Security of modified Ping-Pong protocol in noisy and lossy channel

Abstract

The “Ping-Pong” (PP) protocol is a two-way quantum key protocol based on entanglement. In this protocol, Bob prepares one maximally entangled pair of qubits and sends one qubit to Alice. Then, Alice performs some necessary operations on this qubit and sends it back to Bob. Although this protocol was proposed in 2002, its security in the noisy and lossy channel has not been proven. In this report, we add a simple and experimentally feasible modification to the original PP protocol and prove the security of this modified PP protocol against collective attacks when the noisy and lossy channel is taken into account. Simulation results show that our protocol is practical.

Introduction

Quantum key distribution (QKD)^1,2 allows two remote parties (Alice and Bob) to establish unconditional secure-key bits. Research of QKD mainly concerns one-way protocols. BB84¹ protocol is the most commonly used one-way QKD protocol. One-way QKD protocols need the information carriers to be transferred from Alice to Bob via the quantum channel to generate the secure-key bits. For example, in BB84, Alice randomly prepares her qubits into one of the quantum states |0〉, |1〉, and and sends them to Bob via an untrusted quantum channel. Then Bob performs some measurements on the incoming qubits and key bits are generated.

In the past decade, some two-way QKD protocols have been proposed^3,4,5,6,7 and experimentally realized^8,9,10,11,12. In these protocols, Bob prepares some quantum states and sends them to Alice, Alice performs encoding operations on the received states and sends them back in the same quantum channel, then Bob makes some measurements and gets the key bits. Typical examples of these protocols are “Ping-Pong” (PP)³ protocol, LM05⁶ protocol and N09⁷ protocol. The first one uses entanglement while the last two protocols not. These protocols are all deterministic, which means Bob can obtain Alice's key bits directly, without a basis reconciliation step.

The major difficulty of the security proof for the two-way QKD protocols is that the eavesdropper, Eve, may attack the travel qubit on both the forward (Bob-Alice) channel and the backward (Alice-Bob) channel. This makes the security analysis quite complicated. Fortunately, for the LM05 protocol, its security has been proven in different ways^13,14,15 recently and N09 protocol is also proven to be secure in Refs. 16, 17. A super dense coding (SDC) protocol similar to PP protocol is also proved secure¹⁵. However, these proofs are all based on the assumption that there are no losses in the channel and detectors. In fact, the security of PP protocol has been challenged by channel loss^18,19,20,21. Hence, the security of PP protocol when loss is considered remains an open question until now.

In this paper, we propose a modified Ping-Pong protocol and prove its security against collective attacks in noisy and lossy channel. To the best of our knowledge, this is the first security proof of PP protocol considering the loss in channel.

Original ping-pong protocol

It's beneficial to give a brief description of the PP protocol. Consider that Bob prepares two-qubits maximally entangled state , where |0〉 and |1〉 are the eigenstates of Pauli matrix σ_z. He sends one of the qubits (travel qubit) to Alice via an untrusted channel and retains the other (home qubit) in her quantum memory. Then, Alice randomly chooses message mode or control mode to proceed. In message mode, Alice performs an unitary operation I to the incoming qubit to encode classical bit 0, or σ_z to encode bit 1. After her encoding operation, Alice sends this qubit back to Bob. When Bob receives the travel qubit, he performs a Bell measurement on both qubits to decode Alice's bit. In control mode, Alice measures the travel qubit in the basis B_z = {|0〉, |1〉} and announces her measurement outcome through an authenticated channel. On receiving Alice's measurement result, Bob also measures his home qubit with B_z and compare his own measurement result with Alice's. If Alice's and Bob's measurement results coincide, the PP protocol continues; otherwise, they may terminate the protocol. Hence the control mode is used to guarantee the security, while the message mode is for key distribution.

In next section, the modified PP protocol will be given.

Modified ping-pong protocol

In the modified PP protocol, we also use the maximal EPR pair . This protocol process contains four steps:

1. 1

   Bob prepares N pairs of entangled states . He sends half of states (travel qubits) to Alice through a noisy and lossy quantum channel(forward channel) and keeps the other half (home qubits) in his quantum memory.

2. 2

   Alice randomly switches to message mode or control mode with probability c and 1 − c respectively. In message mode, Alice performs one of the four unitary operations I₀, I₁, Y₀ and Y₁ to the incoming states, i.e.,

   

   where |v〉 means the vacuum state. Due to the existence of vacuum state, I₀ and I₁ are no longer identical. So is Y₀ and Y₁. The probabilities of each operation are all 1/4. For operations I₀ and I₁, Alice records her classical information as bit 0. For Y₀ and Y₁, Alice records bit 1. Then Alice sends the encoded states back to Bob through the backward channel. In control mode, Alice measures the incoming signals with projectors {|v〉 〈v|, |0〉 〈0|, |1〉 〈1|}. Then Alice records her measurement results.

3. 3

   Bob also randomly switches to message mode or control mode with probability c and 1 − c respectively. In message mode, Bob performs a Bell-states measurement on his home qubit and his received travel qubit to decode Alice's information (i.e., when Alice encodes bit 0, Bob may obtain the Bell state ; when Alice encodes bit 1, Bob may obtain ). In control mode, Bob measures his reserved qubits with projectors {|v〉 〈v|, |0〉 〈0|, |1〉 〈1|} and records the measurement results.

4. 4

   Alice and Bob publicly announces which trials are in message mode, which are in control mode and their measurements results in control mode. Then Alice and Bob can share the probabilities p₀₀, p₀₁, p_0v, p₁₀, p₁₁ and p_1v (i.e. p_0v is the probability Alice receives a vacuum state when the travel qubit is |0〉 and other probabilities have the similar meanings). These probabilities will be used to bound the eavesdropper Eve's information on key bits. By sacrificing certain bits for error testing, Alice and Bob can also estimate the error rate e for their key bits. Alice and Bob then do classical postprocessing error correction (EC) and privacy amplification (PA) to generate secure-key bits.

The protocol flow is illustrated in Fig. 1.

Figure 1

Coding system of modified PP protocol.

There are two modes: message mode(solid line) and control mode(dash line) in the operations of Alice and Bob. In message mode, if Alice wants to encode bit 0, she will randomly perform I₀ or I₁. If Alice wants to encode bit 1, she will randomly perform Y₀ or Y₁. The operations are defined as I₀{|v〉, |0〉, |1〉} = {|v〉, |0〉, |1〉}, I₁{|v〉, |0〉, |1〉} = {|v〉, −|0〉, −|1〉}, Y₀{|v〉, |0〉, |1〉} = {|v〉, |0〉, −|1〉}, Y₁{|v〉, |0〉, |1〉} = {|v〉, −|0〉, |1〉}. BSM is for Bell-states measurement and Z represents the measurement defined by projectors {|v〉〈v|, |0〉〈0|, |1〉〈1|}.

Security proof of modified ping-pong protocol

Eve's Attack in the Bob-Alice channel

Eve's most general collective attack in the Bob-Alice channel can be written in the form

where p_0v is the probability Alice receives a vacuum state when the travel qubit is |0〉, so is p₀₀, p₀₁, p_1v, p₁₀ and p₁₁. Normalized vectors|E_iv〉 and |E_ij〉 are possible quantum states of Eve's ancilla.

So the joint density matrix of the travel qubit and Eve's ancilla becomes

in which,P{|x〉} = |x〉 〈x|.

After receiving the forward qubits, in encoding mode, Alice will encode her key bits onto the forward qubit by the operations I₀, I₁, Y₀ and Y₁ with the same probability 1/4. The operations I₀ and I₁ result in the same encoding key bit 0, Y₀ and Y₁ result in bit 1. The probabilities that Alice encodes key bit 0 or 1 are still both 1/2.

Let us at first consider the case where Bob's travel qubit collapses into |0〉 (i.e., this case corresponds to the third row of the Eq. (2).). After Alice encoding bit 0, the joint state of Alice and Eve becomes

For the case Alice encodes bit 1, the state is

As described in our modified protocol, Eve cannot obtain any information from the vacuum state. So we can exclude the vacuum state from the joint state and renormalize effective encoding density matrices. Define η_→ = p₀₀ + p₀₁, and (i.e., η_→ can be understood as the efficiency for the forward channel and is estimated directly in experiment.), then the effective encoding matrices in the orthogonal basis {|0〉_A|E₀₀〉, |1〉_A|E₀₁〉} are given by

Since the density matrix we get is already diagonal, our following calculations can be very simple. With system AE, Eve's Von-Neumann entropies on Alice's key bit A′, is given by:

where H is the Shannon's binary entropy function.

Eve's Attack in the Alice-Bob channel

Quantum systems AE on the backward channel can be divided into two events: Bob receives the travel qubit and not. We label these two parts as and . As showed in the prior section, the ratio of the two parts are η_← and 1 − η_← respectively (i.e., η_← is the efficiency of backward channel and can be estimated by Alice and Bob in experiment.). Our goal is to get the lower bound of H(A|E)_received, which means the conditional entropy of Alice on Eve in the case Bob receives the backward qubits. From definition, we have

According to the joint entropy theorem and noticing that the events Bob receives a returning qubit or not are orthogonal, we obtain

By (10)–(11),

To obtain the lower bound of S(A′|AE)_received, it is reasonable to assume that Eve has maximal entropy of Alice's key bit A′ in the case Bob doesn't receive the backward qubit. And recall Eq. (7), we get

Combined with the case that Bob's travel qubit collapsed into |1〉, Eve's total entropy on Alice is given by:

Secure key rate

We assume that the raw key bits are unbiased distributed, which means the error rate Alice encodes 0 or 1 are equal. The error bit e is defined as the probability Alice encodes 0 but the BSM gets |Φ⁻〉 or Alice encodes 1 but the BSM gets |Φ⁺〉. By the authenticated communications, Alice and Bob can estimate the error rate e of their raw key bits. Then they will perform error correction and privacy amplification to generate the secure-key bits. The secure-key rate is given by²²:

where, S(A′|B) is the conditional entropy for Bob's key bits to Alice's key bits and equals H(e) under the unbiased distribution assumption.

We can find the the secure-key rate for this modified PP protocol is very simple. Eve's information on key bits can be just bounded by the error rates for forward channel , and the efficiency of backward channel η_←. The physics behind our proof is that our operation I₀, I₁, Y₀ and Y₁ will introduce a phase randomization to Eve's accessed system AE. This phase randomization will lead to the decoherence of system AE and limit the information that can be gained by Eve.

Simulation

To estimate the performance of our protocol, numerical simulation is given. In this simulation, we use the polarization state of photon transmitted in optical fiber to realize the coding system. On Bob's side, the home qubit is assumed to transmit in a round channel whose the efficiency is the same as the Bob-Alice-Bob channel for simplicity. We use off-the-shelf experimental parameters to establish the simulation, e.g., optical fiber is of an attenuation of 0.20 dB/km, detection efficiency is η_d = 10% and its dark count rate is p_d = 10⁻⁵. Besides, we consider a misalignment of detector as d_e = 1%, η_→ and η_← in the key rate generation formula just equal the transmission efficiency of the corresponding optical fiber η. All the polarization error corresponding to comes from dark count of single photon detector, so . For the error rate between Alice and Bob, it only comes from dark count as . The overall secure-key generation rate is thus per trial. The simulation is shown in Fig. 2. This result show that the modified PP protocol can distribute secure-key bits for distant peers around 50 km.

Figure 2

Simulation: Secure-key rate Lg(R) vs channel distance L (km) from Bob to Alice.

We set η_d = 0.1, d = 10⁻⁵ per pulse. The detector error rate is 1%.

Discussion and conclusion

Two-way deterministic QKD protocols, including PP protocol, do not require basis choices. Thus every encoded bit is used for final key generation. Besides, it has been proved some two-way deterministic QKD protocols are secure against detector-side-channel attacks on the backward channel²³. These advantages make such type protocols potentially useful.

The security of PP protocol when channel loss and noise are presented has been an open problem for a long time. To overcome this problem, we add a simple and experimentally feasible modification to the original PP protocol. Quite interestingly, our modification only leads to a trivial overall to the system of Alice and Bob, but can introduce a phase randomization for Eve's system. With the effects of this phase randomization, we prove the security of this modified PP protocol when the noisy and lossy channel is taken into account. Simulation results show that our protocol is practical. And we also hope that our modification on PP protocol can shed lights on other two-way QKD protocols.