Randomness determines practical security of BB84 quantum key distribution

Unconditional security of the BB84 quantum key distribution protocol has been proved by exploiting the fundamental laws of quantum mechanics, but the practical quantum key distribution system maybe hacked by considering the imperfect state preparation and measurement respectively. Until now, different attacking schemes have been proposed by utilizing imperfect devices, but the general security analysis model against all of the practical attacking schemes has not been proposed. Here, we demonstrate that the general practical attacking schemes can be divided into the Trojan horse attack, strong randomness attack and weak randomness attack respectively. We prove security of BB84 protocol under randomness attacking models, and these results can be applied to guarantee the security of the practical quantum key distribution system.

Quantum key distribution (QKD) [1] is the art of sharing secret keys between two remote parties Alice and Bob, unconditional security of which is based on the fundamental laws of quantum mechanics.The detailed security analysis has been proved by applying the entanglement distillation and purification (EDP) technology [2,3] and the von Neumann entropy theory [4][5][6] respectively.However, unconditional security of the QKD protocol has an important assumption, which requires Alice and Bob have random numbers to control the classical bit encoding and measurement bases selection, and it can be easily proved that security of the final key can't be guaranteed if input random numbers are controlled or known by the eavesdropper Eve.In recent years, practical QKD system was attacked by considering the imperfect state preparation and measurement respectively [7].More generally, the practical attacking scheme can be divided into three different types.The first type is considering the Trojan horse attack [8], where the signal state combining with the trojan horse state can be assumed to be high dimensional state modulation.Note that Eve can measure one dimension of the modulated high dimensional state to get all of the secret key information without being discovered, thus Alice and Bob should apply the dimension filter (such as wavelength filter) to avoid this attack.
The second type is the strong randomness attack, which considers some of the input random numbers are totally controlled by the eavesdropper Eve.Such as the multi photon state can be attacked by applying the photon number splitting (PNS) attack [9,10], where the multi photon encoding quantum states can be assumed to be known by Eve.Another example is the detector blinding attack [11,12], where Eve can easily mount the man-in-the-middle (MITM) attack by converting the avalanche photodiodes (APDs) into linear mode.The detectors have the count iff Bob's bases selection is equal to Eve, which means that the bases selection in Bob's side are controlled by Eve.Recently we propose the probabilistic blinding attack model [13], where Eve partly applies the blinding attack to avoid being catched by detecting the current parameter.In the strong randomness attack model, the final secret key rate should delete all of the counting events known by Eve.The GLLP [14] secret key rate and the decoy state method [15][16][17] can be assumed to delete all of the multi photon pulse counting result, and only the single photon counting event can generate the final secret key.While the probabilistic blinding attack can be assumed to delete all of the blinding counting results, and only the non-blinding counting event can generate the final secret key.In the strong randomness attack model, the previous secret key rate [18] formula can be modified to where p is the probability of valid counting result, which can't be controlled by Eve. a is Alice's measurement outcomes, E is Eve's auxiliary quantum system, S(a|E) = S(a, E) − S(E) is the conditional von Neumann entropy, which demonstrates Eve's uncertainty about Alice's key bit a. e is the practical bit error rate, h(e) = −elog 2 e − (1 − e)log 2 (1 − e) is the classical Shannon entropy function, f ≥ 1 is the error correction efficiency.If we consider the PNS attack, p can be illustrated by the single photon counting rate, S(a|E) can be estimated by the single photon error rate.
The third type is the weak randomness attack, which considers input random numbers are partly controlled by Eve [19].Such as the wavelength dependence about the beam splitter will introduce the wavelength attack [20], where Eve can apply different wavelengths to control Bob's bases selection.Since the practical beam splitter and different wavelengths may only have partial correlation, which means the beam splitter coupling ratio can't reach 0 and 1 with two different bases, thus Eve can only partly control bases selection.Another example is the time shift attack [21], where Eve controls the APDs detection efficiency by controlling the photon arriving time, thus Eve has the advantage to guess the measurement outcomes.Since the practical time shift attack will introduce nonzero error rate, the classical bit encoding can be assumed to be partly known by Eve correspondingly.Now, the Trojan horse attack can be avoided by applying the dimension filter before the state modulation and measurement, which can be used to prevent Eve's Trojan horse light.The strong randomness attacking model has also been analyzed by applying the strict post processing, where we only need to precisely estimate p and S(a|E).However, the weak randomness attacking model has not been analyzed until now.In this work, we prove security of the practical QKD system with weak input random numbers, which can affect the classical bit encoding and bases selection respectively.We give two security analysis models, the first is based on one post processing step, where all of the measurement outcomes should be applied one time error correction and privacy amplification.While the second is considering two post processing steps, where the measurement outcomes in two bases should be applied post processing respectively.If we only consider bit encoding weak randomness, two different methods can get the same secret key rate.But, if we consider the bases selection weak randomness, the analysis result show that two post processing steps can generate much more secret key.Our analysis models can be applied in several attacking schemes, such as the wavelength attack and the time shift attack.Combining with the previous three attacking models, security of the practical QKD system can be evaluated completely.Thus, our analysis result can be applied to estimate security of the practical QKD system, which can be employed to build the practical QKD system security standardization.
BB84 QKD protocol with weak randomness -In the BB84 protocol, there are two binary input bits x 1 and x 0 in Alice's side, which can be used to select the state preparation bases and encoding classical bits respectively.While the state measurement side Bob needs one binary input bit y to select the measurement basis.After the quantum state preparation and measurement, Alice and Bob should apply the bases sifting process to save the same bases case (x 1 = y).Thus, in the security analysis model, the input randomness can be divided into two sets, the first set can be used to decide the encoding classical bit selection x 0 , while the second set can be used to decide the encoding and decoding bases selection x 1 (or y).Since Alice and Bob should publicly compare x 1 and y to save the same value, we can only consider Eve has partial knowledge about the bases selection x 1 before the state measurement, the security analysis model can be simplified correspondingly.Thus we can only assume weak random numbers x 0 and x 1 to control the encoding classical bit and bases selection respectively, the detailed analysis model is given in Fig. 1.In the weak randomness model, the weak random numbers x 0 and x 1 can be controlled by two different sets of hidden variables λ 0 and λ 1 as the following equations, where λ 0 and λ 1 are hidden variables controlled by Eve, p(x 0 = 0) is the probability that Alice encodes classical bit 0, while p(x 0 = 1) = 1 − p(x 0 = 0) is the probability that Alice encodes classical bit 1.Similarly, p(x 1 = 0) is the probability that Alice applies the rectilinear encoding basis, p(x 1 = 1) = 1 − p(x 1 = 0) is the probability that Alice applies the diagonal encoding basis.Note that two sets of hidden variables λ 0 and λ 1 should satisfy i p λ0=i = j p λ1=j = 1.However, even if the practical experimental realization can observe p(x 0 ) = 1 2 and p(x 1 ) = 1 2 respectively, we still can't guarantee p(x for arbitrary hidden variables λ 0 = i and λ 1 = j.Thus, the the aforementioned security analysis model based on perfect random input numbers can't be satisfied directly, we need to estimate the randomness deviation for arbitrary hidden variables.The practical weak randomness model is given by where 0 ).
One-step post processing method -By considering the given hidden variable λ 0 = i, we apply the EDP technology to illustrate the practical state preparation as the following equation, where Alice encoding the classical bit 0 with probability p(x 0 = 0|λ 0 = i), and encoding the classical bit 1 with probability p(x 0 = 1|λ By considering the given hidden variable λ 1 = j, Alice prepares the quantum state in the rectilinear basis with probability p(x 1 = 0|λ 1 = j), and prepares the quantum state in the diagonal basis with probability p(x 1 = 1|λ 1 = j) = 1 − p(x 1 = 0|λ 1 = j), thus the final quantum state preparation under the Pauli quantum channel is where u, v ∈ {0, 1}, H = 1 √ 2 1 1 1 −1 is the Hadmard matrix, u,v q u,v = 1, q 0,0 is the probability that Eve applies identity operation I = 1 0 0 1 , q 0,1 is the probability that Eve applies phase error operation Z = 1 0 0 −1 , q 1,0 is the probability that Eve applies bit error operation X = 0 1 1 0 , q 1,1 is the probability that Eve applies bit phase error operation XZ.Since Alice's state preparation is restricted in the two dimensional Hilbert space, we can prove the final secret key rate under the Pauli quantum channel.Thus, the quantum bit error rate and phase error rate introduced by Eve can be respectively given by where For arbitrary hidden variable λ 0 = i and λ 1 = j, upper bound of the phase error rate e i,j phase can be estimated by applying the bit error rate e i,j bit and the randomness deviation parameters, e i,j phase − e i,j bit where we apply q 00 + q 11 ≤ 1, q 01 + q 10 ≤ 1 and u,v q u,v = 1 in the previous calculation.By applying the EDP technology, the final secret key rate with given hidden variables λ 0 = i and λ 1 = j is In the practical experimental realization, we can only observe the practical quantum bit error rate e bit = i,j p λ0=i p λ1=j e i,j bit , the final secret key rate with given quantum bit error rate e bit can be given by ≥ i,j p λ0=i p λ1=j 1 − h(e i,j phase ) − h(e i,j bit ) ≥ i,j p λ0=i p λ1=j 1 − h(e i,j bit + δ) − h(e i,j bit ) ≥ 1 − h i,j p λ0=i p λ1=j e i,j bit + δ − h i,j p λ0=i p λ1=j e i,j bit = 1 − h(e bit + δ) − h(e bit ), (10) where we apply the concavity property of the Shannon entropy function in the previous calculation.By implementing the security analysis result, we calculate the secret key rate R with given randomness deviation parameters ǫ 0 and ǫ 1 in Fig. 2. The calculation result demonstrates that the bases selection weak randomness decrease the final secret key rate more obviously comparing with the classical bit encoding weak randomness.Two-step post processing method -In the previous weak randomness model, the input random numbers maybe controlled by the hidden variables λ 0 and λ 1 .Since there are two different bases selection (diagonal basis and rectilinear basis) and two different classical bit encoding (0 and 1), we can simply assume λ 0 and λ 1 have two different values {0, 1} respectively.
In the practical experimental realization, we can only observe the classical bit encoding probability p(x 0 ) = , the detailed classical bit deviation model is given in Fig. 3. Similarly, we can also only observe the bases selection probability p(x 1 ) = p λ1=0 p(x 1 |λ 1 = 0) + p λ1=1 p(x 1 |λ 1 = 1), but the observed probability p(x 1 ) = 1 2 can't guarantee , the detailed bases selection deviation model is given in Fig. 4. The practical quantum state preparation is given by where Two−step post processing One−step post processing FIG.2: Secret key rate with different quantum bit error rate value, where the blue solid line is no randomness deviation case, the green dash line is considering ǫ0 = 0.1 and ǫ1 = 0, the red dotted line is considering ǫ0 = 0 and ǫ1 = 0.1 with two-step post processing method, the red dash dotted line is considering ǫ0 = 0 and ǫ1 = 0.1 with one-step post processing method.Comparing with the one-step post processing method, two-step post processing method can generate much more secret key with given basis selection randomness deviation, this is because we can get more precious phase error estimation in the two-step post processing method.For given hidden variables λ 0 and λ 1 , the difference between the phase error rate in the rectilinear basis and bit error rate in the diagonal basis can be given by where e pλ0λ10 = φ For given hidden variable λ1 = 0, e b00 and e b01 are bit error rates introduced in the rectilinear basis and diagonal basis, while ep00 and ep01 are phase error rates introduced in the rectilinear basis and diagonal basis respectively.For given hidden variable λ1 = 1, e b10 and e b11 are bit error rates introduced in the rectilinear basis and diagonal basis, while ep10 and ep11 are phase error rates introduced in the rectilinear basis and diagonal basis respectively.
Similarly, the difference between e pλ11 and e bλ10 is The probability of getting the rectilinear basis and diagonal basis measurement outcomes in Bob's side can be respectively given by where The bit error rate in the rectilinear basis and diagonal basis can be respectively given by e recbit = p rec1 e b00 + p rec2 e b10 p rec , e diabit = p dia1 e b01 + p dia2 e b11 p dia .
By applying the two-step post processing method with the two different bases measurement outcomes, the final secret key rate can be given by where the first part is the secret key generated by the rectilinear basis, while the second part is the secret key generated by the diagonal basis.The corresponding secret key rate R with different quantum bit error rate values is given in Fig. 2, the calculation is based on the nonlinear optimization method with given quantum bit error rate, the detailed explanation is in the methods.To explain our analysis result, we compare the two analysis methods by considering the wavelength attack has the coupling ratio 0.4 and 0.6 with different wavelengths.If the observed quantum bit error rate is 0.02, one-step post processing method can generate the secret key rate 0.0984, while the two-step post processing method can generate the secret key rate 0.6642.Methods-By considering Eve's arbitrary attacking scheme, the final secret key rate with two different bases can be calculated with the following optimization method where Q is the quantum bit error rate estimated in the practical experimental realization, p rec = p dia = 1 2 are the bases selection probability observed in the practical experimental realization.
Conclusion -In this work, security of BB84 QKD protocol again the strong randomness attack and the weak randomness attack have been analyzed, which satisfies several practical attacking schemes, such as the photon number splitting attack, detector blinding attack, wavelength attack and time shift attack.We demonstrate that security of the practical QKD system can be evaluated by respectively considering the Trojan horse attack, the strong randomness attack and the weak randomness attack, and the three attacking models can be employed to build the practical QKD system security standardization in the future.

FIG. 1 :
FIG. 1: Weak randomness QKD model, where x0 decides the encoding classical bit, x1 decides the encoding bases selection, y decides the measurement bases selection.In the weak randomness QKD model, Eve has the advantage to guess the classical bit encoding x0 and the basis selection x1.

FIG. 3 :
FIG. 3: The classical bit encoding x0 is controlled by the hidden variable λ0, different λ0 values have different classical bit encoding probability p(x0|λ0).

3 2 −FIG. 4 :
FIG. 4:The basis selection deviation is controlled by the hidden variable λ1, different λ1 value has different basis selection probability p(x1|λ1).For given hidden variable λ1 = 0, e b00 and e b01 are bit error rates introduced in the rectilinear basis and diagonal basis, while ep00 and ep01 are phase error rates introduced in the rectilinear basis and diagonal basis respectively.For given hidden variable λ1 = 1, e b10 and e b11 are bit error rates introduced in the rectilinear basis and diagonal basis, while ep10 and ep11 are phase error rates introduced in the rectilinear basis and diagonal basis respectively.