6.3 The key generation protocol
6.3.2 Security of the KGP
In what follows we consider a finite number of states being sent and measured. Eve is allowed to perform the most general attack permissible by quantum mechanics – a so-called “coherent” attack. This means that Eve can perform any operation allowed by quantum mechanics on any/all states sent over the quantum channel, as well as an arbitrary ancilla system she prepares. Eve is also able to hold systems in quantum memory and perform general measurements at any point during or after the protocol. In this way she is free to take full advantage of all communications, both classical and quantum, sent between Alice and Bob. The classical random variables $V$, Θn and $X_{B,\text{forward}}$ represent the information gained by Eve from parameter estimation, basis declarations in the sifting step and, if Eve is Charlie, the forwarding of $X_{B,\text{forward}}$ by Bob, respectively. Our strategy is to find Eve’s information in terms of her smooth min-entropy, and use that to bound the probability that she can make a signature declaration containing fewer than a specified number of mismatches with Bob’s key.
Eve’s smooth min-entropy
Eve’s conditional smooth min-entropy on Bob’s key $X_{B,\text{keep}}$ can be derived using existing results in QKD, with the only difference being that here Bob gives the extra information $X_{B,\text{forward}}$ to Eve. However, since Bob does not subsequently use this part of the key, this can be treated in the same manner as the $V$ string sacrificed for parameter estimation [117]. For ease of notation, we will simply write $X$ instead of $X_{B,\text{keep}}$.

In quantum information it is common for letters near the start of the alphabet ($A$, $B$, $C$, etc) to refer to quantum systems, whereas letters near the end of the alphabet ($X$, $Y$, $Z$, etc) refer to classical random variables. For this reason, during the KGP subprotocol, to align with standard QKD notation we denote Bob’s keys using $X$, since they are classical bit strings generated from $X$ basis measurements. Nevertheless, when discussing the full signature protocol it is clearer to denote Bob’s keys using the $B$ label to denote Bob’s identity.
We gather all of Eve’s information into one quantum system living in the Hilbert space $\mathcal{H}_E$. This comprises the space containing Eve’s ancilla quantum systems following her coherent attack, $\mathcal{H}_{E'}$, as well as the spaces containing the classical information $V$, Θn, and $X_{B,\text{forward}}$, which we assume are available to Eve. As in Appendix B of [114], the min-entropy is then

$$H_{\min}(X|E) \gtrapprox s^-_{X,0} + s^-_{X,1}\left[1 - h(\phi^+_{X,1})\right], \tag{6.2}$$

where the inequality holds up to a small additive term proportional to log(1/). Here $s^-_{X,0}$ and $s^-_{X,1}$ are estimates of the number of $X$ basis counts which come from 0 and 1-photon pulses respectively, and which make up the entries in the string $X$. $\phi^+_{X,1}$ is the phase error rate in $X$ basis measurements coming from single-photon pulses. The superscripts $+$ and $-$ are upper and lower bounds representing worst-case scenario estimates consistent with parameter estimation performed on a finite sample (see Appendix A.1), and $h$ is the binary entropy.
Guessing bounds
Given Eve’s conditional smooth min-entropy, the following theorem places bounds on Eve’s ability to guess X to within a certain Hamming distance.
Theorem 6.1. Suppose that Bob and Eve share the state $\rho_{XE}$ where, as above, $X$ is an $n$-bit string held by Bob and $E$ is a quantum system representing all information held by Eve. Then, for any strategy, Eve’s probability of making at most $r$ mistakes when guessing $X$ can be bounded as³

$$p_r \le \sum_{k=0}^{r} \binom{n}{k} 2^{-H_{\min}(X|E)_\rho} + . \tag{6.3}$$

To prove this theorem, we use the following two lemmas which are proved in Appendix A.2.

³ Note that, compared to Ref. [110], this thesis makes a subtle change to the notion of security, to one which we now believe makes more sense. Both here and in Ref. [110], Eve succeeds if she is able to make at most $r$ mistakes when guessing $X$. As per the proof of Lemma 6.3, Eve uses the value of a random variable $F$ to guess $X$. Although $F$ is a random variable, its distribution function $P_F$ depends on Eve’s strategy. In this thesis, we have defined Eve’s success probability, $p_r$, to be her probability of making at most $r$ mistakes when guessing $X$, averaged over $P_F$. In Ref. [110], a stricter notion of $p_r$ was used – namely, instead of averaging over $P_F$, it was shown that Eve could not succeed for any $F$ outcome, except with some small probability. Since, given $P_F$, Eve cannot further control the value taken by $F$, we believe the averaged definition used throughout this chapter and the next makes more sense. The ideas and essence of the security proofs remain the same under either definition, but the averaged definition used in this thesis allows for a clearer and simpler statement of our results.
Lemma 6.2. Let $\tau_{XF}$ be a classical state, i.e.

$$\tau_{XF} = \sum_{x,f} P_{XF}(x,f)\, |x\rangle\langle x| \otimes |f\rangle\langle f| \tag{6.4}$$

for some orthonormal bases $\{|x\rangle\}_x$ and $\{|f\rangle\}_f$. Let $B(\tau_{XF})$ denote the set of all sub-normalised density matrices -close to $\tau_{XF}$ in terms of the generalised purified distance. Then

$$H_{\min}(X|F)_\tau = H_{\min}(X|F)_\tau \tag{6.5}$$

for some classical $\tau_{XF} \in B(\tau_{XF})$.
Lemma 6.3. Suppose Bob and Eve share the classical state $\eta_{XF}$ defined by the probability distribution $Q_{XF}$, with Bob holding $X$ and Eve holding $F$. Let $q_r$ be Eve’s probability of guessing $X$ making fewer than $r$ errors, given that $X$ and $F$ are distributed according to $Q_{XF}$. Then $q_r$ can be bounded as

$$q_r \le \sum_{k=0}^{r} \binom{n}{k} 2^{-H_{\min}(X|F)_\eta}. \tag{6.6}$$

Notation 6.4. For the sake of readability, we introduce the notation

$$b^r_n := \sum_{k=0}^{r} \binom{n}{k}. \tag{6.7}$$
Proof of Theorem 6.1. Bob and Eve share the state $\rho_{XE}$ and Eve aims to use this to guess $X$ while making fewer than $r$ errors. Since Eve must output a classical string, she performs some optimal CPTP mapping $\mathcal{N}_{E \to F}$ to transform system $E$ into a classical random variable, $F$, which dictates her guess for $X$.⁴ Her strategy maps

$$\rho_{XE} \to \tau_{XF} := \sum_{x,f} P_{XF}(x,f)\, |x\rangle\langle x| \otimes |f\rangle\langle f|, \tag{6.8}$$
where $P_{XF}$ is a probability distribution. Although $\tau_{XF}$ (and hence $P_{XF}$) are unknown, Lemma 6.2 states that

$$H_{\min}(X|F)_\tau = H_{\min}(X|F)_\tau, \tag{6.9}$$

for some classical $\tau_{XF} \in B(\tau_{XF})$ defined by the (possibly sub-normalised) probability distribution $P_{XF}$. Suppose that $\mathrm{Tr}(\tau_{XF}) = 1 - \delta$. Then if $X$ and $F$ were distributed according to the probability distribution $Q_{XF} := \frac{1}{1-\delta} P_{XF}$, applying Lemma 6.3 gives

$$q_r \le \frac{1}{1-\delta}\, b^r_n\, 2^{-H_{\min}(X|F)_\tau}, \tag{6.10}$$

where $q_r$ is Eve’s probability of making up to $r$ errors under $Q_{XF}$. In fact, $X$ and $F$ are distributed according to $P_{XF}$, so we would like to use Eq. (6.10) to bound $p_r$. The purified distance upper-bounds the trace distance, and the trace distance characterises the distinguishability of probability distributions. Since $P_{XF}$ is -close to $(1-\delta)Q_{XF}$ in terms of the purified distance,

$$p_r \le (1-\delta)\, q_r + . \tag{6.11}$$

This means that

$$p_r \le b^r_n\, 2^{-H_{\min}(X|F)_\tau} + . \tag{6.12}$$

The above expression is still not particularly enlightening, since $\tau$ is unknown in general. Nevertheless, the data processing inequality (Section 3.4.4) and Lemma 6.2 give

$$H_{\min}(X|E)_\rho \le H_{\min}(X|F)_\tau = H_{\min}(X|F)_\tau. \tag{6.13}$$

Putting it all together, we can bound $p_r$ as

$$p_r \le b^r_n\, 2^{-H_{\min}(X|E)_\rho} + . \tag{6.14}$$

⁴ For example, $F$ could simply represent Eve’s guess for $X$. More generally though, $F$ could
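An added numerical illustration (not part of the thesis): it evaluates, in the log domain, the term $b^r_n 2^{-H_{\min}}$ that appears in Eqs. (6.6), (6.12) and (6.14), taking the leading-order right-hand side of Eq. (6.2) as the min-entropy, and finds the largest $r$ for which that term stays below a chosen target. The function names, the target exponent and the sample counts are assumptions constructed for illustration, and the additive terms of Eqs. (6.2) and (6.3) are not included.

```python
import math

def binary_entropy(p):
    """Binary entropy h(p) in bits; h(0) = h(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def log2_binom(n, k):
    """log2 of the binomial coefficient C(n, k), via lgamma so large n is safe."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1)
            - math.lgamma(n - k + 1)) / math.log(2)

def log2_add(a, b):
    """log2(2**a + 2**b) without leaving the log domain."""
    hi, lo = max(a, b), min(a, b)
    return hi + math.log2(1.0 + 2.0 ** (lo - hi))

def log2_b(n, r):
    """log2 of b^r_n = sum_{k=0}^{r} C(n, k) from Notation 6.4."""
    total = 0.0  # log2 C(n, 0) = 0
    for k in range(1, r + 1):
        total = log2_add(total, log2_binom(n, k))
    return total

def min_entropy_estimate(s0, s1, phi):
    """Leading-order right-hand side of Eq. (6.2); additive term ignored."""
    return s0 + s1 * (1.0 - binary_entropy(phi))

def log2_guess_term(n, r, h_min):
    """log2 of b^r_n * 2**(-h_min), the term bounding q_r in Eq. (6.6)."""
    return log2_b(n, r) - h_min

def max_tolerated_errors(n, h_min, target_log2):
    """Largest r with b^r_n * 2**(-h_min) <= 2**target_log2, or -1 if none."""
    total, best = 0.0, -1
    for r in range(n + 1):
        if r > 0:
            total = log2_add(total, log2_binom(n, r))
        if total - h_min > target_log2:
            break  # b^r_n only grows with r, so no larger r can qualify
        best = r
    return best

if __name__ == "__main__":
    # Constructed sample values, not taken from the thesis.
    n, s0, s1, phi = 10_000, 50, 8_000, 0.03
    h = min_entropy_estimate(s0, s1, phi)
    r = max_tolerated_errors(n, h, target_log2=-40)
    print(f"H_min estimate = {h:.1f} bits, largest r = {r} ({r / n:.3f} of n)")
```

Because $b^r_n$ grows roughly as $2^{n\,h(r/n)}$, the tolerated fraction $r/n$ is set by the min-entropy rate $H_{\min}/n$ rather than by the key length alone.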