Abstract
On the basis of the existing trace distance result, we present a simple and efficient method to tighten the upper bound of the guessing probability. The guessing probability of the final key k can be upper bounded by the guessing probability of another key \({\bf{k}}^{\prime}\), if \({\bf{k}}^{\prime}\) can be mapped from the final key k. Compared with the known methods, our result is more tightened by thousands of orders of magnitude. For example, given a 10^{−9}-secure key from the sifted key, the upper bound of the guessing probability obtained using our method is 2 × 10^{−3277}. This value is smaller than the existing result 10^{−9} by more than 3000 orders of magnitude. Our result shows that from the perspective of guessing probability, the performance of the existing trace distance security is actually much better than what was assumed in the past.
Introduction
The first quantum key distribution (QKD) protocol was proposed by Bennett and Brassard in 1984; the protocol was based on the fundamentals of quantum mechanics^{1}. Since then, the security of QKD has always been the central issue in the quantum cryptographic field^{2}. Trace distance is a very important security criterion^{3,4}. It provides universal composable security^{5,6}, which can guarantee the security of the key regardless of its application, such as the one-time pad (OTP). This is why many studies choose trace distance as the security criterion^{3,4,7,8}.
In a classical practical cryptosystem, the impact of guessing probability on security is very important^{9,10}. Specifically, the key generated by the QKD protocol is not based on the presumed hardness of mathematical problems; thus, the eavesdropper Eve can only guess the final key via the measurement result of her probe. The guessing probability intuitively describes the probability that Eve can correctly guess the final key, which can reflect the number of guesses that Eve requires to obtain the final key.
There are few studies on the guessing probability of QKD, because there are more rigorous security criteria, such as the trace distance^{5,6}, which gives composable security. This makes the theoretical foundation for the security of QKD crucially important. However, in real applications of QKD projects, customers often ask about the guessing probability. The existing prior art results cannot give them a satisfactory upper bound^{11}. Consequently, some people questioned the security of QKD by relying on the prior art results of guessing probability^{12}. For example, according to the existing result^{11}, the guessing probability of the ε-secure key is approximately 10^{−9} if ε is approximately 10^{−9}. From the perspective of guessing probability, the security of the value 10^{−9} is equivalent to that of 30 perfect bits. The existing classical computer systems can easily crack such a key. In practice, it is not unusual to request a much smaller guessing probability such as 10^{−100} or 10^{−1000}. Therefore, it is beneficial to find a more tightened upper bound of guessing probability.
As an important criterion in cryptography, guessing probability alone cannot guarantee the security of the final key. However, the large value of the loose upper bound of the guessing probability does not indicate the insecurity of the final key^{12} because the value is not achievable by Eve, and one can find a more tightened value for the upper bound of the guessing probability. Here, by applying the trace distance criterion^{2}, we find such tightened bound. We show that the guessing probability is actually smaller than the existing bound values by many orders of magnitude if one takes the privacy amplification by Toeplitz matrix. This shows that the trace distance criterion^{2} can actually produce a much better result than what was assumed previously in the viewpoint of guessing probability.
Results
We consider the security definitions of a practical QKD protocol with finite size under the framework of composable security^{3,4,13,14}. Suppose that Alice and Bob get two N-bit sifted key strings, s and \({\bf{s}}^{\prime}\). By performing an error correction and privacy amplification scheme, Alice gets an n_{1}-bit key k, and Bob gets an estimate key \(\hat{{\bf{k}}}\) of k from s and \({\bf{s}}^{\prime}\). The protocol is ε_{cor}-correct if \(P[{\bf{k}}\,\ne\, \hat{{\bf{k}}}]\le {\varepsilon }_{{\rm{cor}}}\). In general, the key k of Alice can be correlated with an eavesdropper system, and the density matrix of Alice and Eve is ρ_{AE}. The protocol outputs an ε-secure key^{7}, if
where ∥ ⋅ ∥_{1} denotes the trace norm, ρ_{U} is the fully mixed state of Alice’s system. The protocol is ε_{tol}-secure if ε_{cor} and ε satisfy ε_{cor} + ε ≤ ε_{tol}, which means that it is ε_{tol}-indistinguishable from a perfect protocol (which is correct and secret). Without any loss of generality, we consider the case of ε_{cor} = ε in this article.
We define the security level:
Definition 1
If key k is ε-secure, the security level of key k is ε.
For symbol clarity, we will use notation ε_{k} for the security level of key k. With this definition, we can say that the key k is ε_{k}-secure or that its security level is ε_{k}.
We define the guessing probability:
Definition 2
Let the final key generated by the QKD protocol be k; the guessing probability of k is defined as the success probability of the attacker Eve guessing the final key via her measurement result and is denoted as p(k).
Lemma 1
The guessing probability of an ε_{k}-secure key k with length n_{1} is not larger than \(\frac{1}{{2}^{{n}_{1}}}+{\varepsilon }_{{\bf{k}}}\).
This is a conclusion from ref. ^{11}. The proof has been already given in ref. ^{11}; for the convenience of readers, we write the proof again in the “Methods” section.
According to Lemma 1, the guessing probability of key k can be divided into two parts; one part \({2}^{-{n}_{1}}\) is related to the length of the key, the other part ε_{k}(n_{1}) is related to the security level. Under the framework of universally composable security, when calculating the final key length, we often set the security level between 10^{−9} and 10^{−24}, which is much bigger than \({2}^{-{n}_{1}}\) because n_{1} is often 10^{3}, 10^{4}, or larger. Therefore, \({2}^{-{n}_{1}}\) can be ignored and \(p({\bf{k}})\le \bar{p}({\bf{k}}) \sim {\mathcal{O}}(\varepsilon ({\bf{k}}))\). However, the guessing probability of a secure key with a length of tens of bits can also reach this magnitude. Therefore, when the security requirements are very high, it is clearly not enough for a key with a length of thousands of bits or even longer if the upper bound of guessing probability only stops at this magnitude. Therefore, we cannot simply use this formula alone to obtain the upper bound of the guessing probability. Fortunately, we have a much better way for tightening the bound. The approach will be presented below.
Lemma 2
If key k can be mapped to string \({\bf{k}}^{\prime}\) by a map M that is known to Eve, then the guessing probability of k cannot be larger than the guessing probability of string \({\bf{k}}^{\prime}\), i.e.,
Here \(p({\bf{k}}),p({\bf{k}}^{\prime} )\) are the guessing probabilities of k and \({\bf{k}}^{\prime}\), respectively.
Proof. This lemma is clear because when Eve can correctly guess k, Eve can obtain \({\bf{k}}^{\prime}\) by knowing the map M. Otherwise, Eve can still correctly guess the \({\bf{k}}^{\prime}\) with a probability not less than 0, i.e., \(p({\bf{k}}^{\prime} )=p({\bf{k}})+\delta ,\delta \ge 0\).
Theorem 1
If the ε_{k}-secure key k with a length n_{1} can be mapped to the \({\varepsilon }_{{\bf{k}}^{\prime} }\)-secure key \({\bf{k}}^{\prime}\) with length n_{2}, the guessing probability of k cannot be larger than that of \({\bf{k}}^{\prime}\), i.e.,
Proof. This theorem actually requires two conditions:

(i) the final key k can be mapped to the string \({\bf{k}}^{\prime}\),
(ii) the string \({\bf{k}}^{\prime}\) can be regarded as an \({\varepsilon }_{{\bf{k}}^{\prime} }\)-secure key.
Using the abovementioned conditions, the proof is very simple. Given the condition (i), we can apply Lemma 2 to obtain
Given the condition (ii), we can apply Lemma 1 to obtain
where \(\bar{p}({\bf{k}}^{\prime} )\) is the upper bound of \(p({\bf{k}}^{\prime} )\). According to Eqs. (4) and (5), we can obtain
This ends our proof of Theorem 1.
As discussed above, if the length of the final key k and the string \({\bf{k}}^{\prime}\) are very large, then \({2}^{-{n}_{1}}\) and \({2}^{-{n}_{2}}\) can be ignored. Meanwhile, if n_{2} < n_{1} and \({\varepsilon }_{{\bf{k}}^{\prime} }\,<\,{\varepsilon }_{{\bf{k}}}\), then \({2}^{-{n}_{2}}+{\varepsilon }_{{\bf{k}}^{\prime} } \sim {\varepsilon }_{{\bf{k}}^{\prime} }\le {\varepsilon }_{{\bf{k}}} \sim {2}^{-{n}_{1}}+{\varepsilon }_{{\bf{k}}}\). Thus, Theorem 1 can provide a tighter upper bound of guessing probability.
Using Theorem 1, it is now possible for us to obtain the upper bound of the guessing probability of the ε_{k}-secure key k more tightly. Instead of directly applying Lemma 1, we choose to first map k to an n_{2}-bit string \({\bf{k}}^{\prime} =M({\bf{k}})\). If the string \({\bf{k}}^{\prime}\) itself can be regarded as an \({\varepsilon }_{{\bf{k}}^{\prime} }\)-secure final key, we can apply Theorem 1 by calculating \(\bar{p}({\bf{k}}^{\prime} )\). In addition, we can obtain a much smaller upper bound of the guessing probability of k if \({\varepsilon }_{{\bf{k}}^{\prime} }\) is very small and n_{2} is not too small. Now, the remaining problems are to determine the map M, to make sure that \({\bf{k}}^{\prime} =M({\bf{k}})\) is another key that is \({\varepsilon }_{{\bf{k}}^{\prime} }\)-secure, and to calculate \({\varepsilon }_{{\bf{k}}^{\prime} }\). We start our method with the hashing function in the key distillation.
Our hashing function
We use the key distillation with the random matrix. Denote R_{nN} as the n × N random matrix with each element being randomly chosen to be either 0 or 1. In addition, we represent the N-bit sifted string s by a column vector, which contains N elements. To obtain the n-bit final key, we use the calculation R_{nN}s. It can be easily confirmed that our random matrix belongs to the class of two-universal hashing function family^{2}.
Suppose we have distilled out the n_{1}-bit key k from the N-bit sifted key s through hashing by our random matrix \({R}_{{n}_{1}N}\). We can map the n_{1}-bit key k into the n_{2}-bit string \({\bf{k}}^{\prime} =M({\bf{k}})\) by deleting the last n_{1} − n_{2} bits from the key string k. Clearly, this string \({\bf{k}}^{\prime}\) mapped from k can be also regarded as another final key distilled from the sifted key s by the n_{2} × N random hashing matrix \({R}_{{n}_{2}N}\), which is a submatrix of \({R}_{{n}_{1}N}\). In summary, we have
This means that \({\bf{k}}^{\prime}\) is a string mapped from key k. Moreover, \({\bf{k}}^{\prime}\) can be regarded as another final key of length n_{2} distilled from the sifted key s. Because the two conditions in Theorem 1 are satisfied, according to Theorem 1, we can obtain a tightened upper bound of p(k) with Eq. (3) if we know the security level of key \({\bf{k}}^{\prime}\), i.e., the value of \({\varepsilon }_{{\bf{k}}^{\prime} }\). Because our random matrix is a class of two-universal hashing function, the value \({\varepsilon }_{{\bf{k}}^{\prime} }\) depends on n_{2} (ref. ^{4}). The details are shown in the “Methods” section and explain the calculation of \({\varepsilon }_{{\bf{k}}^{\prime} }\) for n_{2}. Hence, in the QKD protocol that uses a random hashing matrix presented here, to obtain the upper bound of the guessing probability of the n_{1}-bit final key k, we can summarize the procedure above by the following scheme:
Scheme
(1) Given the n_{1}-bit final key k, we delete its last n_{1} − n_{2} bits and obtain a string \({\bf{k}}^{\prime}\).
(2) We regard \({\bf{k}}^{\prime}\) as another possible final key that is \({\varepsilon }_{{\bf{k}}^{\prime} }\)-secure. Compute the \({\varepsilon }_{{\bf{k}}^{\prime} }\) value of \({\bf{k}}^{\prime}\) with the input parameters N and n_{2}.
(3) Calculate \(\bar{p}({\bf{k}})\) by Theorem 1 through Eq. (3).
Because in our scheme the value of \({\varepsilon }_{{\bf{k}}^{\prime} }\) is dependent on n_{2}, as shown in the “Methods” section, we can now replace \({\varepsilon }_{{\bf{k}}^{\prime} }\) by a functional form, \({\varepsilon }_{{\bf{k}}^{\prime} }({n}_{2})\). To obtain the tightened upper bound value of the guessing probability in scheme 1, we need to choose an appropriate n_{2} value. In our calculation, we set the condition
for the appropriate n_{2}.
For any n > n_{2}, we have \({\varepsilon }_{{\bf{k}}}(n)\,>\,{\varepsilon }_{{\bf{k}}^{\prime} }({n}_{2})={2}^{-{n}_{2}}\); however, for any n < n_{2}, we have \({2}^{-n}\,>\,{2}^{-{n}_{2}}\). In conclusion, if n ≠ n_{2}, \({2}^{-n}+{\varepsilon }_{{\bf{k}}}(n)\,>\,{2}^{-{n}_{2}}\). Therefore, in this study, we set \({2}^{-{n}_{2}}={\varepsilon }_{{\bf{k}}^{\prime} }({n}_{2})\), and obtain a tightened guessing probability \({2}^{-{n}_{2}+1}\).
Once we determine the value n_{2} and the corresponding \({\varepsilon }_{{\bf{k}}^{\prime} }({n}_{2})\), we calculate \(\bar{p}({\bf{k}}^{\prime} )\) by Eq. (3). Clearly, this is the upper bound of the guessing probability of the final key k of length n_{1} provided that
Thus, we can actually use a more efficient scheme to obtain the upper bound of the guessing probability of key k, as the following Theorem 2:
As shown in Fig. 1, the arrow between s and k indicates that the ε_{k}-secure n_{1}-bit final key k can be distilled from the N-bit sifted key s using a random matrix \({R}_{{n}_{1}N}\), i.e. \({\bf{k}}={R}_{{n}_{1}N}{\bf{s}}\). The arrow between k and \({\bf{k}}^{\prime}\) indicates that there exists a map M that can map the key k into \({\bf{k}}^{\prime}\), i.e., \({\bf{k}}^{\prime} =M({\bf{k}})\). The arrow between the sifted key s and \({\bf{k}}^{\prime}\) indicates that if a random hashing matrix \({R}_{{n}_{2}N}\) is used to distill the final key, we have \({\bf{k}}^{\prime} ={R}_{{n}_{2}N}{\bf{s}}\). Then if n_{2} satisfies the condition in Theorem 2, a tightened guessing probability of k can be obtained.
There are two important points that need to be noticed. First, when applying our theorem to obtain the nontrivial upper bound of the guessing probability for the final key k, we do not really need to transform k to another string \({\bf{k}}^{\prime}\), and we only need the existence of a map that can map k to \({\bf{k}}^{\prime}\) mathematically. That is to say, we use the final key k, but its guessing probability is calculated from the shorter key \({\bf{k}}^{\prime}\). As shown above, the existence has been proven. Second, in this study, we use the random matrix R_{nN} as a family of two-universal hash functions to distill the key to illustrate our conclusion more intuitively. Of course, we can also use the modified Toeplitz matrix^{8} instead of the random matrix R_{nN}. Thus, the final key k can be also mapped to the string \({\bf{k}}^{\prime}\), and the string \({\bf{k}}^{\prime}\) can also be regarded as the \({\varepsilon }_{{\bf{k}}^{\prime} }\)-secure key. This means that the proposed theorem in this study still holds.
Theorem 2
In the QKD protocol, if the n_{1}-bit final key k is distilled from the sifted key s using a random matrix \({R}_{{n}_{1}N}\), the guessing probability of k can be upper bounded by
where \({\bf{k}}^{\prime} =M({\bf{k}})={R}_{{n}_{2}N}{\bf{s}}\) and n_{2} satisfies \({2}^{-{n}_{2}}={\varepsilon }_{{\bf{k}}^{\prime} }({n}_{2}),{n}_{2}\,<\,{n}_{1}.\)
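The following Python sketch is an added illustration, not code from the paper. It checks that deleting the last n_1 − n_2 bits of R_{n_1 N}s equals hashing with the top n_2 rows, checks Lemma 2 on a constructed posterior for Eve, and evaluates the Lemma 1 and Theorem 2 bounds in log10 so that 2^{−n} never underflows. The toy sizes, the posterior and all function names are assumptions made here; ε_{k'}(n_2) itself is not computed, since that needs Eq. (16) and the channel parameters.

```python
import math
import random
from collections import defaultdict
from itertools import product

LOG10_2 = math.log10(2)

def random_matrix(n, N, rng):
    """n x N matrix of independent uniform bits (the page's R_{nN})."""
    return [[rng.getrandbits(1) for _ in range(N)] for _ in range(n)]

def hash_key(R, s):
    """k = R s over GF(2): one parity bit per matrix row."""
    return tuple(sum(r & b for r, b in zip(row, s)) & 1 for row in R)

def truncate(k, n2):
    """The map M: delete the last n1 - n2 bits of k."""
    return tuple(k[:n2])

def guessing_probability(dist):
    """Success probability of the best single guess against {key: prob}."""
    return max(dist.values())

def push_forward(dist, n2):
    """Distribution of k' = M(k) induced by a distribution over k."""
    out = defaultdict(float)
    for k, p in dist.items():
        out[truncate(k, n2)] += p
    return dict(out)

def log10_lemma1_bound(n, log10_eps):
    """log10(2^-n + eps), computed without ever forming 2^-n."""
    a, b = -n * LOG10_2, log10_eps
    hi, lo = max(a, b), min(a, b)
    return hi + math.log10(1.0 + 10.0 ** (lo - hi))

def log10_theorem2_bound(n2):
    """log10 of 2^-(n2-1), the bound when 2^-n2 = eps_{k'}(n2)."""
    return -(n2 - 1) * LOG10_2

def n2_needed(log10_target):
    """Smallest n2 whose Theorem 2 bound is <= 10**log10_target."""
    return math.ceil(-log10_target / LOG10_2) + 1

def demo(seed=2020):
    # random.Random keeps the illustration reproducible; it is not a
    # source of randomness for real privacy amplification.
    rng = random.Random(seed)
    N, n1, n2 = 64, 16, 6                      # constructed toy sizes
    R = random_matrix(n1, N, rng)
    s = [rng.getrandbits(1) for _ in range(N)]
    # Truncating the long key equals hashing with the submatrix R[:n2].
    same = truncate(hash_key(R, s), n2) == hash_key(R[:n2], s)

    # Constructed, deliberately skewed posterior of Eve over 4-bit keys.
    keys = list(product((0, 1), repeat=4))
    w = [rng.random() ** 3 for _ in keys]
    total = sum(w)
    dist = {key: x / total for key, x in zip(keys, w)}
    p_k = guessing_probability(dist)
    p_kprime = guessing_probability(push_forward(dist, 2))
    return same, p_k, p_kprime

if __name__ == "__main__":
    same, p_k, p_kprime = demo()
    print("truncation == submatrix hash:", same)
    print("Lemma 2: p(k) = %.4f <= p(k') = %.4f" % (p_k, p_kprime))
    # Page values: n = 4.90e5 and eps = 1e-9 for the long key.
    print("Lemma 1, log10 bound:", log10_lemma1_bound(490_000, -9.0))
    # n2 implied by the quoted bound 2e-3277 (derived here, not a table value).
    n2 = n2_needed(LOG10_2 - 3277)
    print("n2 =", n2, "log10 bound =", log10_theorem2_bound(n2))
```

The Lemma 1 bound for the long key stays at about 10^{−9} however large n_1 is, while the Theorem 2 bound depends only on the n_2 that balances 2^{−n_2} against ε_{k'}(n_2).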
Discussion
Table 1 describes the upper bounds of the guessing probability calculated by different N_{tol}, where N_{tol} is the length of the total string that includes the sifted keys for key generation and the string used to do parameter estimation. In Table 1, N_{tol} = 10^{4}, 10^{5}, and 10^{6}. Table 1 shows that when N_{tol} = 10^{6}, n = 4.90 × 10^{5} and the guessing probabilities obtained using the methods of ref. ^{12} and ref. ^{11} are approximately 10^{−6} and 10^{−9}, respectively. However, using our method, the guessing probability can be reduced to 2 × 10^{−3277}, which is more tightened by thousands of orders of magnitude than prior art methods. With an increase in the length of N_{tol}, the length of the final key also increases; however, the guessing probabilities in ref. ^{12} and ref. ^{11} almost remain unchanged. Compared with ref. ^{12} and ref. ^{11}, the guessing probability obtained by our method is considerably reduced, which is more realistic and tighter. It should be noted that we calculate the case without the known-plaintext attack (KPA) in Table 1. Now, we consider the case of KPA in QKD using our method. Suppose that Eve knows t bits of the final n_{2}-bit key \({\bf{k}}^{\prime}\); then, the guessing probability of the \({\varepsilon }_{{\bf{k}}^{\prime} }\)-secure key \({\bf{k}}^{\prime}\) is \({p}_{{\rm{KPA}}}({\bf{k}}^{\prime} )\le {2}^{-({n}_{2}-t-1)}\). Now, the upper bound of the guessing probability of key \({\bf{k}}^{\prime}\) is equal to that of an ideal (n_{2} − t − 1)-bit key.
Table 2 compares the length of the ε-secure key n and the length of the \(\varepsilon ^{\prime}\)-secure key \(n^{\prime}\) when the total length of the sifted key is 10^{4}, 10^{5}, and 10^{6}. This table shows that if only Lemma 1 is used to obtain a smaller guessing probability, ε needs to be reduced. Accordingly, the length of the final key and the key rate will be considerably reduced. For example, from Table 2, when N_{tol} = 10^{6}, if the customer wants to reduce the guessing probability from 10^{−9} to 2 × 10^{−3277}, the length of the key will become \(n^{\prime} =1.1\times 1{0}^{4}\), and the key rate will become \(r^{\prime} =0.01\). This result is much lower than the original key length n = 4.9 × 10^{5} and the key rate r = 0.49. Using our result, there is actually no bit cost for a much smaller bound value of guessing probability. For example, when N_{tol} = 10^{6}, we can upper bound the guessing probability by 2 × 10^{−3277} by setting ε = 10^{−9}. Thus, without reducing the value of ε, we can obtain a tightened upper bound of guessing probability \({p}_{{\rm{g}}}^{{\rm{Thm.2}}}\) of k, as can be seen from Table 1.
Our result shows that in terms of guessing probability, the performance of the existing trace distance security is much better than what has been assumed in the past. Incidentally, in ref. ^{11}, a looser upper bound, 10^{−6} for Eve’s guessing probability, was presented^{12}. We emphasize that this looser upper bound does not in any sense challenge the validity of the existing security proof of QKD^{11}. Although a large value of the lower bound of Eve’s guessing probability can show insecurity, a large value of the upper bound cannot show insecurity. If one does not make any effort, one can also obtain a large-value upper bound of 100% for Eve’s guessing probability. Such a value is correct for the upper bound but not meaningful. If any new upper bound is larger than that in the prior art result, it means that the “new upper bound” is trivial and meaningless rather than that the prior art result is invalid. Thus, the looser upper bound presented by ref. ^{12} only shows that Eve’s guessing probability of the key is smaller than 10^{−6}. It does not conflict with more tightened results presented elsewhere.
In this study, our goal is to obtain a tightened guessing probability. On the basis of the existing security criterion (trace distance) and the general property of guessing probability, we propose a simple and efficient method to tighten the upper bound of the guessing probability. We find that the guessing probability p(k) of k can be upper bounded by \({2}^{-({n}_{2}-1)}\), where n_{2} satisfies \({2}^{-{n}_{2}}={\varepsilon }_{{\bf{k}}^{\prime} }({n}_{2})\) and n_{2} < n_{1}. Specifically, a simple random matrix R_{nN} can be used to distill the final key. Compared with the prior art results, of which the upper bound of the guessing probability of the ε-secure key is approximately ε, our method provides a more tightened upper bound. Therefore, the loose upper bound for the guessing probability obtained in ref. ^{12} cannot be regarded as evidence to question the validity of the existing security proof of QKD.
Methods
Proof of Lemma 1
Lemma 1
The guessing probability of the ε_{k}-secure key k with length n_{1} is not larger than \(\frac{1}{{2}^{{n}_{1}}}+{\varepsilon }_{{\bf{k}}}\).
This is a conclusion obtained from ref. ^{11}. The proof has been already presented in ref. ^{11}. Here, for the convenience of the reader, we write the proof again.
Proof. Let the n-bit string x be the ε_{x}-secure key in \({\mathcal{X}}\). The density matrix of Alice and Eve is ρ_{XE} and satisfies
where \({\rho }_{{{\rm{U}}}_{{\bf{x}}}}\) is the fully mixed state in \({\mathcal{X}}\). Then we have
Eve’s guessing probability of string x is q(x), and the maximum guessing probability is \({p}_{{\rm{g}}}={\max }_{{\bf{x}}\in {\mathcal{X}}}\{q({\bf{x}})\}\). Without any loss of generality, it is possible to assume that the maximum guessing probability is \(q({\bf{x}}^{\prime} )\). Note that \({\sum }_{{\bf{x}}\in {\mathcal{X}}}q({\bf{x}})=1\), then the following holds
From Eqs. (11) to (13), we have \({p}_{{\rm{g}}}\le {2}^{-{n}_{1}}+{\varepsilon }_{{\bf{x}}}\); thus, for the n_{1}-bit ε_{k}-secure key k, the guessing probability satisfies
where \(\bar{p}({\bf{k}})\) is the upper bound of p(k). This ends our proof of Lemma 1.
Calculation of \({\varepsilon }_{{\bf{k}}}^{\prime}\)
We consider the security definitions of a practical QKD protocol with a finite size under the framework of composable security^{4,13,14}. Suppose that Alice and Bob get two N-bit sifted key strings. By performing an error correction and privacy amplification scheme, Alice gets an n-bit final key k and Bob gets an estimate \(\hat{{\bf{k}}}\) of k. The protocol is ε_{cor}-correct if \(P[{\bf{k}}\,\ne\, \hat{{\bf{k}}}]\le {\varepsilon }_{{\rm{cor}}}\). In general, the key k of Alice can be correlated with an eavesdropper system, and the density matrix of Alice and Eve is ρ_{AE}.
The protocol outputs an ε_{k}-secure key^{13}, if
where ∥ ⋅ ∥_{1} denotes the trace norm, ρ_{U} is the fully mixed state of Alice's system. The protocol is ε_{tol}-secure if ε_{cor} and ε_{k} satisfy ε_{cor} + ε_{k} ≤ ε_{tol}, which means that it is ε_{tol}-indistinguishable from an ideal protocol. Without any loss of generality, we consider the case of ε_{cor} = ε_{k}.
From Lemma 1, we can calculate \(\bar{p}({\bf{k}})\) given the n-bit ε_{k}-secure key k. In this situation, \(\bar{p}({\bf{k}})={2}^{-n}+{\varepsilon }_{{\bf{k}}}\). However, in our method, we only know N and n_{2}, which are the lengths of the sifted key and \({\bf{k}}^{\prime}\). (The string \({\bf{k}}^{\prime}\) itself can be also regarded as another final key distilled from the sifted key.) To get a tightened upper bound of the guessing probability of k, we need to obtain the value of \({\varepsilon }_{{\bf{k}}^{\prime} }\). According to ref. ^{4}, with N and n_{2}, the final key is \({\varepsilon }_{{\bf{k}}^{\prime} }\)-secure if \({\varepsilon }_{{\bf{k}}^{\prime} }\) satisfies the following equation:
where \(\mu =\sqrt{\frac{N+{N}_{z}}{N{N}_{z}}\frac{{N}_{z}+1}{{N}_{z}}\mathrm{ln}\,\frac{2}{{\varepsilon }_{{\bf{k}}^{\prime} }}}\), N_{z} is the length of the string used for parameter estimation, f = 1.1, h denotes the binary Shannon entropy function, \(h(x)=-x\,{\log}\,x-(1-x){\log}\,(1-x)\) and Q_{tol} represents the channel error tolerance. To obtain nontrivial results, we use equality in Eq. (16) to calculate the value of \({\varepsilon }_{{\bf{k}}^{\prime} }\), given the input n_{2}. Since \({\varepsilon }_{{\bf{k}}^{\prime} }\) is dependent on n_{2}, we use notation \({\varepsilon }_{{\bf{k}}^{\prime} }({n}_{2})\) for \({\varepsilon }_{{\bf{k}}^{\prime} }\). Here, given n_{2}, we numerically find the value of \({\varepsilon }_{{\bf{k}}^{\prime} }({n}_{2})\) by Eq. (16).
In our calculation, we choose a specific n_{2} value that satisfies
In combination with Eq. (16), we obtain the following equation for the tightened \({\varepsilon }_{{\bf{k}}^{\prime} }\) value:
and we can calculate the value of \({\varepsilon }_{{\bf{k}}^{\prime} }\) and then calculate the guessing probability by Eq. (8) in our main body text.
Data availability
The data that support the findings of this study are available from the corresponding authors upon reasonable request.
References
1. Bennett, C. & Brassard, G. Quantum cryptography: public key distribution and coin tossing. In Proc. IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India, 175−179 (IEEE Press, New York, 1984).
2. Renner, R. Security of quantum key distribution. Int. J. Quantum Inf. 6, 1 (2008).
3. Curty, M. et al. Finite-key analysis for measurement-device-independent quantum key distribution. Nat. Commun. 5, 3732 (2014).
4. Tomamichel, M., Lim, C. C. W., Gisin, N. & Renner, R. Tight finite-key analysis for quantum cryptography. Nat. Commun. 3, 634 (2012).
5. Ben-Or, M., Horodecki, M., Leung, D. W., Mayers, D. & Oppenheim, J. In Theory of Cryptography Conference, 386−406 (Springer, 2005).
6. Renner, R. & König, R. In Theory of Cryptography Conference, 407−425 (Springer, 2005).
7. König, R., Renner, R., Bariska, A. & Maurer, U. Small accessible quantum information does not imply security. Phys. Rev. Lett. 98, 140502 (2007).
8. Hayashi, M. & Tsurumaru, T. Concise and tight security analysis of the Bennett-Brassard 1984 protocol with finite key lengths. N. J. Phys. 14, 093014 (2012).
9. Alimomeni, M. & Safavi-Naini, R. In International Conference on Information Theoretic Security, 1−13 (Springer, 2012).
10. Issa, I. & Wagner, A. B. Measuring secrecy by the probability of a successful guess. IEEE Trans. Inf. Theory 63, 3783 (2017).
11. Portmann, C. & Renner, R. Cryptographic security of quantum key distribution. Preprint at: https://arxiv.org/abs/1409.3525 (2014).
12. Yuen, H. P. Security of quantum key distribution. IEEE Access 4, 724 (2016).
13. Canetti, R. In Proceedings 2001 IEEE International Conference on Cluster Computing, 136−145 (IEEE, 2001).
14. Müller-Quade, J. & Renner, R. Composability in quantum cryptography. N. J. Phys 11, 085006 (2009).
Acknowledgements
We acknowledge the financial support in part by the Ministry of Science and Technology of China through The National Key Research and Development Program of China grant no. 2017YFA0303901; National Natural Science Foundation of China grant nos. 11474182, 11774198, 11974204 and U1738142.
Author information
Contributions
X.B.W. developed the theory, J.T.W. and J.Q.Q. contributed equally to the calculation work, C.J. and Z.W.Y. contributed to simulation work. All authors contributed to the manuscript.
Ethics declarations
Competing interests
The authors declare no competing interests.
Additional information
Publisher’s note Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Wang, XB., Wang, JT., Qin, JQ. et al. Guessing probability in quantum key distribution. npj Quantum Inf 6, 45 (2020). https://doi.org/10.1038/s4153402002673