shown to imply little information for Eve on the key $\mathbf{k}$, given she knows ξ (Theorem 8).

3.2. The Shannon distinguishability

We shall use $\mathrm{SD}(\alpha ,\beta )$ as it is defined in [4,5] to denote the Shannon Distinguishability between the state (or density matrix) α and the state (or density matrix) β. Consider the following protocol: Sam chooses ‘0’ or ‘1’, randomly with equal probability. If Sam chooses ‘0’, he sends the state α over to Rachel. Otherwise, he sends β. $\mathrm{SD}(\alpha ,\beta )$ is by definition Rachel’s accessible information i.e. the maximum mutual information between Sam’s encoded bit and Rachel’s measurement of the state she received. Notice that when α and β are orthogonal (thus they form a basis), Rachel can always distinguish between them, and has information of exactly 1 bit about Sam’s chosen bit. On the other hand, if $\alpha =\beta$, Rachel can never distinguish between those states, and she has 0 bits of information. Important result of the error function are summarized in the following lemma:

Lemma 2.

(a) If ${\tilde{\rho }}_x$ is a lift-up of ${\rho }_x$ (where $x\in \{0,1\}$), then $SD({\rho }_0,{\rho }_1)\le SD({\tilde{\rho }}_0,{\tilde{\rho }}_1)$; (b) The Shannon Distinguishability of two states can be bounded by half the Trace Norm of their difference: $\mathrm{SD}({\rho }_0,{\rho }_1)\le \frac{1}{2}tr|{\rho }_0-{\rho }_1|$

Proof.

See [4, Theorem 1 and 2].

☐

3.3. Representing states for bitstrings

Let $\mathbf{s}$ be a fixed string of length $2n$ with a 1 in positions $j_1,\dots ,j_n$ corresponding to the n information bits. As in Eq. (9), given the basis string ${\mathbf{b}}^{\prime }=b_1^{\prime }\dots b_n^{\prime }=b_{j_1}\dots b_{j_n}$ and $\mathbf{x}=x_1\dots x_n=i_{j_1}\dots i_{j_n}$ we define the state $|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle ={⨂}_{l=1}^n|{\psi }_{x_l}^{b_l^{\prime }}\rangle$. Using (26), we write the state as

$$|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle =\underset{l=1}{\overset{n}{⨂}}\left[cos\left({\alpha }_l\right)|0_l\rangle +{(-1)}^{x_l}sin\left({\alpha }_l\right)|1_l\rangle \right],$$

(29)

where $|0_l\rangle$ and $|1_l\rangle$ represent the vectors $|0_H^{b_l^{\prime }}\rangle$ and $|1_H^{b_l^{\prime }}\rangle$ corresponding to the attack $U_{j_l}$ on the $j_l$-th qubit (the l-th information qubit). If for $\mathbf{c}=c_1\dots c_n\in {\{0,1\}}^n$ we define

$$\begin{array}{cccc}\hfill d_{\mathbf{c},l}& =\left\{\begin{array}{cc}cos\left({\alpha }_l\right)\hfill & \text{if}{c}_l=0\hfill \\ sin\left({\alpha }_l\right)\hfill & \text{if}{c}_l=1\hfill \end{array}\right.\hfill & \hfill d_{\mathbf{c}}& =d_{\mathbf{c},1}\dots d_{\mathbf{c},n}\hfill \end{array}$$

then

$$|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle =\sum _{\mathbf{c}\in {\{0,1\}}^n}{d}_{\mathbf{c}}{(-1)}^{\mathbf{x}·\mathbf{c}}|\mathbf{c}\rangle$$

(30)

where $|\mathbf{c}\rangle$ stands for $|{\left(c_1\right)}_1\dots {\left(c_n\right)}_n\rangle$; for instance if $\mathbf{c}=0100$ then $|\mathbf{c}\rangle$ is $|0_1\rangle |1_2\rangle |0_3\rangle |0_4\rangle$ with $|0_l\rangle$ and $|1_l\rangle$ as defined above, and $d_{\mathbf{c}}=cos\left({\alpha }_1\right)sin\left({\alpha }_2\right)cos\left({\alpha }_3\right)cos\left({\alpha }_4\right)$. We notice that the factors of $d_{\mathbf{c}}^2$ can be interpreted as probabilities, and from (24) we deduce

$$\begin{array}{cc}\hfill d_{\mathbf{c},l}^2& =\left\{\begin{array}{cc}{cos}^2\left({\alpha }_l\right)=q_l^{\overline{b_l^{\prime }}}\hfill & \text{if}{c}_l=0\hfill \\ {sin}^2\left({\alpha }_l\right)=p_l^{\overline{b_l^{\prime }}}\hfill & \text{if}{c}_l=1\hfill \end{array}\right.\hfill \end{array}$$

where $p_l^{\overline{b_l^{\prime }}}$ is the probability of an error on the bit of index $j_l$ (the l-th information bit) when encoded and measured in the conjuguate basis and $q_l^{\overline{b_l^{\prime }}}=1-p_l^{\overline{b_l^{\prime }}}$ is the probability of no error on the same bit under the same conditions.

Due to the above, $d_{\mathbf{c}}^2$ is the probability of having exactly the error string $\mathbf{c}$ on the bits $i_j$ such that $s_j=1$ when those bits are encoded and measured in the other basis. Since, according to the protocol, the bits such that $s_j=1$ are the “information bits”, we will say, by abuse of language, that this is the probability of error on information bits. If we represent by ${\mathbf{C}}_I$ the random variable corresponding to the error in Bob’s measurement of the information bits, and by ${\mathbf{B}}_I$ the random variable giving the corresponding basis string chosen by Alice then we can write, for $\mathbf{c}\in {\{0,1\}}^n$, $\mathbf{b}\in {\{0,1\}}^{2n}$ and $\mathbf{s}\in {\{0,1\}}^{2n}$ such that $\left|\mathbf{s}\right|=n$,

$$d_{\mathbf{c}}^2=P[{\mathbf{C}}_I=\mathbf{c}\mid {\mathbf{B}}_I=\overline{{\mathbf{b}}_{\mathbf{s}}},\mathbf{s}]$$

(31)

where $\overline{{\mathbf{b}}_{\mathbf{s}}}=\overline{{\mathbf{b}}^{\prime }}=\overline{b_1^{\prime }}\dots \overline{b_n^{\prime }}$. This probability is not conditional on the syndrome ξ; all possible errors are taken into account here, even with values of $\mathbf{x}$ inconsistent with ξ.

3.4. Case of a one-bit key

We begin with proving the security of a 1-bit key, and then extend our proof to an arbitrary m-bit length key. This case corresponds to $m=1$ and the key (when not discarded) is $\mathbf{x}·v_{r+1}$ where $\mathbf{x}$ is the string sent by Alice (that is, $P_K$ has only one row, which equals $v_{r+1}$). Let $\xi =\mathbf{x}{P}_C^T$ be the r bit syndrome announced publicly by Alice and let us denote ${\widehat{\rho }}_0$ and ${\widehat{\rho }}_1$ Eve’s states corresponding to key 0 and key 1 respectively. Those states are obtained by normalizing the operators¶

$$\begin{array}{cc}\hfill {\rho }_k& =\sum _{\mathbf{x}|\begin{array}{c}\mathbf{x}{P}_C^T=\xi \\ \mathbf{x}·v_{r+1}=k\end{array}}{\rho }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\hfill \end{array}$$

and, since $tr\left({\rho }_0\right)=tr\left({\rho }_1\right)=2^{n-r-1}$, ${\widehat{\rho }}_0$ and ${\widehat{\rho }}_1$ are equally likely, and

$$\begin{array}{cc}\hfill {\widehat{\rho }}_k& =\frac{1}{2^{n-r-1}}\sum _{\mathbf{x}|\begin{array}{c}\mathbf{x}{P}_C^T=\xi \\ \mathbf{x}·v_{r+1}=k\end{array}}{\rho }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}.\hfill \end{array}$$

(32)

Changing the attack to a flat one, does not change ${\rho }_{x_l}^{b_l^{\prime }}$, and therefore does not change ${\widehat{\rho }}_k$. Moreover, since $|{\psi }_{x_l}^{b_l^{\prime }}\rangle \langle {\psi }_{x_l}^{b_l^{\prime }}|$ as defined in Equation (26) is a purification of ${\rho }_{x_l}^{b_l^{\prime }}$, it follows that

$$\begin{array}{cc}\hfill {\tilde{\rho }}_k& =\frac{1}{2^{n-r-1}}\sum _{\mathbf{x}|\begin{array}{c}\mathbf{x}{P}_C^T=\xi \\ \mathbf{x}·v_{r+1}=k\end{array}}|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle \langle {\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}|\hfill \end{array}$$

(33)

is a lift-up of ${\widehat{\rho }}_k$. According to lemma 2, $\mathrm{SD}({\widehat{\rho }}_0,{\widehat{\rho }}_1)\le \mathrm{SD}({\tilde{\rho }}_0,{\tilde{\rho }}_1)$ and $\mathrm{SD}({\tilde{\rho }}_0,{\tilde{\rho }}_1)\le \frac{1}{2}tr|{\tilde{\rho }}_0-{\tilde{\rho }}_1|$ and thus

$$\mathrm{SD}({\widehat{\rho }}_0,{\widehat{\rho }}_1)\le \frac{1}{2}tr|{\tilde{\rho }}_0-{\tilde{\rho }}_1|.$$

(34)

3.5. Calculating and bounding the trace norm for one bit: the Biham basis.

We now wish to bound $\frac{1}{2}tr|{\tilde{\rho }}_0-{\tilde{\rho }}_1|$ according to the specific attack Eve has performed. Taking advantage of the fact that $V_{r^{\prime }}^{\phantom{c}}+V_{r^{\prime }}^c={\mathbf{F}}_2^n$ and $V_{r^{\prime }}^{\phantom{c}}\cap V_{r^{\prime }}^c=\left\{0\right\}$ (i.e. the sum is “direct”), equation (30) rewrites as

$$|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle =\sum _{v\in V_r^c}{(-1)}^{\mathbf{x}·v}\sum _{v^{\prime }\in V_r}{(-1)}^{\mathbf{x}·v^{\prime }}{d}_{v+v^{\prime }}|v+v^{\prime }\rangle .$$

(35)

For each $\xi \in {\{0,1\}}^r$, let $i_{\xi }$ be a fixed n-bit string such that $i_{\xi }{P}_C^T=\xi$. By definition of the syndrome, $\xi =\mathbf{x}{P}_C^T$ and thus $(\mathbf{x}-\xi )P_C^T=0$, i.e. $(\mathbf{x}-i_{\xi })$ is a code word of C. Since every string $v^{\prime }$ in the dual code $C^{\perp }=V_r$ is orthogonal to every code word, we get that $v^{\prime }(\mathbf{x}-i_{\xi })=0$ and thus $v^{\prime }\mathbf{x}=v^{\prime }{i}_{\xi }$. It follows that

$$|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle =\sum _{v\in V_r^c}{(-1)}^{\mathbf{x}·v}\sum _{v^{\prime }\in V_r}{(-1)}^{i_{\xi }·v^{\prime }}{d}_{v+v^{\prime }}|v+v^{\prime }\rangle .$$

If we define $|{\eta }_v\rangle ={\sum }_{v^{\prime }\in V_r}{(-1)}^{i_{\xi }·v^{\prime }}{d}_{v+v^{\prime }}|v+v^{\prime }\rangle$, we conclude with

$$|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle =\sum _{v\in V_r^c}{(-1)}^{\mathbf{x}·v}|{\eta }_v\rangle .$$

(36)

Lemma 3.

The non normalized states $|{\eta }_v\rangle$ for $v\in V_r^c$ are orthogonal.

Proof.

$$\begin{array}{cc}\hfill \langle {\eta }_{v_1}|{\eta }_{v_2}\rangle & =\sum _{v_1^{\prime }\in V_r}{(-1)}^{i_{\xi }·v_1^{\prime }}\overline{d_{v+v^{\prime }}}\langle v_1+v_1^{\prime }|\sum _{v_2^{\prime }\in V_r}{(-1)}^{i_{\xi }·v_2^{\prime }}{d}_{v_2+v_2^{\prime }}|v_2+v_2^{\prime }\rangle .\hfill \end{array}$$

If $\langle v_1+v_1^{\prime }|v_2+v_2^{\prime }\rangle \ne 0$, then $v_1+v_1^{\prime }=v_2+v_2^{\prime }$ which, by (27), implies $v_1=v_2$ (and $v_1^{\prime }=v_2^{\prime }$).  ☐

The $|{\eta }_v\rangle$ thus provide an orthogonal (but not orthonormal) basis with which we can simply represent $|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle$, as shown in (36).

Using (33) we get

$${\tilde{\rho }}_0-{\tilde{\rho }}_1=\frac{1}{2^{n-r-1}}\sum _{\mathbf{x}|\begin{array}{c}\mathbf{x}{P}_C^T=\xi \\ \mathbf{x}·v_{r+1}=0\end{array}}|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle \langle {\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}|-\frac{1}{2^{n-r-1}}\sum _{\mathbf{x}|\begin{array}{c}\mathbf{x}{P}_C^T=\xi \\ \mathbf{x}·v_{r+1}=1\end{array}}|{\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}\rangle \langle {\psi }_{\mathbf{x}}^{{\mathbf{b}}^{\prime }}|.$$

The set of elements $\left\{\mathbf{x}\right|\mathbf{x}{P}_C^T=\xi \}$ is the code coset containing the string $i_{\xi }$, namely, $\{c+i_{\xi }|c\in C\}$, where for every different element c, the string $c+i_{\xi }$ represents a different possible $\mathbf{x}$. Moreover, the final key bit k can be written as $(c+i_{\xi })·v_{r+1}$ and using (36), we get

$$\begin{array}{cc}\hfill {\tilde{\rho }}_0-{\tilde{\rho }}_1& =\frac{1}{2^{n-r-1}}\sum _{c\in C}{(-1)}^{(c+i_{\xi })·v_{r+1}}|{\psi }_{c+i_{\xi }}^{{\mathbf{b}}^{\prime }}\rangle \langle {\psi }_{c+i_{\xi }}^{{\mathbf{b}}^{\prime }}|\hfill \\ & =\frac{1}{2^{n-r-1}}\sum _{c\in C}{(-1)}^{(c+i_{\xi })·v_{r+1}}\sum _{m\in V_r^c}{(-1)}^{(c+i_{\xi })·m}|{\eta }_m\rangle \sum _{m^{\prime }\in V_r^c}{(-1)}^{(c+i_{\xi })·m^{\prime }}\langle {\eta }_{m^{\prime }}|\hfill \end{array}$$

which can be written as

$${\tilde{\rho }}_0-{\tilde{\rho }}_1=\frac{1}{2^{n-r-1}}\sum _{m,m^{\prime }\in V_r^c}{(-1)}^{(m+m^{\prime }+v_{r+1})·i_{\xi }}\left(\sum _{c\in C}{(-1)}^{(m+m^{\prime }+v_{r+1})·c}\right)|{\eta }_m\rangle \langle {\eta }_{m^{\prime }}|.$$

(37)

Lemma 4.

For every Linear Code C,

$$\sum _{c\in C}{(-1)}^{c·w}=\left\{\begin{array}{cc}\left|C\right|& w\in C^{\perp }\\ 0& else,\end{array}\right.$$

Proof.

If $w\in C^{\perp }$ then $c·w=0$ for every $c\in C$ by the definition of $C^{\perp }$. Otherwise, let $\left\{{\beta }_1\dots {\beta }_k\right\}$ be a basis of C over ${\mathbf{F}}_2$. Every codeword $c\in C$ can be written in a unique way as a linear combination $c={\alpha }_1{\beta }_1+\dots +{\alpha }_k{\beta }_k$ with $({\alpha }_1,\dots ,{\alpha }_k)\in {\mathbf{F}}_2^k$. Since $w\notin C^{\perp }$ there is i such that ${\beta }_i·w\ne 0$. Assume wlg that ${\beta }_1·w=1$; then

$$\begin{array}{cc}\hfill \sum _{c\in C}{(-1)}^{c·w}& =\sum _{({\alpha }_1,\dots ,{\alpha }_k)\in {\mathbf{F}}_2^k}{(-1)}^{({\alpha }_1{\beta }_1+\dots +{\alpha }_k{\beta }_k)·w}\hfill \\ & =[{(-1)}^0+{(-1)}^1]\sum _{({\alpha }_2,\dots ,{\alpha }_k)\in {\mathbf{F}}_2^{k-1}}{(-1)}^{({\alpha }_2{\beta }_2+\dots +{\alpha }_k{\beta }_k)·w}=0.\hfill \end{array}$$

☐

By Lemma 4, the parenthesized factor in the right-hand side of (37) is zero unless $m+m^{\prime }+v_{r+1}\in C^{\perp }=V_r$, however, $m,m^{\prime },v_{r+1}\in V_r^c$, and so is their sum. Thus, when the parenthesized factor is not zero, $m+m^{\prime }+v_{r+1}$ must equal 0, since $V_r\cap V_r^c=\left\{0\right\}$. The resulting sum must equal $\left|C\right|=2^{n-r}$. The equality $m+m^{\prime }+v_{r+1}=0$ rewrites as $m^{\prime }=m+v_{r+1}$ and (37) reduces to

$$\begin{array}{cc}\hfill {\tilde{\rho }}_0-{\tilde{\rho }}_1& =2\sum _{m\in V_r^c}{(-1)}^{(m+(m+v_{r+1})+v_{r+1})·i_{\xi }}|{\eta }_m\rangle \langle {\eta }_{m+v_{r+1}}|\hfill \\ & =2\sum _{m\in V_r^c}|{\eta }_m\rangle \langle {\eta }_{m+v_{r+1}}|.\hfill \end{array}$$

Therefore we conclude that

$$\frac{1}{2}tr|{\tilde{\rho }}_0-{\tilde{\rho }}_1|=tr\left|\sum _{m\in V_r^c}|{\eta }_m\rangle \langle {\eta }_{m+v_{r+1}}|\right|.$$

(38)

By Lemma 3, $\langle {\eta }_m|{\eta }_n\rangle =0$ if $m\ne n$ with $m,n\in V_r^c$. If we let $\langle {\eta }_m|{\eta }_m\rangle =d_{{\eta }_m}^2$ we get, ${\sum }_{m\in V_r^c}{d}_{{\eta }_m}^2=1$ by (36). Let us rewrite the $|{\eta }_m\rangle$ for $m\in V_r^c$ as $|{\eta }_m\rangle =d_{{\eta }_m}|{\widehat{\eta }}_m\rangle$ with $\langle {\widehat{\eta }}_m|{\widehat{\eta }}_n\rangle ={\delta }_{m,n}$ for $m,n\in V_r^c$. It is known that for any operator A, $\left|A\right|=\sqrt{A^{†}A}$ and thus‖

$$\begin{array}{cc}\hfill tr\left|\sum _{m\in V_r^c}|{\eta }_m\rangle \langle {\eta }_{m+v_{r+1}}|\right|& =tr\sqrt{\sum _{m\in V_r^c}|{\eta }_m\rangle \langle {\eta }_{m+v_{r+1}}|\sum _{m^{\prime }\in V_r^c}|{\eta }_{m^{\prime }+v_{r+1}}\rangle \langle {\eta }_{m^{\prime }}|}\hfill \\ & =tr\sqrt{\sum _{m,m^{\prime }\in V_r^c}|{\eta }_m\rangle \langle {\eta }_{m+v_{r+1}}|{\eta }_{m^{\prime }+v_{r+1}}\rangle \langle {\eta }_{m^{\prime }}|}\hfill \\ & =tr\sqrt{\sum _{m\in V_r^c}{d}_{{\eta }_{m+v_{r+1}}}^2{d}_{{\eta }_m}^2|{\widehat{\eta }}_m\rangle \langle {\widehat{\eta }}_m|}\hfill \\ & =\sum _{m\in V_r^c}{d}_{{\eta }_{m+v_{r+1}}}{d}_{{\eta }_m}\hfill \end{array}$$

where the last equation follows directly from the spectral decomposition that figures under the square root. Using the fact that $V_r^c=V_{r+1}^c\cup \left(v_{r+1}+V_{r+1}^c\right)$ and that this union is disjoint, we deduce

$$\begin{array}{cc}\hfill \frac{1}{2}tr|{\tilde{\rho }}_0-{\tilde{\rho }}_1|& =2\sum _{m\in V_{r+1}^c}{d}_{{\eta }_m}{d}_{{\eta }_{m+v_{r+1}}}.\hfill \end{array}$$

(39)

In order to bound this result we use the following Lemma,

Lemma 5.

Let I be any set, $s:I\to I$ be such that $s^2={\mathbf{1}}_I$ and $p_i\ge 0$ with ${\sum }_{i\in I}{p}_i\le 1$. Let $I^{\prime }\subseteq I$ and $E\subseteq I$ such that $I^{\prime }\cap s\left(I^{\prime }\right)=\varnothing$ and $I^{\prime }\subseteq E\cup s\left(E\right)$; then

$${\displaystyle \sum _{i\in I^{\prime }}\sqrt{p_i{p}_{s\left(i\right)}}\le \sqrt{\sum _{i\in E}{p}_i}.}$$

Proof.

For $i\in I^{\prime }$, if $i\notin E$ let $h\left(i\right)=s\left(i\right)\in E$ and $h\left(s\right(i\left)\right)=i$, else let $h\left(i\right)=i\in E$ and $h\left(s\right(i\left)\right)=s\left(i\right)$. This function is well defined because i and $s\left(i\right)$ cannot be both in $I^{\prime }$. Moreover $h\left(h\right(i\left)\right)=i$ and h is thus 1–1 on $I^{\prime }$.

$$\sum _{i\in I^{\prime }}\sqrt{p_i{p}_{s\left(i\right)}}=\sum _{i\in I^{\prime }}\sqrt{p_{h\left(i\right)}}\sqrt{p_{s\left(h\right(i\left)\right)}}\le \sqrt{\sum _{i\in I^{\prime }}{p}_{h\left(i\right)}}\sqrt{\sum _{i\in I^{\prime }}{p}_{s\left(h\right(i\left)\right)}}\le \sqrt{\sum _{i\in E}{p}_i}$$

the first inequality being justified by Schwartz inequality.    ☐

We now use the lemma. Let $I=V_r^c$, $I^{\prime }=V_{r+1}^c$, $s\left(m\right)=m+v_{r+1}$; clearly $I^{\prime }\cap s\left(I^{\prime }\right)=\varnothing$ and $s^2={\mathbf{1}}_I$. Let also $E=\left\{m\in I\mid d_H(m,V_r)\ge d_{r,1}/2\right\}$ where $d_{r,1}$ was defined as the smallest Hamming distance between $v_{r+1}$ and the elements of $V_r$. For the lemma to apply, we need to show that $I^{\prime }\subseteq E\cup s\left(E\right)$. If $m\in I^{\prime }$ was such that $m\notin E$ and $m\notin s\left(E\right)$ then $s\left(m\right)\notin E$, $d_H(m,V_r)<d_{r,1}/2$ and $d_H(m+v_{r+1},V_r)<d_{r,1}/2$; this implies $d_H(v_{r+1},V_r)<d_{r,1}$, contrary to the definition of $d_{r,1}$. By the definition of E, if $c=m+v^{\prime }$ for $m\in E$ and $v^{\prime }\in V_r$ then $\left|c\right|\ge d_{r,1}/2$. Consequently, letting $p_m=d_{{\eta }_m}^2$ for $m\in I$, ${\sum }_{m\in I}{p}_m=1$ and

$$\begin{array}{cc}\text{By (39)}\hfill & \hfill {\left(\frac{1}{2}tr|{\tilde{\rho }}_0-{\tilde{\rho }}_1|\right)}^2& =4{\left(\sum _{m\in V_{r+1}^c}{d}_{{\eta }_m}{d}_{{\eta }_{m+v_{r+1}}}\right)}^2\hfill & \text{By Lemma 5}\hfill & & \le 4{\left(\sqrt{\sum _{m\in E}{d}_{{\eta }_m}^2}\right)}^2\hfill & & =4\sum _{\begin{array}{c}m\in V_r^c\\ d_H(m,V_r)\ge d_{r,1}/2\end{array}}\sum _{v^{\prime }\in V_r}{d}_{m+v^{\prime }}^2\le 4\sum _{\left|c\right|\ge d_{r,1}/2}{d}_c^2.\hfill \end{array}$$

Using Lemma 2 (Eq. (34), we get

$$\mathrm{SD}({\widehat{\rho }}_0,{\widehat{\rho }}_1)\le \frac{1}{2}tr|{\tilde{\rho }}_0-{\tilde{\rho }}_1|\le 2\sqrt{\sum _{\left|c\right|\ge d_{r,1}/2}{d}_c^2}.$$

(40)

Note that this result is identical to the bound derived in [5, Lemma 4.5 (Eq. D.8)]. This result is much better than the loose bound [5, Lemma D.2 (Eq. D.3)] which is based on the methods of [4].

As a consequence, using (31) we get

$$\mathrm{SD}({\widehat{\rho }}_0,{\widehat{\rho }}_1)\le 2\sqrt{P\left[|{\mathbf{C}}_I|\ge d_{r,1}/2\mid {\mathbf{B}}_I=\overline{{\mathbf{b}}^{\prime }},\mathbf{s}\right]}.$$

(41)

3.6. Bounding Eve’s accessible information

We now rewrite more carefully inequality (41) so as to be able to take into account all the parameters that were fixed and that we will now let vary in order to average Eve’s information on the entire range of these parameters.

Let $\mathbf{c}=\mathbf{i}+{\mathbf{i}}^B$, the exclusive-or of the $2n$-bit string sent by Alice and of the one measured by Bob. Each index $1\le l\le 2n$ such that $c_l=1$ corresponds to a mismatch in Bob’s bit value with respect to the value sent by Alice. If $s_l=1$ the bit is an “information bit” and if $s_l=0$ it is a “test bit”. The corresponding “error on the information bits” is thus ${\mathbf{c}}_{\mathbf{s}}$ and the error on the test bits is ${\mathbf{c}}_{\overline{\mathbf{s}}}$. The random variable corresponding to ${\mathbf{c}}_{\mathbf{s}}$ and ${\mathbf{c}}_{\overline{\mathbf{s}}}$ are denoted ${\mathbf{C}}_I$ and ${\mathbf{C}}_T$ respectively; they depend on $\mathbf{b}$ and $\mathbf{s}$. In order to lighten the notation, we will write $P[{\mathbf{C}}_I={\mathbf{c}}_{\mathbf{s}}\mid \mathbf{b},\mathbf{s}]$ to mean the probability that the error string on the bits such that $s_i=1$ be ${\mathbf{c}}_{\mathbf{s}}$ conditional to Alice having used the basis string $\mathbf{b}$ and the selection string $\mathbf{s}$. As a consequence, $P[{\mathbf{C}}_I={\mathbf{c}}_{\mathbf{s}}\mid \mathbf{b}+\mathbf{s},\mathbf{s}]$ denotes the probability that the error string on information bits be ${\mathbf{c}}_{\mathbf{s}}$ if the selection string is $\mathbf{s}$ and the basis string is $\mathbf{b}+\mathbf{s}$, i.e. is just the same as $\mathbf{b}$ but all the bases corresponding to the positions selected by $\mathbf{s}$ (of the information bits) are replaced by their conjuguates. Equations (31) and (41) can now be rewritten more cleanly as

$$\begin{array}{cc}& d_{{\mathbf{c}}_{\mathbf{s}}}^2=P[{\mathbf{C}}_I={\mathbf{c}}_{\mathbf{s}}\mid \mathbf{b}+\mathbf{s},\mathbf{s}]=P[{\mathbf{C}}_I={\mathbf{c}}_{\mathbf{s}}\mid {\mathbf{c}}_{\overline{\mathbf{s}}},\mathbf{b}+\mathbf{s},\mathbf{s}]\hfill \end{array}$$

(42)

$$\begin{array}{cc}& \mathrm{SD}({\widehat{\rho }}_0,{\widehat{\rho }}_1)\le 2\sqrt{P\left[|{\mathbf{C}}_I|\ge d_{r,1}/2\mid \mathbf{b}+\mathbf{s},\mathbf{s}\right]}\hfill \end{array}$$

(43)

where in the right hand side of (42) we use the fact that qubits are attacked independently, the error on information bits thus being independent of the error ${\mathbf{c}}_{\overline{\mathbf{s}}}$ on test bits. Equation (43) was derived for a (virtual) flat attack associated to $\mathbf{b}$. That flat attack had the same ${\widehat{\rho }}_0$ and ${\widehat{\rho }}_1$ as the original attack, and could only give a lower error rate in the conjuguate bases. As a consequence equation (43) also holds for the original attack U and from now on, the probability of error on the right-hand side will be understood to be the one induced by the original attack $U=U_1\otimes \dots \otimes U_{2n}$.

For any such fixed attack U, Eve’s information depends only on the syndrome ξ, the characteristic string $\mathbf{s}$ for the information bits, and the corresponding bases of the information string ${\mathbf{b}}_{\mathbf{s}}$ (yet, as said, we use the entire $2n$-bit string $\mathbf{b}$).

Corollary 6.

For a 1-bit key k,

$$I(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})=I(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi )\le 2\sqrt{P\left[\left(|{\mathbf{C}}_I|\ge \frac{d_{r,1}}{2}\right)\mid \mathbf{b}+\mathbf{s},\mathbf{s}\right]}$$

(44)

where $\mathbf{K}$ is the random variable giving as output key k and $\mathbf{E}$ is the random variable corresponding to the outputs of Eve’s (optimal) measurement.

Proof.

This follows from the fact that $error({\widehat{\rho }}_0,{\widehat{\rho }}_1)$ is Eve’s accessible information on k if she holds ${\widehat{\rho }}_k$ given by (32). These states correspond to Eve’s state when Alice encodes the key-bit k assuming Eve learns ξ, $\mathbf{b}$ and $\mathbf{s}$. Eve’s information also depends in principle on ${\mathbf{c}}_{\overline{\mathbf{s}}}$ but since her attack on a qubit is independent of the other qubits, the bits of ${\mathbf{c}}_{\overline{\mathbf{s}}}$ have no influence on her state and may be omitted from the parameters on which Eve’s information I depends.    ☐

Proposition 7.

For an m-bit key $\mathbf{k}$,

$$I(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})=I(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi )\le 2m\sqrt{P\left[\left(|{\mathbf{C}}_I|\ge \frac{d_{r,m}}{2}\right)\mid \mathbf{b}+\mathbf{s},\mathbf{s}\right]}.$$

(45)

Proof.

This follows from Corollary 6 by applying the chain rule for mutual information. Details of the proof can be found in [5, Section 4.5].   ☐

The value we want to bound is Eve’s expected information, assuming Eve gets no information if the test fails, which happens when ${\displaystyle \frac{|{\mathbf{c}}_{\overline{\mathbf{s}}}|}{n}>p_a}$. If we let

$$I_{\left(p_a\right)}(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})=\left\{\begin{array}{cc}I(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi )\hfill & \text{if}{\displaystyle \frac{|{\mathbf{c}}_{\overline{\mathbf{s}}}|}{n}\le p_a}\hfill \\ 0\hfill & \text{otherwise}\hfill \end{array}\right.$$

(46)

then the accessible information to bound, denoted** $\langle I_{\text{Eve}}^{\left(p_a\right)}\rangle$, is given by

$$\langle I_{\text{Eve}}^{\left(p_a\right)}\rangle =\sum _{\mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}}}{I}_{\left(p_a\right)}(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})p(\mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}}).$$

(47)

Theorem 8.

$$\langle I_{Eve}^{\left(p_a\right)}\rangle \le 2m\sqrt{P\left[\left(\frac{|{\mathbf{C}}_I|}{n}\ge \frac{d_{r,m}}{2n}\right)\wedge \left(\frac{|{\mathbf{C}}_T|}{n}\le p_a\right)\right]}$$

(48)

where ${\displaystyle \frac{|{\mathbf{C}}_T|}{n}}$ is the random variable corresponding to the error rate on test bits and ${\displaystyle \frac{|{\mathbf{C}}_I|}{n}}$ is the random variable corresponding to the error rate on the information bits.

Proof.

The function $x^2$ is convex, i.e. ${\left({\sum }_i{p}_i{x}_i\right)}^2\le {\sum }_i{p}_i{x}_i^2$ for $p_i\ge 0$, ${\sum }_i{p}_i=1$. We apply this to the square ${\langle I_{Eve}^{\left(p_a\right)}\rangle }^2$ of the information we want to bound.

$$\begin{array}{cccc}\text{by 47}\hfill & \hfill {\langle I_{Eve}^{\left(p_a\right)}\rangle }^2& ={\left[\sum _{\mathbf{b},\left|\mathbf{s}\right|=n,\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}}}{I}_{\left(p_a\right)}(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})p(\mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})\right]}^2\hfill & \text{by convexity of }{x}^2\hfill & & \le \sum _{\mathbf{b},\left|\mathbf{s}\right|=n,\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}}}{I}_{\left(p_a\right)}^2(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})p(\mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})\hfill & \text{by (46)}\hfill & & \le \sum _{\mathbf{b},\left|\mathbf{s}\right|=n,\xi ,\frac{|{\mathbf{c}}_{\overline{\mathbf{s}}}|}{n}\le p_a}{I}^2(\mathbf{K};\mathbf{E}\mid \mathbf{b},\mathbf{s},\xi )p(\mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})\hfill & \text{by (45) and (42)}\hfill & & \le 4m^2\sum _{\mathbf{b},\left|\mathbf{s}\right|=n,\xi ,\frac{|{\mathbf{c}}_{\overline{\mathbf{s}}}|}{n}\le p_a}P\left[\left(\left|{\mathbf{C}}_I\right|\ge \frac{d_{r,m}}{2}\right)\mid {\mathbf{c}}_{\overline{\mathbf{s}}},\mathbf{b}+\mathbf{s},\mathbf{s}\right]p(\mathbf{b},\mathbf{s},\xi ,{\mathbf{c}}_{\overline{\mathbf{s}}})\hfill & & =4m^2\sum _{\mathbf{b},\left|\mathbf{s}\right|=n,\frac{|{\mathbf{c}}_{\overline{\mathbf{s}}}|}{n}\le p_a}P\left[\left(\left|{\mathbf{C}}_I\right|\ge \frac{d_{r,m}}{2}\right)\mid {\mathbf{c}}_{\overline{\mathbf{s}}},\mathbf{b}+\mathbf{s},\mathbf{s}\right]p(\mathbf{b},\mathbf{s},{\mathbf{c}}_{\overline{\mathbf{s}}}).\hfill & & \phantom{\text{by}\text{convexity}\text{of}{x}^2}\hfill \end{array}$$

Since the test bits are unaffected by replacing the basis of the information bits:

$$p(\mathbf{b},\mathbf{s},{\mathbf{c}}_{\overline{\mathbf{s}}})=p({\mathbf{c}}_{\overline{\mathbf{s}}}\mid \mathbf{b},\mathbf{s})p(\mathbf{b},\mathbf{s})=p({\mathbf{c}}_{\overline{\mathbf{s}}}\mid \mathbf{b}+\mathbf{s},\mathbf{s})p(\mathbf{b},\mathbf{s})=p({\mathbf{c}}_{\overline{\mathbf{s}}}\mid \mathbf{b}+\mathbf{s},\mathbf{s})p(\mathbf{b}+\mathbf{s},\mathbf{s})=p({\mathbf{c}}_{\overline{\mathbf{s}}},\mathbf{b}+\mathbf{s},\mathbf{s}),$$

and, letting $\tilde{\mathbf{b}}=\mathbf{b}+\mathbf{s}$,

$$\begin{array}{cccc}\hfill {\langle I_{Eve}^{\left(p_a\right)}\rangle }^2& \le 4m^2\sum _{\tilde{\mathbf{b}},\left|\mathbf{s}\right|=n,\frac{|{\mathbf{c}}_{\overline{\mathbf{s}}}|}{n}\le p_a}\left[\left(\left|{\mathbf{C}}_I\right|\ge \frac{d_{r,m}}{2}\right)\mid {\mathbf{c}}_{\overline{\mathbf{s}}},\tilde{\mathbf{b}},\mathbf{s}\right]p({\mathbf{c}}_{\overline{\mathbf{s}}},\tilde{\mathbf{b}},\mathbf{s})\hfill & & \phantom{\text{by}\text{convexity}\text{of}{x}^2}\hfill \end{array}$$

$$\begin{array}{cc}& =4m^2\sum _{\tilde{\mathbf{b}},\left|\mathbf{s}\right|=n}P\left[\left(\left|{\mathbf{C}}_I\right|\ge \frac{d_{r,m}}{2}\right)\wedge \left(\frac{|{\mathbf{C}}_T|}{n}\le p_a\right)\mid \tilde{\mathbf{b}},\mathbf{s}\right]p(\tilde{\mathbf{b}},\mathbf{s})\hfill \end{array}$$

$$\begin{array}{cc}& =4m^{2}P\left[\left(|{\mathbf{C}}_I|\ge \frac{d_{r,m}}{2}\right)\wedge \left(\frac{|{\mathbf{C}}_T|}{n}\le p_a\right)\right]\hfill \end{array}$$

(49)

3.7. Proof of security

Following the point of view of [5] we choose a code such that ${\displaystyle \frac{d_{r,m}}{2n}>p_a+ϵ}$ for some ϵ; the right-hand side of (48) is then less than ${\displaystyle P\left[\left(\frac{|{\mathbf{C}}_I|}{n}>p_a+ϵ\right)\wedge \left(\frac{|{\mathbf{C}}_T|}{n}\le p_a\right)\right]}$ which itself is exponentially small in n. For each particular string $c_1\dots c_{2n}$ corresponding to a measurement of all qubits in some admissible basis $\mathbf{b}$ we can apply Hoeffding’s sampling (Theorem 10). Let $\overline{X}=\frac{|{\mathbf{C}}_I|}{n}$ be the average of the sample corresponding to erroneous information bits; $\mu =\frac{|{\mathbf{C}}_I|+|{\mathbf{C}}_T|}{2n}$ is the expectancy of $\overline{X}$. $\frac{|{\mathbf{C}}_T|}{n}\le p_a$ is equivalent to $2\mu -\overline{X}\le p_a$, or equivalently, to $\overline{X}-\mu \ge \mu -p_a$. For the population $c_1,\dots ,c_{2n}$ the conditions ${\displaystyle \left(\frac{|{\mathbf{C}}_I|}{n}>p_a+ϵ\right)}$ and ${\displaystyle \left(\frac{|{\mathbf{C}}_T|}{n}\le p_a\right)}$ then rewrite to

$$\left(\overline{X}-\mu >ϵ+p_a-\mu \right)\wedge \left(\overline{X}-\mu \ge \mu -p_a\right)$$

(50)

which implies $2(\overline{X}-\mu )>ϵ$ and using Hoeffding’s theorem (Theorem 10)

$$P\left[\left(\frac{|{\mathbf{C}}_I|}{n}>p_a+ϵ\right)\wedge \left(\frac{|{\mathbf{C}}_T|}{n}\le p_a\right)\right]\le P\left[\overline{X}-\mu >\frac{ϵ}{2}\right]\le e^{-\frac{1}{2}n{ϵ}^2}.$$

(51)

The above discussion gives the following

Theorem 9.

Let us be given $\delta >0$, $R>0$ and, for infinitely many values of n, a family $\{v_1^n,\dots ,v_{r_n+m_n}^n\}$ of linearly independent vectors in ${\mathbf{F}}_2^n$ such that $\delta \le \frac{d_{r_n,m_n}}{n}$ and $\frac{m_n}{n}\le R$. Then for any $p_a>0$ and ${ϵ}_{\sec }>0$ such that $p_a+{ϵ}_{\sec }\le \frac{\delta }{2}$, Eve’s accessible information satisfies the following bound

$$\langle I_{\text{Eve}}^{\left(p_a\right)}\rangle \le 2Rn{e}^{-\frac{{ϵ}_{\sec }^2}{4}n}.$$

All we need to guarantee security is thus vectors $\{v_1^n,\dots ,v_{r_n+m_n}^n\}$ satisfying the conditions of the theorem. Such families were proven to exist in [5].

3.8. Reliability

For the key to be reliable, we need to be sure that the error rate on the information bits is less than the maximal rate that the error correcting code can handle. The maximum number of errors for our code will be fixed to $n(p_a+{ϵ}_{\mathrm{rel}})$. For the code to be reliable with exponentially small probability of failure, we need

$$P\left[\left(\frac{|{\mathbf{C}}_I|}{n}>p_a+{ϵ}_{\mathrm{rel}}\right)\wedge \left(\frac{|{\mathbf{C}}_T|}{n}\le p_a\right)\right]\le e^{-\frac{1}{2}n{ϵ}_{\text{rel}}^2}.$$

For any fixed set of used bits, the test bits and the information bits is a random partition with two subsets of size n and the argument used in the previous section applies. The same requirement figures in [5].

4. Conclusions and Discussion

In this paper we have analyzed the security of the BB84 protocol against any collective attack using the methods and tools used in proving security against the more powerful joint attack. By doing this we maintain the security proof relatively simple, yet we achieve a far more meaningful result than previously achieved for the collective attack [4]. The basic idea of this paper can also be found in a presentation given by one of us (M.B.), at the Technion [7].

The same theorems (8 and 9) proven in this paper, are also obtained by [5] for the joint attack. This result leads to an asymptotic error-rate threshold of 7.56%††, the same asymptotic result obtained for the joint attack in [5,8]. Note that these results are not just asymptotical but also explicit in the sense that for every ϵ and every threshold smaller than $(7.56-ϵ)$, a sufficiently large number n can explicitly be calculated such that the final key is reliable and secure. Explicit numbers expressing the reliability and security can also be obtained. To the best of our knowledge, such explicit results were not obtained via the methods shown in [9]. The threshold of 7.56% obtained here and in [5,8] still has a gap from the asymptotical threshold of 11% reported by [9]. This gap can be explained by the different choice of privacy amplification, see for instance [5,10,11].

Other researchers also reached very interesting results regarding the collective attack and its relations to the joint attack, via other methods. See for instance [12,13] in which it is proven that security against collective attacks implies security against joint attacks. However, their definition of the collective attack is not identical to the definition given in [2], which is used in [3,4] and in the current paper. Furthermore, the conjecture that the strongest joint attack is a collective attack is not addressed by [12,13] and remain an open problem. We leave the comparison of our result to the results obtained via these other methods for a future research.