Quantum key distribution promises unconditional security. This means that the security of the key is established without limitations imposed on the computational or a technological power of the eavesdropper. However, unconditional security only holds within a certain framework. Outside of the framework, we are not able to claim unconditional security. The requirements of the framework are the following:
(i) Eve has no access to any device inside Alice and Bob’s laboratories.
(ii) Eve can tamper with the quantum channel at will, but she is limited by the laws of quantum mechanics.
(iii) Eve can listen to all the messages sent over the classical channel, but the authentica- tion prevents her from changing the messages. Authentication, which is a well-known problem in the field of classical cryptography, can be achieved by means of secure classical authentication algorithms requiring only a short pre-shared secret key. In this framework, Eve’s most general attack is on the quantum signals. She attaches a fresh quantum system E0 (ancilla) to the second half of the source states |Φi⊗nAS followed by a unitary transformation, that takes the joint systems SnE0 to BnE. She then keeps the transformed ancilla E for herself, and resends the remaining systems Bn to Bob. After Eve’s interaction with the signals, but prior to Alice and Bob’s measurements, the state held by Alice and Bob is described by an unknown (mixed) state ρnAB, instead of n perfect copies of the source state |ΦiAS.
Historically, Eve’s attack strategy is divided into three classes.
1. In the individual attack Eve interacts with each of the signals sent by Alice individ- ually. She attaches a fresh quantum system E0 to each source state |ΦiAS and uses the same unitary UE each time. The unitary takes the composite system SE0 to BE. Eve sends B to Bob (see Fig. 3.1), keeps E for herself, and performs a measurement on each individual system E in order to extract information about the key. Some protocols have been analyzed under this assumption in Refs. [15, 6, 22]. However,
Alice Bob |Φ! Source A S B E
U
E E Eve Sunday, April 18, 2010Figure 3.1: In the source-replacement scheme, Alice prepares the entangled state|Φi. The system A is kept by Alice, while the system S is sent through the quantum channel to Bob. Eve attaches ancillas to the signal states and performs a unitary transformation on the joint system SE, transforming it to BE. She resends the system B to Bob. After Eve’s interaction, Alice and Bob no longer share a perfect copy of|Φi, but a bipartite state ρAB, which is only partially characterized by their observations.
individual attacks are no longer analyzed in the QKD community, not only because they are less powerful than other attacks (e.g. collective attacks), but also because the calculation of the key rate involves an optimization over Eve’s measurement, which is generally difficult to perform, and does not lead to a composable security proof (see Sec. 3.3 for the definition of composability).
2. The second type of attack is the collective attack. While in the collective attack the interaction with the signals is the same as in the individual attack, Eve is allowed to do a collective measurement on all signals jointly at the end of the protocol. She can also use all information revealed to her during the classical phase of the protocol. In particular, under the assumption of collective attacks, ρn
AB assumes a product form: ρn
AB = ρ
⊗n AB.
3. Finally, in the most general attack, the coherent attack, Eve interacts with all the signals coherently using one large ancilla on all n systems. Under this type of attack no simplification of ρn
3.2.1
Collective attacks in the source-replacement scheme
For collective attacks, Eve’s interaction is completely determined by the unitary UE be- tween each signal and the ancilla. According to the Choi-Jamiolkowski isomorphism, the transformation UE is equivalently characterized by the purification |ΨiABE of ρAB on the dilated space HABE. The dimension of the purifying system E is the same as the di- mension of AB. In order to guarantee unconditional security, we must assume that Eve can exploit everything allowed by quantum mechanics for her attack, which is realized by giving her full control over|ΨiABE. Note that to each ρAB an entire class of purifications |ΨiW
ABE =1AB⊗ WE|ΨiABE can be constructed, where W is local unitary transformation on Eve’s system. However, such local transformations on Eve’s system are irrelevant when quantifying Eve’s knowledge on the key.
After Alice and Bob measure the systems AB of |ΨiABE with respect to the POVMs MA={FAx} and MB ={FBy}, the resulting state shared between Alice, Bob and Eve is a tripartite classical-classical-quantum (ccq) state [31]
ρXY E = X
x,y
p(x, y)|xihx|X ⊗ |yihy|Y ⊗ ρxyE (3.6)
where|xi and |yi are two sets of orthonormal bases,
p(x, y) = tr{FAx⊗ FBy ρAB} (3.7) is the probability distribution of the measurement outcomes, and
ρxyE = trAB{FAx⊗ F y
B⊗ 1E|ΨihΨ|}/p(x, y) (3.8)
are Eve’s quantum states conditioned on the event that Alice and Bob’s outcomes were x and y.