Towards a realization of device-independent quantum key distribution [7]

A DIQKD protocol is composed by the following steps:

• The first phase of the protocol is called distribution. For each round of this phase:
  • Alice uses the source to prepare a maximally entangled state and send half of the state to Bob.
  • Upon receiving the state, Bob announces that he received it, and they both use their respective devices to measure the quantum systems. They record their output in a string of bits.
• The second phase is when Alice and Bob publicly exchange classical information in order to perform error correction, where they correct their strings generating the raw keys, and parameter estimation, where they estimate the parameters of interest. At the end of this phase Alice and Bob are supposed to share the same $n$-bit string and have an estimate of how much knowledge an eavesdropper might have about their raw key.
• In the final phase, Alice and Bob perform privacy amplification, where the not fully secure $n$-bit strings are mapped into smaller strings $K_A$ and $K_B$, which represents the final keys of Alice and Bob respectively.

• Network: we assume the existence of an authenticated public classical channel between Alice and Bob.
• Timing: we assume that the network is synchronous.
• Adversarial model: coherent attacks.
• Isolated labs: no information is leaked from or enters Alice’s and Bob’s labs,
  apart from the state distribution before the measurements and the public classical
  information dictated by the protocol.
• Isolated source: the preparation of states is independent of the measurements.
• Trusted classical post-processing: all the public classical communication is
  performed using an authenticated channel and the local classical computations are
  trusted
• Trusted Random Number Generators: Alice and Bob possess independent and trusted random number generators.

• Network Stage: Entanglement Distribution
• Relevant Network Parameters: transmission error $\\\epsilon_T$, measurement error $\\\epsilon_M$ (see Entanglement Distribution).
• Benchmark values:
  • Minimum number of rounds ranging from $\\\mathcal{O}(10^6)$ to $\\\mathcal{O}(10^{12})$ depending on the network parameters$\\\epsilon_T,\\\epsilon_M$, for commonly used security parameters.
  • $QBER \\\leq 0.071$, taking a depolarizing model as benchmark. Parameters satisfying $\\\epsilon_T+\\\epsilon_M\\\leq 0.071$ are sufficient to asymptotically get positive secret key rate.
• Distribution of Bell pairs, and measurement in three different bases (two basis on Alice’s side and three basis on Bob’s side).
• Alice and Bob require independent and trusted random number generators.

• $n$ expected number of rounds
• The total number of rounds $n$ is divided in to $m$ blocks of size upper-bounded by $s_{\\\max}$.
• $l$ final key length
• $\\\gamma$ fraction of test rounds
• $Q$ quantum bit error rate
• $\\\beta$ CHSH violation
• $\\\omega_{exp}$ expected winning probability on the CHSH game in an honest implementation
• $\\\delta_{est}$ width of the statistical interval for the Bell test
• $\\\delta_{con}$ confidence interval for the Bell test
• $\\\epsilon_s$ smoothing parameter
• $\\\epsilon_{EC},\\\epsilon\’_{EC}$ error probabilities of the error correction protocol
• $\\\epsilon_{EA}$ error probability of Bell violation estimation.
• $\\\epsilon_{con}$ error probability of Bell violation estimation.
• $\\\epsilon_{PA}$ error probability of the privacy amplification protocol
• $\\\mbox{leak}_{EC}$ leakage in the error correction protocol
• For any registers $(Z_i)_{i \\\in \\\mathbb{N}}$, we use $Z_j^k,\\\ (j\\\leq k)$ as a shorthand notation for the string $Z_j,\\\ldots,Z_k$.

Either the protocol aborts with probability higher than $1-(\\\epsilon_{EA}+\\\epsilon_{EC})$, or it generates a
$(2\\\epsilon_{EC}+\\\epsilon_{PA}+\\\epsilon_s)$-correct-and-secret key of length

$$ l\\\geq \\\frac{{n}}{\\\bar{s}}\\\eta_{opt} -\\\frac{{n}}{\\\bar{s}}h(\\\omega_{exp}-\\\delta_{est}) -\\\sqrt{\\\frac{{n}}{\\\bar{s}}}\\\nu_1 -{leak}_{EC} -3\\\log(1-\\\sqrt{1-(\\\frac{\\\epsilon_s}{4(\\\epsilon{EA} + \\\epsilon_{EC})})^2})+2\\\log(\\\frac{1}{2\\\epsilon_{PA}}), $$[7]

where $\\\mbox{leak}_{EC}$ is the leakage due to error correction step and the functions $\\\bar{s}$, $\\\eta{opt}$, $\\\nu_1$ and $\\\nu_2$ are specified below. The security parameters of the error correction protocol, $\\\epsilon_{EC}$ and $\\\epsilon\'{EC}$, mean that if the error correction step of the protocol (see below) does not abort, then $K_A=K_B$ with probability at least $1-\\\epsilon{EC}$, and for an honest implementation, the error correction protocol aborts with probability at most $\\\epsilon\'{EC}+\\\epsilon{EC}$.

• $\\\bar{s}=\\\frac{1-(1-\\\gamma)^{\\\left\\\lceil \\\frac{1}{\\\gamma} \\\right\\\rceil}}{\\\gamma}$
• $\\\eta_{opt}=\\\max_{\\\frac{3}{4}<\\\frac{{p}t(1)}{1-(1-\\\gamma)^{s{max}}}<\\\frac{2+\\\sqrt{2}}{4}} (F_{\\\min}(\\\vec{p},\\\vec{p}_t)-\\\frac{1}{\\\sqrt{m}}\\\nu_2)$
• $F_{\\\min}(\\\vec{p},\\\vec{p}t) = \\\frac{d}{d {p}(1)}g(\\\vec{p}) \\\Big|{\\\vec{p}_t}\\\cdot {p}(1)+( g(\\\vec{p}t)- \\\frac{d}{d{p}(1)}g(\\\vec{p})|{\\\vec{p}_t}\\\cdot {p}_t(1) )$
• $g({\\\vec{p}}) = {s}(1-h(\\\frac{1}{2}+\\\frac{1}{2}\\\sqrt{16\\\frac{{p}(1)}{1-(1-\\\gamma)^{s_{max}}}(\\\frac{{p}(1)}{1-(1-\\\gamma)^{s_{max}}} -1)+3} ))$
• $\\\nu_2 =2 (\\\log(1+6\\\cdot 2^{s_{\\\max}})+\\\left\\\lceil \\\frac{d}{d{p}(1)}g(\\\vec{p})\\\big|_{\\\vec{p}_t}\\\right\\\rceil)\\\sqrt{1-2\\\log \\\epsilon_s}$
• $\\\nu_1=2 \\\Big(\\\log 7 +\\\left\\\lceil\\\frac{|h\'(\\\omega_{exp}+\\\delta_{est})|}{1-(1-\\\gamma)^{s_{\\\max}}}\\\right\\\rceil\\\Big)\\\sqrt{1-2\\\log\\\epsilon_s}$

• Input:$ n, \\\delta$
• Output:$ K_A, K_B$
  1. Distribution and measurement

1. For every block $ j \\\in [m]$
   1. Set $i=0$ and $C_j=\\\bot$.
   2. While $i \\\leq s_{max}$
      1. Set $i=i+1$
      2. Alice and Bob choose a random bit $T_i \\\in {0,1}$ such that $P(T_i=1)=\\\gamma$.
      3. If $T_i=0$ then Alice and Bob choose inputs $(X_i, Y_i)=(0,2)$.
      4. Else they choose $X_i ,Y_i \\\in {0,1}$.
      5. Alice and Bob use their devices with the respective inputs and record their outputs, $A_i$ and $B_i$ respectively.
      6. If $T_i=1$ they set $i=s_{max}+1$.
         At this point Alice holds strings $X_1^n, A_1^n$ and Bob $Y_1^n, B_1^n$, all of length $n$.

2. Error Correction

”Alice and Bob apply the error correction protocol $EC$ (see [ [5]]) , communicating script $O_{EC}$ in the process. ”

1. If $EC$ aborts, they abort the protocol
2. Else they obtain raw keys $\\\tilde{A}_1^n$ and $\\\tilde{B}_1^n$.

3. Parameter estimation

1. Using $B_1^n$ and $\\\tilde{B}_1^n$, Bob sets $C_i$
   1. If $T_i=1$ and $A_i\\\oplus B_i=X_i\\\cdot Y_i$ then $C_i=1$
   2. If $T_i=1$ and $A_i\\\oplus B_i\\\neq X_i\\\cdot Y_i$ then $C_i=0$
   3. If $T_i=0$ then $C_i=\\\bot$
2. Bob aborts If $\\\sum_j C_{j}<m\\\times (\\\omega_{exp}-\\\delta_{est})(1-(1-\\\gamma)^{s_{\\\max}})$, i.e., if they do not achieve the expected violation. ”For the summation in 3.2 we use the convention that $\\\forall x\\\in {0,1,\\\bot},\\\ x+\\\bot=\\\bot+x=x$, that is $\\\bot$ acts as $0$ with respect to the addition.”

4. Privacy amplification

$PA(\\\cdot,\\\cdot)$ ”is a privacy amplification subroutine” (see  [6])

1. Alice and Bob run $PA(A_1^{n’},\\\tilde{B}_1^{n’})$ and obtain secret keys $K_A, K_B$;

1. Acín et al. (2007) gives the first security proof of device-independent QKD against collective attacks.
2. Vazirani and Vidick (2014) gives the first security proof of device-independent QKD against coherent attacks.
3. Arnon-Friedman et al. (2018) & Arnon-Friedman et al. (2019) simplify and tighten security proofs of device-independent QKD against coherent attacks.
4. Tan et al. (2019) shows that post-processing of the key using 2-way classical communication, denoted advantage distillation, can increase the QBER tolerance up $ 9.1\\\%$ .
5. Secret-Key Reconciliation by Public Discussion
6. Security of Quantum Key Distribution
7. Towards a realization of device-independent quantum key distribution

1. Acín, Antonio, Nicolas Brunner, Nicolas Gisin, Serge Massar, Stefano Pironio, and Valerio Scarani. ‘Device-Independent Security of Quantum Cryptography against Collective Attacks’. Phys. Rev. Lett. 98 (June 2007): 230501. https://doi.org/10.1103/PhysRevLett.98.230501.
2. Vazirani, Umesh, and Thomas Vidick. ‘Fully Device-Independent Quantum Key Distribution’. Phys. Rev. Lett. 113 (September 2014): 140501. https://doi.org/10.1103/PhysRevLett.113.140501.
3. Arnon-Friedman, Rotem, Frédéric Dupuis, Omar Fawzi, Renato Renner, and Thomas Vidick. ‘Practical Device-Independent Quantum Cryptography via Entropy Accumulation’. Nature Communications 9, no. 1 (2018): 459.
4. Tan, Ernest Y-Z, Charles C-W Lim, and Renato Renner. ‘Advantage Distillation for Device-Independent Quantum Key Distribution’. Physical Review Letters 124, no. 2 (January 2020). https://doi.org/10.1103/physrevlett.124.020502.
5. Brassard, Gilles, and Louis Salvail. ‘Secret-Key Reconciliation by Public Discussion’. In Advances in Cryptology — EUROCRYPT ’93, edited by Tor Helleseth, 410–23. Berlin, Heidelberg: Springer Berlin Heidelberg, 1994.
6. Renner, Renato. ‘Security of Quantum Key Distribution’. arXiv [Quant-Ph], 2006. arXiv. http://arxiv.org/abs/quant-ph/0512258.
7. Murta, G., S. B. van Dam, J. Ribeiro, R. Hanson, and S. Wehner. ‘Towards a Realization of Device-Independent Quantum Key Distribution’. Quantum Science and Technology 4, no. 3 (July 2019): 035011. https://doi.org/10.1088/2058-9565/ab2819.