# Security of the Bennett-Brassard Quantum Key Distribution Protocol against Collective Attacks

^{1}

^{2}

^{*}

^{†}

## Abstract

**:**

## 1. Introduction

#### 1.1. A Formal Description of the BB84 Protocol

- Alice and Bob agree on a large number n, an error threshold ${p}_{a}$ and on a linear error-correction code C with parity check matrix ${P}_{C}$ of order $r\times n$. They agree as well on a linear key-generation function (privacy amplification) represented by a matrix ${P}_{K}$ of order $m\times n$. Those matrices can be publicly known beforehand or they can be determined during the protocol and sent over the classical channel. The $(r+m)\times n$ matrix whose rows are those of ${P}_{C}$ and ${P}_{K}$ put together is required to be of rank $r+m$.
- Alice randomly chooses $2n$-bit strings $\mathbf{i},\mathbf{b}\in {\mathbf{F}}_{2}^{2n}$, where ${\mathbf{F}}_{2}$ denotes the two element field, with elements $\{0,1\}$, i.e. the field of integers modulo 2. Alice encodes the state $|{\mathbf{i}}^{\mathbf{b}}\rangle =|{i}_{1}^{{b}_{1}}\rangle \dots |{i}_{2n}^{{b}_{2n}}\rangle $ and sends it to Bob over the quantum channel, one qubit at a time. Each time Bob receives a qubit he informs Alice, yet he doesn’t measure it§.
- Alice publicly sends Bob the string $\mathbf{b}$. Bob applies ${H}^{\mathbf{b}}={H}^{{b}_{1}}\otimes \dots \otimes {H}^{{b}_{2n}}$ to his state, so that if Bob had the state $|{\mathbf{i}}^{\mathbf{b}}\rangle $, once he performs ${H}^{\mathbf{b}}$ he possesses the state $|\mathbf{i}\rangle =|{i}_{1}\dots {i}_{2n}\rangle $. Bob then measures these qubits in the computation basis.We denote by ${\mathbf{i}}^{B}$ the string measured by Bob. If there is no noise and no eavesdropping, he gets exactly the bitstring $\mathbf{i}$ sent by Alice.
- Alice randomly chooses n-bits that will be used to detect eavesdropping. This is done by choosing a $2n$-bit string that has exactly n ones. Formally, Alice chooses $\mathbf{s}\in {\mathbf{F}}_{2}^{2n}$ such that $\left|\mathbf{s}\right|=n$. Alice publicly sends Bob $\mathbf{s}$.The bits indexed by $j\in [1..2n]$ such that ${s}_{j}=0$ are used for testing, while the rest are used for generating the final key (via error correction and privacy amplification). We denote the appropriate substrings of $\mathbf{i},\mathbf{b}$ that are relevant for the testing by ${\mathbf{i}}_{\overline{\mathbf{s}}}$ and ${\mathbf{b}}_{\overline{\mathbf{s}}}$, while the substrings relevant for creating the key are denoted ${\mathbf{i}}_{\mathbf{s}}$ and ${\mathbf{b}}_{\mathbf{s}}$.
- For each $j\in [1..2n]$ such that ${s}_{j}=0$, Alice and Bob publish the value of the jth-bit. Bob and Alice compare those bit values, and if more than $n{p}_{a}$ bits mismatch, they abort the protocol. The pre-fixed protocol parameter ${p}_{a}$ is actually the ratio of allowed bit-flips on the testing bits.
- Alice and Bob keep the values of the remaining n bits secret. Alice’s string is denoted $\mathbf{x}={\mathbf{i}}_{\mathbf{s}}$ and named the information string. The corresponding bitstring on Bob’s side is denoted ${\mathbf{x}}^{B}$.
- Alice sends Bob the r-bit error-correction string $\xi =\mathbf{x}{P}_{C}^{\mathrm{T}}$ (where ${P}_{C}^{\mathrm{T}}$ is the transpose of the parity check matrix). Bob uses ξ to correct his string ${\mathbf{x}}^{B}$. The string ξ is called the syndrome of the string $\mathbf{x}$ (with regard to ${P}_{C}$).
- Alice and Bob compute the m-bit final key $\mathbf{k}=\mathbf{x}{P}_{K}^{\mathrm{T}}$.

## 2. Description of Eve’s attack and its properties

#### 2.1. Eve’s attack on a single qubit

#### 2.2. Extending the attack to multiple qubits — the collective attack

#### 2.3. The probability of error

#### 2.4. The probability of error in the conjugate basis

#### 2.5. Flat attacks with respect to basis b

**Proposition**

**1.**

- (1)
- Alice and Bob use the b basis. Eve’s attack causes a bit-flip with probability${p}_{e}^{b}=\frac{1}{2}\left[\langle {E}_{01}^{b}|{E}_{01}^{b}\rangle +\langle {E}_{10}^{b}|{E}_{10}^{b}\rangle \right]$.
- (2)
- However, if Alice and Bob use the $\overline{b}$ basis, Eve’s attack causes a bit-flip with probability ${p}_{e}^{\overline{b}}=\frac{1}{2}\left[1-\text{Re}\left(\langle {E}_{00}^{b}|{E}_{11}^{b}\rangle +\langle {E}_{01}^{b}|{E}_{10}^{b}\rangle \right)\right]=\frac{1}{2}(1-r)$.

#### 2.6. A purification

## 3. Proof of security of BB84 against collective attacks

#### 3.1. Parity strings for the code and the key

#### 3.2. The Shannon distinguishability

**Lemma**

**2**.

#### 3.3. Representing states for bitstrings

#### 3.4. Case of a one-bit key

#### 3.5. Calculating and bounding the trace norm for one bit: the Biham basis.

**Lemma**

**3.**

**Lemma**

**4.**

**Lemma**

**5.**

#### 3.6. Bounding Eve’s accessible information

**Corollary**

**6.**

**Proposition**

**7.**

**Theorem**

**8.**

#### 3.7. Proof of security

**Theorem**

**9.**

#### 3.8. Reliability

## 4. Conclusions and Discussion

## References and Notes

- Bennett, C.H.; Brassard, G. Quantum Cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems and Signal Processing; 1984; pp. 175–179. [Google Scholar]
- Biham, E.; Mor, T. Security of quantum cryptography against collective attacks. Physical Review Letters
**1997**, 78, 2256–2259. [Google Scholar] [CrossRef] - Biham, E.; Mor, T. Bounds on information and the security of quantum cryptography. Physical Review Letters
**1997**, 79, 4034–4037. [Google Scholar] [CrossRef] - Biham, E.; Boyer, M.; Brassard, G.; van de Graaf, J.; Mor, T. Security of Quantum Key Distribution Against All Collective Attacks. Algorithmica
**2002**, 34, 372–388. [Google Scholar] - Biham, E.; Boyer, M.; Boykin, P.O.; Mor, T.; Roychowdhury, V.P. A proof of the security of quantum key distribution. J. Cryptology
**2006**, 19, 381–439. [Google Scholar] [CrossRef] - Fuchs, C.A.; Peres, A. Quantum-state disturbance versus information gain: Uncertainty relations for quantum information. Physical Review A
**1996**, 53, 2038–2045. [Google Scholar] [CrossRef] - Boyer, M. Security of the BB84 QKD protocol. 2005; personal notes. [Google Scholar]
- Mayers, D. Unconditional security in quantum cryptography. J. ACM
**2001**, 48, 351–406. [Google Scholar] [CrossRef] - Shor, P.W.; Preskill, J. Simple proof of security of the BB84 quantum key distribution protocol. Physical Review Letters
**2000**, 85, 441–444. [Google Scholar] [CrossRef] [PubMed] - Watanabe, S.; Matsumoto, R.; Uyematsu, T. Noise tolerance of the bb84 protocol with random privacy amplification. International Journal of Quantum Information
**2006**, 4, 935–946. [Google Scholar] [CrossRef] - Molotkov, S.; Timofeev, A. Explicit attack on the key in quantum cryptography (BB84 protocol) reaching the theoretical error limit
_{Qc}≈ 11%. JETP Letters**2007**, 85, 524–529. [Google Scholar] [CrossRef] - Kraus, B.; Gisin, N.; Renner, R. Lower and upper bounds on the secret-key rate for quantum key distribution protocols using one-way classical communication. Physical Review Letters
**2005**, 95, 080501. [Google Scholar] [CrossRef] [PubMed] - Renner, R. Security of Quantum Key Distribution. Arxiv preprint quant-ph/0512258, 2005. [Google Scholar]
- Hoeffding, W. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association
**1963**, 58, 13–20. [Google Scholar] [CrossRef]

^{*}The only limitations are the laws of physics as we currently know them.^{†}See discussion in Section 4.^{‡}The notations we use match the physicists “spin-notations” where $|{0}^{0}\rangle ={|0\rangle}_{z}$ and $|{1}^{0}\rangle ={|1\rangle}_{z}$ is the standard basis, and $|{0}^{1}\rangle ={|0\rangle}_{x}$ and $|{1}^{1}\rangle ={|1\rangle}_{x}$ is the Hadamard basis.^{§}Here we assume that Bob delays measuring each qubit till after learning its basis. In the more realistic case in which Bob cannot wait with his measurement, or in case some qubits are lost, Alice needs to send more qubits to make sure that $2n$ qubits are obtained (in Alice’s bases) as required.^{‖}Here A is Hermitian, therefore $\left|A\right|=\sqrt{A{A}^{\u2020}}$.^{**}The notation in [5] is $\langle {I}_{Eve}^{\prime}\rangle $, the value ${p}_{a}$ being fixed.^{††}We refer the reader to section 5 of [5] for detailed results and further discussion.

## A. Hoeffding’s theorem

**Theorem 10**(Hoeffding 1963)

**.**

- 1.
- independent random variables with finite first and second moments such that ${a}_{i}\le {X}_{i}\le {b}_{i}$ ($1\le i\le n$)
- 2.
- or a random sample of size n without replacement taken from a population ${c}_{1},...{c}_{N}$ such that ${a}_{i}\le {c}_{i}\le {b}_{i}$ ($1\le i\le N$)

© 2009 by the authors; licensee Molecular Diversity Preservation International, Basel, Switzerland. This article is an open-access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/3.0/).

## Share and Cite

**MDPI and ACS Style**

Boyer, M.; Gelles, R.; Mor, T.
Security of the Bennett-Brassard Quantum Key Distribution Protocol against Collective Attacks. *Algorithms* **2009**, *2*, 790-807.
https://doi.org/10.3390/a2020790

**AMA Style**

Boyer M, Gelles R, Mor T.
Security of the Bennett-Brassard Quantum Key Distribution Protocol against Collective Attacks. *Algorithms*. 2009; 2(2):790-807.
https://doi.org/10.3390/a2020790

**Chicago/Turabian Style**

Boyer, Michel, Ran Gelles, and Tal Mor.
2009. "Security of the Bennett-Brassard Quantum Key Distribution Protocol against Collective Attacks" *Algorithms* 2, no. 2: 790-807.
https://doi.org/10.3390/a2020790