Guessing probability in quantum key distribution

On the basis of the existing trace distance result, we present a simple and efficient method to tighten the upper bound of the guessing probability. The guessing probability of the final key $\mathbf{k}$ can be upper bounded by the guessing probability of another key $\mathbf{k}'$, if $\mathbf{k}'$ can be mapped from the final key $\mathbf{k}$. Compared with the known methods, our result is tighter by thousands of orders of magnitude. For example, given a $10^{-9}$-secure key from the sifted key, the upper bound of the guessing probability obtained using our method is $2 \times 10^{-3277}$. This value is smaller than the existing result $10^{-9}$ by more than 3000 orders of magnitude. Our result shows that, from the perspective of guessing probability, the performance of the existing trace distance security is actually much better than what was assumed in the past.


I. Introduction
The first Quantum Key Distribution (QKD) protocol was proposed by Bennett and Brassard in 1984, based on the fundamentals of quantum mechanics [1]. Since then, the security of QKD has always been the central issue in the quantum cryptographic field [2]. Trace distance is a very important security criterion [3,4]. It provides universal composable security [5,6], which guarantees the security of the key whatever its application may be, such as the one-time pad (OTP). This is why many studies choose trace distance as the security criterion [3,4,7,8].
In a classical practical cryptosystem, the impact of guessing probability on security is very important [9,10]. In particular, the key generated by a QKD protocol is not based on the presumed hardness of mathematical problems, so the eavesdropper Eve can only guess the final key via the measurement result of her probe. The guessing probability intuitively describes the probability that Eve correctly guesses the final key, which reflects the number of guesses that Eve needs to obtain the correct final key.
There are few studies on the guessing probability of QKD, since there are more rigorous security measures such as the trace distance [5,6], which gives composable security. This makes the crucially important theoretical foundation for the security of QKD. However, in real applications of QKD projects, customers often ask the question of guessing probability. The existing prior art results cannot give them a satisfactory upper bound [11]. Consequently, some people questioned the security of QKD by relying on the prior art results of guessing probability [12]. For example, according to the existing result [11], the guessing probability of an $\varepsilon$-secure key is about $10^{-9}$ if $\varepsilon$ is around $10^{-9}$. Although the final key is far more secure than 30 bits of perfect key, it can easily be mistaken that there are only 30 bits of security in the QKD system [12], just because they have the same guessing probability. In practice, it is not unusual that we need the guessing probability to be much smaller, such as $10^{-100}$ or $10^{-1000}$. Therefore, it is extremely important to find a tighter upper bound of the guessing probability. In this letter, starting from the composable security through the trace distance [2], we give a very efficient and simple method to evaluate the guessing probability. Typically, compared with those previous results, the method proposed here can reduce the upper bound value of the guessing probability by hundreds or even thousands of orders of magnitude.
II. The guessing probability

We consider the security definitions of a practical QKD protocol with finite size under the framework of composable security [3,4,13,14]. Suppose that Alice and Bob get two $N$-bit sifted key strings, $\mathbf{s}$ and $\mathbf{s}'$. By performing an error correction and privacy amplification scheme, Alice gets an $n_1$-bit key $\mathbf{k}$ and Bob gets an estimate of $\mathbf{k}$ from $\mathbf{s}$ and $\mathbf{s}'$. The protocol is $\varepsilon_{cor}$-correct if the probability that Bob's estimate differs from $\mathbf{k}$ is at most $\varepsilon_{cor}$. In general, the key $\mathbf{k}$ of Alice can be correlated with an eavesdropper system, and the density matrix of Alice and Eve is $\rho_{AE}$. The protocol outputs an $\varepsilon$-secure key [7] if $\rho_{AE}$ is within trace distance $\varepsilon$ of the product of the fully mixed state $\rho_U$ of Alice's system with Eve's state, where $\|\cdot\|_1$ denotes the trace norm. The protocol is $\varepsilon_{tol}$-secure if $\varepsilon_{cor}$ and $\varepsilon$ satisfy $\varepsilon_{cor} + \varepsilon \le \varepsilon_{tol}$, which means it is $\varepsilon_{tol}$-indistinguishable from a perfect protocol (which is correct and secret). Without any loss of generality, we consider the case of $\varepsilon_{cor} = \varepsilon$ in this article.

arXiv:1904.12075v3 [quant-ph] 7 Aug 2019
We define the security level:

Definition 1. If key $\mathbf{k}$ is $\varepsilon$-secure, we also say the security level of key $\mathbf{k}$ is $\varepsilon$.

For symbol clarity, we shall use the notation $\varepsilon_k$ for the security level of key $\mathbf{k}$. With this definition, we shall say key $\mathbf{k}$ is $\varepsilon_k$-secure, or its security level is $\varepsilon_k$.

We define the guessing probability:

Definition 2. Let the final key generated by the QKD protocol be $\mathbf{k}$. The guessing probability of $\mathbf{k}$ is defined as the success probability of the attacker Eve guessing the final key via her measurement result, and is denoted as $p(\mathbf{k})$.

Lemma 1. The guessing probability of an $\varepsilon_k$-secure key $\mathbf{k}$ with length $n_1$ is not larger than $2^{-n_1} + \varepsilon_k$. This is a conclusion from Ref. [11]. The proof has been given in Ref. [11] already; for the reader's convenience, we write the proof again in Appendix A.

According to Lemma 1, the guessing probability of key $\mathbf{k}$ can be divided into two parts: one part, $2^{-n_1}$, is related to the length of the key, and the other part, $\varepsilon_k(n_1)$, is related to the security level. Under the framework of universally composable security, when calculating the final key length, we often set the security level between $10^{-9}$ and $10^{-24}$, which is much bigger than $2^{-n_1}$, because $n_1$ is often $10^3$, $10^4$ or larger. Therefore, $2^{-n_1}$ can be ignored and $p(\mathbf{k}) \le \bar p(\mathbf{k}) \sim O(\varepsilon_k)$. In that case, however, the guessing probability of a secure key with a length of only tens of bits can also reach this magnitude. Therefore, when the security requirements are very high, it is obviously not enough for a key with a length of thousands of bits or longer if the upper bound of the guessing probability only stops at this magnitude. Therefore, we cannot simply use this formula alone to get the upper bound of the guessing probability. Fortunately, we have a much better way of tightening the bound, which we present in the following.
Lemma 2. If key $\mathbf{k}$ can be mapped to string $\mathbf{k}'$ by a map $M$ that is known to Eve, then the guessing probability of $\mathbf{k}$ cannot be larger than the guessing probability of string $\mathbf{k}'$, i.e., $p(\mathbf{k}) \le p(\mathbf{k}')$. Here $p(\mathbf{k})$ and $p(\mathbf{k}')$ are the guessing probabilities of $\mathbf{k}$ and $\mathbf{k}'$, respectively.

Proof. This lemma is obvious: whenever Eve correctly guesses $\mathbf{k}$, she obtains $\mathbf{k}'$ with certainty because she knows the map $M$. Otherwise, Eve can still correctly guess $\mathbf{k}'$ with a probability not less than 0, i.e. $p(\mathbf{k}') = p(\mathbf{k}) + \delta$, $\delta \ge 0$.

Theorem 1. If an $\varepsilon_k$-secure key $\mathbf{k}$ with length $n_1$ can be mapped to an $\varepsilon_{k'}$-secure key $\mathbf{k}'$ with length $n_2$, the guessing probability of $\mathbf{k}$ cannot be larger than that of $\mathbf{k}'$, i.e.
$$p(\mathbf{k}) \le \bar p(\mathbf{k}') = 2^{-n_2} + \varepsilon_{k'}. \quad (3)$$

Proof. This theorem actually requires two conditions: i) the final key $\mathbf{k}$ can be mapped to the string $\mathbf{k}'$; ii) the string $\mathbf{k}'$ can be regarded as an $\varepsilon_{k'}$-secure key.
With these two conditions, the proof is very simple. Given condition i), we can apply Lemma 2 to obtain $p(\mathbf{k}) \le p(\mathbf{k}')$ (4). Given condition ii), we can apply Lemma 1 to obtain $p(\mathbf{k}') \le 2^{-n_2} + \varepsilon_{k'}$ (5). According to Eqs. (4) and (5), we obtain $p(\mathbf{k}) \le 2^{-n_2} + \varepsilon_{k'}$. This ends our proof of Theorem 1.
As discussed above, if the lengths of the final key $\mathbf{k}$ and of the string $\mathbf{k}'$ are very large, then $2^{-n_1}$ and $2^{-n_2}$ can be ignored. Meanwhile, when $n_2 < n_1$, Theorem 1 gives a tighter upper bound of the guessing probability.
III. Method

With Theorem 1, it is now possible for us to get a much tighter upper bound of the guessing probability of an $\varepsilon_k$-secure key $\mathbf{k}$. Instead of directly applying Lemma 1, we choose to first map $\mathbf{k}$ to an $n_2$-bit string $\mathbf{k}' = M(\mathbf{k})$. If string $\mathbf{k}'$ itself can be regarded as an $\varepsilon_{k'}$-secure final key, we can apply Theorem 1 through calculating $p(\mathbf{k}')$, and we obtain a much smaller upper bound of the guessing probability of $\mathbf{k}$ if $\varepsilon_{k'}$ is very small and $n_2$ is not too small. The problems remaining for us are what the map $M$ is, how to make sure that $\mathbf{k}' = M(\mathbf{k})$ is another key which is $\varepsilon_{k'}$-secure, and how to calculate $\varepsilon_{k'}$. We start our method with the hashing function in the key distillation.
Our hashing function. We take the key distillation with the random matrix. Denote by $R_{nN}$ the $n \times N$ random matrix with each element being either 0 or 1 at random. Also, we represent the $N$-bit sifted string $\mathbf{s}$ by a column vector $\mathbf{S}$ which contains $N$ elements. To obtain an $n$-bit final key, we simply take the calculation $R_{nN}\mathbf{S}$. As one may easily check, our random matrix is a class of two-universal hashing function family [2].
Suppose we have distilled out the $n_1$-bit key $\mathbf{k}$ from the $N$-bit sifted key $\mathbf{s}$ through hashing by our random matrix $R_{n_1 N}$. We can map the $n_1$-bit key $\mathbf{k}$ into the $n_2$-bit string $\mathbf{k}' = M(\mathbf{k})$ simply by deleting the last $n_1 - n_2$ bits from the key string $\mathbf{k}$. Obviously, this string $\mathbf{k}'$ mapped from $\mathbf{k}$ can also be regarded as another final key distilled from the sifted key $\mathbf{S}$ by the $n_2 \times N$ random hashing matrix $R_{n_2 N}$, which is a submatrix of $R_{n_1 N}$. In summary, we have $\mathbf{k}' = M(\mathbf{k}) = R_{n_2 N}\mathbf{S}$. This means, on the one hand, that $\mathbf{k}'$ is a string mapped from key $\mathbf{k}$, and on the other hand, that $\mathbf{k}'$ can be regarded as another final key of length $n_2$ distilled from the sifted key $\mathbf{s}$. Since the two conditions in Theorem 1 are satisfied, according to Theorem 1 we can get a tighter upper bound of $p(\mathbf{k})$ with Eq. (3) if we know the security level of key $\mathbf{k}'$, i.e., the value of $\varepsilon_{k'}$. Since our random matrix is a class of two-universal hashing function, the value $\varepsilon_{k'}$ depends on $n_2$ [4]. Details on the calculation of $\varepsilon_{k'}$ given $n_2$ are shown in Appendix B. Hence, in a QKD protocol using the random hashing matrix presented here, to get the upper bound of the guessing probability of the $n_1$-bit final key $\mathbf{k}$, we can summarize the procedure above by the following scheme:

Scheme 1) Given the $n_1$-bit final key $\mathbf{k}$, we delete its last $n_1 - n_2$ bits and obtain string $\mathbf{k}'$. 2) We regard $\mathbf{k}'$ as another possible final key which is $\varepsilon_{k'}$-secure, and compute the $\varepsilon_{k'}$ value of $\mathbf{k}'$ with the input parameters $N$ and $n_2$.
Since in our scheme the value of $\varepsilon_{k'}$ depends on $n_2$, as shown in Appendix B, we can now replace $\varepsilon_{k'}$ by a functional form, $\varepsilon_{k'}(n_2)$. To obtain a tighter upper bound value of the guessing probability in scheme 1, we need to choose an appropriate $n_2$ value. In our calculation, we set the condition for the appropriate $n_2$ as follows.
On the one hand, for any $n > n_2$ we have the corresponding relation between $2^{-n}$ and $\varepsilon_{k'}(n)$. Therefore, in this study, we set $2^{-n_2} = \varepsilon_{k'}(n_2)$ and get a tightened guessing probability $2^{-n_2+1}$.
Once we find the value $n_2$ and the corresponding $\varepsilon_{k'}(n_2)$, we calculate $p(\mathbf{k}')$ by Eq. (3). Obviously, this is the upper bound of the guessing probability of all those final keys $\mathbf{k}$ of length $n_1$ provided that $n_1 > n_2$. Thus we can actually use a more efficient scheme to get the upper bound of the guessing probability of key $\mathbf{k}$, as the following Theorem 2:

Theorem 2. In a QKD protocol, if the $n_1$-bit final key $\mathbf{k}$ is distilled from the sifted key $\mathbf{s}$ by using the random matrix $R_{n_1 N}$, the guessing probability of $\mathbf{k}$ can be upper bounded by
$$p(\mathbf{k}) \le 2^{-(n_2 - 1)}, \quad (8)$$
where $n_2 < n_1$ satisfies $2^{-n_2} = \varepsilon_{k'}(n_2)$.

There are two important points that need to be noticed. The first one is that, when applying our theorem to obtain the non-trivial upper bound of the guessing probability for the final key $\mathbf{k}$, we do not really need to map $\mathbf{k}$ to another string $\mathbf{k}'$; we only need the existence of a map that can map $\mathbf{k}$ to $\mathbf{k}'$. As shown above, the existence has been proven. The second one is that, in this letter, we use the random matrix $R_{nN}$ as a family of two-universal hash functions to distill the key, for illustrating our conclusion more intuitively. Of course, we can also use the modified Toeplitz matrix [8] instead of the random matrix $R_{nN}$. In that case, the final key $\mathbf{k}$ can also be mapped to the string $\mathbf{k}'$, and the string $\mathbf{k}'$ can also be regarded as an $\varepsilon_{k'}$-secure key. It means that the proposed theorem in this study still holds. Therefore, the flow chart of our method of bounding the guessing probability is shown in Fig. 1.
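The scheme above, as an added worked example (not the paper's own code): it hashes a constructed sifted string with a random 0/1 matrix, checks that deleting the last $n_1 - n_2$ key bits gives the same result as hashing with the first $n_2$ rows (the two conditions of Theorem 1), and then searches the integer $n_2$ with $2^{-n_2} = \varepsilon_{k'}(n_2)$ to form the Theorem 2 bound. It assumes the matrix product is taken over GF(2), and `eps_toy` is a constructed stand-in for the real $\varepsilon_{k'}(n_2)$ of Appendix B, whose equation is not reproduced here.

```python
import random

# Added example, not from the paper. eps_toy is a CONSTRUCTED security-level
# function with the right shape (grows with n2); replace it with Eq. (B2)
# of the paper to obtain real numbers.

def random_hash_matrix(n, N, seed=0):
    """n x N matrix R_nN with every entry 0 or 1 uniformly at random."""
    rng = random.Random(seed)
    return [[rng.randrange(2) for _ in range(N)] for _ in range(n)]

def hash_key(R, s):
    """k = R S over GF(2) (assumption): bit i is the parity of <row i, s>."""
    assert all(len(row) == len(s) for row in R)
    return [sum(r & b for r, b in zip(row, s)) & 1 for row in R]

def truncate(k, n2):
    """The map M of Sec. III: delete the last n1 - n2 bits of k."""
    assert 0 < n2 <= len(k)
    return k[:n2]

def lemma1_bound(n, eps):
    """Lemma 1: an eps-secure n-bit key has guessing probability <= 2^-n + eps."""
    return 2.0 ** (-n) + eps

def eps_toy(n2, h_avail=300.0):
    """CONSTRUCTED stand-in for eps_{k'}(n2): 2^{-(H - n2)/2} for an assumed
    available entropy H; it increases with n2 like a leftover-hash bound."""
    return 2.0 ** (-(h_avail - n2) / 2.0)

def choose_n2(eps_fn, n1):
    """Discretised condition 2^-n2 = eps_{k'}(n2) (assumption: integer n2):
    the largest n2 < n1 with eps_fn(n2) <= 2^-n2, so 2^-n2 + eps <= 2^-(n2-1)."""
    for n2 in range(n1 - 1, 0, -1):
        if eps_fn(n2) <= 2.0 ** (-n2):
            return n2
    return None

def theorem2_bound(eps_fn, n1):
    """Theorem 2: p(k) <= 2^-(n2-1) for the n2 found above (None if none)."""
    n2 = choose_n2(eps_fn, n1)
    return None if n2 is None else 2.0 ** (-(n2 - 1))

if __name__ == "__main__":
    # Constructed 16-bit sifted string and an 8 x 16 random hashing matrix.
    s = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]
    R = random_hash_matrix(8, 16, seed=1)
    k = hash_key(R, s)
    # Conditions i) and ii) of Theorem 1: the truncated key equals the key
    # distilled by the submatrix R_{n2 N} (its first n2 rows).
    assert truncate(k, 5) == hash_key(R[:5], s)
    n1 = 200
    print("Lemma 1 at n1:", lemma1_bound(n1, eps_toy(n1)))
    print("n2 =", choose_n2(eps_toy, n1), "Theorem 2:", theorem2_bound(eps_toy, n1))
```

With the toy function the search stops at $n_2 = 100$, where the Theorem 2 bound $2^{-99}$ is about 49 orders of magnitude (in base 2) below the Lemma 1 bound at $n_1 = 200$, which is dominated by $\varepsilon_{k'}(200)$.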
IV. Discussion

Table I describes the upper bounds of the guessing probability calculated for different $N_{tol}$, where $N_{tol}$ is the length of the total string that includes the sifted key for key generation and the string used to do parameter estimation. In Table I, $N_{tol} = 10^4, 10^5, 10^6$ respectively. We can see from Table I that when $N_{tol} = 10^6$, $n = 4.90 \times 10^5$ and the guessing probabilities obtained using the methods of [12] and [11] are about $10^{-6}$ and $10^{-9}$ respectively. However, using our method the guessing probability can be reduced to $2 \times 10^{-3277}$, which is tighter by thousands of orders of magnitude than the prior art methods. As $N_{tol}$ increases, the length of the final key also increases, but the guessing probabilities in [12] and [11] almost remain unchanged. Compared with [12] and [11], the guessing probability obtained by our method is significantly reduced, which is more realistic and tighter. It should be noted that we calculate the case without the KPA in Table I. Now we consider the case of the KPA in QKD with our method. Suppose Eve has known $t$ bits of the final $n_2$-bit key $\mathbf{k}'$. The upper bound of the guessing probability of key $\mathbf{k}$ is now equal to that of an ideal $(n_2 - t - 1)$-bit key. Table II compares the length $n$ of the $\varepsilon$-secure key and the length $n'$ of the $\varepsilon'$-secure key when the total length of the sifted key is $10^4$, $10^5$ and $10^6$ respectively. This table shows that if we simply use Lemma 1, in order to achieve a smaller security level $\varepsilon'$, the length $n'$ of the $\varepsilon'$-secure key is significantly reduced compared with $n$, thereby greatly reducing the rate $r' = n'/N_{tol}$. However, using our method of Theorem 2, at the higher rate $r = n/N_{tol}$ there is still a very small guessing probability, as can be seen from Table I.
Our result shows that, from the viewpoint of guessing probability, the performance of the existing trace distance security is actually much better than what was assumed in the past. Incidentally, after Ref. [11], a looser upper bound of $10^{-6}$ for Eve's guessing probability was presented [12]. We emphasize that this looser upper bound does not in any sense constitute evidence for challenging the validity of the existing security proof of QKD [11]. Although a large value of a lower bound on Eve's guessing probability can show insecurity, a large value of an upper bound cannot. Note that, if one does not make any effort, one can also conclude a large-value upper bound of 100% for Eve's guessing probability. Such a value is a correct upper bound, but not a meaningful one: if any new upper bound is larger than the prior art result, it only means that the "new upper bound" is trivial and meaningless, not that the prior art result is invalid. Now we point out in which step Ref. [12] has overestimated the value of the guessing probability. When the security level is $\varepsilon$, the cases of $d > \varepsilon$ lead to an empty key because they do not meet the security criterion of trace distance. So the situation of $d > \varepsilon$ should not be taken into consideration. But Eq. (30) of Ref. [12] calculates the guessing probability by the Markov inequality and assumes the probability of $d > \varepsilon$ is bigger than zero; this unreasonably loosens the upper bound values of the guessing probability.
V. Conclusion

In this letter, our goal is to obtain a tighter guessing probability bound. Based on the existing security criterion (trace distance) and a general property of the guessing probability, we propose a simple and efficient method to tighten the upper bound of the guessing probability. We find that the guessing probability $p(\mathbf{k})$ of $\mathbf{k}$ can be upper bounded by $2^{-(n_2-1)}$, where $n_2$ satisfies $2^{-n_2} = \varepsilon_{k'}(n_2)$ and $n_2 < n_1$. In particular, a simple random matrix $R_{nN}$ can be used to distill the final key. Compared with prior art results, in which the upper bound of the guessing probability of an $\varepsilon$-secure key is about $\varepsilon$, our method gives a tighter upper bound. Therefore, the loose upper bound for the guessing probability obtained in Ref. [12] cannot be regarded as evidence to question the validity of the existing security proof of QKD.
Appendix A: Proof of Lemma 1

Eve's guessing probability of string $x$ is $q(x)$, and the maximum guessing probability is $p_{guessing} = \max_{x \in X}\{q(x)\}$. Without any loss of generality, assume that the maximum guessing probability is $q(x')$. Note that $\sum_{x \in X} q(x) = 1$; then Eqs. (A1)-(A3) hold. From Eqs. (A1)-(A3), we have $p_{guessing} \le 2^{-n_1} + \varepsilon_x$, and thus for the $n_1$-bit $\varepsilon_k$-secure key $\mathbf{k}$ the guessing probability satisfies $p(\mathbf{k}) \le \bar p(\mathbf{k}) = 2^{-n_1} + \varepsilon_k$, where $\bar p(\mathbf{k})$ is the upper bound of $p(\mathbf{k})$. This ends our proof of Lemma 1.

Appendix B: The calculation of $\varepsilon_{k'}$

We consider the security definitions of a practical QKD protocol with finite size under the framework of composable security [4,13,14]. Suppose that Alice and Bob get two $N$-bit sifted key strings. By performing an error correction and privacy amplification scheme, Alice gets an $n$-bit final key $\mathbf{k}$ and Bob gets an estimate of $\mathbf{k}$. The protocol is $\varepsilon_{cor}$-correct if the probability that Bob's estimate differs from $\mathbf{k}$ is at most $\varepsilon_{cor}$. In general, the key $\mathbf{k}$ of Alice can be correlated with an eavesdropper system, and the density matrix of Alice and Eve is $\rho_{AE}$. The protocol outputs an $\varepsilon_k$-secure key [13] if $\rho_{AE}$ is within trace distance $\varepsilon_k$ of the product of the fully mixed state $\rho_U$ of Alice's system with Eve's state, where $\|\cdot\|_1$ denotes the trace norm. The protocol is $\varepsilon_{tol}$-secure if $\varepsilon_{cor}$ and $\varepsilon_k$ satisfy $\varepsilon_{cor} + \varepsilon_k \le \varepsilon_{tol}$, which means it is $\varepsilon_{tol}$-indistinguishable from an ideal protocol. Without any loss of generality, we consider the case of $\varepsilon_{cor} = \varepsilon_k$.
From Lemma 1, we can calculate $\bar p(\mathbf{k})$ given the $n$-bit $\varepsilon_k$-secure key $\mathbf{k}$. In this situation, $\bar p(\mathbf{k}) = 2^{-n} + \varepsilon_k$. However, in our method with the random matrix $R$, we only know $N$, the length of the sifted key, and $n_2$, the length of the string $\mathbf{k}'$ mapped from $\mathbf{k}$. String $\mathbf{k}'$ itself can also be regarded as another final key distilled from the sifted key. According to Ref. [4], with $N$ and $n_2$, the final key is $\varepsilon_{k'}$-secure if $\varepsilon_{k'}$ satisfies Eq. (B2), where the term $\mu$ is defined as in Ref. [4], $N_z$ is the length of the string used for parameter estimation, $h$ denotes the binary Shannon entropy function, $h(x) = -x\log x - (1-x)\log(1-x)$, and $Q_{tol}$ represents the channel error tolerance. To obtain non-trivial results, we take equality in Eq. (B2) to calculate the value of $\varepsilon_{k'}$, given the input $n_2$. Since $\varepsilon_{k'}$ depends on $n_2$, we use the notation $\varepsilon_{k'}(n_2)$ for $\varepsilon_{k'}$. Here, $\varepsilon_{k'}(n_2)$ means that, given $n_2$, we find the value of $\varepsilon_{k'}$ numerically by Eq. (B2). In our calculation, we choose the specific $n_2$ value that satisfies
$$2^{-n_2} = \varepsilon_{k'}(n_2). \quad (B3)$$
Combining this with Eq. (B2), we obtain Eq. (B4) for a tightened $\varepsilon_{k'}$ value, from which we calculate the value of $\varepsilon_{k'}$ and then the guessing probability by Eq. (8) in the main body text.

FIG. 1: Flow chart of our method of bounding the guessing probability.

TABLE I: Comparison of the guessing probability in the case of $Q_{tol} = 2.14\%$, where $Q_{tol}$ is the channel error tolerance, $N_z = 0.22 N_{tol}$ is the length of the string used to do parameter estimation, $N_{tol}$ is the total length of the sifted key, $N = 0.78 N_{tol}$ is the length of the string for key generation, $\varepsilon = 10^{-9}$ is the security level, $n$ is the length of the $10^{-9}$-secure key, and $p_{guessing}$ is the probability of correctly guessing the final key. In particular, $p^{Thm.2}_{guessing}$ is the result of Theorem 2 of this work.

TABLE II: Comparison of the rate $r = n/N_{tol}$ and $r' = n'/N_{tol}$ under the same parameters as Table I. $\varepsilon$ and $\varepsilon'$ are the security levels, and $n$ and $n'$ are the lengths of the $\varepsilon$-secure key and the $\varepsilon'$-secure key respectively.