No Signalling and Quantum Key Distribution 0405101

7/27/2019 No Signalling and Quantum Key Distribution 0405101

1/5

arXiv:quant-ph/0405101v3

29Apr2005

No Signalling and Quantum Key Distribution

Jonathan Barrett,1,2, Lucien Hardy,3, and Adrian Kent4,

1Physique Theorique, Universite Libre de Bruxelles,CP 225, Boulevard du Triomphe, 1050 Bruxelles, Belgium

2Centre for Quantum Information and Communication, CP 165/59,Universite Libre de Bruxelles, Avenue F. D. Roosevelt 50, 1050 Bruxelles, Belgium

3Perimeter Institute, 35 King Street North, Waterloo ON, N2J 2W9, Canada4

Centre for Quantum Computation, DAMTP, Centre for Mathematical Sciences,University of Cambridge, Wilberforce Road, Cambridge CB3 0WA, U.K.(Dated: March 2005 (revised))

Standard quantum key distribution protocols are provably secure against eavesdropping attacks,if quantum theory is correct. It is theoretically interesting to know if we need to assume the validityof quantum theory to prove the security of quantum key distribution, or whether its security canbe based on other physical principles. The question would also be of practical interest if quantummechanics were ever to fail in some regime, because a scientifically and technologically advancedeavesdropper could perhaps use post-quantum physics to extract information from quantum com-munications without necessarily causing the quantum state disturbances on which existing securityproofs rely. Here we describe a key distribution scheme provably secure against general attacks bya post-quantum eavesdropper who is limited only by the impossibility of superluminal signalling.The security of the scheme stems from violation of a Bell inequality.

PACS numbers: 03.67.-a 03.67.Dd 03.65.Ta

With the discoveries of quantum cryptography [1] andquantum key distribution [2, 3], it is now well under-stood that cryptographic tasks can be guaranteed secureby physical principles. For example, we now have proto-cols for various important tasks, including key distribu-tion, that are provably secure provided quantum theoryis correct [4]. Protocols for bit commitment have beendeveloped with security based only on the impossibilityof superluminal signalling [5, 6]. The possibility of bas-ing cryptographic security on known superselection ruleshas also recently been discussed [7, 8].

In this paper we investigate whether it is possible todevise a quantum key distribution scheme that is prov-ably secure if superluminal signalling is impossible. Weallow for eavesdroppers who can break the laws of quan-tum mechanics, as long as nothing they can do impliesthe possibility of superluminal signalling. In general, thiswill mean that the security proofs of existing quantumkey distribution protocols are no longer valid, as we canno longer assume that quantum theory correctly predictsthe tradeoff between the information that Eve can ex-tract and the disturbance she must necessarily cause.

As we show below, there is an intimate connection be-

tween the possibility of such a protocol and the violationof a Bell inequality [9, 10]. Non-local (in the sense ofBell inequality violating) correlations constitute an ex-ploitable resource for this task, just as entanglement is aresource for conventional quantum key distribution. Wepresent a quantum scheme, involving Bell violation, thatis secure against general attacks by a non-signalling Eve.

One motivation for this work is practical: existing se-curity proofs assume the validity of quantum theory, andwhile quantum theory has been confirmed in an impres-

sive range of experiments, it remains plausible that somefuture experiment will demonstrate a limit to its domainof validity. Admittedly, it is also conceivable that somefuture experiment could demonstrate the possibility ofsuperluminal signalling. But the possibilities are logi-cally independent: quantum theory could fail withoutviolating standard relativistic causality, and vice versa.A cryptographic scheme that can be guaranteed secureby either of two physical principles is more trustworthythan one whose security relies entirely on one.

There are also compelling theoretical motivations. Un-derstanding which cryptographic tasks can be guaranteedsecure by which physical principles improves our under-standing of the relationship between information theoryand physical theory. Our work also demonstrates a newway of proving security for quantum protocols, whichmay be useful in other contexts, and sheds new light onnon-locality and its relation to secrecy.

A Quantum Protocol for Secret Bit Distribution

We assume that Alice and Bob have a noise-free

quantum channel and an authenticated classical chan-nel. Consider the following protocol, which we showbelow generates a single shared secret bit, guaran-teed secure against general attacks by post-quantumeavesdroppers. Define the bases Xr = {cos r2N|0 +sin r

2N|1, sin r2N|0+cos r2N|1} for integer r. For eachbasis, we define outcomes 0 and 1 to correspond respec-tively to the projections onto the first and second basiselements. Thus Xr+N contains the same basis states asXr with the outcome conventions reversed; i.e. we inter-
http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3http://arxiv.org/abs/quant-ph/0405101v3


2/5

2

pret the bases X1 and XN below to be XN1 and X0with outcomes reversed. We take the security parametersN and M (defined below) to be large positive integers.To simplify the analysis, we will take M N.

1. Alice and Bob share n = M N2 pairs of systems,each in the maximally entangled state | =1/

2(|01 |10).2. Alice and Bob choose independent random ele-

ments riA and riB of the set {0, 1, . . . , N 1} for

each i from 1 to M N2, and measure their i-th par-ticle in the bases Ai Xri

Aand Bi Xri

B.

3. When all their measurements are complete, Aliceand Bob announce their bases over a public, au-thenticated, classical channel.

4. Alice and Bob abort the protocol and restart unless

2M N

i

c=1,0,1

|{j : Aj = Xi, Bj = Xi+c}| .

(The expected size of the sum is 3M N. The prob-ability of the condition failing is of order eMN/6.)

5. The outcomes are kept secret for one randomly cho-sen pair for which the bases chosen were Xi andXi+c for some i and c = 1, 0 or 1. We call bases ofthis form neighbouring or identical. The outcomesare announced for all the remaining pairs (for allbasis choices).

6. Alice and Bob abort the protocol if their outcomesa and b are not anti-correlated (i.e. a = b) in all thecases where they chose neighbouring or identicalbases.

7. If the protocol is not aborted, their unannouncedoutcomes define the secret bit, which is taken byAlice to be equal to her outcome and by Bob to beopposite to his.

Eavesdropping attacks

To analyse the security of this protocol, we must de-scribe formally the actions available to post-quantumeavesdroppers. To give Eve maximum power, we assume

that each pair of systems is produced by a source underher control. In a general, or collective, attack, Eve pre-pares 2n + 1 systems in a post-quantum state , sendingn systems to Alice, n to Bob, and keeping 1. The state defines measurement probabilities

P(abe|ABE),

where A = {A1, . . . , An}, B = {B1, . . . , Bn} are sets ofAlices and Bobs possible measurement choices and E =

{E1} is a set containing a possible measurement choiceof Eve, with corresponding outcomes a,b,e. This statemay be non-quantum and non-local, but must not allowsignalling even if the parties cooperate. Thus, for anypartitionings A = A1A2, B = B1B2 and E = E1E2(possibly including empty subsets), and any alternativechoices A2, B2, E2, we require that

a2b2e2

P(a1a2b1b2e1e2 |A1A2B1B2E1E2) = (1)

a2b2e2

P(a1a2b1b2e1e2 |A1A2B1B2E1E2) .

Eve may wait until all Alices and Bobs communicationsare finished before performing her measurement.

We need a further technical assumption. It seems nat-ural to postulate that, once Eve has prepared a post-quantum state , the range of measurements availableto her and their outcome probabilities are (up to rela-bellings) time-independent. In fact, a slightly weaker as-sumption suffices: we assume that in post-quantum the-ory, as in quantum theory, measurements on a sharedstate cannot be used to send signals between the partiesin any configuration (even if not spacelike separated). Ifthis assumption were dropped, one could allow a theoryin which information about the bases and outcomes ofany measurements carried out by Alice and Bob propa-gates to Eve at light speed, so she can obtain these databy a later measurement timelike separated from Alicesand Bobs. While theories of this type may seem implau-sible, or even pathological, they can be made internallyconsistent without allowing superluminal communication[12]. Clearly, secure key distribution would be impossible

if Eve could exploit a theory of this type.One can justify excluding this possibility by extendinga standard cryptographic assumption to post-quantumcryptology. Conventional security analyses of quantumkey distribution require that Alices and Bobs laborato-ries are completely secure against Eves scrutiny a nec-essary cryptographic assumption, which does not followfrom the laws of quantum theory. Similarly, in the post-quantum context, we assume that no information aboutevents in Alices and Bobs laboratories in particular,their measurements or outcomes subsequently propa-gates to Eve. Put another way, Alice and Bob have toassume they can establish secure laboratories, else cryp-

tography is pointless. The aim is to guarantee securekey distribution modulo this assumption. We shall provethat the protocol above is indeed secure against generalattacks.

Proof of security

We define Aj , Bj to be Alices and Bobs basis choicesfor the j-th pair; these are random variables, each mea-


3/5

3

surement occuring with probability 1/N. We also defineaj , bj to be their measurement outcomes and write

tj =1

3N

c=1,0,1

N1

i=0

P(aj = bj |Aj = Xi , Bj = Xi+c).

(Recall that X1 and XN are XN1 and X0 with out-comes reversed.) Note that if is local we have tj 1 2

3N. Thus this is a generalised Bell inequality (it is infact similar to the chained Bell inequality of Braunsteinand Caves [13].) If there is no eavesdropping, so thatgenuine singlet states are shared, then quantum mechan-ics gives tj = 1 O(1/(N2)), for all j, thus violatingthe inequality for large enough N. This is crucial for thesecurity of the protocol; it is violation of this inequalitythat allows Eves knowledge to be bounded. Below, weshall derive a lower bound on the value ofts for the secretpair s, given that Alices and Bobs tests are passed, andgiven that Eve is not using a strategy that almost always

fails the tests. Then we show that the lower bound on tsimplies an upper bound on Eves information, which canbe made arbitrarily small as M, N become large.

From now on, we assume that there is at least one pairfor which Alices and Bobs measurements were neigh-bouring or identical (otherwise they will abort). Let s, arandom variable, be the index of the pair chosen to de-fine the secret bit. A post-quantum state determinesthe probability P(pass) that Alices and Bobs tests arepassed, so that they do not abort the protocol.Lemma For any such that P(pass) > , we

have that

P(as = bs|pass) > 1 1/(2M N ).

Proof Let m, a random variable, be the numberof pairs for which the measurements were neighbouringor identical. For a given pair, let C be the condition thatthe measurements were neighbouring or identical and theoutcomes anti-correlated. If the secret pair satisfies C,then Alice and Bob will agree on the value of the secretbit. We denote by #(C) the number of pairs for which Cholds. Define the following four mutually exclusive andcollectively exhaustive events.

E0 m < 2M N

E1 m 2M N and #(C) < m 1E2 m 2M N and #(C) = m 1E3 m 2M N and #(C) = m.

Note that if E0 or E1 occurs, then Alice and Bob willdefinitely abort. If E3 occurs, then Alice and Bob willdefinitely not abort. A given post-quantum state de-fines a probability for each of these four events, which wewrite as P(Ei) qi.

Now we have P(pass) = q3 + q2 P(pass|E2). If E2occurs, then the test will only be passed if the secret pairdo not satisfy C. This means that we have

P(pass|E2) =MN2

i=2MN

P(m = i|E2)/i

1/(2M N). (2)

But P(pass) > , so we can write q3 > q2/(2M N).Therefore

P(as = bs|pass) = q3q3 + q2 P(pass|E2)

> 1 1/(2M N ), (3)

where the inequality follows from the fact that the righthand side of the first line either equals 1 or is monotoni-cally increasing with q3. QED.

It follows from the lemma above, the no-signalling con-

dition (1) and the chain rule for conditional probabilitiesthat, conditioned on passing the test,

ts > 1 1/(2MN ). (4)

From now on, we assume that the test is passed, and wecan consider that Alice, Bob and Eve share three sys-tems, such that Eq. (4) is satisfied. We now show thatthe knowledge that Eve can get by performing a mea-surement on her system is small.

We do this by contradiction. Thus suppose that withprobability > 0, Eve gets an outcome e0 such that

P(as = b, bs = b |As = Xk, Bs = Xk+d, e0)> (1/2)(1 + ),

for some k and d = 1, 0 or 1, where > 0 and b {0, 1}. Define

pAi P(as = b|As = Xi , e0)pBi P(bs = b|Bs = Xi , e0),

The no-signalling condition (1) ensures that pAi is in-dependent of which measurement Bob performs, and

similarly that pB

i is independent of which measurementAlice performs. This enables us to write pAk , pBk+d >

(1/2)(1 + ). Now

P(as = bs |As = Xi, Bs = Xi+c, e0) =P(as = b, bs = b |As = Xi, Bs = Xi+c, e0)

+ P(as = b, bs = b |As = Xi, Bs = Xi+c, e0) min(pAi , pBi+c) + min(1 pAi , 1 pBi+c)= 1 |pAi pBi+c| .


4/5


5/5

5

[6] A. Kent, e-print quant-ph/9906103, to appear in J. Cryp-tology (2006).

[7] A. Kitaev, D. Mayers, and J. Preskill, Phys. Rev. A 69052326 (2004).

[8] F. Verstraete and J. I. Cirac, Phys. Rev. Lett. 91, 10404(2003).

[9] J. S. Bell, Physics 1, 195 (1964), reprinted in J. S. Bell,Speakable and unspeakable in quantum mechanics (Cam-bridge University Press, Cambridge, 1987).

[10] J. F. Clauser, M. A. Horne, A. Shimony, and R. A. Holt,

Phys. Rev. Lett. 23, 880 (1969).[11] J. Barrett, N. Linden, S. Massar, S. Pironio, S. Popescu,

and D. Roberts, Phys. Rev. A 71, 022101 (2005).[12] A. Kent, e-print quant-ph/0204106.[13] S. Braunstein and C. Caves, Ann. Phys. 202, 22-56

(1990).[14] A. Valentini, Phys. Lett. A 297, 273 (2002).[15] C. H. Bennett, G. Brassard, and N. D. Mermin, Phys.

Rev. Lett. 68, 557 (1992).
http://arxiv.org/abs/quant-ph/9906103http://arxiv.org/abs/quant-ph/0204106http://arxiv.org/abs/quant-ph/0204106http://arxiv.org/abs/quant-ph/9906103

No Signalling and Quantum Key Distribution 0405101

Documents

Transcript of No Signalling and Quantum Key Distribution 0405101