Lecture 2: Quantum Key Distribution
M. Schiavon
September 25, 2024
In this lecture, we will see how it is possible to apply the peculiar properties of quantum
mechanics to the problem of secure communication. In particular, we will see how it is
possible to reach perfect secrecy using a classical channel. Then, we will show how we
can use quantum mechanics to exchange secret keys by presenting the BB84 quantum key
distribution protocol and how we can quantify its security.
1 Perfect secrecy and the one-time pad
This Section is partly taken from [1]. Further information on this subject can be found in
Chapter 7 of [2].
The goal of a secure communication system is to allow two parties to share a secret message
$M = (M_1, \dots, M_N)$ over an insecure communication channel in a way that an enemy,
usually called Eve, with access to this channel, is not able to get any useful information
about it. In the classical model of a cryptosystem, introduced by Shannon [3], Alice
sends a ciphertext $C = (C_1, \dots, C_N)$ to Bob and Eve has perfect access to the insecure
channel, i.e., she receives the exact same ciphertext. The ciphertext C is a function of the
plaintext message M and of the secret key $K \in \mathcal{K}$, shared by Alice and Bob, according
to the model shown in Figure 1.
Figure 1: The Shannon model for symmetric encryption. From [1].
An encryption scheme is formally defined below.
Definition 1 (Symmetric encryption scheme). A symmetric encryption scheme is a set
of three functions (Gen, Enc, Dec) such that:
• The generation function can be used to generate a secret key K = Gen();
• The encryption function can be used to produce a ciphertext from a key and a
message C = Enc(M, K);
• The decryption function can be used to recover a plaintext message from a
ciphertext M = Dec(C, K),
with the requirement that, for any message M,
Dec(Enc(M, K), K) = M.
According to Shannon, the strongest possible type of security is given by perfect secrecy,
defined below.
Definition 2 (Perfect secrecy). An encryption scheme (Gen, Enc, Dec) is perfectly
secret if, for any message M,
I(M; C) = 0, (1)
where C = Enc(M, K), meaning that the message M and the ciphertext C are
statistically independent (or, equivalently, that knowing the ciphertext does not give
any advantage in trying to guess the message with respect to a random choice).
Proposition 1. Shannon proved that perfect secrecy can be achieved only when the
secret key is at least as long as the plaintext message, i.e.,
H(K) ≥ H(M). (2)
Related exercises (TD 2). See exercise 1.
An example of a perfectly-secret cipher is given by the so-called one-time pad (OTP),
first patented by Vernam in 1919, which consists of XOR-ing each bit of the message
$m = (m_1, \dots, m_N)$ with a random binary secret key $k \in \{0,1\}^N$, with $P_K(k) = 2^{-N}$, i.e.,
$$c = m \oplus k. \quad (3)$$
Related exercises (TD 2). See exercise 2.
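As an added worked example (not part of the lecture notes), the following Python code implements the one-time pad of eq. (3) and checks the perfect-secrecy condition I(M; C) = 0 of Definition 2 by brute force: it enumerates all keys with P_K(k) = 2^{-N}, builds the joint distribution of message and ciphertext, and computes the mutual information in bits. For contrast it also evaluates a deliberately broken variant in which the same key is reused for two messages. The message distribution, the function names and the helper `demo` are constructed here and are not taken from the notes.

```python
import itertools
import math

# Added example (not from the lecture notes): one-time pad and a brute-force
# check of perfect secrecy, I(M;C) = 0, over all N-bit keys.


def xor_bits(a, b):
    """Bitwise XOR of two equal-length bit tuples."""
    return tuple(x ^ y for x, y in zip(a, b))


def otp_encrypt(m, k):
    """c = m XOR k, eq. (3); the key must be as long as the message (Proposition 1)."""
    assert len(m) == len(k)
    return xor_bits(m, k)


def otp_decrypt(c, k):
    """m = c XOR k; XOR is its own inverse, so Dec(Enc(m, k), k) = m."""
    return xor_bits(c, k)


def mutual_information(joint):
    """I(M;C) in bits from a joint distribution {(m, c): probability}."""
    pm, pc = {}, {}
    for (m, c), p in joint.items():
        pm[m] = pm.get(m, 0.0) + p
        pc[c] = pc.get(c, 0.0) + p
    return sum(p * math.log2(p / (pm[m] * pc[c])) for (m, c), p in joint.items() if p > 0)


def leakage(message_dist, n):
    """I(M;C) when every message is encrypted with a fresh uniform n-bit key."""
    keys = list(itertools.product((0, 1), repeat=n))   # all 2^n keys, P_K(k) = 2^-n
    joint = {}
    for m, pm in message_dist.items():
        for k in keys:
            c = otp_encrypt(m, k)
            joint[(m, c)] = joint.get((m, c), 0.0) + pm / len(keys)
    return mutual_information(joint)


def leakage_two_time_pad(message_dist, n):
    """Broken variant: one key reused for two independent messages.  The adversary
    sees (c1, c2) and c1 XOR c2 = m1 XOR m2, so I((M1,M2);(C1,C2)) = H(M1 XOR M2) > 0."""
    keys = list(itertools.product((0, 1), repeat=n))
    joint = {}
    for m1, p1 in message_dist.items():
        for m2, p2 in message_dist.items():
            for k in keys:
                c = (otp_encrypt(m1, k), otp_encrypt(m2, k))
                joint[((m1, m2), c)] = joint.get(((m1, m2), c), 0.0) + p1 * p2 / len(keys)
    return mutual_information(joint)


def demo():
    """Constructed, deliberately non-uniform distribution over 3-bit messages."""
    dist = {(0, 0, 0): 0.5, (1, 0, 1): 0.3, (1, 1, 1): 0.2}
    return {"otp": leakage(dist, 3), "two_time_pad": leakage_two_time_pad(dist, 3)}


if __name__ == "__main__":
    print(demo())   # OTP leaks 0 bits; key reuse leaks about 1.88 bits here
```

The OTP value is zero (up to floating-point rounding) for any message distribution, which is exactly the statistical independence of Definition 2; the two-time-pad value equals the entropy of m1 XOR m2 for the chosen distribution, showing how quickly the guarantee is lost once the key is not fresh.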
2 Quantum key distribution
In the previous Section, we saw that it is possible to build a cipher with perfect secrecy
provided that we have a way to secretly transmit a key k with length at least as long as
the message that we want to transmit. It could be argued that this problem is equivalent
to the one of transmitting the message itself. However, there is a fundamental difference
between transmitting a message, that we want to keep secret, and sharing a random
key. Indeed, in the second case, any information leaked to the eavesdropper is just some
random garbage that, if we are able to identify and quantify it, we can simply discard using a
privacy amplification protocol.
2.1 The BB84 protocol
Quantum key distribution (QKD) is a family of protocols exploiting the properties of quan-
tum mechanics to perform an unconditionally secure key agreement, i.e., a key exchange
mechanism whose security does not depend on some assumption on the computational
power of the adversary, but rather on the laws of Physics. Its security is based on the
no-cloning theorem, or, equivalently, the fact that there exist incompatible observables,
i.e., that it is not possible to measure the value of all the observables of a quantum system
with arbitrary precision¹. It is quite easy to see that the two properties are equivalent.
Indeed, if the no-cloning theorem were false, it would be possible to make arbitrary copies
of the state and measure each observable on an arbitrary number of copies, thus obtaining
their values with arbitrary precision. If, on the other hand, it were possible to measure the
value of all observables of the system with arbitrary precision, it would be possible to use
this information to build a universal quantum cloning machine.
Definition 3 (Mutually unbiased observables). A peculiarity of quantum mechanics
is the existence of pairs of observables, $\hat{X} = \sum_x x\,|\xi_x\rangle\langle\xi_x|$ and
$\hat{Z} = \sum_z z\,|\zeta_z\rangle\langle\zeta_z|$,
characterized by the fact that a perfect knowledge about one of them implies complete
ignorance about the other one. These observables are called mutually unbiased and
they are characterized by the property
$$|\langle \xi_x | \zeta_z \rangle|^2 = \frac{1}{d} \quad \forall x \in \mathcal{X},\ z \in \mathcal{Z}, \quad (4)$$
where d is the dimension of the Hilbert space describing the system under consideration
(for the qubit case d = 2).
This property was first exploited in the 1970s by Wiesner to propose a way to build unforgeable
money². The same idea was exploited in 1984 by Bennett and Brassard to propose
their QKD protocol, now known as BB84 [5]. The main point of their proposal is the use
of two mutually unbiased bases, chosen at random, for encoding and decoding the bit.
Definition 4 (The BB84 protocol). The main steps of the BB84 protocol are described
below:
• Alice and Bob fix an integer n.
• For each l ∈ [n], Alice randomly chooses a bit value xl from a binary random
variable X ∈ {0, 1}, with PX (0) = PX (1) = 1/2, and a basis θl from a binary
random variable Θ ∈ {0, 1}, with PΘ (0) = PΘ (1) = 1/2.
• (State preparation) For each l ∈ [n], if $\theta_l = 0$, Alice encodes the bit in the Z
basis as $0 \equiv |0\rangle$ and $1 \equiv |1\rangle$, while if $\theta_l = 1$ she encodes the bit in the X basis
as $0 \equiv |+\rangle = (|0\rangle + |1\rangle)/\sqrt{2}$ and $1 \equiv |-\rangle = (|0\rangle - |1\rangle)/\sqrt{2}$.
¹ Actually, it is not even possible to define the value of all the observables of a quantum system.
² The article was finally published in 1983 [4].
• (State distribution) Alice sends the n qubits to Bob through the quantum
channel.
• For each l ∈ [n], Bob picks a random bit bl from a uniform binary random
variable B.
• (State measurement) Bob measures the l-th qubit in the Z basis {|0⟩ , |1⟩}
if bl = 0 or in the X basis {|+⟩ , |−⟩} if bl = 1. He stores the result of the
measurement in the variable yl .
• (Sifting) After the transmission of all the qubits, Alice sends to Bob, over the
classical authenticated channel, the list of the bases used for encoding each qubit,
and Bob tells Alice for which qubits he measured in the same basis. Then, they
discard the bits for which they used different bases, remaining with two strings,
$X_S$ and $Y_S$, of length approximately n/2, since the probability that the two bases
coincide is 1/2. These strings are also called sifted keys. In this phase, they get
an advantage over an adversary Eve, since they post-select the events in which
they used the same basis for encoding and measuring the qubit, information
that Eve could not exploit in her interaction with the qubits in the channelᵃ.
• (Parameter estimation) Alice and Bob pick a random subset of the sifted
keys and they compare them through the classical channel, in order to estimate
the quantum bit error rate (QBER). This quantity will be used to estimate the
amount of information leaked to the adversary. The bits used for the parameter
estimation are discarded.
• (Error correction) Alice and Bob perform error correction through communication
via the classical channel, ending with two equal strings $X_R$ and $Y_R$.
• (Privacy amplification) In order to erase the information that Eve has on
the error-corrected strings $X_R$ and $Y_R$, Alice and Bob perform privacy
amplification, ending with two shorter strings $S_A$ and $S_B$ of which Eve has
negligible information.
ᵃ This is the reason why the sifting must be performed after all the qubits have been measured by Bob.
The working principle of the protocol is illustrated in Table 1 here below.
  X   Θ   |ψ⟩   B   Y
  1   0   |1⟩   0   1   OK
  1   0   |1⟩   0   1   OK
  1   1   |−⟩   0   1
  0   1   |+⟩   1   0   OK
  0   0   |0⟩   1   1
  1   1   |−⟩   0   1
  0   1   |+⟩   1   0   OK
  1   0   |1⟩   1   0
  1   1   |−⟩   0   1
Table 1: Example of the BB84 protocol (X: Alice's bit, Θ: Alice's basis, |ψ⟩: state sent,
B: Bob's basis, Y: Bob's result; "OK" marks the rounds kept after sifting). From [6].
After the
sifting phase, Alice and Bob keep only the bits where they used the same basis (marked
with “OK” in the Table) and discard the other ones. With a perfect transmission channel,
the sifted bits are equal while the discarded bits have a bit error rate of roughly 50%. This
is what provides Alice and Bob the required advantage over the adversary, Eve, which
allows them to share the secret key.
2.2 Some simple attacks on BB84
We have seen that with a perfect transmission channel, the sifted bits contain no error.
But, what happens if we have an attacker that is trying to steal information about the
transmitted key?
The simplest strategy that an eavesdropper can perform is to measure the qubits in the
quantum channel and for each one, resend a new qubit which depends on the result of her
measurement, implementing a so-called intercept-and-resend attack. However, Eve does
not know which basis is used to encode the qubit, therefore she can apply two natural
strategies.
• Measurement in a random basis. Eve can choose randomly to measure the qubit
in the X or in the Z basis. Considering only sifted events, with probability 1/2,
she chooses the same basis as Alice and Bob and therefore she will not be detected.
However, she has a 1/2 probability of choosing the wrong basis. In this case, the bit
that she measures is completely random (the Z and X bases are mutually unbiased)
and she proceeds to send a qubit encoded in the wrong basis with respect to Bob,
meaning that the bit measured by Bob has no correlation with what Alice sent, thus
giving an error rate of 1/2.
• Measurement in an intermediate basis. A second strategy can be to measure in
the intermediate basis between the X and the Z bases, which is called the Breidbart
basis $\{\cos(\pi/8)|0\rangle + \sin(\pi/8)|1\rangle,\ -\sin(\pi/8)|0\rangle + \cos(\pi/8)|1\rangle\}$. In this case, she
has a chance of about 85% of correctly guessing the value of the bit, but she will still
introduce some error, since she still has a non-negligible probability of guessing the
wrong bit and she has no information on the encoding basis.
Related exercises (TD 2). See exercise 3 for the intercept-resend attack with the
random basis and exercise 4 for the Breidbart basis.
In general, the fact that Alice encodes the information in non-orthogonal states prevents
Eve from distinguishing them perfectly and, because of that, she will necessarily introduce
errors when she tries to extract information on the state sent by Alice.
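The following Python simulation is an added example, not code from the lecture notes: it runs the BB84 steps of Definition 4 up to sifting and parameter estimation (preparation in the Z or X basis, Born-rule measurement, public comparison and discarding of a random sample) and can optionally insert the two intercept-and-resend strategies of this section, random Z/X basis or Breidbart basis, so the resulting QBER and Eve's guessing accuracy can be compared. It assumes an ideal lossless, noiseless channel and a single-qubit-per-round attacker; error correction and privacy amplification are not simulated. The function names (`measure`, `eavesdrop`, `bb84`, `run_demo`), the seed and the sample fraction are constructed here.

```python
import math
import random

# Added example (not from the lecture notes): classical Born-rule simulation of
# BB84 with an optional intercept-and-resend eavesdropper.  States are real
# 2-vectors; bases 0 = Z and 1 = X as in Definition 4, basis 2 = Breidbart.
SQ = 1 / math.sqrt(2)
C8, S8 = math.cos(math.pi / 8), math.sin(math.pi / 8)
BASES = {
    0: [(1.0, 0.0), (0.0, 1.0)],   # |0>, |1>
    1: [(SQ, SQ), (SQ, -SQ)],      # |+>, |->
    2: [(C8, S8), (-S8, C8)],      # cos(pi/8)|0>+sin(pi/8)|1>, -sin(pi/8)|0>+cos(pi/8)|1>
}


def measure(state, basis, rng):
    """Measure `state` in `basis`: outcome 0 with Born probability |<v_0|state>|^2.
    Returns (outcome bit, post-measurement state)."""
    v0 = BASES[basis][0]
    p0 = (state[0] * v0[0] + state[1] * v0[1]) ** 2
    outcome = 0 if rng.random() < p0 else 1
    return outcome, BASES[basis][outcome]


def eavesdrop(state, strategy, rng):
    """Intercept-and-resend: Eve measures and forwards the eigenstate of her outcome.
    Returns (Eve's guessed bit, state handed on to Bob)."""
    if strategy == "random":        # first strategy of Section 2.2: random Z or X basis
        basis = rng.randrange(2)
    elif strategy == "breidbart":   # second strategy of Section 2.2: intermediate basis
        basis = 2
    else:
        raise ValueError(strategy)
    return measure(state, basis, rng)


def bb84(n, rng, eve=None, sample_fraction=0.25):
    """Run BB84 on n qubits with eve in (None, "random", "breidbart").
    Returns the sifted keys, the QBER estimated on a publicly compared (and then
    discarded) sample, the remaining raw keys and Eve's accuracy on sifted rounds."""
    x = [rng.randrange(2) for _ in range(n)]       # Alice's bits X
    theta = [rng.randrange(2) for _ in range(n)]   # Alice's bases Theta
    b = [rng.randrange(2) for _ in range(n)]       # Bob's bases B
    y, eve_guess = [], []
    for l in range(n):
        state = BASES[theta[l]][x[l]]              # state preparation
        guess = None
        if eve is not None:
            guess, state = eavesdrop(state, eve, rng)
        y.append(measure(state, b[l], rng)[0])     # Bob's measurement, result Y
        eve_guess.append(guess)
    # Sifting: keep the rounds where Alice and Bob used the same basis.
    keep = [l for l in range(n) if theta[l] == b[l]]
    xs, ys = [x[l] for l in keep], [y[l] for l in keep]
    eve_acc = None
    if eve is not None:
        eve_acc = sum(eve_guess[l] == x[l] for l in keep) / len(keep)
    # Parameter estimation: compare a random subset over the classical channel,
    # estimate the QBER and discard those bits.
    m = int(len(keep) * sample_fraction)
    sample = set(rng.sample(range(len(keep)), m))
    qber = sum(xs[i] != ys[i] for i in sample) / m
    raw_a = [xs[i] for i in range(len(keep)) if i not in sample]
    raw_b = [ys[i] for i in range(len(keep)) if i not in sample]
    return {"sifted_alice": xs, "sifted_bob": ys, "qber": qber,
            "raw_alice": raw_a, "raw_bob": raw_b, "eve_accuracy": eve_acc}


def run_demo(seed=2024, n=20000):
    """Three scenarios with a fixed seed (constructed): no Eve, random-basis
    intercept-resend, Breidbart-basis intercept-resend."""
    rng = random.Random(seed)
    return {eve: bb84(n, rng, eve) for eve in (None, "random", "breidbart")}


if __name__ == "__main__":
    for eve, r in run_demo().items():
        print(eve, "sifted:", len(r["sifted_alice"]),
              "QBER:", round(r["qber"], 3), "Eve accuracy:", r["eve_accuracy"])
```

With no eavesdropper the sifted keys agree exactly and the estimated QBER is 0, while both intercept-and-resend strategies push the QBER to about 25% (random basis: half the rounds are measured in the wrong basis and then yield a random bit; Breidbart basis: each of Eve's and Bob's measurements fails with probability sin²(π/8), giving 2·cos²(π/8)·sin²(π/8) = 1/4). Eve's accuracy on the sifted bits is about 75% in the first case and about 85% in the second, so the Breidbart strategy buys her more information but not a lower error rate, which is exactly what the parameter estimation step is there to catch.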
2.3 Possible attacks on a QKD system
In the previous section, we have seen some simple attacks on the BB84 protocol. In that
case, the attacker was restricted to a simple measurement and state preparation system,
but such a restriction would be too strong for defining a system as unconditionally secure.
In general, an attack on a quantum key distribution system consists of some physical
interaction with the states transiting on the quantum channel and some measurement
procedure in order to extract information about the transmitted state. According to the
power of the attacker, it is possible to define three categories of attacks, illustrated in
Figure 2.
Figure 2: Different categories of attacks on a quantum key distribution system: (a)
individual, (b) collective and (c) coherent attacks. From [7].
Definition 5 (Individual attacks). The first category is composed of individual attacks,
which are the most constrained attacks on a quantum key distribution system. In
these attacks, the eavesdropper attacks each qubit independently and using the same
strategy and performs the measurement individually on each qubit before the classical
post-processing.
It is easy to see that the intercept-and-resend attack introduced in the previous section
falls into this first category of attacks.
Definition 6 (Collective attacks). Collective attacks are a generalization of individual
attacks. In this class of attacks, the eavesdropper is still restricted to attacking each
qubit independently and by using the same strategy, but she can make the ancillary
states interact and postpone the measurement at her will.
Definition 7 (General attacks). The most powerful class of attacks is given by general
attacks, or coherent attacks, where the assumption of an independent interaction with
all the qubits is dropped and there is no restriction on the eavesdropping strategy.
3 Definition of security
This Section is inspired by Section 5.1 of [8] and by Chapter 5 of [9].
In Section 1, we saw that perfect secrecy is attainable as long as the two parties share a
random secret key (which is as long as the message). This means that the key exchange
mechanism must produce two keys that are equal, random and secret.
Definition 8 (Protocol). A communication protocol is a set of rules that allow two or
more entities to transmit information via a physical medium.
The key exchange is a two-party protocol which outputs two secret keys $K_A, K_B \in \mathcal{S}$,
where $\mathcal{S}$ is the space of all strings of arbitrary length, including the empty string $\perp$. If
the protocol aborts, the empty string is returned to both parties: $K_A = K_B = \perp$.
The requirement that the two keys are equal is captured by the correctness of the protocol.
Definition 9 (ϵ-Correctness). A protocol is said to be ϵ-correct if
$$\Pr[K_A \neq K_B] \le \epsilon. \quad (5)$$
The requirements that the key is random and secret are a little trickier to formalize.
Indeed, assuming that we have a 0-correct protocol, i.e., a protocol for which $\Pr[K_A \neq K_B] = 0$,
we have that the final key $k = K_A = K_B$ can still be correlated with the
information held by the adversary Eve. In general, it is possible to model Eve's side
information as a quantum state $\rho_E^k$ that depends on k. The joint state between Alice and
Eve is a cq-state that has the form
$$\rho_{AE} = \sum_{k \in \{0,1\}^n} p_k\, |k\rangle\langle k|_A \otimes \rho_E^k, \quad (6)$$
where we are assuming that Alice and Bob share an n-bit key k.
By making a measurement M on her system E, Eve might still be able to obtain some
information about the key. A possible security criterion is that the accessible information
$I_{acc}(K_A; E)$, i.e., the maximum, over all possible measurements M that Eve can apply, of
the mutual information between the key and the random variable $W_M$ that she obtains, satisfies
$$\max_M I(K_A; W_M) \le \epsilon. \quad (7)$$
At first sight, this criterion seems to be good, since we are able to bound the maximal
mutual information between the key and the string that the adversary is able to obtain.
However, this does not hold if we use the key in a real protocol. Indeed, in order to use
the key in a real protocol, we must also ensure that, if Eve knows n − 1 bits of the key,
she gains no more information on the n-th bit of the key³. However, this property is not
captured by the accessible information [10], which gives a security criterion that is not
composable, i.e., that does not hold if the protocol is composed with other protocols to
provide more complete functionalities.
A security model that is composable is the one given by abstract cryptography, where a
real cryptographic protocol is compared with an ideal implementation of the functionality
that it should provide, as shown in Figure 3.
In particular, the security is quantified by looking at the probability that a third party
(called distinguisher within the framework), given either the real protocol or an ideal
implementation of the functionality with uniform probability, can correctly guess which
one was given. In the real protocol, the distinguisher is given a state $\rho^{real}_{AE}$ like the one of
eq. (6). The ideal functionality, on the other hand, produces a uniform random key that
is totally uncorrelated from Eve, corresponding to the quantum state
$$\rho^{ideal}_{AE} = \frac{1}{2^n} I_A \otimes \rho_E. \quad (8)$$
³ This is equivalent to saying that the individual bits of the key are completely uncorrelated.
Figure 3: In the abstract cryptography framework, the security is captured by the ability
of an adversary (called distinguisher in the framework) to distinguish between the real
protocol (left) and an ideal implementation of the functionality (right). From [11].
The abstract cryptography framework reduces the security of the protocol to the problem
of distinguishing between the two quantum states $\rho^{real}_{AE}$ and $\rho^{ideal}_{AE}$.
Consider the scenario in which the distinguisher is given $\rho^{real}_{AE}$ or $\rho^{ideal}_{AE}$ with a priori
probability 1/2. In order to distinguish them, he has to apply a two-outcome measurement
with POVM elements $M_{real}$ and $M_{ideal} = I - M_{real}$. The probability of success of the
distinguisher is given by
$$p_{succ} = \frac{1}{2}\,\mathrm{Tr}\big(M_{real}\,\rho^{real}_{AE}\big) + \frac{1}{2}\,\mathrm{Tr}\big(M_{ideal}\,\rho^{ideal}_{AE}\big)
= \frac{1}{2} + \frac{1}{2}\,\mathrm{Tr}\big(M_{real}\,(\rho^{real}_{AE} - \rho^{ideal}_{AE})\big), \quad (9)$$
where in the second equality we have used the property $M_{ideal} = I - M_{real}$. The distinguisher
can choose the best possible strategy for distinguishing the two states, constrained by
the laws of quantum mechanics, which require that $0 \le M_{real} \le I$, i.e., all eigenvalues of
$M_{real}$ are real and lie between 0 and 1. We can therefore write the maximum probability
of successfully distinguishing between the two states as
$$p^{max}_{succ} = \frac{1}{2} + \frac{1}{2}\max_{0 \le M \le I}\mathrm{Tr}\big(M\,(\rho^{real}_{AE} - \rho^{ideal}_{AE})\big)
= \frac{1}{2} + \frac{1}{2}\,T\big(\rho^{real}_{AE}, \rho^{ideal}_{AE}\big), \quad (10)$$
where T is the trace distance between the two quantum states.
Related exercises (TD 2). See exercise 5.
The trace distance gives therefore the distinguishing advantage between the real protocol
and the ideal functionality and for this reason it is taken as a security measure in the
framework of abstract cryptography.
Definition 10 (ϵ-Secrecy). A protocol, whose output is the state $\rho^{real}_{AE}$, is said to be
ϵ-secret if
$$T\Big(\rho^{real}_{AE},\ \frac{1}{2^n} I_A \otimes \rho_E\Big) = \frac{1}{2}\Big\|\rho^{real}_{AE} - \frac{1}{2^n} I_A \otimes \rho_E\Big\|_1 \le \epsilon. \quad (11)$$
This is equivalent to saying that the distinguishing advantage between the real protocol
and the ideal functionality that outputs a key that is uniform and uncorrelated from
Eve is bounded by ϵ.
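As an added worked example (not from the lecture notes), the Python code below evaluates eqs. (9), (10) and (11) numerically for a cq-state of the form of eq. (6). It assumes, for illustration, that Eve's side information for each key value k is a single qubit $\rho_E^k$; the difference $\rho^{real}_{AE} - \rho^{ideal}_{AE}$ is then block-diagonal in k with 2x2 Hermitian blocks, so the trace distance and the optimal distinguisher follow from the block eigenvalues in closed form. The constructed scenario (a uniform 1-bit key, Eve holding $|0\rangle$ for k = 0 and $\cos\theta|0\rangle + \sin\theta|1\rangle$ for k = 1), the naive Z-basis distinguisher and all function names are assumptions made here.

```python
import math

# Added example (not from the lecture notes): trace distance between the real
# cq-state of eq. (6) and the ideal state of eq. (8) when Eve holds one qubit per
# key value, and the distinguisher success probability of eqs. (9)-(10).
# 2x2 matrices are nested lists of complex numbers.


def eig2(h):
    """Eigenvalues of a 2x2 Hermitian matrix [[a, b], [conj(b), c]] (closed form)."""
    a, c = h[0][0].real, h[1][1].real
    r = math.sqrt(((a - c) / 2) ** 2 + abs(h[0][1]) ** 2)
    return (a + c) / 2 + r, (a + c) / 2 - r


def pure(v):
    """Density matrix |v><v| of a normalised 2-component state vector v."""
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]


def lincomb(a, x, b, y):
    """a*x + b*y for 2x2 matrices x, y and real scalars a, b."""
    return [[a * x[i][j] + b * y[i][j] for j in range(2)] for i in range(2)]


def trace_prod(m, d):
    """Tr(M D) for 2x2 matrices (real part; the trace of M D is real here)."""
    return sum(m[i][j] * d[j][i] for i in range(2) for j in range(2)).real


def cq_blocks(p, rho_E):
    """Blocks D_k = p_k rho_E^k - rho_E / 2^n of rho_real - rho_ideal, where
    rho_E = sum_k p_k rho_E^k is Eve's reduced state.  p lists the key
    probabilities over the 2^n key values, rho_E lists Eve's conditional states."""
    dim = len(p)
    rho_E_avg = [[0j, 0j], [0j, 0j]]
    for pk, rk in zip(p, rho_E):
        rho_E_avg = lincomb(1, rho_E_avg, pk, rk)
    return [lincomb(pk, rk, -1 / dim, rho_E_avg) for pk, rk in zip(p, rho_E)]


def trace_distance(p, rho_E):
    """T = 1/2 ||rho_real - rho_ideal||_1, the left-hand side of eq. (11),
    computed block by block from the eigenvalues of each D_k."""
    return sum(sum(abs(l) for l in eig2(D)) for D in cq_blocks(p, rho_E)) / 2


def distinguisher_success(p, rho_E, M):
    """Eq. (9): p_succ = 1/2 + 1/2 Tr(M (rho_real - rho_ideal)) for a block-diagonal
    POVM element M given as a list of 2x2 blocks M_k with 0 <= M_k <= I."""
    D = cq_blocks(p, rho_E)
    return 0.5 + 0.5 * sum(trace_prod(Mk, Dk) for Mk, Dk in zip(M, D))


def optimal_success(p, rho_E):
    """Eq. (10): the best M projects on the positive eigenspace of each block, so
    p_succ^max = 1/2 + 1/2 * (sum of positive eigenvalues) = 1/2 + T/2."""
    pos = sum(max(l, 0.0) for D in cq_blocks(p, rho_E) for l in eig2(D))
    return 0.5 + 0.5 * pos


def is_eps_secret(p, rho_E, eps):
    """Definition 10: the protocol output is eps-secret iff T <= eps."""
    return trace_distance(p, rho_E) <= eps


def example(theta):
    """Constructed scenario: uniform 1-bit key; Eve holds |0> for k = 0 and
    cos(theta)|0> + sin(theta)|1> for k = 1.  theta = pi/2: Eve knows the key;
    theta = 0: her state carries no information about it."""
    p = [0.5, 0.5]
    rho_E = [pure([1 + 0j, 0j]), pure([math.cos(theta) + 0j, math.sin(theta) + 0j])]
    # Naive distinguisher (constructed): measure Eve's qubit in the Z basis and
    # answer "real" when the outcome equals k, i.e. M_k = |k><k|.
    M_naive = [pure([1 + 0j, 0j]), pure([0j, 1 + 0j])]
    return {"T": trace_distance(p, rho_E),
            "p_naive": distinguisher_success(p, rho_E, M_naive),
            "p_max": optimal_success(p, rho_E),
            "secret_0.1": is_eps_secret(p, rho_E, 0.1)}


if __name__ == "__main__":
    for theta in (0.0, math.pi / 4, math.pi / 2):
        print(round(theta, 4), example(theta))
```

For theta = 0 the two states coincide, T = 0 and no distinguisher beats 1/2; for theta = π/2 Eve holds a copy of the bit, T = 1/2 and the best distinguisher (here also the naive one) succeeds with probability 3/4. For the intermediate angle π/4 the naive Z-basis strategy (0.625) falls short of the optimum 1/2 + T/2 ≈ 0.677, illustrating that the trace distance bounds every strategy, not just the obvious one.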
Combining the two properties of correctness and secrecy it is possible to give a definition
of security that is composable.
Definition 11 (ϵ-Security). An ϵ-secure protocol is a protocol that is $\epsilon_{cor}$-correct and
$\epsilon_{sec}$-secret, with
$$\epsilon = \epsilon_{cor} + \epsilon_{sec}. \quad (12)$$
The use of the trace distance in the definition of security makes sure that the composition
of an $\epsilon_1$-secure protocol with an $\epsilon_2$-secure protocol gives an $(\epsilon_1 + \epsilon_2)$-secure protocol⁴.
⁴ This property is the consequence of the triangle inequality of the trace distance.
References
[1] T. Johansson. Lecture 6-7: Shannon's theory of secrecy. URL https://www.eit.lth.se/fileadmin/eit/courses/edi051/lecture6to7_slides.pdf.
[2] Thomas M. Cover and Joy A. Thomas. Elements of Information Theory. Wiley, September 2005. ISBN 9780471241959, 9780471748823. doi: 10.1002/047174882x. URL http://dx.doi.org/10.1002/047174882x.
[3] C. E. Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28:656–715, October 1949. doi: 10.1002/j.1538-7305.1949.tb00928.x. URL http://dx.doi.org/10.1002/j.1538-7305.1949.tb00928.x.
[4] Stephen Wiesner. Conjugate coding. ACM SIGACT News, 15:78–88, January 1983. doi: 10.1145/1008908.1008920. URL http://dx.doi.org/10.1145/1008908.1008920.
[5] Charles H. Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. Theoretical Computer Science, 560:7–11, December 2014. doi: 10.1016/j.tcs.2014.05.025. URL http://dx.doi.org/10.1016/j.tcs.2014.05.025.
[6] Joseph M. Renes. Lecture notes on quantum information theory, 2014. URL https://edu.itp.phys.ethz.ch/hs15/QIT/renes_lecture_notes14.pdf.
[7] Eleni Diamanti. Security and implementation of differential phase shift quantum key distribution systems, 2006. URL https://searchworks.stanford.edu/view/6551479.
[8] Ramona Wolf. Quantum Key Distribution. Springer International Publishing, 2021. ISBN 9783030739904, 9783030739911. doi: 10.1007/978-3-030-73991-1. URL http://dx.doi.org/10.1007/978-3-030-73991-1.
[9] Thomas Vidick and Stephanie Wehner. Introduction to Quantum Cryptography. Cambridge University Press, 2023.
[10] Robert König, Renato Renner, Andor Bariska, and Ueli Maurer. Small accessible quantum information does not imply security. Physical Review Letters, 98, April 2007. doi: 10.1103/physrevlett.98.140502. URL http://dx.doi.org/10.1103/physrevlett.98.140502.
[11] Christopher Portmann and Renato Renner. Cryptographic security of quantum key distribution. September 2014. URL http://arxiv.org/abs/1409.3525v1.