# **Physical-Layer Security, Quantum Key Distribution and Post-quantum Cryptography**

Edited by Ivan B. Djordjevic

Printed Edition of the Special Issue Published in *Entropy*

www.mdpi.com/journal/entropy

Editor

**Ivan B. Djordjevic**

MDPI • Basel • Beijing • Wuhan • Barcelona • Belgrade • Manchester • Tokyo • Cluj • Tianjin

*Editor:* Ivan B. Djordjevic, University of Arizona, USA

*Editorial Office:* MDPI, St. Alban-Anlage 66, 4052 Basel, Switzerland

This is a reprint of articles from the Special Issue published online in the open access journal *Entropy* (ISSN 1099-4300) (available at: http://www.mdpi.com).

For citation purposes, cite each article independently as indicated on the article page online and as indicated below:

LastName, A.A.; LastName, B.B.; LastName, C.C. Article Title. *Journal Name* **Year**, *Volume Number*, Page Range.

**ISBN 978-3-0365-5003-9 (Hbk) ISBN 978-3-0365-5004-6 (PDF)**

© 2022 by the authors. Articles in this book are Open Access and distributed under the Creative Commons Attribution (CC BY) license, which allows users to download, copy and build upon published articles, as long as the author and publisher are properly credited, which ensures maximum dissemination and a wider impact of our publications.

The book as a whole is distributed by MDPI under the terms and conditions of the Creative Commons license CC BY-NC-ND.

# **About the Editor**

#### **Ivan B. Djordjevic**

IVAN B. DJORDJEVIC is a professor of electrical and computer engineering and optical sciences at the University of Arizona, director of the Optical Communications Systems Laboratory (OCSL) and Quantum Communications (QuCom) Lab, and co-director of the Signal Processing and Coding Lab. He is both an IEEE Fellow and an Optica (formerly OSA) Fellow. He received his PhD degree from the University of Nis, Yugoslavia, in 1999. Professor Djordjevic has authored or co-authored 10 books and more than 570 journal and conference publications, and he holds 54 US patents. Dr. Djordjevic serves as an Editor/Member of the Editorial Board for the following journals: IEEE TRANSACTIONS ON COMMUNICATIONS, OPTICAL AND QUANTUM ELECTRONICS, and FREQUENZ. He served as an associate editor for the OSA (OPTICA)/IEEE JOURNAL OF OPTICAL COMMUNICATIONS AND NETWORKING from 2019 to 2022. He served as editor/senior editor/area editor of IEEE COMMUNICATIONS LETTERS from 2012 to 2021. He served as editorial board member/associate editor for the IOP JOURNAL OF OPTICS and the ELSEVIER PHYSICAL COMMUNICATION JOURNAL from 2016 to 2021. Prior to joining the University of Arizona, Dr. Djordjevic held appointments at the University of Bristol and the University of the West of England in the UK, Tyco Telecommunications in the USA, the National Technical University of Athens in Greece, and the State Telecommunication Company in Yugoslavia.

# *Editorial* **Physical-Layer Security, Quantum Key Distribution, and Post-Quantum Cryptography**

**Ivan B. Djordjevic**

Department of Electrical and Computer Engineering, University of Arizona, 1230 E. Speedway Blvd., Tucson, AZ 85721, USA; ivan@email.arizona.edu; Tel.: +1-520-626-5119

The growth of data-driven technologies, 5G, and the Internet places enormous pressure on the underlying information infrastructure. There are numerous proposals on how to deal with the possible capacity crunch [1]. However, the security of both optical and wireless networks lags behind reliable and spectrally efficient transmission [2]. Significant achievements have recently been made in quantum computing [3] and quantum communication [4,5]. Most conventional cryptographic systems rely on computational security, which protects against a computationally bounded eavesdropper only for a limited time; with advances in quantum computing, this security can be compromised. To address this problem, various schemes have been proposed: physical-layer security (PLS) and quantum key distribution (QKD), which aim at information-theoretic (unconditional) security, and post-quantum cryptography, whose security rests on computational problems believed to be hard even for quantum computers. Unfortunately, it is still unclear how to integrate these different proposals with higher-level cryptographic schemes. Thus, the purpose of this Special Issue was to bring these approaches together and enable the next generation of cryptographic systems whose security cannot be broken by quantum computers.

The topics addressed in this Special Issue include physical-layer security [2], quantum key distribution (QKD) [2], post-quantum cryptography [6], quantum-enhanced cryptography [7], stealth communication [2], and covert communication [8]. There are 14 papers published in this Special Issue, distributed as follows: 1 review paper, 1 perspective paper, and 12 articles.

In the review paper [9], the authors apply the restricted-Eve concept to satellite-to-satellite secret key distillation. In conventional QKD, Eve is assumed to be omnipotent, limited only by the laws of physics. This is an unreasonably pessimistic assumption for certain applications in which the presence of Eve is easy to detect, such as free-space optical communications and in particular satellite-to-satellite links. By introducing geometrical optics within a restricted model, the authors show that the secret key rate (SKR) can be significantly improved compared to conventional QKD. They analyze SKRs from Bob's perspective through the exclusion zone approach and from Eve's perspective through dynamic positioning of the receiver aperture.

In the perspective paper [10], the author discusses how to build a global quantum communication network (QCN) by interconnecting disconnected terrestrial QCNs through a LEO satellite QCN, based on the cluster state concept. This heterogeneous global QCN would provide an unprecedented level of security for future 5G+/6G wireless networks, the Internet of Things (IoT), optical networks, and autonomous vehicles.

In the first article [11], the authors discuss underwater QKD. They apply measurement-device-independent (MDI) QKD with zero-photon catalysis (ZPC) performed at the emitter on one side to improve the SKR and extend the transmission distance. Numerical results indicate that the proposed ZPC-based scheme outperforms the corresponding single-photon-subtraction-based scheme in the extreme asymmetric case.

In the second article [12], the author describes how to build a multipartite QCN based on the surface code (SC) concept. The key idea is to simultaneously entangle multiple nodes in an arbitrary topology based on the SC approach. The author also describes how to extend the transmission distance between nodes to beyond 1000 km using SCs.

**Citation:** Djordjevic, I.B. Physical-Layer Security, Quantum Key Distribution, and Post-Quantum Cryptography. *Entropy* **2022**, *24*, 935. https://doi.org/10.3390/e24070935

Received: 27 June 2022; Accepted: 4 July 2022; Published: 6 July 2022

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2022 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

In the third article [13], the authors introduce an open-destination MDI-QKD network that is secure against untrusted relays and all detector side-channel attacks, in which every user can distribute keys with the help of the other users.

In the fourth article [14], the authors introduce a QKD protocol built on the mean multi-king problem, in which a sender shares a bit sequence with the receivers as a secret key. They study the relation between the eavesdropper's information gain and the disturbance introduced into the legitimate users' information (the information-disturbance theorem used for the BB84 protocol), and show that, as expected, Eve's extraction of information disturbs the quantum states and increases the error probability.

In the fifth article [15], the authors introduce a QKD post-processing method that raises the SKR cubically in the number of double-matching detection events. In the proposed protocol, contrary to conventional QKD protocols, the secret bits depend on Bob's measurement-basis selection rather than on Alice's transmitted bits. Furthermore, the protocol merges sifting, reconciliation, and privacy amplification into a single process, so it requires a single round without sending redundancy bits.

In the sixth article [16], the authors study a recent proposal for quantum identity authentication by Zawadzki [17] and formally prove that the corresponding protocol is insecure.

In the seventh article [18], the authors study the phase-matching QKD (PM-QKD) protocol, which employs discrete-phase randomization and phase post-compensation to quadratically improve the SKR. According to the authors, however, discrete-phase randomization opens a security loophole. They analyze an unambiguous-state-discrimination attack and the photon-number-splitting attack against PM-QKD with imperfect phase randomization, and then establish the rigorous security of decoy-state PM-QKD with discrete-phase randomization.

In the eighth article [19], the authors introduce a nonclassical attack on a QKD system and propose a corresponding countermeasure. The attack relies on the synchronization pulses, attenuated to the photon level, to determine the signaling interval. To counter it, the authors propose synchronizing pulses of variable power and varying length, combined with controlled signal attenuation.

In the ninth article [20], an entanglement-based QKD protocol is proposed that employs a modified symmetric version of the Bernstein–Vazirani algorithm to achieve secure and efficient key distribution, with two variants presented (fully symmetric and semi-symmetric).

In the 10th article [21], on physical-layer security, the authors study the impact of injection and jamming attacks during advantage distillation in a MIMO wireless system and show that a man-in-the-middle attack can be mounted as long as the attacker has one more antenna than the legitimate users. To mitigate this, they propose reducing the effect of the injection attack with a specifically designed pilot randomization technique. Then, using a game-theoretic approach, they evaluate the optimal strategies available to the legitimate users in the presence of reactive jammers.

In the 11th article [22], the authors introduce a Bayesian probabilistic algorithm that incorporates all publicly disclosed information in a qubit-based synchronization protocol to efficiently determine the clock offset without sacrificing any secure key. Since the output of the algorithm is a probability, it can be used to quantify the synchronization confidence.

In the final article [23], on secure computation, the authors present randomized versions of two known oblivious transfer protocols, one quantum and the other post-quantum, based on the ring learning with errors assumption, and prove their security in the quantum universal composability framework in the common reference string model.

**Funding:** This research received no external funding.

**Conflicts of Interest:** The author declares no conflict of interest.

# *Review* **Geometrical Optics Restricted Eavesdropping Analysis of Satellite-to-Satellite Secret Key Distillation**

**Ziwen Pan \* and Ivan B. Djordjevic**

Department of Electrical & Computer Engineering, College of Engineering, The University of Arizona, 1230 E Speedway Blvd, Tucson, AZ 85721, USA; ivan@arizona.edu

**\*** Correspondence: ziwenpan@email.arizona.edu

**Abstract:** Traditionally, the study of quantum key distribution (QKD) assumes an omnipotent eavesdropper that is limited only by the laws of physics. However, this is not the case for specific application scenarios such as QKD over a free-space link. In this invited paper, we introduce the geometrical optics restricted eavesdropping model for secret key distillation security analysis and apply it to a few scenarios common in satellite-to-satellite applications.

**Keywords:** geometrical optics restricted eavesdropping; secret key distillation; satellite-to-satellite

#### **1. Introduction**

Quantum key distribution is known to guarantee information-theoretic (unconditional) security in principle. The first QKD protocol, BB84, was developed in 1984 [1]; it uses the polarization states of single photons to distribute keys securely and is also known as the first discrete variable (DV)-QKD protocol. Different protocols have since been studied, such as device-independent protocols that address security with compromised apparatus [2–5], high-dimensional protocols that exploit high-dimensional degrees of freedom to increase the key rate [6–10], and decoy-state protocols [11–13] that use decoy states against the photon-number-splitting attack [14]. Another major category of QKD protocols, the continuous variable (CV) protocols [15,16], which encode keys into CV observables of carrier fields [17], is known to be more easily implementable owing to its compatibility with current communication devices, instead of relying on single-photon generation and detection like most DV protocols.

Generally, in this paper, we assume that Alice uses a multi-photon source governed by the mean photon number without photon-number-resolving detectors so that she is limited in knowing whether she is transmitting a multi-photon wave packet, for example, if she only has a Geiger mode detector that clicks when one or more photons are detected. For security analysis of the quantum key distribution under these assumptions, conventionally, an omnipotent eavesdropper (Eve) that can gather information from the multi-photon wave packets transmitted from Alice to Bob by collecting every photon that does not arrive at Bob's receiver is assumed [18–25]. However, this is not the case for some specific application scenarios. For example, it would be reasonable to assume that the eavesdropper's (Eve's) power collection ability is limited due to the size of her aperture in an optical wireless channel from Alice to Bob. In [26,27], geometrical optics restricted eavesdropping analysis was proposed, considering the reasonably limited power collection ability of Eve. In [28–33], some of the applications of this restricted Eve model were introduced.

In this invited paper, we present some applications of the geometrical optics restricted model. In Section 2, we briefly introduce the power-collection-restricted eavesdropping model and give the lower and upper bound expressions. In Section 3.1, we showcase geometrical optics restricted eavesdropping analysis for the case where the eavesdropper has an aperture of limited size in the same plane as Bob's, while investigating the exclusion zone as one of Bob's defense strategies. In Section 3.2, we further assume that Eve's aperture can be dynamically positioned and provide the results while optimizing this eavesdropping strategy. We conclude that the geometrical optics restricted eavesdropping model is suitable for the analysis of multiple application scenarios.

**Citation:** Pan, Z.; Djordjevic, I.B. Geometrical Optics Restricted Eavesdropping Analysis of Satellite-to-Satellite Secret Key Distillation. *Entropy* **2021**, *23*, 950. https://doi.org/10.3390/e23080950

Academic Editor: Jay Lawrence

Received: 14 June 2021; Accepted: 21 July 2021; Published: 25 July 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

#### **2. Geometrical Optics Restricted Eavesdropping Model**

As is illustrated in Figure 1, instead of assuming that Eve collects all the photons outside of Bob's receiver, only a fraction *κ* of them is collectable by Eve, denoted here as a wiretap channel with a *κ*-transmissivity beamsplitter. Here, *η* is the Alice-to-Bob channel transmissivity, *μ* is the input mean photon number per mode on Alice's side, and $n_e$ is the noise mean photon number per mode on Eve's side. $\psi_{AA'}$ and $\psi_{EE'}$ in Figure 1 are entangled pairs. Alice keeps mode $A$ and sends mode $A'$ to Bob, and in the most general case, Eve also uses entangled pairs to eavesdrop, retaining mode $E$ and sending mode $E'$ into the channel. In [26], the lower bound on the achievable key rate for direct and reverse reconciliation is shown to be

$$K_{\rightarrow} \ge \beta\, g\big(n_e(1-\eta)+\eta\mu\big) - \sum_{i} g\!\left(\frac{\nu_{y_i}^{ER}-1}{2}\right) - \beta\, g\big(n_e(1-\eta)\big) + g\big(n_e(1-\eta\kappa)\big), \tag{1}$$

$$K_{\leftarrow} \ge \beta\, g(\mu) - \sum_{i} g\!\left(\frac{\nu_{y_i}^{ER}-1}{2}\right) - \beta\, g\!\left(\mu - \frac{\eta\mu(1+\mu)}{1+n_e-n_e\eta+\eta\mu}\right) + \sum_{i} g\!\left(\frac{\nu_{y_i}^{ER}-1}{2}\right), \tag{2}$$

$$g(x) = (x+1)\log_2(x+1) - x\log_2 x, \tag{3}$$

with detailed expressions for $\nu_{y_i}^{ER}$ available in [26]. Here, *β* is the reconciliation efficiency, which is set to *β* = 1 throughout this paper.

**Figure 1.** Geometrical optics restricted model wiretap channel notation [26].

The upper bound in a pure loss channel (*ne* = 0) is shown to be [26]

$$K \le \log_2 \frac{\eta + \kappa(1-\eta)}{\kappa(1-\eta)}, \tag{4}$$

while the upper bound in a thermal noise channel does not have a closed form expression. Detailed calculations can be found in Appendix A of [26].

#### **3. Applications on Satellite-to-Satellite Secret Key Distillation**

In this section, we study some applications of the geometrical optics restricted model analysis that would be common in satellite-to-satellite links, where Eve's collecting ability is naturally limited by the radius of her receiver aperture, which usually ranges from centimeters to decimeters for traditional free-space communication. For an upper-bounding estimate of Eve's aperture size, the (ground-based) Giant Magellan Telescope, one of the largest optical observatories, has a primary mirror of 12.5 m radius [34]. Known aperture sizes of space-based instruments are much smaller, such as the 1.2 m radius primary mirror of the Hubble Space Telescope [35] and the 20 cm radius aperture of NASA's Wide-field Infrared Survey Explorer infrared telescope [36].

We analyze both the communicating parties' and Eve's strategies, starting in Section 3.1 with a defense strategy on Bob's side called an exclusion zone, under the aforementioned assumptions and considering the case where Eve's aperture is in the same plane as Bob's. Then, in Section 3.2, we move on to assume that Eve's aperture can be dynamically positioned, and derive Eve's eavesdropping strategy. In this section, we assume that a Gaussian beam with beam waist $W_0$ and wavelength *λ* = 1550 nm is transmitted. The space temperature is set to *T* = 3 K, and we calculate the noise mean photon number using the black-body radiation equation:

$$n_e = \frac{1}{e^{hf/kT} - 1}, \tag{5}$$

where *h* is the Planck constant, *f* is the transmission center frequency, and *k* is the Boltzmann constant. We then calculate the power transmitted by Alice, $P_{\text{Alice}}$, the power received by Bob, $P_{\text{Bob}}$, and the power received by Eve, $P_{\text{Eve}}$; the channel transmissivity *η* and the restriction factor on Eve *κ* can then be expressed as

$$\eta = \frac{P_{\text{Bob}}}{P_{\text{Alice}}}, \tag{6}$$

$$\kappa = \frac{P_{\text{Eve}}}{P_{\text{Alice}}(1-\eta)}. \tag{7}$$

In this section, we calculate the lower bound as the maximum of the direct reconciliation lower bound and the reverse reconciliation lower bound.

#### *3.1. Bob's Defense Strategy: Exclusion Zone*

In this subsection, we introduce the problem set-up of one of the most straightforward defense strategies available to the communicating parties: the so-called exclusion zone. In principle, the closer Eve is to the beam transmission axis from Alice to Bob, the more likely the legitimate parties are to detect her presence (e.g., with a naïve approach such as a visible or infrared telescope, or even radar, and abort communication if a possible eavesdropper is detected within a certain range of the communicating parties). In free-space channels such as satellite links, it is also possible for Bob to place opaque material around his receiver to absorb any photons arriving outside his receiver aperture, preventing them from propagating further and possibly ending up in Eve's receiver aperture. As illustrated in Figure 2, the exclusion zone is denoted by a dashed circle around Bob's receiver; potential eavesdroppers cannot collect photons that arrive in this region. By definition, Bob's aperture area is also part of the exclusion zone, since photons arriving at Bob's aperture are not collectable by Eve. More specifically, we say that Bob is setting up an exclusion zone if the area of the exclusion zone ($A_{ex}$) is larger than his receiver aperture area ($A_{\text{Bob}}$ or $A_b$). Other parameters are *L*, the transmission distance, and $A_{\text{Alice}}$ ($A_a$) and $A_{\text{Eve}}$ ($A_e$), the areas of Alice's aperture (radius $r_a$) and Eve's aperture (radius $r_e$), respectively. The radii of Bob's aperture and of the exclusion zone are denoted $r_b$ and $r_{ex}$ ($r_{ex} \ge r_b$). Here, Eve's limited-size aperture is placed in the same plane as Bob's, since that is the worst case for the purpose of our study under the exclusion zone assumption if Eve is not allowed on the Alice-to-Bob line of sight.

**Figure 2.** Limited size aperture of Eve in the same plane as Bob's. Here, Bob is setting an exclusion zone around his receiver as a defense strategy.

To start with, we set $r_{ex}$ = $r_b$ (no additional exclusion zone) and investigate how Eve's aperture size affects the achievable secure key rate lower bound (LB) and upper bound (UB), as shown in Figure 3. Here, we can see that under these parameters, the lower bound was quite close to the upper bound, which pins down the capacity in this scenario. As Eve's aperture size increased, the achievable rate went down and saturated, but still outperformed the unrestricted-case capacity. The reason for this saturation is that the transmitted beam intensity was strongest at its center and fell off quickly in the outer regions; beyond some point, enlarging Eve's aperture only gathered photons from regions far from the beam center, which did little to increase Eve's advantage. Consequently, in the figures below, we set Eve's aperture radius to 10 cm, equal to $r_a$ and $r_b$, for a fair comparison.

**Figure 3.** Achievable secure key rate lower and upper bounds as functions of Eve's aperture radius $r_e$, with $r_{ex}$ = $r_b$. The unrestricted case (infinite-sized aperture on Eve's side) is also included. Here, $W_0$ = $r_a$ = $r_b$ = $r_{ex}$ = 20 cm.

In Figure 4, we set the exclusion zone radius to $r_{ex}$ = 15 cm and 20 cm and compare the achievable rate lower bounds (LB) and upper bounds (UB) with those of the case without an additional exclusion zone. Here, we can see that with a limited-size aperture on Eve's side, the achievable secure key rate outperformed that of the unrestricted case. The lower and upper bounds were quite close, which narrows the range for the capacity. We can also see that an exclusion zone helped increase the key rate when the transmission distance was not too large. However, when the transmission distance was sufficiently large, the lower and upper bounds became constant, as proved in [30], because the collecting abilities of Bob and Eve became proportional to their aperture areas:

$$\lim_{L \to \infty} \frac{P_{\text{Eve}}}{P_{\text{Bob}}} = \frac{A_e}{A_b}. \tag{8}$$

**Figure 4.** Achievable secure key rate lower and upper bounds as functions of the transmission distance. The unrestricted case (infinite-size aperture on Eve's side with $r_{ex}$ = $r_b$) is also included. Here, $W_0$ = $r_a$ = $r_b$ = $r_e$ = 10 cm.

Here, we can see that an exclusion zone would not affect this saturation very much, as at a large transmission distance, the collecting ability of Bob and Eve became proportional to their aperture sizes as in Equation (8) when the area of an exclusion zone was not significantly larger than the receiver aperture sizes of Bob and Eve.
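The quantities of Sections 2 and 3.1 can be reproduced numerically. What follows is an added example written for this reprint, not code from the authors: it assumes a paraxial Gaussian beam of waist $W_0$, a circular on-axis receiver for Bob, an exclusion zone of radius $r_{ex}$, and Eve's circular aperture placed in Bob's plane tangent to the exclusion zone (the same-plane worst case of Figure 2); it ignores aperture diffraction and normalises $P_{\text{Alice}}$ to 1. It evaluates Equation (5) with an overflow guard (at 1550 nm and 3 K, $hf/kT \approx 3100$, so a naive `exp()` overflows), $\eta$ and $\kappa$ per Equations (6) and (7), the pure-loss upper bound of Equation (4), and the large-distance ratio of Equation (8). The function names and the 200-by-200 midpoint quadrature are the example's own choices.

```python
"""Worked numbers for the geometrical-optics restricted model (Sections 2 and 3.1).

Added example, not code from the paper. Assumptions: paraxial Gaussian beam of
waist w0 at wavelength lam; Bob's circular aperture (radius r_b) centred on the
beam axis; an exclusion zone of radius r_ex >= r_b around Bob; Eve's circular
aperture (radius r_e) in Bob's plane, tangent to the exclusion zone (centre
offset r_ex + r_e). Aperture diffraction is ignored; P_Alice is normalised to 1.
"""
import math

H_PLANCK = 6.62607015e-34   # J s
K_BOLTZ = 1.380649e-23      # J/K
C_LIGHT = 299792458.0       # m/s


def thermal_mean_photons(lam, temp):
    """Eq. (5): n_e = 1/(exp(hf/kT) - 1) with f = c/lam; guards the exp() overflow."""
    x = H_PLANCK * (C_LIGHT / lam) / (K_BOLTZ * temp)
    if x > 700.0:            # exp(x) overflows a double; n_e is numerically zero
        return 0.0
    return 1.0 / math.expm1(x)


def beam_radius(w0, lam, dist):
    """1/e^2 intensity radius W(L) of a Gaussian beam after propagating dist metres."""
    z_r = math.pi * w0 ** 2 / lam                  # Rayleigh range
    return w0 * math.sqrt(1.0 + (dist / z_r) ** 2)


def on_axis_fraction(w, radius):
    """Fraction of beam power inside an on-axis circular aperture (closed form)."""
    return 1.0 - math.exp(-2.0 * radius ** 2 / w ** 2)


def off_axis_fraction(w, radius, offset, n=200):
    """Fraction of beam power inside a circular aperture whose centre is `offset`
    metres off-axis; midpoint rule in polar coordinates about the aperture centre."""
    peak = 2.0 / (math.pi * w ** 2)                # on-axis intensity, unit total power
    ds, dphi = radius / n, 2.0 * math.pi / n
    total = 0.0
    for i in range(n):
        s = (i + 0.5) * ds
        for j in range(n):
            rho2 = offset ** 2 + s ** 2 + 2.0 * offset * s * math.cos((j + 0.5) * dphi)
            total += peak * math.exp(-2.0 * rho2 / w ** 2) * s * ds * dphi
    return total


def link_budget(w0, lam, dist, r_b, r_ex, r_e):
    """Eqs. (6)-(7): (eta, kappa) with Eve tangent to the exclusion zone in Bob's plane."""
    if r_ex < r_b:
        raise ValueError("the exclusion zone must contain Bob's aperture (r_ex >= r_b)")
    w = beam_radius(w0, lam, dist)
    eta = on_axis_fraction(w, r_b)                          # P_Bob / P_Alice
    p_eve = off_axis_fraction(w, r_e, r_ex + r_e)           # P_Eve / P_Alice
    return eta, p_eve / (1.0 - eta)                         # kappa = P_Eve / (P_Alice (1 - eta))


def pure_loss_upper_bound(eta, kappa):
    """Eq. (4) in bits per channel use; kappa = 1 gives the unrestricted -log2(1 - eta)."""
    if kappa <= 0.0:
        return math.inf
    return math.log2((eta + kappa * (1.0 - eta)) / (kappa * (1.0 - eta)))


def eve_to_bob_power_ratio(w0, lam, dist, r_b, r_ex, r_e):
    """P_Eve / P_Bob; Eq. (8) says this tends to A_e / A_b as dist grows."""
    w = beam_radius(w0, lam, dist)
    return off_axis_fraction(w, r_e, r_ex + r_e) / on_axis_fraction(w, r_b)


if __name__ == "__main__":
    lam, w0, r = 1550e-9, 0.10, 0.10                         # Figure 4 parameters
    print("n_e at T = 3 K:", thermal_mean_photons(lam, 3.0))  # pure-loss regime applies
    print(" L [km]   r_ex  eta       kappa     UB_restricted  UB_unrestricted")
    for dist in (1e3, 1e4, 1e5, 1e6):
        for r_ex in (0.10, 0.20):
            eta, kappa = link_budget(w0, lam, dist, r, r_ex, r)
            print(f"{dist / 1e3:7.0f}  {r_ex:.2f}  {eta:.6f}  {kappa:.6f}  "
                  f"{pure_loss_upper_bound(eta, kappa):13.4f}  "
                  f"{pure_loss_upper_bound(eta, 1.0):15.4f}")
    print("P_Eve/P_Bob at L = 1e7 m:",
          round(eve_to_bob_power_ratio(w0, lam, 1e7, r, r, r), 4), "(A_e/A_b = 1)")
```

With $\kappa = 1$ the bound reduces to $-\log_2(1-\eta)$, the unrestricted pure-loss limit, so the gap between the last two columns of the printed table is exactly the gain from restricting Eve. Because $n_e$ evaluates to zero at 3 K, the pure-loss bound of Equation (4) is the relevant one for the satellite scenario, and the large-distance ratio confirms the saturation of Equation (8) for equal apertures.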

#### *3.2. Eavesdropper's Strategy: A Dynamically Positioned Aperture*

In this subsection, we introduce and analyze one of the eavesdropper's possible strategies with a dynamically positioned aperture, which applies to the geometrical optics restricted model, where Eve could dynamically position her aperture behind Bob's. As is illustrated in Figure 5, $A_{\text{Alice}}$ ($A_a$), $A_{\text{Bob}}$ ($A_b$), and $A_{\text{Eve}}$ ($A_e$) are the areas of Alice's aperture (radius $r_a$), Bob's aperture (radius $r_b$), and Eve's aperture (radius $r_e$), respectively. $L_{AB}$ is the distance between Alice's and Bob's aperture planes, while $L_{BE}$ is the distance between Bob's and Eve's aperture planes. $D$ is the distance between Eve's aperture center and the beam propagation line-of-sight path.

**Figure 5.** Eavesdropper dynamic positioning set-up.

As was proven in Equation (44) of [33], when $L_{AB}$ was sufficiently large, the optimal strategy for Eve was to set $L_{BE}$ = $L_{AB}$ and $D$ = 0. Thus, we set $L_{BE}$ = $L_{AB}$, $D$ = 0 and obtained the lower and upper bounds on the achievable secure key rate as in Figure 6. It is shown that in this case, the rate increased with the increase in $W_0$, as this decreased the divergence angle, making the beam more focused on Bob's aperture plane. We can also see that, by applying this strategy, Eve suppressed Alice and Bob's achievable key rate compared with the similar distance range in Figure 4.

**Figure 6.** Lower and upper bounds of the achievable secure key rate versus $L_{AB}$ with $L_{BE}$ = $L_{AB}$ and $D$ = 0. Bob's and Eve's aperture radii are $r_b$ = $r_e$ = 10 cm.

#### **4. Discussion**

In this invited paper, we briefly introduced the geometrical optics restricted model and presented a few cases applying this model to some common cases in free-space optical links such as the satellite-to-satellite channel. We showcased the achievable secure key rate lower and upper bounds and compared them to the unrestricted case. Furthermore, we investigated the strategy from both the communication parties' side and Eve's side within this model.

**Funding:** National Science Foundation (1828132, 1907918).

**Acknowledgments:** The authors thankfully acknowledge helpful discussions with Saikat Guha, Kaushik P. Seshadreesan and John Gariano from the University of Arizona, Jeffrey H. Shapiro from the Massachusetts Institute of Technology and William Clark and Mark R. Adcock from General Dynamics.

**Conflicts of Interest:** The authors declare no conflict of interest.

# *Perspective* **On Global Quantum Communication Networking**

#### **Ivan B. Djordjevic**

Department of Electrical and Computer Engineering, University of Arizona, Tucson, AZ 85721, USA; ivan@email.arizona.edu; Tel.: +1-520-626-5119

Received: 29 June 2020; Accepted: 28 July 2020; Published: 29 July 2020

**Abstract:** Research in quantum communications networks (QCNs), where multiple users desire to generate or transmit common quantum-secured information, is still in its beginning stage. To address the problems of both discrete variable and continuous variable quantum key distribution (QKD) schemes simultaneously, as well as to enable the next generation of quantum communication networking, in this Special Issue paper we describe a scenario where disconnected terrestrial QCNs are coupled through a low Earth orbit (LEO) satellite quantum network, forming a heterogeneous satellite–terrestrial QCN. The proposed heterogeneous QCN is based on the cluster state approach and can be used for numerous applications, including: (i) to teleport arbitrary quantum states between any two nodes in the QCN; (ii) to enable the next generation of cyber security systems; (iii) to enable distributed quantum computing; and (iv) to enable the next generation of quantum sensing networks. The proposed QCNs will be robust against various channel impairments over heterogeneous links. Moreover, the proposed QCNs will provide an unprecedented security level for 5G+/6G wireless networks, the Internet of Things (IoT), optical networks, and autonomous vehicles, to mention a few.

**Keywords:** quantum key distribution (QKD); discrete variable (DV)-QKD; continuous variable (CV)-QKD; postquantum cryptography (PQC); quantum communications networks (QCNs)

#### **1. Introduction**

Quantum communication (QuCom) employs quantum information theory concepts, in particular the no-cloning theorem and the indistinguishability of non-orthogonal quantum states, to implement the distribution of keys with verifiable security, commonly referred to as quantum key distribution (QKD), where security is guaranteed by the fundamental laws of physics as opposed to the unproven mathematical assumptions employed in computational-security-based cryptography [1–3]. Despite the appealing features of QuCom, some fundamental and technical challenges need to be addressed prior to its widespread application. For instance, both the rate and distance of QuCom are fundamentally limited by channel loss, as specified by the rate-loss tradeoff. To overcome the rate-distance limit of discrete variable (DV)-QKD protocols, two predominant approaches have been pursued recently: (i) the development of quantum relays and (ii) the employment of trusted relays. Quantum relays require long-duration quantum memories and high-fidelity entanglement distillation [4], which are not yet widely available. On the other hand, the trusted-relay methodology assumes that the relay between two users can be trusted [5]; unfortunately, this assumption is difficult to verify in practice. The measurement device independent (MDI)-QKD approach [6] closes the detection loopholes; however, its secret-key rate (SKR) is still bounded by an *O*(*T*) dependence (with *T* standing for transmissivity). Recently, twin-field (TF) QKD has been proposed to overcome the rate-distance limit [7]; its SKR scales with the square root of the transmittance, which makes it a promising approach for extending the transmission distance. Another key limitation of DV-QKD is the dead time of single-photon detectors (SPDs), which limits the baud rate and consequently the SKR. To address this problem, continuous variable (CV)-QKD can be used instead [1,8–10]; it employs homodyne/heterodyne detection and thus does not exhibit the SPDs' dead-time limitation. In particular, discrete modulation (DM)-based CV-QKD protocols offer much better reconciliation efficiency than Gaussian modulation (GM)-based CV-QKD protocols. Unfortunately, the security proofs of DM-based CV-QKD schemes against collective and coherent attacks are still incomplete. To overcome the key challenges of DV-QKD, such as low SKR values and limited distance, and of DM-based CV-QKD, such as the incompleteness of security proofs, the following approaches have been proposed in our recent papers: (1) discretized GM (DGM)-CV-QKD [11], (2) optimized CV-QKD [12], and (3) hybrid DV-CV QKD [13]. An alternative approach to QKD is post-quantum cryptography (PQC) [14], a collective term for cryptographic algorithms believed to be secure against attacks by quantum computers. Unfortunately, PQC also rests on unproven computational assumptions, and some PQC algorithms may be broken in the future by more sophisticated quantum algorithms.

Modern classical communication networks consist of multiple nodes connected by various types of channels, including free-space optical (FSO) links, optical fibers, ground–satellite links, wireless RF, and coaxial cables. Such a heterogeneous architecture would be equally important for QCNs, as quantum nodes may access a QCN via different kinds of channels. Indeed, quantum communications have been individually validated in free-space, optical fibers, and between a satellite and a ground station, but a combined heterogeneous QCN employing multiple types of channels remains elusive. Unlike in the point-to-point communication case, the fundamental quantum communication rate limits are not well known. Several QKD testbeds have been reported so far, including the DARPA QKD network [15], Tokyo QKD network [16], and secure communication based on quantum cryptography (SECOQC) network [17]. The QKD can also be used to establish QKD-based campus-to-campus virtual private networks employing the IPsec protocol [18] as well as to establish the network setup for using transport-layer security (TLS) based on QKD [19]. However, all of these networks employ the dark fiber infrastructure. Quantum communication over satellite links has already been demonstrated; see for example [20,21].

In this Special Issue paper, we propose to implement the multipartite QCN by employing the cluster state-based concept [22]. The proposed quantum network can be used to: (i) perform distributed quantum computing, (ii) teleport quantum states between any two nodes in the network, and (iii) enable the next generation of cyber security systems. The cluster states can be described using the stabilizer formalism and as such they can easily be certified by simple syndrome measurements. In this formalism, the cluster states can be interpreted as codewords of a corresponding quantum error correction code, while the corresponding errors can be corrected by simple syndrome decoding, among other methods. By performing simple Y and Z measurements on properly selected nodes we can straightforwardly establish an Einstein–Podolsky–Rosen (EPR) pair between any two nodes in the network. Moreover, multiple EPR pairs can be established simultaneously. We further propose a cluster state-based quantum network of satellites that enables global coverage. The quantum satellite network would be composed of quantum subnetworks comprised of low Earth orbit (LEO) satellites. Some of these LEO satellite-based quantum subnetworks can be connected to a subnetwork of medium Earth orbit (MEO)/geostationary orbit (GEO) satellites. The LEO satellites should be used to interconnect terrestrial cluster state-based quantum networks. This quantum global network can also be used to distribute entangled states for quantum sensing applications and to enable distributed quantum computing on a global scale. SDN concepts should be used to reconfigure the proposed QCN.

The paper is organized as follows. In Section 2, we describe the proposed cluster states-based QCN concept. In Section 3, we describe potential approaches to extend the transmission distance between QCN nodes. In Section 4, we describe the QCN that is currently under development at the University of Arizona. Finally, in Section 5, we provide some relevant concluding remarks.

#### **2. Proposed Cluster States-Based Quantum Communications Networks**

To enable the next generation of quantum communication networking, we envision a scenario in which disconnected terrestrial cluster states-based QCNs are coupled through the LEO satellite (cluster state) quantum network, thus providing global coverage. The proposed quantum network will be highly robust against turbulence encountered by FSO links, as the envisioned quantum satellite network will communicate to ground nodes only through the LEO satellite-to-ground links, exhibiting a vertical downlink profile through vacuum followed by a turbulence layer with strength that is altitude-dependent.

The cluster states belong to the class of graph states, which also include Bell states, Greenberger–Horne–Zeilinger (GHZ) states, W-states, and various entangled states used in quantum error correction [22]. When the cluster *C* is defined as a connected subset of a *d*-dimensional lattice, it obeys the set of eigenvalue equations $S_a |\phi\rangle_C = |\phi\rangle_C$, $S_a = X_a \otimes_{b \in N(a)} Z_b$, where the $S_a$ are *stabilizer operators* and $N(a)$ denotes the neighborhood of $a \in C$. To create a 2-D cluster state, the approach proposed by Gilbert et al. [23] is applicable; it employs linear states, generated by spontaneous parametric down conversion (SPDC), local unitaries, and type I fusion to create the desired 2-D cluster state. The type I fusion is illustrated in Figure 1, based on [23]. The vertical photon is reflected by the polarization beam splitter (PBS), while the horizontal photon is transmitted through the PBS. Given the probabilistic nature of the PBS, with photons present at both the left and right input ports there are four possible outcomes, each occurring with probability 0.25. Two outcomes correspond to the desired fusion operators, so the success probability of the fusion is 0.5. When a single photon is detected by the detector, a successful fusion is declared. The procedure to create the T-shape cluster state is described in Figure 2. To create the box-cluster state, we start with a four-qubit linear cluster state, re-label qubits 2 and 3, and apply Hadamard gates to qubits 2 and 3, which effectively establishes the bond between qubits 1 and 4. Namely, relabeling the qubits is equivalent to the action of a SWAP gate. To create the box-on-chain cluster state, we start with a longer linear chain of qubits and apply the same approach as in the box-state creation. Two T-shape cluster states can be fused together to get the *H*-shape cluster state, etc.

**Figure 1.** Illustrating the type I fusion process. PBS: polarization beam splitter.

**Figure 2.** Gilbert's approach to create the *T*-shape cluster state.

Once the 2-D cluster state of nodes is created, we can use properly selected *Y* and *Z* measurements to create an EPR pair between any two nodes in the quantum network. As a reminder, the role of the *Z* measurement is to remove the particular node (qubit) from the cluster, whereas the role of the *Y* measurement is to remove a given node and link its neighboring nodes. As an illustration, the 2-D cluster state with nine nodes is shown in Figure 3. Let us assume that we are interested in establishing EPR pairs between nodes 3 and 7 as well as between nodes 1 and 9. We first perform *Y* measurements in the following order: $Y_8$, $Y_5$, and $Y_6$ to get the intermediate stage. We then perform a *Z* measurement on node 2 and a *Y* measurement on node 4 to get the two desired EPR pairs. Given that the 2-D cluster state is universal, it is possible to use the same network architecture for both QCN and distributed quantum computing. We also imagine the scenario in which each node is equipped with multiple qubits, wherein several layers of 2-D cluster states are active at the same time, which will allow us to simultaneously perform QCN and distributed quantum computing. Moreover, when several 2-D cluster states are run in parallel on the same set of network nodes, we will be able to reconfigure the QCN as needed. This can be done with the help of the SDN concept. The SDN has been introduced to separate the control plane and data plane, manage network services through the abstraction of higher-level functionality, and implement new applications and algorithms efficiently. It has already been studied to enable the coexistence of classical and quantum communication channels. Our SDN-based QCN architecture is composed of three layers, namely an application layer, a control layer, and a QCN layer. Users send their requests from the application layer to the SDN controller with the help of the northbound interface. The SDN controller allocates the QCN resources with the help of its global map through the southbound interface. The QCN layer would be composed of dense wavelength-division multiplexing (DWDM) FSO/single-mode fiber (SMF)/few-mode fiber (FMF) links and QCN nodes. Any two nodes in the QCN can communicate either through a dedicated SMF/FSO/FMF link or through a wavelength channel. The SDN controller should also determine the sequence of measurements to be performed in order to establish the desired EPR pairs. To deal with time-varying channel conditions over heterogeneous links, the system configuration should be adapted based on both application requirements and link conditions.

**Figure 3.** Establishing EPR pairs between nodes 1 and 9 as well as between nodes 3 and 7.
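The stabilizer equation of this section and the *Y*/*Z* measurement rules described above, as an added example that is not part of the paper: the cluster is tracked as a graph, the stabilizer generators $S_a$ are emitted as Pauli strings, and the standard graph-state measurement rules (*Z* deletes a node; *Y* locally complements the node's neighbourhood and then deletes it) are applied to a 3 × 3 cluster. The measurement sequence in the demo is constructed for simplicity and yields the pairs 1-7 and 3-9 rather than the Figure 3 pairs; the outcome-dependent local corrections on neighbouring qubits are not tracked.

```python
"""Graph-state bookkeeping for a cluster-state QCN (added example, not the paper's code).

A 2-D cluster state is tracked as a graph: nodes are qubits, edges are
cluster bonds. From the graph, the stabilizer generators of the text,
S_a = X_a (x) prod_{b in N(a)} Z_b, are emitted as Pauli strings, and the
standard graph-state measurement rules (Hein et al.) are applied:
  Z on node a: delete a and all its edges;
  Y on node a: locally complement the neighbourhood N(a), then delete a.
On a degree-2 node a Y measurement therefore removes the node and links
its two neighbours, as the text describes. The local Pauli corrections on
the neighbours depend on the measurement outcomes and are not tracked here.
"""
from itertools import combinations


def _link(g, a, b):
    g[a].add(b)
    g[b].add(a)


def grid_cluster(rows, cols):
    """Nodes 1..rows*cols in row-major order; bonds to right and lower neighbours."""
    g = {n: set() for n in range(1, rows * cols + 1)}
    for r in range(rows):
        for c in range(cols):
            a = r * cols + c + 1
            if c + 1 < cols:
                _link(g, a, a + 1)
            if r + 1 < rows:
                _link(g, a, a + cols)
    return g


def linear_cluster(n):
    """Linear cluster state (chain) 1-2-...-n."""
    g = {k: set() for k in range(1, n + 1)}
    for k in range(1, n):
        _link(g, k, k + 1)
    return g


def stabilizer(g, a):
    """Pauli string of S_a = X_a (x) Z_{N(a)} over the current nodes, in node order."""
    return "".join("X" if n == a else ("Z" if n in g[a] else "I") for n in sorted(g))


def commute(p, q):
    """Two Pauli strings commute iff they differ on an even number of non-identity sites."""
    clashes = sum(1 for s, t in zip(p, q) if s != "I" and t != "I" and s != t)
    return clashes % 2 == 0


def z_measure(g, a):
    """Z measurement: remove node a (and its bonds) from the cluster."""
    for b in g.pop(a):
        g[b].discard(a)


def y_measure(g, a):
    """Y measurement: complement the bonds inside N(a), then remove a."""
    for b, c in combinations(sorted(g[a]), 2):
        if c in g[b]:
            g[b].discard(c)
            g[c].discard(b)
        else:
            _link(g, b, c)
    z_measure(g, a)


def edges(g):
    return {tuple(sorted((a, b))) for a in g for b in g[a]}


def apply_sequence(g, sequence):
    """Apply (basis, node) measurements in order and return the remaining bonds."""
    ops = {"Y": y_measure, "Z": z_measure}
    for basis, node in sequence:
        ops[basis](g, node)
    return edges(g)


if __name__ == "__main__":
    g = grid_cluster(3, 3)
    print("S_5 on the 3x3 cluster:", stabilizer(g, 5))        # IZIZXZIZI
    # Constructed sequence (not the Figure 3 sequence): clear the middle column
    # with Z, then Y on the two remaining middle nodes to bond 1-7 and 3-9.
    seq = [("Z", 2), ("Z", 5), ("Z", 8), ("Y", 4), ("Y", 6)]
    print("EPR pairs:", apply_sequence(g, seq))                # {(1, 7), (3, 9)}
    for a in sorted(g):                                        # XZ / ZX generators of each pair
        print(f"  S_{a} = {stabilizer(g, a)}")
```

Any remaining two-node component is stabilized by the generators $XZ$ and $ZX$, which is the Bell-pair stabilizer group up to the untracked local corrections.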

#### **3. Extending the Distance between Nodes in QCN**

DV-QKD can be used to build QKD networks, as discussed in the introduction. Unfortunately, DV-QKD is affected by the deadtime of SPDs. Moreover, even if Eve cannot get the key because DV-QKD is used, she can prevent the parties from creating secure keys, which is similar to a Denial of Service (DoS) attack. Further, since SKRs for DV-QKD are low, the quantum key pool storing the secure keys will often be empty, hampering the operation of QKD networks. To solve this problem we propose to use hybrid QKD-PQC protocols, in which QKD is used for raw key transmission and PQC is used in information reconciliation to reduce the leakage during the error reconciliation stage, as illustrated in Figure 4. As mentioned in the introduction, PQC typically refers to various cryptographic algorithms that are thought to be secure against any quantum computer-based attack. Unfortunately, PQC is also based on unproven assumptions, and some of the PQC algorithms might be broken in the future by the development of advanced quantum algorithms. For this reason we propose to use the PQC algorithms only in the information reconciliation phase, so as to limit the leakage due to the transmission of parity bits over an authenticated classical channel (as in conventional QKD). The quantum algorithms to be developed (not yet known), which will be capable of breaking the PQC algorithms, will have a certain complexity expressed in terms of the number of operations $L$. By ensuring that the number of parity bits $N - K$ is smaller than the number of secure PQC bits $\log_2 L$, the proposed cryptographic scheme will be secure. Evidently, the proposed cryptographic scheme exploits the complexity of the corresponding quantum algorithms used to break the PQC protocols. Given that the McEliece cryptosystem based on quasi-cyclic (QC) low-density parity-check (LDPC) coding is straightforward to implement, as shown in [24], and the corresponding LDPC encoders and decoders have already been implemented in field-programmable gate arrays (FPGAs) [25], it represents an excellent candidate for the transmission of parity bits in the TF-QKD scheme. As an illustration, the secret fraction that can be achieved with the BB84 protocol is lower bounded by [1]:

$$r = q^{(Z)} \left[ 1 - h_2 \left( e^{(X)} \right) \right] - q^{(Z)} f_e \, h_2 \left( e^{(Z)} \right), \tag{1}$$

where $q^{(Z)}$ denotes the probability of declaring a successful result when Alice sent a single photon and Bob detected it in the *Z*-basis, $f_e$ denotes the error correction inefficiency ($f_e \ge 1$), $e^{(X)}$ [$e^{(Z)}$] denotes the QBER in the *X*-basis (*Z*-basis), and $h_2(x)$ is the binary entropy function $h_2(x) = -x \log_2(x) - (1 - x)\log_2(1 - x)$. The second term $q^{(Z)} h_2[e^{(X)}]$ denotes the amount of information Eve was able to learn during the raw key transmission, and this information can be removed from the final key during the privacy amplification phase. The third term $q^{(Z)} f_e h_2[e^{(Z)}]$ represents the amount of information revealed during the error correction stage. By sending the parity bits over the PQC channel this term can be effectively eliminated and the SKR can be increased.

**Figure 4.** Illustration of post-quantum cryptography-based information reconciliation.
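A worked evaluation of Eq. (1) with and without the PQC-based reconciliation of Figure 4, as an added example that is not the paper's code; the symmetric error model $e^{(X)} = e^{(Z)} = e$ used for the QBER threshold search is a constructed simplification.

```python
"""BB84 secret fraction, Eq. (1), with and without PQC-based reconciliation
(added example, not the paper's code).

Evaluates r = q^(Z) [1 - h2(e^(X))] - q^(Z) f_e h2(e^(Z)) and the hybrid
variant of the text, in which the parity bits travel over the PQC channel
and the reconciliation-leakage term is dropped.
"""
import math


def h2(x):
    """Binary entropy h2(x) = -x log2 x - (1 - x) log2 (1 - x), with h2(0) = h2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def secret_fraction(q_z, e_x, e_z, f_e=1.15, pqc_reconciliation=False):
    """Lower bound on the BB84 secret fraction, Eq. (1).

    q_z : probability of a successful single-photon Z-basis detection
    e_x, e_z : QBER in the X and Z basis
    f_e : error-correction inefficiency (>= 1)
    pqc_reconciliation : True drops the third term, since the parity bits are
        no longer revealed over the authenticated classical channel.
    """
    eve_info = q_z * h2(e_x)                     # removed by privacy amplification
    leakage = 0.0 if pqc_reconciliation else q_z * f_e * h2(e_z)
    return q_z - eve_info - leakage


def max_tolerable_qber(f_e=1.15, pqc_reconciliation=False, steps=100000):
    """Largest symmetric QBER e in (0, 0.5) with a positive secret fraction (grid scan)."""
    best = 0.0
    for i in range(1, steps):
        e = i / (2.0 * steps)
        if secret_fraction(1.0, e, e, f_e, pqc_reconciliation) <= 0.0:
            break
        best = e
    return best


def parity_budget_ok(n, k, log2_L):
    """Condition from the text: the N - K parity bits must be fewer than log2(L)."""
    return (n - k) < log2_L


if __name__ == "__main__":
    for pqc in (False, True):
        label = "PQC reconciliation" if pqc else "conventional reconciliation"
        print(f"{label}: r(e=5%) = {secret_fraction(1.0, 0.05, 0.05, 1.15, pqc):.4f}, "
              f"max QBER = {max_tolerable_qber(1.15, pqc):.4f}")
```

With $f_e = 1.15$ the conventional bound turns negative just below a 10% symmetric QBER, whereas with the leakage term removed the bound stays positive for every QBER below 50%, which is the mechanism behind the distance extension of Figure 5.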

By using this approach, as illustrated in Figure 5, the transmission distance between two nodes in the QCN can be significantly extended. Here we provide comparisons of the joint TF-QKD-McEliece encryption scheme against the phase-matching (PM) TF-QKD protocol introduced in [26], the MDI-QKD protocol [6], and the decoy-state-based BB84 protocol [27]. The system parameters are selected as follows: the detector efficiency $\eta_d = 0.25$, reconciliation inefficiency $f_e = 1.15$, the dark count rate $p_d = 8 \times 10^{-8}$, the misalignment error $e_d = 1.5\%$, and the number of phase slices for PM TF-QKD is set to $M = 16$. Regarding the transmission medium, it is assumed that the recently reported ultra-low-loss fiber with attenuation 0.1419 dB/km (at 1560 nm) is employed [28]. In the same figure, the Pirandola–Laurenza–Ottaviani–Banchi (PLOB) bound on the linear key rate is provided as well. Both the PM TF-QKD and joint TF-QKD-McEliece encryption schemes outperform the decoy-state BB84 protocol for distances larger than 162 km, while simultaneously outperforming the MDI-QKD protocol for all distances, and exceed the PLOB bound at a distance of 322 km. The PM TF-QKD protocol can achieve a maximum distance of 623 km. The proposed joint TF-QKD-McEliece encryption scheme is able to achieve a distance of even 1127 km, thus significantly outperforming all other schemes. Even though the operating wavelength was 1560 nm, other suitable wavelengths such as 2 μm and 3.9 μm can be used as well.

**Figure 5.** Proposed hybrid QKD-PQC scheme against MDI-QKD and TF-QKD in terms of secret-key rate vs. distance, assuming that ultra-low loss fiber is used.

Now, by connecting the *base stations* to the nodes in the proposed QCNs, we can provide unconditional security to 5G+/6G wireless networks. By organizing the base stations in a quantum optical mesh network and employing the proposed hybrid QKD-PQC concept we can provide unconditional security to a large number of users. The Internet of Things (IoT) architecture will comprise widely distributed nodes connected via different types of channels to enable new functionalities in communication, sensing, and computing. Communication security in such a giant network is of paramount importance. Our proposed QCNs will underpin the unconditional physical-layer security of the IoT, given that they will allow any two arbitrary nodes to securely transmit data at a high rate via an optical link. Critically, the security of such a network will not rest upon the trusted-node assumption, and a compromised node will not affect the security of other nodes. As such, the proposed QCNs will lead to a substantially stronger security level for the IoT. To enable security for future 6G wireless networks at a reasonable cost, the proposed joint satellite–terrestrial QCN can be based on CubeSat satellites.

For satellite-to-satellite quantum communications, in addition to the proposed hybrid QKD-PQC concept, it is also possible to employ our recent restricted eavesdropping concept [29], which offers a significant increase in SKRs. This concept was presented in the ICTON 2020 paper [30]. Alternatively, hybrid QKD can also be applied [13].

#### **4. QCN under Development**

The terrestrial QCN to be developed at the University of Arizona is shown in Figure 6; it will exploit the existing NSF MRI INQUIRE quantum network, representing the quantum hub (QuHub) to share entangled photons and SPDs among different labs across the campus. The outdoor FSO bidirectional link, connecting the Electrical and Computer Engineering and Optical Sciences buildings, has already been established, with the FSO transceiver shown in Figure 7. We will also create the mesh network as well as the hybrid network composed of mesh, optical star, and ring network segments. The deployed heterogeneous QCNs will allow us to test novel quantum-networking theories and develop experimental tools for counteracting various channel impairments. To deal with atmospheric turbulence effects, an adaptive optics (AO) subsystem, composed of a wavefront sensor (WFS) and a deformable mirror, will be used. The AO will be combined with adaptive LDPC coding.

**Figure 6.** Terrestrial quantum communication network to be developed at the University of Arizona.

**Figure 7.** Free-space optical transceiver used in outdoor FSO link.

To provide global coverage, we envision a scenario in which disconnected terrestrial QCNs, such as the one shown in Figure 6, are coupled through the LEO satellite quantum network. We have recently shown that a Bessel–Gaussian (BG) beam, carrying an orbital angular momentum mode, exhibits better tolerance to atmospheric turbulence effects compared to Gaussian beams for distances up to a few kilometers [31]. However, for LEO satellite-to-ground QuCom links, BG beams diffract much faster than Gaussian beams over such long distances. Hence, we need to use pure Bessel beams to overcome this problem, as we have shown in our recent paper [32]. To enable robustness against turbulence encountered by FSO links, the envisioned quantum satellite QCN should communicate with ground nodes only through the LEO satellite-to-ground links, exhibiting a vertical downlink profile through vacuum followed by a turbulence layer with altitude-dependent strength. In principle, MEO/GEO satellite QCNs can be created above the LEO QCNs to provide planetary coverage.

#### **5. Concluding Remarks**

To enable the next generation of quantum-enabled cyber security systems, we proposed a quantum network of satellites that will provide global coverage. The quantum satellite network will be composed of quantum subnetworks comprised of LEO satellites. Some of these LEO satellite-based quantum subnetworks will be connected to a subnetwork of MEO satellites. The MEO satellite subnetworks will then be interconnected to the global network of GEO satellites. The LEO/MEO satellites will also be used to interconnect terrestrial quantum networks. Each quantum communication subnetwork will be based on the cluster state concept. This global quantum network will allow us to establish EPR pairs between any two nodes in the network. It can also be used to distribute entangled states for quantum-sensing applications and to enable distributed quantum computing on a global scale.

**Funding:** This research received no external funding.

**Conflicts of Interest:** The author declares no conflict of interest.

#### **References**


© 2020 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

# *Article* **Improving Underwater Continuous-Variable Measurement-Device-Independent Quantum Key Distribution via Zero-Photon Catalysis**

#### **Yuang Wang 1,†, Shanhua Zou 1,2,\*,†, Yun Mao 1 and Ying Guo 1,2,3,\***


Received: 27 March 2020; Accepted: 16 May 2020; Published: 19 May 202

**Abstract:** Underwater quantum key distribution (QKD) is tough but important for modern underwater communications in an insecure environment. It can guarantee secure underwater communication between submarines and enhance safety for critical network nodes. To enhance the performance of continuous-variable quantum key distribution (CVQKD) underwater in terms of maximal transmission distance and secret key rate as well, we adopt measurement-device-independent (MDI) quantum key distribution with the zero-photon catalysis (ZPC) performed at the emitter of one side, which is the ZPC-based MDI-CVQKD. Numerical simulation shows that the ZPC-involved scheme, which is a Gaussian operation in essence, works better than the single photon subtraction (SPS)-involved scheme in the extreme asymmetric case. We find that the transmission of the ZPC-involved scheme is longer than that of the SPS-involved scheme. In addition, we consider the effects of temperature, salinity and solar elevation angle on the system performance in pure seawater. The maximal transmission distance decreases with the increase of temperature and the decrease of sunlight elevation angle, while it changes little over a broad range of salinity.

**Keywords:** continuous-variable quantum key distribution; measurement device independent; zero-photon catalysis; underwater channel

#### **1. Introduction**

Quantum key distribution (QKD) [1–3] is a key part of quantum communications. There are two categories of protocols, namely the discrete-variable (DV) QKD protocol [4,5] and the continuous-variable (CV) QKD protocol [6–8]. DVQKD, which was proposed in 1984 as the Bennett–Brassard 1984 (BB84) protocol [9], encodes information on different states of a single photon. It is now fully developed and has been demonstrated experimentally in free space, optical fiber, and so forth. However, DVQKD is easily disturbed by various factors such as background light and noise from components. Besides, because a single-photon source is still quite hard to realize, attenuated laser sources are used as a substitute, which can degrade the secret key rate. Fortunately, two decades after BB84 was proposed, CVQKD was introduced; it is based on observables with continuous eigenvalue spectra and modulates information onto continuous quantum variables such as phase and amplitude. Compared with DVQKD, CVQKD can automatically filter out background light while using a simple light source. Moreover, CVQKD is compatible with contemporary optical communication systems, which quickly made it a hot topic in the QKD field. In terms of measurement devices, CVQKD relies on homodyne or heterodyne detectors, which are more efficient than single-photon detectors and enable higher secret key rates. Of course, CVQKD is still imperfect; there are disadvantages such as short transmission distance, but these defects are being overcome by advancing technology.

Currently, there are several CVQKD protocols in terms of system model, such as point-to-point (PP) CVQKD and measurement-device-independent (MDI) [10,11] CVQKD [12]. PP-CVQKD, as its name suggests, is conducted directly between two parties, Alice and Bob. It is vulnerable to attacks aimed at detector imperfections. In MDI-CVQKD, by contrast, Alice and Bob first prepare and transmit coherent states to the third party Charlie. Charlie then interferes the received states to perform a Bell measurement and announces the measurement results publicly. Finally, the secret key can be shared between Alice and Bob after post-processing. Compared with PP-CVQKD, MDI-CVQKD was designed to remove the flaw of detector imperfection. It can resist side-channel attacks such as the local oscillator calibration attack [13], the wavelength attack [14], and the detector saturation attack [15].

At present, CVQKD is usually conducted through free-space and fiber channels, both of which are meaningful but challenging. Light transmission through the air channel can be disturbed by the natural environment, e.g., atmospheric turbulence [16–18], rain, fog, sunlight, and so forth. The fiber channel seems immune to external disturbance, but it is difficult to wire up and can be easily destroyed. Underwater CVQKD may, in a sense, be more meaningful than the air or fiber channel. Common QKD methods for two underwater vehicles today use periscopes or a satellite link; however, these methods require the underwater vehicles to rise to the sea surface. Fortunately, CVQKD can be feasibly implemented through an underwater channel in practice, which provides a more convenient scheme for underwater vehicles to communicate safely. However, the realization of underwater CVQKD is more difficult, considering the attenuation caused by ocean currents, molecular effects, microorganisms, scattering, and so forth. These factors can adversely affect the entanglement between the quantum states, thus leading to a short transmission distance. In what follows, we also consider the effects of temperature, salinity and sun elevation angle.

Recently, there have been several works on QKD underwater. For example, John proposed the underwater BB84 protocol using pairs of polarization-entangled photons [19]. Bouchard suggested a high-dimensional BB84 protocol with twisted photons in outdoor conditions [20]. After that, Ruan proposed a method to estimate parameters to improve CVQKD performance [21]. However, the implementation of MDI-QKD underwater remains a gap waiting to be filled. Note that despite the absolute device security of MDI-QKD, its transmission distance is unsatisfactory, and thus it is difficult to implement in harsh environments like seawater. Fortunately, to lengthen the transmission distance, non-Gaussian operations [22] like single-photon subtraction (SPS) [23] and zero-photon catalysis (ZPC) [24] are the most commonly used means. One article has put forward a plan of operating single-photon subtraction (SPS) in fiber-based CVQKD [25]. In this paper, we aim to lengthen the transmission distance of underwater CVQKD via Gaussian operations. Motivated by the characteristics of noiseless attenuation, we perform zero-photon catalysis, which preserves the Gaussian character of the state and prolongs the maximal transmission distance of the underwater CVQKD system while achieving a high secret key rate.

This paper is structured as follows. In Section 2, we propose the ZPC-based MDI-CVQKD for underwater secure communication. In Section 3, we show the performance improvement of the ZPC-based scheme by using numerical simulations. Finally, a conclusion is drawn in Section 4.

#### **2. The ZPC-Based MDI-CVQKD Protocol**

In this section, we suggest the ZPC-based MDI-CVQKD system through underwater channel. Due to the equivalence of prepare-and-measure (PM) scheme and entanglement-based (EB) scheme, we consider the EB ZPC-involved scheme to simplify the security proof of the underwater MDI-CVQKD system.

Figure 1 shows the schematic diagram of the EB ZPC-involved scheme. In this scheme, Alice in deep water aims to establish a secret channel with Bob in shallow water. Note that Alice and Bob need not be located in the same vertical column. For convenience of demonstration, we suppose that Alice is vertically below Bob, so that the transmission distance becomes the depth. First, Alice and Bob prepare the entanglement resources EPR1 and EPR2 with variances $V_A$ and $V_B$, respectively. Then, they keep modes $A_1$ and $B_1$, and send the other modes $A_2$ and $B_2$ to an untrusted party Charlie through the water channel. To simplify the equipment, we assume that the ZPC operation is conducted by David on Alice's side, which turns mode $A_2$ into mode $\overline{A}_2$. After that, Charlie receives modes $\overline{A}_2$ and $B_2$, performs Bell state measurement (BSM)-based detection, and announces the measurement results $P_{C_2}$ and $X_{C_1}$ publicly through a classical channel. Ultimately, Bob modifies mode $B_1$ to mode $\overline{B}_1$ through the operation $D(\alpha)$, where $D(\alpha)$ is a displacement operation. In this way, Alice and Bob obtain the two modes $A_1$, $\overline{B}_1$ for heterodyne detection to get the data $(X_A, P_A)$ and $(X_B, P_B)$, which can be used for estimation of channel parameters, coordinate information, and so forth. After a series of post-processing steps, the secret key is obtained.

**Figure 1.** Schematic diagram of the zero-photon catalysis (ZPC) based measurement-device-independent continuous-variable quantum key distribution (MDI-CVQKD) through underwater channel. Hom: homodyne detection, Het: heterodyne detection, PD: photon detector, BS: beam splitter.

As for the ZPC-involved data processing shown in Figure 1(a), a vacuum state in the auxiliary mode D is injected into an input port of a beam splitter (BS) with transmittance *T*, and a vacuum is detected at the corresponding output port of the BS at the same time. That is exactly the ZPC operation. This process is usually represented by an equivalent operator given by

$$\hat{O}_0 \equiv \mathrm{Tr}\left[B(T)\,\hat{\Pi}_{\mathrm{off}}\right] = {}_D\left\langle 0 \right| B(T) \left| 0 \right\rangle_{D'} \tag{1}$$

where *B*(*T*) is the operator representing BS with transmittance *T* and can be described as

$$B(T) = \exp\left[(\sqrt{T} - 1)(a_2^\dagger a_2 + d^\dagger d) + (d^\dagger a_2 - d\, a_2^\dagger)\sqrt{1 - T}\right],\tag{2}$$

and $\hat{\Pi}_{\mathrm{off}}$ is the projection operator of the photon detector (PD), which here is an on/off detector. We now consider how the ZPC operation takes effect. The state EPR1 is essentially a two-mode squeezed vacuum state, which can be expressed as

$$\begin{aligned} |EPR_1\rangle_{A_1A_2} &= S_2(r)|0,0\rangle_{A_1A_2} \\ &= \sqrt{1-\lambda^2} \sum_{l=0}^{\infty} \lambda^l |l,l\rangle_{A_1A_2} \end{aligned} \tag{3}$$

where $\lambda = \sqrt{(V_A - 1)/(V_A + 1)}$. After conducting the ZPC operation, this state turns into $|\psi\rangle_{A_1\overline{A}_2}$, which can be described as

$$|\psi\rangle_{A_1\overline{A}_2} = \frac{\hat{O}_0}{\sqrt{P_d}} |EPR_1\rangle_{A_1A_2} \tag{4}$$

where $P_d = 2/(1 + T + (1 - T)V_A)$ is the success probability of the ZPC operation. Subsequently, the covariance matrix of $|\psi\rangle_{A_1\overline{A}_2}$ can be calculated as

$$W_{A_1\overline{A}_2} = \begin{pmatrix} x\,\mathbb{I} & z\sigma_z \\ z\sigma_z & y\,\mathbb{I} \end{pmatrix},\tag{5}$$

where $\sigma_z = \mathrm{diag}(1, -1)$, $x = y = (2V_A - RV_A + R)/(1 + T + RV_A)$, and $z = 2\sqrt{T(V_A^2 - 1)}/(1 + T + RV_A)$. We note that the above-mentioned ZPC operation is actually a Gaussian operation in essence, which has an effect on the performance of the underwater CVQKD system.

#### **3. Security Analysis**

While demonstrating the effect of the ZPC-involved scheme on the underwater CVQKD system, we consider the transmittance of the seawater channel, which characterizes the transparency of seawater and thus its capacity for light transmission, as shown in Appendix A. Subsequently, we show the performance improvement of the ZPC-based system.

#### *3.1. Derivation of the Secret Key Rate*

As shown in Figure 2, we have an equivalent point-to-point (PP) protocol of the underwater ZPC-based MDI-CVQKD. Note that the validity of this equivalence has been proved [26]. Thus we use $T_c$ and $\varepsilon_{th}$ to represent the transmittance and excess noise of the PP CVQKD protocol, given by

$$T_c = g^2 T_A / 2,\tag{6}$$

and

$$\varepsilon_{th} = \frac{T_B}{T_A}(\varepsilon_B - 2) + \varepsilon_A + \frac{2}{T_A}. \tag{7}$$

Taking into account the noise caused by Charlie's imperfect detection, the whole channel noise can be expressed as

$$\chi_{tot} = \frac{1 - T_c}{T_c} + \varepsilon_{th} + \frac{2\chi_{hom}}{T_A}, \tag{8}$$

with $\chi_{hom} = (\nu_{el} + 1 - \eta)/\eta$, where $\nu_{el}$ stands for the electronic noise and $\eta$ for the quantum efficiency. The transmittance $T_{A(B)}$ of the seawater channel can be expressed as

$$T_{A(B)} = e^{-\alpha(\lambda) D_{AC(BC)}},\tag{9}$$

where $\alpha(\lambda)$ is the attenuation coefficient given in Appendix A.

**Figure 2.** Schematic diagram of the ZPC-based point-to-point (PP) CVQKD system.

Unlike the case of a non-Gaussian operation, after performing ZPC the resulting state $|\psi\rangle_{A_1\overline{A}_2}$ is still a Gaussian state, thus it is reasonable to derive the secret key rate directly from conventional Gaussian CVQKD, given by

$$K = P_d\left\{ \beta I(A:B) - \chi(B:E) \right\},\tag{10}$$

where $\beta$ is the reverse-reconciliation efficiency, $I(A:B)$ the mutual information between Alice and Bob, and $\chi(B:E)$ the Holevo bound between Bob and Eve. Let $|\psi\rangle_{A_1B_1}$ denote the state obtained when $|\psi\rangle_{A_1A_2}$ passes through the channel in the equivalent PP CVQKD protocol; its covariance matrix can be written as

$$\begin{split} V_{A_1 B_1} &= \begin{pmatrix} X\,\mathbb{I} & Z\sigma_z \\ Z\sigma_z & Y\,\mathbb{I} \end{pmatrix} \\ &= \begin{pmatrix} x\,\mathbb{I} & \sqrt{T_c}\,z\sigma_z \\ \sqrt{T_c}\,z\sigma_z & T_c(x+\chi_{tot})\,\mathbb{I} \end{pmatrix}. \end{split} \tag{11}$$

Then, *I*(*A* : *B*) can be calculated as

$$I(A:B) = \log_2 \frac{(X+1)(Y+1)}{(X+1)(Y+1) - Z^2}.\tag{12}$$

To calculate $\chi(B:E)$, we assume Eve is aware of David's existence and can purify the whole system $\rho_{A_1B_1ED}$. Based on this, $\chi(B:E)$ can be written as

$$\begin{aligned} \chi(B:E) &= S(E) - S(E|B) \\ &= \sum_{i=1}^{2} G\left(\frac{\lambda_i - 1}{2}\right) - G\left(\frac{\lambda_3 - 1}{2}\right), \end{aligned} \tag{13}$$

where $G(x) = (x+1)\log_2(x+1) - x\log_2 x$ is the von Neumann entropy function, and $\lambda_{1,2}^2 = \left(\Delta \pm \sqrt{\Delta^2 - 4\omega^2}\right)/2$ with $\omega = XY - Z^2$ and $\Delta = X^2 + Y^2 - 2Z^2$.

#### *3.2. Numerical Simulations*

In the following, we show the performance improvement of the ZPC-based MDI-CVQKD in terms of both the maximal transmission distance and the secret key rate, compared with the SPS-based MDI-CVQKD and the traditional MDI-CVQKD.

In the numerical simulations of the secret key rate of the ZPC-based MDI-CVQKD, we set *DBC* = 0, the asymmetric case that achieves the longest transmission distance. Moreover, we take *εA* = *εB* = 0.01, *β* = 0.96, *η* = 1, and *νel* = 0. First of all, we consider the influence of the tunable variances *VA* and *VB*, which significantly affect the system, as shown in Figure 3. For simplicity, we set *VA* = *VB*. We find that the traditional scheme is sensitive to *VA* (*VB*), whereas the SPS-based and ZPC-based schemes maintain a stable transmission depth even when *VA* (*VB*) varies over a wide range, as shown in Figure 3a. In addition, the secret key rate of the traditional scheme decreases quickly as *VA* (*VB*) increases, as shown in Figure 3b, whereas the secret key rate of the other two schemes decreases slowly. This result shows that the ZPC-based and SPS-based schemes are more flexible for application in the underwater CVQKD system.

**Figure 3.** (**a**) The secret key rate as a function of *VA* (*VB*) for the traditional scheme (blue surface) and the ZPC-based (magenta surface) and the single photon subtraction (SPS)-based scheme (green surface). (**b**) A cross section of (a) where depth is set to 30 m for the traditional (yellow), the ZPC-based (blue), and the SPS-based (red).

Note that in a practical system, the performance of CVQKD depends on the imperfections of its components. For example, the Faraday mirror, which is used for adjusting the polarization angle of the signal, is quite sensitive to the rotation angle. The rotation angle should be set to exactly 45° to make the polarization angles of the signal and the local oscillator orthogonal. In practice, however, the rotation angle cannot be set perfectly, which decreases the secret key rate, especially when the transmittance *T* is small. Fortunately, increasing the variance appropriately provides an efficient way to compensate for these defects [27].

In Figure 4, we illustrate the performance of the related schemes in terms of the secret key rate and the maximal transmission depth under different variances. From Figure 4a, when the variance *VA* (*VB*) is small, both the underwater ZPC-based and SPS-based schemes show no obvious advantage in depth compared with the condition on land. The SPS-based scheme reaches its longest depth at about 43 m, which is close to that of the traditional scheme, while the ZPC-based scheme has the longest transmission distance of 50 m. This phenomenon may be caused by the small transmittance in the sea: because of it, the secret key rate of all three schemes drops to zero quickly, leaving fewer chances for the SPS-based and ZPC-based schemes to show a distance advantage. However, Figure 4b shows a different result. When the variance *VA* (*VB*) is increased, the longest distance of the traditional scheme decreases to 30 m, while the performance of the SPS-based and ZPC-based schemes remains stable. It seems that for the increased modulation variance the SPS-based and ZPC-based schemes perform better than the traditional protocol, with the ZPC operation working better of the two. Moreover, this also shows that for high modulation variance, the ZPC-based scheme is the best among the three schemes discussed above.

**Figure 4.** The secret key rate of the MDI-CVQKD system under pure seawater via the ZPC-based scheme, the SPS-based scheme, and the traditional scheme. *T*(SPS) = 0.9. The purple line represents PLOB [28] bound. (**a**). *VA* = *VB* = 40. (**b**). *VA* = *VB* = 150.

To show the advantages of the ZPC-based scheme over the SPS-based scheme, we plot the secret key rate as a function of the transmittance *T* of the beam splitter (BS) and the depth. As shown in Figure 5, the ZPC-based scheme has apparent advantages in terms of both secret key rate and depth compared with the SPS-based scheme. Moreover, from this figure we can obtain the optimal transmittance *T* of both schemes: it is 0.75 for the ZPC-based scheme and 0.72 for the SPS-based scheme. This result shows that the ZPC operation does improve system performance and works better than the SPS operation.

**Figure 5.** The secret key rate of the MDI-CVQKD system under pure seawater for *VA* = *VB* = 40. (**a**) the ZPC-based scheme, (**b**) the SPS-based scheme.

Subsequently, we consider the effects of the properties of pure seawater on the ZPC-based MDI-CVQKD system. First, we consider the effect of temperature in Figure 6. It shows that the transmission depth changes by about 5 m when the temperature ranges from 0 °C to 40 °C. It appears that colder seawater gives better performance. This is easy to understand, since colder seawater means weaker thermal motion of the molecules, and hence a weaker influence on the performance of the underwater CVQKD system. Note that such a temperature range is realistic, considering differences in season, time of day and geographical location.

**Figure 6.** Relationship among secret key rate, transmission depth and temperature for *VA* = *VB* = 40.

Figure 7 shows the effects of the sun elevation angle. Here we consider only the influence that sunlight exerts on the transmittance and omit its influence on the excess noise. This simplification is based on the assumption that the photon detector is ideal and not affected by background light. It is shown that the depth lengthens by about 15 m when the sun elevation angle changes from 70° to 20°. Therefore, we could deduce that the underwater CVQKD system performs best around midday and worst at dusk. This result is quite different from the situation of CVQKD in free space, whose transmittance has little relationship to background light, while its background noise is profoundly influenced by solar light.

**Figure 7.** Secret key rate of the ZPC-based MDI-CVQKD in oligotrophic seawater under different sun elevation angles for *VA* = *VB* = 40. The upper three lines represent the PLOB bound corresponding to the different sun elevation angles.

From the simulations above, we find that even though the ZPC operation improves the performance of CV-MDI-QKD to some extent, our scheme is still constrained in transmission distance compared with the conditions in fiber and open air, which are secure up to at least 100 km. However, its flexibility compared with fiber allows it to become the next generation of underwater optical switch. For example, it can be used as a non-contact optical switch to establish a secure network for underwater vehicles. Besides, it can be applied to optical communication systems for autonomous underwater robots [29] and remote underwater robot operation [30]. Moreover, the development of underwater wireless optical communication (UWOC) provides another opportunity for our scheme. Recently, Sun verified the operation of UWOC at tens of gigabits per second or at close to a hundred meters of distance [31]. With the help of our proposed scheme, UWOC will be more secure and trustworthy.

#### **4. Conclusions**

We have proposed a ZPC-involved scheme for strengthening the security of the underwater MDI-CVQKD system in terms of the secret key rate and the maximal transmission depth. This scheme aims to establish a potential underwater MDI-CVQKD channel between two underwater parties. We consider the influence that the ZPC operation exerts on the MDI-CVQKD system and derive the secret key rate. For a convincing comparison, we compare the ZPC-involved scheme with the SPS-involved and traditional schemes as well. Numerical simulations show that the ZPC-involved scheme has better performance, prolonging the transmission depth by about 5 m. We find that the ZPC-involved scheme shows clearly better performance when the tunable modulation variance is set high. Besides, we consider the possible factors influencing our proposed method. It is found that temperature has a relatively considerable impact on the transmission depth, while salinity is not an important factor in terms of the maximal transmission depth and the secret key rate. In addition, the sun elevation angle influences the system performance to some extent as well, which implies that the performance of the underwater CVQKD system may vary over time.

**Author Contributions:** Conceptualization, writing–original draft preparation, Y.W. and Y.M.; software and validation, Y.M.; formal analysis, Y.W. and Y.M.; data curation, S.Z.; supervision, Y.G. All authors have read and agreed to the published version of the manuscript.

**Funding:** This work is supported by the National Natural Science Foundation of China (Grant No. 61871407).

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **Abbreviations**

The following abbreviations are used in this manuscript:


#### **Appendix A. Seawater Channel**

Usually, the transmittance is a function of the distance (here, the depth) *D* and the attenuation coefficient *α*(*λ*). Since the transmission distance of light in seawater is short, the seawater channel can be regarded as a linear attenuation model, which can be expressed as

$$T_{sea} = e^{-\alpha(\lambda) D},\tag{A1}$$

where *α*(*λ*) depends on the wavelength *λ*. In seawater, blue-green light (450 nm < *λ* < 550 nm) has the smallest attenuation coefficient. To improve performance, we use a 520 nm laser in the numerical simulations. The attenuation coefficient *α*(*λ*) is affected by absorption and scattering [32,33]. Absorption, as the name suggests, is the irreversible energy loss of light caused by the interaction of photons and particles, which is an electromagnetic process. Scattering, however, is a purely physical collision process between photons and particles, which only changes the direction of photon propagation and does not cause energy degradation. Accounting for these two factors, the expression for *α*(*λ*) can be written as

$$\alpha(\lambda) = a(\lambda) + b(\lambda),\tag{A2}$$

where *a*(*λ*) is the absorption coefficient and *b*(*λ*) is the scattering coefficient. More specifically, the parameters *a*(*λ*) and *b*(*λ*) comprise the effects of seawater and other particles, given by [34]

$$a(\lambda) = a_{\mathrm{w}}(\lambda) + a_{\mathrm{CDOM}}(\lambda) + a_{\mathrm{phy}}(\lambda) + a_{\mathrm{det}}(\lambda), \tag{A3}$$

and

$$b(\lambda) = b_{\mathrm{w}}(\lambda) + b_{\mathrm{phy}}(\lambda) + b_{\mathrm{det}}(\lambda), \tag{A4}$$

where *w* denotes pure seawater, *CDOM* colored dissolved organic matter, *phy* plankton, and *det* detritus. Consequently, it is impossible to calculate all the contributing factors. However, researchers have demonstrated the effects of some factors such as chlorophyll, bubbles, and salt, providing valuable reference data. In fact, besides the above-mentioned factors, temperature and sunlight could have potential impacts on *α*(*λ*) as well. Therefore, we further consider the mixed effects of temperature and salinity, and the effects of the sun elevation angle, in the rest of this section. Since the factors we consider have little effect on impurities that are not part of seawater itself, our security analysis is based on pure seawater.

#### *Appendix A.1. Mixing Effects of Temperature and Salinity*

In what follows, we consider the effect of temperature and salinity on the ZPC-based MDI-CVQKD in a pure seawater environment. The attenuation coefficient *α* can then be simplified to

$$\alpha = a_w + b_w, \tag{A5}$$

where *aw* stands for the absorption coefficient of seawater and *bw* for the scattering coefficient. Moreover, *bw* consists of two parts, the fluctuation of the density of pure water (*bwd*) and the electro-shrinkage (electrostriction) effect of hydrated ions (*bwe*), given by

$$b_w = b_{we} + b_{wd}, \tag{A6}$$

where *bwe* and *bwd* can be respectively expressed as

$$b_{we} = \frac{64\pi^5 N R^6 (2+\delta)}{3\lambda^4 (1+\delta)} \left(\frac{\varepsilon_{wa} - \varepsilon_{pw}}{\varepsilon_{wa} + 2\varepsilon_{pw}}\right)^2,\tag{A7}$$

$$b_{wd} = \frac{8\pi^3}{\lambda^4} \left(\rho \frac{\partial n^2}{\partial \rho}\right)^2 k \tau \beta h(\delta),\tag{A8}$$

where $\lambda$ is the light wavelength, $N$ the number of ions per unit volume, $\delta$ the solution depolarization, $n$ the refractive index of pure water, $k$ the Boltzmann constant, $\beta$ the isothermal compressibility, $\tau$ the absolute temperature, $\rho$ the seawater density, $R$ the hydration radius [35], $\varepsilon_{wa}$ and $\varepsilon_{pw}$ the average dielectric constants of the hydrated ions and of pure water, respectively, and $h(\delta) = (2+\delta)/(7-7\delta)$. In addition, we take $\varepsilon_{pw} = n_w^2$ and $\varepsilon_{wa} = \varepsilon_{hw}(R^3 - r^3)/r^3 + \varepsilon_i r^3/R^3$, where $r$ is the effective radius of the ions [36], $\varepsilon_i$ the dielectric constant of the ions, and $\varepsilon_{hw}$ the dielectric constant of water in the first hydration layer. Both $\varepsilon_i$ and $\varepsilon_{hw}$ can be obtained from the Clausius-Mossotti equation [37].

Equation (A7) shows that an increase in *N* (the number of ions per unit volume) leads to an increase in *bwe*, whereas an increase in salinity leads to a decrease in *bwd*, as shown in Equation (A8). Besides, an increase in temperature causes an increase in *bwd*. In practice, *bwe* is regarded as the main factor affecting *bw*, because an increase in salinity also increases *bw*, with a trend similar to that of *bwe*. However, *bwe* is quite small and only slightly influenced by salinity [38]. Therefore, we ignore the effect of *bw* on the CVQKD system when deriving the secret key rate. Note that the scattering coefficient *bw* is also negligible compared with the absorption coefficient *aw* in terms of temperature dependence [39].

Therefore, the change of the total attenuation coefficient *α* with temperature and salinity mainly reflects the change of the absorption coefficient *aw* with temperature and salinity, and the attenuation coefficient and the absorption coefficient change consistently. Note that the effect of temperature on the absorption coefficient in seawater can be expressed as [40]

$$a_w(\lambda, T, S) = a_w(\lambda, T_0, 0) + \psi_S S + \psi_T(T - T_0), \tag{A9}$$

where *T* and *T*0 denote the real-time temperature and the initial temperature, respectively, *S* is the salinity, and *ψS* and *ψT* are the linear salinity slope and temperature slope, respectively. From the analysis above, we obtain the expression for the transmittance in pure seawater

$$T_{puresea} = e^{-\left[a_w(\lambda, T_0, 0) + \psi_S S + \psi_T (T - T_0)\right] D}.\tag{A10}$$

To show the mixed effects of temperature and salinity visually, we simulate the pure seawater environment, where the attenuation coefficient *α* is around 0.04. Note that according to Reference [40], for *λ* = 520 nm, *ψS* = −0.00002 and *ψT* = 0.0002 for seawater. In Figure A1, we find that temperature has a great influence on the attenuation coefficient *α*: specifically, *α* increases by 0.008 when the temperature changes from 0 °C to 40 °C. However, salinity has little influence on *α*; a range of 40 PSU brings no significant change.

**Figure A1.** Effects of temperature and salinity on attenuation coefficient.

#### *Appendix A.2. Effects of Sun Elevation Angle*

Generally speaking, the intensity of sunlight, which is closely related to the sun elevation angle, mainly influences the transmittance of seawater and the excess noise. In this section, we examine these two effects in detail.

First, we study its influence on the transmittance. It is generally accepted that the transparency and color of ocean water are determined by the optical properties of seawater, which are related to sunlight illumination. Thus, the optical properties changed by sunlight could have a certain impact on the underwater ZPC-based MDI-CVQKD system. To quantify the impact of sunlight, or more specifically of the irradiance, on the transmittance of seawater, we consider the effects of the sun elevation angle on the performance of the CVQKD system.

Actually, the transmittance of seawater at depth *z* is related to sunlight through the following equation [41]

$$T_{sea}(z) = \frac{E_d(z) + \mu_s F_s e^{-kz/\mu_s}}{E_0 + \mu_s F_s},\tag{A11}$$

where *Ed*(*z*) is the downward irradiance, *μs* is the angle at which the sun rays enter the water, and *Fs* is the irradiance from the sky just below the sea surface, given by *Fs* = *qE*0 with a parameter *q* related to the characteristics of the atmosphere and the air-water interface. In addition, *E*0 is the irradiance of the diffuse sky light entering the water, and *k* = *a* + 2*bB*, where *a* is the absorption coefficient and *bB* is the backscattering coefficient. According to Snell's law, *μs* and the sun elevation angle are related by

$$\mu_s = \sqrt{1 - \cos^2 h_s / n_w^2},\tag{A12}$$

where *hs* is the sun elevation angle, and *nw* is the refraction coefficient of seawater (usually taken as 1.34). *Ed*(*z*) can be calculated from the irradiance attenuation coefficient, which takes different values at different depths *z*, given by

$$k_d(z) = -\frac{1}{E_d(z)} \frac{dE_d(z)}{dz}.\tag{A13}$$

Therefore, the relationship among *kd*(*z*), absorption coefficient *a* and scattering coefficient *b* can be expressed by [42]

$$k_d(z) = \frac{1}{\mu_0} \left[a^2 + G(\mu_0)\,ab\right]^{1/2},\tag{A14}$$

where *G*(*μ*0) = *q*1*μ*0 − *q*2, and *q*1 and *q*2 are related to the average value of *kd*(*z*), for which in practice the value at intermediate depth is often taken.

Even with the above expressions for *T*(*z*), an accurate simulation of the transmittance *T*(*z*) is not easy. Fortunately, data can be obtained directly from the derived chart [41]. For example, the transmittance (520 nm light) of 10 m deep oligotrophic seawater is 62%, 56%, and 52% for sun elevation angles of 70°, 45°, and 20°, respectively. Thus, the attenuation coefficient can be calculated through *α* = −ln *T*/*D*, giving 0.047, 0.057 and 0.065, correspondingly.
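The channel model of this appendix, as an added example (not code from the paper): the Python below combines the linear attenuation law (A1), the temperature and salinity dependence of (A9)/(A10) with the 520 nm slopes quoted from Reference [40], and the inverse relation *α* = −ln *T*/*D* used above to recover attenuation coefficients from the charted sun-elevation transmittances. The base value *α* ≈ 0.04 and the chart values are the ones stated in the text; treating the 0.04 as the absorption term *aw*(*λ*, *T*0, 0) with *T*0 = 0 °C is an assumption made for the demonstration, as is the 30 m sample depth.

```python
import math


def attenuation_temp_salinity(alpha0, temp_c, salinity_psu, T0=0.0,
                              psi_S=-0.00002, psi_T=0.0002):
    """Eq. (A9) with b_w neglected, so alpha ~ a_w:
    alpha(T, S) = a_w(lambda, T0, 0) + psi_S * S + psi_T * (T - T0).
    Defaults are the 520 nm slopes quoted from Reference [40]."""
    return alpha0 + psi_S * salinity_psu + psi_T * (temp_c - T0)


def transmittance(alpha, depth_m):
    """Eq. (A1): T = exp(-alpha * D)."""
    return math.exp(-alpha * depth_m)


def attenuation_from_transmittance(T, depth_m):
    """Inverse of (A1), alpha = -ln(T) / D, as applied to the chart data [41]."""
    return -math.log(T) / depth_m


def transmittance_profile(depth_m, temp_c, salinity_psu, alpha0=0.04):
    """Eq. (A10): transmittance of pure seawater at a given depth, temperature
    and salinity. ASSUMPTION: alpha0 = 0.04 is the base term a_w(lambda, T0, 0)."""
    return transmittance(attenuation_temp_salinity(alpha0, temp_c, salinity_psu), depth_m)


def temperature_sweep(alpha0=0.04, salinity_psu=0.0, temps=(0.0, 40.0)):
    """Change of alpha across a temperature range at fixed salinity."""
    lo = attenuation_temp_salinity(alpha0, temps[0], salinity_psu)
    hi = attenuation_temp_salinity(alpha0, temps[1], salinity_psu)
    return hi - lo


def salinity_sweep(alpha0=0.04, temp_c=0.0, sal=(0.0, 40.0)):
    """Change of alpha across a salinity range (PSU) at fixed temperature."""
    lo = attenuation_temp_salinity(alpha0, temp_c, sal[0])
    hi = attenuation_temp_salinity(alpha0, temp_c, sal[1])
    return hi - lo


def sun_angle_table(depth_m=10.0, chart=((70, 0.62), (45, 0.56), (20, 0.52))):
    """Attenuation coefficient per sun elevation angle from the 10 m chart values
    quoted in the text (angle in degrees -> transmittance)."""
    return {angle: attenuation_from_transmittance(T, depth_m) for angle, T in chart}


if __name__ == "__main__":
    print("alpha increase, 0 -> 40 C :", round(temperature_sweep(), 5))
    print("alpha change, 0 -> 40 PSU :", round(salinity_sweep(), 5))
    for angle, alpha in sun_angle_table().items():
        print(f"sun elevation {angle:2d} deg: alpha = {alpha:.4f}")
    # Constructed sample depth of 30 m: warm water costs noticeable transmittance
    for temp in (0.0, 40.0):
        print(f"T at 30 m, {temp:4.1f} C: {transmittance_profile(30.0, temp, 0.0):.4f}")
```

The two sweeps reproduce the numbers stated in the text: the temperature slope gives an increase of 0.008 over 0 °C to 40 °C, while 40 PSU of salinity moves *α* by only 0.0008, an order of magnitude less, which is why salinity is dismissed as a factor. The chart inversion returns 0.0478, 0.0580 and 0.0654, which the text rounds to 0.047, 0.057 and 0.065.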

Then, we analyze its influence on excess noise. According to Reference [43], the solar background noise underwater is

$$P = L\Omega B\pi r^2,\tag{A15}$$

where Ω = *π*, and *L*, *B* and *r* denote the solar radiance, the filter bandwidth (determined by the laser generating the local oscillator (LO)), and the radius of the virtual telescope on the sea surface that receives the background light, respectively. The parameter *L* can be calculated by

$$L = \frac{H R L_f e^{-cD}}{\pi},\tag{A16}$$

where *H* is the downwelling irradiance, *R* = 1.25% is the underwater reflectance of *H*, and *Lf* = 1 is the factor of directional dependence of the underwater radiance. Finally, we derive the expression for the excess noise underwater:

$$\varepsilon = \varepsilon_{\rm lim} + \frac{\tau P}{h\nu},\tag{A17}$$

where *ε*lim is the excess noise limit, estimated as 0.01 (SNU), *τ* = 1 ns is the reciprocal of the frequency of the homodyne detector at Bob's end, *h* is Planck's constant and *ν* is the frequency of the noise photons, which lies in the visible range. Note that *H* ranges from about 0.5 to 2 in clear daytime. The corresponding excess noise ranges from 0.01 to 0.012, which is so small that it can be ignored.

#### **References**


© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

# *Article* **Surface-Codes-Based Quantum Communication Networks**

#### **Ivan B. Djordjevic**

Department of Electrical and Computer Engineering, University of Arizona, Tucson, AZ 85721, USA; ivan@email.arizona.edu; Tel.: +1-520-626-5119

Received: 8 August 2020; Accepted: 21 September 2020; Published: 22 September 2020

**Abstract:** In this paper, we propose surface-code (SC)-based multipartite quantum communication networks (QCNs). We describe an approach that enables us to simultaneously entangle multiple nodes in an arbitrary network topology based on the SCs. We also describe how to extend the transmission distance between any two nodes by using the SCs. The numerical results indicate that the transmission distance between nodes can be extended beyond 1000 km by employing simple syndrome decoding. Finally, we describe how to operate the proposed QCN by employing the software-defined networking (SDN) concept.

**Keywords:** quantum key distribution (QKD); quantum communications networks (QCNs); quantum communications; entanglement; surface codes

#### **1. Introduction**

Quantum information processing (QIP) opens up new avenues for reliable communications, high-precision sensing, and high-performance computing [1–20]. Entanglement represents a unique resource for QIP, which allows quantum computers to solve classically intractable problems [7], provides certifiable security [2] for data transmissions, and enables sensors to achieve measurement sensitivities beyond the classical limit [8]. Quantum communication is the key cornerstone to fully exploit the properties of entanglement. Modern classical communications tend to use heterogeneous networks capable of simultaneous data transmission between nodes connected via different types of channels, such as free-space optical (FSO) and fiber-optic links. Nodes in existing quantum communication networks (QCNs), however, have been limited to a single optical medium. Moreover, the trusted node assumption [4] is required to operate the current QCNs. As a result, one compromised node in a QCN can undermine the security of the entire QCN. Several quantum key distribution (QKD) testbeds have been reported so far, such as the DARPA QKD network [5], the Tokyo QKD network [6], and the secure communication based on quantum cryptography (SECOQC) network [7]. Unfortunately, these different QKD networks employ the dark fiber infrastructure.

In this paper, we propose the multipartite heterogeneous QCN employing the surface codes, which does not require the trusted node assumption. Research on multipartite entanglement is gaining momentum with numerous experimental demonstrations, such as [8]. The surface codes, typically defined on a 2-D lattice, are closely related to the quantum topological codes on the boundary [1], introduced by Bravyi and Kitaev [11,12]. This class of codes is highly popular in quantum computing [13–15] because only local qubits are involved in stabilizers. In *Litinski's framework* [14], the surface code for quantum computing is represented as a game, played on a board partitioned into a certain number of tiles. On each tile we can place a logical qubit, represented as a *patch*. The edges of qubits represent the logical Pauli operators [1]. The logical qubits correspond to the surface code (SC) patches. By placing the SC patches in nodes of a communication network, and connecting the neighbouring patches by *d* wavelength channels, corresponding to the distance of the underlying surface code, we can create the quantum communication network. The SC patches placed in intermediate nodes can be operated as SC-based quantum repeaters, thus significantly extending the transmission distance. When the patch edges in the tiles of neighbouring network nodes are different, we can perform the product measurements to entangle them. For instance, the product *Z*⊗*Z* between adjacent nodes' patches can be simultaneously measured to introduce entanglement between two adjacent quantum nodes. Namely, we start with the state |++⟩ = 0.5(|00⟩ + |11⟩ + |01⟩ + |10⟩) and perform the measurement of the *Z*⊗*Z* operator. If the result of the measurement is +1, the qubits end up in the state 2<sup>−1/2</sup>(|00⟩ + |11⟩); otherwise, they end up in the state 2<sup>−1/2</sup>(|01⟩ + |10⟩). In either case, the qubits are maximally entangled. This indicates that the proposed SC-based QCN is highly flexible and has numerous applications, including: (i) to teleport quantum states between any two nodes in the network, (ii) to develop an information infrastructure with an unprecedented security level, (iii) to enable distributed quantum computing, and (iv) to enable ultra-high precision for quantum sensing applications. To operate such a quantum network, we propose to employ the software-defined networking (SDN) concepts.

The paper is organized as follows. In Section 2, we introduce the surface codes and briefly describe *Litinski's* formalism needed in the following sections. In Section 3, we describe the proposed SC-based QCN concept. In Section 4, we describe our approach to extend the transmission distance between QCN nodes. In Section 5, we provide illustrative numerical results. In Section 6, we describe how to operate the proposed SC-based QCN by utilizing the SDN concepts. Finally, in Section 7, we provide some important concluding remarks.

#### **2. Surface Codes for Quantum Networking and Distributed Computing**

The surface code belongs to the class of topological codes [1] and is defined on a 2-D lattice; one illustrative example is provided in Figure 1, with the qubits clearly indicated in Figure 1a. The stabilizers of plaquette type can be defined as shown in Figure 1b. Each plaquette stabilizer denoted by *X* (*Z*) is composed of Pauli *X* (*Z*) operators on the qubits located at the intersections of the edges of the corresponding plaquette. As an illustration, the plaquette stabilizer denoted by *X* related to qubits 1 and 2 is *X*1*X*2. The plaquette stabilizer denoted by *Z*, related to qubits 5, 6, 8, and 9, is *Z*5*Z*6*Z*8*Z*9. To simplify the notation, we can use the representation provided in Figure 1c, where the shaded plaquettes correspond to stabilizers containing only *X* operators, while the white plaquettes correspond to stabilizers containing only *Z* operators. The stabilizers require only local interactions between qubits, which is not true for other classes of quantum error correction codes.

**Figure 1.** Illustration of a surface code: (**a**) the qubits are located in the lattice positions, (**b**) all-X and all-Z plaquette operators, (**c**) popular representation of surface codes in which stabilizers are clearly indicated, and (**d**) logical operators.

The weight-2 stabilizers are allocated around the perimeter, while the weight-4 stabilizers are located in the interior. The logical operators for this code run over both sides of the lattice, as shown in Figure 1d, and can be represented as *X* = *X*3*X*6*X*9, *Z* = *Z*1*Z*2*Z*3. The codeword length is determined as the product of the side lengths, expressed in number of qubits, and, for the surface code from Figure 1, we have *n* = *L*x × *L*z = 3 × 3 = 9. On the other hand, the number of information qubits is *k* = 1. The minimum distance of this code is determined as the minimum side length, that is *d* = min(*L*x, *L*z) = 3, indicating that this code can correct a single qubit error.

Let us now specify the *rules of the game*, that is, the operations that can be applied to the patches (qubits), which can be categorized as [14]: (i) *initialization*, (ii) *qubit measurements*, and (iii) *patch deformations*. Compared to quantum computing, only a limited number of operations are required in quantum networking. With each of these operations, we associate a cost, expressed in terms of time-steps, with each time-step (t.s.) corresponding to ~*d* code cycles (related to measuring all stabilizers *d* times), with *d* being the distance of the underlying surface code per tile. One-qubit patches, shown in Figure 2 as |*q*1⟩ and |*q*2⟩, can be initialized to the |0⟩ or |+⟩ states, while two-qubit patches, shown in Figure 2 as |*q*3⟩, to the |00⟩ or |++⟩ states, with the associated cost being 0 t.s. (The logical |+⟩ state indicates that all physical qubits are initialized into the |+⟩ state.) In principle, one-qubit patches can be initialized to arbitrary states, such as the *magic state* |*m*⟩ = |0⟩ + exp(jπ/4)|1⟩; however, an undetected Pauli error [1] can spoil the initialized state. The *single-patch measurements* can be performed in the *X* or *Z* basis, and after the measurement the corresponding patches are removed from the board, thus freeing up the occupied tiles for future use. The cost associated with single-patch measurements is 0 t.s. For *two-patch measurements*, when the edges in neighboring tiles are different, we can perform the product measurements. As an illustration, the product *Z*⊗*Z* between adjacent patches can be measured as illustrated in Figure 3 (left).

**Figure 2.** Illustration of one-qubit and two-qubits patches: (**a**) notation and (**b**) actual physical implementation.

**Figure 3.** Illustrating the lattice surgery procedure for the measurement on the product Z⊗Z.

In surface codes, this corresponds to *lattice surgery* [14,15], in which we change the configuration as shown in Figure 3 (right) by introducing the patches with dark-red edges; after that, we measure the stabilizers for *d* cycles to obtain the measurement outcome, and split again. The cost associated with lattice surgery is 1 t.s. This is the way to introduce entanglement between two adjacent patches. Namely, we start with the state |++⟩ = 0.5(|00⟩ + |11⟩ + |01⟩ + |10⟩) and perform the measurement of the *Z*⊗*Z* operator. If the result of the measurement is +1, the qubits end up in the state 2<sup>−1/2</sup>(|00⟩ + |11⟩); otherwise, they end up in the state 2<sup>−1/2</sup>(|01⟩ + |10⟩). In either case, the qubits are maximally entangled. We can apply a similar procedure to the *X*⊗*Z* product operator. Of course, it is also possible to measure a product operator involving the *Y* operator, which is not needed in our proposed QCNs. What is even more interesting is that it is possible to measure the product of more than two encoded Pauli operators through *multi-patch measurements* [14].

#### **3. Proposed Surface-Codes-Based Quantum Communications Networks**

To enable the next generation of quantum communication networking, we propose to employ the surface codes so that the logical qubits are located at different nodes in the network. The logical qubits are represented by the patches introduced in the previous section. For simplicity, we assume that the surface code is defined on a *d* × *d* grid. The neighboring nodes are connected by employing *d* wavelengths, as illustrated in Figure 4. Some of the optical links could be FSO links.

By performing the *Z*⊗*Z* measurement, as described in the previous section, the logical qubits create an Einstein–Podolsky–Rosen (EPR) pair. The results of the measurements are passed to the SDN controller, which thus knows the exact EPR pair being created. To create the desired QCN, the corresponding product measurements need to be performed simultaneously. As an illustration, let us consider the ring network composed of four nodes, as shown in Figure 5 (left), with each node being equipped with the surface code patch representing the corresponding logical qubit. In principle, one surface patch can be split between multiple nodes, but, to facilitate the explanation, we assume that each node contains a single SC patch. By performing the simultaneous product *Z*⊗*Z* measurements between logical qubits *q*1 and *q*2, *q*2 and *q*3, *q*3 and *q*4, *q*4 and *q*1, we can entangle nodes 1–4 and thus create the ring QCN. On the other hand, for the four-node mesh network shown in Figure 5 (right), by performing the simultaneous product *Z*⊗*Z* measurements between logical qubits *q*1 and *q*2, *q*2 and *q*3, *q*3 and *q*4, *q*4 and *q*1, as well as the simultaneous *X*⊗*X* measurements between *q*1 and *q*3, *q*2 and *q*4, we can entangle the four qubits into the mesh configuration. By providing the results of the measurements to the SDN control plane, the exact maximally entangled state between nodes in the QCN will be known. Clearly, this approach allows us to entangle the logical qubits in an arbitrary network. Trapped-ion technology is a perfect candidate for the practical implementation of the proposed QCN. By equipping every node in the proposed QCN with multiple qubit patches, in principle, we can simultaneously perform quantum networking and quantum distributed computing. Instead of wavelength-division multiplexing (WDM), multicore fiber can also be used to connect the logical qubits [16]. The proposed QCN does not require the trusted node assumption, but it is assumed that Eve does not have access to the SDN controller.

**Figure 4.** Simplified description of connecting two logical qubits from two neighboring nodes by *d* wavelengths.

**Figure 5.** Illustrative four-node ring (**left**) and four-node mesh (**right**) quantum communication networks.

#### **4. Extending the Distance between the Nodes in the Proposed SC-Based QCN**

To extend the transmission distance between neighboring nodes in the QCN, we propose to use *quantum error correction (QEC)-based repeaters*. So far, QEC-based repeaters have relied on two-dimensional codes, such as the dual-containing Calderbank–Shor–Steane (CSS)-codes-based repeaters [17] and surface-codes-based repeaters [18]. Unfortunately, dual-containing CSS codes are essentially girth-4 quantum low-density parity-check (LDPC) codes with poor error correction performance [19]. On the other hand, the surface codes proposed in [18] introduce large latency and are not compatible with the QCN proposed in the previous section. Here, we propose a different approach: to interpret an intermediate node as an SC patch and apply the patch deformation approach due to Litinski, thus extending the logical qubit to two spatially separated patches, as illustrated in Figure 6. In this example, three wavelengths are needed for the remote patches to interact. Once the logical qubit is extended to the intermediate node, we further perform product *X*⊗*Z* measurements to entangle the logical qubits *q*1 and *q*2. This approach is applicable to several intermediate nodes, thus offering the potential to significantly extend the distance between any two desired nodes in the QCN.

**Figure 6.** Extending the distance between two nodes in a quantum communication network (QCN) by creating the logical qubit spanning two spatially separated surface code (SC) patches.

#### **5. Illustrative Numerical Results**

Although the channel loss dominates the performance of quantum repeaters, there will be quantum errors associated with each stage, which can be represented by using the quantum channel model provided in Figure 7, where *X* and *Z* quantum errors occur with the same probability *p*. The corresponding Kraus representation [1] is given by:

$$
\rho\_f = \mathcal{E}(\rho) = (1 - 2p)\rho + pX\rho X + pZ\rho Z. \tag{1}
$$

**Figure 7.** Quantum channel model under study: (**a**) Pauli operator description and (**b**) density operator description.

Let us consider the BB84 protocol employing the approach introduced in the previous section. The corresponding secret-key rate after *N* sections will be:

$$SKR = \left\{ [1 - P(E)]T \right\}^N \max \left( 1 - h\_2(q\_N^{(Z)}) - f\_e h\_2(q\_N^{(X)}), 0 \right), \tag{2}$$

where *fe* denotes the error correction inefficiency (*fe* ≥ 1), *q*<sub>*N*</sub><sup>(*X*)</sup> (*q*<sub>*N*</sub><sup>(*Z*)</sup>) denotes the quantum bit-error rate (QBER) in the *X*-basis (*Z*-basis) after *N* stages, *T* represents the single-link transmissivity, and *h*2(*x*) is the binary entropy function *h*2(*x*) = −*x* log2(*x*) − (1 − *x*)log2(1 − *x*). The term *h*2(*q*<sub>*N*</sub><sup>(*Z*)</sup>) represents the amount of information Eve was able to learn during the raw key transmission, which is removed from the final key during the privacy amplification phase. The term *fe* *h*2(*q*<sub>*N*</sub><sup>(*X*)</sup>) represents the amount of information revealed to Eve during the information reconciliation stage. Dark counts, device imperfections, and errors introduced by Eve are all attributed to Eve and included in the transition probability *p*. The QBER after *N* stages can be estimated by:

$$q\_N = \frac{1 - s^N}{2}, \; s = 1 - 2p. \tag{3}$$

The probability of the syndrome decoding error is bounded by [1]:

$$P(E) \le \sum\_{j=\lfloor (d-1)/2 \rfloor + 1}^{d^2} \binom{d^2}{j} (1-s)^j s^{d^2-j}, \ s = 1-2p,\tag{4}$$

So, [1 − *P*(*E*)]*T* represents the success probability of a single stage. The total success probability can be estimated by {[1 − *P*(*E*)]*T*}<sup>*N*</sup> and is illustrated in Figure 8 by setting the *X* (*Z*) qubit error probability to *p* = 10<sup>−2</sup> and the transmissivity to *T* = 1, for different *d* × *d* surface codes.

**Figure 8.** Total success probability defined as (1 − *P*(*E*))<sup>*N*</sup>, where *N* is the number of stages, when the *d* × *d* surface code is used, and syndrome decoding is applied.

The numerical results for secret-key rate (SKR) for different transmissivities *T* (assuming that *fe* = 1) vs. the number of stages *N* are summarized in Figures 9 and 10. The channel transmittance in Figure 9 is set to *T* = 0.95, while in Figure 10 it is set to *T* = 0.85. The qubit error transition probability *p* is used as a parameter. In both figures, the 7 × 7 surface code is used. Given that the effective transmission distance of the fiber is given by [20]:

$$L\_{\rm eff} = \frac{1 - e^{-\alpha L}}{\alpha} \approx 1/\alpha,\tag{5}$$

**Figure 9.** Normalized secret-key rate (SKR) vs. the number of stages *N* assuming that the 7 × 7 surface code is used, and single link channel transmittance is *T* = 0.95.

**Figure 10.** Normalized SKR vs. number of stages *N* assuming that 7 × 7 surface code is used, and single link channel transmittance is *T* = 0.85.

For ultra-low loss fiber introduced in [21] with attenuation coefficient α = 0.1419 dB/km, we obtain that *L*eff = 30.606 km. The total transmission length can be now estimated by:

$$L\_{\text{tot}} = N L\_{\text{eff}} \, |\ln T| \tag{6}$$

For *T* = 0.95, by setting the qubit error probability to *p* = 10<sup>−4</sup>, we can see from Figure 9 that the achievable total transmission distance for a normalized SKR of 10<sup>−6</sup> is *L*tot = 252 × 30.606 × |ln 0.95| = 395.61 km. On the other hand, for *T* = 0.85, by setting the qubit error probability to *p* = 10<sup>−4</sup>, we can see from Figure 10 that the achievable total transmission distance for a normalized SKR of 10<sup>−15</sup> (typical for discrete-variable QKD schemes [2]) is *L*tot = 208 × 30.606 × |ln 0.85| = 1034.61 km, and this result is comparable to the recently proposed hybrid QKD-postquantum cryptography scheme [22,23]. By employing the higher-complexity quantum sum-product algorithm [1] in each stage, instead of simple syndrome decoding, a total transmission distance well beyond 1000 km can be achieved. Typical QKD transmission distances are significantly shorter, even when the most advanced twin-field QKD schemes are used [24].
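Equations (2)–(6) worked through numerically, as an added example that is not the paper's own code: the binomial bound (4) on syndrome decoding failure, the QBER recursion (3), the secret-key rate (2) and the distance formulas (5)–(6). With the constructed inputs used in the text (α = 0.1419 dB/km, 7 × 7 code, *p* = 10<sup>−4</sup>) the code reproduces the two distances quoted above (395.61 km and 1034.61 km) and gives SKR values of the order read from Figures 9 and 10. The stage-by-stage composition in `qber_iterative` is included to show where the closed form (3) comes from. The dB-to-Neper conversion ln(10)/10 used for α, the default *fe* = 1, and all function names are this example's own assumptions.

```python
import math
from math import comb


def binary_entropy(x):
    """h2(x) = -x log2 x - (1 - x) log2 (1 - x), with h2(0) = h2(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def qber_after_stages(n, p):
    """Eq. (3): QBER after N stages, q_N = (1 - s^N) / 2 with s = 1 - 2p."""
    s = 1 - 2 * p
    return (1 - s ** n) / 2


def qber_iterative(n, p):
    """Same quantity obtained by composing the channel stage by stage: a bit is
    wrong after stage k+1 if it was wrong and not flipped, or right and flipped
    (flip probability p per stage). Agrees with eq. (3) to rounding."""
    q = 0.0
    for _ in range(n):
        q = q * (1 - p) + (1 - q) * p
    return q


def syndrome_error_bound(d, p):
    """Eq. (4): bound on the syndrome decoding failure probability of a d x d
    patch, i.e. more than floor((d-1)/2) of the d^2 qubits in error, with
    per-qubit error probability 1 - s = 2p."""
    s = 1 - 2 * p
    n = d * d
    t = (d - 1) // 2
    return sum(comb(n, j) * (1 - s) ** j * s ** (n - j) for j in range(t + 1, n + 1))


def secret_key_rate(n, d, p, T, f_e=1.0):
    """Eq. (2): normalized SKR after N stages. The single-stage success
    probability [1 - P(E)] T is raised to N and multiplied by the BB84 key
    fraction, clipped at zero. X- and Z-basis QBER coincide for the channel (1)."""
    q = qber_after_stages(n, p)
    success = ((1 - syndrome_error_bound(d, p)) * T) ** n
    return success * max(1 - binary_entropy(q) - f_e * binary_entropy(q), 0.0)


def effective_length_km(alpha_db_per_km):
    """Eq. (5) in the long-fiber limit, L_eff ~ 1/alpha, with alpha converted
    from dB/km to 1/km via ln(10)/10 (assumption of this example)."""
    alpha_np = alpha_db_per_km * math.log(10) / 10
    return 1 / alpha_np


def total_length_km(n, alpha_db_per_km, T):
    """Eq. (6): L_tot = N * L_eff * |ln T|."""
    return n * effective_length_km(alpha_db_per_km) * abs(math.log(T))


if __name__ == "__main__":
    print(f"L_eff = {effective_length_km(0.1419):.3f} km")
    print(f"N=252, T=0.95: L_tot = {total_length_km(252, 0.1419, 0.95):.2f} km, "
          f"SKR = {secret_key_rate(252, 7, 1e-4, 0.95):.2e}")
    print(f"N=208, T=0.85: L_tot = {total_length_km(208, 0.1419, 0.85):.2f} km, "
          f"SKR = {secret_key_rate(208, 7, 1e-4, 0.85):.2e}")
```

Note that the bound (4) only counts data-qubit errors against the distance of the patch; a finer model of the per-stage failure probability would change `syndrome_error_bound` but leave the rest of the pipeline untouched.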

#### **6. Operating the Proposed QCN by SDN Control**

The SDN has been introduced to separate the control plane and data plane, manage network services through abstraction of higher-level functionality, and implement new applications and algorithms efficiently [25,26]. It has already been studied to enable the coexistence of classical and quantum communication channels [27]. To enhance the security of software-defined optical networks, the authors of [28] proposed a four-layer architecture composed of application, control, QKD, and data layers. The SDN-based QCN architecture compatible with the proposed QCN should contain three layers only, namely the application layer, the control layer, and the QCN layer. Users send their requests from the application layer through the northbound interface to the SDN controller. The SDN controller allocates the QCN resources with the help of its global map through the southbound interface. The QCN layer can be composed of DWDM links and QCN nodes. Each QCN node should contain quantum transceivers, integrated on the same chip, together with a *d* × *d* array of physical qubits. Any two nodes in the QCN can communicate through either a dedicated SMF link or *d* wavelength channels. To enable this, we could employ our recently proposed bidirectional optical space switch [29] to reconfigure the QCN. Other alternative optical switches can be used as well. In addition to conventional modules, the application layer should also have modules that provide security management services. On the other hand, the control layer, in addition to controlling the QCN layer, should provide allocation of resources as well as services for multiple applications. To deal with time-varying channel conditions over heterogeneous links, we can adapt the channel configuration based on both application requirements and link conditions.

#### **7. Concluding Remarks**

To enable the next generation of quantum communication networks, we have proposed to employ the surface-codes-based patches as quantum nodes. We have described how to simultaneously entangle multiple quantum nodes in any quantum network topology by employing the SCs. We have also described how to extend the transmission distance between any two quantum nodes to beyond 1000 km. Finally, we have described how to operate the proposed QCN by employing the SDN concept. The trapped ion technology is an excellent candidate to be used as an enabling technology to implement SC-based QCNs. One important issue will be to implement a portable, rack-mounted ion-trap-based quantum interface, and some progress has already been made by researchers from Duke University in collaboration with ColdQuanta, Inc [30]. To improve the efficiency of the proposed QCNs, the high-dimensional SCs should be employed. By employing high-dimensional-based quantum error correction, we can achieve error correction capability comparable to 2D but with significantly shorter codeword lengths as discussed in [31]. An alternative approach to the proposed QCN will be a recently introduced cluster-state-based QCN [32].

**Funding:** This research received no external funding.

**Conflicts of Interest:** The author declares no conflict of interest.

#### **References**


© 2020 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

# **Open-Destination Measurement-Device-Independent Quantum Key Distribution Network**

**Wen-Fei Cao 1,2, Yi-Zheng Zhen 1,2, Yu-Lin Zheng 1,2, Shuai Zhao 1,2, Feihu Xu 1,2,\*, Li Li 1,2,\*, Zeng-Bing Chen 3,\*, Nai-Le Liu 1,2,\* and Kai Chen 1,2,\***


Received: 16 August 2020; Accepted: 22 September 2020; Published: 26 September 2020

**Abstract:** Quantum key distribution (QKD) networks hold promise for sharing secure randomness among multiple parties. Most existing QKD network schemes and demonstrations are based on trusted relays or are limited to point-to-point scenarios. Here, we propose a flexible and extensible scheme named open-destination measurement-device-independent QKD network. The scheme enjoys security against untrusted relays and all detector side-channel attacks. In particular, any two users can accomplish key distribution with the assistance of the others in the network. As an illustration, we show in detail a four-user network where two users establish secure communication and present realistic simulations that take into account imperfections of both sources and detectors.

**Keywords:** quantum cryptography; quantum key distribution; quantum network; measurement-device-independent

**PACS:** 03.67.Dd; 03.67.Hk

#### **1. Introduction**

Quantum key distribution (QKD) [1–4] provides unconditional security between distant communication parties based on the fundamental laws of quantum physics. In the last three decades, QKD has achieved tremendous progress in both theoretical developments and experimental demonstrations. To extend to a large scale, the QKD network holds promise for establishing an unconditionally secure global network. Different topologies for QKD networks have been demonstrated experimentally during the past decades [5–11]. However, due to the high demands on security and the relatively low detection efficiency, the realization of large-scale QKD networks is still challenging.

On the one hand, many previous demonstrations of quantum networks heavily rely on the assumption of trusted measurement devices. From a security point of view, however, such an assumption is problematic in realistic situations, as various kinds of detector side-channel attacks have been found that exploit the imperfections of practical devices [12–16]. Fortunately, the measurement-device-independent QKD (MDI-QKD) protocol [17,18] can remove all kinds of attacks on the detector side-channel. Since its security does not rely on any assumptions about the measurement devices, MDI-QKD networks are expected to close the security loophole existing in previous QKD networks. The MDI-QKD network has been discussed theoretically in Refs. [19,20], and a preliminary experimental MDI-QKD network demonstration was realized very recently [21].

On the other hand, most of the existing QKD networks are limited to point-to-point QKD. When expanded to the multi-partite QKD case, the complexity increases and the efficiency decreases significantly. A recent study shows that multi-partite entanglement can speed up QKD in networks [22]. Therefore, it is highly desirable to develop novel schemes of QKD networks assisted by a multi-partite entanglement source. Then, an immediate problem arises: how to design a QKD network that enjoys security against untrusted measurement devices and simultaneously offers practical applicability with arbitrary scalability? This is exactly the purpose of this work.

In this paper, we propose a flexible and extensible protocol named open-destination MDI-QKD network, by combining the idea of open-destination teleportation [23] and MDI-QKD [17,18]. In this protocol, secure communication between any two users in the network can be accomplished with the assistance of the others. The open-destination feature allows any two users to share secure keys simultaneously, and we also generalize to the case of *C* communication users. Remarkably, this feature allows the communication users not to be specified before the measurement step, which makes the network flexible and extendable. Furthermore, the MDI feature makes this scheme secure against untrusted relays and all detector side-channel attacks. Specifically, all users need only trusted state-preparation devices at hand, while the untrusted relay section is made up of entangled resources and measurement devices.

#### **2. Open-Destination MDI-QKD Network**

Consider an *N*-party quantum network. We are particularly interested in the case where any two users want to share secure keys. This scenario is denoted as (*N*, 2) for convenience. To simplify the discussion, here we focus on the star-type network, where both the users and a central source emit quantum signals. The signals are measured by untrusted relays located between each user and the central source.

#### *2.1. Protocol*

The (*N*, 2) open-destination MDI-QKD runs as follows. An illustration of the (4, 2) example is shown in Figure 1.

Step. 1 **Preparation**: A third party, which may be untrusted, prepares *N*-partite GHZ state

$$|GHZ\rangle\_N = \frac{1}{\sqrt{2}}(|0\rangle^{\otimes N} + |1\rangle^{\otimes N}),\tag{1}$$

where |0⟩ and |1⟩ denote the two eigenstates of the computational basis *Z*. All users prepare BB84 polarization states, i.e., |0⟩, |1⟩, |+⟩, and |−⟩, with |±⟩ = (|0⟩ ± |1⟩)/√2 being the two eigenstates of the basis *X*. The third party and all users distribute the prepared quantum states to their relays, which may also be untrusted.


users' prepared states (see Appendix A for details). Then, the two users obtain the raw key bits.

Step. 5 **Post-processing**: The two communication users estimate the quantum phase error and quantum bit error rate (QBER) in *Z* and *X* bases, according to which they further perform error correction and privacy amplification to extract correct and secure keys.

In this protocol, the multi-partite GHZ state between distant users can also be established through prior distributed singlets, following the scheme of Bose *et al.* [24]. In fact, the open-destination feature allows any two users in the network to share secure keys based on the same experimental statistics. To accomplish the task of MDI-QKD among any two users, a natural scheme is to establish direct MDI-QKD between each pair of users. This requires either the central source to adjust its devices such that EPR pairs (the maximally entangled quantum states of a two-qubit system, named after the Einstein, Podolsky and Rosen paradox [25]) are sent along the desired directions, or a number *N*(*N* − 1)/2 of two-user combinations to establish direct MDI-QKD using the same number of untrusted relays. The open-destination scheme is an alternative. It does not require the central source to adjust its devices according to the communication demand, and at the same time involves only *N* untrusted relays. In a practical scenario, all the users can use weak coherent pulses to reduce the experimental cost and apply decoy-state techniques [26–28] to avoid the photon-number-splitting attack, as well as to estimate the gain and the error rate.

**Figure 1.** An optical diagram for the polarization-encoding (4, 2) open-destination measurement-device-independent quantum key distribution (MDI-QKD) network. The GHZ source outputs a 4-partite GHZ entangled state in polarization and the light source outputs BB84 polarization states. BSM denotes the Bell state measurement, where BS is the 50:50 beam splitter, PBS is the polarization beam splitter, and *D*1*H*, *D*2*H*, *D*1*V*, and *D*2*V* are single-photon detectors. A click in *D*1*H* and *D*2*V*, or in *D*1*V* and *D*2*H*, indicates a projection into the Bell state |*ψ*−⟩ = (|01⟩ − |10⟩)/√2, and a click in *D*1*H* and *D*1*V*, or in *D*2*H* and *D*2*V*, indicates a projection into the Bell state |*ψ*+⟩ = (|01⟩ + |10⟩)/√2.

#### *2.2. Correctness and Security Analysis*

We will show the correctness and security of the open-destination MDI-QKD protocol, i.e., that the communication users end up sharing a common key in an honest run and that any eavesdropper can only obtain limited information about the final key. The following analysis applies to the (*N*, 2) case. As an illustration, we show a detailed derivation for the (4, 2) case in Appendix A.

For the correctness of the protocol, we show that after successful BSMs and after the other users announce their *X*-basis states, the two communication users can flip their bits locally to obtain perfectly correlated sifted keys. We start by rewriting the GHZ state as

$$|GHZ\rangle\_N = \frac{1}{\sqrt{2}} \left[ |00\rangle\_{12} \bigotimes\_{k=3\ldots N} \frac{|+\rangle\_k + |-\rangle\_k}{\sqrt{2}} + |11\rangle\_{12} \bigotimes\_{k=3\ldots N} \frac{|+\rangle\_k - |-\rangle\_k}{\sqrt{2}} \right],\tag{2}$$

$$= \left(\frac{1}{\sqrt{2}}\right)^{N-1} \sum\_{\chi} \left( |00\rangle\_{12} + (-1)^{\sigma\_{\chi}} |11\rangle\_{12} \right) |\chi\rangle\_{3\dots N} \,. \tag{3}$$

Here, *χ* ∈ {+, −}<sup>*N*−2</sup> is a string of *N* − 2 bits with bit value "+" or "−", and *σχ* = 0 (1) if the number of "−" is even (odd).

We label each user by 1′, 2′, ..., *N*′ and let the two communication users be 1′ and 2′. In a successful run of the protocol, suppose that users 1′ and 2′ prepare the states |*α*⟩, |*β*⟩ with *α*, *β* ∈ {0, 1, +, −}, respectively, and the other users 3′, ..., *N*′ prepare states in the *X* basis, denoted as a string *χ*′ ∈ {+, −}<sup>*N*−2</sup>. In addition, denote the successful BSM results as a string *υ* ∈ {+, −}<sup>*N*</sup>, with the *k*th bit *υk* denoting the BSM outcome on the state prepared by user *k* and the *k*th particle of the GHZ state. Here, *υk* = ± corresponds to the projections |*ψ*±⟩⟨*ψ*±|, respectively. Then, when the other users send the states denoted by |*χ*′⟩ and all untrusted relays announce successful BSM results *υ*, the equivalent measurement *M*<sup>*χ*′,*υ*</sup><sub>1′2′</sub> on 1′ and 2′ is

$$\sqrt{M\_{1'2'}^{\chi',\nu}}|\alpha\beta\rangle\_{1'2'} = \left(\bigotimes\_{k} \langle \psi^{\nu\_{k}}|\_{kk'}\right)|GHZ\rangle\_{N} \otimes |\alpha\beta\rangle\_{1'2'} |\chi'\rangle\_{3'\ldots N'} \tag{4}$$

$$\begin{aligned} = \left(\frac{1}{\sqrt{2}}\right)^{N-1} \sum\_{\chi} \langle \psi^{\nu\_1}|\_{11'} \langle \psi^{\nu\_2}|\_{22'} \left(|00\rangle\_{12} + (-1)^{\sigma\_\chi} |11\rangle\_{12}\right) |\alpha\beta\rangle\_{1'2'} \\ \times \prod\_{k=3\dots N} \langle \psi^{\nu\_k}|\_{kk'} |\chi\rangle\_k |\chi'\rangle\_{k'} \end{aligned} \tag{5}$$

$$
\approx \left( \langle 00 |\_{1'2'} + (-1)^{\tau} \langle 11 |\_{1'2'} \right) |\alpha\beta\rangle\_{1'2'} \,. \tag{6}
$$

Here, *τ* = *σ*<sub>*χ*′⊕*υ̃*</sub> ⊕ *υ*1 ⊕ *υ*2 with *υ̃* = *υ*3*υ*4 ... *υN* ∈ {+, −}<sup>*N*−2</sup>, and *σ*<sub>*χ*′⊕*υ̃*</sub> = + (−) if the number of "−" in *χ*′ ⊕ *υ̃* is even (odd). Therefore, when users 1 and 2 both prepare *Z*-basis states, or when they both prepare *X*-basis states with *τ* = 0, the corresponding strings are correctly correlated; otherwise, when they both prepare *X*-basis states but *τ* = 1, their strings are anticorrelated, and one party needs to flip all his/her bits.

For the security of the protocol, here we show that open-destination MDI-QKD is equivalent to standard bipartite MDI-QKD if we focus only on the two communication users. Recall that, in standard MDI-QKD, two parties, Alice and Bob, prepare and send quantum signals to a remote untrusted relay, which announces whether a BSM was successful. In our scheme, one can treat everything outside the two users 1 and 2 as an untrusted relay [29]. That is, the GHZ source, the BSM setups and all other users serve as one big untrusted relay, and the successful BSM result of standard MDI-QKD corresponds to all BSMs announcing successful measurements together with all other users announcing their *X*-basis states (see Figure A1 for an example of the (4, 2) case). In this sense, our scheme reduces to MDI-QKD and the two have the same security. Additionally, although we require the preparation device of each user to be trusted in the protocol, the two communication users need not trust the preparation devices of the other users.

#### *2.3. Key Generation Rate*

The key generation rate for open-destination MDI-QKD can be derived similarly to that of standard MDI-QKD, i.e., by converting it to an entanglement purification scheme. Suppose that the two communication users both hold virtual singlets and each sends one particle to the untrusted relays. In a successful run of the protocol, the remaining virtual particles of the two communication users will be entangled. When the entanglement between the virtual particles is sufficiently strong, the monogamy property of entanglement [30–32] guarantees the extraction of information-theoretically secure key bits between the two users. In this sense, the secret key rate can be roughly viewed as the gain of entanglement purification in the asymptotic case. Taking into account imperfections such as basis misalignment, channel loss, and dark counts of the detectors, the key generation rate is given by the GLLP method [33]

$$R\_2 = Q^{ZZ} \left[ 1 - H\left(e^{XX}\right) - fH\left(e^{ZZ}\right) \right]. \tag{7}$$

Here, we have assumed that the user 1 and 2 use *Z* basis to generate keys and use *X* basis to estimate phase errors. In the equation, *QZZ* denotes the overall gain in the *Z* basis, and *eXX* (*eZZ*) denotes the phase (bit) error rate, *f* > 1 is the error correction inefficiency for the error correction process, and *H*(*x*) = −*x* log2(*x*) − (1 − *x*)log2(1 − *x*) is the binary Shannon entropy function. In a realistic experiment, if using weak coherent pulses and adopting decoy-state techniques, *QZZ*, *eZZ*, and *eXX* can be efficiently estimated [27,28].

#### *2.4. Comparison with the Standard MDI-QKD*

The open-destination MDI-QKD network is different from conventional MDI-QKD. The main difference comes from the open-destination feature, which allows all two-party user pairs in the network to generate their own secure keys independently and simultaneously. There are in fact *N*(*N* − 1)/2 such two-party combinations. If one uses the conventional MDI-QKD scheme, the same number of untrusted relays is required. To increase the communication distance, one may further add the same number of relays and EPR sources to construct the user-relay-EPR source-relay-user structure. Such a construction of a quantum network could be expensive considering the number of devices required. One could also use optical switches to reduce the number of relays; however, in this case the communication would be arranged in time order and some users would have to wait. In the open-destination scheme, *N* untrusted relays are sufficient to connect all users, supplied with a good-quality central GHZ source. Although the distribution of GHZ states may lead to other technological challenges, the open-destination scheme can significantly reduce the number of devices needed to construct the network. As for the performance, the two schemes in fact perform similarly in the ideal case. The difference is that the open-destination scheme generates secure keys for any two-party users in one round of implementation, while the bipartite MDI-QKD scheme costs *N*(*N* − 1)/2 rounds. Furthermore, the open-destination scheme also establishes conference key agreement among arbitrary users, which cannot be accomplished directly via bipartite MDI-QKD. We will discuss this case in the next section.

#### **3. Numerical Simulation**

As an example, we analyze the secure key rate for the (4, 2) open-destination MDI-QKD (see Appendices B and C for details). For simplicity, a single-photon source and the asymptotic approximations are assumed. We let the BSM setups be located at each user's side, although, in a realistic experiment, the BSM setups can be located anywhere to increase the communication distance. We suppose that the quantum channels are identically depolarizing, such that the untrusted relays receive the GHZ state in the mixed form [34]:

$$\rho = p \left| GHZ \right\rangle \left\langle GHZ \right|\_{4} + \frac{1-p}{16} \mathbb{I}\_{16}, \tag{8}$$

where 0 ≤ *p* ≤ 1. We also assume that all detectors are identical, i.e., they have the same dark count rates and the same detection efficiencies. After numerical simulation, the lower bound of the secure key rate with respect to the communication distance between a user and the central source is shown in Figure 2.

**Figure 2.** Lower bound on the secret key rate *R* versus the communication distance between communication users using a Werner-like state source. The red line denotes *p* = 1, i.e., the perfect GHZ source. The parameters are chosen according to the experiments in [35]: the detection efficiency *ηd* = 40%, the misalignment-error probability of the system *ed* = 2%, the dark count rate of the detector *pd* = 8 × 10<sup>−8</sup>, the error correction efficiency *f* = 1.16, and the intrinsic loss coefficient of the standard telecom fiber channel *α* = 0.2 dB/km.

The simulation shows that the secure key rate and the largest communication distance decrease when *p* decreases. To implement open-destination MDI-QKD efficiently, good-quality GHZ sources and single-photon sources are necessary. If such requirements are satisfied, our scheme can tolerate a high loss of more than 500 km of optical fiber, i.e., 100 dB, using a perfect GHZ source and single-photon source, even when the BSM setups are located at every user's side. One can double the communication distance by putting the BSM setups midway between the users and the GHZ source, similar to the case in MDI-QKD [17,18]. For the realistic case where weak coherent pulses are used, our analysis can be generalized by considering the decoy-state method [27,28] and following the procedures in Refs. [36,37].

#### **4. Generalization to The (N,C) Case**

As mentioned above, the complete analysis has so far focused on the (*N*, 2) open-destination MDI-QKD case. Here, we show that the case of two communication users can also be generalized to the case of *C* communication users. Note that the open-destination feature enables any *C* users to generate secure keys at the same time.

Suppose that, in an *N*-party quantum network with users 1, 2, ··· , *N*, the communication users are denoted by the subset C = {*i*1, *i*2,..., *iC*}, where *C* = |C|. The auxiliary set denoted by A consists of auxiliary users, i.e., users that assist communication users to generate secure keys, with *A* = |A| = *N* − *C* users. According to Equation (3), for a general *C* communication users case, the GHZ state can be rewritten as

$$|GHZ\rangle\_N = \frac{1}{\sqrt{2}} \left[ |00\cdots0\rangle\_{12\cdots C} \bigotimes\_{k=C+1\ldots N} \frac{|+\rangle\_k + |-\rangle\_k}{\sqrt{2}} + |11\cdots1\rangle\_{12\cdots C} \bigotimes\_{k=C+1\ldots N} \frac{|+\rangle\_k - |-\rangle\_k}{\sqrt{2}} \right],\tag{9}$$

$$= \left(\frac{1}{\sqrt{2}}\right)^{N-1} \sum\_{\chi} \left( |00\cdots0\rangle\_{12\cdots C} + (-1)^{\sigma\_{\chi}} |11\cdots1\rangle\_{12\cdots C} \right) |\chi\rangle\_{C+1\ldots N}.\tag{10}$$

Here, *χ* ∈ {+, −}<sup>*N*−*C*</sup> is a string of *N* − *C* bits with bit value "+" or "−", and *σ<sub>χ</sub>* = 0 (1) if the number of "−" is even (odd). Intuitively, with the assistance of *N* − *C* auxiliary users, *C*-qubit GHZ states are shared among arbitrary *C* communication users. Meanwhile, based on the *C*-qubit GHZ state, the communication users can complete different quantum information tasks with the merit of open destination, such as quantum conference key agreement [24,34,38–40] and quantum secret sharing [39,41–43]. In general, we call it the (*N*, *C*) open-destination quantum communication task. When *C* = 2, and the aim is to establish QKD, the task is reduced to the (*N*, 2) open-destination MDI-QKD network discussed above.

For instance, in the general case of (*N*, *C*) open-destination quantum conference key agreement, all users prepare and send BB84 states to their respective untrusted relays. The central source simultaneously distributes the GHZ state, which is measured together with the state from the user at the untrusted relay. When the relays announce successful BSM outcomes and when all auxiliary users announce their prepared states in the *X* basis, the communication users virtually share a multipartite entangled state, just as in the (*N*, 2) case. After suitable local bit-flip operations, all communication users share correctly correlated bits.

By slightly modifying the scheme, the experimental cost, especially the number of detectors, can be reduced significantly. For instance, when all users announce their preparation basis *X* for assisting others while keeping the bits corresponding to the *Z* basis to distill the key, any *C* users can share secure keys simultaneously. This is because their respective sifted keys correspond to different portions of the raw data. If one insists on using the conventional two-party QKD and multi-party conference key agreement schemes to realize the same function as the open-destination scheme under discussion, about (2<sup>*N*</sup> − 2)*N* detectors are required. In the open-destination scheme, the number of detectors is reduced to 4*N*, which only increases linearly with the user number *N*.

As an example, we consider the case of (*N*, 3) open-destination quantum conference key agreement. From Equation (10), the post-selected 3-party GHZ state is |*φ*<sup>±</sup>⟩<sub>3-party</sub> = (|000⟩ ± |111⟩)/√2 according to the announcements of the states and the BSM results related to the auxiliary users. Meanwhile, as shown in Table 1, an equivalent GHZ analyzer among the three communication users can be obtained according to the post-selected GHZ state |*φ*<sup>±</sup>⟩<sub>3-party</sub> and the BSM results of their corresponding relays. Then, according to the MDI-QCC protocol in Ref. [39], (*N*, 3) open-destination quantum conference key agreement can be directly conducted based on the equivalent GHZ analyzer.


**Table 1.** The equivalent GHZ analyzer measurement results of three communication users. Here, GHZ<sub>A</sub> denotes the post-selected GHZ state from the GHZ source; BSM result 1 (2, 3) denotes the BSM results of the three relays near the communication users' side; GHZ analyzer<sub>C</sub> denotes the results of the corresponding GHZ analyzer among the three communication users.

Similar to the open-destination MDI-QKD of the (*N*, 2) case in Section 2, the security of the (*N*, 3) open-destination quantum conference key agreement is also based on the entanglement purification argument [39,44,45]. According to the multi-partite entanglement purification scheme [46], the secret key rate can be written as follows [34,39,40]:

$$R\_3 = Q^Z \{ 1 - f \cdot \max[H(E\_{12}^Z), H(E\_{13}^Z)] - H(E^X) \},\tag{11}$$

where *Q<sup>Z</sup>* is the overall gain when the three communication users send out quantum states in the *Z* basis, *E<sup>Z</sup><sub>12</sub>* (*E<sup>Z</sup><sub>13</sub>*) is the marginal quantum bit error rate between user 1 and user 2 (3) in the *Z* basis, *E<sup>X</sup>* is the overall quantum bit error rate in the *X* basis, *f* is the error correction efficiency, and *H*(*x*) = −*x* log<sub>2</sub>(*x*) − (1 − *x*) log<sub>2</sub>(1 − *x*) is the binary Shannon entropy function. *Q<sup>Z</sup>*, *E<sup>X</sup>*, *E<sup>Z</sup><sub>12</sub>*, and *E<sup>Z</sup><sub>13</sub>* can be obtained directly from the experimental results. Meanwhile, the estimation of the key rate can be slightly different if the sources of the users are weak coherent states [33].

#### **5. Conclusions**

In conclusion, we proposed a flexible and extensible scheme for the (*N*, 2) open-destination MDI-QKD network. We proved the correctness and security of the protocol, and derived a practical key generation rate formula. As an illustration, we studied a specific network where two of four users want to distill quantum secure keys. For this scenario, we presented a polarization-encoding scheme for experimental implementation and offered a detailed simulation that takes the imperfections in both the source and the detectors into account. The simulation results show that the scheme enjoys a promising structure and performance in real-life situations.

A significant virtue of our scheme is its security against untrusted relays and all detector side-channel attacks. Moreover, the open-destination feature enables any two users to establish MDI-QKD without changing the network structure. In fact, one can establish MDI-QKD among arbitrary users even after the entangled source has been distributed and all the measurements have been completed. Furthermore, following the multi-entanglement swapping scheme, the network can be extended to a large scale by adding shared multi-partite GHZ states.

We would like to remark that the efficiency is currently relatively low (as seen in Figure 2). This can be overcome by optimizing the network topology, basis selections, and measurements for both the auxiliary and communication parties, as well as by considering asymmetric loss for various channels, etc., like the techniques adopted in Ref. [47]. Any future improvement in distributing multipartite entanglement efficiently and effectively will definitely benefit the proposed scheme and push it toward practical applications.

**Author Contributions:** Conceptualization, K.C.; methodology, F.X., L.L., N.-L.L., and K.C.; software, W.-F.C. and Y.-L.Z.; validation, Y.-Z.Z., Y.-L.Z., and K.C.; investigation, W.-F.C., Y.-Z.Z.; Writing—Original draft preparation, W.-F.C., Z.-Y.Z., and S.Z.; Writing—Review and editing, F.X., L.L., Z.-B.C., N.-L.L., and K.C.; visualization, W.-F.C., N.-L.L., and K.C.; supervision, F.X., L.L., Z.-B.C., N.-L.L., and K.C.; All authors have read and agreed to the published version of the manuscript.

**Funding:** This research was funded by the Chinese Academy of Science, the National Fundamental Research Program, the National Natural Science Foundation of China (Grants No. 11575174, No. 11374287, No. 61125502, No. 11574297, and No. 61771443), as well as the Fundamental Research Funds for the Central Universities (WK2340000083).

**Acknowledgments:** We thank Yu-Ao Chen and Qiang Zhang for valuable and enlightening discussions.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **Appendix A. Sifting Procedure of the (4,2) Case**

In this section, we describe the sifting procedure of open-destination MDI-QKD in detail for the (4, 2) case. We will show that such a scenario can be reduced to the standard MDI-QKD scenario. The general case can be proved in a similar way, as shown in the main text. The schematic diagram is depicted in Figure A1a.

We start by writing the GHZ state as

$$\begin{split} |GHZ\rangle\_4 = &\frac{1}{2\sqrt{2}} [(|00\rangle + |11\rangle)(|++\rangle + |--\rangle) \\ &+ (|00\rangle - |11\rangle)(|+-\rangle + |-+\rangle)]. \end{split} \tag{A1}$$

Up to the announcement of the quantum states of users 3 and 4, the BSMs of relays 3 and 4 on the quantum state received from the GHZ source and the quantum state from user 3 (4) can be treated as an equivalent projective measurement on the whole GHZ state. Specifically, if relays 3 and 4 perform the BSM and obtain the equivalent projective measurement results |00⟩ or |11⟩ (|01⟩ or |10⟩), the photons received by relays 1 and 2 will be projected into the state |*φ*<sup>+</sup>⟩ = (|00⟩ + |11⟩)/√2 (|*φ*<sup>−</sup>⟩ = (|00⟩ − |11⟩)/√2) according to Equation (A1). After the announcement of the successful BSM results and the quantum states of auxiliary users 3 and 4, the projected state received by relays 1 and 2 can be determined. So, one can treat the GHZ source, the BSM setups of relays 3 and 4 and the quantum states of auxiliary users 3 and 4 as a virtual entanglement source, which outputs different Bell states. The protocol is thus directly equivalent to MDI-QKD with an entangled source in the middle [29], as illustrated in Figure A1b. Since the virtual Bell state with two BSMs along each side can be made equivalent to a virtual BSM, the scheme is finally equivalent to implementing MDI-QKD between users 1 and 2, as shown in Figure A1c. Therefore, in an honest run, the protocol is reduced to the honest standard MDI-QKD scenario, and the parties will end up sharing a common key.

**Figure A1.** (**a**) The schematic diagram for the (4, 2) open-destination MDI-QKD scheme. Users 1 and 2 denote communication users, while users 3 and 4 denote auxiliary users. (**b**) The equivalent topological schematic diagram when users 1 and 2 communicate with each other. According to the BSM results of relays 3 and 4 and the quantum states of auxiliary users 3 and 4, the GHZ state is projected to a virtual Bell state. (**c**) The final equivalent topological schematic diagram in which users 1 and 2 perform MDI-QKD, according to the BSM results and the virtual Bell state.

Firstly, notice that the projection measurement of two systems onto one Bell state can be viewed as a POVM (positive operator valued measure) on one system if one knows the state of the other system. For example, as shown in Figure A1a, a successful BSM result |*ψ*<sup>−</sup>⟩ of relay 3 with the auxiliary photon from auxiliary user 3 in the state |*α*⟩<sub>3′</sub> can be viewed as a POVM tr<sub>3′</sub>[|*ψ*<sup>−</sup>⟩⟨*ψ*<sup>−</sup>|<sub>33′</sub> |*α*⟩⟨*α*|<sub>3′</sub>] on system 3. In the open-destination scheme, we have |*α*⟩ ∈ {|+⟩, |−⟩} and the BSM results {|*ψ*<sup>+</sup>⟩, |*ψ*<sup>−</sup>⟩}. The correspondence between the POVM on system *k* and the successful BSM announced by the untrusted relay together with the auxiliary state is listed in Table A1.

**Table A1.** The correspondence between the POVM on the state labeled *k* and the BSM result labeled by *kk′* with the auxiliary state labeled by *k′*.


Secondly, when the two auxiliary users prepare *X*-basis photons and the corresponding relays get successful BSM results, according to Table A1, the total GHZ state collapses into one of the maximally entangled states |*φ*<sup>±</sup>⟩ = (|*HH*⟩ ± |*VV*⟩)/√2 on the side of the two communication users.

Thirdly, on the sides of the two communication users, according to the post-selected Bell state |*φ*<sup>±</sup>⟩ and the BSM results of their corresponding relays, a BSM between the two communication users can be obtained. Such correspondence is listed in Table A2.

**Table A2.** The equivalent BSM results of two communication users. Here, Bell<sub>A</sub> denotes the post-selected Bell state from the GHZ source; BSM result 1 (2) denotes the BSM results of the two relays near the communication users' side; BSM<sub>C</sub> denotes the results of the corresponding BSM between the two communication users.


Finally, as shown in Table A3, according to the final equivalent BSM result and the preparation bases, one of the communication users applies a bit flip or not, such that their keys become correlated. In fact, only when both communication users select the *X* basis and the final equivalent BSM result is |*φ*<sup>−</sup>⟩ does one of them need to apply a bit flip. After many rounds, they obtain enough raw key bits that can be used in the subsequent data post-processing.

**Table A3.** Flip table according to the preparation bases and the equivalent BSM result at communication users side.


#### **Appendix B. Detector Analysis**

Since the BSM with the auxiliary photon is equivalent to a probabilistic projective measurement, one can use an equivalent detector to replace the BSM device with the corresponding light source in the key rate analysis. Here, we develop a method to derive the equivalent detector parameters, i.e., the detection efficiency and the dark count of the equivalent detector. We use the BSM setup with polarization encoding as illustrated in Figure A2.

In *H*/*V* basis, suppose that Alice and Bob encode the same polarization states; then, the state becomes as follows after the BS:

$$a\_H^\dagger b\_H^\dagger \left| vac\right> \to \left(a\_{1H}^{\dagger 2} - a\_{2H}^{\dagger 2}\right) \left| vac\right>\,,\tag{A2}$$

where *a*<sup>†</sup> (*b*<sup>†</sup>) denotes a creation operator, and |*vac*⟩ denotes the vacuum state. The probability of a successful BSM when the input states are |*H*⟩ and |*H*⟩ is given by

$$P\_{HH} = 2p\_d(1 - p\_d)^2\left(1 - (1 - p\_d)(1 - \eta\_d)^2\right),\tag{A3}$$

where *η<sub>d</sub>* is the detection efficiency, and *p<sub>d</sub>* is the dark count. Suppose that Alice and Bob encode different polarization states; then, after the BS, the state becomes as follows:

$$\begin{split} a\_{H}^{\dagger} b\_{V}^{\dagger} \left| vac \right> &\to \left( a\_{1H}^{\dagger} a\_{1V}^{\dagger} - a\_{2H}^{\dagger} a\_{2V}^{\dagger} \right) \left| vac \right> \\ &\to \left( a\_{2H}^{\dagger} a\_{1V}^{\dagger} - a\_{1H}^{\dagger} a\_{2V}^{\dagger} \right) \left| vac \right>. \end{split} \tag{A4}$$

**Figure A2.** The BSM setup with polarization encoding. BS denotes beam splitter, PBS denotes polarization beam splitter, *H* and *V* denote, respectively, horizontal and vertical linear polarizations, and *D*<sub>1*H*</sub>, *D*<sub>2*H*</sub>, *D*<sub>1*V*</sub>, *D*<sub>2*V*</sub> denote single-photon detectors. A click in *D*<sub>1*H*</sub> and *D*<sub>2*V*</sub>, or in *D*<sub>1*V*</sub> and *D*<sub>2*H*</sub>, indicates a projection into the Bell state |*ψ*<sup>−</sup>⟩ = (|*HV*⟩ − |*VH*⟩)/√2, and a click in *D*<sub>1*H*</sub> and *D*<sub>1*V*</sub>, or in *D*<sub>2*H*</sub> and *D*<sub>2*V*</sub>, indicates a projection into the Bell state |*ψ*<sup>+</sup>⟩ = (|*HV*⟩ + |*VH*⟩)/√2.

The probability of a successful BSM when the input states are |*H*⟩ and |*V*⟩ is given by

$$P\_{HV} = (1 - p\_d)^2 (1 - (1 - p\_d)(1 - \eta\_d))^2. \tag{A5}$$

Thus, the equivalent detection probability when the input state is |*H*⟩ is given by

$$\begin{split} \eta\_{H}^{'} = & \frac{1}{2} (1 - p\_d)^2 \left[ 2p\_d (1 - (1 - p\_d)(1 - \eta\_d)^2) \right. \\ & \left. + \left( 1 - (1 - p\_d)(1 - \eta\_d) \right)^2 \right]. \end{split} \tag{A6}$$

Due to symmetry, the equivalent detection probability when the input state is |*V*⟩ has the same form as in the case where the input state is |*H*⟩, i.e., one has *η′<sub>V</sub>* = *η′<sub>H</sub>*. Similarly, by using the transformation relation in the {+, −} basis

$$\begin{aligned} &a\_+^\dagger b\_+^\dagger \left| vac \right> \to \left(a\_{1H}^\dagger a\_{1V}^\dagger - a\_{2H}^\dagger a\_{2V}^\dagger \right) \left| vac \right>\\ &a\_+^\dagger b\_-^\dagger \left| vac \right> \to \left(a\_{1H}^\dagger a\_{2V}^\dagger - a\_{1V}^\dagger a\_{2H}^\dagger \right) \left| vac \right>, \end{aligned} \tag{A7}$$

one can obtain the equivalent detection probability when the input state is |+⟩ as follows:

$$
\eta\_{+}^{'} = (1 - p\_d)^2 (1 - (1 - p\_d)(1 - \eta\_d))^2. \tag{A8}
$$

Due to symmetry, one has *η′<sub>−</sub>* = *η′<sub>+</sub>*.

We consider practical experimental parameters, which are listed in Table A4. For the experimental parameters, one arrives at

$$
\eta\_d^{'Z} = 0.08, \quad \eta\_d^{'X} = 0.16,\tag{A9}
$$

where *η′<sup>Z</sup><sub>d</sub>* denotes the equivalent detection efficiency for the *H*/*V* basis, i.e., the *Z* basis, and *η′<sup>X</sup><sub>d</sub>* denotes the equivalent detection efficiency for the +/− basis, i.e., the *X* basis.

**Table A4.** List of experimental parameters used for simulation. *η<sub>d</sub>* is the detection efficiency; *e<sub>d</sub>* is the misalignment-error probability of the system; *p<sub>d</sub>* is the dark count rate of the detector; *f* is the error correction efficiency; *α* is the intrinsic loss coefficient of the standard telecom fiber channel.


To calculate the parameters for the equivalent dark count, one should consider the case in which there is no incoming photon. Suppose the local photon is |*H*⟩ and the incoming photon is the vacuum state; then the state becomes as follows after the BS:

$$b\_H^\dagger|vac\rangle \to \left(\frac{i}{\sqrt{2}}a\_{1H}^\dagger + \frac{1}{\sqrt{2}}a\_{2H}^\dagger\right)|vac\rangle,\tag{A10}$$

where *b*<sup>†</sup><sub>*H*</sub> denotes the creation operator of the local photon. So, one can get the probability of a successful BSM as follows:

$$P\_H = 2p\_d(1-p\_d)^2 \eta\_d.\tag{A11}$$

Due to symmetry, one has *P*<sub>+</sub> = *P*<sub>−</sub> = *P<sub>V</sub>* = *P<sub>H</sub>*. Here, *P<sub>x</sub>* denotes the probability of a successful BSM result when the local photon is |*x*⟩ and there is no incoming photon. So, one can get the equivalent dark count as

$$p\_d' = 2p\_d(1 - p\_d)^2 \eta\_d.\tag{A12}$$

For the experimental parameters given in Table A4, one arrives at

$$p\_d^{'} = 6.4 \times 10^{-8} \,\text{.}\tag{A13}$$

Finally, one can achieve the parameters for the equivalent detectors shown in Table A5.

**Table A5.** List of the parameters for the equivalent detectors. *η′<sup>Z</sup><sub>d</sub>* (*η′<sup>X</sup><sub>d</sub>*) denotes the equivalent detection efficiency for the *Z* (*X*) basis, and *p′<sub>d</sub>* denotes the equivalent dark count.

$$\begin{array}{ccc}\hline\hline \eta\_d^{'Z} & \eta\_d^{'X} & p\_d^{'} \\\hline 8\% & 16\% & 6.4 \times 10^{-8} \\\hline\hline\end{array}$$

#### **Appendix C. Simulation for (4,2)-Scenario**

For simulation purposes, one can assume practically that the source has the form of Werner-like states

$$\rho = p \left| \text{GHZ} \right> \left< \text{GHZ} \right|\_{4} + \frac{1-p}{16} \mathbb{I}, \tag{A14}$$

in which |*GHZ*⟩<sub>4</sub> = (|*HHHH*⟩ + |*VVVV*⟩)/√2 is the 4-partite GHZ state, I/16 is the 4-partite maximally mixed state, and 0 ≤ *p* ≤ 1. As proven in the previous section, according to the measurement results on the auxiliary side, the photons received by the communication side will be projected into different Bell states. Here, we consider the case in which the auxiliary side gets the |+⟩ ⊗ |+⟩ result, owing to the symmetry. When the auxiliary side gets the |+⟩ ⊗ |+⟩ result, the particles received by the communication side will collapse into

$$
\rho\_{\rm AB} = p \left| \phi^+ \right\rangle \left\langle \phi^+ \right| + \frac{1-p}{4} \mathbb{I}, \tag{A15}
$$

where |*φ*<sup>+</sup>⟩ = (|*HH*⟩ + |*VV*⟩)/√2 is one of the Bell states. So, from the perspective of key rate analysis, it is equivalent to the case in which the two communication users (denoted by Alice and Bob) perform entanglement-based QKD using the two-qubit Werner state *ρ<sub>AB</sub>* as the source and the equivalent detectors as the detection devices, as illustrated in Figure A3.

Taking these imperfections of the source and detectors into account, the key generation rate in a realistic setup will be given by

$$R = Q\_{11}^{ZZ} \left( 1 - H(e\_{11}^{XX}) \right) - Q\_{\mu\nu}^{ZZ} \cdot f \cdot H(E\_{\mu\nu}^{ZZ}).\tag{A16}$$

In the following, we discuss how one can derive each quantity in this key rate formula, i.e., *Q<sup>ZZ</sup><sub>11</sub>*, *e<sup>XX</sup><sub>11</sub>*, *Q<sup>ZZ</sup><sub>μν</sub>*, and *E<sup>ZZ</sup><sub>μν</sub>*.

**Figure A3.** Equivalent setup for Alice and Bob when tracing the BSM results of the auxiliary users. PBS denotes polarization beam splitter, PM denotes polarization modulator, and EPR denotes EPR source.

*Yield.* Denote the yield of a single-photon pair as *Y*<sub>11</sub>, i.e., the conditional probability of a coincidence detection event given that the entanglement source emits a single-photon pair. Then, *Y*<sub>11</sub> is given by

$$Y\_{11} = \left[1 - (1 - Y\_{0A})(1 - \eta\_A)\right]\left[1 - (1 - Y\_{0B})(1 - \eta\_B)\right],\tag{A17}$$

where *Y*<sub>0*A*</sub> = *Y*<sub>0*B*</sub> = *p′<sub>d</sub>* are the background count rates on Alice's and Bob's sides in the *Z* basis, and *η<sub>A</sub>* = *η<sub>B</sub>* = *η′<sup>Z</sup><sub>d</sub>* × 10<sup>−*αL*/20</sup> denotes the total detection efficiency taking the channel loss into account. Equation (A17) is also applicable to the *X* basis. Then, the gain of the single-photon part and the overall gain are given by

$$Q\_{\mu\nu}^{ZZ} = Q\_{11}^{ZZ} = Y\_{11}.\tag{A18}$$

*Error Rate.* The error rate of a single-photon pair in the *X* basis, *e<sup>XX</sup><sub>11</sub>*, has three main contributions when imperfections are taken into account: (i) *the imperfections of the entanglement source*, i.e., the maximally mixed state component, which brings a 50% error rate *e*<sub>0</sub> = 1/2; (ii) *background counts*, which are random noise with *e*<sub>0</sub> = 1/2; (iii) *the intrinsic detector error e<sub>d</sub>*, which characterizes the alignment and stability of the optical system. So, the error rate of a single-photon pair *e<sup>XX</sup><sub>11</sub>* is given as follows:

$$e\_{11}^{XX} Y\_{11} = p e\_0 (Y\_{11} - \eta\_A \eta\_B) + p e\_d \eta\_A \eta\_B + (1 - p) e\_0 Y\_{11},\tag{A19}$$

where the first term comes from background counts, the second term comes from intrinsic errors, and the third term comes from the mixed part of the source. So, one obtains the error rate of a single-photon pair *e<sup>XX</sup><sub>11</sub>* as follows:

$$
e\_{11}^{XX} = e\_0 - \frac{p\eta\_A \eta\_B (e\_0 - e\_d)}{Y\_{11}}.\tag{A20}
$$

Similarly, the error rate in the *Z* basis is given by

$$E\_{\mu\nu}^{ZZ} = e\_0 - \frac{p\eta\_A \eta\_B (e\_0 - e\_d)}{Y\_{11}}.\tag{A21}$$
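As an added example (not the authors' code), the two appendices chained together in Python: the equivalent-detector parameters (A6), (A8) and (A12) are computed from the Table A4 values, and then fed into the Werner-state key rate (A16)–(A21) as a function of distance and of the GHZ weight *p*. One reading is my own assumption: the *X*-basis error *e<sup>XX</sup><sub>11</sub>* is evaluated with the *X*-basis equivalent efficiency *η′<sup>X</sup><sub>d</sub>*, following the remark that (A17) also applies to the *X* basis.

```python
"""Equivalent detectors (Appendix B) and the (4,2) Werner-state key rate (Appendix C)."""
from math import log2

# Experimental parameters of Table A4 (also listed in the Figure 2 caption).
ETA_D = 0.40    # detection efficiency eta_d
E_D = 0.02      # misalignment-error probability e_d
P_D = 8e-8      # dark count rate p_d
F_EC = 1.16     # error correction efficiency f
ALPHA = 0.2     # fibre loss alpha, dB/km


def h2(x):
    """Binary Shannon entropy H(x); H(0) = H(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1 - x) * log2(1 - x)


def equivalent_detector(eta_d=ETA_D, p_d=P_D):
    """Parameters of the detector that replaces BSM + auxiliary photon: (eta'^Z, eta'^X, p_d')."""
    q = 1 - p_d             # probability of no dark count in one detector
    miss = 1 - eta_d        # probability that a photon is not detected
    eta_z = 0.5 * q**2 * (2 * p_d * (1 - q * miss**2) + (1 - q * miss)**2)   # (A6), Z basis
    eta_x = q**2 * (1 - q * miss)**2                                         # (A8), X basis
    p_d_eq = 2 * p_d * q**2 * eta_d                                          # (A12)
    return eta_z, eta_x, p_d_eq


def yield_11(y0, eta_a, eta_b):
    """Single-photon-pair yield Y_11 of (A17); y0 is the background count rate on both sides."""
    return (1 - (1 - y0) * (1 - eta_a)) * (1 - (1 - y0) * (1 - eta_b))


def error_11(p, y0, eta_a, eta_b, e_d=E_D):
    """Error rate (A20)/(A21) for a Werner-like source with GHZ weight p: e0 - p*etaA*etaB*(e0 - ed)/Y11."""
    e0 = 0.5
    return e0 - p * eta_a * eta_b * (e0 - e_d) / yield_11(y0, eta_a, eta_b)


def key_rate(distance_km, p=1.0, f=F_EC, alpha=ALPHA):
    """Lower bound (A16) on the key rate for communication users distance_km apart, clipped at 0."""
    eta_z, eta_x, p_d_eq = equivalent_detector()
    trans = 10 ** (-alpha * distance_km / 20)     # per-side channel transmittance, as in eta_A of (A17)
    eta_zz = eta_z * trans                        # eta_A = eta_B in the Z basis
    eta_xx = eta_x * trans                        # assumption: X-basis quantities use eta'^X
    q_zz = yield_11(p_d_eq, eta_zz, eta_zz)       # Q^ZZ_{mu nu} = Q^ZZ_11 = Y_11, (A18)
    e_xx = error_11(p, p_d_eq, eta_xx, eta_xx)    # e^XX_11, (A20)
    e_zz = error_11(p, p_d_eq, eta_zz, eta_zz)    # E^ZZ_{mu nu}, (A21)
    r = q_zz * (1 - h2(e_xx)) - q_zz * f * h2(e_zz)
    return max(r, 0.0)


if __name__ == "__main__":
    eta_z, eta_x, p_d_eq = equivalent_detector()
    print(f"eta'^Z = {eta_z:.4f}  eta'^X = {eta_x:.4f}  p_d' = {p_d_eq:.3e}")   # (A9), (A13)
    for km in (0, 100, 300, 500, 600):
        print(f"{km:4d} km  R(p=1.0) = {key_rate(km):.3e}  R(p=0.9) = {key_rate(km, p=0.9):.3e}")
```

With these parameters the rate is still positive at 500 km (100 dB total loss) for *p* = 1 and drops to zero by 600 km, matching the behaviour described for Figure 2.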

#### **Reference**


© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

# *Article* **Distinguishability and Disturbance in the Quantum Key Distribution Protocol Using the Mean Multi-Kings' Problem**

#### **Masakazu Yoshida 1,\*, Ayumu Nakayama <sup>2</sup> and Jun Cheng <sup>3</sup>**


Received: 7 October 2020; Accepted: 9 November 2020; Published: 11 November 2020

**Abstract:** We introduce a quantum key distribution protocol using the mean multi-kings' problem. Using this protocol, a sender can share a bit sequence as a secret key with receivers. We consider a relation between the information gain of an eavesdropper and the disturbance contained in the legitimate users' information. In the BB84 protocol, such a relation is known as the so-called information disturbance theorem. We focus on a setting in which the sender and two receivers try to share bit sequences and the eavesdropper tries to extract information by letting the legitimate users' systems interact with an ancilla system. We derive trade-off inequalities between the distinguishability, for the eavesdropper, of the quantum states corresponding to the bit sequence and the error probability of the bit sequence shared by the legitimate users. Our inequalities show that the eavesdropper's extraction of information about the secret keys inevitably disturbs the states and increases the error probability.

**Keywords:** quantum key distribution; mean-king's problem; mean multi-kings' problem; information disturbance theorem

#### **1. Introduction**

In quantum state discrimination problems, one tries to discriminate quantum states by performing a single measurement. Several strategies exist, e.g., in [1–3] and Section 9.1.4 in [4]. On the other hand, in the mean-king's problem [5], one can use not only a single measurement but also post-information. The specific setting of the mean-king's problem is often told as a tale [6] of a king and a physicist, Alice. In the tale, Alice first prepares a qubit in an initial state. The king performs a measurement with one of the observables *σ<sub>x</sub>*, *σ<sub>y</sub>*, *σ<sub>z</sub>* on the qubit and obtains an outcome. Then, Alice obtains an outcome by performing a measurement on the qubit. After the measurement, the king reveals the observable he has measured as the post-information. Then, Alice tries to guess the king's outcome by using her outcome and the post-information. A solution to the problem is a pair of an initial state and a measurement for Alice such that she can guess the king's outcome correctly. Using the Aharonov–Bergman–Lebowitz rule [7], a solution consisting of a Bell state and a measurement on a bipartite system has been shown [5]. As an application of the solution to the mean-king's problem, a quantum key distribution (QKD) protocol has been shown [8]. In this protocol, Alice and the king employ the guessing result as a secret key, and the security of the protocol has been analyzed [8–11].

A QKD protocol using the mean multi-kings' problem has been shown [12] (see Section 2 for details). In this protocol, Alice and the kings (called King1, King2, ..., King*n*) are legitimate users. Alice guesses each king's measurement outcome by using her measurement outcome and the post-information from each king; then, each guessing result is shared as a secret key between Alice and that king. The protocol has superior aspects, such as the number of measurements, state preparation and key discarding, over several realizations (whose components are the QKD protocol using the mean-king's problem or the BB84 protocol [13]) that let Alice and each king share a secret key. In the case of *n* = 2, security analysis against a simple attack, the so-called intercept-resend attack, has been considered and the error rate of the bits shared between Alice and the kings has been shown.

In this paper, we consider a relation between the information gain of an eavesdropper (called Eve) and the disturbance contained in the legitimate users' information in the QKD protocol using the mean multi-kings' problem. In the BB84 protocol, such a relation is known as the so-called information disturbance theorem [14–18]. According to the theorem, Eve's information gain in one basis inevitably induces disturbance in the legitimate users' information in the conjugate basis. Therefore, the theorem is also regarded as an information-theoretic version of the uncertainty relation. The theorem also plays an important role in the proof of unconditional security [19]. We consider that Eve tries to extract information by an attack in which she performs any measurement on her quantum system at any time, after letting that system interact with the kings' qubits following their measurements, in the case of *n* = 2. In this setting, we give trade-off inequalities between the distinguishability, for Eve, of the quantum states corresponding to the bit sequences and the error probability of the bit sequences shared by Alice and the kings. Our inequalities show that Eve's extraction of information about the secret keys inevitably disturbs the states of the kings' qubits and increases the error probability, even though the post-information and Alice's qubit are used in the guessing step, unlike in the BB84 protocol.

This paper is organized as follows. In the next section, we review a description of the quantum key distribution protocol by using the mean multi-kings' problem. In Section 3, we give the description of the protocol in the case of *n* = 2. In Section 4, we give the outline of the attack and the trade-off inequalities between distinguishability and disturbance. Finally, we summarize this paper in Section 5.

#### **2. Protocol**

Let us start by introducing the essence of the mean multi-kings' problem and the QKD by using it. Alice and King1, King2, ... , King*<sup>n</sup>* are the characters in this problem. The problem can be summarized as follows. Alice prepares a composite system, which consists of her system and *n* systems for kings, in an initial state. Each king performs a measurement on his system and obtains an outcome. After kings' measurement, Alice performs a measurement on the composite system and obtains an outcome. Furthermore, each king reveals post-information: the measurement type he has performed. Immediately, Alice guesses kings' outcomes by using her outcome and the post-information from each king. A solution to the problem is defined as a three-tuple of the initial state, Alice's measurement, and a guessing function such that she can guess kings' outcomes correctly. In this problem, the initial state will be changed depending on the kings' measurements and outcomes. In general, it is impossible to distinguish the changed states correctly. Therefore, Alice tries to get some potential answers by performing the measurement and to narrow down the correct outcome from them by using the guessing function of her outcome and the post-information.

We can construct the QKD protocol by using a setting of the mean multi-kings' problem and a solution to it, i.e., Alice and each king share the guessing result as a secret key. Figure 1 shows the protocol graphically. Let us consider a setting in which Alice prepares a composite system consisting of *n* + 1 qubits and each king performs one of two fixed measurements on his qubit. Then, two solutions whose initial states are multipartite entangled states can be shown, as described below; therefore, we can also construct the QKD protocol by using those solutions. In the QKD, Alice and each king try to share secret keys while she switches between the solutions.

**Figure 1.** The QKD protocol by using the mean multi-kings' problem.

Before introducing details of the QKD protocol, we introduce some preliminary definitions, the setting of the mean multi-kings' problem, and the solutions to it. Define

$$Z\_0 := |0\rangle\langle 0| , Z\_1 := |1\rangle\langle 1| , X\_0 := |\bar{0}\rangle\langle \bar{0}| , X\_1 := |\bar{1}\rangle\langle \bar{1}|\tag{1}$$

for |0⟩ := (1, 0)<sup>*T*</sup>, |1⟩ := (0, 1)<sup>*T*</sup>, |0̄⟩ := (1, 1)<sup>*T*</sup>/√2, |1̄⟩ := (1, −1)<sup>*T*</sup>/√2. Define an outcome set

$$\mathcal{K} := \{ (s\_1, t\_1, s\_2, t\_2, \dots, s\_n, t\_n) \mid s\_j, t\_j \in \{0, 1\} \},\tag{2}$$

operators for (*s*<sub>1</sub>, *t*<sub>1</sub>, *s*<sub>2</sub>, *t*<sub>2</sub>, ..., *s<sub>n</sub>*, *t<sub>n</sub>*) ∈ K

$$E^{(Z)}\_{\left(s\_1t\_1, s\_2t\_2, \dots, s\_nt\_n\right)} := \quad X\_{s\_1}Z\_{t\_1} \otimes X\_{s\_2}Z\_{t\_2} \otimes \dots \otimes X\_{s\_n}Z\_{t\_n} \tag{3}$$

$$E^{(X)}\_{\left(s\_1t\_1, s\_2t\_2, \dots, s\_nt\_n\right)} := \quad Z\_{s\_1}X\_{t\_1} \otimes Z\_{s\_2}X\_{t\_2} \otimes \dots \otimes Z\_{s\_n}X\_{t\_n} \tag{4}$$

and an index set

$$S^{(W)}\_{(J\_j, i\_j)\_{j=1}^{n}} = S^{(W)}\_{(J\_1, i\_1, J\_2, i\_2, \ldots, J\_n, i\_n)} := S^{(W)}\_{(J\_1, i\_1)} \times S^{(W)}\_{(J\_2, i\_2)} \times \cdots \times S^{(W)}\_{(J\_n, i\_n)}\tag{5}$$

(*W* ∈ {*Z*, *X*}) which consists of direct product of

$$S\_{(J,i)}^{(Z)} := \begin{cases} \{ (0,i), (1,i) \} & (J = 0,\ i \in \{0, 1\})\\ \{ (i,0), (i,1) \} & (J = 1,\ i \in \{0, 1\}), \end{cases} \tag{6}$$

$$S\_{(J,i)}^{(X)} := \begin{cases} \{ (i,0), (i,1) \} & (J=0,\ i \in \{0,1\})\\ \{ (0,i), (1,i) \} & (J=1,\ i \in \{0,1\}). \end{cases} \tag{7}$$

We define the setting of the mean multi-kings' problem. Alice prepares the composite system ($n + 1$ qubits) $\tilde{\mathcal{H}} := \mathcal{H}\_A \otimes \mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2} \otimes \cdots \otimes \mathcal{H}\_{K\_n} \cong (\mathbb{C}^2)^{\otimes (n+1)}$ in an initial state. Each King$\_j$ performs one of the measurements on $\mathcal{H}\_{K\_j}$

$$M^{(J\_j)} = (M\_0^{(J\_j)}, M\_1^{(J\_j)}) \ (J\_j \in \{0, 1\}),\tag{8}$$

where $M^{(0)} := (M\_0^{(0)} := Z\_0,\ M\_1^{(0)} := Z\_1)$ and $M^{(1)} := (M\_0^{(1)} := X\_0,\ M\_1^{(1)} := X\_1)$, and obtains an outcome $i\_j \in \{0, 1\}$. Alice performs a measurement on $\tilde{\mathcal{H}}$ and obtains an outcome. After Alice's measurement, the kings reveal $(J\_j)\_{j=1}^n$ as the post-information. Then, Alice tries to guess the kings' outcomes by using her outcome and the post-information.

Here, we show two solutions to the problem. In this case, Alice can guess the kings' outcomes correctly by employing one of

$$|\Phi^{(Z)}\rangle := \frac{1}{\sqrt{2}}(|00\cdots0\rangle + |11\cdots1\rangle)\tag{9}$$

$$|\Phi^{(X)}\rangle := \frac{1}{\sqrt{2}}(|\bar{0}\bar{0}\cdots\bar{0}\rangle + |\bar{1}\bar{1}\cdots\bar{1}\rangle) \tag{10}$$

as an initial state, a measurement depending on the initial state $|\Phi^{(W)}\rangle$

$$P^{(W)} := \left(P\_k^{(W)} := 2^{n+1} | (\mathbb{I} \otimes E\_k^{(W)}) \Phi^{(W)} \rangle \langle (\mathbb{I} \otimes E\_k^{(W)}) \Phi^{(W)} | \right)\_{k \in \mathcal{K}} \tag{11}$$

and a guessing function $s(k, (J\_j)\_{j=1}^n, \Phi^{(W)})$ of her outcome $k \in \mathcal{K}$, the post-information $(J\_j)\_{j=1}^n$, and the initial state $|\Phi^{(W)}\rangle$, where $s(k, (J\_j)\_{j=1}^n, \Phi^{(W)})$ is defined as the $(i\_j)\_{j=1}^n$ satisfying $k \in S^{(W)}\_{(J\_j, i\_j)\_{j=1}^n}$ (we regard $k = (s\_1, t\_1, s\_2, t\_2, \dots, s\_n, t\_n)$ in the same light as $((s\_1, t\_1), (s\_2, t\_2), \dots, (s\_n, t\_n))$).

We now determine the number of non-zero matrices in her measurement and show that they are mutually orthogonal. We can observe

$$\begin{array}{rcl} |(\mathbb{I} \otimes E\_k^{(Z)}) \Phi^{(Z)} \rangle &=& (\mathbb{I} \otimes X\_{s\_1} Z\_{t\_1} \otimes \cdots \otimes X\_{s\_n} Z\_{t\_n}) \frac{1}{\sqrt{2}} (| 00 \cdots 0 \rangle + | 11 \cdots 1 \rangle) \\ &=& \frac{1}{\sqrt{2}} (\delta\_{t\_1 0} \cdots \delta\_{t\_n 0} | 0 \rangle \otimes X\_{s\_1} | 0 \rangle \otimes X\_{s\_2} | 0 \rangle \otimes \cdots \otimes X\_{s\_n} | 0 \rangle \\ && + \delta\_{t\_1 1} \cdots \delta\_{t\_n 1} | 1 \rangle \otimes X\_{s\_1} | 1 \rangle \otimes X\_{s\_2} | 1 \rangle \otimes \cdots \otimes X\_{s\_n} | 1 \rangle ). \end{array} \tag{12}$$

Then, the number of non-zero vectors is equal to $2^{n+1}$. It leads to the conclusion that the number of non-zero matrices in $P^{(Z)}$ is equal to $2^{n+1}$. Furthermore, we observe

$$\begin{array}{ll} \langle (\mathbb{I}\otimes E\_{k}^{(Z)})\Phi^{(Z)}|(\mathbb{I}\otimes E\_{k'}^{(Z)})\Phi^{(Z)}\rangle\\ = \langle (\mathbb{I}\otimes X\_{s\_{1}}Z\_{t\_{1}}\otimes \cdots \otimes X\_{s\_{n}}Z\_{t\_{n}})\Phi^{(Z)}|(\mathbb{I}\otimes X\_{s'\_{1}}Z\_{t'\_{1}}\otimes \cdots \otimes X\_{s'\_{n}}Z\_{t'\_{n}})\Phi^{(Z)}\rangle\\ = \frac{1}{2^{n+1}}(\delta\_{t\_{1}0}\delta\_{t\_{2}0}\cdots\delta\_{t\_{n}0} + \delta\_{t\_{1}1}\delta\_{t\_{2}1}\cdots\delta\_{t\_{n}1})\,\delta\_{kk'}. \end{array} \tag{13}$$

It implies that $P^{(Z)}$ is an orthogonal measurement on $\tilde{\mathcal{H}}$. When $Z$ is switched to $X$, we have the same result in the case of $W = X$.

Next, we show that Alice can correctly guess kings' outcomes. We observe

$$S^{(W)}\_{(J\_j, i\_j)\_{j=1}^n} \cap S^{(W)}\_{(J\_j, i'\_j)\_{j=1}^n} = \emptyset \tag{14}$$

for any $J\_j$ and $(i\_1, i\_2, \dots, i\_n) \neq (i'\_1, i'\_2, \dots, i'\_n)$, and

$$M\_{i\_1}^{(J\_1)} \otimes M\_{i\_2}^{(J\_2)} \otimes \cdots \otimes M\_{i\_n}^{(J\_n)} = \sum\_{k \in S^{(W)}\_{(J\_j, i\_j)\_{j=1}^n}} E\_k^{(W)} \tag{15}$$

holds for any $J\_j$ and $i\_j$. When King$\_j$ performs the measurement $M^{(J\_j)}$ and obtains an outcome $i\_j$, by Equation (15), the post-measurement state is proportional to

$$|(\mathbb{I} \otimes M\_{i\_1}^{(J\_1)} \otimes M\_{i\_2}^{(J\_2)} \otimes \cdots \otimes M\_{i\_n}^{(J\_n)}) \Phi^{(W)} \rangle \in \bigoplus\_{k \in S^{(W)}\_{(J\_j, i\_j)\_{j=1}^n}} \mathcal{A}\_{k} \tag{16}$$

where $\mathcal{A}\_k$ is the subspace spanned by $|(\mathbb{I} \otimes E^{(W)}\_k)\Phi^{(W)}\rangle$. $\mathcal{A}\_k$ and $\mathcal{A}\_{k'}$ are orthogonal for any $k \neq k'$, and $P^{(W)}$ is composed of the orthogonal projections onto each subspace $\mathcal{A}\_k$ by Equation (13). If Alice obtains an outcome $k$ by performing $P^{(W)}$ and receives the post-information $(J\_j)\_{j=1}^n$ from the kings, then the kings' outcomes $(i\_j)\_{j=1}^n$ must satisfy $k \in S^{(W)}\_{(J\_j, i\_j)\_{j=1}^n}$. Moreover, by Equation (14), such an $(i\_j)\_{j=1}^n$ exists uniquely. Thus, Alice can correctly guess the kings' outcomes.

A description of the QKD protocol by using the mean multi-kings' problem is as follows.



Then, Alice and the kings work together to calculate the error rate.

The rest of the process is the same as for ordinary QKD protocols such as the BB84 protocol. If the error rate is too large, the protocol is aborted. Otherwise, error correction and privacy amplification are performed on the remaining sequences [20].

Remark that Alice and each King$\_j$ can also share a secret key by employing the QKD protocol using the mean king's problem or the BB84 protocol. In the case of the QKD using the mean king's problem (see the left hand side of Figure 2), Alice prepares 2 qubits in a Bell state and performs a single measurement on the 2 qubits for each King$\_j$. Therefore, she needs to prepare $2n$ qubits and perform $n$ measurements to share the secret key with $n$ kings. On the other hand, in the QKD protocol using the mean multi-kings' problem, Alice only prepares $n + 1$ qubits in $|\Phi^{(Z)}\rangle$ or $|\Phi^{(X)}\rangle$ and performs the single measurement $P^{(Z)}$ or $P^{(X)}$. In the case where the BB84 protocol is employed (see the right hand side of Figure 2), Alice just prepares $n$ qubits in one of the states $|0\rangle, |1\rangle, |\bar{0}\rangle, |\bar{1}\rangle$, and no measurement on her side is required. Then, Alice and King$\_j$ discard the raw key bits where their bases do not match before calculating the error rate. On the other hand, in the QKD protocol using the mean multi-kings' problem, there is no such discarding step before calculating the error rate.

**Figure 2.** The QKD protocols using the mean-king's problem (**left hand side**) and BB84 protocols (**right hand side**) for Alice and the kings to share the secret key.

*Entropy* **2020**, *22*, 1275

#### **3. Protocol:** *n* **= 2**

We describe the working of the protocol in the case of $n = 2$, focusing on the case $W = Z$ to keep the notation simple.

By Equation (2), the index set takes the following form,

$$\mathcal{K} = \{ (s\_1, t\_1, s\_2, t\_2) \mid s\_j, t\_j \in \{0, 1\} \}. \tag{17}$$

And by Equation (3), the operator $E^{(Z)}\_k$ for $k \in \mathcal{K}$ takes the following form,

$$E\_k^{(Z)} = E\_{(s\_1, t\_1, s\_2, t\_2)}^{(Z)} = \mathcal{X}\_{s\_1} \mathcal{Z}\_{t\_1} \otimes \mathcal{X}\_{s\_2} \mathcal{Z}\_{t\_2} \ (k = (s\_1, t\_1, s\_2, t\_2) \in \mathcal{K}).\tag{18}$$

Similarly, we can observe the operators for $W = X$. By Equation (5), we observe the index sets $S^{(W)}\_{(J\_1, i\_1, J\_2, i\_2)}$ for $J\_1 = 0$, $J\_2 = 0$, $i\_1, i\_2 \in \{0, 1\}$, and $W = Z$:

$$\begin{array}{rcl} S^{(Z)}\_{(0,0,0,0)} &=& S^{(Z)}\_{(0,0)} \times S^{(Z)}\_{(0,0)} \\ &=& \{ ((0,0),(0,0)),((0,0),(1,0)),((1,0),(0,0)),((1,0),(1,0)) \} \\ &=& \{ (0,0,0,0),(0,0,1,0),(1,0,0,0),(1,0,1,0) \}, \end{array} \tag{19}$$

$$\begin{array}{rcl} S^{(Z)}\_{(0,0,0,1)} &=& S^{(Z)}\_{(0,0)} \times S^{(Z)}\_{(0,1)} \\ &=& \{ ((0,0),(0,1)),((0,0),(1,1)),((1,0),(0,1)),((1,0),(1,1)) \} \\ &=& \{ (0,0,0,1),(0,0,1,1),(1,0,0,1),(1,0,1,1) \}, \end{array} \tag{20}$$

$$\begin{array}{rcl} S^{(Z)}\_{(0,1,0,0)} &=& S^{(Z)}\_{(0,1)} \times S^{(Z)}\_{(0,0)} \\ &=& \{ ((0,1),(0,0)),((0,1),(1,0)),((1,1),(0,0)),((1,1),(1,0)) \} \\ &=& \{ (0,1,0,0),(0,1,1,0),(1,1,0,0),(1,1,1,0) \}, \end{array} \tag{21}$$

$$\begin{array}{rcl} S^{(Z)}\_{(0,1,0,1)} &=& S^{(Z)}\_{(0,1)} \times S^{(Z)}\_{(0,1)} \\ &=& \{ ((0,1),(0,1)),((0,1),(1,1)),((1,1),(0,1)),((1,1),(1,1)) \} \\ &=& \{ (0,1,0,1),(0,1,1,1),(1,1,0,1),(1,1,1,1) \}, \end{array} \tag{22}$$

where we regard $((l\_1, l\_2), (l\_3, l\_4))$ in the same light as $(l\_1, l\_2, l\_3, l\_4)$. Similarly, we can observe the index sets for the other $J\_1, J\_2, i\_1, i\_2$, and $W$.

Let us consider that Alice prepares the qubits $\tilde{\mathcal{H}} = \mathcal{H}\_A \otimes \mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}$ in the initial state

$$|\Phi^{(Z)}\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle). \tag{23}$$

Let us consider that King$\_1$ and King$\_2$ choose the same measurement $M^{(0)}$ and obtain the same outcome 0, i.e., $J\_1 = 0$, $J\_2 = 0$ and $i\_1 = 0$, $i\_2 = 0$. After the kings' measurements, Alice performs the measurement $P^{(Z)} = (P^{(Z)}\_k)\_{k \in \mathcal{K}}$ on $\tilde{\mathcal{H}}$, where

$$\begin{array}{rcl}P\_k^{(Z)} &=& 8|(\mathbb{I}\otimes E\_k^{(Z)})\Phi^{(Z)}\rangle\langle(\mathbb{I}\otimes E\_k^{(Z)})\Phi^{(Z)}|\\ &=& 8|(\mathbb{I}\otimes X\_{s\_1}Z\_{t\_1}\otimes X\_{s\_2}Z\_{t\_2})\Phi^{(Z)}\rangle\langle(\mathbb{I}\otimes X\_{s\_1}Z\_{t\_1}\otimes X\_{s\_2}Z\_{t\_2})\Phi^{(Z)}|.\end{array} \tag{24}$$

After the measurement, King$\_1$ and King$\_2$ announce the post-information $J\_1 = 0$ and $J\_2 = 0$ to Alice. When Alice obtains an outcome $k = (0, 0, 0, 0)$, she is assured that the kings' outcome $(i\_1, i\_2)$ is $(0, 0)$, because the $(i\_1, i\_2)$ satisfying $k = (0, 0, 0, 0) \in S^{(W)}\_{(J\_1, i\_1, J\_2, i\_2)} = S^{(Z)}\_{(0, i\_1, 0, i\_2)}$ is $(0, 0)$. In Table 1, we summarize Alice's guessing rule by using her outcome and the post-information from the kings.

**Table 1.** The relationship among the kings' measurements $J\_1, J\_2$, Alice's outcome $k$, and the kings' outcomes $i\_1, i\_2$ when she chooses $|\Phi^{(W)}\rangle$. In this table, NA means that the probability of obtaining the corresponding outcome $k$ is zero unless Eve performs an attack, because the corresponding matrix $P^{(W)}\_k$ is a zero matrix. An example of Alice's guessing: Alice is assured that the kings' outcome $(i\_1, i\_2)$ is $(0, 0)$ when $W = Z$, $J\_1 = 0$, $J\_2 = 0$, and $k = (0, 0, 0, 0)$.


In the case of $n = 2$, the following simple attack, the so-called intercept-resend attack, can be considered. An eavesdropper (called Eve) intercepts $\mathcal{H}\_{K\_j}$ on its way back to Alice from King$\_j$ (step 2 in the protocol) and performs the measurement $M^{(0)}$ or $M^{(1)}$ probabilistically on $\mathcal{H}\_{K\_j}$. After the measurement, she resends $\mathcal{H}\_{K\_j}$ to Alice. When Eve performs the intercept-resend attack on $\mathcal{H}\_{K\_1}$ only, the probability that an error occurs is $\frac{1}{8}$, where an error means the event that the sequence Alice guesses and the kings' outcome sequence $(i\_j)\_{j=1}^2$ differ, i.e., the Kronecker delta between the two sequences is 0. When Eve performs the intercept-resend attack on both $\mathcal{H}\_{K\_1}$ and $\mathcal{H}\_{K\_2}$, the probability that an error occurs is $\frac{1}{32}(p\_1 + p\_2 - 2p\_1 p\_2 + 7)$, where $p\_j$ denotes the probability that Eve performs the measurement $M^{(0)}$ on $\mathcal{H}\_{K\_j}$ ($j \in \{1, 2\}$). The minimum value of this probability is 0.21875 when $(p\_1 = 1, p\_2 = 1)$ or $(p\_1 = 0, p\_2 = 0)$, and the maximum value is 0.25 when $(p\_1 = 1, p\_2 = 0)$ or $(p\_1 = 0, p\_2 = 1)$.
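The protocol of Sections 2 and 3 and the intercept-resend figures quoted above can be checked numerically. The following added example (not code from the paper) builds $|\Phi^{(W)}\rangle$, the kings' measurements $M^{(J\_j)}$, Alice's measurement $P^{(W)}$ and her guessing rule from Equations (1)-(11) for general $n$ and evaluates the error probability exactly from the density matrix, with and without Eve's intercept-resend attack; the qubit ordering (Alice first, then the kings) and the uniform averaging over $W$ and the kings' choices are assumptions of the example.

```python
"""Density-matrix check of the mean multi-kings' QKD protocol (Sections 2-3) for n kings.
Added example, not code from the paper.  Pure Python, so it runs offline; every operator
here is real, so a conjugate transpose is a plain transpose.  Qubit 0 is Alice's (H_A),
qubit j = 1..n is King_j's (H_Kj)."""
from itertools import product

INV_SQRT2 = 2 ** -0.5
# |0>, |1>, |0bar>, |1bar>; the projectors Z_i, X_i of Eq. (1) are outer products of these.
KET = {('Z', 0): [1.0, 0.0], ('Z', 1): [0.0, 1.0],
       ('X', 0): [INV_SQRT2, INV_SQRT2], ('X', 1): [INV_SQRT2, -INV_SQRT2]}
BASIS = {0: 'Z', 1: 'X'}          # M^(0) = (Z_0, Z_1), M^(1) = (X_0, X_1), Eq. (8)
I2 = [[1.0, 0.0], [0.0, 1.0]]

def outer(v):
    return [[x * y for y in v] for x in v]

def kron(a, b):
    return [[x * y for x in ra for y in rb] for ra in a for rb in b]

def kron_all(ms):
    out = [[1.0]]
    for m in ms:
        out = kron(out, m)
    return out

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(a))]

def proj(basis, i):
    return outer(KET[(basis, i)])

def phi(W, n):
    """Eqs. (9)-(10): (|00..0> + |11..1>)/sqrt(2) in the Z basis (W='Z') or the X basis."""
    cols = [kron_all([[[x] for x in KET[(W, b)]]] * (n + 1)) for b in (0, 1)]
    return [INV_SQRT2 * (r0[0] + r1[0]) for r0, r1 in zip(*cols)]

def alice_measurement(W, n):
    """Eq. (11): P_k = 2^(n+1) |(I (x) E_k) Phi><(I (x) E_k) Phi| for every k in K of Eq. (2).
    E_k is Eq. (3) for W='Z', Eq. (4) for W='X'; P_k is the zero matrix unless all t_j agree."""
    vec = phi(W, n)
    first, second = ('X', 'Z') if W == 'Z' else ('Z', 'X')
    P = {}
    for k in product((0, 1), repeat=2 * n):
        E = kron_all([I2] + [matmul(proj(first, k[2 * j]), proj(second, k[2 * j + 1]))
                             for j in range(n)])
        v = [sum(E[a][b] * vec[b] for b in range(len(vec))) for a in range(len(vec))]
        P[k] = [[2 ** (n + 1) * x for x in row] for row in outer(v)]
    return P

def index_set(W, J, i):
    """S^(W)_{(J,i)} of Eqs. (6)-(7): the pairs (s,t) compatible with outcome i of M^(J)."""
    return {(0, i), (1, i)} if (W == 'Z') == (J == 0) else {(i, 0), (i, 1)}

def guess(W, k, J):
    """Alice's guessing function s(k, (J_j), Phi^(W)): the (i_j) with k in S^(W)_{(J_j,i_j)_j}."""
    result = []
    for j, Jj in enumerate(J):
        cands = [i for i in (0, 1) if (k[2 * j], k[2 * j + 1]) in index_set(W, Jj, i)]
        assert len(cands) == 1, "Eq. (14): exactly one compatible outcome"
        result.append(cands[0])
    return tuple(result)

def error_probability(n, eve=None):
    """Probability that Alice's guess differs from the kings' outcomes, averaged uniformly
    over W in {Z, X} and the kings' choices J in {0,1}^n.  `eve` maps a king index j to p_j:
    Eve intercepts H_Kj on its way back to Alice, measures M^(0) with probability p_j and
    M^(1) otherwise, and resends the qubit (the intercept-resend attack of Section 3)."""
    eve = eve or {}
    total = 0.0
    for W in ('Z', 'X'):
        P = alice_measurement(W, n)
        rho0 = outer(phi(W, n))
        for J in product((0, 1), repeat=n):
            for i in product((0, 1), repeat=n):
                # kings' measurements, Eq. (8): unnormalised post-measurement state
                Pi = kron_all([I2] + [proj(BASIS[J[j]], i[j]) for j in range(n)])
                rho = matmul(matmul(Pi, rho0), Pi)
                # Eve's intercept-resend on each attacked qubit: a p_j/(1-p_j) mixture of the
                # two projective measurements, each applied as a sum of projector sandwiches
                for j, p in eve.items():
                    branches = [(p, proj('Z', z)) for z in (0, 1)] + [(1 - p, proj('X', x)) for x in (0, 1)]
                    mixed = [[0.0] * len(rho) for _ in rho]
                    for weight, op in branches:
                        K = kron_all([op if q == j else I2 for q in range(n + 1)])
                        term = matmul(matmul(K, rho), K)   # real projector: K^dagger = K
                        mixed = [[m + weight * t for m, t in zip(rm, rt)] for rm, rt in zip(mixed, term)]
                    rho = mixed
                # Alice's measurement P^(W), Eq. (11), followed by her guess
                for k, Pk in P.items():
                    if guess(W, k, J) != i:
                        total += sum(Pk[a][b] * rho[b][a] for a in range(len(rho)) for b in range(len(rho)))
    return total / (2 * 2 ** n)
```

For $n = 2$ the function returns 0 without Eve, $1/8$ when Eve attacks $\mathcal{H}\_{K\_1}$ alone whatever $p\_1$ is, and $(p\_1 + p\_2 - 2p\_1 p\_2 + 7)/32$ when she attacks both qubits, matching the values stated above.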

#### **4. Distinguishability vs. Disturbance**

In this section, let us consider two types of attacks and see whether Eve can extract information by employing them without disturbing the legitimate users' information, in the case of $n = 2$. First, Eve tries to gain information from the qubit returned to Alice by King$\_1$ (step 2 in the protocol) by interacting the qubit $\mathcal{H}\_{K\_1}$ with her quantum system $\mathcal{H}\_E$ (see Figure 3). Second, she tries to gain information from the qubits $\mathcal{H}\_{K\_j}$ returned to Alice by King$\_j$ (step 2 in the protocol) by interacting $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}$ with her quantum system $\mathcal{H}\_E$ (see Figure 4). In both attacks, Eve may perform any measurement on her quantum system $\mathcal{H}\_E$ at any time.

We can consider an attack in which Eve interacts her quantum system with the qubits sent to the kings by Alice. However, in this attack, the qubits are not yet encoded because the kings have not measured them. In particular, in the case of $n = 1$, the setting of the attack can be considered as monogamy of entanglement [21,22]. Moreover, we can also consider an attack in which Eve interacts her quantum system with both the qubits sent to the kings by Alice and the qubits returned to Alice by the kings. However, the setting of this attack differs from the one used for discussing the information disturbance theorem. In the setting for the theorem, Eve tries to extract information from only the encoded qubits. Therefore, we concentrate on the above two attacks, in which Eve tries to extract information from the qubits sent to Alice by the kings.

**Figure 3.** The interaction of $\mathcal{H}\_{K\_1}$ with $\mathcal{H}\_E$.

**Figure 4.** The interaction of $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}$ with $\mathcal{H}\_E$.

In the beginning, we define the error probability, which represents the probability that Alice cannot guess the kings' outcomes correctly by using her outcome and the post-information. Remark that the error probability is different from the error rate (step 6 in the protocol). Let $P^{(W)}(k \mid J\_1; i\_1, J\_2; i\_2)$ be the probability that Alice obtains an outcome $k$ when she chooses $|\Phi^{(W)}\rangle$ and King$\_j$ obtains an outcome $i\_j$ with the measurement $M^{(J\_j)}$ ($j \in \{1, 2\}$). We define

$$P^{(W)}\_{\text{succ}(J\_1; i\_1, J\_2; i\_2)} := \sum\_{k \in S^{(W)}\_{(J\_j, i\_j)\_{j=1}^2}} P^{(W)}(k \mid J\_1; i\_1, J\_2; i\_2) \tag{25}$$

and

$$P\_{\text{succ}(J\_1; i\_1, J\_2; i\_2)} := \frac{1}{2} \sum\_{W \in \{X, Z\}} P\_{\text{succ}(J\_1; i\_1, J\_2; i\_2)}^{(W)}.\tag{26}$$

Then, we define the error probability when King$\_j$ obtains an outcome $i\_j$ with the measurement $M^{(J\_j)}$:

$$P\_{\text{err}(J\_1; i\_1, J\_2; i\_2)} := 1 - P\_{\text{succ}(J\_1; i\_1, J\_2; i\_2)}.\tag{27}$$

Equation (27) represents the probability that Alice's sequence and the kings' sequence do not match when King$\_j$ obtains an outcome $i\_j$ with the measurement $M^{(J\_j)}$, i.e., Alice cannot guess the kings' outcomes correctly by using her outcome and the post-information.

Let us consider that Eve tries to extract information from $\mathcal{H}\_{K\_1}$. Eve prepares her own quantum system $\mathcal{H}\_E$ in a quantum state $\Omega$. She intercepts $\mathcal{H}\_{K\_1}$ in the state $\rho^{(K\_1)}$ returned to Alice by King$\_1$ and interacts it with $\mathcal{H}\_E$. Let us denote the interaction by

$$T^\*(\rho^{(K\_1)}) := U(\rho^{(K\_1)} \otimes \Omega)U^\dagger,\tag{28}$$

where $U$ is a unitary operator on $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_E$. Moreover, we denote the local state of $\mathcal{H}\_E$ (resp. $\mathcal{H}\_{K\_1}$) obtained by the partial trace over $\mathcal{H}\_{K\_1}$ (resp. $\mathcal{H}\_E$) by

$$T\_E^{\*}\left(\rho^{(K\_1)}\right) := \operatorname{tr}\_{\mathcal{H}\_{K\_1}} T^{\*}\left(\rho^{(K\_1)}\right) \quad \left(\text{resp. } T\_{K\_1}^{\*}\left(\rho^{(K\_1)}\right) := \operatorname{tr}\_{\mathcal{H}\_E} T^{\*}\left(\rho^{(K\_1)}\right)\right). \tag{29}$$


Let us consider that King$\_1$ obtains an outcome $i$ with the measurement $M^{(1)}$. Then, the state of $\mathcal{H}\_{K\_1}$ before the interaction is $\rho^{(K\_1)} = |\bar{i}\rangle\langle\bar{i}|$. Eve tries to extract information regarding the secret key by distinguishing $T^\*\_E(|\bar{0}\rangle\langle\bar{0}|)$ and $T^\*\_E(|\bar{1}\rangle\langle\bar{1}|)$.

We employ the trace distance as a measure of the distinguishability of the states. The trace norm between a state $\rho$ and a state $\sigma$ is defined as $\|\rho - \sigma\|\_1 := \sup\_{\|A\| = 1} |\operatorname{tr}(\rho - \sigma)A|$, where $\|\cdot\|$ denotes the operator norm. The trace distance is defined as follows,

$$D(\rho, \sigma) := \frac{1}{2}||\rho - \sigma||\_1. \tag{30}$$

It takes a value from 0 to 1. In addition, $D(\rho, \sigma) = 0$ if and only if $\rho = \sigma$, and $D(\rho, \sigma) = 1$ if and only if $\operatorname{tr}(\rho\sigma) = 0$. Let us recall the definition of fidelity [23,24]. The fidelity between $\rho$ and $\sigma$ is defined as $F(\rho, \sigma) := \operatorname{tr}\sqrt{\rho^{1/2}\sigma\rho^{1/2}}$. The following alternative expression of the fidelity [25,26] has been shown,

$$F(\rho, \sigma) = \inf\_{(M\_a)\_a : \text{POVM}} \sum\_{a} \sqrt{p(a \mid \rho)\,p(a \mid \sigma)}, \tag{31}$$

where $p(a \mid \rho)$ and $p(a \mid \sigma)$ are defined as $p(a \mid \rho) := \operatorname{tr}(M\_a\rho)$ and $p(a \mid \sigma) := \operatorname{tr}(M\_a\sigma)$.

**Lemma 1.** *The following relation between trace distance and fidelity holds,*

$$\frac{1}{2}\|T^\*\_E(|\bar{0}\rangle\langle\bar{0}|) - T^\*\_E(|\bar{1}\rangle\langle\bar{1}|)\|\_1 \le F(T^\*\_{K\_1}(|0\rangle\langle 0|), T^\*\_{K\_1}(|1\rangle\langle 1|)). \tag{32}$$

**Proof of Lemma 1.** From Lemma 3 in [27], we have

$$|\langle 0|T(\mathbb{1} \otimes A)|1\rangle| \le ||A||F(T\_{K\_1}^\*(|0\rangle\langle 0|), T\_{K\_1}^\*(|1\rangle\langle 1|))\tag{33}$$

for any operator $A$ on $\mathcal{H}\_E$, where $T$ is defined by $\operatorname{tr}\, T^\*(\rho)X = \operatorname{tr}\, \rho T(X)$. By using Equation (33), we observe

$$\begin{array}{rcl} \left| \operatorname{tr} \left[ \left\{ T\_E^\*(|\bar{0}\rangle\langle\bar{0}|) - T\_E^\*\left( \frac{1}{2} \mathbb{I} \right) \right\} A \right] \right| &=& \left| \operatorname{tr} \left\{ \left( |\bar{0}\rangle\langle\bar{0}| - \frac{1}{2} \mathbb{I} \right) T(\mathbb{I} \otimes A) \right\} \right| \\ &=& \left| \operatorname{tr} \left\{ \frac{1}{2} (|0\rangle\langle1| + |1\rangle\langle0|) T(\mathbb{I} \otimes A) \right\} \right| \\ &\leq& \frac{1}{2} \{ |\langle 1| T(\mathbb{I} \otimes A) |0\rangle| + |\langle 0| T(\mathbb{I} \otimes A) |1\rangle| \} \\ &\leq& \|A\|\, F(T\_{K\_1}^\*(|0\rangle\langle0|), T\_{K\_1}^\*(|1\rangle\langle1|)). \end{array} \tag{34}$$

Then,

$$\begin{array}{rcl} \frac{1}{2}\|T\_E^\*(|\bar{0}\rangle\langle\bar{0}|) - T\_E^\*(|\bar{1}\rangle\langle\bar{1}|)\|\_1 &=& \left\|T\_E^\*(|\bar{0}\rangle\langle\bar{0}|) - T\_E^\*\left(\frac{1}{2}\mathbb{I}\right)\right\|\_1 \\ &=& \sup\_{\|A\|=1} \left| \operatorname{tr}\left[\left\{T\_E^\*(|\bar{0}\rangle\langle\bar{0}|) - T\_E^\*\left(\frac{1}{2}\mathbb{I}\right)\right\}A\right]\right| \\ &\leq& F(T\_{K\_1}^\*(|0\rangle\langle0|), T\_{K\_1}^\*(|1\rangle\langle1|)) \end{array} \tag{35}$$

holds.

**Theorem 1.** *The following trade-off inequality holds,*

$$D(T\_E^\*(|\bar{0}\rangle\langle\bar{0}|), T\_E^\*(|\bar{1}\rangle\langle\bar{1}|)) \le \sqrt{2P\_{\text{err}(0;0,0;0)}} + \sqrt{2P\_{\text{err}(0;1,0;1)}}.\tag{36}$$

The left hand side of the inequality represents the distinguishability for Eve, and the right hand side is the sum of the error probabilities, which represent the probability that Alice's sequence and the kings' sequence are not equal when the kings obtain the corresponding outcomes with the corresponding measurements, i.e., Alice cannot guess the kings' sequence correctly by using her outcome and the post-information. This theorem shows that Eve's extraction of information regarding King$\_1$'s key related to the measurement $M^{(1)}$ inevitably disturbs the states and increases the error probability when both kings choose the measurement $M^{(0)}$. This implies that the more information Eve extracts, the higher the possibility for Alice and the kings to detect the existence of the attack. In particular, Eve cannot extract any information about the key (i.e., the trace distance is zero) when the corresponding error probabilities are zero. Remark that similar inequalities between the distinguishability of other pairs of states and the error probabilities can be proven in the same way as below.

**Proof of Theorem 1.** Before obtaining the inequalities, let us observe the error probability. Define $\rho\_i := T^\*\_{K\_1}(|i\rangle\langle i|)$. By direct calculations (see Appendix A for details), we have the following probability,

$$P\_{\text{err}(0;i,0;i)} = \frac{1}{2} (1 - \langle i | \rho\_i | i \rangle). \tag{37}$$

By using Equations (31) and (37), we have

$$\begin{array}{rcl} F(\rho\_0, \rho\_1) &=& \inf\_{(M\_a)\_a : \mathrm{POVM}} \sum\_a \sqrt{\mathrm{tr}(M\_a \rho\_0) \, \mathrm{tr}(M\_a \rho\_1)} \\ &\le& \sqrt{\mathrm{tr}(|0\rangle\langle 0| \rho\_0) \, \mathrm{tr}(|0\rangle\langle 0| \rho\_1)} + \sqrt{\mathrm{tr}(|1\rangle\langle 1| \rho\_0) \, \mathrm{tr}(|1\rangle\langle 1| \rho\_1)} \\ &=& \sqrt{\langle 0 | \rho\_0 | 0 \rangle (1 - \langle 1 | \rho\_1 | 1 \rangle)} + \sqrt{(1 - \langle 0 | \rho\_0 | 0 \rangle) \langle 1 | \rho\_1 | 1 \rangle} \\ &\le& \sqrt{1 - \langle 1 | \rho\_1 | 1 \rangle} + \sqrt{1 - \langle 0 | \rho\_0 | 0 \rangle} \\ &=& \sqrt{2P\_{\mathrm{err}(0;1,0;1)}} + \sqrt{2P\_{\mathrm{err}(0;0,0;0)}}, \end{array} \tag{38}$$

where we employ $(|0\rangle\langle 0|, |1\rangle\langle 1|)$ as a POVM in the first inequality. Then, we have the trade-off inequality by the definition of the trace distance, Equations (32) and (38).

Let us consider that Eve tries to extract information from $\mathcal{H}\_{K\_1}$ and $\mathcal{H}\_{K\_2}$. Eve prepares a quantum system $\mathcal{H}\_E$ in a quantum state $\Omega$. She intercepts $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}$ in the state $\rho^{(K\_1, K\_2)}$ returned to Alice by King$\_1$ and King$\_2$. Then, she interacts both systems with $\mathcal{H}\_E$. Let us denote the interaction by

$$K^\*(\rho^{(K\_1, K\_2)}) := V(\rho^{(K\_1, K\_2)} \otimes \Omega)V^\dagger,\tag{39}$$

where $V$ is a unitary operator on $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2} \otimes \mathcal{H}\_E$. We denote the local state of $\mathcal{H}\_E$ (resp. $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}$) obtained by the partial trace over $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}$ (resp. $\mathcal{H}\_E$) by

$$K\_E^\*(\rho^{(K\_1, K\_2)}) := \operatorname{tr}\_{\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}} K^\*(\rho^{(K\_1, K\_2)}) \quad \left(\text{resp. } K\_{K\_1, K\_2}^\*(\rho^{(K\_1, K\_2)}) := \operatorname{tr}\_{\mathcal{H}\_E} K^\*(\rho^{(K\_1, K\_2)})\right).\tag{40}$$

Let us consider that King$\_1$ and King$\_2$ perform the same measurement $M^{(1)}$ and obtain the same outcome $i$. Then, the state of $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}$ before the interaction is $|\bar{i}\bar{i}\rangle\langle\bar{i}\bar{i}|$. Eve tries to extract information regarding the secret key by distinguishing $K^\*\_E(|\bar{0}\bar{0}\rangle\langle\bar{0}\bar{0}|)$ and $K^\*\_E(|\bar{1}\bar{1}\rangle\langle\bar{1}\bar{1}|)$.

**Lemma 2.** *The following relation between trace distance and fidelity holds,*

$$\begin{array}{rcl}\|K^\*\_{E}(|\bar{0}\bar{0}\rangle\langle\bar{0}\bar{0}|)-K^\*\_{E}(|\bar{1}\bar{1}\rangle\langle\bar{1}\bar{1}|)\|\_{1} & \leq & \sum\_{i\in\{0,1\}}F(K^\*\_{K\_1K\_2}(|ii\rangle\langle ii|),K^\*\_{K\_1K\_2}(|01\rangle\langle01|)) \\ &+& \sum\_{i\in\{0,1\}}F(K^\*\_{K\_1K\_2}(|ii\rangle\langle ii|),K^\*\_{K\_1K\_2}(|10\rangle\langle10|)). \end{array} \tag{41}$$

**Proof of Lemma 2.** From Lemma 3 in [27], we have

$$|\langle i\_1 i\_2 | K(\mathbb{I} \otimes A) | i\_1' i\_2' \rangle| \le \|A\|\, F(K\_{K\_1 K\_2}^\*(|i\_1 i\_2\rangle\langle i\_1 i\_2|), K\_{K\_1 K\_2}^\*(|i\_1' i\_2'\rangle\langle i\_1' i\_2'|)) \tag{42}$$

for any operator $A$ on $\mathcal{H}\_E$, where $K$ is defined by $\operatorname{tr}\, K^\*(\rho)X = \operatorname{tr}\, \rho K(X)$. By using Equation (42), we observe

$$\begin{array}{rcl} \left| \operatorname{tr}\left[\left\{ K\_E^\*(|\bar{0}\bar{0}\rangle\langle\bar{0}\bar{0}|) - K\_E^\*(|\bar{1}\bar{1}\rangle\langle\bar{1}\bar{1}|) \right\} A\right] \right| &=& \left| \operatorname{tr}\left\{ (|\bar{0}\bar{0}\rangle\langle\bar{0}\bar{0}| - |\bar{1}\bar{1}\rangle\langle\bar{1}\bar{1}|) K(\mathbb{I} \otimes A) \right\} \right| \\ &=& \Big| \operatorname{tr}\Big\{ \frac{1}{2}(|00\rangle\langle 01| + |00\rangle\langle 10| + |01\rangle\langle 00| + |01\rangle\langle 11| \\ && \qquad {} + |10\rangle\langle 00| + |10\rangle\langle 11| + |11\rangle\langle 01| + |11\rangle\langle 10|) K(\mathbb{I} \otimes A) \Big\} \Big| \\ &\leq& \frac{1}{2}\sum\_{i \in \{0, 1\}} \left( |\langle 01| K(\mathbb{I} \otimes A) |ii\rangle| + |\langle ii| K(\mathbb{I} \otimes A) |01\rangle| \right) \\ && {} + \frac{1}{2}\sum\_{i \in \{0, 1\}} \left( |\langle 10| K(\mathbb{I} \otimes A) |ii\rangle| + |\langle ii| K(\mathbb{I} \otimes A) |10\rangle| \right) \\ &\leq& \|A\| \left\{ \sum\_{i \in \{0, 1\}} F(K^\*\_{K\_1K\_2}(|ii\rangle\langle ii|), K^\*\_{K\_1K\_2}(|01\rangle\langle 01|)) + \sum\_{i \in \{0, 1\}} F(K^\*\_{K\_1K\_2}(|ii\rangle\langle ii|), K^\*\_{K\_1K\_2}(|10\rangle\langle 10|)) \right\}. \end{array} \tag{43}$$

In Equation (43), we take the supremum over all $A$ such that $\|A\| = 1$; then we have Equation (41).

**Theorem 2.** *The following trade-off inequality holds,*

$$D\left(K\_E^\*(|\bar{0}\bar{0}\rangle\langle\bar{0}\bar{0}|), K\_E^\*(|\bar{1}\bar{1}\rangle\langle\bar{1}\bar{1}|)\right) < \sum\_{i\_1, i\_2 \in \{0, 1\}} \sqrt{2P\_{\text{err}(0; i\_1, 0; i\_2)}}.\tag{44}$$

Although Eve tries to distinguish the states on $\mathcal{H}\_{K\_1} \otimes \mathcal{H}\_{K\_2}$, this theorem gives the same claim as Theorem 1. This theorem shows that Eve's extraction of information regarding the kings' keys related to the measurement $M^{(1)}$ inevitably disturbs the states and increases the error probability when both kings choose the measurement $M^{(0)}$. Remark that similar inequalities between the distinguishability of other pairs of states and the error probabilities can be proven in the same way as below.

**Proof of Theorem 2.** In the same manner, let us observe the error probability. Define $\rho\_{i\_1 i\_2} := K^\*\_{K\_1 K\_2}(|i\_1 i\_2\rangle\langle i\_1 i\_2|)$. By direct calculations (see Appendix B for details), we have the following probability,

$$P\_{\text{err}(0;i\_1,0;i\_2)} = \begin{cases} \frac{1}{2} (1 - \langle i\_1 i\_2 | \rho\_{i\_1 i\_2} | i\_1 i\_2 \rangle) & (i\_1 = i\_2) \\ 1 - \frac{1}{2} \langle i\_1 i\_2 | \rho\_{i\_1 i\_2} | i\_1 i\_2 \rangle & (i\_1 \neq i\_2). \end{cases} \tag{45}$$

By using Equations (31) and (45), we have

$$\begin{array}{rcl}F(\rho\_{00},\rho\_{01}) &=& \inf\_{(M\_a)\_a : \mathrm{POVM}}\sum\_a\sqrt{\mathrm{tr}(M\_a\rho\_{00})\,\mathrm{tr}(M\_a\rho\_{01})}\\ &\leq& \sqrt{\mathrm{tr}\{(|11\rangle\langle 11|+|01\rangle\langle 01|)\rho\_{00}\}\,\mathrm{tr}\{(|11\rangle\langle 11|+|01\rangle\langle 01|)\rho\_{01}\}}\\ &&{} + \sqrt{\mathrm{tr}\{(|00\rangle\langle 00|+|10\rangle\langle 10|)\rho\_{00}\}\,\mathrm{tr}\{(|00\rangle\langle 00|+|10\rangle\langle 10|)\rho\_{01}\}}\\ &<& \sqrt{\mathrm{tr}\{(|11\rangle\langle 11|+|01\rangle\langle 01|)\rho\_{00}\}}+\sqrt{\mathrm{tr}\{(|00\rangle\langle 00|+|10\rangle\langle 10|)\rho\_{01}\}}\\ &=& \sqrt{1-\langle 00|\rho\_{00}|00\rangle-\langle 10|\rho\_{00}|10\rangle}+\sqrt{1-\langle 01|\rho\_{01}|01\rangle-\langle 11|\rho\_{01}|11\rangle}\\ &\leq& \sqrt{2P\_{\mathrm{err}(0;0,0;0)}}+\sqrt{2P\_{\mathrm{err}(0;0,0;1)}},\end{array} \tag{46}$$

where we employ $(|11\rangle\langle 11| + |01\rangle\langle 01|,\ |00\rangle\langle 00| + |10\rangle\langle 10|)$ as a POVM in the first inequality. In the same manner, we have

$$F(\rho\_{ii}, \rho\_{01}) < \sqrt{2P\_{\text{err}(0;i,0;i)}} + \sqrt{2P\_{\text{err}(0;0,0;1)}},\tag{47}$$

$$F(\rho\_{ii}, \rho\_{10}) < \sqrt{2P\_{\text{err}(0;i,0;i)}} + \sqrt{2P\_{\text{err}(0;1,0;0)}} \quad (i \in \{0, 1\}).\tag{48}$$

Then, we have the trade-off inequality by the definition of trace distance, Equations (41) and (48).

#### **5. Summary**

In this paper, we discussed the quantum key distribution protocol using the mean multi-kings' problem. By using the protocol, Alice can share a secret key with King$\_j$ ($j = 1, 2, \dots, n$). In the case of $n = 2$, we considered whether Eve can extract information when she can perform an interaction between her own quantum system and the qubit returned by King$\_j$ and can perform any measurement on her quantum system at any time. We employed the trace distance as a measure of the distinguishability of the states for Eve. Furthermore, we gave trade-off inequalities between the trace distance of the quantum states corresponding to the secret key for Eve and the error probability, which represents the probability that the bit sequences shared by the legitimate users do not match. In BB84, such a relation is known as the information disturbance theorem, and the theorem is also regarded as an information-theoretic version of the uncertainty relation. Our inequalities showed that Eve's extraction of information regarding the kings' keys inevitably disturbs the states and increases the error probability even though Alice can use the post-information to guess the kings' outcomes. This implies that the information gain by Eve increases the possibility for the legitimate users to detect the existence of the attacks. In particular, when the corresponding error probability is zero, Eve cannot extract any information.

**Author Contributions:** Conceptualization, M.Y.; investigation, A.N. and J.C. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **Appendix A**

We provide a direct calculation for obtaining the error probabilities in the proof of Theorem 1. Let us consider that the initial state is $|\Phi^{(W)}\rangle$, King$_j$ ($j \in \{1, 2\}$) obtains an outcome $i_j$ with $M^{(J_j)}$, and Eve performs the interaction on $\mathcal{H}_{K_1} \otimes \mathcal{H}_{E}$. Let $\rho^{(W)}_{(J_1;i_1,J_2;i_2)}$ be a state of the composite system before Alice's measurement. The state takes one of the following forms,

$$\rho^{(Z)}_{(0;i_1,0;i_1)} = |i_1\rangle\langle i_1| \otimes \rho_{i_1} \otimes |i_1\rangle\langle i_1|, \tag{A1}$$

$$\rho^{(Z)}_{(0;i_1,1;i_2)} = |i_1\rangle\langle i_1| \otimes \rho_{i_1} \otimes |\bar{i}_2\rangle\langle \bar{i}_2|, \tag{A2}$$

$$\rho^{(Z)}_{(1;i_1,0;i_2)} = |i_2\rangle\langle i_2| \otimes \rho_{\bar{i}_1} \otimes |i_2\rangle\langle i_2|, \tag{A3}$$

$$\rho^{(Z)}_{(1;i_1,1;i_2)} = |\bar{i}_1\rangle\langle \bar{i}_1| \otimes \rho_{\bar{i}_1} \otimes |\bar{i}_2\rangle\langle \bar{i}_2|, \tag{A4}$$

$$\rho^{(X)}_{(0;i_1,0;i_2)} = |i_1 \oplus i_2\rangle\langle i_1 \oplus i_2| \otimes \rho_{i_1} \otimes |i_2\rangle\langle i_2|, \tag{A5}$$

$$\rho^{(X)}_{(0;i_1,1;i_2)} = |\bar{i}_2\rangle\langle \bar{i}_2| \otimes \rho_{i_1} \otimes |\bar{i}_2\rangle\langle \bar{i}_2|, \tag{A6}$$

$$\rho^{(X)}_{(1;i_1,0;i_2)} = |\bar{i}_1\rangle\langle \bar{i}_1| \otimes \rho_{\bar{i}_1} \otimes |i_2\rangle\langle i_2|, \tag{A7}$$

$$\rho^{(X)}_{(1;i_1,1;i_1)} = |\bar{i}_1\rangle\langle \bar{i}_1| \otimes \rho_{\bar{i}_1} \otimes |\bar{i}_1\rangle\langle \bar{i}_1|, \tag{A8}$$

where $\rho_i := T^*_{K_1}(|i\rangle\langle i|)$, $\rho_{\bar{i}} := T^*_{K_1}(|\bar{i}\rangle\langle \bar{i}|)$, and $\oplus$ denotes exclusive or. By direct calculation of

$$P^{(W)}_{\mathrm{suc}(J_1;i_1,J_2;i_2)} = \sum_{k \in S^{(W)}_{(\{J_j;i_j\}_{j=1}^2)}} \mathrm{tr}\left(P_k^{(W)}\, \rho^{(W)}_{(J_1;i_1,J_2;i_2)}\right), \tag{A9}$$

we have the following probabilities,

$$P^{(Z)}_{\mathrm{suc}(0;i_1,0;i_1)} = P^{(Z)}_{\mathrm{suc}(0;i_1,1;i_2)} = 1, \tag{A10}$$

$$P^{(Z)}_{\mathrm{suc}(1;i_1,0;i_2)} = P^{(Z)}_{\mathrm{suc}(1;i_1,1;i_2)} = \langle \bar{i}_1 | \rho_{\bar{i}_1} | \bar{i}_1 \rangle, \tag{A11}$$

$$P^{(X)}_{\mathrm{suc}(0;i_1,0;i_2)} = P^{(X)}_{\mathrm{suc}(0;i_1,1;i_2)} = \langle i_1 | \rho_{i_1} | i_1 \rangle, \tag{A12}$$

$$P^{(X)}_{\mathrm{suc}(1;i_1,0;i_2)} = P^{(X)}_{\mathrm{suc}(1;i_1,1;i_1)} = 1, \tag{A13}$$

where the index set $S^{(W)}_{(\{J_j;i_j\}_{j=1}^2)}$ can be found in Table 1. By the definition of $P_{\mathrm{suc}(J_1;i_1,J_2;i_2)}$, we have the following probabilities,

$$P_{\mathrm{suc}(0;i_1,0;i_2)} = \begin{cases} \frac{1}{2}(\langle i_1 | \rho_{i_1} | i_1 \rangle + 1) & (i_1 = i_2) \\ \frac{1}{2}\langle i_1 | \rho_{i_1} | i_1 \rangle & (i_1 \neq i_2) \end{cases} \tag{A14}$$

$$P_{\mathrm{suc}(0;i_1,1;i_2)} = \frac{1}{2}\langle i_1 | \rho_{i_1} | i_1 \rangle, \tag{A15}$$

$$P_{\mathrm{suc}(1;i_1,0;i_2)} = \frac{1}{2}\langle \bar{i}_1 | \rho_{\bar{i}_1} | \bar{i}_1 \rangle, \tag{A16}$$

$$P_{\mathrm{suc}(1;i_1,1;i_2)} = \begin{cases} \frac{1}{2}(\langle \bar{i}_1 | \rho_{\bar{i}_1} | \bar{i}_1 \rangle + 1) & (i_1 = i_2) \\ \frac{1}{2}\langle \bar{i}_1 | \rho_{\bar{i}_1} | \bar{i}_1 \rangle & (i_1 \neq i_2) \end{cases} \tag{A17}$$

Then, we can observe the error probabilities from these probabilities.

#### **Appendix B**

We provide a direct calculation for obtaining the error probabilities in the proof of Theorem 2. Let us consider that the initial state is $|\Phi^{(W)}\rangle$, King$_j$ ($j \in \{1, 2\}$) obtains an outcome $i_j$ with $M^{(J_j)}$, and Eve performs the interaction on $\mathcal{H}_{K_1} \otimes \mathcal{H}_{K_2} \otimes \mathcal{H}_{E}$. Let $\rho'^{(W)}_{(J_1;i_1,J_2;i_2)}$ be a state of the composite system before Alice's measurement. The state takes one of the following forms,

$$\rho'^{(Z)}_{(0;i_1,0;i_1)} = |i_1\rangle\langle i_1| \otimes \rho_{i_1 i_1}, \tag{A18}$$

$$\rho'^{(Z)}_{(0;i_1,1;i_2)} = |i_1\rangle\langle i_1| \otimes \rho_{i_1 \bar{i}_2}, \tag{A19}$$

$$\rho'^{(Z)}_{(1;i_1,0;i_2)} = |i_2\rangle\langle i_2| \otimes \rho_{\bar{i}_1 i_2}, \tag{A20}$$

$$\rho'^{(Z)}_{(1;i_1,1;i_2)} = |\bar{i}_1\rangle\langle \bar{i}_1| \otimes \rho_{\bar{i}_1 \bar{i}_2}, \tag{A21}$$

$$\rho'^{(X)}_{(0;i_1,0;i_2)} = |i_1 \oplus i_2\rangle\langle i_1 \oplus i_2| \otimes \rho_{i_1 i_2}, \tag{A22}$$

$$\rho'^{(X)}_{(0;i_1,1;i_2)} = |\bar{i}_2\rangle\langle \bar{i}_2| \otimes \rho_{i_1 \bar{i}_2}, \tag{A23}$$

$$\rho'^{(X)}_{(1;i_1,0;i_2)} = |\bar{i}_1\rangle\langle \bar{i}_1| \otimes \rho_{\bar{i}_1 i_2}, \tag{A24}$$

$$\rho'^{(X)}_{(1;i_1,1;i_1)} = |\bar{i}_1\rangle\langle \bar{i}_1| \otimes \rho_{\bar{i}_1 \bar{i}_1}, \tag{A25}$$

where $\rho_{ij} := K^*_{K_1 K_2}(|ij\rangle\langle ij|)$ ($i, j \in \{0, 1, \bar{0}, \bar{1}\}$).

By direct calculation of

$$P^{(W)}_{\mathrm{suc}(J_1;i_1,J_2;i_2)} = \sum_{k \in S^{(W)}_{(\{J_j;i_j\}_{j=1}^2)}} \mathrm{tr}\left(P_k^{(W)}\, \rho'^{(W)}_{(J_1;i_1,J_2;i_2)}\right), \tag{A26}$$

we have the following probabilities,

$$P^{(Z)}_{\mathrm{suc}(0;i_1,0;i_1)} = 1, \tag{A27}$$

$$P^{(Z)}_{\mathrm{suc}(0;i_1,1;i_2)} = \langle \bar{i}_1 \bar{i}_2 | \rho_{i_1 \bar{i}_2} | \bar{i}_1 \bar{i}_2 \rangle + \langle \overline{i_1 \oplus 1}\, \bar{i}_2 | \rho_{i_1 \bar{i}_2} | \overline{i_1 \oplus 1}\, \bar{i}_2 \rangle, \tag{A28}$$

$$P^{(Z)}_{\mathrm{suc}(1;i_1,0;i_2)} = \langle \bar{i}_1 \bar{i}_2 | \rho_{\bar{i}_1 i_2} | \bar{i}_1 \bar{i}_2 \rangle + \langle \bar{i}_1\, \overline{i_2 \oplus 1} | \rho_{\bar{i}_1 i_2} | \bar{i}_1\, \overline{i_2 \oplus 1} \rangle, \tag{A29}$$

$$P^{(Z)}_{\mathrm{suc}(1;i_1,1;i_2)} = \langle \bar{i}_1 \bar{i}_2 | \rho_{\bar{i}_1 \bar{i}_2} | \bar{i}_1 \bar{i}_2 \rangle, \tag{A30}$$

$$P^{(X)}_{\mathrm{suc}(0;i_1,0;i_2)} = \langle i_1 i_2 | \rho_{i_1 i_2} | i_1 i_2 \rangle, \tag{A31}$$

$$P^{(X)}_{\mathrm{suc}(0;i_1,1;i_2)} = \langle i_1 i_2 | \rho_{i_1 \bar{i}_2} | i_1 i_2 \rangle + \langle i_1\, (i_2 \oplus 1) | \rho_{i_1 \bar{i}_2} | i_1\, (i_2 \oplus 1) \rangle, \tag{A32}$$

$$P^{(X)}_{\mathrm{suc}(1;i_1,0;i_2)} = \langle i_1 i_2 | \rho_{\bar{i}_1 i_2} | i_1 i_2 \rangle + \langle (i_1 \oplus 1)\, i_2 | \rho_{\bar{i}_1 i_2} | (i_1 \oplus 1)\, i_2 \rangle, \tag{A33}$$

$$P^{(X)}_{\mathrm{suc}(1;i_1,1;i_1)} = 1. \tag{A34}$$

By the definition of $P_{\mathrm{suc}(J_1;i_1,J_2;i_2)}$, we have the following probabilities,

$$P_{\mathrm{suc}(0;i_1,0;i_2)} = \begin{cases} \frac{1}{2}(\langle i_1 i_2 | \rho_{i_1 i_2} | i_1 i_2 \rangle + 1) & (i_1 = i_2) \\ \frac{1}{2}\langle i_1 i_2 | \rho_{i_1 i_2} | i_1 i_2 \rangle & (i_1 \neq i_2) \end{cases} \tag{A35}$$

$$\begin{split} P_{\mathrm{suc}(0;i_1,1;i_2)} &= \frac{1}{2}\big(\langle \bar{i}_1 \bar{i}_2 | \rho_{i_1 \bar{i}_2} | \bar{i}_1 \bar{i}_2 \rangle + \langle \overline{i_1 \oplus 1}\, \bar{i}_2 | \rho_{i_1 \bar{i}_2} | \overline{i_1 \oplus 1}\, \bar{i}_2 \rangle \\ &\quad + \langle i_1 i_2 | \rho_{i_1 \bar{i}_2} | i_1 i_2 \rangle + \langle i_1\, (i_2 \oplus 1) | \rho_{i_1 \bar{i}_2} | i_1\, (i_2 \oplus 1) \rangle \big), \end{split} \tag{A36}$$

$$\begin{split} P_{\mathrm{suc}(1;i_1,0;i_2)} &= \frac{1}{2}\big(\langle \bar{i}_1 \bar{i}_2 | \rho_{\bar{i}_1 i_2} | \bar{i}_1 \bar{i}_2 \rangle + \langle \bar{i}_1\, \overline{i_2 \oplus 1} | \rho_{\bar{i}_1 i_2} | \bar{i}_1\, \overline{i_2 \oplus 1} \rangle \\ &\quad + \langle i_1 i_2 | \rho_{\bar{i}_1 i_2} | i_1 i_2 \rangle + \langle (i_1 \oplus 1)\, i_2 | \rho_{\bar{i}_1 i_2} | (i_1 \oplus 1)\, i_2 \rangle \big), \end{split} \tag{A37}$$

$$P_{\mathrm{suc}(1;i_1,1;i_2)} = \begin{cases} \frac{1}{2}(\langle \bar{i}_1 \bar{i}_2 | \rho_{\bar{i}_1 \bar{i}_2} | \bar{i}_1 \bar{i}_2 \rangle + 1) & (i_1 = i_2) \\ \frac{1}{2}\langle \bar{i}_1 \bar{i}_2 | \rho_{\bar{i}_1 \bar{i}_2} | \bar{i}_1 \bar{i}_2 \rangle & (i_1 \neq i_2) \end{cases} \tag{A38}$$

Then, we can observe the error probabilities from those probabilities.

#### **References**


**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

# *Article* **Beyond the Limits of Shannon's Information in Quantum Key Distribution**

**Luis Adrián Lizama-Pérez <sup>1,\*</sup>, J. Mauricio López R. <sup>2</sup> and Emmanuel H. Samperio <sup>1</sup>**


**Abstract:** We present a new post-processing method for Quantum Key Distribution (QKD) that raises the secret key rate cubically in the number of double matching detection events. In Shannon's communication model, information is prepared at Alice's side and is then intended to pass over a noisy channel. In our approach, secret bits do not rely on Alice's transmitted quantum bits but on Bob's basis measurement choices. Therefore, measured bits are publicly revealed, while basis selections remain secret. Our method implements sifting, reconciliation, and amplification in a single process, and it requires just one round iteration; no redundancy bits are sent, and there is no limit on the correctable error percentage. Moreover, this method can be implemented as post-processing software in QKD technologies already in use.

**Keywords:** QKD; distillation; amplification; reconciliation

**Citation:** Lizama-Pérez, L.; López R., J.M.; Samperio, E.H. Beyond the Limits of Shannon's Information in Quantum Key Distribution. *Entropy* **2021**, *23*, 229. https://doi.org/10.3390/e23020229

Academic Editor: Ivan B. Djordjevic

Received: 18 December 2020 Accepted: 10 February 2021 Published: 16 February 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

#### **1. Introduction**

To put it in historical context, fiber-optic telecommunications over long distances was not possible until manufacturing techniques that improved drastically its efficiency were developed. Fibers had been used to see inside the body, but they remained unusable for long-distance information transfer because too much light was lost along the way. However, in the 1960s, Charles Kao introduced a new disruptive approach based on pure glass fibers and laser technology with transcendent achievements [1].

In the quantum era, Quantum Key Distribution (QKD) is one of the most promising technologies to secure the information intended to cross data networks. However, the development of new techniques for the rapid establishment of secret key information using quantum pulses over long distances can no longer be postponed [2–6].

Unfortunately, some factors prevent QKD from becoming a widely used technology, such as its inability to reach long distances and to produce large keys at high speed. The greatest weakness of QKD technology lies in its limited ability to gain useful information to establish a secret key despite the noise in the quantum channel [7,8]. On the one hand, noise gives an attacker the possibility to hide behind it, and, on the other hand, it imposes severe difficulties on correcting the errors produced during transmission in order to derive two identical cryptographic keys at both sides of the quantum link [9,10]. In the case of the BB84 protocol, it has been estimated that a secure key can be distilled when the quantum bit error rate (QBER) is below 11% [11].

In the past few years, we have developed a new scheme for QKD called quantum flows [12–14], capable of resisting challenging attacks [15–25]. In the quantum flows approach, Alice sends Bob a pair of quantum states, parallel or non-orthogonal, chosen at random. Bob measures the two quantum states with the same measurement basis, *X* or *Z*, under active basis selection. If Bob obtains the same result for both, a single bit has been transmitted from Alice to Bob. Quantum flows have allowed us to formulate a new method for QKD distillation based on binary structures called frames. Framed reconciliation integrates the regular QKD stages of sifting, reconciliation, and amplification in a single process. This property makes our method unique in the context of QKD distillation; moreover, it accelerates convergence and produces a key that grows cubically in the number of double detection events.

In this work, we enhance the framed reconciliation method shown previously for 2 × 2 frames [14], and we argue that framed reconciliation can surpass Shannon's information bounds for noisy channels. We strongly recommend that the reader consult our previous work on Quantum Key Distillation Using Binary Frames, so that the present article can be kept as concise as possible. Basic concepts comprise quantum flows, non-orthogonal quantum states, quantum photonic gains, binary frames, and matching results (MR). Having introduced 2 × 2 frames, which are the frames of minimum size, we discuss here 3 × 2 frames. Throughout the article, we will compare both schemes.

#### **2. Communication Model**

Classical communication theory, as established by Claude Shannon in 1948, defines a general communication system in which Alice (the information source) prepares an information signal and sends it over a noisy channel, where it is corrupted at least in part by the channel noise [26,27]. At the other side, Bob receives this signal, and Alice and Bob must implement a processing method to recover from the errors produced during transmission [28–32].

Shannon's theory imposes a limit on the highest transmission speed over a noisy channel, which can never exceed the channel capacity. The coding rate is computed as the number of message symbols divided by the number of transmitted signals; a higher coding rate means a higher transmission speed. When the efficiency of the codes approaches the channel capacity as the number of transmitted signals increases, these codes are said to approach the Shannon limit. However, too high a coding rate makes it impossible to achieve a decoding error probability close to zero, because the optimum channel capacity is achievable only by letting the number of transmitted signals go to infinity [33]. We claim that our method goes beyond this limit because it does not require the number of transmitted signals to be increased; in fact, the coding rate reaches unity. The QKD protocol in Reference [34] exhibits a total communication efficiency of up to 100%, but it does not define an error correction algorithm.

On the other hand, if *e* is the probability that a transmitted 0 bit is received as a 1 and 1 − *e* is the probability that it is received as a 0, Shannon's theory implies that, when *e* = 0.5, one can never say anything about the original message [35,36], because the entropy is maximized when the two possible outcomes are equally probable. Since our method corrects errors when *e* = 0.5, we claim that it goes beyond the limits implied by Shannon's theory.

In our approach, we call active (or real) information that which follows Shannon's model: information is first prepared by Alice, then transmitted through the (quantum) channel, and finally recovered by Bob after it has been measured and verified to be correct. Conversely, in our scheme, information is not enclosed in the transmitted quantum pulses but in the quantum bases (*X* or *Z*) that Bob chooses at the other side. In fact, measured bits are publicly announced, but the measurement bases are never revealed. We call this communication paradigm, which we introduced into the QKD sifting procedure, reactive information.

Reactive bits are computed from Bob's measurement bases, so errors produced in the quantum channel are easily detected by Alice because the measured bits are publicly revealed by Bob. Remarkably, even at unit error rate, information can still be recovered, since the errors carry reactive information by themselves. For the same reason, not all of Alice's information can be recovered, even in the absence of errors produced by the quantum channel.

Two reconciliation approaches have been conceived in QKD: direct and reverse reconciliation. In reverse reconciliation (RR), Alice must infer Bob's outcomes, rather than Bob guessing Alice's encodings, which is known as direct reconciliation (DR). Under this classification, framed reconciliation is RR, so let us briefly contrast our approach with RR, which was introduced in the context of continuous-variable QKD [31,37].

It has been demonstrated that RR achieves longer distances, even beyond the 3 dB limit of previous CV-QKD works [38]. RR has been implemented on an LDPC basis [39], and it was shown that LDPC codes can reach within 0.0045 dB of the Shannon limit. Unfortunately, this requires large block lengths (10<sup>7</sup>) [40]. Moreover, decoding LDPC has larger computational and memory requirements than either the Cascade or the Winnow algorithm [41]. In contrast, our method does not require additional bits, which would reduce the coding rate. Our experimental simulations show complete efficiency in detecting/correcting errors. Moreover, the secret throughput grows cubically in the number of double detection events.

Before we introduce 3 × 2 frames, we explain frame-based quantum communication through a simple example of our reconciliation method. To facilitate the exposition, we use 2 × 2 frames in this example. Then, again to simplify the exposition, we discuss the role of auxiliary frames in the 2 × 2 case. In Section 3, we address the research methodology for 3 × 2 frames and then detail the QKD distillation protocol. To make the discussion more effective, we have placed the tables of the 3 × 2 protocol in Appendix A. Finally, in Section 4, we analyze the efficiency and the security of the 3 × 2 protocol against different attacks, such as the Intercept-Resend (IR) attack and the Photon Number Splitting (PNS) attack.

#### *2.1. Quantum Communication*

In the BB84 protocol [42–45], a quantum state $|i_X\rangle$ (or $|i_Z\rangle$), where *i* represents the encoded bit (*i* = 0, 1), is useful for distillation whenever it has been measured in the proper (compatible) quantum basis: basis *X* for $|i_X\rangle$ (or *Z* for $|i_Z\rangle$). Otherwise, a non-compatible measurement is produced, the bit derived from this measurement is ambiguous, and it must be discarded. However, in the quantum flows scheme, ambiguous cases can still be used for the following reasons [14]:


#### *2.2. Example of Error Correction*

In order to better introduce our communication model, let us illustrate it with a simple example that contrasts it with Shannon's model. To see the effect of the errors instead of the losses in the channel, let us assume a conservative quantum channel. Table 1 shows a hypothetical QKD protocol, possibly based on BB84, where Alice has sent 18 quantum states (in practical implementations, some sifted bits must be sacrificed to estimate the error rate of the channel). In this example, a 30% error rate (*e*) is produced; therefore, the QKD distillation process must be abandoned, because prominent reconciliation algorithms, such as Cascade, Winnow, or LDPC, cannot work with such a high error rate.

**Table 1.** In this example of a running Quantum Key Distribution (QKD), 6 errors (underlined in Bob's column) among 18 measured quantum states are produced, giving an error rate of 30%. According to Shannon's limit, this yields a transmission rate of 0.0817. It is known that, at 50%, there is no reconcilable information.


Let us suppose that the same errors are produced using the framed reconciliation method, as illustrated in Figure 1. In this example, we ignored the losses due to double detection events and the amplification gain produced by the number of combinations between double matching detection events (we discuss them later). Frame-based reconciliation can process this error rate; in fact, it can reconcile any error rate *e* in the channel, so there is no need to estimate *e* by wasting bits for this purpose. To simplify the exposition, in this example we used 2 × 2 frames, but we will discuss 3 × 2 frames in the Distillation Method section.


**Figure 1.** Using frame reconciliation, all errors are detected and corrected (or removed). Each double detection event has been numbered so that it can be followed into the frames (see Tables 2 and 3).

**Table 2.** Alice receives the Sifting Strings (SS) from Bob, which she knows belong to $f_2$, $f_3$, and $f_4$, respectively, but they are ambiguous, so she uses the auxiliary frames $f_{10}$, $f_9$, and $f_9$, respectively, to identify the error and then correct it.


**Table 3.** After Alice receives these SS, she determines that the respective frames must be eliminated because ambiguity cannot be removed.


#### *2.3. Auxiliary Frames*

A major component of the framed reconciliation method relies on the auxiliary frames. There are two types of auxiliary frames: zero frames and testing frames. Every quantum state of a zero frame is $|0_X\rangle$ or $|0_Z\rangle$. Identifying measurement errors in a zero frame is easy, as we will see later. A testing frame contains one row that is under evaluation because it presumably contains an error, while the remaining rows come from a verified zero frame.

To compute the sifting string (SS), we follow this procedure: a sifting string is constructed by concatenating the bits that result from applying the ⊕ logical operation to each column of the frame (a blank space is treated as a zero bit) and appending the measured bits produced by the optical detectors. The secret bits are derived from the code assigned to the arrangement of measurements inside the frame; we call this arrangement the measurement results (MR). To see the role of auxiliary frames, let us assume that we intend to apply the framing algorithm to Shannon's model; thus, several zero bits are interleaved between the secret bits to be used as auxiliary correcting bits.

1. To achieve reconciliation in Shannon's model, the first step is to ensure that the auxiliary zero bits are error-free. However, Shannon's 2 × 1 frames do not allow errors in two consecutive zero bits to be identified (at least in one round iteration), as indicated by the following relations:

$$
\begin{pmatrix} 0 \\ \oplus \\ 0 \end{pmatrix} = \begin{pmatrix} 1 \\ \oplus \\ 1 \end{pmatrix} = 0 \text{ (SS)}\dots
$$

In addition, when using 2 × 1 frames, there is a unique possible matching result (MR), written below; therefore, no secret information can be derived from MRs in Shannon's model.

$$
\begin{pmatrix} \bullet \\ \bullet \end{pmatrix} \cdot
$$

2. By contrast, using 2 × 2 frames, errors in the auxiliary frames can be easily identified. Here, we list the error-free zero frames:

$$
\begin{pmatrix}
\oplus \\
\end{pmatrix} = \begin{pmatrix}
\oplus \\
\end{pmatrix} = \begin{pmatrix}
\oplus \\
\end{pmatrix} = \begin{pmatrix}
\oplus \\
\end{pmatrix} = 00,\\
00 \quad \text{(SS)},
$$

which can be compared, for illustrative purposes, to the erroneous cases:

$$
\begin{pmatrix}
\oplus & \\
\end{pmatrix} = \begin{pmatrix}
\oplus & \\
\end{pmatrix} = 11, 11 \quad \text{(SS)},
$$

$$
\begin{pmatrix}
\oplus & \\
\end{pmatrix} = \begin{pmatrix}
\oplus & \\
\end{pmatrix} = 00, 11 \quad \text{(SS)}.
$$

3. Ambiguous SS are produced in regular frames. For example, on the left, we indicate that Alice sends the frame $f_2$ to Bob, who measures it using MR = 11. However, when applying the *Z* measurement basis, the photo-detector yields an error, reporting $|1_Z\rangle$ instead of $|0_Z\rangle$; so, we have:

$$f_{2_a} = \begin{pmatrix} |1_X\rangle & |0_Z\rangle \\ |1_X\rangle & |1_Z\rangle \end{pmatrix}, \quad f_{2_b} = \begin{pmatrix} - & |1_Z\rangle \\ \oplus & \\ |1_X\rangle & - \end{pmatrix} = 11,11 \quad \text{(SS)}.$$

When Alice receives the string SS = 11,11, which belongs to $f_2$, she knows it implies two possibilities: either SS comes from the error-free string SS24 = 11,11 under MR = 10 in $f_2$, or an error occurred in the first measured bit, which actually corresponds to the string SS23 = 10,01 under MR = 11 in $f_2$. To disambiguate, Alice uses the auxiliary frame $f_{10}$. Thus, she looks at a frame $f_{10}$ where the ambiguous row $(-, |1_Z\rangle)$ is allocated. Remember that each row is combined with every other row. Previously, the second row of $f_{10}$, i.e., $(|0_X\rangle, -)$, was verified as a zero frame. Then, suppose Alice finds the following $f_{10}$ case:

$$f_{10} = \begin{pmatrix} - & |1_Z\rangle \\ \oplus & \\ |0_X\rangle & - \end{pmatrix} = 10,10.$$

The sifting string 10,10 reveals that an error exists in the row under evaluation; therefore, Alice decides on SS23. Then, the pair (SS23, $f_2$) determines Alice's secret bit. It must be highlighted that the sifting strings of auxiliary frames cannot be distinguished from identical SS coming from regular frames, so privacy is preserved. In fact, it is ensured that each SS can arise equally from either bit.

#### *2.4. One-Time Pad XOR Equivalency*

It is known that XOR one-time pad encryption is a perfect cryptosystem provided that the key has as many bits as the plaintext. Let us show that the framing method actually behaves as one-time pad encryption. First, Table 4 shows the logical XOR (⊕) function. Each encrypted bit *c* can be produced by either key bit *k*.


**Table 4.** The logical XOR function.

As specified in the framed reconciliation method [14], Bob must reveal the sifting bits along with the measured bits. However, each SS maps to two different MRs, as can be verified in Table 5. Since the secret bits are enclosed in the MRs, this shows that the secret bits of the framing protocol are equivalent to the secret bits of the XOR one-time pad cryptosystem. The same analysis applies to 3 × 2 frames.

**Table 5.** The XOR function for 2 × 2 frames; MR is the measurement result, and sb denotes the final secret bit.


#### **3. Distillation Method with 3** × **2 Frames**

Before we detail the steps of the distillation method for 3 × 2 frames, let us describe the research methodology we applied:


under the auxiliary frames must be detected. In addition, all the SS that cannot be disambiguated must be identified and the corresponding frames must be removed. We show in Table A5 the cases that can be successfully disambiguated.

6. At Bob's side, each (SS, MR) pair defines a secret bit (sb). For Alice, the same secret bit results from the pair (SS, $f_i$), because she knows the frame behind each SS. It must be guaranteed that each SS can be produced equally by both bits. In addition, it must be ensured that each secret bit arises from the same number of frames, so that the bit probability of each SS is the same, in order to reduce the eavesdropper's information gain (SS are publicly transmitted over the classical channel). This may involve removing some extra SS. Alice sends Bob the set of SS of all the frames that must be eliminated, including auxiliary frames. Table A3 of Appendix A lists SS, MR, frames, and sb.

Now, we can proceed to summarize the steps of the distillation method for 3 × 2 frames that comprises sifting, reconciliation, and privacy amplification. The overall steps of the process are indicated in Figure 2:


She generates frames $f_{25}$ to prepare the auxiliary frames.

Using auxiliary frames, Alice removes ambiguity. Alice gets the secret bits using the relation (SS, $f_i$) and Table A3 of Appendix A.

Alice informs Bob of the cases that must be eliminated (because they cannot be disambiguated).

6. Bob removes the frames identified by Alice to reach Alice's secret bit string. Bob's secret bits are derived from (SS, MR) and Table A3 of Appendix A.

**Figure 2.** The frame distillation runs in one iteration: Alice sends pairs of non-orthogonal states ($NO_i$). Bob informs Alice which cases produced double matching detection events (*i*). Alice generates all possible frames and sends Bob the frame arrangement information ($f_n$). Bob returns the sifting strings (SS$_n$). Finally, Alice tells Bob which cases he must delete (*rm*). Step 1 is executed over the quantum channel, while steps 2 to 5 are completed using the classical channel.

#### **4. Secret Rate**

The secret rate of the framed reconciliation method can be derived directly from frames without recurring to quantum physics mathematical relations. First off, we must enlist the Sifting String (SS) generated by all the frames classified by Measurement Result (MR) and separate the error-free SS from the erroneous SS (single and multiple errors). According to the size of frames (2 × 2 or 3 × 2), the error could be in the first bit, second bit, third bit, two bits, two of three bits, and three bits simultaneously. Then, we proceed to identify ambiguous SS, (because they appear simultaneously as error-free SS and erroneous SS for a given frame). Then, we identify the SS that can still be used after they are inspected under auxiliary frames. We call those cases unequivocal SS cases.

We calculate the secret rate (in absence of eavesdropping) as the sum up of the information derived from the unequivocal error-free rate and the amount of information derived from the unequivocal erroneous rate (unequivocal error-free rate is obtained as the number of unequivocal error-free SS under the total number of error-free SS; conversely, the unequivocal error rate is obtained as the rate of unequivocal erroneous SS over the total erroneous SS cases). As mentioned earlier, unequivocal means that ambiguity can be removed using auxiliary frames. The bits from remaining SS must be eliminated since they do not contribute to the secret rate.

In Table 6, we detail the derivation of the secret rate. Each SS contributes a single bit. For 2 × 2 frames we have 4 usable frames, and each one generates 4 error-free SS and 12 erroneous SS. To compute the unequivocal erroneous rate, 2 SS per frame can be recovered out of the 12 erroneous SS per frame, which yields 1/6; to derive the unequivocal error-free rate, 2 SS per frame can be recovered out of the 4 error-free SS per frame, which yields 1/2. For 3 × 2 frames, the unequivocal error-free rate yields 1/3 and the unequivocal erroneous rate yields 1/21 (see Figure 3). The secret rate at QBER *e* is then (1 − *e*) times the unequivocal error-free rate plus *e* times the unequivocal erroneous rate, which gives 1/2 − *e*/3 for 2 × 2 frames and 1/3 − 2*e*/7 for 3 × 2 frames, the brackets in Equation (1).


**Table 6.** The secret rate for each frame size, without taking the framing gain into account. The secret rate is shown for *e* = 0 and *e* = 1.

**Figure 3.** The theoretical transmission rate is plotted as a function of the quantum bit error rate (QBER) *e*; we show the 2 × 2 and 3 × 2 lines and Shannon's reference function. When *e* = 1, the secret rate reaches 0.16 for 2 × 2 frames and 0.047 for 3 × 2 frames.

#### *4.1. Secret Throughput*

One of the main advantages of the frame-based reconciliation method is the total number of secret bits that results when the framing gain is applied. The framing gain comes from the number of combinations that can be formed among the double matching detection events; we call this process privacy pre-amplification (or amplification for short). The secret throughput is therefore the secret rate multiplied by the framing gain. For 2 × 2 frames, 4 of the 16 possible frames are usable, so the framing gain is $\frac{1}{4}\binom{n}{2}$; for 3 × 2 frames, 24 of the 64 possible frames are usable, so the framing gain is $\frac{3}{8}\binom{n}{3}$. Equation (1) gives the secret throughput for each case.

$$\begin{aligned} I_{ab(2\times 2)} &= \frac{1}{4}\binom{n}{2}\left(\frac{1}{2} - \frac{1}{3}e\right) \\ I_{ab(3\times 2)} &= \frac{3}{8}\binom{n}{3}\left(\frac{1}{3} - \frac{2}{7}e\right) \end{aligned} \tag{1}$$

Just to appreciate the growth rate of each frame size, we compute in Table 7 some values of the secret throughput as a function of *n* and *e*. As can be inferred, 3 × 2 frames have a clear advantage in producing secret bits: for example, at *n* = 10<sup>3</sup> the 3 × 2 secret throughput is already more than two orders of magnitude above the 2 × 2 one.


**Table 7.** The theoretical secret throughput (bits) as a function of *n* and *e* for each frame size.

#### *4.2. Rate Code*

The rate code *rab* is the ratio between the secret information and the total number of bits generated to achieve reconciliation. For 2 × 2 frames the total number of bits is $4\binom{n}{2}$, while for 3 × 2 frames it is $6\binom{n}{3}$. Dividing Equation (1) by these totals, the binomials cancel, and the rate code for each frame size is given in Equation (2).

$$\begin{split} r_{ab(2\times 2)} &= \frac{1}{16}\left(\frac{1}{2} - \frac{1}{3}e\right) \\ r_{ab(3\times 2)} &= \frac{1}{16}\left(\frac{1}{3} - \frac{2}{7}e\right) \end{split} \tag{2}$$

#### *4.3. Secret Key Rate*

In the case of frame reconciliation, the eavesdropper is at a great disadvantage since they do not know Bob's basis choices, which are never revealed over the classical channel. Even if the eavesdropper captures some copies of the quantum pulses, they must deal with the double detection events and the basis choices. Moreover, although the eavesdropper could replicate some double detection events, Alice forms all combinations between double detection events, so as a consequence of the privacy amplification process the eavesdropper's information is reduced even further.

#### 4.3.1. The Intercept and Resend Attack (IR)

In the Intercept and Resend (IR) attack, the eavesdropper first measures each pair of non-orthogonal quantum pulses in the quantum channel, and then they send another pair of quantum pulses to Bob prepared according to the same quantum states.

Since secret bits are derived only from double matching detection events, Eve must first produce a double matching detection event using the quantum states she intercepts in the quantum channel, because no useful information can be extracted from double non-matching detection events or from single detection events.

In addition, Eve must guarantee that both states she resends reach Bob's optical detectors, which is a severe difficulty because vacuum or single detection events are more probable than double detection events. However, suppose Eve forces both quantum states to arrive at Bob's receiver station. We can derive the efficiency of the IR attack using the following example:

	- 1/2 due to Bob's *Z* basis: (|0*Z*⟩, |0*Z*⟩).
	- 1/2 due to Bob's *X* basis: {(|0*X*⟩, |0*X*⟩), (|1*X*⟩, |1*X*⟩), (|1*X*⟩, |0*X*⟩), (|0*X*⟩, |1*X*⟩)}.

To match Eve's double detection event (|0*Z*⟩, |0*Z*⟩), Bob must choose the *Z* basis, which occurs with probability 1/2, so Eve's final probability is 1/4.

The overall scheme is depicted in the following diagram, where *Q*(+,+) represents Alice's pairs of non-orthogonal states:

#### 4.3.2. The Photon Number Splitting Attack (PNS)

The eavesdropper has a copy of all the quantum states that arrive at Bob's station because Alice sends attenuated (multi-photon) quantum pulses, and the eavesdropper is equipped with a sufficiently large quantum memory. However, the eavesdropper's probability of getting a double matching detection event is 1/2. In addition, Eve must choose between two measurement bases (*X* or *Z*); thus, her final probability is 1/4.


#### 4.3.3. The Bases Choice Attack (BC)

The eavesdropper may instead apply other measurement bases to gain more information, namely *X* + *Z* or *X* − *Z*. First, consider that the eavesdropper chooses between the bases *X* + *Z* and *X* − *Z* with probability 0.5. Non-matching detection events are ambiguous for the eavesdropper, and they occur with probability 6/16; in contrast, they get a double matching event with probability 9/16. As a result, the chance of getting Bob's information is 9/32.

Equation (3) gives the secret key rate for each frame size. It is the secret information multiplied by one minus the ratio between the frames the eavesdropper can duplicate and the total frames produced by Alice, where *R* is the eavesdropper's probability of reproducing a double matching detection event (1/4 for IR and PNS, 9/32 for BC).

$$\begin{split} \Delta I_{(2\times 2)} &= \left[\frac{1}{2} - \frac{1}{3}e\right]\left[1 - \frac{\binom{Rn}{2}}{\binom{n}{2}}\right] \\ \Delta I_{(3\times 2)} &= \left[\frac{1}{3} - \frac{2}{7}e\right]\left[1 - \frac{\binom{Rn}{3}}{\binom{n}{3}}\right] \end{split} \tag{3}$$

Table 8 shows the final secret key information for each attack: Intercept and Resend (IR), Photon Number Splitting (PNS) and Bases Choice (BC). For 2 × 2 frames we have ignored the linear term in *n* generated by $\binom{n}{2}$, because the quadratic term *n*<sup>2</sup> dominates, so the ratio of binomials reduces to *R*<sup>2</sup>. Likewise, we omitted the quadratic and linear terms produced by $\binom{n}{3}$ because of the dominant cubic term, so the ratio reduces to *R*<sup>3</sup>.


**Table 8.** The secret key rate is computed as Δ*I* = *Iab* − *Iae* for each attack.

As can be deduced from Table 8, the secret key rate is only slightly affected by the eavesdropper's behavior. This new scenario opens the possibility of employing less attenuated pulses, as in CV-QKD, to achieve either long-distance quantum links or portable QKD inside buildings [46].
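As an added worked example (not code from the paper), the quantities of Section 4 computed exactly with rational arithmetic: the per-frame secret rate, the framing gain and secret throughput of Equation (1), the rate code of Equation (2), and the secret key rate of Equation (3) both with the binomials evaluated and with only the dominant *n*<sup>*k*</sup> term kept, as done for Table 8. The eavesdropper fractions *R* = 1/4 (IR), 1/4 (PNS) and 9/32 (BC) are the values derived in Section 4.3; the reduction of the binomial ratio to *R*<sup>*k*</sup> is the large-*n* approximation the text describes. Function and constant names are this example's own.

```python
from fractions import Fraction
from math import comb

# Frame bookkeeping from Section 4: k = rows per frame, usable frames out of
# the total number of frames of that size (Section 4.1).
FRAMES = {
    (2, 2): {"k": 2, "usable": 4, "total": 16},
    (3, 2): {"k": 3, "usable": 24, "total": 64},
}

# Eavesdropper success probabilities from Section 4.3: the fraction of Alice's
# double matching events that Eve can reproduce.
R_IR = Fraction(1, 4)    # intercept and resend
R_PNS = Fraction(1, 4)   # photon number splitting
R_BC = Fraction(9, 32)   # bases choice


def secret_rate(size, e):
    """Secret rate per usable frame without framing gain (the bracket in
    Eq. (1)). e is the QBER, given as int or Fraction so the result is exact."""
    e = Fraction(e)
    if size == (2, 2):
        return Fraction(1, 2) - Fraction(1, 3) * e
    if size == (3, 2):
        return Fraction(1, 3) - Fraction(2, 7) * e
    raise ValueError(f"unsupported frame size {size}")


def framing_gain(size, n):
    """Usable frames Alice can build from n double matching events:
    (usable/total) * C(n, k), i.e. (1/4) C(n,2) and (3/8) C(n,3)."""
    p = FRAMES[size]
    return Fraction(p["usable"], p["total"]) * comb(n, p["k"])


def secret_throughput(size, n, e):
    """Eq. (1): secret bits = framing gain x secret rate."""
    return framing_gain(size, n) * secret_rate(size, e)


def rate_code(size, n, e):
    """Eq. (2): secret bits over total bits exchanged, 4 C(n,2) or 6 C(n,3).
    The binomial cancels, leaving (1/16) x secret rate for any n."""
    p = FRAMES[size]
    total_bits = {2: 4, 3: 6}[p["k"]] * comb(n, p["k"])
    return secret_throughput(size, n, e) / total_bits


def key_rate_exact(size, n, e, r):
    """Eq. (3) with the binomials evaluated; r*n must be an integer."""
    k = FRAMES[size]["k"]
    m = Fraction(r) * n
    if m.denominator != 1:
        raise ValueError("r*n must be an integer for the exact form")
    return secret_rate(size, e) * (1 - Fraction(comb(int(m), k), comb(n, k)))


def key_rate_leading(size, e, r):
    """Eq. (3) keeping only the dominant n^k term, as for Table 8:
    C(r n, k) / C(n, k) -> r^k."""
    k = FRAMES[size]["k"]
    return secret_rate(size, e) * (1 - Fraction(r) ** k)


if __name__ == "__main__":
    for size in FRAMES:
        for n in (10, 100, 1000):
            for e in (0, Fraction(1, 10), 1):
                print(size, n, float(e), float(secret_throughput(size, n, e)))
    for name, r in (("IR", R_IR), ("PNS", R_PNS), ("BC", R_BC)):
        print(name, [float(key_rate_leading(s, 0, r)) for s in FRAMES])
```

At *n* = 10<sup>3</sup> and *e* = 0 the 3 × 2 throughput comes out at about 2.1 × 10<sup>7</sup> bits against about 6.2 × 10<sup>4</sup> bits for 2 × 2 frames, which is the growth Table 7 illustrates; the exact form of Equation (3) is slightly above the leading-term form because C(*Rn*, *k*)/C(*n*, *k*) is a little below *R*<sup>*k*</sup> for finite *n*.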

#### **5. Conclusions**

We have discussed a new post-processing method for Quantum Key Distribution (QKD) that raises the secret key rate cubically in the number of double matching detection events. Secret bits are derived from reactive bits instead of Shannon information, so Bob's measured bits are publicly revealed while his basis selections remain secret. Our method implements sifting, reconciliation and amplification in a single process that requires just one round of iteration; no redundancy bits are sent, and there is no limit on the correctable error percentage. Even when the reconciliation is performed over a channel with unity error rate (*e* = 1), the secret rate is kept, at least theoretically, at 16% using 2 × 2 frames and 4.7% using 3 × 2 frames.

It is not difficult to evaluate the security of this method because it can be evaluated directly through the frames. There is no dependency on other security mechanisms such as hash functions.

The protocol is fast, at least theoretically, its convergence is guaranteed, and it can be implemented as post-processing software in QKD technologies.

**Author Contributions:** L.A.L.-P. conceived of the presented idea, he developed the theoretical formalism, J.M.L.R. supervised the project and contributed to the interpretation of the results and E.H.S. performed software and numerical simulations. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research was funded by National Council of Science and Technology of Mexico (CONACyT) and Center for Research and Advanced Studies of the National Polytechnic Institute of Mexico (Cinvestav-IPN).

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** The data presented in this study are available within the article.

**Conflicts of Interest:** The authors declare no conflict of interest in this article.

#### **Appendix A**

This Appendix contains the relevant tables used for the framed methodology:



**Table A1.** There are 24 useful frames: *fi*, where *i* = 1, . . . , 24 and 3 Auxiliary frames *fj*, where *j* = 25, . . . , 27.

**Table A2.** There exist eight possible Matching Results (MR) for 3 × 2 frames. The bit produced by a double matching event is represented inside the key notation with the symbol •. Additionally, each MR has been identified with a binary code left to each frame. After the sifting process, such MR code will become part of the secret key.


**Table A3.** Bob sends to Alice the Sifting Strings (SS) which are constructed with the sifting bits and the measured bits. Alice knows the frames behind each SS, so she can get the secret bit (sb). On his side, Bob uses the SS and the MR to achieve the same bit.


**Table A4.** We list the 24 frames that Alice uses during the distillation process. Bob computes the sifting bits applying the XOR function to each column (they are written at the bottom of each frame) and appending an extra (required) sifting bit. The sifting bits define the set {000, 001, 010, 011, 100, 101, 110, 111} that does not contain redundancy, so that Alice can identify without ambiguity Bob's Matching Results.



**Table A4.** *Cont.*

For each frame, Alice's 3 × 2 frame is written row by row as (X state, Z state); each of Bob's eight double matching patterns is written the same way, with "−" in the basis that was not detected, followed by the two column-XOR sifting bits and the extra sifting bit.

- *f*<sub>10</sub> = (|1*X*⟩ |1*Z*⟩ / |1*X*⟩ |0*Z*⟩ / |1*X*⟩ |0*Z*⟩). Bob: (|1*X*⟩ − / |1*X*⟩ − / |1*X*⟩ −) → 10 0; (− |1*Z*⟩ / − |0*Z*⟩ / − |0*Z*⟩) → 01 0; (|1*X*⟩ − / − |0*Z*⟩ / |1*X*⟩ −) → 00 0; (− |1*Z*⟩ / |1*X*⟩ − / − |0*Z*⟩) → 11 0; (|1*X*⟩ − / |1*X*⟩ − / − |0*Z*⟩) → 00 1; (− |1*Z*⟩ / − |0*Z*⟩ / |1*X*⟩ −) → 11 1; (|1*X*⟩ − / − |0*Z*⟩ / − |0*Z*⟩) → 10 1; (− |1*Z*⟩ / |1*X*⟩ − / |1*X*⟩ −) → 01 1
- *f*<sub>11</sub> = (|0*X*⟩ |1*Z*⟩ / |1*X*⟩ |1*Z*⟩ / |0*X*⟩ |0*Z*⟩). Bob: (|0*X*⟩ − / |1*X*⟩ − / |0*X*⟩ −) → 10 0; (− |1*Z*⟩ / − |1*Z*⟩ / − |0*Z*⟩) → 00 0; (|0*X*⟩ − / − |1*Z*⟩ / |0*X*⟩ −) → 01 0; (− |1*Z*⟩ / |1*X*⟩ − / − |0*Z*⟩) → 11 0; (|0*X*⟩ − / |1*X*⟩ − / − |0*Z*⟩) → 10 1; (− |1*Z*⟩ / − |1*Z*⟩ / |0*X*⟩ −) → 00 1; (|0*X*⟩ − / − |1*Z*⟩ / − |0*Z*⟩) → 01 1; (− |1*Z*⟩ / |1*X*⟩ − / |0*X*⟩ −) → 11 1
- *f*<sub>12</sub> = (|0*X*⟩ |0*Z*⟩ / |1*X*⟩ |1*Z*⟩ / |0*X*⟩ |1*Z*⟩). Bob: (|0*X*⟩ − / |1*X*⟩ − / |0*X*⟩ −) → 10 0; (− |0*Z*⟩ / − |1*Z*⟩ / − |1*Z*⟩) → 00 0; (|0*X*⟩ − / − |1*Z*⟩ / |0*X*⟩ −) → 01 0; (− |0*Z*⟩ / |1*X*⟩ − / − |1*Z*⟩) → 11 0; (|0*X*⟩ − / |1*X*⟩ − / − |1*Z*⟩) → 11 1; (− |0*Z*⟩ / − |1*Z*⟩ / |0*X*⟩ −) → 01 1; (|0*X*⟩ − / − |1*Z*⟩ / − |1*Z*⟩) → 00 1; (− |0*Z*⟩ / |1*X*⟩ − / |0*X*⟩ −) → 10 1
- *f*<sub>13</sub> = (|0*X*⟩ |0*Z*⟩ / |1*X*⟩ |0*Z*⟩ / |1*X*⟩ |1*Z*⟩). Bob: (|0*X*⟩ − / |1*X*⟩ − / |1*X*⟩ −) → 00 0; (− |0*Z*⟩ / − |0*Z*⟩ / − |1*Z*⟩) → 01 0; (|0*X*⟩ − / − |0*Z*⟩ / |1*X*⟩ −) → 10 0; (− |0*Z*⟩ / |1*X*⟩ − / − |1*Z*⟩) → 11 0; (|0*X*⟩ − / |1*X*⟩ − / − |1*Z*⟩) → 11 1; (− |0*Z*⟩ / − |0*Z*⟩ / |1*X*⟩ −) → 10 1; (|0*X*⟩ − / − |0*Z*⟩ / − |1*Z*⟩) → 01 1; (− |0*Z*⟩ / |1*X*⟩ − / |1*X*⟩ −) → 00 1
- *f*<sub>14</sub> = (|1*X*⟩ |1*Z*⟩ / |1*X*⟩ |0*Z*⟩ / |0*X*⟩ |0*Z*⟩). Bob: (|1*X*⟩ − / |1*X*⟩ − / |0*X*⟩ −) → 00 0; (− |1*Z*⟩ / − |0*Z*⟩ / − |0*Z*⟩) → 01 0; (|1*X*⟩ − / − |0*Z*⟩ / |0*X*⟩ −) → 10 0; (− |1*Z*⟩ / |1*X*⟩ − / − |0*Z*⟩) → 11 0; (|1*X*⟩ − / |1*X*⟩ − / − |0*Z*⟩) → 00 1; (− |1*Z*⟩ / − |0*Z*⟩ / |0*X*⟩ −) → 01 1; (|1*X*⟩ − / − |0*Z*⟩ / − |0*Z*⟩) → 10 1; (− |1*Z*⟩ / |1*X*⟩ − / |0*X*⟩ −) → 11 1
- *f*<sub>15</sub> = (|0*X*⟩ |0*Z*⟩ / |0*X*⟩ |1*Z*⟩ / |1*X*⟩ |1*Z*⟩). Bob: (|0*X*⟩ − / |0*X*⟩ − / |1*X*⟩ −) → 10 0; (− |0*Z*⟩ / − |1*Z*⟩ / − |1*Z*⟩) → 00 0; (|0*X*⟩ − / − |1*Z*⟩ / |1*X*⟩ −) → 11 0; (− |0*Z*⟩ / |0*X*⟩ − / − |1*Z*⟩) → 01 0; (|0*X*⟩ − / |0*X*⟩ − / − |1*Z*⟩) → 01 1; (− |0*Z*⟩ / − |1*Z*⟩ / |1*X*⟩ −) → 11 1; (|0*X*⟩ − / − |1*Z*⟩ / − |1*Z*⟩) → 00 1; (− |0*Z*⟩ / |0*X*⟩ − / |1*X*⟩ −) → 10 1
- *f*<sub>16</sub> = (|0*X*⟩ |1*Z*⟩ / |0*X*⟩ |1*Z*⟩ / |1*X*⟩ |0*Z*⟩). Bob: (|0*X*⟩ − / |0*X*⟩ − / |1*X*⟩ −) → 10 0; (− |1*Z*⟩ / − |1*Z*⟩ / − |0*Z*⟩) → 00 0; (|0*X*⟩ − / − |1*Z*⟩ / |1*X*⟩ −) → 11 0; (− |1*Z*⟩ / |0*X*⟩ − / − |0*Z*⟩) → 01 0; (|0*X*⟩ − / |0*X*⟩ − / − |0*Z*⟩) → 00 1; (− |1*Z*⟩ / − |1*Z*⟩ / |1*X*⟩ −) → 10 1; (|0*X*⟩ − / − |1*Z*⟩ / − |0*Z*⟩) → 01 1; (− |1*Z*⟩ / |0*X*⟩ − / |1*X*⟩ −) → 11 1
- *f*<sub>17</sub> = (|0*X*⟩ |1*Z*⟩ / |0*X*⟩ |1*Z*⟩ / |1*X*⟩ |1*Z*⟩). Bob: (|0*X*⟩ − / |0*X*⟩ − / |1*X*⟩ −) → 10 0; (− |1*Z*⟩ / − |1*Z*⟩ / − |1*Z*⟩) → 01 0; (|0*X*⟩ − / − |1*Z*⟩ / |1*X*⟩ −) → 11 0; (− |1*Z*⟩ / |0*X*⟩ − / − |1*Z*⟩) → 00 0; (|0*X*⟩ − / |0*X*⟩ − / − |1*Z*⟩) → 01 1; (− |1*Z*⟩ / − |1*Z*⟩ / |1*X*⟩ −) → 10 1; (|0*X*⟩ − / − |1*Z*⟩ / − |1*Z*⟩) → 00 1; (− |1*Z*⟩ / |0*X*⟩ − / |1*X*⟩ −) → 11 1
- *f*<sub>18</sub> = (|0*X*⟩ |0*Z*⟩ / |1*X*⟩ |1*Z*⟩ / |1*X*⟩ |0*Z*⟩). Bob: (|0*X*⟩ − / |1*X*⟩ − / |1*X*⟩ −) → 00 0; (− |0*Z*⟩ / − |1*Z*⟩ / − |0*Z*⟩) → 01 0; (|0*X*⟩ − / − |1*Z*⟩ / |1*X*⟩ −) → 11 0; (− |0*Z*⟩ / |1*X*⟩ − / − |0*Z*⟩) → 10 0; (|0*X*⟩ − / |1*X*⟩ − / − |0*Z*⟩) → 10 1; (− |0*Z*⟩ / − |1*Z*⟩ / |1*X*⟩ −) → 11 1; (|0*X*⟩ − / − |1*Z*⟩ / − |0*Z*⟩) → 01 1; (− |0*Z*⟩ / |1*X*⟩ − / |1*X*⟩ −) → 00 1
- *f*<sub>19</sub> = (|0*X*⟩ |1*Z*⟩ / |1*X*⟩ |1*Z*⟩ / |1*X*⟩ |1*Z*⟩). Bob: (|0*X*⟩ − / |1*X*⟩ − / |1*X*⟩ −) → 00 0; (− |1*Z*⟩ / − |1*Z*⟩ / − |1*Z*⟩) → 01 0; (|0*X*⟩ − / − |1*Z*⟩ / |1*X*⟩ −) → 11 0; (− |1*Z*⟩ / |1*X*⟩ − / − |1*Z*⟩) → 10 0; (|0*X*⟩ − / |1*X*⟩ − / − |1*Z*⟩) → 11 1; (− |1*Z*⟩ / − |1*Z*⟩ / |1*X*⟩ −) → 10 1; (|0*X*⟩ − / − |1*Z*⟩ / − |1*Z*⟩) → 00 1; (− |1*Z*⟩ / |1*X*⟩ − / |1*X*⟩ −) → 01 1

**Table A4.** *Cont.*

- *f*<sub>20</sub> = (|1*X*⟩ |0*Z*⟩ / |0*X*⟩ |1*Z*⟩ / |0*X*⟩ |1*Z*⟩). Bob: (|1*X*⟩ − / |0*X*⟩ − / |0*X*⟩ −) → 10 0; (− |0*Z*⟩ / − |1*Z*⟩ / − |1*Z*⟩) → 00 0; (|1*X*⟩ − / − |1*Z*⟩ / |0*X*⟩ −) → 11 0; (− |0*Z*⟩ / |0*X*⟩ − / − |1*Z*⟩) → 01 0; (|1*X*⟩ − / |0*X*⟩ − / − |1*Z*⟩) → 11 1; (− |0*Z*⟩ / − |1*Z*⟩ / |0*X*⟩ −) → 01 1; (|1*X*⟩ − / − |1*Z*⟩ / − |1*Z*⟩) → 10 1; (− |0*Z*⟩ / |0*X*⟩ − / |0*X*⟩ −) → 00 1
- *f*<sub>21</sub> = (|1*X*⟩ |1*Z*⟩ / |0*X*⟩ |1*Z*⟩ / |0*X*⟩ |1*Z*⟩). Bob: (|1*X*⟩ − / |0*X*⟩ − / |0*X*⟩ −) → 10 0; (− |1*Z*⟩ / − |1*Z*⟩ / − |1*Z*⟩) → 01 0; (|1*X*⟩ − / − |1*Z*⟩ / |0*X*⟩ −) → 11 0; (− |1*Z*⟩ / |0*X*⟩ − / − |1*Z*⟩) → 00 0; (|1*X*⟩ − / |0*X*⟩ − / − |1*Z*⟩) → 11 1; (− |1*Z*⟩ / − |1*Z*⟩ / |0*X*⟩ −) → 00 1; (|1*X*⟩ − / − |1*Z*⟩ / − |1*Z*⟩) → 10 1; (− |1*Z*⟩ / |0*X*⟩ − / |0*X*⟩ −) → 01 1
- *f*<sub>22</sub> = (|1*X*⟩ |1*Z*⟩ / |1*X*⟩ |1*Z*⟩ / |0*X*⟩ |1*Z*⟩). Bob: (|1*X*⟩ − / |1*X*⟩ − / |0*X*⟩ −) → 00 0; (− |1*Z*⟩ / − |1*Z*⟩ / − |1*Z*⟩) → 01 0; (|1*X*⟩ − / − |1*Z*⟩ / |0*X*⟩ −) → 11 0; (− |1*Z*⟩ / |1*X*⟩ − / − |1*Z*⟩) → 10 0; (|1*X*⟩ − / |1*X*⟩ − / − |1*Z*⟩) → 01 1; (− |1*Z*⟩ / − |1*Z*⟩ / |0*X*⟩ −) → 00 1; (|1*X*⟩ − / − |1*Z*⟩ / − |1*Z*⟩) → 10 1; (− |1*Z*⟩ / |1*X*⟩ − / |0*X*⟩ −) → 11 1
- *f*<sub>23</sub> = (|1*X*⟩ |0*Z*⟩ / |1*X*⟩ |1*Z*⟩ / |1*X*⟩ |1*Z*⟩). Bob: (|1*X*⟩ − / |1*X*⟩ − / |1*X*⟩ −) → 10 0; (− |0*Z*⟩ / − |1*Z*⟩ / − |1*Z*⟩) → 00 0; (|1*X*⟩ − / − |1*Z*⟩ / |1*X*⟩ −) → 01 0; (− |0*Z*⟩ / |1*X*⟩ − / − |1*Z*⟩) → 11 0; (|1*X*⟩ − / |1*X*⟩ − / − |1*Z*⟩) → 01 1; (− |0*Z*⟩ / − |1*Z*⟩ / |1*X*⟩ −) → 11 1; (|1*X*⟩ − / − |1*Z*⟩ / − |1*Z*⟩) → 10 1; (− |0*Z*⟩ / |1*X*⟩ − / |1*X*⟩ −) → 00 1
- *f*<sub>24</sub> = (|1*X*⟩ |1*Z*⟩ / |1*X*⟩ |1*Z*⟩ / |1*X*⟩ |0*Z*⟩). Bob: (|1*X*⟩ − / |1*X*⟩ − / |1*X*⟩ −) → 10 0; (− |1*Z*⟩ / − |1*Z*⟩ / − |0*Z*⟩) → 00 0; (|1*X*⟩ − / − |1*Z*⟩ / |1*X*⟩ −) → 01 0; (− |1*Z*⟩ / |1*X*⟩ − / − |0*Z*⟩) → 11 0; (|1*X*⟩ − / |1*X*⟩ − / − |0*Z*⟩) → 00 1; (− |1*Z*⟩ / − |1*Z*⟩ / |1*X*⟩ −) → 10 1; (|1*X*⟩ − / − |1*Z*⟩ / − |0*Z*⟩) → 11 1; (− |1*Z*⟩ / |1*X*⟩ − / |1*X*⟩ −) → 01 1
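As an added example (not the authors' code), the sifting-string rule of Table A4 implemented for 3 × 2 frames: Bob's sifting string is the XOR of the bits he measured in the X column, the XOR of the bits he measured in the Z column, and an extra sifting bit. Because the events are double matching, Bob's bit in a row equals Alice's bit in the basis he measured, so a frame can be represented by its three (X bit, Z bit) rows and a Measurement Result by the basis of each row. The extra bit is taken as 0 for the four MRs XXX, ZZZ, XZX, ZXZ and 1 for XXZ, ZZX, XZZ, ZXX, which is the pattern read off Table A4 rather than a rule the text states explicitly. Enumerating all 64 frames under this rule recovers exactly the 24 useful frames of Table A1, and *f*<sub>12</sub> reproduces its entry in Table A4. Function names are this example's own.

```python
from itertools import product

# Bob's eight Measurement Results (basis per row), in the order of Table A4.
# The extra sifting bit is 0 for the first four and 1 for the last four
# (pattern inferred from Table A4, see the lead-in).
MEASUREMENT_RESULTS = ("XXX", "ZZZ", "XZX", "ZXZ", "XXZ", "ZZX", "XZZ", "ZXX")


def sifting_string(frame, mr):
    """Sifting string for one frame and one MR.

    frame: three (x_bit, z_bit) rows, Alice's pairs of non-orthogonal states.
    mr:    three characters in {X, Z}, the basis of Bob's double matching
           detection in each row; his bit equals Alice's bit in that basis.
    Returns 'xz' + extra, where x and z are the column XORs.
    """
    x_col = 0
    z_col = 0
    for (x_bit, z_bit), basis in zip(frame, mr):
        if basis == "X":
            x_col ^= x_bit
        else:
            z_col ^= z_bit
    extra = MEASUREMENT_RESULTS.index(mr) // 4
    return f"{x_col}{z_col}{extra}"


def sifting_table(frame):
    """All eight (MR -> SS) entries of one Table A4 row."""
    return {mr: sifting_string(frame, mr) for mr in MEASUREMENT_RESULTS}


def is_useful(frame):
    """A frame is useful when its eight sifting strings are all different,
    so Alice can recover Bob's MR from the SS without ambiguity."""
    return len(set(sifting_table(frame).values())) == 8


def alice_recovers_mr(frame, ss):
    """Alice's side: she knows the frame, receives the SS, looks up the MR."""
    matches = [mr for mr, s in sifting_table(frame).items() if s == ss]
    if len(matches) != 1:
        raise ValueError(f"SS {ss} is ambiguous for this frame: {matches}")
    return matches[0]


def all_frames():
    """All 64 possible 3x2 frames: three rows of (x_bit, z_bit)."""
    rows = list(product((0, 1), repeat=2))
    return [list(f) for f in product(rows, repeat=3)]


def count_useful():
    return sum(1 for f in all_frames() if is_useful(f))


# f12 of Table A4: rows (|0X>,|0Z>), (|1X>,|1Z>), (|0X>,|1Z>)
F12 = [(0, 0), (1, 1), (0, 1)]

if __name__ == "__main__":
    for mr, ss in sifting_table(F12).items():
        print("f12", mr, "->", ss)
    print("useful frames:", count_useful())
```

The uniqueness check is what makes a frame usable: the MR is never sent, so the SS alone must let Alice tell the eight MRs apart, and the extra bit is exactly what separates MR pairs whose column XORs coincide.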



**Table A5.** We list the cases that can be successfully disambiguated. Zero cases refer to the error-free SS.



#### **References**


### *Article* **An Attack on Zawadzki's Quantum Authentication Scheme**

**Carlos E. González-Guillén 1,†, María Isabel González Vasco 2,†, Floyd Johnson 3,\*,† and Ángel L. Pérez del Pozo 2,†**


**Abstract:** Identification schemes are interactive cryptographic protocols typically involving two parties: a prover, who wants to provide evidence of their identity, and a verifier, who checks the provided evidence and decides whether or not it comes from the intended prover. Given the growing interest in quantum computation, it is indeed desirable to have explicit designs for achieving user identification through quantum resources. In this paper, we comment on a recent proposal for quantum identity authentication from Zawadzki. We discuss the applicability of the theoretical impossibility results from Lo, Colbeck and Buhrman et al. and formally prove that the protocol must necessarily be insecure. Moreover, to better illustrate our insecurity claim, we present an attack on Zawadzki's protocol and show that by using a simple strategy an adversary may indeed obtain relevant information on the shared identification secret. Specifically, through the use of the principle of conclusive exclusion on quantum measurements, our attack geometrically reduces the key space, so that the claimed logarithmic security is effectively reduced by a factor of two after only three verification attempts.

**Keywords:** quantum identity authentication; private equality tests; conclusive exclusion

#### **1. Introduction**

One of the major goals of cryptography is authentication in its different flavours, namely, providing guarantees that a certain interaction actually involves some specific parties from a designated presumed set of users. In the two-party scenario, cryptographic constructions towards this goal are called identity authentication schemes, and they have been extensively studied in classical cryptography [1,2]. Classically, there are different ways of defining so-called identification schemes for mutual authentication of peers, mainly depending on whether the involved parties share some secret information (such as a password) or rely on different (often certified) keys provided by a trusted third party. The advent of quantum computers, however, may spell the end for many of these protocols.

Since Wiesner proposed using quantum mechanics in cryptography in the 1970s, multiple directions using this concept have undergone serious research. One major role quantum mechanics has played in cryptography is the development of quantum key distribution (QKD), where two parties can securely share a one-time pad using quantum mechanics, for example with the seminal protocol BB84 [3]. Among protocols providing entity authentication and strictly quantum in nature, some, such as those in [4–6], are based on entanglement, while more recent ones [7,8] do not rely on entanglement but propose to obtain identity authentication evidence from only the common knowledge of a shared secret. These approaches are known as quantum identity authentication (QIA) protocols (see also the related papers [9–14]). Since quantum protocols such as BB84 exist that do not rely on entanglement, it would be more appealing not to rely on entanglement for entity authentication either.

**Citation:** González-Guillén, C.E.; González Vasco, M.I.; Johnson, F.; Pérez del Pozo, Á.L. An Attack on Zawadzki's Quantum Authentication Scheme. *Entropy* **2021**, *23*, 389. https://doi.org/10.3390/e23040389

Academic Editor: Ivan B. Djordjevic

Received: 29 January 2021 Accepted: 23 March 2021 Published: 25 March 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https:// creativecommons.org/licenses/by/ 4.0/).

The QIA constructions in which authentication is intended from the common knowledge of a shared secret, often called QIA schemes (or just quantum identification schemes), are closely related to protocols for quantum equality tests and quantum private comparison. All these constructions are concrete examples of two-party computations with asymmetric output, i.e., allowing only one of the two parties involved to learn the result of a computation on two private inputs. Without imposing restrictions on the adversary, it was shown by Lo [15], Colbeck [16] and Buhrman et al. [17] that these kinds of constructions are impossible, even in a quantum setting. As a consequence, constructions for generic unrestricted adversaries in the quantum setting are doomed to failure.

While there are many things in common in the frameworks for developing QKD protocols and identification schemes built as private comparison tests, we make note of the following key differences in cryptographic considerations. Most QKD setups involve an authenticated classical channel, so the recipients may safely compare check bits to see if there is an unintended observer. This, however, may not be the case in an authentication scheme (like the one considered in this paper), so there may be no way for the legitimate parties to determine if an eavesdropper is present. Thus, if the states obtained by the authenticating party are not as expected, the authentication fails without the users knowing whether this is due to an adversarial presence or to an attempted impersonator. For this reason the traditional so-called intercept-and-resend attack is completely irrelevant for authentication, as the adversary is always capable of sending messages as if coming from Alice or Bob, though without the correct private value the protocol is overwhelmingly likely to fail. The closest equivalent constraint is that the authenticating party may only make a single measurement on a qubit before the state collapses. This constraint bars the adversary from making many measurements on the same state in order to fully recover the private value. It does not, however, exclude the possibility that many different calls of the authentication protocol are made. Unlike key distribution protocols, where after a failure the key is discarded, both classical and quantum authentication protocols must remain secure after being run multiple times with the same shared secret, though with different random inputs [1]. We make special note here that the objectives of QKD and QIA schemes are very different. With this in mind, readers should apply the results of this work to any current or future scheme only if its objectives and methods fall within the parameters considered here.

#### *1.1. Our Contribution*

Recently, an original work about authentication without entanglement by Hong et al. in [8] was improved by Zawadzki using tools from classical cryptography in [7]. In Zawadzki's protocol, there are two parties, Alice and Bob, who share a common secret bitstring *k*. In order to achieve entity authentication from Alice to Bob, they run a noninteractive protocol in which Alice first computes a hash value *ha*, which depends on *k* and a random nonce *r*; then Alice sends *r* to Bob so he can reproduce the computation obtaining a hash value *hb* (which must equal *ha* if there is no adversarial interference). Next Alice sequentially sends quantum states to Bob, which she prepares as a function of consecutive pairs of bits of *h*. At reception, Bob measures these states choosing each time a basis which depends on the value *h*. If all measures' outcomes are the expected ones, Bob concludes that the other party must know *k* and, therefore, identifies it as being Alice.

Our theoretical analysis of the protocol shows its insecurity, but in a non-constructive way (e.g., it does not help finding a concrete successful adversarial strategy). However, we are in addition able to show an explicit attack against the protocol, based on conclusive exclusion on quantum measurements, which we describe in Section 4. There we analyze in detail how the attack halves the size of the key space after only three verification attempts.

Note that, when analyzing Zawadzki's protocol, we deal only with its theoretical design. Neither the impossibility results we invoke nor our attack take advantage of physical aspects such as distance or timing; they hold independently of the implementation. It is indeed interesting to study in depth how identification protocols could be practically deployed in the real world, and what weaknesses could be exploited, but this is beyond the scope of this work. The physical issues present in attacks against QKD, such as time-shift attacks [18], phase-remapping attacks [19] or synchronization attacks [20], would also naturally arise for quantum identification protocols.

Finally, we discuss the applicability of the impossibility results and the explicit attack to other QIA protocols, such as [4,5,8,21–24]. For instance, we point out that the protocol from Hong et al. [8], in which Zawadzki's protocol is based upon, is vulnerable to the same attack we describe against the latter. On the other hand, the rest of the protocols cited, for different reasons discussed later, are neither affected by the impossibility results nor vulnerable to our attack.

The main contribution that arises from this work is that our theoretical analysis evidences an implication of the proven impossibility of identification schemes, such as Zawadzki's design. Thus, we stress that fundamental changes in the original proposal, beyond preventing our particular attack, would be needed in order to derive a secure identification scheme.

#### *1.2. Paper Roadmap*

We start this contribution by summarizing in Section 2 the impossibility results from Lo [15], Colbeck [16] and Buhrman et al. [17], concerning generic quantum two party protocols. Further, we present and discuss the Zawadzki protocol in Section 3, evidencing it actually fits the framework considered in the impossibility results from Section 2, and thus concluding it must necessarily be insecure. Moreover, we outline a simple explicit attack which we describe in Section 4. Finally we discuss how other QIA protocols are affected by our results in Section 5 and provide some conclusions in Section 6.

#### **2. Quantum Equality Tests Are Impossible**

A one-sided equality test is a cryptographic protocol in which one party, Alice, convinces another party, Bob, that they share a common key while revealing nothing to them but the equality (or inequality) of their inputs. Formally, we define a key space *K* and a function *F* : *K*<sup>2</sup> → {0, 1} which checks for equality. Let *i* ∈ *K* be Alice's key and *j* ∈ *K* be Bob's key. The goals of a one-sided equality test are as follows:


The above is a specific case of a one-sided two-party secure computation protocol as described in [15], as only one side, Bob, learns the output of the computation. In that work, a very general result is proven indicating that any protocol realising a one-sided two-party secure computation task is impossible, even in a quantum setting. In particular, Lo shows in [15] that if a protocol satisfies (1) and (2), then Bob can learn the output of *F*(*i*, *j*) for any *j*. Furthermore, a one-sided equality test with some small relaxations on points (1) and (3) is also proven impossible. Hence, any one-sided QIA protocol which validates identities using equality tests by means of quantum mechanics is impossible without imposing restrictions on the adversary.

Note that the above argument says nothing about protocols with built-in adversarial assumptions such as those presented in [25,26]. Further, note that many QIA schemes in the literature include a final round where Bob accepts or rejects, which makes Alice aware of the success or failure of the protocol. Indeed, those schemes can be straightforwardly turned into one-sided equality tests by suppressing Bob's final message announcing the result. Hence, they are clearly insecure against a dishonest Bob. However, if any such protocol can be modified so that Alice may obtain information on the identification output at some point before the last protocol round, it is unclear how Lo's impossibility result would apply. If they are built upon equality tests, we can still obtain impossibility from another well-known result by Buhrman et al. [17]. Certainly, two-sided QIA schemes, in which both Alice and Bob learn the result of the protocol, are a particular case of two-sided two-party computations. It is shown in [17] that a correct quantum protocol for a classical two-sided two-party computation that is secure against one of the parties is completely insecure against the other. For equality tests, if one of the parties, say Alice, learns nothing other than *F*(*i*, *j*), the other party, Bob, will be able to compute *F*(*i*, *j*) for all possible inputs *j*. Thus, any two-sided QIA protocol which validates identities using equality tests is also impossible without imposing further restrictions on the adversary.

Both total insecurity results are valid for protocols that compute a deterministic function *F*, and admit relaxed versions for computations that implement approximate versions of *F*. For a non-deterministic function *F*, Colbeck [16] showed that in a correct one-sided or two-sided two-party computation for *F*, one of the parties can always access more information about the other party's input than it is supposed to; the analysis is only done quantitatively for dichotomic values of *i*, *j* and extended trivially to the general case, yielding a qualitative rather than a quantitative result.

#### **3. Insecurity of Zawadzki's QIA Protocol**

In this section, we outline the protocol proposed in [7] and show that it must be insecure on Alice's side by the results discussed in Section 2. Moreover, we consider minor changes to the protocol to evidence that making it more "in line" with classical authentication does not help, as the protocol remains insecure. Indeed, the changes introduced do not fundamentally alter the protocol, namely both the changed and unchanged protocols allow for the attack we outline in Section 4 to provide information leakage.

The protocol proposed in [7] can be described as follows. Suppose Alice and Bob have keys *ka* and *kb*, respectively, and agree on some universal hash function *H* : {0, 1}<sup>*N*</sup> → {0, 1}<sup>2*d*</sup>. (Universal hash functions are to be understood as families H of functions providing a nice collision-resistance property, i.e., given inputs *x* ≠ *y*, the probability that *h*(*x*) = *h*(*y*) can be proven negligible if *h* is chosen at random from H (see [27]). In an abuse of notation, it is typical to treat them as individual functions, as we do here.) Bob wishes to verify that *kb* = *ka* without leaking any information about *kb* or *ka*. Alice randomly generates a nonce *ra* from a designated domain and calculates the value *ha* = *H*(*ra*||*ka*). Alice sends Bob *ra*. Bob receives *rb* (which in principle should be equal to *ra*) and calculates the value *hb* = *H*(*rb*||*kb*). Note that if *ka* = *kb* and the nonces are received as constructed, then *ha* = *hb*. Alice then acts on pairs of bits of *ha* with an embedding function *Q* : {0, 1}<sup>2</sup> → C<sup>2</sup>. This function *Q* uses the first of the two binary values to determine the measurement basis (horizontal/vertical or diagonal/antidiagonal) and the second to determine the specific qubit in {|0⟩, |1⟩, |+⟩, |−⟩}. More precisely, *Q*(0, 0) = |0⟩, *Q*(0, 1) = |1⟩, *Q*(1, 0) = |+⟩ and *Q*(1, 1) = |−⟩. Applying *Q* to the pairs of bits in *ha*, Alice prepares and sends *d* qubits to Bob over the quantum channel one by one, at a constant speed known to Bob.

Using the first bit of each pair, Bob decides in which basis he measures the quantum state and checks that he obtains the qubit expected from the second bit of the pair. If the loss of qubits is very high, or the rate of bits measured by Bob that disagree with the even bits of *hb* is over a certain threshold, then Bob rejects Alice's challenge. Otherwise he accepts her challenge. See Figure 1 for a schematic overview of the protocol.

For the sake of simplicity we restrict the security analysis to the case where there are no losses in the communication and the bit error rate is set to 0.

The Zawadzki protocol is claimed to be leakage resistant when considering an adversary measuring in a random basis. The reasoning behind this is that unless an adversary, Eve, correctly guesses the correct basis for each round, she will obtain different values for at least one of the bits of the hash. Now suppose an adversary is capable of computing preimages of hash functions through brute force with unbounded classical computational power or through dictionary attacks with unbounded classical memory. In this case it is unlikely that there will exist a *ke* ∈ *K* such that *H*(*re*||*ke*) matches what Eve measured. In the event there does exist such a *ke*, then with overwhelming probability *ke* = *ka* = *kb* and Eve will not be able to falsify authentication of Alice or Bob.


**Figure 1.** The protocol presented in [7].

Unfortunately, Zawadzki's protocol implements a two-sided equality test (one-sided if the last accept/reject round is omitted) for the secrets, with a relaxation on the correctness, that is, on the condition that *F*(*i*, *j*) = 1 if and only if *i* = *j* (in this case *i* is *ha* and *j* is *hb*). Suppose, for the sake of reasoning, that the protocol were a correct two-sided equality test; then all the results summarized in Section 2 apply and the protocol has necessary leakage. As Bob is sending nothing but the final bit, we know that nothing can possibly leak from *hb*. Thus, any potential leakage comes from *ha*, and in fact it is completely leaked. Although Eve may not be able to determine any exact bit of *ka*, due to collisions of the hash function, she may drastically reduce the number of possible options for *ka* to those *k* such that *ha* = *H*(*ra*||*k*) and hence construct a proper subset of *K* such that the true value of *ka* is contained in this subset.

However, Zawadzki's protocol is not perfectly correct. Whenever Alice's and Bob's secrets, *ha* and *hb*, differ in the measurement bits (the ones associated with the measurement basis), there is some probability of the computation returning the value 1 and thus of Bob accepting Alice's input as valid. This probability is exponentially small in the number of measurement bits that differ between *ha* and *hb*; that is, for the large majority of cases this probability is very small. Thus, the reasoning made for the approximate case of the relaxation of correctness in the one-sided setting in [15] can be applied to Zawadzki's protocol (without the last round) in these cases. That is, when Bob chooses a secret that differs in many measurement bits from Alice's secret, which is what happens for a random choice of the secret, he will be able not only to compute with some probability (close to 1) the equality test for (*ha*, *hb*), but to compute the equality test with some different probabilities (close to 1) for every (*ha*, *hb*′) such that the output of the computation has a large probability of being the value of the equality test. Thus, he will obtain partial (but close to full) information about many different secrets at the same time.

The approximate version of the result of Buhrman et al. [17] does not straightforwardly say anything in this case, as their notion of approximate correctness requires that the function *F* be computed correctly for every input with probability close to 1, whereas in Zawadzki's proposal pairs of secrets (*ha*, *hb*) that differ in only one of the measurement bits have probability 1/2 of computing the equality test correctly. However, it may be possible to give a version of the result of Buhrman et al. with a different notion of approximate correctness.

Finally, the result of Colbeck does apply when considering the non-deterministic function *F* to be the actual computation on the secrets *ha* and *hb* implemented by the protocol. Thus, the function implemented by the protocol is not secure, and a dishonest Bob could learn information about the implemented function for more than one secret *hb* at a time, acquiring more information than by following the protocol honestly.

Next we analyze what happens if some minor changes are made to bring the protocol more in line with classical authentication schemes. Unfortunately, we conclude that these changes do not fundamentally modify the protocol and, as will be clear, the previous reasoning still holds. Moreover, both the changed and unchanged protocols still allow the particular attack outlined in Section 4 to produce information leakage, by allowing an adversary to learn about many *ha* simultaneously, as predicted by the results of Lo and Colbeck.

The changes made to the protocol are as follows: (1) Bob generates *r* and *H*; this is done to thwart a simple attack discussed later. (2) The hash function changes between trials; this has no impact on the security of the protocol due to the public nature of the hash in both instances. (3) Here we assume for simplicity that Alice and Bob obtain the same nonce *r* with certainty; using classical error correction techniques one can be relatively certain both parties obtain the same nonce. See Figure 2 below for a schematic overview of the modified protocol.


**Figure 2.** Modified protocol.

The reason we force Bob to generate the randomness instead of Alice is that an adversary with unbounded quantum memory may impersonate Bob without making a measurement. Suppose an adversary does not know the key but requests Alice to identify herself. If Alice generates and sends *r*, *H* with the string of states |*ϕ<sub>i</sub>*⟩, then the adversary may record *r*, *H* and hold the qubits in memory without measuring them. At a later time an honest participant may ask the adversary to identify themselves, in which case the adversary may send *r*, *H* and the qubits from memory. Thus, the adversary correctly forges an authentication. Note that as we have presented the algorithm, an adversary may still make this impersonation by sitting between Alice and Bob and passing the information between the two. The difference is that as long as Bob generates the nonce, this attack can only be done while Alice and Bob are both online, whereas if Alice generates and sends the nonce then an adversary may hold the states for as long as is technologically feasible.

Unfortunately, the changes introduced do not alter the validity of the impossibility results discussed before. This updated version is still a two-sided equality test (one-sided if the last accept/reject round is omitted) for the secrets with a relaxation on the correctness, as no changes have been introduced after the generation of the secrets.

Thus, both the original and the modified protocols have necessary leakage and due to the non-interactive nature of Bob we know that *kb* has no leakage, thus we know there must exist some leakage on *ka*. Although Eve may not be able to determine any exact bit of *ka* she may drastically reduce the number of possible options for *ka* and hence construct a proper subset of *K* such that the true value for *ka* is contained in this subset. An attack exemplifying this phenomenon is described in the next section.

#### **4. A Key Space Reduction Attack on Zawadzki's Protocol**

Before discussing the specific attack, let *B* be a set of orthogonal bases in C<sup>2</sup> and consider the following fact. If a quantum state is prepared in a basis *b* ∈ *B* with value *v* ∈ {0, 1}, then an adversary may always remove one possible combination of *b* and *v* with a single measurement. Upon measuring in basis *b*′ ∈ *B* an adversary obtains *v*′ ∈ {0, 1}. The adversary is then certain the original pair (*b*, *v*) was not (*b*′, 1 − *v*′), as when measured in the basis *b* the qubit prepared by *b* and *v* will yield *v* with certainty. Note that the adversary cannot say with certainty how the qubit was prepared, but he can always remove one possible option. This is an example of the conclusive exclusion discussed in [28] in the case of two measurement bases.

Suppose now that instead of sampling *b* and *v* at random, the qubit is prepared using a private key *k* ∈ *K* and a set of public parameters *p*, namely *b* = *b*(*k*, *p*) and *v* = *v*(*k*, *p*). An adversary once again measures in basis *b*′ ∈ *B* (chosen or taken at random) to obtain *v*′ ∈ {0, 1}; they may then determine a basis/value pair in which the qubit was not prepared. Because the adversary is assumed to be computationally unbounded, they may then compute *b*(*k̂*, *p*) and *v*(*k̂*, *p*) for all *k̂* ∈ *K*. Whenever these computations output the impossible pair (*b*′, 1 − *v*′), the adversary becomes aware that *k̂* ≠ *k*, hence reducing the key space. The extent to which the key space is reduced depends on the number of bases in *B*. If the distribution of basis choices in *B* has low entropy, the attack may be accomplished as described, while if *B* has high entropy then a probabilistic version decreases the space of likely keys. The assumption that the adversary is computationally unbounded may be lifted if *k* has low entropy (for he can then indeed test all possible values for *k*, given there are only a polynomial number of candidates); however, assuming a computationally bounded adversary immediately removes unconditional security as an end goal.

Let us now apply this key space reduction to the QIA protocol proposed in [7]; in this case the private key is *k* and the public parameters are *r* and *H*. Suppose Eve has no a priori knowledge of the key except its existence in *K*. After receiving *r* and *H* over the classical channel, she measures all qubits |*ϕ<sub>i</sub>*⟩ received from Alice in the horizontal/vertical basis and records the outputs as *M*. In the case where Eve is acting as a man-in-the-middle, she is done. If she is impersonating Bob, she accepts or rejects the protocol.

After the protocol finishes, the adversary may then compute *h<sub>k̂</sub>* = *H*(*r*||*k̂*) for all *k̂* ∈ *K*. Suppose the first qubit Eve measured in *M* was |0⟩. She now examines the first two bits of each *h<sub>k̂</sub>*; those that begin 00, 10, or 11 could all have produced the qubit |0⟩ after measurement. The first of these three tuples will yield |0⟩ with certainty and the latter two with a probability of 0.5. The final tuple 01, however, is not possible, as that would imply that the qubit started in the state |1⟩ and was measured as |0⟩. Thus, Eve knows that any *k̂* such that *h<sub>k̂</sub>* begins 01 is not the key. The hash function output is assumed to be independent and identically distributed, so this removes approximately 1/4 of all possible keys. Repeat this process for all qubits. After completion of all hash and check operations the adversary has obtained a subset of the key space which contains the key, hence causing information leakage. Specifically, the adversary knows the key is in the subset *S* defined by

$$S = \{ s \in K : h_{s,2i} = M_i \text{ and } h_{s,2i-1} = 0 \;\; \forall i \le d \}.$$

Note that the true key *k* ∈ *S* and |*S*| ≈ (3/4)<sup>*d*</sup>|*K*|.

After running this attack on a single attempted authentication, the proposed ideal (brute force) security of 2<sup>2*d*</sup> = 2<sup>*N*</sup> drops to 3<sup>*d*</sup> = 2<sup>(log<sub>2</sub>(3)/2)*N*</sup> ≈ 2<sup>0.792*N*</sup>. Recall that authentication protocols must remain secure given many attempts. Thus, an adversary is allowed to receive multiple authentication attempts, possibly claiming that the received hash of the shared secret is denied due to interference from a third party. The logarithm of the security parameter drops geometrically at a rate of log<sub>2</sub>(3)/2 ≈ 0.792 after every authentication the adversary receives, meaning that once an adversary obtains the third authentication (all with different random values or even different hash functions) the brute force security has been reduced to brute force on a string of half the length. This trend continues with every authentication attempt.
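To quantify the leakage on a toy instance, the following added example (written for this edition, not the paper's code) simulates one observed authentication: a 16-bit key space, SHA-256 truncated to 2*d* bits as a stand-in for the universal hash *H* (an assumption; only the uniformity of the output matters for the counting argument), and an observer measuring every qubit in the horizontal/vertical basis. It applies the exclusion rule from the text (a candidate whose hash pair at position *i* is (0, 1 − *M<sub>i</sub>*) is impossible) and reports how close |*S*| comes to (3/4)<sup>*d*</sup>|*K*|, i.e. to 0.792*N* remaining bits of security.

```python
import hashlib
import math
import random

# Toy parameters, constructed for this example (not values from the paper).
N = 16             # key length in bits; the key space K is {0, ..., 2**N - 1}
D_QUBITS = N // 2  # d qubits per authentication: H outputs 2d = N bits
HV_BASIS = 0       # basis bit 0 = horizontal/vertical, 1 = diagonal/antidiagonal


def hash_bits(nonce: bytes, key: int, n_bits: int) -> list:
    """Stand-in for the universal hash H(r || k): the first n_bits of
    SHA-256(r || k) as a list of 0/1 ints (assumption: any hash with
    uniform output serves the key-space argument equally well)."""
    digest = hashlib.sha256(nonce + key.to_bytes(N // 8, "big")).digest()
    bits = [(byte >> shift) & 1 for byte in digest for shift in range(7, -1, -1)]
    return bits[:n_bits]


def measure(basis_bit: int, value_bit: int, eve_basis: int, rng: random.Random) -> int:
    """Outcome of measuring the qubit Q(basis_bit, value_bit) in eve_basis.
    Same basis: the prepared value is returned with certainty.
    Conjugate basis: the outcome is uniformly random (no information)."""
    if basis_bit == eve_basis:
        return value_bit
    return rng.randrange(2)


def eve_measurements(ha: list, eve_basis: int, rng: random.Random) -> list:
    """The record M: one outcome per qubit Alice sends."""
    return [measure(ha[2 * i], ha[2 * i + 1], eve_basis, rng)
            for i in range(len(ha) // 2)]


def is_excluded(hk: list, M: list, eve_basis: int) -> bool:
    """Conclusive exclusion: the pair (eve_basis, 1 - M_i) at position i
    would have produced M_i with probability 0, so such a candidate is
    impossible. Every other pair is consistent with the observed outcome."""
    return any(hk[2 * i] == eve_basis and hk[2 * i + 1] != M[i]
               for i in range(len(M)))


def surviving_keys(nonce: bytes, M: list, eve_basis: int) -> list:
    """The subset S of K still consistent with the measurements: one hash
    evaluation per candidate key (the brute-force step of the text)."""
    return [k for k in range(2 ** N)
            if not is_excluded(hash_bits(nonce, k, 2 * D_QUBITS), M, eve_basis)]


def run_attack(ka: int, nonce: bytes, seed: int = 1) -> dict:
    """One authentication round as seen by the observer. Returns S together
    with the expected size (3/4)^d |K| and the remaining bits of security."""
    rng = random.Random(seed)  # deterministic conjugate-basis outcomes
    ha = hash_bits(nonce, ka, 2 * D_QUBITS)
    M = eve_measurements(ha, HV_BASIS, rng)
    S = surviving_keys(nonce, M, HV_BASIS)
    return {
        "S": S,
        "key_in_S": ka in S,
        "expected_size": (3 / 4) ** D_QUBITS * 2 ** N,
        "remaining_bits": math.log2(len(S)),  # close to log2(3)/2 * N = 0.792 N
    }


if __name__ == "__main__":
    result = run_attack(0x1234, b"constructed-nonce")  # constructed key and nonce
    print("key still in S:", result["key_in_S"])
    print("|S| = %d, expected (3/4)^d |K| = %.0f" % (len(result["S"]), result["expected_size"]))
    print("remaining security: %.2f bits of %d" % (result["remaining_bits"], N))
```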

#### **5. Other QIA Protocols**

It is worth pointing out that the attack described in Section 4 also applies to the protocol by Hong et al. [8], which Zawadzki [7] modifies. In more detail, the protocol in [8] is similar to Zawadzki's but does not use a hash function. Instead, Alice transmits the qubits sequentially and, before sending each qubit, randomly decides whether she is going to use security mode or authentication mode. In the first case she sends a decoy state, while in the second a qubit encoding two bits of the authentication string is sent, similarly to [7]. After Bob's reception, Alice announces which mode she has just used. Therefore an adversary using the same strategy described in our attack in Section 4, collecting the information obtained whenever Alice announces authentication mode, will be able to shrink the size of the key space in the same way we have previously stated.

On the other hand, other quantum identification protocols proposed in the literature are neither vulnerable to our attack nor in contradiction with the impossibility results mentioned in Section 2. For instance, some of them [4,5,21] are aided by the presence of a trusted third party and are therefore not genuine two-party protocols. Another type of protocol, such as [22–24], makes use of an entangled quantum state shared between both parties. In [22], the users additionally share a bitstring used as a password; both parties measure their part of the entangled state to produce a one-time key that one of the users XORs with the password and sends the result to the other, who checks for consistency. The downside of this approach is that to repeat the identification process the parties need to be provided again with new entangled states. In [23,24], the users do not share any classical secret; they just use the entangled state to identify themselves.

#### **6. Conclusions**

The protocol given by Zawadzki in [7] may be secure against hash preimage attacks when attempting to find an exact match; however, when considering impossible results from quantum measurements we see that some hashed key values are not possible. Proverbially, the forest may be secure, but each of the trees reveals enough information to reconstruct the possible forests. By eliminating approximately one quarter of the key options for each qubit, we see that measuring all the individual qubits in a random basis does in fact reveal a great deal about the key. This attack does not require quantum memory but rather relies heavily on classical computational power. Hence, unlike [25,26], where the authors consider a bounded quantum storage model, the only way to make this protocol secure without greatly changing its construction is to constrain adversarial computational power.

No solution is presented to the problem outlined in this paper. The reason for this is that any solution presented which does not impose more fundamental restrictions such as limited quantum memory or polynomial time restriction will inevitably fail due to the results of Lo [15], Colbeck [16] and Buhrman et al. [17]. Regardless of the restriction imposed, implementation of this and any other "prepare and measure" authentication scheme must find a way to contend with key space reductions posed by conclusive exclusion.

**Author Contributions:** Conceptualization—all authors equally; original draft preparation—F.J.; review, editing and final draft writing—all authors equally. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research was sponsored in part by the NATO Science for Peace and Security Programme under grant G5448, in part by Spanish MINECO under grants MTM2016-77213-R and MTM2017-88385-P, and in part by Programa Propio de I+D+i of the Universidad Politécnica de Madrid.

**Conflicts of Interest:** The authors declare no conflict of interest.


# *Article* **Phase-Matching Quantum Key Distribution with Discrete Phase Randomization**

**Xiaoxu Zhang 1,2,3, Yang Wang 1,2,\*, Musheng Jiang 1,2, Yifei Lu 1,2, Hongwei Li 1,2, Chun Zhou 1,2 and Wansu Bao 1,2**


**Abstract:** The twin-field quantum key distribution (TF-QKD) protocol and its variations have been proposed to overcome the linear Pirandola–Laurenza–Ottaviani–Banchi (PLOB) bound. One variation, the phase-matching QKD (PM-QKD) protocol, employs discrete phase randomization and the phase post-compensation technique to improve the key rate quadratically. However, the discrete phase randomization opens a loophole that threatens the actual security. In this paper, we first introduce the unambiguous state discrimination (USD) measurement and the photon-number-splitting (PNS) attack against PM-QKD with imperfect phase randomization. Then, we prove the rigorous security of decoy state PM-QKD with discrete phase randomization. Simulation results show that, considering the intrinsic bit error rate and sifting factor, there is an optimal number of discrete phases that guarantees security and performance. Furthermore, as the number of discrete phases increases, the key rate obtained with vacuum and one decoy state approaches that of infinite decoy states, and the key rates of discrete and continuous phase randomization are almost the same.

**Keywords:** twin-field quantum key distribution; phase-matching; discrete phase randomization; intrinsic bit error rate

#### **1. Introduction**

Quantum key distribution (QKD) can offer information-theoretically secure means to distribute secret keys between two remote parties [1], but its performance is restricted by the fundamental rate-loss limit [2,3]. Recently, a novel twin-field QKD (TF-QKD) protocol [4] was proposed to surpass the linear Pirandola–Laurenza–Ottaviani–Banchi (PLOB) bound [2]; its key rate scales with the square root of the channel transmittance, *R* ∼ *O*(√*η*). However, the security proof was not completed in the original TF-QKD protocol [4]. In order to present a more rigorous security proof, various variations [5–10] of the original TF-QKD protocol have been proposed. Related experimental works have also been extensively studied [11–20].

All of these variant TF-QKD protocols have their own advantages. The no-phase-post-selection TF-QKD (NPP-TF-QKD) protocol [5,6] provides better key rate performance at short-to-mid distances, but it needs phase locking and pre-phase feedback in the experiment, so it is hard to implement [5,6,21]. The sending-or-not-sending TF-QKD (SNS-TF-QKD) protocol [10] can tolerate large misalignment errors and provides better performance at long distances [10,21]. The phase-matching QKD (PM-QKD) protocol [8] needs no phase locking, using phase slices instead, and employs a phase post-compensation technique, so it can be easily implemented experimentally without pre-phase feedback [13,21].

**Citation:** Zhang, X.; Wang, Y.; Jiang, M.; Lu, Y.; Li, H.; Zhou, C.; Bao, W. Phase-Matching Quantum Key Distribution with Discrete Phase Randomization. *Entropy* **2021**, *23*, 508. https://doi.org/10.3390/e23050508

Academic Editor: Ivan B. Djordjevic

Received: 12 March 2021 Accepted: 21 April 2021 Published: 23 April 2021

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

In reality, the decoy state method is adopted to ensure the security of the imperfect single photon source [22–25] in the actual QKD system. An important theoretical premise and assumption of the method is that the global phase of coherent sources should be continuously randomized [26–28]. However, perfect phase randomization is very difficult to achieve. In an actual experiment, there are two means to randomize the global phase. One is to turn the laser on and off by controlling the current, but it is not suitable for PM-QKD with the phase post-compensation technique: the reason is that we do not know the precise phase slices. Moreover, experiments show that residual phase correlations may exist between adjacent pulses [29]. The other is to actively modulate the phase of the coherent source with a phase modulator driven by a true random number generator; this method is suitable for PM-QKD, but the phase randomization is not continuous. Thus, neither of these two means satisfies the assumption of the decoy state method, which may introduce a potential loophole that threatens the security of the actual protocol [30]. Then, the unambiguous state discrimination (USD) measurement [31] and the photon-number-splitting (PNS) attack [32] can be used against the imperfect phase randomization.

An earlier security analysis of discrete phase randomization appears for decoy state Bennett–Brassard-1984 (BB84) in Reference [33], which points out that when the number of discrete phase values is larger, the performance of discrete phase randomization is close to that of continuous phase randomization, and the number is said to be ten [33]. Similar security analysis methods are used for several other protocols: the measurement-device-independent (MDI) QKD in Reference [34], the NPP-TF-QKD in References [35,36], the SNS-TF-QKD in Reference [37], and the PM-QKD in Reference [38]. Therein, Reference [38] uses a different security proof method from Reference [8], and there is no in-depth formula derivation for decoy state PM-QKD with discrete phase randomization. In this paper, we focus on these discrete global phase randomization issues in the PM-QKD protocol [39], study a concrete attack against PM-QKD with imperfect phase randomization, apply the decoy-state method to derive the single photon yield formula to exhibit the performance of the key rate, and compare the yield difference between continuous phase randomization and discrete phase randomization.

The paper is arranged as follows: in Section 2, we review the PM-QKD protocol in detail and, based on the security analysis of symmetric-encoding PM-QKD, estimate the overall phase error rate. In Section 3, we show a concrete attack against PM-QKD with imperfect phase randomization. In Section 4, we show how to apply the decoy-state method to obtain the upper bound of the phase-flip error rate with discrete phase randomization; moreover, the yield difference between continuous and discrete phase randomization is also studied in this section. The numerical simulation results are shown in Section 5, and then we conclude in Section 6.

#### **2. The Protocol of PM-QKD**

We employ an attenuated laser as the single photon source, which is described by a coherent state. When the global phase of the coherent state is continuously randomized, it is equivalent to a mixture of Fock states with the photon number distribution

$$P_{j|\alpha} = e^{-\alpha} \frac{\alpha^j}{j!} \tag{1}$$

In this section, we review the PM-QKD protocol, and without considering the security effects of discrete phase randomization, Equation (1) is used for formula derivation.

#### *2.1. Protocol Description*

The implementation process of the PM-QKD is similar to Reference [39].

• State preparation. In each round, the coherent state $\left|\sqrt{\alpha_{\rm A}}\, e^{i(\pi\kappa_{\rm A} + \frac{2\pi}{D} d_{\rm A})}\right\rangle$ is prepared by Alice, where the intensity *α*<sub>A</sub> ∈ {*μ*<sub>A</sub>, *ν*<sub>A</sub>, *ω*<sub>A</sub>}, *μ*<sub>A</sub> is the signal state, *ν*<sub>A</sub> is the decoy state, *ω*<sub>A</sub> is the vacuum state, the random key bit *κ*<sub>A</sub> ∈ {0, 1}, the discrete phase randomization number *d*<sub>A</sub> is randomly chosen from {0, 1, ··· , *D* − 1}, and *D* is the maximum number of discrete phases modulated by Alice; for simplicity, assume *D* is an even number. Similarly, Bob prepares the coherent state $\left|\sqrt{\alpha_{\rm B}}\, e^{i(\pi\kappa_{\rm B} + \frac{2\pi}{D} d_{\rm B})}\right\rangle$, where *α*<sub>A</sub> = *α*<sub>B</sub> = *α*/2 ∈ {*μ*/2, *ν*/2, *ω*/2}.


#### *2.2. Phase Error Estimation*

The security analysis of the asymptotic case is considered, so there are no statistical fluctuations. The analysis method of the phase error rate that we use comes from [39], which offers an important new viewpoint on QKD security, establishing the relationship between symmetric encoding and privacy via the standard phase-error-correction approach [40]; we summarize it briefly as follows.

If the joint state *ρ*<sub>AB</sub> is a pure even or odd state, the symmetric encoding PM-QKD protocol is perfectly private and the phase error rate *E<sub>ph</sub>* = 0; if the joint state *ρ*<sub>AB</sub> is a mixture of even and odd states, *ρ*<sub>AB</sub> = *P<sub>odd</sub>ρ<sub>odd</sub>* + *P<sub>even</sub>ρ<sub>even</sub>*, the phase error rate *E<sub>ph</sub>* ≠ 0, and the effective detection ratios of the odd and even components of the signal state are estimated by [39]

$$\begin{aligned} q_{odd|\mu} &= P_{odd|\mu} \frac{Y_{odd|\mu}}{Q_{\mu}}\\ q_{even|\mu} &= P_{even|\mu} \frac{Y_{even|\mu}}{Q_{\mu}} \end{aligned} \tag{2}$$

where *Q<sub>μ</sub>* = *P*<sub>odd|μ</sub>*Y*<sub>odd|μ</sub> + *P*<sub>even|μ</sub>*Y*<sub>even|μ</sub> is the total gain of the mixed signal state *ρ*<sub>AB</sub>, *Y*<sub>odd|μ</sub> and *Y*<sub>even|μ</sub> are the yields of the odd signal state *ρ<sub>odd</sub>* and the even signal state *ρ<sub>even</sub>*, respectively, and *P*<sub>odd|μ</sub> and *P*<sub>even|μ</sub> are the signal state probabilities of odd and even photon numbers.

The overall phase error rate comes from the even components, which is estimated by [39]

$$E_{ph} = P_{\text{even}|\mu} \frac{Y_{\text{even}|\mu}}{Q_{\mu}} \tag{3}$$

where *P*<sub>even|μ</sub> is given by the above section and *Q<sub>μ</sub>* is given by the experimental results; the important task is to estimate the parameter *Y*<sub>even|μ</sub>.

For simplicity, we use phase-matched pairs and discard phase-mismatched pairs, so the upper bound of the phase error rate of the signal state is

$$E_{ph} \le 1 - q_{1|\mu} \tag{4}$$

where *q*<sub>1|μ</sub> = *P*<sub>1|μ</sub>*Y*<sub>1|μ</sub>/*Q<sub>μ</sub>*. According to the above discussion, we get the final secure key rate by

$$R_f = \frac{2}{D} Q_\mu [1 - H_2(E_{ph}) - fH_2(E_\mu)] \tag{5}$$

where *Q<sub>μ</sub>* is the total gain of the signal state, *E<sub>ph</sub>* is the phase error rate of the signal state, *E<sub>μ</sub>* is the bit error rate of the signal state, *f* is the error correction efficiency, and *H*<sub>2</sub>(*x*) = −*x* log<sub>2</sub>(*x*) − (1 − *x*) log<sub>2</sub>(1 − *x*) is the binary entropy function.

#### **3. Attack PM-QKD with Imperfect Phase Randomization**

Consider the extreme case in which Eve knows the exact phases of the signal and decoy states, i.e., there is no phase randomization; the PM-QKD protocol then has a serious security loophole. Because the signal state and the decoy state are not orthogonal, Eve can use USD measurement to distinguish the signal state from the decoy state with probability *q* < 1. The optimal success probability [41] of USD measurement on each side is $q_{opt} = 1 - e^{-|\sqrt{\mu}-\sqrt{\nu}|^2/4}$, which is obtained by performing a positive operator valued measurement. After performing the USD measurement, Eve measures the number of photons in the pulse and performs a PNS attack.

For the sake of simplicity, we neglect the dark count and the misalignment error, and only consider the channel loss. Without attacking, the gains of the signal state and decoy state are

$$\begin{aligned} Q_{\mu} &= 1 - e^{-\eta \mu} \\ Q_{\nu} &= 1 - e^{-\eta \nu} \end{aligned} \tag{6}$$

where *η* is the channel loss.

Under the PNS attack, the gains of the signal state and decoy state are

$$\begin{aligned} Q^{\text{attack}}_{\mu} &= \sum_{j=1}^{\infty} q_{opt}^{2} Z_{j}^{\mu} e^{-\mu} \frac{\mu^{j}}{j!} \\ Q^{\text{attack}}_{\nu} &= \sum_{j=1}^{\infty} q_{opt}^{2} Z_{j}^{\nu} e^{-\nu} \frac{\nu^{j}}{j!} \end{aligned} \tag{7}$$

where $Z_j^{\mu}$ and $Z_j^{\nu}$ represent the probability that Eve forwards *j* photons for the signal state and the decoy state, respectively, with *j* the sum of the photons on both sides.

The simplified upper bound on the key rate under the PNS attack is

$$R^{u} = R_{\rm PNS} = \sum_{j=1}^{\infty} q_{opt}^{2} Z_{j}^{\mu} e^{-\mu} \frac{\mu^{j}}{j!} [1 - H_{2}(E_{ph})] \tag{8}$$

The lower bound of the simplified Equation (5) is

$$R_{\rm PM}^{l} = R_{\rm PM} = Q_{\mu} [1 - H_2(E_{ph})] \tag{9}$$

Combining the USD measurement with the PNS attack, the final key rate of a system without phase randomization is vulnerable. Eve can optimize $Z_j^{\mu}$ so that $R^{l}_{\rm PM} > R^{u}$, especially for long-distance communication: since the channel loss is large enough, she can block single photons and release multi-photon pulses. Then the key rate will be higher than the secure key rate, and information will leak out. Hence, Eve's goal is to minimize $R^{u}$.

It is worth noting that the attack scheme combining USD measurement and the PNS attack requires quantum non-demolition measurement [42] of photon numbers, a lossless channel and the ability to control detector efficiency, all of which are beyond current technology. Ma adopts the beam splitting (BS) attack [43] in Reference [8]. We briefly present his results as follows.

Ma [8] points out that, under the BS attack, the probability of successfully distinguishing the states is $P_{\rm suc} = 1 - e^{-(1-\eta)\mu}$. The simplified key rate of PM-QKD is lower bounded by

$$R_{\rm BS}^l = Q_{\mu} e^{-2(1-\eta)\mu} \tag{10}$$

Ma [8] supposes that the photon number channel model holds in PM-QKD; then the Gottesman–Lo–Lütkenhaus–Preskill (GLLP) [26] analysis can be used to obtain the formula

$$R_{\rm GLLP} = Q_{1|\mu}[1 - H_2(E_{1|\mu}^{\rm ph})] - Q_{\mu} f H_2(E_{\mu}) \tag{11}$$

where $Q_{1|\mu}$ is the gain of the single photon signal state and $E^{\rm ph}_{1|\mu}$ is its phase error rate.

Since the yield is $Y_j = 1 - (1-\eta)^j$, the simplified GLLP key rate is lower bounded by

$$R_{\rm GLLP}^l = R_{\rm GLLP} = Q_{1|\mu} = \eta \mu e^{-\mu} \tag{12}$$

The final results show that when *η* is smaller than a certain value, the GLLP formula cannot hold under the BS attack, so the photon number channel model is invalid. Fortunately, the PM formula can defend against the BS attack, with the precondition that the intensity must be weaker.
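The following added example (not the paper's code) evaluates Equations (6), (10) and (12) numerically to locate the transmittance below which the GLLP formula cannot hold. Its criterion is an assumption made here: the GLLP lower bound is treated as inconsistent with the BS attack whenever it exceeds $R_{\rm BS}^l$, the rate the attack still allows; the intensities μ = 0.1 and ν = 0.02 are constructed sample values.

```python
import math


def gain(eta: float, mu: float) -> float:
    """Total gain of the signal state without attack, Equation (6):
    Q_mu = 1 - exp(-eta*mu), with dark counts and misalignment neglected."""
    return 1.0 - math.exp(-eta * mu)


def usd_success(mu: float, nu: float) -> float:
    """Optimal USD success probability on one side for two coherent states
    with known phase: q_opt = 1 - exp(-|sqrt(mu) - sqrt(nu)|^2 / 4)."""
    return 1.0 - math.exp(-abs(math.sqrt(mu) - math.sqrt(nu)) ** 2 / 4.0)


def bs_success(eta: float, mu: float) -> float:
    """Ma's probability of distinguishing the states under the BS attack,
    P_suc = 1 - exp(-(1-eta)*mu): the tapped-off fraction of the pulse."""
    return 1.0 - math.exp(-(1.0 - eta) * mu)


def r_bs_lower(eta: float, mu: float) -> float:
    """Lower bound of the simplified PM-QKD key rate under the BS attack,
    Equation (10): R_BS^l = Q_mu * exp(-2(1-eta)mu)."""
    return gain(eta, mu) * math.exp(-2.0 * (1.0 - eta) * mu)


def r_gllp_lower(eta: float, mu: float) -> float:
    """Simplified GLLP key rate, Equation (12): R_GLLP^l = Q_{1|mu}
    = eta * mu * exp(-mu), obtained from Y_j = 1 - (1-eta)^j."""
    return eta * mu * math.exp(-mu)


def gllp_violated(eta: float, mu: float) -> bool:
    """Assumption of this example: the photon-number channel model is
    'invalid' when GLLP promises more key than the BS-attack bound allows."""
    return r_gllp_lower(eta, mu) > r_bs_lower(eta, mu)


def crossover_eta(mu: float, steps: int = 10000):
    """Smallest transmittance on a grid at which GLLP stops exceeding the
    BS bound; for every smaller eta the GLLP formula cannot hold."""
    for i in range(1, steps + 1):
        eta = i / steps
        if not gllp_violated(eta, mu):
            return eta
    return None


def sweep(mu: float, etas) -> list:
    """Rows (eta, Q_mu, R_BS^l, R_GLLP^l, violated) for a quick table."""
    return [(eta, gain(eta, mu), r_bs_lower(eta, mu), r_gllp_lower(eta, mu),
             gllp_violated(eta, mu)) for eta in etas]


if __name__ == "__main__":
    MU, NU = 0.1, 0.02  # constructed sample intensities
    print("USD success per side q_opt = %.5f" % usd_success(MU, NU))
    for row in sweep(MU, [0.1, 0.3, 0.5, 0.7, 0.9]):
        print("eta=%.1f Q=%.5f R_BS=%.5f R_GLLP=%.5f GLLP exceeds BS bound: %s" % row)
    print("crossover eta for mu=%.2f: %s" % (MU, crossover_eta(MU)))
```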

#### **4. The PM-QKD with Discrete Phase Modulation of Coherent State Sources**

In this section, we introduce the security analysis of discrete phase randomized PM-QKD. Then, we apply the decoy-state method to derive the single photon yield formula. Finally, we compare the yield difference between continuous phase randomization and discrete phase randomization.

#### *4.1. Coherent State with Discrete Phase Randomization*

For the coherent state with discrete phase randomization, the joint state of Alice and Bob of PM-QKD is as follows

$$|\psi\rangle\_{\rm AB} = \sum\_{d\_{\rm A}=0}^{D-1} \left| \sqrt{\alpha\_{\rm A}}\, e^{i(\pi \kappa\_{\rm A} + \frac{2\pi}{D} d\_{\rm A})} \right\rangle\_{\rm A} \left| \sqrt{\alpha\_{\rm B}}\, e^{i(\pi \kappa\_{\rm B} + \frac{2\pi}{D} d\_{\rm B})} \right\rangle\_{\rm B} \tag{13}$$

where $\kappa\_{\rm A}, \kappa\_{\rm B} \in \{0, 1\}$ and $|d\_{\rm A} - d\_{\rm B} - d\_\delta| \bmod D = 0$ or $|d\_{\rm A} - d\_{\rm B} - d\_\delta| \bmod D = D/2$.

Considering the simple case $d\_\delta = 0$, we have $|d\_{\rm A} - d\_{\rm B}| = 0$ or $|d\_{\rm A} - d\_{\rm B}| = D/2$. Now, the density matrix can be written as

$$\begin{split} \rho\_{\rm AB}^{D} &= \frac{1}{D} \sum\_{d\_{\rm A}=0}^{D-1} \left| \sqrt{\alpha\_{\rm A}}\, e^{i(\pi \kappa\_{\rm A} + \frac{2\pi}{D} d\_{\rm A})} \right\rangle\_{\rm A} \left\langle \sqrt{\alpha\_{\rm A}}\, e^{-i(\pi \kappa\_{\rm A} + \frac{2\pi}{D} d\_{\rm A})} \right| \\ &\quad \otimes \left| \sqrt{\alpha\_{\rm B}}\, e^{i(\pi \kappa\_{\rm B} + \frac{2\pi}{D} d\_{\rm B})} \right\rangle\_{\rm B} \left\langle \sqrt{\alpha\_{\rm B}}\, e^{-i(\pi \kappa\_{\rm B} + \frac{2\pi}{D} d\_{\rm B})} \right| \\ &= \sum\_{j=0}^{D-1} P\_{j|\alpha}^{D} \left| \lambda\_{j|\alpha}^{D} \right\rangle\_{\rm AB} \left\langle \lambda\_{j|\alpha}^{D} \right| \end{split} \tag{14}$$

where

$$P^D\_{j|\alpha} = \sum\_{l=0}^{\infty} e^{-\alpha}\frac{\alpha^{lD+j}}{(lD+j)!}, \qquad \left|\lambda^D\_{j|\alpha}\right\rangle\_{\rm AB} = \frac{e^{-\alpha/2}}{\sqrt{P^D\_{j|\alpha}}} \sum\_{l=0}^{\infty} \frac{(\sqrt{\alpha})^{lD+j}}{\sqrt{(lD+j)!}}\,|lD+j\rangle\_{\rm AB},$$

with $|lD+j\rangle\_{\rm AB} = \frac{1}{\sqrt{2^{lD+j}(lD+j)!}}\,(a^\dagger \pm b^\dagger)^{lD+j}\,|00\rangle\_{\rm AB}$.

In our security analysis with discrete phase randomization, we modify the final secure key rate Equation (5) to

$$R\_f = \frac{2}{D} Q\_{\mu} [1 - H\_{\text{2}}(E\_{ph}^D) - f H\_{\text{2}}(E\_{\mu})] \tag{15}$$

where the upper bound of the phase error rate $E^D\_{\rm ph}$ comes from the signal state, $E^D\_{\rm ph} \le 1 - q^D\_{1|\mu}$, with $q^D\_{1|\mu} = P^D\_{1|\mu} Y^D\_{1|\mu}/Q\_\mu$. The bit error rate $E\_\mu$ and the gain $Q\_\mu$ remain the same.

#### *4.2. The Decoy-State Method*

In discrete phase randomized PM-QKD, we estimate the yield $Y^D\_{1|\mu}$ of the single-photon signal state. We use the vacuum and one decoy state, similar to the BB84 decoy-state analysis [24].

We know that, in the security proof of the decoy state method with continuous phase randomization, there is an important assumption

$$Y\_{j|{\rm signal}} = Y\_{j|{\rm decoy}} \tag{16}$$

However, this assumption does not strictly hold under discrete phase randomization, $Y^D\_{j|{\rm signal}} \neq Y^D\_{j|{\rm decoy}}$; the reason lies in

$$\left|\lambda\_{j\mid\mu}^{D}\right\rangle \neq \left|\lambda\_{j\mid\nu}^{D}\right\rangle\tag{17}$$

Using the properties of the trace distance, the difference of yields for different intensities can be estimated as [33]

$$\left| Y\_{j\mid\mu}^{D} - Y\_{j\mid\nu}^{D} \right| \le \sqrt{1 - \left( F\_{j\mid\mu\nu}^{D} \right)^{2}} \tag{18}$$

where

$$F^D\_{j|\mu\nu} = \frac{\sum\_{l=0}^{\infty} \frac{(\mu\nu)^{(lD+j)/2}}{(lD+j)!}}{\sqrt{\sum\_{l=0}^{\infty} \frac{\mu^{lD+j}}{(lD+j)!}\;\sum\_{l=0}^{\infty} \frac{\nu^{lD+j}}{(lD+j)!}}}$$

is the fidelity of $|\lambda^D\_{j|\mu}\rangle$ and $|\lambda^D\_{j|\nu}\rangle$.

The estimation of the yield $Y^D\_{1|\mu}$ is similar to the continuous phase randomization case. The gain equations can be written as

$$\begin{aligned} Q\_{\mu} &= \sum\_{j=0}^{D-1} P\_{j|\mu}^{D} Y\_{j|\mu}^{D} \\ Q\_{\nu} &= \sum\_{j=0}^{D-1} P\_{j|\nu}^{D} Y\_{j|\nu}^{D} = \sum\_{j=0}^{D-1} P\_{j|\nu}^{D} Y\_{j|\mu}^{D} + \sum\_{j=0}^{D-1} P\_{j|\nu}^{D} (Y\_{j|\nu}^{D} - Y\_{j|\mu}^{D}) \end{aligned} \tag{19}$$

We have

$$\begin{split} Y\_{1|\mu}^{D} &= \Big[ P\_{2|\mu}^{D} Q\_{\nu} - P\_{2|\nu}^{D} Q\_{\mu} - (P\_{2|\mu}^{D} P\_{0|\nu}^{D} - P\_{0|\mu}^{D} P\_{2|\nu}^{D}) Y\_{0|\mu}^{D} \\ &\quad - P\_{2|\mu}^{D} \sum\_{j=0}^{D-1} P\_{j|\nu}^{D} (Y\_{j|\nu}^{D} - Y\_{j|\mu}^{D}) - \sum\_{j\geq 3}^{\infty} (P\_{2|\mu}^{D} P\_{j|\nu}^{D} - P\_{j|\mu}^{D} P\_{2|\nu}^{D}) Y\_{j|\mu}^{D} \Big] \\ &\quad \Big/ (P\_{2|\mu}^{D} P\_{1|\nu}^{D} - P\_{1|\mu}^{D} P\_{2|\nu}^{D}) \end{split} \tag{20}$$

with $\sum\_{j\geq 3}^{\infty} (P^D\_{2|\mu} P^D\_{j|\nu} - P^D\_{j|\mu} P^D\_{2|\nu}) Y^D\_{j|\mu} \le 0$, $Y^D\_{0|\mu} \le Q\_\omega / P^D\_{0|\omega} + \sqrt{1 - (F^D\_{0|\mu\omega})^2}$ and $\sum\_{j=0}^{D-1} P^D\_{j|\nu}(Y^D\_{j|\nu} - Y^D\_{j|\mu}) \le \sum\_{j=0}^{D-1} P^D\_{j|\mu} \sqrt{1 - (F^D\_{j|\mu\nu})^2}$.

Then

$$Y\_{1|\mu}^{D} \ge \frac{P\_{2|\mu}^{D} Q\_{\nu} - P\_{2|\nu}^{D} Q\_{\mu} - (P\_{2|\mu}^{D} P\_{0|\nu}^{D} - P\_{0|\mu}^{D} P\_{2|\nu}^{D}) Y\_{0|\mu}^{D} - P\_{2|\mu}^{D} \sum\_{j=0}^{D-1} P\_{j|\mu}^{D} \sqrt{1 - \left(F\_{j|\mu\nu}^{D}\right)^{2}}}{P\_{2|\mu}^{D} P\_{1|\nu}^{D} - P\_{1|\mu}^{D} P\_{2|\nu}^{D}} \tag{21}$$

#### *4.3. The Yield Difference between Continuous and Discrete Phase Randomization*

To compare the yield difference of continuous phase randomization and discrete phase randomization, the density matrix of the continuous phase randomization can be written as

$$\begin{split} \rho\_{\rm AB} &= \frac{1}{2\pi} \int\_0^{2\pi} \left| \sqrt{\alpha\_{\rm A}}\, e^{i(\pi \kappa\_{\rm A} + \varphi\_{\rm A})} \right\rangle\_{\rm A} \left\langle \sqrt{\alpha\_{\rm A}}\, e^{-i(\pi \kappa\_{\rm A} + \varphi\_{\rm A})} \right| \\ &\quad \otimes \left| \sqrt{\alpha\_{\rm B}}\, e^{i(\pi \kappa\_{\rm B} + \varphi\_{\rm B})} \right\rangle\_{\rm B} \left\langle \sqrt{\alpha\_{\rm B}}\, e^{-i(\pi \kappa\_{\rm B} + \varphi\_{\rm B})} \right| \, d\varphi\_{\rm A} \\ &= \sum\_{j=0}^{\infty} P\_{j|\alpha} \left| j \right\rangle\_{\rm AB} \left\langle j \right| \end{split} \tag{22}$$

where the general Poisson distribution $P\_{j|\alpha}$ is given by Equation (1), with $|j\rangle\_{\rm AB} = \frac{1}{\sqrt{2^j j!}}\,(a^\dagger \pm b^\dagger)^j\,|00\rangle\_{\rm AB}$.

In the ideal case $D \to \infty$, the state $|\lambda^D\_{j|\alpha}\rangle\_{\rm AB}$ coincides with $|j\rangle\_{\rm AB}$. In the security analysis, the fidelity $F^{C,D}\_{j|\alpha}$ between $|j\rangle\_{\rm AB}$ and $|\lambda^D\_{j|\alpha}\rangle\_{\rm AB}$ is given by

$$\begin{split} F\_{j|\alpha}^{\rm C,D} &= F\left( |j\rangle\_{\rm AB}, \left| \lambda\_{j|\alpha}^{D} \right\rangle\_{\rm AB} \right) = \frac{\left| \left\langle j \middle| \lambda\_{j|\alpha}^{D} \right\rangle\_{\rm AB} \right|}{\sqrt{\langle j | j \rangle\_{\rm AB} \left\langle \lambda\_{j|\alpha}^{D} \middle| \lambda\_{j|\alpha}^{D} \right\rangle\_{\rm AB}}} \\ &= 1 \Bigg/ \left[ \frac{e^{-\alpha/2}}{\sqrt{P\_{j|\alpha}^{D}}} \sum\_{l=0}^{\infty} \frac{\left( \sqrt{\alpha} \right)^{lD+j}}{\sqrt{(lD+j)!}} \right] \end{split} \tag{23}$$

which is related to the intensity *α*, photon number *j* and discrete phase numbers *D*. Therefore, the yield difference is bounded by

$$\left| Y\_{j|\alpha} - Y\_{j|\alpha}^D \right| \le \sqrt{1 - F\_{j|\alpha}^{C,D}} = \sqrt{1 - 1 \Bigg/ \left[ \frac{e^{-\alpha/2}}{\sqrt{P\_{j|\alpha}^D}} \sum\_{l=0}^{\infty} \frac{\left( \sqrt{\alpha} \right)^{lD + j}}{\sqrt{(lD + j)!}} \right]} \tag{24}$$

#### **5. Numerical Results**

Let us suppose that the transmittances between Alice/Bob and Charlie are $\eta\_{\rm A} = \eta\_{\rm B} = \eta\_f$ and the detection efficiency of the detectors is $\eta\_d$; after the channel and detection losses, $\eta = \eta\_f \eta\_d$, and the detection click probabilities are given by

$$\begin{aligned} P\_\alpha(\bar L) &= (1 - p\_d)\, e^{-\eta \alpha \cos^2 \frac{\varphi\_{\rm AB}}{2}} \\ P\_\alpha(L) &= 1 - P\_\alpha(\bar L) \\ P\_\alpha(\bar R) &= (1 - p\_d)\, e^{-\eta \alpha \sin^2 \frac{\varphi\_{\rm AB}}{2}} \\ P\_\alpha(R) &= 1 - P\_\alpha(\bar R) \end{aligned} \tag{25}$$

where $P\_\alpha(L)/P\_\alpha(R)$ and $P\_\alpha(\bar L)/P\_\alpha(\bar R)$ are the probabilities of an L/R click and of no L/R click, respectively, and $\varphi\_{\rm AB}$ is the phase mismatch between Alice and Bob.

Due to the discrete phase randomization, we obtain $D$ phase slices. Although we keep the phase-matched pairs and discard all of the others, there is still an intrinsic bit error rate [4], $E\_D = \frac{D}{2\pi} \int\_0^{2\pi/D} \sin^2 \frac{\varphi\_{\rm AB}}{2}\, d\varphi\_{\rm AB}$. Significantly, this is very different from the BB84 protocol, where the global phase mismatch is $\varphi\_{\rm AB} = 0$. When we use discrete phase randomization, we must consider the intrinsic bit error rate, which strongly affects both the bit error rate and the phase error rate.

The error gain can be given by

$$\begin{split} Q\_\alpha^E &= \frac{D}{2\pi} \int\_0^{\frac{2\pi}{D}} P\_\alpha(R) P\_\alpha(\bar L)\, d\varphi\_{\rm AB} \\ &= \frac{D}{2\pi} \int\_0^{\frac{2\pi}{D}} (1 - p\_d)\, e^{-\eta \alpha \cos^2 \frac{\varphi\_{\rm AB}}{2}}\, d\varphi\_{\rm AB} - (1 - p\_d)^2 e^{-\eta \alpha} \end{split} \tag{26}$$

We can derive the total gain $Q\_\alpha$ as

$$\begin{split} Q\_\alpha &= \frac{D}{2\pi} \int\_0^{\frac{2\pi}{D}} [P\_\alpha(L)P\_\alpha(\bar R) + P\_\alpha(R)P\_\alpha(\bar L)]\, d\varphi\_{\rm AB} \\ &= \frac{D}{2\pi} \int\_0^{\frac{2\pi}{D}} (1 - p\_d)\, e^{-\eta \alpha \sin^2 \frac{\varphi\_{\rm AB}}{2}}\, d\varphi\_{\rm AB} - (1 - p\_d)^2 e^{-\eta \alpha} + Q\_\alpha^E \end{split} \tag{27}$$

The bit error rate of the signal states is given by

$$E\_\mu = \frac{Q\_\mu^E (1 - 2 e\_{\rm opt}) + e\_{\rm opt} Q\_\mu}{Q\_\mu} \tag{28}$$

The simulation parameters are listed in Table 1.

**Table 1.** List of parameters used in the numerical simulations. Here $p\_d$ is the dark count rate; $e\_{\rm opt}$ is the misalignment error probability of the system; $\eta\_d$ is the detection efficiency; $f$ is the error correction efficiency; $\eta\_f$ is the transmission fiber loss coefficient (dB/km).
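As an added worked example (not code from the paper), the following Python script assembles the model of Sections 4.2, 4.3 and 5 into a key-rate calculation: the distribution $P^D\_{j|\alpha}$ of Equation (14), the fidelities of Equations (18) and (23), the click probabilities and gains of Equations (25)–(28), the vacuum-plus-one-decoy bound on $Y^D\_{1|\mu}$ of Equation (21) and the rate $R\_f$ of Equation (15). Since Table 1 is not reproduced above, every parameter value in the script is an assumed one, as are the geometry (Charlie midway between Alice and Bob) and the reading of $\mu, \nu$ as the total intensity of the joint state, so its numbers are not those of Figures 1–3.

```python
"""PM-QKD with discrete phase randomization: key-rate model of Sections 4 and 5.

Added worked example, not the authors' code. All parameter values are assumed
(Table 1 is not reproduced), as are Charlie sitting midway and mu, nu denoting the
total intensity of the joint Alice+Bob state (the convention Eq. 25 implies).
"""
import math

# Assumed simulation parameters (Table 1 is not reproduced in the text).
P_DARK, E_OPT = 1e-7, 0.01                 # p_d dark count prob., e_opt misalignment error
ETA_D, F_EC, LOSS_DB_KM = 0.5, 1.15, 0.2   # eta_d detector eff., f EC inefficiency, dB/km
MU, NU, OMEGA = 0.1, 0.01, 0.0             # signal, decoy and vacuum intensities
L_TERMS, N_GRID = 20, 2000                 # terms kept in sums over l; grid for phi_AB integrals


def _weight(alpha, k):
    """alpha^k / k! in log space (0^0 = 1 covers the vacuum state)."""
    if alpha == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(alpha) - math.lgamma(k + 1))


def p_discrete(j, alpha, d):
    """P^D_{j|alpha} = sum_l e^{-alpha} alpha^{lD+j} / (lD+j)!  (Eq. 14)."""
    return math.exp(-alpha) * sum(_weight(alpha, l * d + j) for l in range(L_TERMS))


def fidelity(j, mu, nu, d):
    """F^D_{j|mu nu}: overlap of |lambda^D_{j|mu}> and |lambda^D_{j|nu}> (Eq. 18)."""
    ks = [l * d + j for l in range(L_TERMS)]
    num = sum(_weight(math.sqrt(mu * nu), k) for k in ks)
    den = math.sqrt(sum(_weight(mu, k) for k in ks) * sum(_weight(nu, k) for k in ks))
    return num / den


def fidelity_cd(j, alpha, d):
    """F^{C,D}_{j|alpha} between |j> and |lambda^D_{j|alpha}>, as printed in Eq. (23)."""
    s = sum(math.sqrt(_weight(alpha, l * d + j)) for l in range(L_TERMS))
    return 1.0 / (math.exp(-alpha / 2) / math.sqrt(p_discrete(j, alpha, d)) * s)


def slice_average(func, d):
    """(D/2pi) * int_0^{2pi/D} func(phi) dphi, by the midpoint rule."""
    h = 2 * math.pi / d / N_GRID
    return sum(func((i + 0.5) * h) for i in range(N_GRID)) / N_GRID


def intrinsic_error(d):
    """Intrinsic bit error rate E_D of one phase slice of width 2pi/D (Section 5)."""
    return slice_average(lambda phi: math.sin(phi / 2) ** 2, d)


def gains(alpha, eta, d):
    """Total gain Q_alpha and error gain Q^E_alpha, Eqs. (25)-(27)."""
    def no_click(phi):               # P_alpha(L-bar), P_alpha(R-bar) of Eq. (25)
        pl_bar = (1 - P_DARK) * math.exp(-eta * alpha * math.cos(phi / 2) ** 2)
        pr_bar = (1 - P_DARK) * math.exp(-eta * alpha * math.sin(phi / 2) ** 2)
        return pl_bar, pr_bar

    def error(phi):                  # R clicks while L stays silent
        pl_bar, pr_bar = no_click(phi)
        return (1 - pr_bar) * pl_bar

    def total(phi):                  # exactly one of the two detectors clicks
        pl_bar, pr_bar = no_click(phi)
        return (1 - pl_bar) * pr_bar + (1 - pr_bar) * pl_bar

    return slice_average(total, d), slice_average(error, d)


def y1_lower_bound(eta, d):
    """Lower bound on the single-photon yield Y^D_{1|mu}, Eq. (21)."""
    p = lambda j, a: p_discrete(j, a, d)  # noqa: E731
    q_mu, _ = gains(MU, eta, d)
    q_nu, _ = gains(NU, eta, d)
    q_om, _ = gains(OMEGA, eta, d)
    # Upper bound on Y^D_{0|mu}: vacuum yield plus the trace-distance term (Eq. 18).
    y0_up = q_om / p(0, OMEGA) + math.sqrt(max(0.0, 1 - fidelity(0, MU, OMEGA, d) ** 2))
    # Signal/decoy yield discrepancy, weighted with P^D_{j|mu} as written in Eq. (21).
    discrepancy = sum(p(j, MU) * math.sqrt(max(0.0, 1 - fidelity(j, MU, NU, d) ** 2))
                      for j in range(d))
    num = (p(2, MU) * q_nu - p(2, NU) * q_mu
           - (p(2, MU) * p(0, NU) - p(0, MU) * p(2, NU)) * y0_up
           - p(2, MU) * discrepancy)
    return num / (p(2, MU) * p(1, NU) - p(1, MU) * p(2, NU))


def h2(x):
    """Binary entropy, with h2(0) = h2(1) = 0."""
    return 0.0 if x <= 0.0 or x >= 1.0 else -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def key_rate(distance_km, d):
    """R_f of Eq. (15) for an Alice-Bob distance of distance_km kilometres."""
    eta = ETA_D * 10 ** (-LOSS_DB_KM * (distance_km / 2) / 10)   # eta = eta_f * eta_d
    q_mu, q_err = gains(MU, eta, d)
    e_mu = (q_err * (1 - 2 * E_OPT) + E_OPT * q_mu) / q_mu      # Eq. (28)
    q1 = p_discrete(1, MU, d) * y1_lower_bound(eta, d) / q_mu   # q^D_{1|mu}
    e_ph = min(max(1 - q1, 0.0), 0.5)                           # E^D_ph <= 1 - q^D_{1|mu}
    return max(0.0, (2 / d) * q_mu * (1 - h2(e_ph) - F_EC * h2(e_mu)))
```

With these assumed parameters `key_rate(50, 4)` is 0, because the intrinsic error of a 90-degree phase slice exceeds what error correction can absorb, while `key_rate(50, 10)` is positive.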


Figure 1 shows the key rate versus the transmission distance of the finite-decoy-state PM protocol for different numbers of phase values; the PLOB bound is plotted for comparison. The smaller $D$ is, the lower the key rate, because a smaller $D$ gives a larger intrinsic bit error rate. $D = 8$ already breaks the PLOB bound, and there is an optimal value $D = 10$ that guarantees better performance. As $D$ increases further, the key rate decreases because of the sifting factor $2/D$. Hence, in an actual PM-QKD experiment, we must choose a suitable number of discrete phases to guarantee both security and performance. When $D \to \infty$, the key rate tends to 0; we do not present this case here.

Moreover, we compare the performance of PM-QKD with discrete phase randomization for infinite decoy states and for the vacuum and one decoy state. As depicted in Figure 2, when we adopt the vacuum and one decoy state with small $D$, the key rate is poor. As $D$ increases, the key rate with the vacuum and one decoy state approaches that with infinite decoy states. Combined with the conclusion from Figure 1, we find that the discrete phase number $D = 10$ still maintains good security and performance when finite decoy states are implemented.

**Figure 1.** The key rate versus the transmission distance of PM-QKD with different numbers of discrete phase values; the PLOB linear bound is plotted for comparison.

**Figure 2.** The key rate versus the transmission distance of PM-QKD with different numbers of discrete phase values; infinite decoy states and the vacuum and one decoy state are plotted for comparison. The dashed line represents the case of the vacuum and one decoy state; the solid line represents the case of infinite decoy states.

Because of the sifting factor $2/D$, the key rate tends to 0 when $D \to \infty$. In order to compare the key rate between continuous and discrete phase randomization, we first compare the fidelity between $|j\rangle\_{\rm AB}$ and $|\lambda^D\_{j|\alpha}\rangle\_{\rm AB}$, as shown in Figure 3a. The fidelity varies only slightly with the intensity. With increasing $D$, the fidelity gradually approaches 1. Therefore, when $D$ is too small, the method of continuous phase randomization is not suitable; we cannot ignore the security effect of discrete phase randomization.

Then, considering finite decoy states, the key rates with continuous and discrete phase randomization are compared in Figure 3b. As $D$ increases, the key rate with discrete phase randomization becomes almost the same as that with continuous phase randomization. This is consistent with the conclusion from Figure 3a.

**Figure 3.** (**a**) The fidelity for different mean photon numbers. The fidelity refers to Equation (23), where we take $j = 1$. (**b**) The key rate versus the transmission distance of PM-QKD with different numbers of discrete phase values. The solid line represents the coherent state with continuous phase randomization; the dashed line represents the coherent state with discrete phase randomization.


#### **6. Conclusions**

In this paper, we introduce the USD measurement and PNS attack against PM-QKD with imperfect phase randomization, and we study in depth the security of the discrete phase randomization PM-QKD protocol with decoy states in the asymptotic case. Our simulation results show that, as $D$ increases, the key rate with the vacuum and one decoy state approaches that with infinite decoy states, and furthermore, the key rates with discrete and continuous phase randomization become almost the same. We also find that, due to the intrinsic bit error rate and the sifting factor, there is an optimal number of discrete phases that guarantees both security and performance. Therefore, an actual PM-QKD system should adopt a suitable discrete phase randomization value.

**Author Contributions:** X.Z. carried out numerical simulation and wrote the paper; Y.W. and W.B. assisted in discussing the research topic; M.J. contributed to attack; X.Z. and Y.L. derived the formulas; H.L. and C.Z. discussed the PM-QKD protocol. All authors participated in revising and all authors have read and agreed to the published version of the manuscript.

**Funding:** This work is sponsored by National Key Research and Development Program of China (Grant No. 2020YFA0309702), National Natural Science Foundation of China (Grants No. 61605248, No. 61675235 and No. 61505261) and Natural Science Foundation of Henan (Grant No. 202300410534 and No. 202300410532).

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** The data presented in this study are available within the article.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **References**


### *Article* **Nonclassical Attack on a Quantum Key Distribution System**

**Anton Pljonkin 1,\*, Dmitry Petrov 1, Lilia Sabantina <sup>2</sup> and Kamila Dakhkilgova <sup>3</sup>**


**Abstract:** The article is focused on research of an attack on the quantum key distribution system and proposes a countermeasure method. Particularly noteworthy is that this is not a classic attack on a quantum protocol. We describe an attack on the process of calibration. Results of the research show that quantum key distribution systems have vulnerabilities not only in the protocols, but also in other vital system components. The described type of attack does not affect the cryptographic strength of the received keys and does not point to the vulnerability of the quantum key distribution protocol. We also propose a method for autocompensating optical communication system development, which protects synchronization from unauthorized access. The proposed method is based on the use of sync pulses attenuated to a photon level in the process of detecting a time interval with a signal. The paper presents the results of experimental studies that show the discrepancies between the theoretical and real parameters of the system. The obtained data allow the length of the quantum channel to be calculated with high accuracy.

**Keywords:** quantum key distribution; single-photon mode; synchronization; algorithm; detection probability; vulnerability

**Citation:** Pljonkin, A.; Petrov, D.; Sabantina, L.; Dakhkilgova, K. Nonclassical Attack on a Quantum Key Distribution System. *Entropy* **2021**, *23*, 509. https://doi.org/10.3390/e23050509

Academic Editors: Ivan B. Djordjevic and Rosario Lo Franco

Received: 29 March 2021; Accepted: 22 April 2021; Published: 23 April 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

#### **1. Introduction**

This research was inspired by the works "Quantum man-in-the-middle attack on the calibration process of quantum key distribution" [1] and "Device calibration impacts security of quantum key distribution" [2], which describe attacks on the calibration system. At the outset, it is necessary to clarify several important points about our research: the experiments were carried out with a two-pass quantum key distribution system (QKDS), Clavis2; we do not examine the security of the quantum BB84 protocol and do not claim that our attack is an attack on the BB84 protocol; and we do not test the strength of the quantum keys and do not claim that the described attack affects the strength of the keys. These are important notes for understanding the aims of the paper. The quantum key distribution process and the synchronization process are different. There are many articles in the literature that describe these processes in detail. There are attacks on both quantum protocols and the synchronization process, but there is practically no literature describing attacks on the synchronization process. Our experiment was carried out on a real Clavis2 quantum key distribution system: two stations connected by a quantum channel (optical fiber). In real operating conditions, QKDSs have many loopholes for an attacker. This is not about quantum cryptography protocols, which are reasonably secure; we are referring to the technical imperfection of systems. The authors of [1,2] discuss such imperfections and show that an attacker can use them for attacks. It is important to understand that the purpose of an attack on the QKDS may not only be the acquisition of a secret key. Implementation of a controlled interference can also be a target of an attacker. From the user's point of view, this looks like a technical failure of the system, and there are two options: the user understands that the failure was caused by an attacker, or the user does not detect the attacker. In this work, we will show experimentally how it is possible to interfere with the normal operation of the QKDS without revealing oneself.

The basic principles of quantum cryptography are absolute theoretical secrecy of the transmitted data and the impossibility of unauthorized access to it. For cryptographic systems, the security issue is formulated as the problem of distributing the encryption key between legitimate users. Quantum cryptography systems solve the problem of generating and distributing the encryption key using methods that are based on the laws of quantum physics and are implemented in quantum key distribution systems. In the description of quantum key distribution systems, much attention is paid to the operation of quantum protocols. The main problem is the insufficient study of the synchronization process of quantum key distribution systems. This paper contains a general description of quantum cryptography principles. A two-way plug and play fiber-optic quantum key distribution system with phase coding of photon states in synchronization mode was examined. A quantum key distribution system was built on the basis of the scheme with automatic compensation of polarization mode distortions. Single-photon avalanche diodes were used as optical radiation detecting devices. The operation of such systems is impossible without the process of station coordination, i.e., synchronization of the transmitter and receiver separated in space. In the QKDS, synchronization consists of a high-precision determination of the length of the optical pulse propagation path and is based on the registration of the moment when the synchronizing pulse is received by photodetectors.

#### **2. Experiment and Simulation**

#### *2.1. Signal Level in the QKD System*

The most appropriate form of synchronization signal for the QKDS is a periodic sequence of optical pulses [3]. In this case, the time markers are the pulses themselves, and the measurement process consists of dividing the entire repetition period into time intervals. The conversion of a photon to a primary electron is registered in each time interval. The results of live tests of a quantum cryptographic network based on the IDQuantique Clavis2 3110 QKD system are described in [4–7], where it is shown that the synchronization process generates multiphoton pulses and the photodetectors operate in linear mode. Using the constructed energy model of the current Clavis2 3110 QKD system, we show that the synchronization mode does not involve algorithms for controlling the emission power. Figure 1 shows the dependence of the number of photons in the pulse on the length of the quantum channel. The quantum channel is a fiber-optic communication line connecting two stations of the QKD system. The dependences are shown for the three synchronization modes and take into account the following combined losses: in the optical fiber, at the junction points, and the total losses in the encoding station (−47.7 dBm). The energy model of the QKD system describes the characteristics of the detection equipment. In the process of high-precision determination of the length of a quantum channel, pulses are sent from the transmitting station to the encoding station, where they are reflected from the Faraday mirror and follow back along the same optical path. The process is divided into three stages, for each of which the pulse power values correspond to P1 = −48.3 dBm, P2 = −55.8 dBm, and P3 = −24.2 dBm. The values of P1, P2, and P3 were obtained experimentally using Yokogawa AQ2202 equipment. The photon energy, with the refractive index of the Corning® SMF-28e+ fiber, is equal to

$$E(p) = \frac{h\,\frac{c}{n}}{\lambda} = \frac{6.62 \cdot 10^{-34} \cdot 2.01 \cdot 10^{8}}{1550 \cdot 10^{-9}} = 0.0085 \cdot 10^{-17}\ {\rm J} \tag{1}$$

**Figure 1.** Dependence of the number of photons in a pulse on the length of the quantum channel.

The repetition rates are f1 = 800 Hz, f2 = 800 Hz, f3 = 5 MHz, and the pulse duration is τ = 1 ns. The pulse duration is the same for the three modes. We performed the simulation based on this equation. The graphs were plotted using the classical formula expressing the number of photons in terms of the pulse energy at a known repetition rate, taking into account the refractive index of the emission in the fiber.

The dependences clearly demonstrate that only when the quantum channel is L = 50 km long (taking into account the resulting losses and the double path of the pulses) does the average number of photons in the pulse approach unity (the average value over the three synchronization stages). The ordinate axis shows the resulting value, i.e., the pulse with this number of photons has travelled the distance L × 2 and entered the photodetector. It is apparent that the first stage had the most powerful energy characteristics. This is related to the need to ensure the highest probability of detecting the reflected signal at the first stage, since an erroneous detection or omission of the signal at the first stage will cause a compound detection error at subsequent stages. Note that the power of the optical synchronizing pulses is constant for all values of the length of the quantum channel, i.e., the system does not adjust the laser power depending on the length of the quantum channel. A pulse with a number of photons m >> 10 is called a multiphoton pulse, 1 < m < 10 a photon pulse, and m < 1 a single-photon pulse. Here, a single-photon pulse should not be understood as a division of a photon, but as the presence of a signal in every j-th pulse on average.

We showed experimentally that the multiphoton mode of calibration in the quantum key distribution system is a vulnerability. Note that the purpose of unauthorized access may be not only to intercept and read information, but also to synchronize the attacker's equipment in order to interfere with the work of the QKDS [8–10].

#### *2.2. Experimental Attack on a Quantum Channel and Analysis*

We configured the experimental design (Figure 2), where the quantum communication system stations were located in adjoining rooms. A quantum channel of variable length was organized between them. Corning®SMF-28e+ optical fiber coils with lengths (L) of 1, 2, 4, and 25 km were used for this. At the junction points of the optical coils, two fiber-optic couplers with division coefficients were connected in series: kC1 (70%, 30%) and kC2 (90%, 10%). The output of the transmitting station was connected to the input of the divider kC1, and the output of the divider kC1 (70%) was connected to the output of the divider kC2 (90%). The input of the kC2 divider was connected to the quantum channel in the direction of the receiver station. Outputs kC2 (10%) and kC1 (30%) were connected to an optical power meter (Yokogawa AQ2202) to capture signals.

**Figure 2.** Experiment scheme. Clavis2 3110 QKD system with optical power couplers (kC1, kC2). I/O is input/output.

Note that the implementation of couplers in the optical communication channel was not technically difficult. It was provided by two welded joints in the fiber-optic communication line. The presence of two couplers allows one to calculate the time of re-reflection, since the moment of interception of an optical pulse in only one direction does not give the attacker complete information about the operation of the system. It is crucial to intercept the optical pulse during the reverse propagation of the reflected signal. With information about the re-reflection time, an attacker can calculate the exact distance to the recipient's station and back [11–16]. These data allow one to perform some attacks on quantum communication protocols, for example, an attack in which the operation of the coding station is simulated. The attacker inserts their equipment instead of the encoding station and sends substitution signals to the transmitting station's photodetectors at the right time. The aim of our experiment was to prove the possibility of a successful attack on a quantum communication system by interference with the calibration stage.

In the described design, the QKD system is put into operation mode. The synchronization process and the operation of the quantum protocol BB84 function normally without critical errors, i.e., the presence of two power couplers in the optical communication channel is not detected by the system and does not affect its operation. Keys are formed in cycles, and synchronization completes successfully. In this mode, the experiment lasted 24 h, and the system functioned without failures. After the signals at outputs kC1 (30%) and kC2 (10%) were repeatedly recorded, we connected the optical emission source (Yokogawa AQ2202) to the output kC2 (10%). The connection of the emission source also did not affect the operation of the QKDS. Further, at random times, we applied a signal interference (τ = 1 ns, f = 270 Hz) to the output of the coupler kC2 (10%). The duration of interference activation varied from 5 s to 10 min. In interference mode, the system did not stop operating and did not issue errors but initiated the synchronization process again. After synchronization, the quantum protocol operation was restored, and the key distribution process resumed. We performed a simulation. We clearly demonstrated the effect of interference on the operation of the quantum key distribution protocol. Figure 3 shows the dynamics of the measured quantum bit error rate (QBER).

**Figure 3.** Dynamics measured by QKDS QBER software; 1–10 refer to iterations.

We can see that the graph does not contain any critical changes. Analysis of the dynamics of quantum error does not allow for the detection of unauthorized interference in the operation of the system. The latter is also confirmed by the graph in Figure 4, which shows the dynamics of generated quantum keys.

**Figure 4.** Dynamics of accumulated quantum keys. The length of each key is 512 bits; 1–10 refer to iterations.

Figure 4 shows the number of keys that are cyclically accumulated in the buffer. Note that the length of a single key is 512 bits. The dependencies in Figures 3 and 4 are presented for a quantum channel length L = 25,732 m. The graph in Figure 4 also does not indicate when the system was affected by the interference. If we consider the approximation of this dependence on the time axis, a time delay with an error of about 10% of the average key generation cycle is visible in the intervals with interference enabled. This delay occurs periodically during the operation of the QKD system and may be due to the presence of inhomogeneities in the quantum channel or physical changes in the optical fiber due to temperature influences. Thus, the time dependence analysis also does not allow for the detection of the presence of couplers in the communication channel or indicate unauthorized interference. Let us turn to Figures 5 and 6. Figure 5 shows statistics of accumulated quantum keys and QBER at different optical link lengths without using couplers (i.e., without introducing interference).

**Figure 5.** Statistical data of the BB84 quantum protocol, quantum keys; 1–6 refer to iterations.

**Figure 6.** Statistical data on the operation of the quantum protocol BB84, QBER; 1–6 refer to iterations.

The graphs show that the maximum number of accumulated keys for 6 iterations is 9546, with a quantum channel length (L) of 7880 m. The graph shows a significant difference when the length of the fiber optic cable is 50,456 m. Here, the number of keys generated in one iteration differs significantly from the same value for a shorter length of the fiber optic link, while the growth dynamics is preserved. This behavior is due to the fact that the limit length of the quantum channel introduces significant attenuation of the signal. The values 8.76 < QBER < 9.54 for a quantum channel length of 50,456 m are also high, but these values are not critical, because they do not exceed the calculated value QBER = 11%. To compare the dynamics of changes in the number of accumulated keys and QBER in the presence of couplers and without them, let us turn to the dependencies in Figures 3–6 that are plotted for a quantum channel length of 25,732 m. The QBER value is within 2.3 < QBER < 3.1 if there are couplers, and within 2.8 < QBER < 5.7 if there are no couplers. These values are valid and do not indicate the presence of an attacker in the communication channel. Moreover, in the experiment, the values in the absence of couplers exceeded the values in the presence of couplers. This indicates that external destabilizing factors have a more significant impact on QBER than the presence of additional prepared connections in the communication channel.

When looking at graphs that reflect the accumulated keys, it is clear that for six iterations, the values do not differ significantly on the two curves (the average number of 512-bit keys per iteration is about 300). Analysis of the results confirms the conclusion that the presence of couplers in the communication channel and the impact of interference do not affect the statistical data of the quantum protocol. A similar conclusion can be drawn when considering the approximated curve on a time chart.

#### **3. Single-Photon Synchronization Method**

The results of the experiment show the vulnerability of the QKDS synchronization process and prove that it is possible to interfere with the system while remaining unnoticed. Note that the classical method of controlling the emission power in a quantum communication channel does not allow detection of the presence of couplers. Under ideal experimental conditions, when the quantum channel consists of a continuous fiber (coil), the couplers can be detected using a reflectometer; in this case, it was possible to see an attenuation of 0.2–0.4 dB at the split joints. If only welded joints are used, the presence of losses is almost impossible to detect. In real conditions, the continuous length of the quantum channel does not exceed 1 km, and fiber optic splice closures are an integral part of the communication system. Fiber optic splice closures and inhomogeneities of the optical fiber introduce additional attenuation and hide the possible presence of an unauthorized connection to the communication channel. The reflectometric detection method does not allow legitimate inhomogeneities (of different types) to be distinguished from illegitimate ones.

We should also mention the quantum effects of the environment [17,18]. Note that the quantum fluctuations are not described by classical functions and cannot be compensated. Moreover, such quantum effects could be influencing the system, but it is expected that their effects would be small. Of course, such effects must be taken into account, and their influence on the quantum system should be investigated. There are environmental effects that can affect the physical properties of the fiber. For example, temperature tends to change the physical length of a fiber under certain conditions, but it is compensated for by checking the length in the program.

We propose a method that provides protection against an attack on the QKDS during the synchronization process. A distinctive feature of the method is the use of synchronization pulses weakened to a single-photon level. In this case, the optical signal is attenuated at the encoding station by a controlled attenuator, and the value of the insertion loss is calculated so that after reflection from the Faraday mirror, the average number of photons (m) in the synchronizing pulse is 0.1–0.5. Registration of single-photon pulses is performed by avalanche photodiodes in Geiger mode.

The maximum length of the fiber optic link in QKDS is $L$ = 100 km. Taking into account the back propagation of emission, and to avoid overlapping of back-transmitted pulses at $L$ = 100 km, the repetition period is $T_s = 2L/v_{fiber} \approx 1$ ms. Therefore, the maximum repetition rate of optical pulses should not exceed $f_{s.max} = 1/T_s \approx 1$ kHz. The repetition period $T_s$ is divided into $N_w$ time intervals of duration $\tau_w$ in such a way that $T_s = N_w \tau_w$. All intervals are analyzed sequentially. Each interval is analyzed $N$ times, where $N$ is the selection size. The pulse duration is $\tau_s$ = 1 ns and $\tau_w = (2 \ldots 4)\,\tau_s$. Absolute stability of the repetition period $\Delta T_s$ and of the duration $\Delta\tau_s$ is assumed. In each interval, the number of accepted photoelectrons and/or dark current pulses (DCP) is recorded. After polling all $N_w$ time intervals, an array of values is generated as follows:

$$\{n_{w.N}(j),\ j = \overline{1, N_w}\} = \{n_{w.N}(1), n_{w.N}(2), \dots, n_{w.N}(j), \dots, n_{w.N}(N_w)\} \tag{1}$$

For these values of $\tau_s$ and $\tau_w$, the synchronizing pulse either lies entirely within one time interval or straddles the border of two neighboring ones. In the first case, the values $n_{w.N}(2), \dots, n_{w.N}(j), \dots, n_{w.N}(N_w)$ in the $N_w - 1$ noise intervals follow Poisson's law with parameter $\overline{n_{d.N}} = N \xi_d \tau_w$, while in the interval containing the synchronizing pulse the number $n_{w.N}(1)$ follows Poisson's law with parameter $\overline{n_{w.N}} = N \xi_d \tau_w + N n_s$. Here $\xi_d$ is the rate of occurrence of DCP and $n_s$ is the average number of photoelectrons registered over the duration of the pulse.

If the pulse lies in two neighboring intervals, then the random values $n_{w.N}(3), \dots, n_{w.N}(j), \dots, n_{w.N}(N_w)$ in the $N_w - 2$ noise intervals follow Poisson's law with parameter $\overline{n_{d.N}} = N \xi_d \tau_w$, and the numbers $n_{w.N}(1)$ and $n_{w.N}(2)$ in the two neighboring intervals have parameters $\overline{n_{w1.N}} = N \xi_d \tau_w + N n_{s1}$ and $\overline{n_{w2.N}} = N \xi_d \tau_w + N n_{s2}$, respectively. Here $n_{s1} = n_s (1 - \tau_w / t_1)$ and $n_{s2} = n_s - n_{s1}$ are the average numbers of photons registered in the two neighboring intervals, under the condition that the moment of occurrence of the single-photon pulse ($t_1$) belongs to the first interval. Noise intervals are the analyzed intervals in which the signal is not recorded; in such intervals only noise, the DCP of the photodetector [12,13], can be recorded. To analyze the process of detecting a synchronizing signal using single-photon pulses, the laws of probability density distribution are applied [14].

The analytical expression (2) gives the probability of correct detection of the signaling interval ($P_D$).

$$P_D = \sum_{n_{w.N}=1}^{\infty} \frac{\left(\overline{n_{w.N}}\right)^{n_{w.N}}}{n_{w.N}!} \cdot \exp\left[-\overline{n_{w.N}}\right] \cdot P_{d.N}\{n_{w.N}\} \tag{2}$$

Here

$$P_{d.N}\{n_{w.N}\} = \left(\sum_{n_{d.N}=0}^{n_{w.N}-1} \frac{\overline{n_{d.N}}^{\,n_{d.N}}}{n_{d.N}!} \cdot \exp\left(-\overline{n_{d.N}}\right)\right)^{N_w-1} \tag{3}$$

represents the probability of registering no more than $(n_{w.N} - 1)$ DCP in all $(N_w - 1)$ noise time intervals during the analysis, provided that $n_{w.N}$ photoelectrons and DCP are registered in the signal time interval for a selection of size $N$. Given the value of $N_w$, the average number of DCP per sample in a noise interval tends to zero. This allows the summation in the formula to be restricted to the two values $n_{d.N} = 0$ and $n_{d.N} = 1$. Simplifying expression (2), we get

$$P_D = \exp\left(-N_w \overline{n_{d.N}} + \overline{n_{d.N}}\right) \left\{ \overline{n_{w.N}} \cdot \exp\left(-\overline{n_{w.N}}\right) + \left[1 - \exp\left(-\overline{n_{w.N}}\right) - \overline{n_{w.N}} \cdot \exp\left(-\overline{n_{w.N}}\right)\right] \cdot \left(1 + \overline{n_{d.N}}\right)^{N_w - 1} \right\} . \tag{4}$$

The simulation results show that the divergence between the calculation results of Equations (2)–(4) does not exceed 0.02% over the entire variation range in the number of time intervals. The registration validity condition of no more than one photoelectron and/or DCP is typical for a single-photon avalanche photodiode. This proves that expression (4) can be used to calculate the probability of correctly detecting the time interval during synchronization of the QKDS, provided that $n_{w.N}$ 1. An important parameter of the avalanche photodiode is the recovery time of the operating mode ($\tau_{dead}$). In the proposed method, the time-interval poll is performed sequentially in each frame, i.e., one time interval is analyzed per repetition period ($T$); here $T \gg \tau_{dead}$. This approach allows the recovery time of the working mode of the photodetector to be ignored in the calculation. Another distinctive feature of the single-photon mode of operation of the photodetector is the quantum efficiency coefficient of the photocathode ($k$), which must be taken into account in the simulation. Let us look at the graphs in Figure 7, which show the dependence of the probability of correctly detecting the time interval containing the signal on the selection size. The dependencies are plotted using Equation (4). The developed method involves the use of a weakened optical synchronizing pulse with an average number of photons 0.1 < m < 1. Thus, given the critical values of the average number of photons per pulse, the frequency of DCP and the quantum efficiency of the photocathode, the only variable quantity is the selection size in each time interval. Note that the DCP of the photodetector are its shot noise, which can trigger an avalanche [15–17].
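As an added worked example (not the authors' simulation code), the following Python evaluates $P_D$ both from Equations (2)–(3) directly and from the closed form (4), so that the two can be compared for a sweep of selection sizes. The parameter values are assumptions taken from the ranges quoted in the text (id230 DCP rate of 50 Hz, $\tau_w$ = 4 ns, $T_s$ = 1 ms, m = 0.1, k = 25%), and Equation (4) is implemented as the one-DCP truncation of the inner sum of (3), with the exponential prefactor applied to both terms.

```python
"""Probability P_D of correctly detecting the signalling time interval for the
single-photon synchronisation scheme, Eqs. (2)-(4) of the text.

Added worked example, not the authors' simulation code. Parameter values in
detection_vs_selection() are assumptions taken from the ranges quoted in the
text (DCP rate of the id230, tau_w = 4 ns, T_s = 1 ms, m = 0.1, k = 25 %)."""
import math


def dcp_mean(n_sel, dcp_rate_hz, tau_w_s):
    """n_d.N = N * xi_d * tau_w: mean dark-count pulses accumulated in one
    noise interval over a selection of size N."""
    return n_sel * dcp_rate_hz * tau_w_s


def signal_mean(n_sel, dcp_rate_hz, tau_w_s, mean_photons, quantum_eff):
    """n_w.N = N * xi_d * tau_w + N * n_s, taking n_s = m * k (mean photons
    per pulse times photocathode quantum efficiency)."""
    return dcp_mean(n_sel, dcp_rate_hz, tau_w_s) + n_sel * mean_photons * quantum_eff


def _log_poisson_cdf(k, lam):
    """log P(X <= k) for X ~ Poisson(lam), kept accurate near log(1) = 0 so
    that it can be multiplied by N_w - 1 (~1e5) without losing precision."""
    term, rest = 1.0, 0.0          # rest = sum_{i=1..k} lam^i / i!
    for i in range(1, k + 1):
        term *= lam / i
        rest += term
    return -lam + math.log1p(rest)


def p_detect_exact(n_w, mean_dcp, mean_sig, tail=1e-16):
    """Eqs. (2) and (3): sum over n_w.N >= 1 of the Poisson weight of the
    signal interval times the probability that every one of the N_w - 1
    noise intervals registers fewer counts. The infinite sum is stopped
    once the Poisson weight has dropped below `tail`."""
    p_d, pmf, n = 0.0, math.exp(-mean_sig), 0
    while True:
        n += 1
        pmf *= mean_sig / n        # P(n_w.N = n)
        if n > mean_sig and pmf < tail:
            return p_d
        p_d += pmf * math.exp((n_w - 1) * _log_poisson_cdf(n - 1, mean_dcp))


def p_detect_closed_form(n_w, mean_dcp, mean_sig):
    """Eq. (4): noise intervals are allowed at most one DCP, i.e. the inner
    sum of Eq. (3) is cut at n_d.N = 1. The exp(-N_w n_d + n_d) prefactor
    is applied to both terms, which is what that truncation yields."""
    prefactor = math.exp(-(n_w - 1) * mean_dcp)
    one_count = mean_sig * math.exp(-mean_sig)               # P(n_w.N = 1)
    two_or_more = 1.0 - math.exp(-mean_sig) - one_count       # P(n_w.N >= 2)
    growth = math.exp((n_w - 1) * math.log1p(mean_dcp))      # (1 + n_d)^(N_w-1)
    return prefactor * (one_count + two_or_more * growth)


def detection_vs_selection(sizes, dcp_rate_hz=50.0, tau_w_s=4e-9,
                           period_s=1e-3, mean_photons=0.1, quantum_eff=0.25):
    """P_D for each selection size N, as (exact, closed form) pairs.
    N_w = T_s / tau_w is the number of polled intervals per period."""
    n_w = round(period_s / tau_w_s)
    result = {}
    for n_sel in sizes:
        d = dcp_mean(n_sel, dcp_rate_hz, tau_w_s)
        s = signal_mean(n_sel, dcp_rate_hz, tau_w_s, mean_photons, quantum_eff)
        result[n_sel] = (p_detect_exact(n_w, d, s), p_detect_closed_form(n_w, d, s))
    return result


if __name__ == "__main__":
    for n_sel, (exact, closed) in detection_vs_selection([30, 150, 256, 512, 1024]).items():
        print(f"N={n_sel:5d}  P_D(2)-(3)={exact:.5f}  P_D(4)={closed:.5f}")
```

Running the sweep shows the closed form tracking the direct sum to well under 0.1% for N up to 256, but falling about 0.5% below it at N = 1024: the one-DCP-per-interval cut becomes pessimistic once the expected number of noise intervals holding two or more DCP (about $N_w \overline{n_{d.N}}^2/2$) is no longer negligible.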

**Figure 7.** Dependence of the probability of correct detection on the selection size.

The graphs show that the probability of correct detection reaches its maximum values ($P_D$ > 99.3%) already at a selection size of N = 30 without taking quantum efficiency into account, and at N = 150 when quantum efficiency is taken into account. Note that the typical selection size of the current Clavis2 3110 system is 800. Next, let us consider the simulation results that show the influence of the DCP frequency and the selection size on the probabilistic characteristics of detecting the signaling time interval. The task of the simulation is to find the optimal values of N and DCP at which the maximum probability of detection is achieved. Calculations were made taking into account the above-mentioned average quantum efficiency of the photocathode (k = 25%). Figure 8 shows the results of simulating the algorithm for detecting a single-photon signal. The graphs show the dependence of the probability of correct detection of the signaling interval on the selection size for different values of DCP.

**Figure 8.** Probability of correct detection of a single-photon signal.

The average number of photoelectrons (m) in a pulse is 0.1. The graph shows that at the smallest selection sizes (32 < N < 128), the probability of detection ($P_D$) is no more than 80%, and the number of DCP does not matter. This behavior of the curves is explained by the small difference between the number of DCP and the number of photoelectrons in the time intervals. The divergence is leveled out as the selection size increases. On the other hand, if DCP > 200, the selection size does not matter, since the probability of detection ($P_D$) does not exceed 98% over the entire range of values. The optimal values of DCP and N for achieving high probability values ($P_D$ > 99.3%) are N > 256 with DCP < 150. Consider Figure 9, where calculations of the probability of erroneous detection of a signaling time interval with a single-photon pulse are presented.

**Figure 9.** Probability of erroneous detection of a single-photon signal.

The figure is plotted for three values of the selection size (N = 256, 512, 1024) and DCP values in the range 25 to 400. It is apparent that the selection size N = 1024 has a significant impact on the probability at the maximum values of DCP. Thus, in the single-photon mode, the probability of erroneous detection increases sharply at DCP > 200. This is because, with the statistical accumulation of summands in Equation (4), the direct dependence on the number of DCP and on the selection size increases the number of noise counts, which are interpreted as "false positives" of the single-photon avalanche photodiode. Note that the average DCP value for the photodiodes used in QKD systems is within the range 25 < DCP < 100. For example, the typical DCP value for the id210 and id230 photodetectors is 40 and 50 Hz, respectively [18,19]. Such photodetectors are used in the Clavis2 and Clavis3 QKDS [20–24]. We applied the real characteristics of the id230 photodetector in our calculations (see Figure 10). The average number of photoelectrons m = 0.1 was achieved by attenuating the signal in the receiver station. The quantum efficiency of the photocathode is k = 25%.

**Figure 10.** Calculating the detection probability for id230.

#### **4. Discussion**

This work places strong emphasis on its experimental part. Due to the lack of access to a QKD system, most research groups are limited to theoretical research. Our team conducted theoretical research based on real experience and found weak points by exploring real systems. By conducting experiments, we demonstrate that this weakness can be very critical for practical application. We then proposed a new theoretical method to reduce the possibility of exploiting this vulnerability. The synchronization process is not part of the quantum protocol, but, as shown in practice, an attacker who can access the synchronization can also access the hardware. This can have serious consequences in real situations.

In addition, during the experiment, it was found that a new synchronization method can protect the system from quantum channel attacks. This does not represent an attack on quantum protocols but means an attack on optical communication circuits. The purpose of this attack is to destroy the key distribution.

#### **5. Conclusions**

The results of this research show that an attack on the QKDS synchronization system can be implemented successfully. A method to counter this type of attack is presented. An important feature is that this is not a classic attack on a quantum protocol: we show that quantum key distribution systems have vulnerabilities not only in the operation of their protocols. The described type of attack does not affect the cryptographic strength of the received keys, but it allows the operation of the QKDS to be disrupted. We disrupt the quantum channel without interfering with the quantum protocol. Here is a simple example: if an attacker simply damages the optical cable (cuts it), the system easily detects it; with our method, the system does not detect an intruder in the quantum channel. We also propose a method that protects synchronization data from unauthorized access. The method is based on the use of sync pulses attenuated to the single-photon level in the process of detecting the time interval with a signal. Note that the classical attack by a compressed powerful light pulse cannot be realized, since we use an avalanche photodiode in Geiger mode.

Synchronizing pulses are registered by single-photon avalanche photodiodes in Geiger mode. The algorithm for detecting the optical signal is described, and analytical expressions are presented for calculating the probabilistic characteristics, which show undiminished dynamics of correct detection of the optical synchronizing signal. The method is simulated for optical communication systems that operate according to a two-pass scheme. The paper presents the results of experimental studies that show the vulnerability of the synchronization process in autocompensation quantum key distribution systems with phase encoding of states. An additional control measure against unauthorized interference is the use of variable-power synchronizing pulses for varying lengths of the quantum channel. Together with controlled signal attenuation, this measure will increase the security of the QKD system against unauthorized access. The results of the experiment show that the system uses pulses of the same power regardless of the length of the quantum channel. Simple calculations of the sufficient synchronizing pulse power will allow the intensity of the emission source to be adjusted and pulses of the calculated power to be generated depending on the length of the quantum channel.

**Author Contributions:** A.P. supervision, developed the algorithm, analyzed data, and performed the experiments; D.P. analyzed the experimental data; L.S. and K.D. checked the data and wrote the paper; Writing—review and editing, all authors. All authors have read and agreed to the published version of the manuscript.

**Funding:** The publication was carried out as part of the support of the publication activity of the Southern Federal University.

**Institutional Review Board Statement:** The study was conducted according to the guidelines of the Declaration of Helsinki, and approved by the Institutional Review Board of Southern Federal University (12/05-2015).

**Data Availability Statement:** All results and data obtained can be found in open access publications.

**Acknowledgments:** The authors express their gratitude to Pljonkins Inc. for the support.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **References**


# *Article* **QKD Based on Symmetric Entangled Bernstein-Vazirani**

**Michael Ampatzis † and Theodore Andronikos \*,†**

Department of Informatics, Ionian University, 7 Tsirigoti Square, 49100 Corfu, Greece; p16abat@ionio.gr

**\*** Correspondence: andronikos@ionio.gr

† These authors contributed equally to this work.

**Abstract:** This paper introduces a novel entanglement-based QKD protocol that makes use of a modified symmetric version of the Bernstein-Vazirani algorithm in order to achieve secure and efficient key distribution. Two variants of the protocol, one fully symmetric and one semi-symmetric, are presented. In both cases, the spatially separated Alice and Bob share multiple EPR pairs, each holding one qubit of every pair. The fully symmetric version allows both parties to input their tentative secret key from their respective location and acquire in the end a totally new and original key, an idea which was inspired by the Diffie-Hellman key exchange protocol. In the semi-symmetric version, Alice sends her chosen secret key to Bob (or vice versa). The performance of both protocols against an eavesdropper's attack is analyzed. Finally, in order to illustrate the operation of the protocols in practice, two small-scale but detailed examples are given.

**Keywords:** quantum cryptography; quantum key distribution; the Bernstein-Vazirani algorithm; EPR pairs; quantum entanglement; quantum information theory

#### **1. Introduction**

In the course of the last century, the scientific community experimented with different ideas and forms of computation, trying to harness the power of nature and create machines that allowed us to process immeasurable amounts of information in mere seconds, thus radically changing the world around us in the span of a few decades. However, in the present era classical computers are reaching a point where it will be infeasible to substantially enhance their efficiency due to the physical limitations of transistors. This has started a new incentive to resurrect previous attempts concerning research of new types of computation. Out of all the different proposals for a viable substitute to classical computing, undoubtedly the most promising of them all is quantum computation, mainly due to the fact that it allows the exploitation of the most fundamental properties of physics.

*1.1. Related Work*

As technology comes closer to the realization of this goal, it appears that certain profound adaptations regarding different branches of computer science need to take place in order to achieve a smoother transition from the classical to the quantum era. One of the most important such branches is the field of cryptography, due to the vulnerability of the current security algorithms against quantum computers [1,2]. This inherent weakness in the modern security protocols and the race for building a resilient security infrastructure against quantum computers [3] before they become a reality, were the two catalysts that resulted in a schism of the field into two sub-fields, which are based on two different philosophies and ideologies. The first sub-field, known as post-quantum cryptography or quantum-resistant cryptography, relies on the complexity of mathematics as its security basis. It is an attempt to develop cryptographic systems that are secure against both quantum and classical computers and can also be interpreted within the already existing communications protocols and networks. The second sub-field, which is called quantum cryptography, is being built upon the implementation of the properties of quantum mechanics and, thus, takes advantage of nature's own fundamental laws in order to achieve security.

**Citation:** Ampatzis, M.; Andronikos, T. QKD Based on Symmetric Entangled Bernstein-Vazirani. *Entropy* **2021**, *23*, 870. https://doi.org/10.3390/e23070870

Academic Editor: Ivan B. Djordjevic

Received: 9 June 2021 Accepted: 5 July 2021 Published: 7 July 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

The sub-field of quantum cryptography, on which the primary interest of the current paper lies, has seen enormous growth of both a theoretical and a practical nature. Two landmark papers, the BB84 protocol [4] and the E91 protocol [5], were the first to prove that key distribution between two parties relying on the properties of quantum mechanics is possible. These two protocols established the two schemes on which all quantum key distribution (QKD) protocols are based, the *prepare-and-measure-based scheme* and the *entanglement-based scheme*. After the publication of these two protocols, a plethora of interesting proposals for different QKD protocols based on these two schemes were suggested, further expanding the field on a theoretical level. At the same time, some truly remarkable real-life implementations of some protocols were demonstrated, as in [6–11]. These implementations have shown that quantum cryptography is not a mere theoretical experiment, but a possible reality in the near future.

Over the last few years, there has been a noticeable increase in the effort to find new viable applications for well-known quantum algorithms, such as the Deutsch-Jozsa algorithm [12], the Bernstein-Vazirani algorithm [13] and Simon's periodicity algorithm [14]. Many of these proposals have been made in the field of quantum cryptography, using these algorithms as viable QKD protocols [15–17]. Motivated by these attempts, this paper proposes two novel variants of an entanglement-based QKD protocol that makes use of the Bernstein-Vazirani algorithm. The novelty of this work lies in the fact that it uniquely combines some key ingredients. Starting with entanglement, which is an integral part of the protocol, the corresponding qubits in Alice's and Bob's input registers are maximally entangled. Thus, the proposed protocols exhibit all the inherent advantages that an entanglement-based QKD protocol provides in terms of security against an eavesdropper, as first demonstrated in the E91 protocol [5]. Additionally, the Bernstein–Vazirani algorithm [13], a fast and useful quantum algorithm that guarantees the creation of the key using just one application of the appropriate function, is used in a critical manner. Furthermore, the fully symmetric variant is inspired by the Diffie-Hellman idea [18] of deriving the final key from a random combination of two separate keys. This idea is not just cosmetic, as the ability to obtain a key that neither Alice nor Bob knows from the start adds an additional layer of security, further improving the strength of the protocol. Finally, the proposed protocol can be implemented in two versions: the fully symmetric version and the semi-symmetric one. In the fully symmetric variant, both Alice and Bob can input their tentative secret keys from their respective locations and acquire in the end a totally new and original key. In the semi-symmetric one, Alice (alternatively Bob) constructs the secret key that she (or he) communicates securely to the other party.

The protocol is described as a quantum game, which, despite its rather playful name, is another noteworthy field that has emerged due to the transition to the quantum era and is used to address difficult and interesting problems within the quantum realm. This approach was chosen in an effort to make the presentation more mnemonic and easier to follow, due to the close connection that both fields share and the fact that any cryptographic situation can be conceived as a game between the two fictional heroes Alice and Bob, who play the roles of two remote parties that are trying to communicate, and the enemy Eve who tries to eavesdrop on the conversation, a case which becomes apparent with the quantum game of coin tossing and the BB84 protocol [4,19] and references therein. This situation has been generalized in [20] to quantum dice rolling. For the reader striving for a more rounded understanding of the connection between the two fields, one can start with the two important works in the field of quantum game theory dating back to 1999, which were instrumental for the creation of the field: Meyer's PQ penny flip game [21], which can be regarded as the quantum analogue of the classical penny flip game, and the introduction of the Eisert-Wilkens-Lewenstein scheme [22], which is widely used in the field. Regarding the PQ penny flip game, some recent results can be found in [23,24], where its connection to the dihedral groups was established. As for the Eisert-Wilkens-Lewenstein scheme, it proved fruitful in providing many interesting results. For example, it led to quantum adaptations of the famous prisoners' dilemma in which the quantum strategies are better than any classical strategy ([22]), as well as extensions of the classical repeated prisoners' dilemma conditional strategies to a quantum setting ([25]).

#### *1.2. Organization*

The paper is structured as follows. Section 1 provides a brief introduction to the subject and gives the most relevant references. Section 2 introduces and explains the tools used for the formulation of the protocols in this article. Section 3 presents and thoroughly analyzes the fSEBV and sSEBV protocols, so that their functionality can be completely understood. Section 4 contains two detailed examples, one for each protocol, to demonstrate their operation. Finally, Section 5 summarizes the proposed protocols and discusses their potential applications in various situations.

#### **2. Preliminaries**

#### *2.1. Quantum Entanglement and Bell States*

Quantum entanglement is one of the fundamental principles of quantum mechanics and can be described mathematically as the linear combination of two or more product states. The Bell states are specific quantum states of two qubits, sometimes called an EPR pair, that represent the simplest examples of quantum entanglement. From the perspective of quantum computation, an EPR pair can be produced by a circuit with two qubits, in which a Hadamard gate is applied to the first qubit and subsequently a CNOT gate is applied to both qubits. These states can be elegantly described by the following equation taken from [26].

$$|\beta_{x,y}\rangle = \frac{|0\rangle\,|y\rangle + (-1)^x |1\rangle\,|\bar{y}\rangle}{\sqrt{2}}\,,\tag{1}$$

where $|\bar{y}\rangle$ is the negation of $|y\rangle$.

In a more detailed manner, the Bell states can be described as follows.

$$|\Phi^+\rangle = |\beta_{00}\rangle = \frac{|0\rangle\,|0\rangle + |1\rangle\,|1\rangle}{\sqrt{2}}\tag{2}$$

$$|\Phi^-\rangle = |\beta_{10}\rangle = \frac{|0\rangle\,|0\rangle - |1\rangle\,|1\rangle}{\sqrt{2}}\tag{3}$$

$$|\Psi^+\rangle = |\beta_{01}\rangle = \frac{|0\rangle\,|1\rangle + |1\rangle\,|0\rangle}{\sqrt{2}}\tag{4}$$

$$|\Psi^-\rangle = |\beta_{11}\rangle = \frac{|0\rangle\,|1\rangle - |1\rangle\,|0\rangle}{\sqrt{2}}\tag{5}$$

The main advantage of quantum entanglement is that if one qubit of the pair is measured, then the other collapses immediately regardless of the distance between the two. This unique characteristic of quantum entanglement can be used for quantum key distribution, as first described by Ekert in the E91 protocol. In order to achieve quantum key distribution, multiple EPR pairs will be needed; for this reason, a mathematical representation of multiple EPR pairs will be expedient. If one starts with the entangled Bell state $|\Phi^+\rangle$, which can be cast as

$$|\Phi^+\rangle = \frac{1}{\sqrt{2}} \left(|0\rangle_A |0\rangle_B + |1\rangle_A |1\rangle_B\right) \; , \tag{6}$$

some easy computations show that

$$|\Phi^+\rangle^{\otimes n} = \frac{1}{\sqrt{2^{n}}} \sum_{\mathbf{x} \in \{0, 1\}^{n}} |\mathbf{x}\rangle_{A} |\mathbf{x}\rangle_{B} \tag{7}$$

which will be required in the presentation of Section 3.

#### *2.2. A Brief Description of the Bernstein-Vazirani Algorithm*

Regarded as one of the earliest quantum algorithms, along with the Deutsch-Jozsa algorithm and Simon's periodicity algorithm, the Bernstein-Vazirani algorithm, first introduced by Ethan Bernstein and Umesh Vazirani, can be considered a useful extension of the Deutsch-Jozsa algorithm, since it was directly inspired by it and shares multiple common characteristics in both structure and implementation. Yet, despite the similarities, it has proved its value by demonstrating that the superiority of a quantum computer can be successfully used for more complex problems than the Deutsch-Jozsa problem.

The Bernstein-Vazirani problem can be described as the following game between two players, namely Alice and Bob, who are spatially separated. Alice in Athens is corresponding with Bob in Corfu using letters. Alice starts the game by selecting a number $x$ from 0 to $2^n - 1$ and mails its binary $n$-bit representation $\mathbf{x}$ to Bob. After Bob receives this message, he calculates the value of some function

$$f: \{0, 1, \ldots, 2^n - 1\} \to \{0, 1\} \,,\tag{8}$$

and replies with the result, which is either 0 or 1. The rules of the game dictate that Bob must use a function $f_{\mathbf{s}}(\mathbf{x})$, where $\mathbf{s} = s_{n-1} \dots s_1 s_0$ and $\mathbf{x} = x_{n-1} \dots x_1 x_0$ are $n$-bit binary numbers representing integers in the range $0, 1, \dots, 2^n - 1$, such that

$$f_{\mathbf{s}}(\mathbf{x}) = \mathbf{s} \cdot \mathbf{x} \bmod 2 \,\,. \tag{9}$$

The inner product modulo 2 is defined as

$$\mathbf{s} \cdot \mathbf{x} \bmod 2 = s_{n-1} x_{n-1} \oplus \dots \oplus s_0 x_0 \tag{10}$$

where ⊕ is the exclusive-or operator. Therefore, the function is guaranteed to return the inner product modulo 2 of Alice's input $\mathbf{x}$ with a secret key $\mathbf{s}$ that Bob has chosen. Alice's goal in this game is to determine with certainty the secret key $\mathbf{s}$ that Bob has picked, corresponding with him as little as possible. How fast can she succeed?

In the *classical* version of this problem, Alice can find the secret key $\mathbf{s}$ by taking advantage of the nature of the function $f_{\mathbf{s}}(\mathbf{x})$ and, in particular, by sending Bob the inputs shown in Table 1.

**Table 1.** Alice must communicate with Bob $n$ times in order to find the secret key $\mathbf{s}$.


In that way, Alice discovers one bit of the string $\mathbf{s}$ (the bit $s_i$) with each query she sends. For example, with $\mathbf{x} = 10 \dots 0$ she obtains the most significant bit of $\mathbf{s}$, with $\mathbf{x} = 01 \dots 0$ she finds the next most significant bit of $\mathbf{s}$, and by following the same procedure, when she reaches $\mathbf{x} = 00 \dots 1$ she will finally have revealed the entire string $\mathbf{s}$. Despite the efficiency of this method, Alice is still limited to sending Bob only one query at a time. Therefore, the best possible classical scenario requires her to correspond with Bob at least $n$ times in order to succeed in her goal.

By observing the core attributes of the aforementioned game, we can divide it into the following three big steps, which are:


It can be seen from the above steps that the game can easily become more efficient by using certain tools from quantum mechanics. If Alice and Bob were able to exchange information using qubits instead of classical bits, then Alice could send a superposition of all her queries to Bob in a single message. Furthermore, if Bob were to apply a unitary transformation $U_f$ instead of evaluating the function $f_{\mathbf{s}}(\mathbf{x})$ classically, then Alice would be able to achieve her goal with only one round of communication.

The *quantum* version of the Bernstein-Vazirani algorithm can be described by the following quantum game. The game starts with Alice preparing two quantum registers, one of size $n$ in which to store her query and one of size 1 in which Bob will store his answer. We will refer to these registers as Alice's input and output registers, respectively. Next, she applies the Hadamard gate to every qubit, in order to obtain the even superposition state of each register, and then she sends both registers to Bob. Right after Bob receives the contents of the registers, he applies the unitary transform $U_f$ and sends them back to Alice. In the final stage of the game, Alice concludes the algorithm by measuring her input register and obtaining the secret key **s**. The whole process of the game is summarized in Figure 1 below.

**Figure 1.** Schematic representation of the Bernstein-Vazirani algorithm.

Now, in order to obtain a better understanding of the nature of the algorithm, let us examine the evolution of the quantum states more closely. First, Alice starts with the initial state

$$\left|\Psi\_0\right\rangle = \left|0\right\rangle^{\otimes n} \left|1\right\rangle. \tag{11}$$

The $n$ qubits of her input register are all prepared in the state $|0\rangle$ and the qubit of the output register is prepared in the state $|1\rangle$. Next, Alice applies the Hadamard transform to both registers and the state becomes

$$|\psi\_1\rangle = \frac{1}{\sqrt{2^n}} \sum\_{\mathbf{x} \in \{0, 1\}^n} |\mathbf{x}\rangle \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right). \tag{12}$$

The derivation of the previous equation is based on the fact that

$$H^{\otimes n} \left| 0 \right\rangle^{\otimes n} = \frac{1}{\sqrt{2^n}} \sum\_{\mathbf{x} \in \{0, 1\}^n} \left| \mathbf{x} \right\rangle \,, \tag{13}$$

a standard result in the literature (for its derivation see [26,27]). At this point the input register is in an even superposition of all possible states and the output register is in an evenly weighted superposition of $|0\rangle$ and $|1\rangle$. Thus, Alice is now ready to send both registers to Bob so he may apply the function $f_{\mathbf{s}}(\mathbf{x})$ using

$$U_f: |\mathbf{x}, y\rangle \to |\mathbf{x}, y \oplus f(\mathbf{x})\rangle \,, \tag{14}$$

which results in the next state

$$|\psi\_2\rangle = \frac{1}{\sqrt{2^n}} \sum\_{\mathbf{x} \in \{0, 1\}^n} (-1)^{f(\mathbf{x})} |\mathbf{x}\rangle \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right) \,. \tag{15}$$

The appearance of $(-1)^{f(\mathbf{x})}$ in Equation (15) is due to the fact that if $|y\rangle = \frac{|0\rangle - |1\rangle}{\sqrt{2}}$, then

$$|y \oplus f(\mathbf{x})\rangle = \begin{cases} \dfrac{|0\rangle - |1\rangle}{\sqrt{2}} & \text{if } f(\mathbf{x}) = 0 \\[6pt] \dfrac{|1\rangle - |0\rangle}{\sqrt{2}} & \text{if } f(\mathbf{x}) = 1 \end{cases} \;\Rightarrow\; |y \oplus f(\mathbf{x})\rangle = (-1)^{f(\mathbf{x})} \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right). \tag{16}$$

In view of (9), Equation (15) becomes

$$|\psi_2\rangle = \frac{1}{\sqrt{2^n}} \sum_{\mathbf{x} \in \{0, 1\}^n} (-1)^{\mathbf{s} \cdot \mathbf{x}} |\mathbf{x}\rangle \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right) ,\tag{17}$$

which is the state returned back to Alice.

Let us now recall the following well-known equation, which gives in succinct form the result of applying the Hadamard transformation to an arbitrary $n$-qubit basis ket $|\mathbf{x}\rangle$ (see [26,27]).

$$H^{\otimes n} \left| \mathbf{x} \right> = \frac{1}{\sqrt{2^n}} \sum\_{\mathbf{z} \in \{0, 1\}^n} (-1)^{\mathbf{z} \cdot \mathbf{x}} \left| \mathbf{z} \right> \,. \tag{18}$$

Thus, after Alice receives the registers back, she applies the Hadamard transform to the input register for a second time. Via the use of Equation (18), the resulting state can be written as

$$\begin{array}{rcl} |\psi_3\rangle &=& \dfrac{1}{\sqrt{2^n}} \displaystyle\sum_{\mathbf{x} \in \{0,1\}^n} (-1)^{\mathbf{s}\cdot\mathbf{x}} H^{\otimes n} |\mathbf{x}\rangle \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) \\[10pt] &=& \dfrac{1}{\sqrt{2^n}} \displaystyle\sum_{\mathbf{x} \in \{0,1\}^n} (-1)^{\mathbf{s}\cdot\mathbf{x}} \left( \frac{1}{\sqrt{2^n}} \sum_{\mathbf{z} \in \{0,1\}^n} (-1)^{\mathbf{z}\cdot\mathbf{x}} |\mathbf{z}\rangle \right) \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) \\[10pt] &=& \dfrac{1}{2^n} \displaystyle\sum_{\mathbf{x} \in \{0,1\}^n} \sum_{\mathbf{z} \in \{0,1\}^n} (-1)^{\mathbf{s}\cdot\mathbf{x} \,\oplus\, \mathbf{z}\cdot\mathbf{x}} |\mathbf{z}\rangle \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) \\[10pt] &=& \dfrac{1}{2^n} \displaystyle\sum_{\mathbf{z} \in \{0,1\}^n} \sum_{\mathbf{x} \in \{0,1\}^n} (-1)^{(\mathbf{s} \oplus \mathbf{z}) \cdot \mathbf{x}} |\mathbf{z}\rangle \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) = |\mathbf{s}\rangle \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right) \end{array} \tag{19}$$

The last equality is due to the following fact: if $\mathbf{s} = \mathbf{z}$, then $(\mathbf{s} \oplus \mathbf{z}) \cdot \mathbf{x} = 0$ for all $\mathbf{x} \in \{0,1\}^n$; otherwise, for exactly half of the inputs $\mathbf{x}$ the exponent will be 0 and for the remaining half it will be 1. This is typically written more concisely as

$$\sum_{\mathbf{x}\in\{0,1\}^n} (-1)^{(\mathbf{s}\oplus\mathbf{z})\cdot\mathbf{x}} = 2^n \delta_{\mathbf{s},\mathbf{z}} \,. \tag{20}$$

The algorithm terminates with the final measurement of the input register by Alice whereby she obtains the secret key **s** and concludes the whole process.
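The two strategies above, the classical one of Table 1 and the single-query quantum one, can be checked side by side with the following Python program. It is an example added to this page, not the authors' code: the input register is simulated as a plain state vector, the output register is folded into the phase $(-1)^{f(\mathbf{x})}$ exactly as Equation (16) allows, and $H^{\otimes n}$ is applied through the direct definition of Equation (18). The 5-bit key 10110 used in the demonstration is a constructed value.

```python
"""Bernstein-Vazirani: n classical queries versus one quantum query.

Added example for this page, not the authors' code.  The quantum part is a
plain state-vector simulation of the n-qubit input register: the output
register is folded into the phase (-1)^{f(x)} by the kickback of Eq. (16),
and H^{⊗n} is applied through the direct definition of Eq. (18).
"""
from math import sqrt


def parity(a: int, b: int) -> int:
    """Inner product modulo 2 of Eq. (10): popcount(a AND b) mod 2."""
    return bin(a & b).count("1") & 1


def make_oracle(s: int):
    """Bob's function f_s(x) = s . x mod 2 of Eq. (9), for a chosen key s."""
    return lambda x: parity(s, x)


def classical_bv(oracle, n: int):
    """Recover s with the n unit-vector queries of Table 1.

    The query x = 2**i has a single 1 in position i, so f_s(x) = s_i.
    Returns (recovered_key, number_of_queries).
    """
    s = 0
    for i in range(n):
        s |= oracle(1 << i) << i
    return s, n


def quantum_bv(oracle, n: int):
    """One oracle call: build |psi_2> of Eq. (15), apply H^{⊗n}, measure.

    Returns (most_likely_outcome, its_probability); by Eq. (19) the
    outcome is s with probability 1.
    """
    dim = 1 << n
    # |psi_2>: uniform superposition carrying the phase (-1)^{f(x)} on |x>.
    psi2 = [(-1) ** oracle(x) / sqrt(dim) for x in range(dim)]
    # H^{⊗n}|x> = 2^{-n/2} sum_z (-1)^{z.x} |z>  (Eq. 18), summed over all x.
    psi3 = [sum((-1) ** parity(z, x) * psi2[x] for x in range(dim)) / sqrt(dim)
            for z in range(dim)]
    probs = [amp * amp for amp in psi3]
    outcome = max(range(dim), key=probs.__getitem__)
    return outcome, probs[outcome]


if __name__ == "__main__":
    n, s = 5, 0b10110                 # constructed example key
    f = make_oracle(s)
    print("classical:", classical_bv(f, n))   # (22, 5): five queries
    print("quantum:  ", quantum_bv(f, n))     # (22, 1.0): one query
```

The classical routine must call the oracle $n$ times, whereas `quantum_bv` calls it once per basis state only to build the amplitudes of a single superposed query; the final distribution has all its weight on $|\mathbf{s}\rangle$, which is the content of Equation (19).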

#### **3. QKD Based on Symmetric Entangled B-V**

In this section, the two versions of the proposed symmetric entangled QKD protocol based on the Bernstein-Vazirani algorithm are presented and described in great detail. These are the *fully symmetric* version of the protocol, or **fSEBV** for short, and the *semisymmetric* version of the protocol, or **sSEBV** for short.

#### *3.1. The fSEBV Protocol*

Starting with the fSEBV protocol, we consider a slight alteration of the aforementioned Bernstein-Vazirani game. As before, the game starts with the two players Alice and Bob, who are spatially separated. This time, instead of using ordinary qubits in a separable state, they use maximally entangled EPR pairs, each of them holding one qubit from every pair. An important rule of the game is that there are no limitations on which entity actually creates the EPR pairs in the first place. The pairs can be created and distributed by Alice or Bob, or they can be acquired from a third-party source. This last situation is depicted in Figure 2. Exactly as in the previous game, the goal of the current game is to acquire a secret key **s**. However, in this specific protocol symmetry plays a crucial role, as Alice and Bob behave in a perfectly symmetrical way: each has their own secret key, which they will input into the system exactly as in the original algorithm. Alice's key is denoted by $\mathbf{s}_A$, Bob's key by $\mathbf{s}_B$, and they both take identical actions. Please note that neither Alice nor Bob needs to apply the Hadamard transform to their input registers, because these are already in the desired even superposition of all basis states, as they are populated by $n$ pairs in the $|\Phi^+\rangle$ Bell state. In this respect the fSEBV protocol differs from the vanilla Bernstein-Vazirani algorithm.

**Figure 2.** Alice and Bob are spatially separated. A third party, the source, creates $n$ pairs of $|\Phi^+\rangle$ entangled photons and sends one qubit from every pair to Alice and the other qubit to Bob.

Following the aforementioned steps of the fSEBV protocol, a natural question arises: what will Alice and Bob obtain after they both apply their initial secret keys $\mathbf{s}_A$ and $\mathbf{s}_B$ to their own halves of the EPR pairs? To answer it, let us examine the algorithm more closely. With the help of Equation (7), the initial state of the protocol can be written as

$$|\psi\_0\rangle = |\Phi^+\rangle^{\otimes n} |1\rangle\_A |1\rangle\_B = \frac{1}{\sqrt{2^n}} \sum\_{\mathbf{x} \in \{0, 1\}^n} |\mathbf{x}\rangle\_A |\mathbf{x}\rangle\_B |1\rangle\_A |1\rangle\_B \ . \tag{21}$$

Subscripts A and B are consistently used to designate Alice's and Bob's registers respectively. Alice and Bob initiate the protocol by applying the Hadamard transform to their output registers, which produces the ensuing state

$$|\psi\_1\rangle = \frac{1}{\sqrt{2^n}} \sum\_{\mathbf{x} \in \{0, 1\}^n} |\mathbf{x}\rangle\_A |\mathbf{x}\rangle\_B \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)\_A \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)\_B. \tag{22}$$

Now, both Alice and Bob can apply their functions on their registers using the standard scheme

$$U_f: |\mathbf{x}, y\rangle \to |\mathbf{x}, y \oplus f(\mathbf{x})\rangle \,. \tag{23}$$

Consequently, the next state becomes

$$|\psi\_2\rangle = \frac{1}{\sqrt{2^n}} \sum\_{\mathbf{x} \in \{0, 1\}^n} (-1)^{f\_A(\mathbf{x})} |\mathbf{x}\rangle\_A (-1)^{f\_B(\mathbf{x})} |\mathbf{x}\rangle\_B \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)\_A \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)\_B. \tag{24}$$

At this stage, let us recall that Alice's and Bob's functions are

$$f\_A(\mathbf{x}) = \mathbf{s}\_A \cdot \mathbf{x} \bmod 2\tag{25}$$

$$f_B(\mathbf{x}) = \mathbf{s}_B \cdot \mathbf{x} \bmod 2 \,, \tag{26}$$

where $\mathbf{s}_A$ and $\mathbf{s}_B$ are the keys chosen by Alice and Bob, respectively. Based on (25) and (26), Equation (24) can be written as

$$\begin{split} |\psi_2\rangle &= \frac{1}{\sqrt{2^n}} \sum_{\mathbf{x} \in \{0,1\}^n} (-1)^{\mathbf{s}_A \cdot \mathbf{x}} |\mathbf{x}\rangle_A \, (-1)^{\mathbf{s}_B \cdot \mathbf{x}} |\mathbf{x}\rangle_B \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)_A \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)_B \\ &= \frac{1}{\sqrt{2^n}} \sum_{\mathbf{x} \in \{0,1\}^n} (-1)^{\mathbf{s}_A \cdot \mathbf{x} \,\oplus\, \mathbf{s}_B \cdot \mathbf{x}} |\mathbf{x}\rangle_A |\mathbf{x}\rangle_B \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)_A \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)_B \\ &= \frac{1}{\sqrt{2^n}} \sum_{\mathbf{x} \in \{0,1\}^n} (-1)^{(\mathbf{s}_A \oplus \mathbf{s}_B) \cdot \mathbf{x}} |\mathbf{x}\rangle_A |\mathbf{x}\rangle_B \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)_A \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)_B . \end{split} \tag{27}$$

Subsequently, both Alice and Bob apply the Hadamard transformation to their input registers. This drives the system into the next state, which, by utilizing Equation (18) twice, can be written as


When $\mathbf{z} \oplus \mathbf{w} = \mathbf{s}_A \oplus \mathbf{s}_B$, then for all $\mathbf{x} \in \{0,1\}^n$ the expression $(-1)^{(\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z} \oplus \mathbf{w})\cdot\mathbf{x}}$ becomes $(-1)^0 = 1$ and the sum $\sum_{\mathbf{x}\in\{0,1\}^n} (-1)^{(\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z} \oplus \mathbf{w})\cdot\mathbf{x}} = 2^n$.

Whenever $\mathbf{z} \oplus \mathbf{w} \neq \mathbf{s}_A \oplus \mathbf{s}_B$, the sum is just 0, because for exactly half of the inputs $\mathbf{x}$ the exponent will be 0 and for the remaining half it will be 1. Hence, one may write that

$$\sum_{\mathbf{x}\in\{0,1\}^n} (-1)^{(\mathbf{s}_A\oplus\mathbf{s}_B\oplus\mathbf{z}\oplus\mathbf{w})\cdot\mathbf{x}} = 2^n \, \delta_{\mathbf{s}_A\oplus\mathbf{s}_B,\;\mathbf{z}\oplus\mathbf{w}} \,. \tag{29}$$

Using Equation (29), and ignoring for the moment the two factors $\left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)_A$ and $\left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)_B$, the following two equivalent and symmetric forms can be derived

$$\sum_{\mathbf{z}\in\{0,1\}^n}\sum_{\mathbf{w}\in\{0,1\}^n}\sum_{\mathbf{x}\in\{0,1\}^n}(-1)^{(\mathbf{s}_A\oplus\mathbf{s}_B\oplus\mathbf{z}\oplus\mathbf{w})\cdot\mathbf{x}} \, |\mathbf{z}\rangle_A |\mathbf{w}\rangle_B = 2^n \sum_{\mathbf{z}\in\{0,1\}^n} |\mathbf{z}\rangle_A \, |\mathbf{s}_A\oplus\mathbf{s}_B\oplus\mathbf{z}\rangle_B \,, \tag{30}$$

and

$$\sum_{\mathbf{w}\in\{0,1\}^n}\sum_{\mathbf{z}\in\{0,1\}^n}\sum_{\mathbf{x}\in\{0,1\}^n}(-1)^{(\mathbf{s}_A\oplus\mathbf{s}_B\oplus\mathbf{z}\oplus\mathbf{w})\cdot\mathbf{x}} \, |\mathbf{z}\rangle_A |\mathbf{w}\rangle_B = 2^n \sum_{\mathbf{w}\in\{0,1\}^n} |\mathbf{s}_A\oplus\mathbf{s}_B\oplus\mathbf{w}\rangle_A \, |\mathbf{w}\rangle_B \,. \tag{31}$$

By combining (28) with (30) and (31), state $|\psi_3\rangle$ can be written in two different ways:

$$\begin{split} |\psi_3\rangle &= \frac{1}{\sqrt{2^n}} \sum_{\mathbf{z}\in\{0,1\}^n} |\mathbf{z}\rangle_A \, |\mathbf{s}_A\oplus\mathbf{s}_B\oplus\mathbf{z}\rangle_B \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)_A \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)_B \\ &= \frac{1}{\sqrt{2^n}} \sum_{\mathbf{w}\in\{0,1\}^n} |\mathbf{s}_A\oplus\mathbf{s}_B\oplus\mathbf{w}\rangle_A \, |\mathbf{w}\rangle_B \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)_A \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)_B . \end{split} \tag{32}$$

Finally, Alice and Bob measure their EPR pairs in the input registers, obtaining

$$\left|\psi\_{4}\right\rangle = \left|\mathbf{z}\_{0}\right\rangle\_{A} \left|\mathbf{s}\_{A} \oplus \mathbf{s}\_{B} \oplus \mathbf{z}\_{0}\right\rangle\_{B} = \left|\mathbf{s}\_{A} \oplus \mathbf{s}\_{B} \oplus \mathbf{w}\_{0}\right\rangle\_{A} \left|\mathbf{w}\_{0}\right\rangle\_{B} \quad \text{ for some} \quad \mathbf{z}\_{0}, \mathbf{w}\_{0} \in \left\{0, 1\right\}^{n}. \tag{33}$$

Please note that in general $\mathbf{z}_0 \neq \mathbf{w}_0$. The quantum part of the protocol is now complete. The final secret key is the string $\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z}_0$ that Bob measured in his input register. In the highly unlikely event that $|\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z}_0\rangle = |0\rangle^{\otimes n}$, Bob should inform Alice through the public channel that the whole procedure must be repeated, since such a key is clearly unacceptable. However, for an $n$-bit key the probability of this happening is negligible, namely $1/2^n$, which rapidly tends to 0 as $n \to \infty$. Hence, it may be safely assumed that Bob possesses a viable secret key, namely $\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z}_0$. The final step is for Alice to obtain the secret key too. This is easily achieved by simply having Bob publicly announce his initial key $\mathbf{s}_B$ to Alice via the public channel. Alice, who has measured the binary string $\mathbf{z}_0$ and already knows her own initial key $\mathbf{s}_A$, can then compute the final key by XOR-ing $\mathbf{s}_A$, her measurement $\mathbf{z}_0$ and Bob's initial key $\mathbf{s}_B$, which she learns from the public channel. This concludes the fSEBV protocol.

The symmetry inherent in this protocol, enables the seamless reversal of roles. The protocol, as stated above, grants the initiative to Bob: it is his measurement **s***<sup>A</sup>* ⊕ **s***<sup>B</sup>* ⊕ **z**<sup>0</sup> that produces the secret key and it is his task to send his initial key **s***<sup>B</sup>* to Alice, in order to successfully complete the procedure. It is equally feasible to have Alice instead of Bob drive the whole process by taking her measurement **s***<sup>A</sup>* ⊕ **s***<sup>B</sup>* ⊕ **w**<sup>0</sup> to be the secret key, as shown in (33). In such an implementation of the fSEBV protocol, Alice must reveal her initial key **s***<sup>A</sup>* to Bob via the public channel.

During the transmission of Bob's key $\mathbf{s}_B$ over the public channel, a potential eavesdropper, Eve, gains no advantage by listening in. Since she knows neither $\mathbf{z}_0$ nor $\mathbf{s}_A$, she has no way of knowing or computing the final secret key. Hence, provided that Alice and Bob generate their initial keys with a random number generator, so as to avoid any patterns in the keys, the fSEBV protocol leaves Eve with $2^n$ different combinations to test in order to find the secret key.

The steps of the protocol from Alice's and Bob's side are shown below in an algorithmic manner. Figure 3 depicts the protocol graphically in the form of a quantum circuit.

**Figure 3.** Schematic representation of the proposed protocol as a quantum circuit.



• Otherwise Bob communicates his tentative key **s***<sup>B</sup>* to Alice via the public channel

#### *3.2. The sSEBV Protocol*

The sSEBV protocol explores a special but important case of the fSEBV protocol, which differs from the latter in one important aspect. Alice possesses her random initial key $\mathbf{s}_A$, but Bob's key $\mathbf{s}_B$ is no longer a random binary string; it is specifically taken to be $\mathbf{0} = 0 \ldots 0$. Essentially, the sSEBV protocol answers the question of what happens if one of the players, either Alice or Bob, decides not to input a key. As before, Alice and Bob are spatially separated and they share $n$ EPR pairs. In this variant, Alice and Bob behave in a semi-symmetrical way: Alice still uses her random initial key $\mathbf{s}_A$, but Bob is obliged to use $\mathbf{0}$ as his initial key.

In this case, by using Equation (7), it can be seen that the initial state of the system is

$$|\psi_0\rangle = |\Phi^+\rangle^{\otimes n} |1\rangle_A |1\rangle_B = \frac{1}{\sqrt{2^n}} \sum_{\mathbf{x} \in \{0, 1\}^n} |\mathbf{x}\rangle_A |\mathbf{x}\rangle_B |1\rangle_A |1\rangle_B \,. \tag{34}$$

Similarly, Alice and Bob initiate the protocol by applying the Hadamard transform to their output registers, which produces the ensuing state

$$|\psi\_1\rangle = \frac{1}{\sqrt{2^n}} \sum\_{\mathbf{x} \in \{0, 1\}^n} |\mathbf{x}\rangle\_A |\mathbf{x}\rangle\_B \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)\_A \left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)\_B. \tag{35}$$

Next Alice and Bob apply their corresponding functions on their registers via the standard scheme

$$U_f: |\mathbf{x}, y\rangle \to |\mathbf{x}, y \oplus f(\mathbf{x})\rangle \,, \tag{36}$$

only now the situation is quite different because Bob must necessarily use **0**:

$$f\_A(\mathbf{x}) = \mathbf{s}\_A \cdot \mathbf{x} \bmod 2\tag{37}$$

$$f_B(\mathbf{x}) = \mathbf{0} \cdot \mathbf{x} \bmod 2 = 0 \,. \tag{38}$$

In view of Equations (37) and (38), the next state becomes

$$\begin{split} \left| \psi\_{2} \right\rangle &= \frac{1}{\sqrt{2^{n}}} \sum\_{\mathbf{x} \in \{0,1\}^{n}} (-1)^{f\_{A}(\mathbf{x})} \left| \mathbf{x} \right\rangle\_{A} (-1)^{0} \left| \mathbf{x} \right\rangle\_{B} \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)\_{A} \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)\_{B} \\ &= \frac{1}{\sqrt{2^{n}}} \sum\_{\mathbf{x} \in \{0,1\}^{n}} (-1)^{\mathbf{s}\_{A} \cdot \mathbf{x}} \left| \mathbf{x} \right\rangle\_{A} \left| \mathbf{x} \right\rangle\_{B} \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)\_{A} \left( \frac{|0\rangle - |1\rangle}{\sqrt{2}} \right)\_{B} . \end{split} \tag{39}$$

Subsequently, both Alice and Bob apply the Hadamard transformation to their input registers. Taking into account Equation (18), one can see that their combined actions drive the system into the next state


When $\mathbf{z} \oplus \mathbf{w} = \mathbf{s}_A$, then for all $\mathbf{x} \in \{0,1\}^n$ the expression $(-1)^{(\mathbf{s}_A \oplus \mathbf{z} \oplus \mathbf{w})\cdot\mathbf{x}}$ becomes $(-1)^0 = 1$ and the sum $\sum_{\mathbf{x}\in\{0,1\}^n} (-1)^{(\mathbf{s}_A \oplus \mathbf{z} \oplus \mathbf{w})\cdot\mathbf{x}} = 2^n$. Whenever $\mathbf{z} \oplus \mathbf{w} \neq \mathbf{s}_A$, the sum is just 0, because for exactly half of the inputs $\mathbf{x}$ the exponent will be 0 and for the remaining half it will be 1. Therefore, again one may write that

$$\sum_{\mathbf{x}\in\{0,1\}^n} (-1)^{(\mathbf{s}_A\oplus\mathbf{z}\oplus\mathbf{w})\cdot\mathbf{x}} = 2^n \, \delta_{\mathbf{s}_A,\;\mathbf{z}\oplus\mathbf{w}} \,. \tag{41}$$

Using Equation (41), and ignoring for the moment the two factors $\left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)_A$ and $\left(\frac{|0\rangle - |1\rangle}{\sqrt{2}}\right)_B$, the following two equivalent and symmetric forms can be derived

$$\sum_{\mathbf{z}\in\{0,1\}^n}\sum_{\mathbf{w}\in\{0,1\}^n}\sum_{\mathbf{x}\in\{0,1\}^n}(-1)^{(\mathbf{s}_A\oplus\mathbf{z}\oplus\mathbf{w})\cdot\mathbf{x}} \, |\mathbf{z}\rangle_A |\mathbf{w}\rangle_B = 2^n \sum_{\mathbf{z}\in\{0,1\}^n} |\mathbf{z}\rangle_A \, |\mathbf{s}_A\oplus\mathbf{z}\rangle_B \,, \tag{42}$$

and

$$\sum\_{\mathbf{w}\in\{0,1\}^{n}}\sum\_{\mathbf{z}\in\{0,1\}^{n}}\sum\_{\mathbf{x}\in\{0,1\}^{n}}(-1)^{(\mathbf{s}\_{A}\oplus\mathbf{z}\oplus\mathbf{w})\cdot\mathbf{x}}|\mathbf{z}\rangle\_{A}|\mathbf{w}\rangle\_{B} = 2^{n}\sum\_{\mathbf{w}\in\{0,1\}^{n}}|\mathbf{s}\_{A}\oplus\mathbf{w}\rangle\_{A}|\mathbf{w}\rangle\_{B}\,. \tag{43}$$

By combining (40) with (42) and (43), state |*ψ*<sup>3</sup> can be written in two different ways:

$$\begin{array}{rcl}|\psi\_{3}\rangle &=& \frac{1}{\sqrt{2^{n}}} \sum\_{\mathbf{z}\in\{0,1\}^{n}} |\mathbf{z}\rangle\_{A} \,|\mathbf{s}\_{A}\oplus\mathbf{z}\rangle\_{B} \left(\frac{|0\rangle-|1\rangle}{\sqrt{2}}\right)\_{A} \Big(\frac{|0\rangle-|1\rangle}{\sqrt{2}}\Big)\_{B} \\ &=& \frac{1}{\sqrt{2^{n}}} \sum\_{\mathbf{w}\in\{0,1\}^{n}} |\mathbf{s}\_{A}\oplus\mathbf{w}\rangle\_{A} \,|\mathbf{w}\rangle\_{B} \left(\frac{|0\rangle-|1\rangle}{\sqrt{2}}\right)\_{A} \Big(\frac{|0\rangle-|1\rangle}{\sqrt{2}}\Big)\_{B}. \end{array} \tag{44}$$

Now, when Alice and Bob measure their input registers, they will obtain

$$|\psi\_4\rangle = |\mathbf{z}\_0\rangle\_A \left| \mathbf{s}\_A \oplus \mathbf{z}\_0 \right\rangle\_B = |\mathbf{s}\_A \oplus \mathbf{w}\_0\rangle\_A \left| \mathbf{w}\_0 \right\rangle\_B \quad \text{ for some} \quad \mathbf{z}\_0, \mathbf{w}\_0 \in \{0, 1\}^n. \tag{45}$$

As in the fSEBV protocol, here too $\mathbf{z}_0 \neq \mathbf{w}_0$ in general. This time, there are two ways in which the final part of the protocol can unfold. One way, exactly as before, is to take Bob's measurement as the new secret key. The other, equally viable choice, is to take Alice's initial key $\mathbf{s}_A$ as the final secret key. In that case Alice must publicly announce $\mathbf{z}_0$ to Bob via the public channel, so that he can compute $\mathbf{s}_A = \mathbf{w}_0 \oplus \mathbf{z}_0$ from his own measurement $\mathbf{w}_0 = \mathbf{s}_A \oplus \mathbf{z}_0$. This is a suitable choice in cases where, for whatever reason, Alice must set the secret key herself, not wanting to leave anything to chance. In that way she may securely communicate her chosen key to Bob. As before, during the transmission of Alice's measurement $\mathbf{z}_0$ over the public channel, Eve gains no advantage by eavesdropping on their communication. Since she knows nothing about $\mathbf{s}_A$, she has no way of knowing or computing the final secret key. Hence, the sSEBV protocol also ensures that if Alice devises her key using a random number generator, in order to avoid possible patterns in the key, Eve will be left with $2^n$ different combinations to test in order to find the secret key.

The detailed actions for the implementation of the sSEBV protocol from Alice's and Bob's side are given below. Although the sSEBV protocol is not perfectly symmetric, reversal of Alice's and Bob's roles is still trivially easy. As can be seen from the following description, not only is Alice the one to choose the secret key, but it is also she that sends the final measurement **z**<sup>0</sup> to Bob so that he can successfully derive the secret key. It is equally feasible to have Bob instead of Alice choose the secret key and have Alice use **0** in the first stage. In such a realization of the sSEBV protocol, Bob must also reveal his final measurement **w**<sup>0</sup> to Alice via the public channel.
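The following Python program, added here as an example and not part of the authors' Qiskit implementation, simulates the quantum part of both variants and the classical post-processing over the public channel. It keeps only the two $n$-qubit input registers (the output registers are folded into the phases $(-1)^{f_A(\mathbf{x})}(-1)^{f_B(\mathbf{x})}$ by Equation (16)), checks the correlation of Equations (33) and (45) on every measurement outcome, and then lets Alice derive Bob's key in fSEBV and Bob derive Alice's key in sSEBV; setting $\mathbf{s}_B = \mathbf{0}$ turns the fSEBV state into the sSEBV one of Equation (44). The keys $\mathbf{s}_A = 101$ and $\mathbf{s}_B = 110$ are those of the examples in Section 4; the `seed` argument and the `repeats` counter are conveniences of this example, not part of the protocol.

```python
"""fSEBV / sSEBV: state-vector simulation of the entangled Bernstein-Vazirani
protocol plus the classical post-processing.  Added example, not the authors'
Qiskit circuits.  Both output registers are folded into the phases
(-1)^{f_A(x)} (-1)^{f_B(x)} via Eq. (16), so only the two n-qubit input
registers are kept; amplitudes are psi[z][w] for the basis ket |z>_A |w>_B.
"""
import random
from math import sqrt


def parity(a: int, b: int) -> int:
    """Inner product modulo 2 of Eq. (10)."""
    return bin(a & b).count("1") & 1


def sebv_state(s_a: int, s_b: int, n: int):
    """|psi_3> of Eq. (32); s_b = 0 gives Eq. (44), the sSEBV variant."""
    dim = 1 << n
    # Eq. (21)/(27): the n Bell pairs |Phi+> are supported on x_A = x_B and
    # the two oracle calls leave the phase (-1)^{(s_A xor s_B).x} on |x>|x>.
    psi2 = [[0.0] * dim for _ in range(dim)]
    for x in range(dim):
        psi2[x][x] = (-1) ** parity(s_a ^ s_b, x) / sqrt(dim)
    # Eq. (18) applied to Alice's register and again to Bob's register.
    psi3 = [[0.0] * dim for _ in range(dim)]
    for z in range(dim):
        for w in range(dim):
            psi3[z][w] = sum((-1) ** (parity(z, x) ^ parity(w, y)) * psi2[x][y]
                             for x in range(dim) for y in range(dim)) / dim
    return psi3


def outcomes(psi3, eps: float = 1e-12) -> dict:
    """{(z_0, w_0): probability} for every outcome of non-zero probability."""
    dim = len(psi3)
    return {(z, w): psi3[z][w] ** 2
            for z in range(dim) for w in range(dim) if psi3[z][w] ** 2 > eps}


def correlation_holds(s_a: int, s_b: int, n: int) -> bool:
    """Eq. (33)/(45): every outcome satisfies w_0 = s_A xor s_B xor z_0 and
    the 2^n surviving outcomes are equiprobable."""
    dist = outcomes(sebv_state(s_a, s_b, n))
    return (len(dist) == 1 << n
            and all(w == s_a ^ s_b ^ z for (z, w) in dist)
            and all(abs(p - 1 / (1 << n)) < 1e-9 for p in dist.values()))


def fsebv_alice_key(s_a: int, z_0: int, s_b_announced: int) -> int:
    """fSEBV: the key is Bob's measurement s_A xor s_B xor z_0; after Bob
    announces s_B, Alice recomputes it from her own s_A and z_0."""
    return s_a ^ z_0 ^ s_b_announced


def ssebv_bob_key(w_0: int, z_0_announced: int) -> int:
    """sSEBV: Bob measured w_0 = s_A xor z_0; once Alice announces z_0 he
    recovers the key s_A that she chose."""
    return w_0 ^ z_0_announced


def sample_outcome(s_a: int, s_b: int, n: int, rng: random.Random):
    """Draw one (z_0, w_0) according to the measurement probabilities."""
    dist = outcomes(sebv_state(s_a, s_b, n))
    (z_0, w_0), = rng.choices(list(dist), weights=list(dist.values()))
    return z_0, w_0


def fsebv_round(s_a: int, s_b: int, n: int, seed: int = 0):
    """One fSEBV round.  Returns (bob_key, alice_key, public_transcript);
    the all-zero key is rejected and the quantum part repeated (Sec. 3.1)."""
    rng, repeats = random.Random(seed), 0           # seed: example convenience
    z_0, w_0 = sample_outcome(s_a, s_b, n, rng)
    while w_0 == 0:
        repeats += 1
        z_0, w_0 = sample_outcome(s_a, s_b, n, rng)
    public = {"s_B": s_b, "repeats": repeats}       # all that Eve observes
    return w_0, fsebv_alice_key(s_a, z_0, public["s_B"]), public


def ssebv_round(s_a: int, n: int, seed: int = 0):
    """One sSEBV round with Bob forced to s_B = 0: Alice announces z_0 and
    Bob derives s_A.  Returns (alice_key, bob_key, public_transcript)."""
    z_0, w_0 = sample_outcome(s_a, 0, n, random.Random(seed))
    public = {"z_0": z_0}                           # all that Eve observes
    return s_a, ssebv_bob_key(w_0, public["z_0"]), public


def eve_key_distribution(s_a: int, s_b: int, n: int) -> dict:
    """Key probabilities {key: p}.  Eve learns s_B but never z_0, so all 2^n
    keys remain equally likely from her point of view."""
    return {w: p for (_, w), p in outcomes(sebv_state(s_a, s_b, n)).items()}


if __name__ == "__main__":
    n, s_a, s_b = 3, 0b101, 0b110                   # keys of Section 4
    print("fSEBV correlation:", correlation_holds(s_a, s_b, n))
    print("fSEBV round:", fsebv_round(s_a, s_b, n))
    print("sSEBV round:", ssebv_round(s_a, n))
    print("Eve's candidates:", len(eve_key_distribution(s_a, s_b, n)))
```

`correlation_holds` is the programmatic counterpart of inspecting Figure 5 or Figure 7: exactly $2^n$ outcomes survive, each with probability $1/2^n$, and every one of them satisfies $\mathbf{w}_0 = \mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z}_0$. `eve_key_distribution` makes the eavesdropping claim concrete: with $\mathbf{s}_B$ public but $\mathbf{z}_0$ unknown, all $2^n$ keys are equally likely, so the transcript gives Eve nothing beyond brute force.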

#### **4. Examples Illustrating the Operation of the Protocols**

This section presents and analyzes two small-scale but detailed examples in order to illustrate the operation of the fSEBV and sSEBV protocols in practice. The fSEBV and sSEBV protocols were simulated using IBM's *Qiskit* open source SDK ([28]). Specifically, the Aer provider with the high-performance *qasm* simulator for quantum circuits [29] in its default settings was used. Please note that during our tests it was not possible to simulate in Qiskit Alice and Bob being spatially separated, or a third-party source providing the entangled EPR pairs. These important assumptions therefore cannot be accurately reflected in the simulation, and for that reason the examples do not represent a real-life environment. As a result, Alice and Bob appear in the same circuit. Specifically, Alice's input register consists of the qubits $|q_2 q_1 q_0\rangle$ and her output register is $|q_3\rangle$. Symmetrically, Bob's input register consists of the qubits $|q_6 q_5 q_4\rangle$ and his output register is $|q_7\rangle$. Moreover, the entangled EPR pairs are created by the circuit itself. This is depicted in Figure 4, where in the initial stage of the corresponding circuits Hadamard and CNOT gates are used to populate Alice's and Bob's input registers with entangled EPR pairs, exactly as explained in Section 2.

#### **Protocol sSEBV:** Alice's actions


#### **Protocol sSEBV:** Bob's actions


#### *4.1. Example for the fSEBV Protocol*

In this example it is assumed that $\mathbf{s}_A = 101$ and $\mathbf{s}_B = 110$. The resulting circuit is displayed in Figure 4.

The final measurement by Alice and Bob will produce one of the 8 outcomes shown in Figure 5, along with their corresponding probabilities as given by running the qasm simulator for 2048 shots. A simple inspection of the possible outcomes confirms Equation (33), because every possible outcome can be written either as $|\mathbf{z}_0\rangle_A |\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z}_0\rangle_B$ or as $|\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{w}_0\rangle_A |\mathbf{w}_0\rangle_B$, for some, generally different, $\mathbf{z}_0, \mathbf{w}_0 \in \{0,1\}^n$. Hence, Bob, after measuring (and accepting) the secret key $\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z}_0$, just needs to send his initial key $\mathbf{s}_B = 110$ to Alice so that she too can derive the secret key.

**Figure 5.** The possible outcomes of the measurement and their corresponding probabilities for the circuit in Figure 4.

To avoid any confusion, we clarify that the measurements shown in Figure 5 depict both Alice's and Bob's input registers as $|q_6 q_5 q_4 q_2 q_1 q_0\rangle$. In particular, every one of the eight possible outcomes is shown along with the probability of measuring it, as computed by the qasm simulator. The three most significant bits represent Bob's measurement $|\mathbf{s}_A \oplus \mathbf{s}_B \oplus \mathbf{z}_0\rangle_B$ and the three least significant bits represent Alice's measurement $|\mathbf{z}_0\rangle_A$. Thus, for this specific example, if Bob announces his initial key $\mathbf{s}_B = 110$ to Alice, and Alice XORs her measurement with Bob's initial key and her own initial key $\mathbf{s}_A = 101$, then Alice obtains Bob's final measurement, which is the secret key. For instance, the outcome $001\,010$ corresponds to $\mathbf{z}_0 = 010$ on Alice's side and $101 \oplus 110 \oplus 010 = 001$ on Bob's side.

#### *4.2. Example for the sSEBV Protocol*

In this example too, the entangled EPR pairs are created by the circuit itself. In the initial stage of the corresponding circuit, Hadamard and CNOT gates are used to populate Alice's and Bob's input registers with entangled EPR pairs, as explained in Section 2. Moreover, it is assumed that $\mathbf{s}_A = 101$ and $\mathbf{s}_B = 000$. The resulting circuit is displayed in Figure 6.

**Figure 6.** The circuit for the sSEBV protocol.

This time the final measurement by Alice and Bob will produce one of the 8 outcomes shown in Figure 7, along with their corresponding probabilities as given by running the qasm simulator for 2048 shots. As noted in the previous case, it suffices to inspect the possible outcomes in order to confirm Equation (45). Now the correct interpretation of the outcomes means viewing them either as $|\mathbf{z}_0\rangle_A |\mathbf{s}_A \oplus \mathbf{z}_0\rangle_B$ or as $|\mathbf{s}_A \oplus \mathbf{w}_0\rangle_A |\mathbf{w}_0\rangle_B$, for some, generally different, $\mathbf{z}_0, \mathbf{w}_0 \in \{0,1\}^n$. Hence, Alice, after making her final measurement and finding a random binary string $\mathbf{z}_0$, just needs to send $\mathbf{z}_0$ to Bob. Then Bob will be able to derive Alice's chosen secret key $\mathbf{s}_A = 101$.

**Figure 7.** The possible outcomes of the measurement and their corresponding probabilities for the circuit in Figure 6.

Again, all eight possible outcomes are shown along with the probability of measuring each one of them, as computed by the qasm simulator. The measurements shown in Figure 7 depict both Alice's and Bob's input registers as $|q_6 q_5 q_4 q_2 q_1 q_0\rangle$, that is, the three most significant bits represent Bob's measurement $|\mathbf{s}_A \oplus \mathbf{z}_0\rangle_B$ and the three least significant bits represent Alice's measurement $|\mathbf{z}_0\rangle_A$. In this specific example, if Alice announces her measurement $\mathbf{z}_0$ to Bob, and Bob XORs his own measurement with it, then Bob obtains the secret key $\mathbf{s}_A = 101$ chosen by Alice; for instance, the outcome $111\,010$ gives $\mathbf{z}_0 = 010$ and $111 \oplus 010 = 101$.

#### **5. Discussion and Conclusions**

QKD protocols have surely proved by now that they are the future of key distribution. Their advantage stems from the fact that they allow us to harness the power of quantum-mechanics and nature's own laws, without having to rely on the complexity of certain mathematical problems. In this paper, we tried to further expand the field of quantum cryptography, by proposing a novel use for the Bernstein-Vazirani algorithm as a symmetrical entanglement-based QKD protocol, coming in two flavors.

These two flavors differ in the degree of symmetry employed by the protocol. In the fully symmetric variant, Alice and Bob take completely identical actions. This variant has the ability to create a totally new and original key, one that neither Alice nor Bob knew initially. This can be useful in many situations, as it offers an additional advantage security-wise. Furthermore, it provides a degree of fairness, by putting both parties on an equal footing, in the sense that neither Alice nor Bob can solely determine the secret key.

On the other hand, the semi-symmetric variant, which can technically be viewed as a special case of the first protocol, deviates from this symmetry. In effect, the semi-symmetric protocol answers the question of what happens if one of the two players wants to specify the secret key. In the presentation given in Section 3, it was Alice who chose the secret key, but it is trivial to adjust the protocol so that Bob is the party who decides the secret key. This protocol can be useful in situations where a specific key must be chosen by either Alice or Bob, and this key must be securely transmitted to the other party.

Additionally, we demonstrated two small-scale but comprehensive examples, illustrating the operation of the two protocols in practice. Finally, we explained the protocols' strength against an eavesdropping attack by Eve. Both variants exhibit the inherent robustness of entanglement-based protocols against Eve's attacks, as originally described by Ekert. Moreover, the use of extra inputs in order to acquire the final secret key adds another layer of security.

In closing, we remark that we also believe that the rest of the old quantum algorithms, such as the Deutsch-Jozsa algorithm and Simon's periodicity algorithm, can all be implemented as symmetrical entanglement-based QKD protocols, which is a viable suggestion for future work, along with evaluating the performance of these proposals against different quantum attacks.

**Author Contributions:** Conceptualization, T.A. and M.A.; methodology, T.A.; validation, M.A.; formal analysis, T.A.; investigation, M.A.; writing original draft preparation, M.A. and T.A. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Data Availability Statement:** Data sharing not applicable.

**Conflicts of Interest:** The authors declare no conflict of interest.

# *Article* **Protecting Physical Layer Secret Key Generation from Active Attacks**

**Miroslav Mitev <sup>1,\*</sup>, Arsenia Chorti <sup>2</sup>, E. Veronica Belmega <sup>2</sup> and H. Vincent Poor <sup>3</sup>**


**Abstract:** Lightweight session key agreement schemes are expected to play a central role in building Internet of things (IoT) security in sixth-generation (6G) networks. A well-established approach deriving from the physical layer is secret key generation (SKG) from shared randomness (in the form of wireless fading coefficients). However, although practical, SKG schemes have been shown to be vulnerable to active attacks over the initial "advantage distillation" phase, throughout which estimates of the fading coefficients are obtained at the legitimate users. In fact, by injecting carefully designed signals during this phase, a man-in-the-middle (MiM) attack could manipulate and control part of the reconciled bits and thus render SKG vulnerable to brute force attacks. Alternatively, a denial of service attack can be mounted by a reactive jammer. In this paper, we investigate the impact of injection and jamming attacks during the advantage distillation in a multiple-input–multiple-output (MIMO) system. First, we show that a MiM attack can be mounted as long as the attacker has one extra antenna with respect to the legitimate users, and we propose a pilot randomization scheme that allows the legitimate users to successfully reduce the injection attack to a less harmful jamming attack. Secondly, by taking a game-theoretic approach we evaluate the optimal strategies available to the legitimate users in the presence of reactive jammers.

**Keywords:** physical layer security; secret key generation; injection attacks; jamming attacks; pilot randomization

#### **1. Introduction**

The increasing interest in physical layer security (PLS) has been stimulated by many practical needs, particularly in the context of Internet of things (IoT) applications [1]. For example, in [2,3], secret key generation (SKG) from wireless fading coefficients was analyzed, showing its potential as a lightweight alternative to standard security schemes. In fact, the SKG scheme allows two legitimate parties (Alice and Bob) to extract on-the-fly secret keys, without the need for significant infrastructure. Furthermore, it has been information-theoretically proven that by following the SKG process, Alice and Bob can extract a shared secret over unauthenticated channels [4–6]. Building on that, numerous practical experiments have demonstrated the feasibility of the scheme [7,8]. Moreover, it has been shown that SKG can be combined with authenticated encryption (AE) schemes [9,10] in order to overcome trivial man-in-the-middle (MiM) attacks, similarly to known MiM attacks on unauthenticated Diffie–Hellman schemes.

The success of the SKG scheme relies on the reciprocity and variability of wireless channels. On the one hand, the reciprocity property allows both Alice and Bob to measure an identical channel impulse response during the coherence time of the channel [11–13], while on the other hand, the variability property of the wireless channel directly affects the key generation rates [14–17].

**Citation:** Mitev, M.; Chorti, A.; Belmega, E.V.; Poor, H.V. Protecting Physical Layer Secret Key Generation from Active Attacks. *Entropy* **2021**, *23*, 960. https://doi.org/10.3390/e23080960

Academic Editor: Ivan B. Djordjevic

Received: 15 June 2021 Accepted: 23 July 2021 Published: 27 July 2021


**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

However, the exchange of pilots during the channel estimation phase between Alice and Bob could allow an adversary (Mallory) to estimate the channels Alice–Mallory and Bob–Mallory. Having this information, Mallory could inject suitably precoded signals during the SKG process and could potentially control a significant part of the reconciled sequence while remaining undetected. To overcome this, instead of transmitting publicly known pilot signals, we propose a two-way randomized pilot transmission between Alice and Bob. An earlier work studied this problem for an orthogonal frequency-division multiplexing (OFDM) system [18]. Here, we investigate the scenario of a multiple-input–multiple-output (MIMO) system. We prove that if Mallory has one extra antenna with respect to Alice and Bob, she could always launch an injection attack. Next, through theoretical analysis, we show that the proposed pilot randomization scheme successfully reduces an injection attack to a less harmful uncorrelated jamming attack, ensuring that the extracted key bits are secret from both active and passive adversaries.

In the second part of this paper, we delve deeper into jamming attacks over MIMO systems. In particular, we focus on denial of service (DoS) in the form of reactive jamming. We derive the optimal strategies for both the attacker and the legitimate users. Through numerical evaluation, we demonstrate that, depending on their capabilities, reactive jammers could provoke legitimate users to transmit at full power in order to achieve a positive SKG rate.

#### **2. System Model**

In this work, we consider a time-division duplex MIMO (TDD–MIMO) system consisting of two legitimate nodes and an active adversary, namely, Alice, Bob, and Mallory, respectively. On the one hand, Alice and Bob are generating secret keys using the wireless SKG procedure, while on the other hand, Mallory performs an injection attack on the MIMO links Mallory–Alice and Mallory–Bob. The numbers of antennas at Alice, $N\_A$, and Bob, $N\_B$, are assumed to be equal, i.e., $N\_A = N\_B = N$. To better illustrate the considered scenario, we give a brief overview of the SKG procedure, and show how an injection attack could affect the process.

#### *2.1. Secret Key Generation from Fading Coefficients*

As illustrated in Figure 1, the standard SKG procedure consists of three phases [19]: (1) advantage distillation: the legitimate nodes exchange pilot signals, each using *N* transmit and *N* receive antenna elements, in order to estimate their reciprocal channel state information (CSI):

$$\mathbf{z}\_A = \mathbf{H}\mathbf{x} + \mathbf{n}\_A \tag{1}$$

$$\mathbf{z}\_{\rm B} = \mathbf{H}^{\rm T}\mathbf{x} + \mathbf{n}\_{\rm B} \tag{2}$$

where $\mathbf{H}$ represents the channel matrix of size $N\_r \times N\_t = N \times N$, whose $(i, j)$ entry represents the channel linking the $i$-th receive antenna and the $j$-th transmit antenna, $\mathbf{z}$ represents the received vector of length $N\_r$, $\mathbf{x}$ denotes the transmitted vector consisting of $N\_t = N\_r = N$ elements, and $\mathbf{n}\_A$ and $\mathbf{n}\_B$ are the received noise vectors at Alice and Bob, respectively, each of length $N\_r$. Note that, due to the reciprocity of the wireless channel, Alice and Bob observe $\mathbf{H}$ and $\mathbf{H}^T$, respectively. To conclude this step, $\mathbf{z}\_A$ and $\mathbf{z}\_B$ are passed through suitable quantizers [20], generating binary vectors $\mathbf{r}\_A$ and $\mathbf{r}\_B$, respectively; (2) information reconciliation: discrepancies in the local quantizer outputs, due to imperfect channel estimation, are reconciled through a public exchange of helper data $\mathbf{s}\_A$ (see Figure 1), e.g., by using Slepian–Wolf reconciliation techniques [10,21]; (3) privacy amplification: the legitimate nodes apply universal hash functions to the reconciled information $\mathbf{r}\_A$ and obtain the key $\mathbf{k}$. This step ensures that the generated key $\mathbf{k}$ is uniformly distributed and completely unpredictable by an adversary.

During the process above, an eavesdropping adversary could obtain channel observations, given as follows:

$$\mathbf{z}\_{AM} = \mathbf{H}\_{AM}\mathbf{x} + \mathbf{n}\_{AM} \tag{3}$$

$$\mathbf{z}\_{BM} = \mathbf{H}\_{BM}\mathbf{x} + \mathbf{n}\_{BM} \tag{4}$$

where the channel matrices in the links Alice–Mallory and Bob–Mallory are denoted by $\mathbf{H}\_{AM}$ and $\mathbf{H}\_{BM}$, respectively, while the received noise vectors are denoted by $\mathbf{n}\_{AM}$ and $\mathbf{n}\_{BM}$. The SKG capacity between Alice and Bob is then expressed as the conditional mutual information between the observations of Alice and Bob given those of Mallory:

$$I(\mathbf{z}\_A; \mathbf{z}\_B | \mathbf{z}\_{AM}, \mathbf{z}\_{BM}) . \tag{5}$$

**Figure 1.** Secret key generation process between Alice and Bob.

#### *2.2. Injection Attacks during SKG*

One of the most critical threats to the SKG model given in Figure 1 is MiM in the form of an injection attack [11,22,23]. The main components of the injection attack are captured in Figure 2. While the legitimate nodes Alice and Bob exchange pilot signals during the advantage distillation phase, Mallory injects signals $\mathbf{p}$. Based on the results in [22], we assume that Mallory has perfect knowledge of the channel matrices in the MIMO links Mallory–Alice, $\mathbf{H}\_{MA} = \mathbf{H}\_{AM}^T$, and Mallory–Bob, $\mathbf{H}\_{MB} = \mathbf{H}\_{BM}^T$. This is a reasonable assumption since Mallory can estimate the channels while Alice and Bob exchange pilot signals, as long as the channel's coherence time is respected (a plausible scenario in slow-fading, low-mobility environments). Finally, Mallory chooses the vector $\mathbf{p}$ such that the same signal is "injected" at both Alice and Bob, i.e., $\mathbf{H}\_{MA}\mathbf{p} = \mathbf{H}\_{MB}\mathbf{p}$.

**Figure 2.** Injection attack performed by Mallory: While Alice and Bob exchange pilot signals $\mathbf{x}$ over a Rayleigh fading channel with realization $\mathbf{H}$, Mallory injects a signal $\mathbf{p}$ such that the received signals at both Alice and Bob coincide, $\mathbf{w} = \mathbf{H}\_{MA}\mathbf{p} = \mathbf{H}\_{MB}\mathbf{p}$.

#### **3. Analysis of Injection Attacks in MIMO SKG**

In this section, we first prove that if Mallory has one extra antenna, with respect to Alice and Bob, she could always launch an injection attack. Next, we propose a pilot randomization scheme and show that when employed, legitimate users could successfully reduce the attack to a jamming attack.

**Lemma 1.** *While Alice and Bob perform advantage distillation using N antennas, Mallory could always launch an injection attack, as long as she has at least N* + 1 *antennas.*

**Proof.** The precoding vector of Mallory **p** of size (*N* + 1) × 1 is represented as

$$\mathbf{p} = \begin{bmatrix} p\_1 \\ \vdots \\ p\_{N+1} \end{bmatrix}. \tag{6}$$

The channel matrices **H***MA* and **H***MB* have size *N* × (*N* + 1), such that

$$\mathbf{H}\_{MA} = \begin{bmatrix} H\_{MA\_{1,1}} & \cdots & H\_{MA\_{1,N+1}} \\ \vdots & \cdots & \vdots \\ H\_{MA\_{N,1}} & \cdots & H\_{MA\_{N,N+1}} \end{bmatrix} \tag{7}$$

and

$$\mathbf{H}\_{MB} = \begin{bmatrix} H\_{MB\_{1,1}} & \cdots & H\_{MB\_{1,N+1}} \\ \vdots & \cdots & \vdots \\ H\_{MB\_{N,1}} & \cdots & H\_{MB\_{N,N+1}} \end{bmatrix}. \tag{8}$$

Next, we can represent the equation

$$\mathbf{H}\_{MA}\mathbf{p} = \mathbf{H}\_{MB}\mathbf{p}, \tag{9}$$

as

$$(\mathbf{H}\_{MA} - \mathbf{H}\_{MB})\mathbf{p} = 0,\tag{10}$$

where $\mathbf{H}\_M = \mathbf{H}\_{MA} - \mathbf{H}\_{MB}$ is equal to:

$$\mathbf{H}\_M = \begin{bmatrix} H\_{MA\_{1,1}} - H\_{MB\_{1,1}} & \cdots & H\_{MA\_{1,N+1}} - H\_{MB\_{1,N+1}} \\ \vdots & \cdots & \vdots \\ H\_{MA\_{N,1}} - H\_{MB\_{N,1}} & \cdots & H\_{MA\_{N,N+1}} - H\_{MB\_{N,N+1}} \end{bmatrix}. \tag{11}$$

Given the above, Equation (10) can be rewritten as $\mathbf{H}\_M\mathbf{p} = 0$, where $\mathbf{H}\_M$ is given in Equation (11). The equality $\mathbf{H}\_M\mathbf{p} = 0$ is equivalent to solving the following linear system of equations:

$$\begin{cases} \begin{array}{cc} H\_{M\_{1,1}}p\_1 + H\_{M\_{1,2}}p\_2 + \cdots + H\_{M\_{1,N+1}}p\_{N+1} &=& 0 \\ \vdots & \\ H\_{M\_{N,1}}p\_1 + H\_{M\_{N,2}}p\_2 + \cdots + H\_{M\_{N,N+1}}p\_{N+1} &=& 0. \end{array} \end{cases} \tag{12}$$

Due to the fact that Mallory has an additional degree of freedom (one extra antenna) as compared to Alice and Bob, she can treat one of the elements in $\mathbf{p}$ as a constant and solve for the others in terms of it. Based on this, we let $p\_{N+1}$ be a constant and rewrite the system in (12) as

$$\begin{cases} \begin{array}{ccccc} H\_{M\_{1,1}}p\_1 + H\_{M\_{1,2}}p\_2 + \cdots + H\_{M\_{1,N}}p\_N & = & -H\_{M\_{1,N+1}}p\_{N+1} \\ \vdots & & \\ H\_{M\_{N,1}}p\_1 + H\_{M\_{N,2}}p\_2 + \cdots + H\_{M\_{N,N}}p\_N & = & -H\_{M\_{N,N+1}}p\_{N+1} \end{array} \end{cases} \tag{13}$$

The system of equations in (13) can be represented as $\mathbf{A}\mathbf{x} = \mathbf{b}$, where $\mathbf{A}$ is the $N \times N$ matrix containing the first $N$ rows and $N$ columns of $\mathbf{H}\_M$, $\mathbf{x} = (p\_1, p\_2, \dots, p\_N)^T$, and $\mathbf{b}$ contains the right-hand side of the system, i.e., $\mathbf{b} = (-H\_{M\_{1,N+1}} p\_{N+1}, \dots, -H\_{M\_{N,N+1}} p\_{N+1})^T$. Finally, $\det(\mathbf{A}) \neq 0$ almost surely (i.e., under the assumptions in Section 2, $\det(\mathbf{A})$ is a continuous random variable, hence $\det(\mathbf{A}) \neq 0$ with probability 1), and therefore the system's solution is unique and given by

$$(p\_1, p\_2, \dots, p\_N)^T = \mathbf{A}^{-1} \mathbf{b}.\tag{14}$$

Note that if Mallory has the same number of antennas as Alice and Bob, she will not have one extra degree of freedom and the transition from the system in Equation (12) to the system in Equation (13) would not be possible. However, as shown here, if Mallory has one extra antenna, with respect to Alice and Bob, she can treat one of the elements in **p** as constant, which allows her to find the rest of the elements as in Equation (14). This concludes the proof of Lemma 1.

Based on Lemma 1, the observations of Alice and Bob are now given by

$$\mathbf{z}\_A = \mathbf{H}\mathbf{x} + \mathbf{w} + \mathbf{n}\_A \tag{15}$$

$$\mathbf{z}\_{\rm B} = \mathbf{H}^T \mathbf{x} + \mathbf{w} + \mathbf{n}\_{\rm B} \tag{16}$$

where $\mathbf{w} = \mathbf{H}\_{MA}\mathbf{p} = \mathbf{H}\_{MB}\mathbf{p}$ denotes the injected signal observed at Alice and Bob, which is identical at both due to the precoding vector $\mathbf{p}$. By injecting $\mathbf{w}$, Mallory controls the secret key rate, which is now upper bounded by [18,24]

$$L \le I(\mathbf{z}\_A, \mathbf{z}\_B; \mathbf{w}).\tag{17}$$

#### *Pilot Randomization as a Countermeasure to Injection Attacks*

It has been shown that a countermeasure to injection attacks can be built by randomizing the pilot sequence exchanged between Alice and Bob [18,23,24]. In this work, we propose a MIMO pilot randomization scheme in which pilots are drawn from a (scaled) QPSK modulation. Specifically, Alice and Bob do not transmit the same pilot signal $\mathbf{x}$; instead, they transmit independent, random pilot signals $\mathbf{x}$ and $\mathbf{y}$ drawn from i.i.d. zero-mean discrete uniform distributions, in which the individual elements of the vectors have probability mass functions $\mathcal{U}(\{\pm r \pm jr\}, \dots, \{\pm r \pm jr\})$, where $j = \sqrt{-1}$ and $r = \sqrt{P/2}$, so that $\mathbb{E}[\mathbf{x}] = \mathbb{E}[\mathbf{y}] = (0, \dots, 0)^T$, $(\mathbb{E}[|x\_1|^2], \dots, \mathbb{E}[|x\_N|^2])^T = (\mathbb{E}[|y\_1|^2], \dots, \mathbb{E}[|y\_N|^2])^T = (P, \dots, P)^T$ and $(\mathbb{E}[x\_1 y\_1], \dots, \mathbb{E}[x\_N y\_N])^T = (0, \dots, 0)^T$, i.e., the pilots are randomly chosen QPSK signals. Alice's and Bob's observations $\mathbf{z}\_A$ and $\mathbf{z}\_B$ are then modified as

$$\mathbf{z}\_A = \mathbf{H}\mathbf{y} + \mathbf{w} + \mathbf{n}\_A, \tag{18}$$

$$\mathbf{z}\_B = \mathbf{H}^T \mathbf{x} + \mathbf{w} + \mathbf{n}\_B. \tag{19}$$

Finally, to generate shared randomness, Alice and Bob post-multiply $\mathbf{z}\_A$ and $\mathbf{z}\_B$ by their own randomized pilot signals, i.e., $\tilde{z}\_A = \mathbf{x}^T \mathbf{z}\_A$ and $\tilde{z}\_B = \mathbf{y}^T \mathbf{z}\_B$ (unobservable by Mallory). Given this, the modified observations are expressed as

$$\tilde{z}\_A = \mathbf{x}^T \mathbf{H} \mathbf{y} + \mathbf{x}^T \mathbf{w} + \mathbf{x}^T \mathbf{n}\_A, \tag{20}$$

$$\tilde{z}\_B = \mathbf{y}^T \mathbf{H}^T \mathbf{x} + \mathbf{y}^T \mathbf{w} + \mathbf{y}^T \mathbf{n}\_B, \tag{21}$$

where the shared randomness between Alice and Bob is now represented by the scalar $\mathbf{x}^T \mathbf{H} \mathbf{y} = \mathbf{y}^T \mathbf{H}^T \mathbf{x}$. Furthermore, the independence of $\mathbf{x}$ and $\mathbf{y}$ ensures the following:

$$L \le I(\tilde{z}\_A, \tilde{z}\_B; \mathbf{w}) = 0. \tag{22}$$
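The following pure-Python simulation is an added example, not the paper's own code: with N = 2 and constructed Rayleigh channel draws, it builds Mallory's precoder as in the proof of Lemma 1 (Eq. (14)), confirms that the same w lands at Alice and Bob, and then checks the randomized-pilot scheme of Eqs. (18) to (22): the shared term x^T H y is identical at both ends, while the injected terms x^T w and y^T w are empirically uncorrelated over random pilots. Noise is omitted so the algebra can be checked exactly, and all function names are my own.

```python
"""Lemma 1 injection precoder and the pilot-randomization countermeasure (Eqs. 15-22).

Added example, not code from the paper. Pure Python (no numpy); N = 2 antennas at
Alice and Bob, N + 1 = 3 at Mallory. Channel entries are constructed pseudo-random
circularly symmetric complex Gaussians (Rayleigh model); receiver noise is omitted.
"""
import math
import random

N = 2          # antennas at Alice and Bob (N_A = N_B = N); Mallory has N + 1
P = 2.0        # pilot power per element, so r = sqrt(P / 2) = 1


def gauss_matrix(rows, cols, rng):
    """Constructed channel matrix with i.i.d. circularly symmetric Gaussian entries."""
    return [[complex(rng.gauss(0, 1), rng.gauss(0, 1)) / math.sqrt(2)
             for _ in range(cols)] for _ in range(rows)]


def matvec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]


def transpose(M):
    return [list(col) for col in zip(*M)]


def dot(u, v):
    """Plain (non-conjugated) inner product u^T v, as used in Eqs. (20)-(21)."""
    return sum(a * b for a, b in zip(u, v))


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a square complex system A x = b."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [M[r][k] - f * M[c][k] for k in range(n + 1)]
    return [M[i][n] / M[i][i] for i in range(n)]


def injection_precoder(H_MA, H_MB):
    """Lemma 1 / Eq. (14): fix p_{N+1} = 1 and solve A x = b, where A holds the first
    N columns of H_M = H_MA - H_MB and b = -(last column of H_M) * p_{N+1}."""
    H_M = [[H_MA[i][j] - H_MB[i][j] for j in range(N + 1)] for i in range(N)]
    A = [row[:N] for row in H_M]
    b = [-row[N] for row in H_M]
    return solve(A, b) + [1 + 0j]


def injection_mismatch(H_MA, H_MB, p):
    """max_i |(H_MA p)_i - (H_MB p)_i|: zero means the same w arrives at Alice and Bob."""
    w_A, w_B = matvec(H_MA, p), matvec(H_MB, p)
    return max(abs(a - b) for a, b in zip(w_A, w_B))


def qpsk_pilot(rng):
    """Random pilot with elements in {+-r +- jr}, r = sqrt(P/2), so that E|x_i|^2 = P."""
    r = math.sqrt(P / 2)
    return [complex(rng.choice((-r, r)), rng.choice((-r, r))) for _ in range(N)]


def randomized_observations(H, w, x, y):
    """Noise-free Eqs. (18)-(21): Alice receives H y + w, Bob receives H^T x + w, and
    each post-multiplies by its own pilot. Returns (z~_A, z~_B, x^T H y)."""
    z_A = [a + b for a, b in zip(matvec(H, y), w)]
    z_B = [a + b for a, b in zip(matvec(transpose(H), x), w)]
    return dot(x, z_A), dot(y, z_B), dot(x, matvec(H, y))


def injected_term_correlation(H_MA, H_MB, trials=4000, seed=7):
    """Normalised |E[(x^T w) conj(y^T w)]| / E|x^T w|^2 over random pilots, channel
    (hence w) held fixed. Independent zero-mean pilots drive this to 0, which is why
    Mallory's w no longer appears as a common term (Eq. (22))."""
    rng = random.Random(seed)
    w = matvec(H_MA, injection_precoder(H_MA, H_MB))
    cross, power = 0j, 0.0
    for _ in range(trials):
        a, b = dot(qpsk_pilot(rng), w), dot(qpsk_pilot(rng), w)
        cross += a * b.conjugate()
        power += abs(a) ** 2
    return abs(cross) / power


def demo(seed=1):
    rng = random.Random(seed)
    H = gauss_matrix(N, N, rng)              # Alice-Bob channel; Bob observes H^T
    H_MA = gauss_matrix(N, N + 1, rng)       # Mallory -> Alice, size N x (N+1)
    H_MB = gauss_matrix(N, N + 1, rng)       # Mallory -> Bob
    p = injection_precoder(H_MA, H_MB)
    w = matvec(H_MA, p)
    x, y = qpsk_pilot(rng), qpsk_pilot(rng)
    zt_A, zt_B, shared = randomized_observations(H, w, x, y)
    return {
        "mismatch": injection_mismatch(H_MA, H_MB, p),   # ~0: Lemma 1 holds
        "shared_A": zt_A - dot(x, w),                   # both equal x^T H y
        "shared_B": zt_B - dot(y, w),
        "shared": shared,
        "corr": injected_term_correlation(H_MA, H_MB),  # ~0: injected terms decorrelated
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```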

#### **4. Jamming Attacks on SKG**

In this section, we focus on reactive jamming attacks in SKG systems and examine the scenario in which Mallory reactively jams Alice (the scenario in which Mallory jams Bob is identical). A reactive jamming attack is an intelligent approach in which the jammer first senses the spectrum and jams only if a transmission is detected. Because such attacks are difficult to detect, reactive jamming is considered a great threat to legitimate transmissions [25,26]. Next, we assume that Alice and Bob perform SKG in a TDD–MIMO system with a spatially uncorrelated channel. It has been proven that the optimal power strategy for Alice and Bob in this scenario is equal power distribution [27], which is also assumed in this study, i.e.,

$$\left(\mathbb{E}\left[|x\_1|^2\right], \dots, \mathbb{E}\left[|x\_N|^2\right]\right)^T = (p, \dots, p)^T \text{ with } p \in [0, P]. \tag{23}$$

In the following, we assume that Mallory has $N$ antennas and, as a reactive jammer, senses the spectrum and jams the link Mallory–Alice only if she detects a power greater than a certain threshold $p\_{\text{th}}$. Thus, instead of considering Mallory's power allocation matrix, we work with the sum jamming power for all antennas, which can be represented as a power allocation vector $\underline{\gamma} = (\gamma\_1, \dots, \gamma\_N)$. By denoting the available jamming power by $N\Gamma$, the following short-term power constraint is considered:

$$\underline{\gamma} \in \mathbb{R}\_{+}^{N}, \quad \sum\_{i=1}^{N} \gamma\_{i} \le N\Gamma. \tag{24}$$

Assuming that $\mathbf{H}$ is uncorrelated with $\mathbf{H}\_{AM}$, $\mathbf{H}\_{BM}$ and that all channel matrices have independent and identically distributed elements drawn from circularly symmetric zero-mean Gaussian distributions of variances $\sigma^2$ and $\sigma\_J^2$, respectively, the SKG capacity can be expressed as [27]

$$\mathbb{C}\_{K}(p,\underline{\gamma}) = N \sum\_{i=1}^{N} \log \left( 1 + \frac{p\sigma^{2}}{2(1 + \gamma\_{i}\sigma\_{J}^{2}) + \frac{(1 + \gamma\_{i}\sigma\_{J}^{2})^{2}}{p\sigma^{2}}} \right). \tag{25}$$

#### *4.1. Optimal Power Allocation Strategies*

In the following, we take a game-theoretic approach in order to evaluate the optimal strategies of Alice, Bob and Mallory. Throughout the following, Alice and Bob's common objective is to maximize $\mathbb{C}\_K(p, \underline{\gamma})$ with respect to (w.r.t.) $p$, while Mallory wants to minimize $\mathbb{C}\_K(p, \underline{\gamma})$ w.r.t. $\underline{\gamma}$. Due to the opposed objectives, we formulate a noncooperative zero-sum game, which studies the strategic interaction between the legitimate users and the jammer: $\mathcal{G} = (\{L, J\}, \{\mathcal{A}\_L, \mathcal{A}\_J(p)\}, \mathbb{C}\_K(p, \underline{\gamma}))$. The game $\mathcal{G}$ has three components: (i) there are two players, namely, $L$, denoting the legitimate users (Alice and Bob act as a single player), and $J$, the jammer (Mallory); (ii) player $L$ has a set of possible actions $\mathcal{A}\_L = [0, P]$, while player $J$'s set of actions is

$$\mathcal{A}\_{J}(p) = \begin{cases} \{(0, \dots, 0)\}, & \text{if } p \le p\_{\text{th}}, \\ \{\underline{\gamma} \in \mathbb{R}\_{+}^{N} \mid \sum\_{i=1}^{N} \gamma\_{i} \le N\Gamma\}, & \text{if } p > p\_{\text{th}}; \end{cases} \tag{26}$$

(iii) lastly, $\mathbb{C}\_K(p, \underline{\gamma})$ denotes the payoff function of player $L$.

Given the fact that player $J$ is a reactive jammer, i.e., it first observes the transmit power of player $L$ and subsequently chooses a strategy, we study a hierarchical game in which player $L$ is the leader and player $J$ is the follower. In this game, the solution is the Stackelberg equilibrium (SE), rather than the Nash equilibrium, and it is defined as a strategy profile $(p^{SE}, \underline{\gamma}^{SE})$ where player $L$ chooses their optimal strategy first, by anticipating the strategic reaction of player $J$ (i.e., its best response). This is expressed as:

$$p^{SE} \triangleq \underset{p \in \mathcal{A}\_L}{\arg\max}\, \mathbb{C}\_{K}(p, \underline{\gamma}^\*(p)), \text{ and } \underline{\gamma}^{SE} \triangleq \underline{\gamma}^\*(p^{SE}), \tag{27}$$

where $\underline{\gamma}^\*(p)$ defines the best response (BR) of player $J$ to any strategy $p \in \mathcal{A}\_L$ chosen by player $L$, and it is defined as follows:

$$\underline{\gamma}^\*(p) \triangleq \underset{\underline{\gamma} \in \mathcal{A}\_J(p)}{\arg\min}\, \mathbb{C}\_{K}(p, \underline{\gamma}). \tag{28}$$

Finally, based on the detection capabilities of player $J$, two scenarios are considered: (i) when the detection threshold $p\_{\text{th}}$ is fixed (defined by the sensing capability of Mallory's receiver); (ii) when $p\_{\text{th}}$ is part of player $J$'s strategy and can vary.

#### *4.2. Stackelberg Equilibrium with Fixed Detection Threshold*

In this section, we evaluate the SE when player $J$'s detection threshold $p\_{\text{th}}$ is predefined and constant. Note that the case $P \le p\_{\text{th}}$ is trivial, as $\underline{\gamma}^{SE} = (0, \dots, 0)$ and the legitimate users will optimally use their maximum available power, i.e., $p^{SE} = P$. Indeed, due to the poorly chosen threshold $p\_{\text{th}}$ or the low sensing capabilities of Mallory, the legitimate transmission will not be detected and therefore will not be jammed. In the following, we assume that $P > p\_{\text{th}}$.

**Lemma 2.** *The BR of player $J$ for any $p \in \mathcal{A}\_L$ chosen by player $L$, defined in (28), is the uniform power allocation, given as*

$$\underline{\gamma}^\*(p) \triangleq \begin{cases} (\Gamma, \dots, \Gamma), & \text{if } p > p\_{\text{th}}, \\ (0, \dots, 0), & \text{if } p \le p\_{\text{th}}. \end{cases} \tag{29}$$

**Proof.** Note that $\mathbb{C}\_K(p, \underline{\gamma})$ is a monotonically decreasing convex function w.r.t. $\gamma\_i$, $i = 1, \dots, N$, for any $p > 0$. By convexity, in order to minimize $\mathbb{C}\_K$ Mallory has to transmit with full power from all antennas. The detailed proof can be found in [18].

Based on the result of Lemma 2, the SKG rate can take the following two forms:

$$\mathbb{C}\_{K}(p, \underline{\gamma}^\*(p)) = \begin{cases} \mathbb{C}\_{K}(p, (0, \dots, 0)), & \text{if } p \le p\_{\text{th}}, \\ \mathbb{C}\_{K}(p, (\Gamma, \dots, \Gamma)), & \text{if } p > p\_{\text{th}}, \end{cases} \tag{30}$$

which simplifies the players' options.

**Theorem 1.** *Depending on their available power $P$ for SKG, Alice and Bob will either transmit at $P$ or at $p\_{\text{th}}$. The SE point of the game is unique when $P \neq p\_{\text{th}}(\Gamma\sigma\_J^2 + 1)$ and is given by*

$$(p^{SE}, \underline{\gamma}^{SE}) = \begin{cases} (p\_{\text{th}}, (0, \dots, 0)), & \text{if } P < p\_{\text{th}}(\sigma\_J^2 \Gamma + 1), \\ (P, (\Gamma, \dots, \Gamma)), & \text{if } P > p\_{\text{th}}(\sigma\_J^2 \Gamma + 1). \end{cases} \tag{31}$$

*When $P = p\_{\text{th}}(\sigma\_J^2 \Gamma + 1)$, the game $\mathcal{G}$ has two SEs: $(p^{SE}, \underline{\gamma}^{SE}) \in \{(p\_{\text{th}}, (0, \dots, 0)), (P, (\Gamma, \dots, \Gamma))\}$.*

**Proof.** Given the BR of player $J$ defined in (29), the legitimate users want to identify the optimal $p \in \mathcal{A}\_L$ that maximizes

$$\mathbb{C}\_{K}(p, \underline{\gamma}^\*(p)) = \begin{cases} \mathbb{C}\_{K}(p, (0, \dots, 0)), & \text{if } p \le p\_{\text{th}}, \\ \mathbb{C}\_{K}(p, (\Gamma, \dots, \Gamma)), & \text{if } p > p\_{\text{th}}. \end{cases} \tag{32}$$

Given the fact that $\mathbb{C}\_K(p, \underline{\gamma})$ is monotonically increasing with $p$ for fixed $\underline{\gamma}$, two cases are distinguished: (a) $p \in [0, p\_{\text{th}}]$, (b) $p \in (p\_{\text{th}}, P]$. The optimal $p$ in each case is given by

$$\text{(a)}\quad \underset{p \in [0, p\_{\text{th}}]}{\arg\max}\, \mathbb{C}\_{K}(p, \underline{\gamma}^\*(p)) = \underset{p \in [0, p\_{\text{th}}]}{\arg\max}\, \mathbb{C}\_{K}(p, (0, \dots, 0)) = p\_{\text{th}},$$

$$\text{(b)}\quad \underset{p \in (p\_{\text{th}}, P]}{\arg\max}\, \mathbb{C}\_{K}(p, \underline{\gamma}^\*(p)) = \underset{p \in (p\_{\text{th}}, P]}{\arg\max}\, \mathbb{C}\_{K}(p, (\Gamma, \dots, \Gamma)) = P.$$

From (a) and (b), it can be concluded that the overall solution is

$$p^{SE} = \underset{p \in \mathcal{A}\_L}{\arg\max}\, \mathbb{C}\_{K}(p, \underline{\gamma}^\*(p)) = \begin{cases} p\_{\text{th}}, & \text{if } \mathbb{C}\_{K}(P, \Gamma) < \mathbb{C}\_{K}(p\_{\text{th}}, 0), \\ P, & \text{if } \mathbb{C}\_{K}(P, \Gamma) > \mathbb{C}\_{K}(p\_{\text{th}}, 0), \\ \{p\_{\text{th}}, P\}, & \text{if } \mathbb{C}\_{K}(P, \Gamma) = \mathbb{C}\_{K}(p\_{\text{th}}, 0). \end{cases}$$

To simplify the above possibilities, we focus on the case when the utility function $\mathbb{C}\_K(P, \Gamma)$, i.e., being detected and jammed, equals the utility function when player $L$ transmits at the threshold $p\_{\text{th}}$ (player $J$ is silent), i.e., $\mathbb{C}\_K(P, \Gamma) = \mathbb{C}\_K(p\_{\text{th}}, 0)$. Using this equality, by substituting appropriately into (25), we obtain a quadratic equation in $P$:

$$P^2 (2\sigma^2 p\_{\text{th}} + 1) - P \left( 2 p\_{\text{th}}^2 \sigma^2 + 2 \sigma\_J^2 \Gamma p\_{\text{th}}^2 \sigma^2 \right) - (1 + \sigma\_J^2 \Gamma)^2 p\_{\text{th}}^2 = 0. \tag{33}$$

Note that Equation (33) has a unique positive root, equal to $p\_{\text{th}}(\sigma\_J^2 \Gamma + 1)$. Furthermore, since the leading coefficient of (33), $(2\sigma^2 p\_{\text{th}} + 1)$, is non-negative and $P > 0$, the inequalities $\mathbb{C}\_K(P, \Gamma) > \mathbb{C}\_K(p\_{\text{th}}, 0)$ and $\mathbb{C}\_K(P, \Gamma) < \mathbb{C}\_K(p\_{\text{th}}, 0)$ are equivalent to $P > p\_{\text{th}}(\sigma\_J^2 \Gamma + 1)$ and $P < p\_{\text{th}}(\sigma\_J^2 \Gamma + 1)$, respectively.

A numerical evaluation of the SKG rate is presented in Figure 3. The parameters used are $N = 10$, $p\_{\text{th}} = 2$, $\Gamma = 3$, and $\sigma^2 = \sigma\_J^2 = 1$. Figure 3 compares the achievable SKG rate of the SE strategy, i.e., $p = p^{SE}$, with the two alternative strategies, i.e., $p = P$ or $p = p\_{\text{th}}$. It can be seen that if player $L$ deviates from the SE point, the achievable SKG rate can decrease by up to 40%.

**Figure 3.** SE policy, compared to always transmitting with either full power or with $p\_{\text{th}}$. Parameters used: $p\_{\text{th}} = 2$, $\Gamma = 3$, $N = 10$, $\sigma^2 = \sigma\_J^2 = 1$.

#### *4.3. Stackelberg Equilibrium with Strategic $p\_{\text{th}}$*

Finally, we investigate the case when Mallory can optimally adjust $p\_{\text{th}}$ and show how her choice impacts Alice's and Bob's strategies. Allowing $p\_{\text{th}}$ to vary modifies the game under study as follows: $\hat{\mathcal{G}} = (\{L, J\}, \{\mathcal{A}\_L, \hat{\mathcal{A}}\_J(p)\}, \mathbb{C}\_K(p, \underline{\gamma}, p\_{\text{th}}))$, where

$$\hat{\mathcal{A}}\_{J}(p) \triangleq \begin{cases} \{((0, \dots, 0), p\_{\text{th}}),\ p\_{\text{th}} \ge 0\}, & \text{if } p\_{\text{th}} \ge p, \\ \{(\underline{\gamma}, p\_{\text{th}}) : \underline{\gamma} \in \mathbb{R}\_{+}^{N},\ \sum\_{i=1}^{N} \gamma\_{i} \le N\Gamma\}, & \text{if } p\_{\text{th}} < p. \end{cases} \tag{33}$$

The BR of the jammer can then be defined as

$$(\hat{\underline{\gamma}}^\*(p), \hat{p}\_{\text{th}}^\*(p)) \triangleq \underset{(\underline{\gamma}, p\_{\text{th}}) \in \hat{\mathcal{A}}\_{J}(p)}{\arg\min}\, \mathbb{C}\_{K}(p, \underline{\gamma}, p\_{\text{th}}). \tag{34}$$

**Lemma 3.** *Mallory's BR in this scenario is a set of strategies as follows:*

$$(\hat{\underline{\gamma}}^\*(p), \hat{p}\_{\text{th}}^\*(p)) \in \{((\Gamma, \dots, \Gamma), \epsilon),\ \epsilon \in [0, p)\}. \tag{35}$$

**Proof.** The problem that the jammer wants to solve is $\min\_{(\underline{\gamma}, p\_{\text{th}}) \in \hat{\mathcal{A}}\_J(p)} \mathbb{C}\_K(p, \underline{\gamma}, p\_{\text{th}})$, which can be split as follows:

$$\min\_{p\_{\text{th}} \ge 0}\ \min\_{\underline{\gamma} \in \mathcal{A}\_{J}(p)} \mathbb{C}\_{K}(p, \underline{\gamma}, p\_{\text{th}}). \tag{36}$$

The solution of the inner minimization is known from (29). For the outer problem, we have to find the optimal $p\_{\text{th}} \ge 0$ that minimizes $\mathbb{C}\_K(p, \underline{\gamma}^\*(p), p\_{\text{th}})$. Given that

$$\min\_{p\_{\text{th}} \ge 0} \mathbb{C}\_{K}(p, \hat{\underline{\gamma}}^\*(p), p\_{\text{th}}) = \begin{cases} \mathbb{C}\_{K}(p, \Gamma, p\_{\text{th}}), & \text{if } p\_{\text{th}} < p, \\ \mathbb{C}\_{K}(p, 0, p\_{\text{th}}), & \text{if } p\_{\text{th}} \ge p, \end{cases} \tag{37}$$

and that $\mathbb{C}\_K(p, \Gamma, p\_{\text{th}}) < \mathbb{C}\_K(p, 0, p\_{\text{th}})$, player $J$ can optimally choose any $p\_{\text{th}}$ such that $p\_{\text{th}} = \epsilon$, $\forall \epsilon < p$. This allows the jammer to detect any ongoing transmission and to perform a jamming attack.

**Theorem 2.** *The game* $\hat{\mathcal{G}}$ *has an infinite number of SEs as follows:*

$$\left(\hat{p}^{SE}, \hat{\underline{\gamma}}^{SE}, \hat{p}\_{\rm th}^{SE}\right) \in \{ (P, (\Gamma, \dots, \Gamma), \epsilon), \; \forall \epsilon < P \}. \tag{38}$$

**Proof.** Given Mallory's BR, we evaluate the SE of the game $\hat{\mathcal{G}}$. The definition for $\hat{p}^{SE}$ is given as follows:

$$\hat{p}^{SE} \triangleq \operatorname\*{arg\,max}\_{p \in \mathcal{A}\_{L}} C\_{K}(p, \hat{\underline{\gamma}}^{\*}(p), \hat{p}\_{\rm th}^{\*}(p)).\tag{39}$$

Since Mallory will act as in (35), we have

$$C\_{K}(p, \hat{\underline{\gamma}}^{\*}(p), \hat{p}\_{\rm th}^{\*}(p)) = C\_{K}(p, \Gamma, \epsilon), \; \forall \epsilon < p,\tag{40}$$

and the fact that $C\_{K}(p, \Gamma, \epsilon)$ is monotonically increasing with $p$ results in $\hat{p}^{SE} = P$.

Figure 4 illustrates the achievable SKG rate when $p\_{\rm th}$ is part of player $J$'s strategy. As in Figure 3, the parameters are chosen as $\Gamma = 3$, $N = 10$ and $\sigma\_{J}^{2} = 1$. It can be seen that, due to a strategically chosen threshold from player $J$, the legitimate users have no other choice but to transmit at full power $p = P = p^{SE}$. In fact, if the legitimate users deviate from the SE strategy and transmit with low power $p = p\_{\rm th}$, player $J$ could successfully disrupt their SKG process and decrease their achievable SKG rate by up to 97%.

**Figure 4.** The effect on the SE policy when $p\_{\rm th}$ is part of player $J$'s strategy. Comparison of the achievable SKG rate when player $L$ chooses $p = p^{SE}$ with the case when transmitting with power $p\_{\rm th}$. Used parameters: $\Gamma = 3$, $N = 10$, $\sigma^{2} = \sigma\_{J}^{2} = 1$.

#### **5. Conclusions**

In this study, injection and reactive jamming attacks were analyzed in MIMO SKG systems. With respect to injection attacks, the study demonstrated that a trivial advantage in the form of one extra antenna allows a MiM to mount such an attack. As a countermeasure, we showed that a pilot randomization scheme can successfully reduce injection attacks to jamming attacks. With respect to jamming attacks, using a game-theoretic approach, we showed that an intelligent reactive jammer should optimally jam with full power when a transmission is sensed. Finally, by strategically choosing her jamming threshold, i.e., just below the power level used by the legitimate users, Mallory could perform a much more effective attack. In fact, our theoretical analysis suggests that in this case, Alice and Bob have no choice but to use their full power available for SKG. An important topic for further research in this area is an examination of these initial findings in practical scenarios.

**Author Contributions:** Conceptualization, M.M., A.C., E.V.B. and H.V.P.; Methodology, M.M., A.C., E.V.B. and H.V.P.; Software, M.M.; Validation, M.M., A.C., E.V.B. and H.V.P.; Supervision, A.C., E.V.B. and H.V.P.; Writing—review and editing, M.M., A.C., E.V.B. and H.V.P. All authors have read and agreed to the published version of the manuscript.

**Funding:** H.V. Poor was supported in part by the U.S. National Science Foundation under Grant CCF-1908308. E.V. Belmega and A. Chorti were supported by the ELIOT ANR-18-CE40-0030 and FAPESP 2018/12579-7 project. A. Chorti was also supported by CYU Initiative of Excellence (INEX) funding.

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **References**


# *Article* **Qubit-Based Clock Synchronization for QKD Systems Using a Bayesian Approach**

**Roderick D. Cochran \* and Daniel J. Gauthier**

Department of Physics, The Ohio State University, 191 West Woodruff Ave., Columbus, OH 43210, USA; gauthier.51@osu.edu

**\*** Correspondence: cochran.467@osu.edu

**Abstract:** Quantum key distribution (QKD) systems provide a method for two users to exchange a provably secure key. Synchronizing the users' clocks is an essential step before a secure key can be distilled. Qubit-based synchronization protocols directly use the transmitted quantum states to achieve synchronization and thus avoid the need for additional classical synchronization hardware. Previous qubit-based synchronization protocols sacrifice secure key either directly or indirectly, and all known qubit-based synchronization protocols do not efficiently use all publicly available information published by the users. Here, we introduce a Bayesian probabilistic algorithm that incorporates all published information to efficiently find the clock offset without sacrificing any secure key. Additionally, the output of the algorithm is a probability, which allows us to quantify our confidence in the synchronization. For demonstration purposes, we present a model system with accompanying simulations of an efficient three-state BB84 prepare-and-measure protocol with decoy states. We use our algorithm to exploit the correlations between Alice's published basis and mean photon number choices and Bob's measurement outcomes to probabilistically determine the most likely clock offset. We find that we can achieve a 95 percent synchronization confidence in only 4140 communication bin widths, meaning we can tolerate clock drift approaching 1 part in 4140 in this example when simulating this system with a dark count probability per communication bin width of $8 \times 10^{-4}$ and a received mean photon number of 0.01.

**Keywords:** quantum key distribution (QKD); clock synchronization; Bayesian statistics

#### **1. Introduction**

Introduced in 1984 [1], quantum key distribution (QKD) is a symmetric encryption protocol that promises unconditional information security founded on the fundamental laws of physics, rather than on the difficulty of computational problems. Bennett and Brassard established the first QKD protocol (BB84), which used the polarization degree of freedom of single photons to transmit information. Subsequently developed protocols have extended QKD to different types of systems [2] and relaxed the requirement for a true single-photon source [3], paving the way for practical implementations of quantum cryptography.

**Citation:** Cochran, R.D.; Gauthier, D.J. Qubit-Based Clock Synchronization for QKD Systems Using a Bayesian Approach. *Entropy* **2021**, *23*, 988. https://doi.org/10.3390/e23080988

Academic Editor: Ivan B. Djordjevic

Received: 22 June 2021 Accepted: 27 July 2021 Published: 30 July 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

For the sake of concreteness, we consider a polarization-based prepare-and-measure protocol. Here, one user (Alice) prepares and transmits a periodic sequence of quantum states with period $\tau\_A$ encoded in at least two mutually unbiased orthonormal bases. In our example system, we use two bases: horizontal/vertical (H/V) polarization and left/right circular (L/R) polarization. We also use the decoy-state protocol, where Alice occasionally sends the vacuum quantum state. A second user (Bob) measures each quantum state randomly in one of the two bases and records the result. After the measurement phase is complete, Alice and Bob publish their basis choices for each measurement and keep only the measurements where Bob registers a click with his single-photon counting detectors and they use the same basis. This process, called sifting, allows distilling a raw key, which, after error correction and privacy amplification [4], becomes the secret classical key securely shared between Alice and Bob. Because qubits are lost to the environment via transmission loss and environmental radiation is detected due to stray light and thermal effects, our system is formally considered open. However, the security of the system is still guaranteed using privacy amplification based on the quantum bit error rate (QBER). Our example system uses a pulsed stochastic photonic source with decoy states [3], where the decoys are photonic wavepackets with a lower mean photon number. To simplify the example system and make it more efficient, we only transmit one state in the monitoring basis, which gives an equivalent secure key rate in comparison to transmitting both states in this basis [5,6].

A practical issue in quantum communication protocols is synchronizing Alice's and Bob's two data streams. If Bob does not know precisely when Alice begins data transmission, he must begin recording measurements early or else risk missing some of Alice's transmission. In either case, because some signals do not arrive at Bob due to channel loss, and extraneous events are caused by stray light and detector dark counts, the first event Bob records is unlikely to be the first event Alice sends, resulting in some timing offset that must be determined. Correcting this offset is an essential precursor to sifting: if Alice and Bob do not agree on the timing of the events, they will compare basis choices from different events, resulting in a high QBER, and they will likely share no information. In addition, determining which time bins correspond to Alice's wavepacket arrival and which do not allows timing-based noise filtering.

Further complicating the communication protocol is that the relative clock offset may not be a constant due to drift in the relative phase and frequency between the transmitter and receiver clocks. Alice has a communication protocol temporal bin width $\tau\_A$ that may be different from Bob's bin width $\tau\_B$. The timing offset between their clocks Δ at the *n*th communication time bin since the most recent clock synchronization is given by

$$
\Delta = t\_0 + (\tau\_A - \tau\_B)n + \varepsilon \tag{1}
$$

for an initial timing offset $t\_0$ and higher-order timing error $\varepsilon$. In this way, small differences in clock frequencies can gradually change the clock offset so that a previously calculated synchronization is no longer valid. Other timing errors, such as clock jitter and frequency drift, also contribute to the need for a more robust synchronization solution. We denote the time over which synchronization is maintained as $T\_b$, i.e., the time over which the error in Δ $\tau\_A$.

Clock synchronization is sometimes achieved by directly sending Alice's clock signal to Bob over a separate channel via an optical link or using a radio-frequency signal [7–16]. However, this introduces additional hardware requirements and increases the cost and complexity of the setup. One way to avoid these additional resource requirements is to use the quantum channel itself to transmit the information necessary to perform the synchronization [17–20]. One such qubit-based synchronization protocol was introduced and demonstrated by Calderaro et al. [17]. Their protocol uses a dedicated clock-synchronization phase followed by a key distribution phase. In the synchronization phase, a pre-agreed synchronization string is transmitted to Bob and the clocks are aligned during post-processing.

The pre-agreed synchronization string is used to find the initial offset between Alice's and Bob's clocks. Because it must be public knowledge, it cannot be used to generate a secure key. If the clock frequencies are not consistent, simple clock offset recovery only temporarily aligns the clocks, until the clock drift becomes of the order of the communication protocol temporal bin width $\tau\_A$. Correcting for this clock frequency drift using only clock offset recovery requires repeated synchronization/key distribution phases with a regularity that depends on the stability of the clocks used in the experiment. This reduces the overall secure key rate because no QKD states can be sent while the synchronization states are being sent, which may result in zero key rate due to finite-key effects [21,22]. However, to account for this drift without needing to send regular synchronization strings, Calderaro et al. perform clock frequency recovery using the periodic arrival times of Alice's qubits. Unlike the clock offset recovery, this does not require a pre-agreed synchronization string and thus does not decrease the amount of key that can be sent.

While our method only uses clock offset recovery at this time, it avoids these potential impacts on secure key rate by synchronizing the clocks using only information that is already publicly sent over the insecure classical channel by Alice and Bob for sifting and security analysis: The basis choices and the mean photon number of the transmitted signal. Because we are transmitting only one state in the monitoring basis, the basis choices provide information about which of Bob's measurement outcomes are more likely. The decoy state choices, which determine Alice's mean photon number for each wavepacket, also contain information about Bob's measurement outcomes. For example, Bob is unlikely to record any detections if Alice sends the vacuum decoy state.

By comparing this information to his measurement outcomes, Bob can probabilistically determine the timing offset. To account for potential clock drift, Bob can perform this synchronization in subsets of length *Tb*. Thus, Bob can find the up-to-date timing offset and ensure that the basis choices he publishes are properly lined up with the ones sent to him by Alice, but this requires an efficient analysis method to reduce the data requirements. Of course, our approach as well as Calderaro's requires low enough channel loss so that there are enough events received by Bob over a drift interval as discussed below.

Another example of a qubit-based synchronization protocol for continuously-pumped entanglement-based QKD systems was introduced by Ho et al. [20]. Here, they correlate Alice and Bob's detection events without considering basis information. Their synchronization method relies on Alice's knowledge that some communication time bins are empty (assuming essentially unit detection efficiency for Alice's setup) and hence Bob's corresponding time bin should also be empty. There is a single dominant peak in the correlation function that identifies Δ assuming a large enough number of Bob's detection events. Because the detection timing information must already be shared publicly, this strategy does not sacrifice any secure key. This method fails when the probability of Alice generating a photon per communication time bin approaches unity because every time bin is likely to be filled and hence the correlation function will have multiple high-value peaks that create timing ambiguity.

In the next section, we outline our synchronization algorithm and its advantages, and derive a formula for the synchronization probability using Bayesian analysis. In Section 3 we introduce a model system, and in Section 4 we simulate data in this model system to demonstrate the effectiveness of our method. In Section 5 we present our conclusions and the potential applicability of this work to other QKD systems.

#### **2. Qubit-Based Synchronization Algorithm**

Similar to previous approaches, our algorithm uses a cross-correlation of Alice's periodically transmitted data and Bob's received data to find the number of each type of event pairing, where the cross-correlation is computed efficiently using a Fast Fourier Transform (FFT). One complication of a prepare-and-measure scheme is that Alice attempts to send a quantum state every communication time bin, corresponding to the high-photon-probability limit of the Ho et al. [20] method discussed above. This problem is addressed here using the decoy-state protocol [3], which must be used anyway to prevent a photon-number-splitting attack.

Decoy states are sent by Alice randomly and correspond to wavepackets with a mean photon number smaller than the signal state; they often include the vacuum state. The vacuum state is particularly effective in the synchronization process because Alice has high certainty that she sent no photons, limited only by her ability to completely block the source. Bob should then also see no photons, limited by the detection clicks caused by non-ideal effects such as detector dark counts, detector afterpulsing, stray light, and the bleed-through of light from Alice's source.

Beyond the decoy states, there are additional sources of correlation that can be exploited to help improve the synchronization process. For example, Alice's use of the efficient three-state protocol, where she only sends one state in the monitoring basis, gives useful information if Alice and Bob also share basis-state information, which is already required for sifting. We use a Bayesian statistical method, described below, that uses all prior knowledge of the system characteristics, such as the state fidelities, the mean photon numbers, the channel loss, the fractional sorting of Bob's device for the two bases, and the detector efficiency, to generate a lookup table of Bob's detection probabilities for Alice's different inputs. With these, we can easily compute the synchronization probabilities of different possible offsets using Bayesian statistics. Alice's and Bob's data are most correlated when they are synchronized.

A significant advantage of our approach is that it does not sacrifice any secure key: we only use the information that is already sent publicly over the insecure classical channel. This is an improvement over synchronization protocols that share some fraction of the raw data for synchronization purposes, as well as protocols that have a dedicated clock-synchronization phase [17] during which no QKD states can be sent.

Bayesian analysis is a logical choice for synthesizing all available information and using it to make accurate predictions about Δ. It also has the advantage that it predicts the probability that $\hat{\Delta}$ is the best estimate of the synchronization offset. This allows us to quantitatively express our level of confidence in the synchronization estimate. Furthermore, the additional information we incorporate in the protocol allows us to make a decision with fewer received qubits, which makes the system more robust to clock drift.

Our algorithm uses FFTs to compute cross-correlations between Alice's inputs and Bob's outputs, allowing us to count the number of each type of input-output pairing for the different time offsets. The computational complexity of our algorithm is dominated by these FFTs, which go as $O(N \log N)$, where $N$ is the number of sampling bins. Each cross-correlation requires three FFT computations, so the number of FFTs that must be performed is $3 \times n\_{\rm in} \times n\_{\rm out}$ for a number of distinct inputs $n\_{\rm in}$ and distinct outputs $n\_{\rm out}$. In this example, $n\_{\rm in} = 5$ (H/V signal, H/V decoy, L/R signal, L/R decoy, and vacuum) and $n\_{\rm out} = 4$ (H, V, L, and R), thus maintaining the computational complexity of $O(N \log\_2 N)$.

#### *Synchronization Probability*

Here we will use the strings of Alice and Bob's data. A string of Bob's data consists of the results of each of his detectors at each sampling bin. Typically, Bob's strings are very sparse because there are many sampling bins in which he registers no detections. A string of Alice's data consists of her published information at each sampling bin. If the communication time bin width is greater than the sampling time bin width, Alice will have multiple string entries for each state she sends, each corresponding to what she is sending at that part of her duty cycle. Determining the synchronization probability consists of comparing different strings of Bob's data (starting at different temporal offsets) to strings of Alice's data and calculating which of Bob's strings *D* is most likely to be the one generated by Alice's corresponding string. We determine, for a particular string of Bob's, the probability that it could have been generated by Alice's published string.

Mathematically, we phrase this as the likelihood $p(D|S)$ of generating Bob's string $D$ given the assumption that its generating string is the one Alice has published, denoted by $S$. The uninformed assumption, which we will denote as $\bar{S}$, is that Bob's string $D$ has been generated by a random string other than Alice's published string (from some other portion of Alice's sent data), with the stipulation that the other string is also periodic. This mathematical framework will consider a subset of Alice's data of $N$ sampling bin widths compared against a subset of Bob's data of $N + M$ sampling bin widths, meaning there will be $M$ possible offsets to consider.

To begin in our protocol formalism, we note that *D* is a string of length *M* + *N* of Bob's measurements at each sampling bin (including sampling bins where no detections were received). Each measurement *Bi* in Bob's string consists of the click or no-click results at all of Bob's detectors. Bob's string *D* can be written as

$$D = \{B\_1, \dots, B\_{M+N}\}, \tag{2}$$

which we can rewrite as

$$D = \{B\_1, D'\},\tag{3}$$

where

$$D' = \{B\_2, \ldots, B\_{M+N}\}.\tag{4}$$

We prefer to write the likelihood $p(D|S)$ in terms of known quantities such as $p(B\_1|S)$, the conditional probability of a time bin measurement $B\_1$ given $S$. Using this notation, $p(D|S)$ is given by

$$p(D|S) = p(B\_1, D'|S) = p(B\_1|D', S)p(D'|S),\tag{5}$$

where the final equality is a result of the product rule. Because we have assumed that $B\_1$ is generated from Alice's string, knowing $D'$ gives us no additional information about $B\_1$. At best, it informs us whether $S$ is true, which is already assumed; the bits are otherwise independent because Alice's sequence is random. Using these observations, we obtain

$$p(B\_1|D',S) = p(B\_1|S),\tag{6}$$

and, by extension,

$$p(D|S) = \prod\_{i=1}^{N+M} p(B\_i|S),\tag{7}$$

allowing us to write the likelihood as the product of the measurement probabilities at each sampling bin. We note that even in the example where Alice only sends one state in the monitoring basis, Bob must still measure both states in each basis to detect potential eavesdropper attacks [5,6]. For computational ease, we also determine each sampling bin measurement probability as the product of the probabilities of the outcomes at the four different detectors $b\_\ell$, which are given by

$$p(B\_i|S) = \prod\_{\ell=1}^4 p(b\_\ell|S) \tag{8}$$

Again, because the detectors' events are assumed to be generated by independent random processes, these probabilities can be considered independent when the generating string is known.

When the generating string is not known (under the uninformed assumption $\bar{S}$), the detection probabilities can be approximated as independent when the received mean photon number is low. Because the synchronization task is most difficult in low-signal regimes, we use this approximation going forward. Thus,

$$p(D|\bar{S}) = \prod\_{i=1}^{N+M} p(B\_i|\bar{S}) \tag{9}$$

and

$$p(B\_i|\bar{S}) = \prod\_{\ell=1}^4 p(b\_\ell|\bar{S}).\tag{10}$$

For a given input from Alice, each of Bob's four detectors has an opportunity to detect a photon above the detection clicks arising from non-ideal behaviors. Naturally, we will use our knowledge of the system (the state fidelities, the quality of the polarization sorting, the dark count rates, the detector efficiencies, and the signal and decoy received mean photon number) to estimate the detection probabilities as accurately and efficiently as possible. Using a lookup table of the detection probabilities for the different inputs from Alice, these likelihoods can be calculated using standard statistical methods.

However, the likelihood of generating *D* from Alice's published string is not the same as the probability that Alice's published string is the one that generated *D*, which is given by *p*(*S*|*D*) and is the most relevant quantity to determine synchronization. Bayes' theorem allows us to rewrite this quantity, called the posterior, as

$$p(S|D) = \frac{p(D|S)p(S)}{p(D)}.\tag{11}$$

In addition, we must also include the information that we expect exactly one correct synchronization offset (not just one on average).

To formulate the problem as an exclusive synchronization, we must find the probability that some discrete timing offset, given by the time-bin index $j$, is the correct synchronization offset, and that all the other offsets are incorrect. In other words, this is the probability that, for a given string of length $N$ published by Alice, all the measurements before the $j$th bin are generated randomly, the measurements from $j$ to $j + N$ are generated from Alice's published string, and the measurements after $j + N$ are generated randomly. Under these assumptions, we can write $p(B\_1, \dots, B\_{M+N}|S\_j)$ as a product of the likelihoods of these three sections as

$$p(B\_1, \ldots, B\_{M+N}|S\_j) = p(B\_1, \ldots, B\_{j-1}|\bar{S}\_j)\, p(B\_j, \ldots, B\_{j+N}|S\_j)\, p(B\_{j+N+1}, \ldots, B\_{M+N}|\bar{S}\_j).\tag{12}$$

Here we introduce $\bar{S}\_j$, the assumption that the data is produced by a random string other than the synchronization string in question, but one with the same phase (i.e., the signal arrives at the same time bin in each period as it does for $S\_j$).

We can find the conditional probability for matching Alice's string to Bob's string at a potential synchronization index *j* in this framework using Equation (11), which gives

$$p(S\_j | B\_1, \ldots, B\_{M+N}) = \frac{p(B\_1, \ldots, B\_{M+N} | S\_j) p(S\_j)}{p(B\_1, \ldots, B\_{M+N})} \,. \tag{13}$$

Equation (13) is our main result and is the quantity of interest to identify clock synchronization between Alice and Bob. We determine the optimum synchronization index based on the value of *j* that maximizes this quantity, and the quantity itself gives us our confidence in that choice.

The denominator in Equation (13) can be written in terms of known quantities using marginalization. Marginalization consists of rewriting a probability as a sum of the comprehensive conditional probabilities; in this case, the different possible synchronization indices written as

$$p(S\_j | B\_1, \dots, B\_{M+N}) = \frac{p(B\_1, \dots, B\_{M+N} | S\_j)\, p(S\_j)}{\sum\_{i=1}^{M} p(B\_1, \dots, B\_{M+N} | S\_i)\, p(S\_i)},\tag{14}$$

where the *i* denotes the other potential synchronization indices.

To evaluate Equation (13), the likelihoods $p(B\_1, \dots, B\_{M+N}|S\_j)$ and $p(B\_1, \dots, B\_{M+N}|S\_i)$ can be determined using Equations (7), (9) and (12). The quantity $p(S\_j)$, called the prior, is the ad hoc probability that $D$ corresponds to Alice's published string. That is, $p(S\_j)$ is the probability that we are at the correct synchronization index. We use a uniform prior, which assumes each candidate has a naïve $1/M$ probability of being the correct one given that we have $M$ candidate indices, which means that

$$p(S\_i) = p(S\_j) = \frac{1}{M} \tag{15}$$

so that the prior terms cancel, giving us

$$p(S\_j | B\_1, \dots, B\_{M+N}) = \frac{p(B\_1, \dots, B\_{M+N} | S\_j)}{\sum\_{i=1}^{M} p(B\_1, \dots, B\_{M+N} | S\_i)} \,. \tag{16}$$

Next, we apply Equation (12) to obtain

$$\begin{aligned} p(S\_j|B\_1,\ldots,B\_{M+N}) &= \\ &\frac{p(B\_1,\ldots,B\_{j-1}|\bar{S}\_j)\, p(B\_j,\ldots,B\_{j+N}|S\_j)\, p(B\_{j+N+1},\ldots,B\_{M+N}|\bar{S}\_j)}{\sum\_{i=1}^{M} p(B\_1,\ldots,B\_{i-1}|\bar{S}\_i)\, p(B\_i,\ldots,B\_{i+N}|S\_i)\, p(B\_{i+N+1},\ldots,B\_{M+N}|\bar{S}\_i)} \end{aligned} \tag{17}$$

and use Equations (7) and (9) (of which the latter uses a low received mean photon number approximation) to write everything in terms of known quantities as

$$p(S\_j | B\_1, \dots, B\_{M+N}) \approx \frac{\prod\_{k=1}^{j-1} p(B\_k | \bar{S}\_j) \prod\_{k=j}^{j+N} p(B\_k | S\_j) \prod\_{k=j+N+1}^{M+N} p(B\_k | \bar{S}\_j)}{\sum\_{i=1}^M \left( \prod\_{k=1}^{i-1} p(B\_k | \bar{S}\_i) \prod\_{k=i}^{i+N} p(B\_k | S\_i) \prod\_{k=i+N+1}^{M+N} p(B\_k | \bar{S}\_i) \right)} \tag{18}$$

Equation (18) is our master equation for the synchronization probability of an index $j$. The numerator consists of the probability of an $N$-length string of Bob's data starting at $j$ being produced by Alice's published string, along with the probability that the remaining data was produced by an unknown string of Alice's data. The denominator sums this same quantity over all possible synchronization indices, ensuring normalization. We take the value of $j$ that maximizes this quantity to be the optimum synchronization index, and the value of $p(S\_j|B\_1, \dots, B\_{M+N})$ gives us the probability that we are correct. We can compute this conditional probability using FFTs to count the number of each unique bin measurement along with a lookup table of the probabilities of the events.

#### **3. Model System**

To illustrate our protocol, we simulate a model QKD system using a polarization-based prepare-and-measure protocol with decoy states and only sending one state in the monitoring basis. We set Alice's repetition rate to be $f\_A = 1/\tau\_A$ and a wavepacket duration of $\Delta t = \tau\_A/m$ with $m = 8$ for a duty cycle of 12.5 percent. We set Bob's sampling rate to $n f\_A$ with $n = 8$ so that his sample period is matched to the wavepacket duration. These conditions are illustrated in Figure 1. Alice generates a pseudorandom sequence such that four quantum states, L, R, H and a vacuum decoy state (a decoy state with mean photon number equal to zero), are sent in equal parts on average.

For our numerical experiments, we simulate a QKD session by generating data that emulates the state preparation and measurement, including aspects such as the *received* mean photon number $\mu$, the probability of a detector dark count $d$ over one communication bin width $\tau\_A$, and variation in Δ due to clock drift, assumed to be constant over $T\_b$. This allows us to test how these factors impact the synchronization performance. We assume a transmitted mean photon number $\mu\_A = 1$, where the received mean photon number is $\mu = \eta \mu\_A$ for a channel transmission $\eta$. While this $\mu\_A$ is on the upper end of values used in typical experiments, it allows us to explore the performance and limitations of our algorithm at or beyond the greatest received mean photon number one would realistically use: $\mu\_A = 1$ with zero loss.

**Figure 1.** Illustration of the relative times used in the QKD protocol. Here, the signal (red) straddles bins 1–2 due to an offset of Δ, and we do not consider bins 3–8. We take $\tau\_A = \tau\_B$, which is approximately correct for a short enough data subset.

Assuming a Poisson distribution for Alice's source, the probability of Bob registering a click $p(\mathrm{click}, \ell)$ over a period $\tau\_A$ at a particular detector $\ell$ is given by

$$p(click, \ell) = 1 - (1 - d)e^{-\mu\_{\ell}} \tag{19}$$

where $\mu\_\ell$ is the mean photon number received by detector $\ell$. The portion of the total mean photon number $\mu$ that goes to the different detectors depends on which polarization state is sent. We use ideal BB84 sorting in our model system so that all states have an equal chance of being measured in either basis. States measured in the same basis as they are prepared are detected accurately, while states measured in the opposite basis have an equal chance of being measured as either opposite-basis state. For example, if Alice prepares an H state and Bob receives $\mu = 0.8$, Bob measures $\mu\_H = 0.4$, $\mu\_V = 0$, and $\mu\_L = \mu\_R = 0.2$.
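To make Equations (18) and (19) concrete, the following added example (not the authors' code) simulates the model system above with one sampling bin per communication bin and recovers the clock offset from the posterior of Equation (18). The received mean photon number $\mu = 0.3$, the dark-count probability $d = 0.005$, the string lengths $N$ and $M$ and the true offset are constructed values, and the (input, output) pairings are summed in a direct loop rather than with the paper's FFT cross-correlations.

```python
import math
import random
from itertools import product

DETECTORS = ("H", "V", "L", "R")
# Model system of Section 3: H, L, R and a vacuum decoy, sent in equal parts on average.
ALICE_STATES = ("H", "L", "R", "vac")


def mean_photon_per_detector(state, mu):
    """Ideal BB84 sorting: half of the received mean photon number mu reaches each basis.
    In the preparation basis it all lands on the matching detector; in the other basis
    it splits equally between the two detectors. A vacuum decoy carries no light."""
    if state == "vac":
        return {det: 0.0 for det in DETECTORS}
    same_basis = ("H", "V") if state in ("H", "V") else ("L", "R")
    split = {}
    for det in DETECTORS:
        if det in same_basis:
            split[det] = mu / 2 if det == state else 0.0
        else:
            split[det] = mu / 4
    return split


def click_probability(mu_det, d):
    """Eq. (19): click probability of one detector over a communication bin for a
    Poisson source with mean photon number mu_det and dark-count probability d."""
    return 1.0 - (1.0 - d) * math.exp(-mu_det)


def build_lookup(mu, d):
    """Lookup table p(click at detector | Alice's state), plus its average over Alice's
    equiprobable states, which is the per-detector click probability under S-bar."""
    table = {
        s: {det: click_probability(m, d) for det, m in mean_photon_per_detector(s, mu).items()}
        for s in ALICE_STATES
    }
    marginal = {det: sum(table[s][det] for s in ALICE_STATES) / len(ALICE_STATES)
                for det in DETECTORS}
    return table, marginal


def log_p_bin(pattern, probs):
    """log p(B_i | .) as the sum over the four detectors of log p(b_l | .), Eqs. (8)/(10).
    pattern is a tuple of click flags in DETECTORS order."""
    total = 0.0
    for det, clicked in zip(DETECTORS, pattern):
        p = probs[det]
        total += math.log(p) if clicked else math.log(1.0 - p)
    return total


def simulate_bob(alice, offset, m_window, mu, d, rng):
    """Constructed Bob record of N + M bins: bins inside [offset, offset + N) are
    generated from Alice's published string, the rest from unpublished random states."""
    table, _ = build_lookup(mu, d)
    n = len(alice)
    bob = []
    for k in range(n + m_window):
        state = alice[k - offset] if offset <= k < offset + n else rng.choice(ALICE_STATES)
        bob.append(tuple(rng.random() < table[state][det] for det in DETECTORS))
    return bob


def synchronize(alice, bob, mu, d):
    """Posterior of Eq. (18) over the M candidate offsets j = 0 .. M-1, returned as
    (best j, p(S_j | D)). Dividing numerator and denominator by prod_k p(B_k | S-bar)
    leaves only the N bins inside each candidate window, each contributing the
    log-ratio of its (input, output) pairing from a lookup table."""
    table, marginal = build_lookup(mu, d)
    n, m_window = len(alice), len(bob) - len(alice)
    log_ratio = {}
    for state in ALICE_STATES:
        for pattern in product((False, True), repeat=len(DETECTORS)):
            log_ratio[(state, pattern)] = (log_p_bin(pattern, table[state])
                                           - log_p_bin(pattern, marginal))
    scores = [sum(log_ratio[(alice[k], bob[j + k])] for k in range(n))
              for j in range(m_window)]
    top = max(scores)
    weights = [math.exp(s - top) for s in scores]  # shift before exp to avoid underflow
    z = sum(weights)                               # denominator of Eq. (18)
    posterior = [w / z for w in weights]
    best = max(range(m_window), key=posterior.__getitem__)
    return best, posterior[best]


def demo(seed=1, n=1500, m_window=40, true_offset=17, mu=0.3, d=0.005):
    """Constructed session: mu, d, N, M and the true offset are example values."""
    rng = random.Random(seed)
    alice = [rng.choice(ALICE_STATES) for _ in range(n)]
    bob = simulate_bob(alice, true_offset, m_window, mu, d, rng)
    return synchronize(alice, bob, mu, d)


if __name__ == "__main__":
    j, confidence = demo()
    print(f"best offset {j} with synchronization probability {confidence:.4f}")
```

Lowering `mu` or raising `d` in `demo()` shows the posterior of the winning index falling away from 1 before the wrong index is ever chosen, which is the confidence measure the paper uses to size $T\_b$.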

We assume that the observation window is long enough that the *p*'s and *μ*'s can be estimated accurately from the finite number of observations. This means the average click probability can be extracted from Bob's raw data, and we rewrite Equation (19) as a function of *p*(*click*, ℓ) so that

$$\mu_{\ell} = \ln\left(\frac{1 - d}{1 - p(\mathrm{click}, \ell)}\right) \tag{20}$$

The mean photon numbers of the constituent pulses incident at the four detectors sum to the average mean photon number of the main pulse just before it enters Bob's detection apparatus, so we can estimate the received mean photon number of a signal state as

$$\mu = \frac{4}{3} \sum_{\ell=1}^{4} \ln\left(\frac{1 - d}{1 - p(\mathrm{click}, \ell)}\right), \tag{21}$$

where the factor of 4/3 accounts for the fact that we are sending vacuum states 25% of the time.
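The detector model of Equations (19)–(21) can be exercised numerically. The following Python script is an added example, not code from the paper or from its GitHub repository: it implements Equation (19) per detector, inverts it with Equation (20), and applies the 4/3 correction of Equation (21) to click rates obtained from a constructed state mix (25% vacuum, the four BB84 states at 18.75% each) under the ideal sorting model described above. The dark-count value *d* = 8 × 10^−4 is the one used in the paper's Figure 3; the state mix, the sample sizes and all function names are assumptions. The exact-limit function also shows one concrete manifestation of the low-*μ* assumption discussed in Section 4: because the click probability is nonlinear in *μ*, Equation (21) is accurate for small *μ* but, in this model, reads about 9% low at *μ* = 1.

```python
import math
import random

# Detector labels: H/V (rectilinear basis) and L/R (circular basis), as on the page.
DETECTORS = ("H", "V", "L", "R")


def click_prob(mu_l, d):
    """Eq. (19): probability that detector l clicks in one bin, given the mean
    photon number mu_l arriving at it and the dark-count probability d."""
    return 1.0 - (1.0 - d) * math.exp(-mu_l)


def mu_from_click_prob(p_l, d):
    """Eq. (20): invert Eq. (19) to recover mu_l from an observed click rate."""
    return math.log((1.0 - d) / (1.0 - p_l))


def detector_mu(state, mu):
    """Ideal BB84 sorting from the page: half of mu goes to the basis the state was
    prepared in (all of it to the matching detector), the other half is split evenly
    between the two detectors of the conjugate basis. 'vac' is the vacuum state."""
    if state == "vac":
        return {l: 0.0 for l in DETECTORS}
    basis = {"H": ("H", "V"), "V": ("H", "V"), "L": ("L", "R"), "R": ("L", "R")}[state]
    out = {}
    for l in DETECTORS:
        if l == state:
            out[l] = mu / 2
        elif l in basis:
            out[l] = 0.0
        else:
            out[l] = mu / 4
    return out


def estimate_mu(p_hat, d):
    """Eq. (21): (4/3) * sum_l ln((1-d)/(1-p_l)); the 4/3 undoes the 25% vacuum fraction."""
    return (4.0 / 3.0) * sum(mu_from_click_prob(p_hat[l], d) for l in DETECTORS)


# Constructed state mix (assumption): 25% vacuum as stated on the page, the remaining
# 75% spread evenly over the four signal states.
STATE_MIX = [("vac", 0.25), ("H", 0.1875), ("V", 0.1875), ("L", 0.1875), ("R", 0.1875)]


def expected_mu_estimate(mu, d):
    """Deterministic limit of the estimator: Eq. (21) applied to the exact average
    click probabilities of the state mix, i.e. what unlimited data converges to.
    Because Eq. (19) is nonlinear in mu, averaging p before taking the log biases the
    result slightly low; the bias is negligible at small mu and grows with mu."""
    p_avg = {l: 0.0 for l in DETECTORS}
    for state, weight in STATE_MIX:
        mus = detector_mu(state, mu)
        for l in DETECTORS:
            p_avg[l] += weight * click_prob(mus[l], d)
    return estimate_mu(p_avg, d)


def simulate_click_rates(mu, d, n_bins, seed=1):
    """Monte Carlo version: draw one state per communication bin, then an independent
    click/no-click outcome per detector from Eq. (19); return empirical click rates."""
    rng = random.Random(seed)
    states, weights = zip(*STATE_MIX)
    clicks = {l: 0 for l in DETECTORS}
    for _ in range(n_bins):
        state = rng.choices(states, weights)[0]
        mus = detector_mu(state, mu)
        for l in DETECTORS:
            if rng.random() < click_prob(mus[l], d):
                clicks[l] += 1
    return {l: clicks[l] / n_bins for l in DETECTORS}


if __name__ == "__main__":
    d = 8e-4  # dark-count probability per bin, as in the paper's Figure 3
    for mu in (0.01, 0.05, 1.0):
        p_hat = simulate_click_rates(mu, d, n_bins=200_000)
        print(f"mu={mu:<5} exact-limit estimate={expected_mu_estimate(mu, d):.4f}  "
              f"Monte Carlo estimate={estimate_mu(p_hat, d):.4f}")
```

The Monte Carlo estimate scatters around the exact-limit value with a spread that shrinks as the number of bins grows, which is the finite-statistics effect the observation-window assumption above sets aside.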

We divide the data set into subsets of duration *Tb* and perform synchronization and sifting on each subset. Bob can record up to eight events per communication bin (each of which may or may not include a detection event or dark count), assuming that the detector dead time is less than Bob's sampling time. However, because the clocks can only be synchronized to a resolution of Bob's sampling bin width, we expect Alice's wavepacket to straddle two bins, as illustrated in Figure 1, with the end bins only containing a partial wavepacket. The remaining six bins contain only dark counts, which can be discarded after we determine Δ in order to reduce noise. This amounts to detector time-gating in the post-analysis.

We assume that Bob begins recording before Alice begins transmitting, and continues to record after she stops sending, so our received data is bookended by low signal regions. We find a best-fit step function to identify where the transmission begins and ends, which gives us a coarse approximation of the synchronization index. For a range of different string lengths *N* that determine the number of sampling bin widths in each synchronization subset, we examine a window of *M* = 4000 nearby potential synchronization indices. This value is chosen based on the typical precision of the coarse approximation of the synchronization given by the best-fit step function.

#### **4. Synchronization Simulations**

To verify that our algorithm returns an accurate probability of synchronization, we run 1000 simulated trials with a known synchronization index and compare the average calculated probability of synchronization *p*(*Sj*|*B*1, ..., *BM*+*N*) to the average rate of finding the correct index, which we denote by *f*(*Sj*|*B*1, ..., *BM*+*N*), in Figure 2. If our model is accurate, then *p*(*Sj*|*B*1, ..., *BM*+*N*) ∼ *f*(*Sj*|*B*1, ..., *BM*+*N*), in which case we can take *p*(*Sj*|*B*1, ..., *BM*+*N*) to be a reliable metric for quantifying our confidence in obtaining the correct Δ.

**Figure 2.** Bob's required data record length needed to determine synchronization for two different channel transmissions of (**a**) *η* = 0.05, corresponding to *μ* = 0.05 and (**b**) *η* = 1, corresponding to *μ* = 1. We also show the probability of not obtaining synchronization, which better highlights transition to high-certainty synchronization.

We see that *p*(*Sj*|*B*1, ..., *BM*+*N*) ∼ *f*(*Sj*|*B*1, ..., *BM*+*N*) to within our error bars for moderate channel loss (Figure 2a). However, *p*(*Sj*|*B*1, ..., *BM*+*N*) is consistently larger than *f*(*Sj*|*B*1, ..., *BM*+*N*) for the case of zero channel loss (Figure 2b), a condition that is unlikely to be encountered in an experiment but highlights the limitation of our algorithm. This result is not surprising, given that the derivation in Section 2 assumes low *μ* to arrive at Equation (9). Assuming a transmitted mean photon number of 1, Figure 2b corresponds to a zero-loss channel. This represents an upper limit on the *μ* encountered in a typical decoy-state protocol, where *μA* ≤ 1, and thus also serves as a lower bound on the accuracy of our calculated synchronization probability.

A lower received mean photon number means a lower density of detected events. Because detected events provide more information than no-detection events, a lower *μ* requires us to consider a larger set of sampling bin widths *N* to achieve the same synchronization confidence. Despite the fact that *p*(*Sj*|*B*1, ..., *BM*+*N*) does not match *f*(*Sj*|*B*1, ..., *BM*+*N*) as well at higher values of *μ*, we can still achieve equivalent average values of *f*(*Sj*|*B*1, ..., *BM*+*N*) at lower values of *N*. This fact is also illustrated in Figure 3, where we see a direct correlation between *μ* and the *N* at which the synchronization probabilities converge to one. The higher values of *μ* converge at lower values of *N*.

**Figure 3.** Average calculated synchronization probability as a function of string length on a logarithmic scale for different received mean photon numbers. The probability of registering a dark count during one communication bin width is *d* = 8 × 10^−4.

Another way to view this relation between *μ*, *N*, and *p*(*Sj*|*B*1, ..., *BM*+*N*) is to consider the string length *N* required to achieve a particular synchronization confidence as a function of *μ*, as shown in Figure 4. For high *μ* and low *N*, we observe an approximately linear relation between log10 *μ* and log10 *N* with a slope of ∼−1, which means that *N* ∼ 1/*μ*. For lower *μ*, where there are fewer events and dark counts play a larger role, the curves exhibit steeper slopes, demonstrating that synchronization becomes increasingly difficult. This data can be used to estimate whether it is possible to synchronize over an experimentally measured temporal block length *Tb* and, if so, how low a value of *μ* can be tolerated while still synchronizing reliably. As a concrete example, Bob needs 33,110 sampling bin widths, or about 4140 communication bin widths, to achieve 95% confidence in the clock synchronization for *μ* = 0.01 and *d* = 8 × 10^−4. Because our method assumes that the clock drift over one block is much less than one communication bin width, this means we can tolerate clock drifts approaching 1 part in 4140, or about 242 μs of drift per second. For context, we measured the rate of clock drift between two phase-locked loops driven by crystal-oscillator clocks on DE10-Standard field-programmable gate arrays (FPGAs), and found the average clock drift rate to be 13.5 μs per second. Thus, our algorithm can tolerate realistic clock drift rates in this example.

#### **5. Conclusions**

In conclusion, we develop a novel probabilistic approach to qubit-based clock synchronization using Bayesian analysis. By exploiting correlations between information Alice shares publicly, such as basis and decoy state choices, and Bob's detection events, we can find the correct synchronization clock offset without sacrificing any secret key. Additionally, our algorithm is more robust to noise, loss, and clock drift in comparison to other protocols by incorporating all publicly available information using the Bayesian framework. Finally, we demonstrate that our algorithm is successful and robust using a simulated BB84 communication scheme, which confirms that our synchronization metric corresponds to the probability of synchronization, especially in the low-*μ* limit. Our algorithm is applicable to other QKD systems that use other degrees-of-freedom of the photon for which it is possible to divulge some timing information.

**Author Contributions:** Conceptualization, R.D.C.; methodology, R.D.C.; software, R.D.C.; validation, R.D.C.; formal analysis, R.D.C.; investigation, R.D.C.; resources, R.D.C.; data curation, R.D.C.; writing—original draft preparation, R.D.C.; writing—review and editing, R.D.C. and D.J.G.; visualization, R.D.C. and D.J.G.; supervision, D.J.G.; project administration, D.J.G.; funding acquisition, R.D.C. and D.J.G. All authors have read and agreed to the published version of the manuscript.

**Funding:** This material is based on research sponsored by NASA under grant 80NSSC20K0629 and the Air Force Research Laboratory and the Southwestern Council for Higher Education under agreement FA8650-19-2-9300. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of NASA, the Southwestern Council for Higher Education and the Air Force Research Laboratory (AFRL), or the U.S. Government.

**Data Availability Statement:** All code and data used in simulations is publicly available on GitHub: https://github.com/roderickdcochran/qubit\_based\_synchronization (accessed on 29 July 2021).

**Acknowledgments:** We thank Daniel Sanchez-Rosales for help in collecting the data on FPGA clock drift. R.D.C. acknowledge discussions of the Bayesian analysis with Richard Furnstahl.

**Conflicts of Interest:** The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.

#### **References**


# *Article* **Randomized Oblivious Transfer for Secure Multiparty Computation in the Quantum Setting**

**Bruno Costa 1,2, Pedro Branco 1,3, Manuel Goulão 1,3, Mariano Lemus <sup>1</sup> and Paulo Mateus 1,3,\***


**\*** Correspondence: pmat@math.tecnico.ulisboa.pt

**Citation:** Costa, B.; Branco, P.; Goulão, M.; Lemus, M.; Mateus, P. Randomized Oblivious Transfer for Secure Multiparty Computation in the Quantum Setting. *Entropy* **2021**, *23*, 1001. https://doi.org/10.3390/e23081001

Academic Editor: Ivan B. Djordjevic

Received: 14 June 2021 Accepted: 22 July 2021 Published: 31 July 2021

**Publisher's Note:** MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

**Copyright:** © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

**Abstract:** Secure computation is a powerful cryptographic tool that encompasses the evaluation of any multivariate function with arbitrary inputs from mutually distrusting parties. The oblivious transfer primitive serves as a basic building block for the general task of secure multi-party computation. Therefore, analyzing its security in the universal composability framework becomes mandatory when dealing with multi-party computation protocols composed of oblivious transfer subroutines. Furthermore, since the required number of oblivious transfer instances scales with the size of the circuits, oblivious transfer remains a bottleneck for large-scale multi-party computation implementations. Techniques that allow one to extend a small number of oblivious transfers into a larger number in an efficient way make use of the oblivious transfer variant called randomized oblivious transfer. In this work, we present randomized versions of two known oblivious transfer protocols, one quantum and another post-quantum, under the ring learning with errors assumption. We then prove their security in the quantum universal composability framework, in a common reference string model.

**Keywords:** oblivious transfer; quantum cryptography; post-quantum cryptography; universal composability

#### **1. Introduction**

Oblivious transfer (OT), first introduced by Rabin in 1981 [1], is an important primitive in modern cryptography. The OT primitive is known to be a basic building block for other cryptographic tasks, including secure Multi-Party Computation (MPC), Bit Commitment (BC), Coin-Tossing, and Zero-Knowledge Proofs [2–7].

A 1-out-of-2 OT protocol [8] involves two parties, a sender with two input messages (*m*0, *m*1) and a receiver with a choice bit *b* ∈ {0, 1}. The goal of the protocol is to output only the message *mb* to the receiver, who learns no information about *m*1−*b*, while the sender remains oblivious to the receiver's input bit *b*. Note that, in the original work by Rabin, called all-or-nothing OT [1], the sender has a single input message, while the receiver has none. The protocol outputs the message to the receiver with probability 1/2, such that the sender has no information on whether or not the receiver obtained the message. It was shown that one can construct 1-out-of-2 OT from all-or-nothing OT [9]. Another OT variant is Randomized Oblivious Transfer (ROT), where neither party has any input. The ROT protocol instead outputs the messages (*m*0, *m*1) to the sender and (*b*, *mb*) to the receiver, with (*m*0, *m*1, *b*) chosen uniformly at random from their domains.

MPC [10,11], which is an extremely useful cryptographic tool to compute arbitrary functionalities, can be reduced to the OT primitive; i.e., having access to a secure OT is sufficient [2]. MPC implementations based on oblivious-circuit evaluation techniques require a large number of OTs (one per input wire for Yao [10], and one per AND gate for GMW [11]). Since classical OT schemes (being based on asymmetric-key cryptography) are relatively slow, the development of large-scale MPC implementations has been severely hindered by the required OT rates. In order to deal with this issue of OT efficiency, the concept of OT extension was introduced by Ishai et al. in 2003 [12]. This technique refers to extending a small number of computationally expensive *base* OTs into a larger number of OTs, using only cheap symmetric cryptography primitives. For proving the security of these OT extension techniques in the malicious-adversary setting [13], it turns out that one is required to use ROT instances as the base OTs. Additionally, ROT finds direct application in designing efficient Private Set Intersection (PSI) protocols [14], one of the most popular MPC techniques.

Moreover, even though the efficiency issue can be addressed by the use of OT extensions in MPC applications, there is the underlying threat that schemes based on asymmetric-key assumptions (e.g., the integer-factorization or discrete-logarithm problems) will be broken with the arrival of quantum computers [15]. Research initiatives for developing quantum-resistant solutions have followed two paths. The first is the development of classical cryptographic algorithms that remain hard to break even against a quantum adversary. These solutions include the approximate Shortest Vector Problem (SVP) on ideal lattices [16], the Learning with Errors (LWE) problem [17] and its ring version, Ring Learning with Errors (RLWE) [16], constituting a new area of research called post-quantum cryptography. The second approach is that of quantum cryptography, where solutions for Quantum Key Distribution (QKD), BC, and OT already exist [18]. While unconditional security for QKD has been proven [19], there are impossibility results for unconditionally secure BC and OT [20–22]. Nevertheless, practical solutions for BC and OT have been proposed under the assumption of physical limitations on the devices, such as noisy storage and bounded quantum memories [23–27].

#### *Our Contribution*

In this work, we explore the construction of two ROT protocols in the quantum Universal Composability (UC) framework, in the Common Reference String (CRS) model:


In both cases, the basic idea is to build upon existing non-randomized OT protocols in such a way as to force the values of all of the protocol's outputs to be influenced by both parties. This allows us to randomize both the messages *m*0, *m*<sup>1</sup> and the choice bit *b* as long as at least one party is honest, leading to a ROT protocol. Furthermore, we prove that the resulting protocols are secure in the quantum UC framework.

This paper is organized in five sections. In Section 2, we briefly review some definitions and functionalities relevant for the description and analysis of the protocols. In Section 3, we present the generic construction of ROT from OT and afterwards present the commitment scheme and OT protocols that we will be using to achieve the quantum security we need. The security of the protocols are then shown in Section 4. Finally, in Section 5, we present the main results of this work.

#### **2. Background**

The problems regarding Ring Learning with Errors are conjectured to be hard on both classical and quantum computers. Before defining the RLWE distribution and its decision problem, we first present the notation used. Let *Rq* = Z*q*[*X*]/⟨*f*(*X*)⟩ be a ring, where *q* > 2 is a prime and *f*(*X*) is a cyclotomic polynomial of degree *n*. Let *β* ∈ N, and let *χ* be an error distribution that outputs elements of *Rq* with norm greater than *β* only with negligible probability.

**Definition 1** (RLWE distribution)**.** *Let q*, *Rq and χ be as above. The RLWE distribution As*,*<sup>χ</sup> is obtained by sampling a* ∈ *Rq uniformly, choosing e* ←\$ *χ and outputting* (*a*, *b* = *as* + *e* mod *q*) *for a secret s* ∈ *Rq.*

**Definition 2** (decision-RLWE)**.** *Let q*, *Rq*, *χ and As*,*<sup>χ</sup> be as above. For s* ←\$ *Rq, given many polynomial samples, the goal is to distinguish between As*,*<sup>χ</sup> and a uniform distribution over Rq* × *Rq.*

By using the RLWE variant of the LWE problem we are able not only to work with smaller keys but also to speed up the operations by using the Number Theoretic Transform (NTT). The protocol we will be analyzing uses a variant of the RLWE problem, the Hermite Normal Form of the RLWE problem (HNF-RLWE), in which the secret *s* is sampled from the error distribution *χ* instead of being chosen uniformly at random from the ring *Rq*. This version of the problem is assumed to be hard as well, since RLWE reduces to it [31].

Often, studying the standalone security of protocols is not enough, since they will frequently be used as subroutines in more complex tasks, as is the case of OT, as well as Coin Tossing, Commitment schemes, Zero-Knowledge proofs, etc. In order to ensure that protocols are secure in any computational environment, Canetti [32] introduced the Universal Composability (UC) framework, which we define next.

Let *π* be an *n*-party protocol and F be an ideal functionality. We denote as IDEALF,S,<sup>Z</sup> the output of the environment Z at the end of the ideal-world execution of functionality F with adversary S, and as EXEC*π*,A,<sup>Z</sup> the output of the environment Z at the end of the real-world execution of *π* with adversary A. The notion of a protocol securely emulating some ideal functionality is as follows:

**Definition 3** (UC-secure)**.** *We say that π UC-emulates* F *if for any adversary* A *there exists a simulator* S*, such that, for all environment* Z*,*

$$\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}} \approx \mathrm{EXEC}_{\pi,\mathcal{A},\mathcal{Z}}.$$

When discussing UC security, we can consider either a bounded (computational) or unbounded (statistical) approach. In computational UC security, we restrict the adversary, simulator, and environment to polynomial-time machines, and this approach is used when showing security based on computational assumptions. On the other hand, in statistical UC security, we quantify over all adversaries, simulators, and environments; as such, we can model statistical security.

In this work, we consider *malicious* adversaries, that is, adversaries that may deviate arbitrarily from the protocol. However, we assume static corruption: a party is corrupted before the start of the protocol, and either the sender or the receiver may be corrupted.

In Figures 1–5 we present the functionalities that will be relevant in this work.

#### **Functionality** F*OT*

**Parameters:** String size ℓ. **Parties:** The sender *S* and the receiver *R*.

1. Upon receiving inputs (*m*0, *m*1) ∈ {0, 1}^ℓ × {0, 1}^ℓ from *S* and *b* ∈ {0, 1} from *R*, F*OT* sends *mb* to *R*.

**Figure 1.** OT functionality.

**Functionality** F*ROT*

**Parameters:** String size ℓ. **Parties:** The sender *S* and the receiver *R*.

1. Upon receiving message START from both *S* and *R*, F*ROT* samples *m*0, *m*1 ←$ {0, 1}^ℓ and *b* ←$ {0, 1}. It then sends (*m*0, *m*1) to *S* and (*b*, *mb*) to *R*.

**Figure 2.** ROT functionality.

**Functionality** F*COM*

**Parameters:** Commitment size ℓ (for bit commitment, ℓ = 1). **Parties:** The sender *S* and the recipient *R*.


**Figure 3.** Commitment functionality.

#### **Functionality** F*CRS*^D

**Parameters:** Distribution D.

1. When activated for the first time on input VALUE, F*CRS*^D chooses a value *d* ←$ D and sends *d* back to the activating party. Every other activation returns the same *d* to the activating party.

**Figure 4.** Common Reference String functionality.

#### **Functionality** F*NIZK*

**Parameters:** Common statement *x*. **Parties:** The verifier *V* and the prover *P*.


**Figure 5.** Non-Interactive Zero-Knowledge functionality.

We stress that the definition of F*ROT* presented here is stronger than the one presented in Unruh's original paper [28], in which the outputs are only random if the parties are both honest. In the same paper, the UC framework is extended to the quantum setting by allowing the protocol *π*, the adversary A, the simulator S, and the environment Z to be quantum.

Unruh [28] also showed that, when *π* is a classical protocol and *π* statistically UC-emulates F, then *π* statistically quantum-UC-emulates F, providing a lift from statistical classical-UC to statistical quantum-UC. A similar result exists for the computational case [28], but it requires that the adversary in the classical case be given the same computational power as in the quantum setting; in other words, we need to guarantee that the classical machines present in the proof of UC security are as powerful as quantum-polynomial-time machines.

Given protocols *π* and *σ*, we denote by *σ*^*π* the protocol in which *σ* invokes instances of *π*. A usual situation would be *σ*^F, a protocol that uses some ideal functionality F; *σ*^*π* would then be the protocol that results from implementing that functionality with some protocol *π*. Composition has been shown to be secure, both in the classical [32] and quantum [28] settings.

**Theorem 1** (Universal Composition Theorem [28])**.** *Let* F, G *be ideal functionalities. Let π be an n-party protocol that UC-emulates* G *in the* F*-hybrid model, and let η be an n-party protocol that UC-emulates* F*. Then the protocol π*^*η UC-emulates* G*.*

#### **3. Protocols**

In this section, we start by presenting the generic construction of ROT from OT, using a commitment scheme, and afterwards describe the commitment scheme and the quantum OT protocol that will allow our ROT protocol to computationally quantum-UC-emulate F*ROT*. Finally, we describe a post-quantum approach, a ROT protocol based on the RLWE assumption, inspired by the recent work of [30], with a small tweak to avoid using random oracles, since security proofs in the random oracle model do not carry over directly to quantum adversaries.

#### *3.1. Generating an UC-Secure Random OT*

The protocol *πOT*→*ROT* is presented in Figure 6. We consider two parties: the sender S and the receiver R. It begins with R sampling two strings *r*0, *r*1 ∈ {0, 1}^ℓ and committing to them towards S. R then chooses a random bit *c*, and S chooses two random strings *w*0, *w*1 ∈ {0, 1}^ℓ. With these inputs, the parties invoke the F*OT* functionality, so that R learns *wc*. Following that, S chooses a random bit *d* and sends it to R. Finally, R opens its commitment, and S checks that it matches the initial commitment. If it does not, S aborts; otherwise, it outputs (*M*0 = *wd* ⊕ *rd*, *M*1 = *wd*⊕1 ⊕ *rd*⊕1). R outputs (*b* = *c* ⊕ *d*, *Mb* = *wc* ⊕ *rc*).


**Figure 6.** ROT protocol based on secure commitments.
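As an added example (not code from the paper), the following Python script walks through *πOT*→*ROT* as just described, with F*OT* and F*COM* replaced by trusted-party stand-ins so that the message flow can be executed end to end. The class and function names, the 16-byte string length and the seeded coins are assumptions for the demonstration. It checks the correctness condition that R's (*b*, *Mb*) agrees with S's *Mb* for both values of *b*, and shows the point of the construction: because *b* = *c* ⊕ *d* and S samples *d* only after the OT, a receiver that always picks *c* = 0 still ends up with a uniformly distributed *b*; symmetrically, each *Mi* = *wi* ⊕ *ri* depends on a string R committed to before S chose *w*0, *w*1.

```python
import random


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand_bytes(rng, n):
    """n uniformly random bytes from any random.Random-compatible source."""
    return rng.getrandbits(8 * n).to_bytes(n, "big")


class IdealOT:
    """Trusted-party stand-in for F_OT (Figure 1): S supplies (m0, m1), R supplies b,
    R receives m_b only, and S learns nothing about b."""

    def run(self, m0, m1, b):
        return m1 if b else m0


class IdealCommitment:
    """Trusted-party stand-in for F_COM (Figure 3): a committed value is stored and
    later opened unchanged, so R cannot adapt it after seeing S's messages."""

    def __init__(self):
        self._store = {}

    def commit(self, who, value):
        self._store[who] = value

    def open(self, who):
        return self._store[who]


def ot_to_rot(ell_bytes, f_ot, f_com, rng, receiver_c=None):
    """One run of pi_{OT->ROT} (Figure 6) with both parties following the protocol.
    Returns ((M0, M1) for S, (b, M_b) for R). receiver_c fixes R's choice bit, to show
    that a receiver who does not sample c at random still cannot bias b."""
    # R: sample r0, r1 and commit to them before anything else is exchanged.
    r = (rand_bytes(rng, ell_bytes), rand_bytes(rng, ell_bytes))
    f_com.commit("R", r[0] + r[1])
    c = rng.randrange(2) if receiver_c is None else receiver_c
    # S: sample w0, w1; the base OT hands R exactly w_c and nothing about w_{1-c}.
    w = (rand_bytes(rng, ell_bytes), rand_bytes(rng, ell_bytes))
    w_c = f_ot.run(w[0], w[1], c)
    # S: only now samples its bit d and sends it to R.
    d = rng.randrange(2)
    # R opens the commitment; S verifies it and forms its two output messages.
    opened = f_com.open("R")
    if opened != r[0] + r[1]:
        raise RuntimeError("commitment does not match: S aborts")
    r_open = (opened[:ell_bytes], opened[ell_bytes:])
    sender_out = (xor(w[d], r_open[d]), xor(w[d ^ 1], r_open[d ^ 1]))
    receiver_out = (c ^ d, xor(w_c, r[c]))
    return sender_out, receiver_out


def consistent(sender_out, receiver_out, ell_bytes):
    """Correctness: R's (b, M_b) must agree with S's M_b, and strings keep their length."""
    b, m_b = receiver_out
    return sender_out[b] == m_b and len(m_b) == ell_bytes


def run_many(n_runs, seed, receiver_c=None, ell_bytes=16):
    """Reproducible batch of runs. Returns (all runs consistent, number of runs with b = 1).
    A seeded random.Random stands in for the parties' coins here; use
    random.SystemRandom() for anything other than a demonstration."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(n_runs):
        s_out, r_out = ot_to_rot(ell_bytes, IdealOT(), IdealCommitment(), rng, receiver_c)
        if not consistent(s_out, r_out, ell_bytes):
            return False, ones
        ones += r_out[0]
    return True, ones


if __name__ == "__main__":
    ok, ones = run_many(400, seed=7)
    print(f"honest receiver:           consistent={ok}, b=1 in {ones}/400 runs")
    ok, ones = run_many(400, seed=7, receiver_c=0)
    print(f"receiver always picks c=0: consistent={ok}, b=1 in {ones}/400 runs")
```

The commitment step is what prevents a corrupted R from choosing *r*0, *r*1 after seeing *d*; dropping it would let R steer *Mb* to a value of its choice, which is exactly the influence the ROT functionality forbids.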

#### *3.2. UC-Secure Commitment Scheme*

Canetti [33] showed that UC-secure commitment schemes are impossible in the plain model, and the same result was later proven for the quantum setting as well [22]. With that in mind, we will be working on the Common Reference String (CRS) model defined in Figure 4.

The protocol *πCOM* in Figure 7 has been shown to be computationally UC-secure in the CRS model [33]. The key to this protocol's composability is the use of a trapdoor pseudorandom generator (PRG) *Gpk*, which is described by its public key *pk*. This generator *Gpk* stretches *n*-bit inputs to 4*n*-bit outputs and has a trapdoor *td*. Having access to both *pk* and *td*, we can easily check whether a given string *y* ∈ {0, 1}^4*n* is in the range of *Gpk*.

**Figure 7.** UC-secure BC scheme in the One-Time CRS Model [32].

Note that the protocol *πCOM* is a bit commitment protocol, and for string commitment, an instance of *πCOM* is needed to run for each bit of the string.

#### *3.3. UC-Secure Quantum OT Protocol*

The protocol in Figure 8 was proposed by Yao and has been shown to be statistically quantum-UC-secure with ideal commitments [28].

We denote the logical qubit states by |0⟩ and |1⟩ (the computational basis), and by |+⟩ = (|0⟩ + |1⟩)/√2 and |−⟩ = (|0⟩ − |1⟩)/√2 (the Hadamard basis). We use the following notation for the states |(*si*, *ai*)⟩ with *si*, *ai* ∈ {0, 1}:

$$\begin{aligned} \vert (0,0) \rangle &= \vert 0 \rangle \quad \vert (0,1) \rangle = \vert + \rangle, \\ \vert (1,0) \rangle &= \vert 1 \rangle \quad \vert (1,1) \rangle = \vert - \rangle. \end{aligned}$$

The protocol begins with the sender S preparing qubit states |(*si*, *ai*)⟩ and sending them to the receiver R, which samples a random string *ã*. For every qubit received, R measures the *i*-th state in the computational basis if *ãi* = 0, or in the Hadamard basis if *ãi* = 1. Therefore, approximately half of R's measurement results will be correlated with the states prepared by S, while the rest will be uncorrelated. To ensure security against a dishonest R, R is required to commit to all of its measurement bases and outcomes towards S, which then picks a random subset of them, has R open it, and tests for correlations. Passing this test (statistically) ensures that R measured its qubits honestly. Next, S shares with R the bases it used for state preparation and, with this information, R knows which of its results are correlated with the sender's. The receiver then creates two sets: *I*0, containing the indices where it measured in the same basis as S, and *I*1, where the measurement bases differ. Following that, R uses its choice bit *b* to select the order in which it sends the two sets to S. The sender samples two hash functions *f*0, *f*1 at random from a *2-universal* family **F**, in order to derive from its own bits on each received set a uniform key of the same length as the messages *m*0, *m*1. S sends the encrypted messages *w*0, *w*1 to R, which can only decrypt the message corresponding to the set *I*0, since its outcomes on *I*1 are uncorrelated with the sender's bits.
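The following Python script is an added classical simulation of the Figure 8 message flow, not the paper's code: a matching measurement basis reproduces *si* exactly and a mismatched one yields a uniformly random bit, which is all the honest-party behaviour above needs. The commitment is idealised as a list R cannot alter, the correlation test opens a 25% subset, both index sets are truncated to a common length before hashing (an assumption, so that keys have a fixed size), and the 2-universal family is the set of random *k* × *L* binary matrices over GF(2); the parameters and names are assumptions. It returns what R recovers from *wb* and what it gets when it applies the same procedure to *w*1−*b*.

```python
import random


def measure(s_bits, a_bits, a_tilde, rng):
    """Classical stand-in for R measuring |(s_i, a_i)> in basis a~_i: a matching basis
    returns s_i exactly, a mismatched basis returns a uniformly random bit."""
    return [s if a == at else rng.randrange(2) for s, a, at in zip(s_bits, a_bits, a_tilde)]


def two_universal_hash(matrix, x_bits):
    """h_M(x) = M x over GF(2). The family of all k x L binary matrices M is 2-universal,
    so h_M extracts a uniform k-bit key from x whenever x carries enough entropy."""
    return [sum(m * x for m, x in zip(row, x_bits)) % 2 for row in matrix]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def quantum_ot(m0, m1, b, n=256, test_frac=0.25, seed=0):
    """One honest run of the Figure 8 protocol. Returns (what R decrypts from w_b,
    what R obtains by treating w_{1-b} the same way); the second is garbage."""
    rng = random.Random(seed)
    k = len(m0)
    # S: random data bits s and bases a; "sends" the states |(s_i, a_i)>.
    s = [rng.randrange(2) for _ in range(n)]
    a = [rng.randrange(2) for _ in range(n)]
    # R: random bases a~, measures, and commits to every (a~_i, x_i).
    a_tilde = [rng.randrange(2) for _ in range(n)]
    x = measure(s, a, a_tilde, rng)
    committed = list(zip(a_tilde, x))  # idealised commitment: R cannot change these later
    # S: has R open a random test subset T and checks correlations where bases agree.
    T = set(rng.sample(range(n), int(test_frac * n)))
    for i in T:
        at_i, x_i = committed[i]
        if at_i == a[i] and x_i != s[i]:
            raise RuntimeError("correlation test failed: S aborts")
    # S reveals its bases a; R splits the untested indices into I0 (same basis) and I1.
    rest = [i for i in range(n) if i not in T]
    I0 = [i for i in rest if a_tilde[i] == a[i]]
    I1 = [i for i in rest if a_tilde[i] != a[i]]
    # R sends the pair ordered by its choice bit: I0 sits in position b.
    sets = (I0, I1) if b == 0 else (I1, I0)
    # Assumption: both sets are truncated to a common length L so the hash input is fixed-size.
    L = min(len(I0), len(I1))
    # S: fresh 2-universal hashes f0, f1; key_j = f_j(s restricted to the j-th received set).
    f = [[[rng.randrange(2) for _ in range(L)] for _ in range(k)] for _ in range(2)]
    w = [xor_bits(m, two_universal_hash(f[j], [s[i] for i in sets[j][:L]]))
         for j, m in enumerate((m0, m1))]
    # R: applies f_j to its own outcomes on each set; only on I0 do they equal s.
    dec = [xor_bits(w[j], two_universal_hash(f[j], [x[i] for i in sets[j][:L]]))
           for j in range(2)]
    return dec[b], dec[1 - b]
```

What the simulation cannot show is the quantum part of the argument: a receiver that delays its measurements, or measures in a basis that is neither of the two, would be caught by the correlation test only because the committed outcomes had to be fixed before S revealed its bases, which is why the commitment has to be UC-secure rather than merely binding in the standalone sense.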

#### *3.4. Post-Quantum UC-Secure ROT Protocol*

The protocol in Figure 9 is based on the recently proposed protocol of [30] (which was in turn based on [29]), which has been shown to be UC-secure under the RLWE assumption in the Random Oracle Model (ROM). However, UC security in the ROM does not directly lift to UC security against quantum adversaries. Taking that into consideration, our idea is to replace the random oracle calls, which are used either to commit to a string or to generate a random string, by ideal commitment and NIZK functionalities.

In order to understand the protocol *πROT*, we need to provide some preliminary definitions. A signal function Sig and an extraction function Ext are described as in the key exchange protocol using RLWE of [34], to be used by the involved parties to reconcile a shared key.

Let *σ*0, *σ*1 : Z*q* → {0, 1} be defined as follows:

$$
\sigma_0(a) = \begin{cases} 0, & a \in \left[ -\left\lfloor \frac{q}{4} \right\rfloor, \left\lfloor \frac{q}{4} \right\rfloor \right] \\ 1, & \text{otherwise} \end{cases}
\quad \text{and} \quad
\sigma_1(a) = \begin{cases} 0, & a \in \left[ -\left\lfloor \frac{q}{4} + 1 \right\rfloor, \left\lfloor \frac{q}{4} + 1 \right\rfloor \right] \\ 1, & \text{otherwise} \end{cases}
$$

Next, we extend *σ*0, *σ*1 to the ring case. For any *a* = ∑ *ai X^i* ∈ *Rq* (with *i* = 0, …, *n* − 1), we define *σ*0, *σ*1 : *Rq* → *R*2 coefficient-wise:

$$\sigma_0(a) = \sum_{i=0}^{n-1} \sigma_0(a_i) X^i \quad \text{and} \quad \sigma_1(a) = \sum_{i=0}^{n-1} \sigma_1(a_i) X^i.$$

The signal function Sig : *Rq* → *R*2 can now be defined as Sig(*a*) = *σb*(*a*), where *b* ←$ {0, 1}, while the extraction function Ext : *Rq* × *R*2 → *R*2 is

$$\operatorname{Ext}(a,\sigma) = \left( \left( a + \sigma\,\frac{q-1}{2} \right) \bmod q \right) \bmod 2.$$

We can now describe the ROT protocol based on the RLWE assumption, Figure 9, which can be seen as a tweaked version of the protocol of [30], where we replace the random oracles by a commitment scheme and a NIZK protocol, modeled as functionalities. Let *χ* and *q* be as in Definition 2 and ℓ be the security parameter. Let (*m*, *h*) be the common reference string, where *m*, *h* ∈ *Rq*, and let Ext and Sig be the algorithms defined above.

The protocol starts with both parties generating an RLWE sample. The sender S generates *pS* = *m sS* + 2*eS* mod *q*, and the receiver R generates *pR*^*c* = *m sR* + 2*eR* mod *q*, where *c* is a bit chosen at random by R. If the sampled bit is *c* = 1, then R computes *pR*^0 = *pR*^1 − *h* mod *q*. The receiver then samples two strings *t*0, *t*1 ←$ {0, 1}^ℓ, commits to both strings, and sends *pR*^0 to S. The sender uses the common string *h* and *pR*^0 to compute *pR*^1 = *pR*^0 + *h* mod *q*, and uses both values *pR*^0, *pR*^1 to generate two RLWE samples *kS*^*i* = *sS pR*^*i* + 2*e'S* mod *q* for *i* ∈ {0, 1}. S now computes *σi* = Sig(*kS*^*i*) and sk*S*^*i* = Ext(*kS*^*i*, *σi*) for *i* ∈ {0, 1}, and sends *pS*, *σ*0, *σ*1 to R. The receiver then generates an RLWE sample *kR* = *sR pS* + 2*e'R* mod *q* from *pS* and computes sk*R* = Ext(*kR*, *σc*). The key exchange guarantees that sk*S*^*c* = sk*R* with overwhelming probability, whereas *kS*^*c*⊕1 differs from *kS*^*c* by *sS h*, so R cannot derive the other key. To guarantee that R did not cheat (that is, that it indeed computed sk*R*), both parties engage in a NIZK protocol. If the proof fails, S aborts; otherwise, it samples a bit *a* and two strings *r*0, *r*1 ←$ {0, 1}^ℓ and sends *a*, *r*0, *r*1 to R. The receiver opens its initial commitment to S and, if the check passes, both parties output their messages: S outputs (*M*0 = sk*S*^*a* ⊕ *ra* ⊕ *ta*, *M*1 = sk*S*^*a*⊕1 ⊕ *ra*⊕1 ⊕ *ta*⊕1), and R outputs (*b* = *a* ⊕ *c*, *Mb* = sk*R* ⊕ *rc* ⊕ *tc*).

To simplify the description of $\pi_{ROT}$ in Figure 9, we represent $\mathcal{F}_{NIZK}$ with a single input from the prover R (the witness $w$) and a single output to the verifier S, where this output is 1 if $w$ satisfies $\mathcal{R}$ and 0 otherwise. Let the binary relation $\mathcal{R}$ be such that

$$\mathcal{R}(x, w) = 1 \iff w = \mathrm{sk}_S^0 \vee w = \mathrm{sk}_S^1$$

where $x = \mathrm{Enc}(\mathrm{sk}_S^0, \mathrm{sk}_S^1)$ for a given public key encryption scheme.


**Figure 9.** UC ROT protocol in the CRS model based on the RLWE assumption.

The $\mathcal{F}_{NIZK}$ functionality can, for instance, be instantiated using the protocol described in [35]. That protocol is shown to be quantum-composable in the CRS model, based on the LWE assumption.
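The exchange described above, as an added example with both parties' messages (illustration code written for this page, not the paper's or the authors' implementation). It assumes Ding's signal and modular-extraction functions for Sig and Ext, toy parameters $n = 256$ and $q = 7681$ with ternary secrets and errors, a hash in place of the commitment to $(t_0, t_1)$, and it skips the NIZK step, which does not change the key material; none of these choices is fixed by the text.

```python
"""
Added example (not the paper's code): a toy run of the RLWE-based ROT
exchange, with both parties' messages.  Assumptions the text does not fix:
Sig and Ext are Ding's signal and Mod2 extraction functions, the ring is
Z_q[x]/(x^n + 1) with n = 256 and q = 7681, secrets and errors are ternary,
the commitment to (t0, t1) is modelled by a hash, and the NIZK is skipped.
"""
import hashlib
import random

N, Q = 256, 7681           # toy RLWE parameters (assumption)
HALF = (Q - 1) // 2
rng = random.Random(2022)  # fixed seed so the demo is reproducible


def center(v):
    """Representative of v mod q in [-(q-1)/2, (q-1)/2]."""
    return (v + HALF) % Q - HALF


def poly_mul(a, b):
    """Multiplication in Z_q[x]/(x^n + 1) (schoolbook, negacyclic wrap)."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj   # x^n = -1
    return [c % Q for c in out]


def poly_add(a, b): return [(x + y) % Q for x, y in zip(a, b)]
def poly_sub(a, b): return [(x - y) % Q for x, y in zip(a, b)]
def small(): return [rng.choice((-1, 0, 1)) for _ in range(N)]
def uniform(): return [rng.randrange(Q) for _ in range(N)]
def bits(): return [rng.randrange(2) for _ in range(N)]
def xor(a, b): return [x ^ y for x, y in zip(a, b)]


def rlwe_sample(m, s, e):
    """m*s + 2e mod q."""
    return poly_add(poly_mul(m, s), [(2 * x) % Q for x in e])


def sig(k):
    """Ding's signal: 0 where the coefficient lies in [-q/4, q/4], else 1."""
    return [0 if abs(center(v)) <= Q // 4 else 1 for v in k]


def ext(k, sigma):
    """Ding's Mod2 extraction: one key bit per coefficient."""
    return [center(v + w * HALF) % 2 for v, w in zip(k, sigma)]


def commit(t0, t1):
    """Toy commitment (assumption): hash of the strings and a nonce."""
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(bytes(t0) + bytes(t1) + nonce).digest(), nonce


def run_rot(c):
    """Run the exchange with receiver choice bit c; return both outputs."""
    m, h = uniform(), uniform()                        # the CRS (m, h)
    s_S, e_S = small(), small()
    p_S = rlwe_sample(m, s_S, e_S)                     # p_S = m s_S + 2 e_S
    s_R, e_R = small(), small()
    p_R_c = rlwe_sample(m, s_R, e_R)                   # p_R^c = m s_R + 2 e_R
    p_R0 = poly_sub(p_R_c, h) if c == 1 else p_R_c     # p_R^0 = p_R^1 - h if c = 1
    t = (bits(), bits())
    com, nonce = commit(*t)                            # R -> S: com, p_R^0
    p_R = (p_R0, poly_add(p_R0, h))                    # S recomputes p_R^1 = p_R^0 + h
    k_S = [rlwe_sample(p_R[i], s_S, small()) for i in (0, 1)]  # s_S p_R^i + 2 e'_S
    sigma = [sig(k) for k in k_S]
    sk_S = [ext(k_S[i], sigma[i]) for i in (0, 1)]    # S -> R: p_S, sigma_0, sigma_1
    k_R = rlwe_sample(p_S, s_R, small())               # k_R = s_R p_S + 2 e'_R
    sk_R = ext(k_R, sigma[c])                          # sk_R = Ext(k_R, sigma_c)
    # NIZK that sk_R is one of sk_S^0, sk_S^1 omitted here.  S -> R: a, r_0, r_1
    a, r = rng.randrange(2), (bits(), bits())
    # R opens (t_0, t_1); S checks the opening against the commitment
    assert hashlib.sha256(bytes(t[0]) + bytes(t[1]) + nonce).digest() == com
    M0 = xor(xor(sk_S[a], r[a]), t[a])
    M1 = xor(xor(sk_S[a ^ 1], r[a ^ 1]), t[a ^ 1])
    b = a ^ c
    M_b = xor(xor(sk_R, r[c]), t[c])
    return {"sk_agree": sk_S[c] == sk_R,
            "other_key_differs": sk_S[c ^ 1] != sk_R,
            "b": b,
            "receiver_correct": M_b == (M0, M1)[b]}


if __name__ == "__main__":
    for choice in (0, 1):
        print(choice, run_rot(choice))
```

For both $c = 0$ and $c = 1$, $\mathrm{sk}_R$ equals $\mathrm{sk}_S^c$ and the receiver's $M_b$ matches the sender's, while $\mathrm{sk}_S^{c \oplus 1}$ is unrelated to anything the receiver can compute, because $p_R^{c \oplus 1}$ differs from the receiver's own sample by the CRS element $h$. With these parameters the even difference between $k_S^c$ and $k_R$ is at most $2 \cdot (2 \cdot 256 + 2) = 1028$ per coefficient in the worst case, below the $q/4 \approx 1920$ margin that the extraction tolerates, so agreement is guaranteed rather than merely likely.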

#### **4. Security**

In this section, we establish the quantum-UC security of the proposed protocols in the CRS model. We begin with the quantum protocol, proving that $\pi_{OT \to ROT}$ is quantum-UC-secure when instantiated with $\pi_{COM}$ and $\pi_{QOT}^{\pi_{COM}}$. We then prove the quantum-UC security of $\pi_{ROT}$.

#### *4.1. Quantum-UC Security of the Quantum ROT Protocol*

**Theorem 2.** *Protocol $\pi_{OT \to ROT}$ quantum-UC-emulates $\mathcal{F}_{ROT}$ in the $\mathcal{F}_{OT}, \mathcal{F}_{COM}$-hybrid model.*

**Proof.** We start by describing how the simulator S behaves in each of the possible cases for the execution of the protocol when an adversary A is present.

*Corrupted Sender.* In this case, S simulates the view of the sender, effectively controlling the inputs to $\mathcal{F}_{COM}$ and the input bit to $\mathcal{F}_{OT}$. In order to do so, we start by replacing $\mathcal{F}_{COM}$ by a commitment functionality $\mathcal{F}_{FakeCOM}$, which allows the receiver to cheat. In the commit phase, $\mathcal{F}_{FakeCOM}$ expects a message COMMIT instead of (COMMIT, $x$); in the open phase, $\mathcal{F}_{FakeCOM}$ expects a message (OPEN, $x$) instead of OPEN, which is then sent to the sender. We now change the receiver's implementation to match the new functionality; that is, when committing to a message $m$, the receiver stores that message and later gives it to $\mathcal{F}_{FakeCOM}$ when opening the commitment.

We can now describe how the simulator works. S starts by receiving $(M_0, M_1)$ from $\mathcal{F}_{ROT}$; afterwards, it sends COMMIT to $\mathcal{F}_{FakeCOM}$, samples $c \leftarrow \$ \{0,1\}$, and sends $c$ to $\mathcal{F}_{OT}$. Upon receiving $d$, the simulator extracts $w_0, w_1$ by observing the sender's call to $\mathcal{F}_{OT}$ and computes $r_d = M_0 \oplus w_d$ and $r_{d \oplus 1} = M_1 \oplus w_{d \oplus 1}$. Finally, it sends $(\mathrm{OPEN}, (r_0, r_1))$ to $\mathcal{F}_{FakeCOM}$.

*Corrupted Receiver.* Now, S simulates the view of the receiver, controlling the input messages to $\mathcal{F}_{OT}$. The simulator starts by receiving $(b, M)$ from $\mathcal{F}_{ROT}$. After receiving the commitment message, S extracts the strings $r_0, r_1$ and the bit $c$ by observing the receiver's calls to $\mathcal{F}_{COM}$ and $\mathcal{F}_{OT}$, respectively. It then computes $w_c = r_c \oplus M$ and $d = b \oplus c$ and samples $w_{c \oplus 1} \leftarrow \$ \{0,1\}^{\ell}$; afterwards, it sends $(w_0, w_1)$ to $\mathcal{F}_{OT}$ and $d$ to A. When $\mathcal{F}_{COM}$ replies with open$(r_0, r_1)$, it checks whether the values received match the original commitments and aborts if they do not.

*Both/None parties corrupted.* When both parties are corrupted, S internally runs A, which generates the messages for both parties.

When the adversary does not corrupt any party, the simulator does not have an input from the ideal functionality F*ROT*. As such, S runs the honest receiver and the honest sender, executing the needed algorithms when a dummy party is called in the ideal execution. The simulator forwards the messages of the honestly simulated protocol to A.

To finish the proof, it remains to show that the simulated executions of the protocol are indistinguishable from the real one.

**Claim 1.** *If the adversary A corrupts the sender, then the real execution of the protocol $\pi_{OT \to ROT}$ is indistinguishable from the simulated one.*

**Proof.** The real world execution can be viewed as a game that proceeds as follows:


The differences between the two traces are the commitment functionality and how the values $r_0, r_1$ are generated. However, since the commitments are opened in the same way, replacing $\mathcal{F}_{COM}$ by $\mathcal{F}_{FakeCOM}$ leads to a perfectly indistinguishable network. Regarding $r_0, r_1$, since $M_0, M_1$ are uniform random values coming from $\mathcal{F}_{ROT}$, the values $r_0, r_1$ are also statistically indistinguishable from uniform random values. Therefore, the two executions are statistically indistinguishable.

**Claim 2.** *If the adversary A corrupts the receiver, then the real execution of the protocol $\pi_{OT \to ROT}$ is indistinguishable from the simulated one.*

**Proof.** The real world execution can be viewed as a game that proceeds as follows:


The ideal world execution can be viewed as a game that proceeds as follows:


In this case, the difference between both traces is in how $w_c$ and $d$ are generated. Since $M$ and $b$ are uniform random values coming from $\mathcal{F}_{ROT}$, the string $w_c$ and the bit $d$ are statistically indistinguishable from a uniform random string and a uniform random bit, respectively. Thus, the above two executions are statistically indistinguishable.

Finally, it is trivial to conclude that, when both parties are corrupted and when neither party is corrupted, the simulated executions of the protocol are indistinguishable from the real execution. This concludes the proof.

We have shown that, with $\pi_{OT \to ROT}$, we can transform $\pi_{QOT}$ into a ROT. We now need to prove that $\pi_{COM}$ remains UC-secure when working in a quantum setting.

**Theorem 3.** *Let $G_{pk}$ be a quantum robust PRNG. Then $\pi_{COM}$ (computationally) quantum-UC-emulates $\mathcal{F}_{COM}$ in the CRS model.*

**Proof.** We start by briefly describing the UC security proof of $\pi_{COM}$ by Canetti in [33].

The simulation starts with the simulator S generating $pk_0, pk_1$, sampling random $r_0, r_1 \in \{0,1\}^n$, and setting $\sigma = G_{pk_0}(r_0) \oplus G_{pk_1}(r_1)$. With this fake string, S tells the adversary A that the sender is committed to $y = G_{pk_0}(r_0)$. By later sending $r_0$ or $r_1$, the simulator is able to open the commitment to either $b = 0$ or $b = 1$, respectively. If it were possible to distinguish the fake string from a real one, this would contradict the pseudo-randomness of the generator.

When working in a quantum setting, the indistinguishability of the fake string reduces to the pseudo-randomness of the generator; that is, the environment can only distinguish between the real world and ideal world executions if it is possible to distinguish the fake string *σ* from the real one. As such, if the generators are quantum robust, the environment will not be able to distinguish between both strings. Therefore, the arguments used in the classical UC security proof follow for quantum UC security as well.
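The simulation argument above, as an added example that is not part of the original paper: a toy version of the PRG-based commitment and of the simulator's equivocation. It assumes the keyed generator $G_{pk}$ is modelled by SHAKE256 keyed with $pk$, with a 128-bit seed and a 384-bit output (longer than two seeds, so a random $\sigma$ lies outside the range of $G_{pk_0} \oplus G_{pk_1}$ with overwhelming probability); the paper only requires a quantum robust PRNG and fixes none of these details.

```python
"""
Added example (not the paper's code): a toy version of the CRS-model bit
commitment used in the proof of Theorem 3 and of the simulator's equivocation.
Assumptions not fixed by the text: G_pk is modelled as SHAKE256 keyed with pk,
seeds are 128 bits and outputs 384 bits (longer than two seeds, so a random
sigma is outside the range of G_pk0 xor G_pk1 with overwhelming probability).
"""
import hashlib
import secrets

SEED_BYTES = 16   # n = 128-bit seed (assumption)
OUT_BYTES = 48    # 384-bit PRG output (assumption)


def prg(pk: bytes, seed: bytes) -> bytes:
    """G_pk(seed): toy stand-in for the keyed PRG."""
    assert len(seed) == SEED_BYTES
    return hashlib.shake_256(pk + seed).digest(OUT_BYTES)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def honest_crs():
    """Honest CRS: two PRG keys and a uniformly random string sigma."""
    return secrets.token_bytes(16), secrets.token_bytes(16), secrets.token_bytes(OUT_BYTES)


def commit(crs, b: int):
    """Commit to bit b: y = G_pk0(r) if b = 0, y = G_pk1(r) xor sigma if b = 1."""
    pk0, pk1, sigma = crs
    r = secrets.token_bytes(SEED_BYTES)
    y = prg(pk0, r) if b == 0 else xor(prg(pk1, r), sigma)
    return y, r


def verify_open(crs, y: bytes, b: int, r: bytes) -> bool:
    """Receiver's check of the opening (b, r) of commitment y."""
    pk0, pk1, sigma = crs
    expected = prg(pk0, r) if b == 0 else xor(prg(pk1, r), sigma)
    return secrets.compare_digest(y, expected)


def simulator_crs():
    """Programmed CRS: sigma = G_pk0(r0) xor G_pk1(r1); (r0, r1) is the trapdoor."""
    pk0, pk1 = secrets.token_bytes(16), secrets.token_bytes(16)
    r0, r1 = secrets.token_bytes(SEED_BYTES), secrets.token_bytes(SEED_BYTES)
    sigma = xor(prg(pk0, r0), prg(pk1, r1))
    return (pk0, pk1, sigma), (r0, r1)


def simulator_commit(crs, trapdoor) -> bytes:
    """Fake commitment y = G_pk0(r0), sent before the simulator knows the bit."""
    return prg(crs[0], trapdoor[0])


def simulator_open(trapdoor, b: int) -> bytes:
    """Equivocation: r0 opens the fake commitment to 0, r1 opens it to 1."""
    return trapdoor[0] if b == 0 else trapdoor[1]


def demo() -> dict:
    """An honest commitment is binding; the simulated one opens either way."""
    crs = honest_crs()
    y, r = commit(crs, 1)
    sim_crs, td = simulator_crs()
    y_fake = simulator_commit(sim_crs, td)
    return {
        "honest_ok": verify_open(crs, y, 1, r),
        "honest_wrong_bit": verify_open(crs, y, 0, r),
        "sim_opens_to_0": verify_open(sim_crs, y_fake, 0, simulator_open(td, 0)),
        "sim_opens_to_1": verify_open(sim_crs, y_fake, 1, simulator_open(td, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

Binding for an honest sender rests on $\sigma$ being random: a $y$ that opens both ways would require $\sigma = G_{pk_0}(r_0) \oplus G_{pk_1}(r_1)$ for some pair of seeds, which a random 384-bit string satisfies with probability at most $2^{-128}$ here. The simulator escapes this only because it programs $\sigma$, and the environment cannot tell the programmed $\sigma$ from a random one without distinguishing the PRG output from random, which is exactly the reduction above.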

Finally, we analyze the security of the proposed composition of protocols. Let $\pi_{QROT}$ denote $\pi_{OT \to ROT}$ instantiated with $\pi_{COM}$ and $\pi_{QOT}^{\pi_{COM}}$.

**Theorem 4.** *Protocol $\pi_{QROT}$ quantum-UC-emulates $\mathcal{F}_{ROT}$.*

**Proof.** First, we analyze the UC security of $\pi_{QOT}^{\pi_{COM}}$. Protocol $\pi_{QOT}$ with ideal commitments is known to be universally composable [28]; as such, since $\pi_{COM}$ is a composable commitment scheme, we have that $\pi_{QOT}^{\pi_{COM}}$ quantum-UC-emulates $\mathcal{F}_{OT}$.

Finally, as was shown in Theorem 2, $\pi_{OT \to ROT}$ with ideal commitments and an ideal OT is universally composable. Since both $\pi_{COM}$ and $\pi_{QOT}^{\pi_{COM}}$ are universally composable, the result follows directly.

A downside of using *πCOM* as the commitment scheme is that we require a call to *πCOM* for each bit of the string we intend to commit, which will affect the protocol's efficiency. However, since a composable commitment is required, this is our best suggestion in the CRS model.

#### *4.2. Quantum-UC Security of the Post-Quantum ROT Protocol*

We now analyze the security of $\pi_{ROT}$. The simulator will use its ability to program the CRS and to extract the NIZK witness in order to obtain the desired UC security.

**Theorem 5.** *Protocol $\pi_{ROT}$ (computationally) quantum-UC-emulates $\mathcal{F}_{ROT}$ in the CRS model, given that the HNF-RLWE assumption holds.*

**Proof.** Once again, we describe the behavior of the simulator S in each of the possible cases for the execution of the protocol when an adversary A is present.

*Corrupted Sender.* The simulator S simulates the view of the sender, meaning that it controls the communication with R as well as the inputs to $\mathcal{F}_{COM}$ and $\mathcal{F}_{NIZK}$. As in the proof of security for $\pi_{QROT}$, we replace $\mathcal{F}_{COM}$ by the functionality $\mathcal{F}_{FakeCOM}$ and change the receiver's implementation to match $\mathcal{F}_{FakeCOM}$.

S starts by receiving $(M_0, M_1)$ from $\mathcal{F}_{ROT}$. It then samples $c \leftarrow \$ \{0,1\}$ and $t_0, t_1 \leftarrow \$ \{0,1\}^{\ell}$, as an honest receiver would. Next, it computes two independent RLWE samples, $p_R^0 = m s_R^0 + 2 e_R^0 \bmod q$ and $p_R^1 = m s_R^1 + 2 e_R^1 \bmod q$, sets $h = p_R^1 - p_R^0$, and programs $\mathcal{F}_{CRS}$ to return $(m, h)$ when queried. Following that, it sends $p_R^0$ to A and sends COMMIT to $\mathcal{F}_{FakeCOM}$.

After receiving $(p_S, \sigma_0, \sigma_1)$, S computes $\mathrm{sk}_R^i = \mathrm{Ext}(s_R^i p_S + 2 e'^{\,i}_R, \sigma_i)$, for $i \in \{0,1\}$, and sends $\mathrm{sk}_R^c$ to $\mathcal{F}_{NIZK}$. Since both $p_R^0$ and $p_R^1$ are genuine RLWE samples, $\mathrm{sk}_R^i = \mathrm{sk}_S^i$ holds for both $i$ with overwhelming probability, so S knows both of the sender's keys. Finally, upon receiving $a, r_0, r_1$, S computes $t_a = M_0 \oplus \mathrm{sk}_S^a \oplus r_a$ and $t_{a \oplus 1} = M_1 \oplus \mathrm{sk}_S^{a \oplus 1} \oplus r_{a \oplus 1}$ and sends $(\mathrm{OPEN}, (t_0, t_1))$ to $\mathcal{F}_{FakeCOM}$.

*Corrupted Receiver.* In this case, S simulates the view of the receiver, controlling the communication with the sender. The simulator starts by receiving $(b, M)$ from $\mathcal{F}_{ROT}$. It computes $p_S$ as an honest sender would; after receiving $p_R^0$ as well as the receipt of the commitment, it computes $\mathrm{sk}_S^i, \sigma_i$ honestly, for $i \in \{0,1\}$, and sends $p_S, \sigma_0, \sigma_1$ to A. After receiving the reply from $\mathcal{F}_{NIZK}$, if the test passed, S extracts $c$ by observing the call made to $\mathcal{F}_{NIZK}$ and comparing $\mathrm{sk}_R$ to $\mathrm{sk}_S^0$ and $\mathrm{sk}_S^1$. Finally, it computes $a = b \oplus c$ and $r_c = M \oplus \mathrm{sk}_S^c \oplus t_c$, samples $r_{c \oplus 1} \leftarrow \$ \{0,1\}^{\ell}$, and sends $a, r_0, r_1$ to A. At the end, it checks whether $t_0, t_1$ match the initial commitment, aborting if they do not.

*Both/None parties corrupted.* Here, both cases work as in the previous UC security proof. When both parties are corrupted, the adversary is run internally by S. When neither party is corrupted, S runs the honest receiver and sender, forwarding all messages between them to A.

Again, we now need to show that the real execution of the protocol is indistinguishable from the simulated ones.

**Claim 3.** *If the adversary* A *corrupts the sender, then the real execution of the protocol πROT is indistinguishable from the simulated one.*

**Proof.** The real world execution can be viewed as a game that proceeds as follows:


The ideal world execution can be viewed as a game that proceeds as follows:


The first difference between both games is in $p_R^0$ and $p_R^1$. In the real world game, only $p_R^c$ is an RLWE sample ($p_R^{c \oplus 1}$ is a uniform random sample), while in the ideal world game, both $p_R^0$ and $p_R^1$ are RLWE samples. Given that the RLWE assumption holds, the two situations are indistinguishable.

Once again, replacing $\mathcal{F}_{COM}$ by $\mathcal{F}_{FakeCOM}$ leads to an indistinguishable network, since the commitments are opened in the same way. Finally, in the real world, $t_0, t_1$ are uniform random values, while in the ideal world, they are not. However, since $M_0, M_1$ are uniform random values that come from $\mathcal{F}_{ROT}$, the values in the ideal world are statistically indistinguishable from uniform random values.

Thus, the two executions are indistinguishable, assuming the RLWE assumption holds.

**Claim 4.** *If the adversary* A *corrupts the receiver, then the real execution of the protocol πROT is indistinguishable from the simulated one.*

**Proof.** The real world execution can be viewed as a game that proceeds as follows:


The games differ in how $a$ and $r_c$ are generated; however, since $b$ and $M$ are uniform random values that come from $\mathcal{F}_{ROT}$, both $r_c$ and $a$ are statistically indistinguishable from a uniform random string and a uniform random bit, respectively. Hence, the real world execution and the ideal world execution are indistinguishable, assuming that the RLWE assumption holds.

It remains to be seen whether the simulated executions where both parties are corrupted and when no party is corrupted are also indistinguishable. As in the previous proof, both are trivial, which concludes the proof.

#### **5. Conclusions**

In view of the usefulness of MPC and the steady evolution of both quantum technology and post-quantum cryptography techniques, as well as recognizing the potential threat quantum computers can present in the landscape of information security, we have proposed two potential solutions for quantum secure implementations of ROT.

Both of these protocols have in common that they use a commitment scheme based on quantum-secure pseudo-random generators, which is universally composable in the CRS model. The CRS assumption has the advantage of being weaker and better understood than the quantum random oracle, and it is independent of technological limitations as opposed to the noisy storage assumptions, which are two of the most common models in which the security of OT protocols is studied.

The first construction is based on a quantum OT protocol composed with a quantum-secure bit commitment, which is then transformed into a ROT protocol. The use of a PRNG that is secure against any poly-time quantum distinguisher is the key to the commitment scheme's quantum composability. The second construction is based on a highly efficient UC-secure ROT protocol from the RLWE assumption, initially proposed in the ROM. Our protocol differs in that we remove the requirement for a random oracle, replacing it with a commitment scheme and a non-interactive zero-knowledge protocol, which allows us to obtain a quantum-secure UC protocol, but in the CRS model instead.

Potential future work directions include the following:


**Author Contributions:** Conceptualization, P.M.; investigation and formal analysis B.C., P.B., M.G., M.L. and P.M.; writing—original draft preparation, B.C.; writing—review and editing, M.G.; validation, M.G. and M.L.; supervision, P.M. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research was funded by Fundação para a Ciência e a Tecnologia (FCT) with reference UIDB/50008/2020 (Instituto de Telecomunicações via actions QuRUNNER, QUESTS) and Projects QuantumMining POCI-01-0145-FEDER-031826, PREDICT PTDC/CCI-CIF/29877/2017, and QuantumPrime PTDC/EEI-TEL/8017/2020. BC thanks Capgemini Engineering. PB gratefully acknowledges the support from DP-PMI and FCT (Portugal) through the grant PD/BD/135181/2017. MG gratefully acknowledges the support from DP-PMI and FCT (Portugal) through the grant PD/BD/135182/2017.

**Data Availability Statement:** Not applicable.

**Acknowledgments:** The authors thank Preeti Yadav for editorial improvements.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **References**


MDPI St. Alban-Anlage 66 4052 Basel Switzerland Tel. +41 61 683 77 34 Fax +41 61 302 89 18 www.mdpi.com

*Entropy* Editorial Office E-mail: entropy@mdpi.com www.mdpi.com/journal/entropy
