Counterfactual protocol within device independent framework and its insecurity

We consider the counterfactual protocol proposed in Phys. Rev. Lett., 103, 230501 (2009) within a device independent framework and show how its security can easily be compromised. Capitalising on the fact that the protocol is based on the use of a single photon entanglement phenomenon, we propose an equivalent protocol. It can be made secure within such a pessimistic framework against a supra-quantum Eve limited only by the no-signalling principle. The equivalence the protocol demonstrates the possibility of device independent framework for counterfactual quantum cryptography.

We imagine that two parties, say Alice and Bob, share a setup as depicted in Fig. 1. The protocol starts when Alice triggers the photon source (S) that emits a pulse containing a single-photon. Depending on Alice's random choices, the single-photon could be in either horizontally polarised state H which represent Alice's bit '0' or vertically polarised state V as bit '1' . The single-photon pulse passes through a 50:50 beam splitter (BS1) in which the output results in the following state (in accordance with Alice's choice of polarisation state): where 0 i denotes the vacuum state with i ∈ A, B represent the path towards Alice's mirror M1 and Bob's site, respectively. We further denote the paths A, B 1 and B 2 for the paths from the source towards M1, from the beam splitter BS1 to the mirror M2 and from M2 to BS2 respectively. The pulse that travels through path B is reflected by M2 before entering the input port of the polarising beam splitter (PBS) on Bob's site. Bob will randomly choose between horizontal and vertical polarisation to represent his bit. The PBS is configured such that, if Bob's choice of polarisation is not equal to Alice, the PBS will transmit the pulse towards BS2 and the split pulse that travels in the two modes are recombined at beam splitter, BS2. In an ideal setting, the interference effect will cause the photon to be detected at D1 with certainty.
However, if the incoming polarisation is the same with Bob's choice, the pulse will be reflected towards Bob's measurement setting which consists of photon detector, D3. The measurement process will cause the state Ψ H to collapse to either H 0 On the other hand, if the state collapses to either H 0 A B or V 0 A B , the detector D3 will click with certainty. At the end of transmission, Alice and Bob will reveal which of their detectors click. The case of detector D3 clicking implies that Alice gets nothing, while a click of either D1 or D2 implies that Bob effectively did not receive a photon. As D1 also clicks in the case of an interference, only the click at D2 provides Alice with a conclusive guess of Bob's choice of polarisation. Thus the raw key will be extracted from the event in which detector D2 clicks.

Security Analysis
In this section, we describe the CQKD within a device independent scenario in which Alice and Bob are provided with untrusted devices and they have no knowledge of the internal function of the QKD devices. The adversary may configure the devices such that they simulate the results that would be obtained from executing a counterfactual QKD protocol as described above.
In what follows, we can view these devices as black boxes (' A' for Alice and 'B' for Bob) each provided with binary input, say a 'H' and a 'V' button as potrayed in Fig. 2. For definiteness, we define 'H' as bit '0' and 'V' as bit '1' . Path A and B 1 are the paths from the input buttons in Alice's site towards M1 and from Alice's input buttons to Box B, respectively. Meanwhile, path B 2 is the path connecting Box B and Box A. We further consider two different strategies by Eve in determining how the black boxes should behave. In either case, Eve would be using www.nature.com/scientificreports www.nature.com/scientificreports/ tripartite states distributing one subsystem to Alice and one to Bob. In the first strategy, an entangled bipartite state of Alice and Bob is separable from a (relevant) third parity state. In the second approach, the tripartite states are completely separable. We will now investigate the two strategies.
cQKD with entangled states. The requirement to disclose 'which detector clicked' in public channel 2,11 was intended to allow Alice and Bob to know when a bit is accepted for key generation purpose. However, this provides Eve with information on the bit string regardless of whether the qubits are entangled or not.
Let us now propose a protocol by prescribing requirements of how the boxes should behave in order to replicate the effects of the counterfactual QKD. Suppose that the states, Ψ m being distributed are given by: where m ∈ {H, V} depends on Alice's choice of a button. Since the state H B and V B can be measured perfectly without disturbing the entangled state, then knowing 'which detector clicked' will allow Eve to know with certainty which bit is accepted as a key. Hence, the revelation of 'which detector clicked' as proposed by refs. 2,11 has become the main loophole in this protocol as Eve knows precisely well on the values of m, which she can determine.
One way of closing this loophole while still allowing for the legitimate parties to share a key is by having Alice to only declare when detector D2 clicks. In this way, whenever Bob does not measure a photon (D3), he would know when D2 clicks thus not use those for key sharing and when D1 clicks for key bits.
The second less obvious loophole is the case for Bob's resending of a qubit in the path B 2 . Hence, if Alice and Bob were to drop this requirement i.e. they do not reveal which detector clicked in the public channel, or at most mention only when D2 clicks, and assure themselves that their first two qubits are in fact a maximally entangled states (which can violate a Bell inequality) then it is possible for them to extract a secure key. cQKD with separable states. Now, suppose the state that is really being distributed is a three-qubit state, either: where m ∈ {H, V} depends on Alice's choice of a button and the subscript A and B represent the qubit that is being distributed to Alice and Bob, respectively. While we do not make any requirement on state m B to be a polarised state we nevertheless assume so in what follows for the sake of simplicity. The two-qubit state (either m 1 B B or m 0 B B ) would then be sent to Bob's box, B. Bob will also randomly choose between his 'H' or 'V' button.
At first glance, it may seems as if information is leaked out of Alice's site by sending the state m B over to Bob. However, in a counterfactual perspective, it is crucial that the state m B i.e the polarisation degree of freedom to be accessible to Bob otherwise the PBS cannot work. Eve would eventually know the values of m as she can make a measurement to distinguish the two polarisation states perfectly. Based on the choices made by Alice and Bob, we will consider the following two cases.
• Case 1: Alice's and Bob's bit do not match. Bob's device will resend the second qubit to Alice's site. This qubit along with her qubit would be inputs to box A in which would result in D1 clicking. This replicates the interference effect of the counterfactual QKD. We note that while this may seemingly 'violate' a requirement www.nature.com/scientificreports www.nature.com/scientificreports/ of device-independence where no information is leaked from Bob's station, we argue this to be exceptional given the necessary channel (path B 2 ) from Bob to Alice in a counterfactual setup. • Case 2: Alice's and Bob's bit coincide. Bob's box will not send anything towards Alice's site. This action is similar to the path-blocking procedure as in refs. 2,11 . We then consider the following scenarios: The above can be achieved by first equipping box B with a measurement device to distinguish between the polarisation states of the third incoming qubit, m B in order to measure whether it is horizontally or vertically polarised. Since it is orthogonal, then it can be done perfectly. We further require box B to act as follows: when Bob inputs a choice for polarisation (using either the H or V button), his choice would be compared to the polarisation of the third incoming qubit. If they are the same, a further measurement is made to distinguish between states 0 B and 1 B of the second qubit. In the case of the latter, the detector D3 is fired. Either way the process for box B ends and no qubit is sent out of Bob's site. On the other hand, if the polarisation of the incoming qubit is different from Bob's button choice, the second qubit is sent to Alice.
In order to simulate the counterfactual protocol we propose the following ansatz. For Case 1, we require that box A to behave as such that the probability of detector Dj clicking given ⊕ i i 1 B A is written as for j = 1, 2 with no input B represents the event when there is no incoming qubit from Bob. This box can be done by virtue of having the controlled-NOT gate called CNOT, which is defined as , . Hence, let us reconsider both cases.
In Case 1, box A will receive the second qubit from Bob as well as Alice's qubit as inputs. Box A will then perform the CNOT function on either one of the following: with Alice's resulting state would eventually be detected by either detector D1 or D2. Assuming that detector D1 will detect state 0 A and D2 will detect state 1 A , the above CNOT function will eventually result in D2 only clicking. When Alice's and Bob's bit are the same, no qubit from Bob will be sent out to box A. In the event where box A detects Alice's qubit as 1 A , it will perform a CNOT function on state + = + x ( 0 1 )/ 2 along with Alice's state written as A We can assume that the state + x is supplied by the box A. As a result, with equiprobability detector D1 and D2 will click. On the other hand, if state 0 A is being detected, then box A will end its process.
As demonstrated above, Eve can perfectly simulate the protocol by distributing a system that is made up of entirely separable states. As she knows the values of m, as well as when Alice and Bob accepts or rejects a run, Eve basically has complete knowledge of the key. It is then obvious that the protocol presented by refs. 2,11 are not secure in a device independent context.
By not revealing the information on 'which detector clicked' , Eve would not have known which bit is going to be accepted even if the strings for raw key is publicly broadcasted. It would seem that both scenarios can be viewed as a separate system. In what follows, we are going to propose a framework for device independent CQKD (DI-CQKD) based on these conditions.

the proposed Di-cQKD
In this protocol, we assume that Alice and Bob share two setups as shown in Fig. 3. For definiteness, we named the setup which consists of source S 1 as Setup 1 while the other as Setup 2.
In Setup 1, we will consider the protocol proposed in ref. 12 , from this point onward will be referred to as SDI protocol (an acronym derived from its Single-photon entanglement nature in a Device Independent framework), which is based on single-photon entanglement protocol 13 where Q AB (α, β, ρ) is the joint probability distribution of the absence of photon(s) events in Alice's and Bob's detectors given as The α and β are the coherent displacements of the path accessible to Alice and Bob, respectively. If Eq. (11) violates the inequality −1 ≤ I CH ≤ 0 then the secrecy is guaranteed as the nonlocality is satisfied. We refer the detail description of Setup 1 to SDI protocol. Meanwhile, in Setup 2, Alice would prepare the qubit to be in either horizontally polarised state H or vertically polarised state V . She would then submit this qubit to Bob where he will measure it in the rectilinear basis (this can be achieved by a polarising beam splitter with two detectors) and the measurements would distinguish between the polarisation states perfectly. For the sake of simplicity, we shall assume that the channel for Setup 2 is completely error free. This is not unreasonable as given the fact that the states can be distinguished perfectly, even by Eve, one can imagine that there is no reason for them to be transmitted as single photons subject to a depolarising channel; rather these states can be essentially 'broadcast' and the only real critical issue is to have it authenticated. Note that, we also do not put the requirement that both setups need to be performed simultaneously. Now, using the results from both setups we can established the key as follows. We discard the result for all runs in Setup 2 that correspond to bit 1 in Setup 1. The remaining bits from Setup 2 will then serve as key strings for Alice and Bob. The protocol can now be outlined as follows.
1. Alice submits a photon to the 50:50 beam splitter, resulting in an entangled states of single photon and vacuum that is accessible to both Alice (in path A) and Bob (in path B). 2. Both of them would make a homodyne measurement, identical to the ones presented in SDI protocol. 3. After completing the transmission and measurement process, Alice and Bob would estimate the CH value on the measurement results and perform error correction procedure. 4. Note that steps 1 to 3 is identical to the SDI protocol, with the exception of privacy amplification which we do not execute. 5. Alice sends to Bob a string of polarised photon. 6. Bob measures the states using rectilinear basis. 7. Based on the results of step 2 and 5, the legitimate parties will discard the rounds in both setups which corresponds to bit 1 of Setup 1. 8. The remaining bits would then be used as a raw key. It is worth noting that we are proposing an equivalent protocol to CQKD within a device independent scenario. By equivalence we mean that the protocol actually capitalises on the nature of single photon entanglement while the bits used for key is derive from the case where photons have not travelled to Bob but only to Alice. This is in fact the working principle for the CQKD. In what follows we will provide a heuristic analysis of the proposed protocol's security. Security analysis. Supposedly, Alice and Bob share N bit strings in which we consider that on average, there would be an equal number between bit 0 and bit 1. Within these N bits, there are U bits that is unknown to Eve in which half of them will eventually be discarded. Hence, the possible ways for the parties to throw out the bits, W can be determine as follows Eve's uncertainty, U E related to the unknown bits is given by the Shannon entropy as Now, let us apply the above scenario in which Alice and Bob would initially share N bits string to the SDI protocol. Similarly, we imagine that Eve would not have any knowledge on U bits out of these N bits. Then, Eve's uncertainty per bit for this protocol is given by which is approximately equal to the probability of Eve sending a nonlocal box, p NL . Let us consider a scenario where Alice and Bob discard an equal fraction of bits in the SDI protocol i.e. the bits which correspond to Eve sending nonlocal boxes is halved. Therefore, the uncertainty that she has in that scenario would be We define R as the ratio of the uncertainty of this protocol to Eve's uncertainty when half of SDI protocol bit are discarded written as In the limit of long keys i.e. as U approaching infinite, we obtain This is of course the result that we would attain considering that the number of the two bits are equal. With Eve's uncertainty, ε u = p NL ⋅ R and Eve's information I AE = 1 − ε u , the key rate, K is given by the following formula is the binary entropic function. Note that e AB is the error between Alice and Bob, which corresponds to Setup 1. Hence, it is instructive to compare the performance of DI-CQKD with SDI protocol. We note that the key rate that is described in Eq. (19) should be divided by 2 when comparing the protocols. This is due to our assumption that the number of bit '0' and '1' in the string are necessarily the same. As we can see from Fig. 4, the maximum key rate achievable for the DI-CQKD protocol (represented as the solid curve) being approximately 0.22, which is the same as the SDI protocol described by the dashed curve. However, it is obvious from the graph that the key rate of DI-CQKD is non zero for a CH violation up to about −1.06 whereas the SDI protocol obtain a non zero key rate only up till −1.08 of the CH violation. The DI-CQKD perform better than the SDI protocol, as the key rate of DI-CQKD remains greater than the key rate of SDI protocol throughout the graph. This obvious increment is the result of Eve's information being suppress in the DI-CQKD making her uncertainty per bit is twice than that of SDI protocol.

conclusion
In this work, we have outline the CQKD protocol as described by refs. 2,11 and analysed the security of the CQKD within a device independent context. We eventually show that the security of the protocol is compromised as the protocol is reproducible using separable states, resulting in an entirely classical correlations between the systems where the states can actually be predetermined by Eve. We further show that the need for the legitimate parties to disclose 'which detector clicked' in the public channel has given Eve access to the information of the shared key despite the state being entangled. This is because the entanglement is only between the first two qubits while the polarised state that is used to establish the key string is not. Hence, we propose a new (equivalent) version of CQKD within device independent scenario, the DI-CQKD, with the basic building block being the SDI protocol of the previous chapter.