Unconditional Security of a $K$-State Quantum Key Distribution Protocol

Quantum key distribution protocols constitute an important part of quantum cryptography, where the security of sensitive information arises from the laws of physics. In this paper we introduce a new family of key distribution protocols and we compare its key with the well-known protocols such as BB84, PBC0 and generation rate to the well-known protocols such as BB84, PBC0 and R04. We also state the security analysis of these protocols based on the entanglement distillation and CSS codes techniques.


I. INTRODUCTION
Quantum cryptography is a blooming field of scientific research, where quantum phenomena are applied to securing sensitive information. Usually, cryptographic systems are based on the key distribution mechanisms and security of the systems depend on computational complexity. The security of quantum cryptography arises from the laws of quantum physics. Thus, quantum cryptography does not impose limitation on the eavesdropper's technology, which is limited by the laws that no one can ever overcome. Scenarios of quantum key distribution (QKD) protocols are based on the assumption that secret key is shared by Alice and Bob, and only a small amount of information can be leaked to an eavesdropper Eve. The first QKD protocol, BB84 [1], became a motivation for expanding research in this area. As a consequence, Mayers in [2] proved the unconditional security of this protocol on a noisy channel against a general attack. Quantum entanglement and the violation of Bell's theorem was introduced to the BB84 protocol by Ekert [3]. Next, Bennett proposed a simple protocol B92 [4] based on two nonorthogonal states. Unconditional security analysis of this protocol was performed by Tamaki et al. in [5,6] and by Quan et al. in [7]. Generalization of BB84 protocol using conjugate bases, i.e. six states was discussed by Bruß [8]. Subsequently, Phoenix et al. [9] introduced PBC00 protocol and they showed that key bits can be generated more efficiently by the usage of three mutually non-orthogonal states. Renes developed the key creation protocols R04 [10] for two qubit-based spherical codes, which is a modified version of the PBC00 protocol. The R04 protocol allows one to use all conclusive events for key extraction. In [11], Boileau et al. proved the unconditional security of the trine spherical code QKD protocol, which concerns also to PBC00 and R04 protocols. The experimental realization of PBC00 * Corresponding author, E-mail: lpawela@iitis.pl and R04 protocols were proposed in [12] and [13]. New results referring to asymptotic analysis of three-state protocol can be found in [14]. Scarani et al. [15] introduced a protocol SARG04, which is resistant to photon number splitting attacks. QKD protocols have become a subject of profound research and various unconditional security analysis of QKD protocol can be found in [16][17][18][19][20], while for a review see [21].
In this paper we propose a new class of QKD protocols with security analysis performed by the use of techniques similar as in [5,11]. It means that the proposed protocol was considered as entanglement distillation protocol (EDP) [22,23]. Subsequently, similarly as in case of BB84 [24], CSS codes [25,26] were used to the security proof.

II. K-STATE PROTOCOL
Let us introduce a class of QKD protocols, which can be reducible to the well-known PBC00 protocol [9]. Assume that Alice and Bob would like to share N secret bits b i . Then, the protocol is as follows.  4. For each bit b i to be encoded, Alice chooses at random r i ∈ 0, . . . , k − 1. The choice of r i determines the encoding base S ri . Thus, the bit value is equal

5.
Alice publicly announces when all of her measurements are done.
6. Bob prepares measurements described by the POVM { 2 K |ψ ⊥ k ψ ⊥ k |} k and announces when the measurements are done. Next, Alice sends sequences of values r i to Bob. If the i-th Bob's mea- In other cases, the events are regarded as inconclusive. These results are discarded.
7. Half of randomly chosen conclusive events are used in the estimation of a bit error rate. If the bit error rate is to high, then they abort the protocol.
8. In the end, they use a classical error correction and privacy amplification protocols.
Notice that for K = 3 and an appropriate choice of a, the above scenario is equivalent to the PBC00 protocol [9]. It can also be shown that protocols of this class achieve the highest key rate for K = 3.

III. POVM ENHANCEMENT
Now we consider a modification of the above protocol.
Steps 1-4 are the same as in the previous protocol. 6 . For each r i , Bob prepares an unambiguous measurement described by the POVM The value λ is determined as a maximal eigenvalue of In other cases, the events are regarded as inconclusive. Finally, Alice and Bob discard results of measurement, which are inconclusive.
Steps 7. and 8. are again the same as in the previous protocol. For K = 3, the characteristics of the protocols P1 and P2 are the same and are equivalent to the characteristics of the PBC00 protocol.

IV. SECURITY ANALYSIS
Similarly to [5,11,24], we consider an entanglement distillation protocol (EDP), which can be reduced to a QKD protocol equivalent to the above scheme. Firstly, we transform the vectors |ψ i by the rotation operator R(−η), where R y (θ) = cos θ − sin θ sin θ cos θ and η = arccos( ψ 1 |ψ 0 )/2 + arctan ψ0|1 ψ0|0 . After this transformation, we get states |ψ i = R(−η)|ψ i , where |ψ 0 = cos( π K )|0 + sin( π K )|1 and |ψ 1 = cos(− π K )|0 + sin(− π K )|1 . This transformation has no impact on the protocol, but is important in the security analysis. Assume that Alice prepares many pairs of qubits in the entangled state |ψ = 1 √ 2 (|+ |ψ 0 + |− |ψ 1 ), where |± = 1 √ 2 (|0 ± |1 ) and the basis {|+ , |− } will be denoted by ±-basis. Next, she randomly chooses a string of trit values r i and applies R y (θ ri ) on the second qubit of every pair. After that, she sends qubits to Bob through a quantum channel. Alice announces the values of r i . Next, Bob performs local filtering operations [27][28][29] 1| and operation R y (−θ ri ) on the received qubits. Next, half of the states are used to determine the number of bit errors after application of ±-basis measurements by Alice and Bob. If the number of error is too high, then the protocol is aborted. Remaining qubits are used to distill Bell states by an EDP based on CSS codes. Alice and Bob perform ±-basis measurements on Bell states to obtain a secret key.
Notice that R y (θ ri )|ψ j = |ψ ri+j mod K and Alice's operation related to measurement { 1 λ |ψ ⊥ i ψ⊥ i |} i on her state are equivalent to ±-basis measurement on the state 1l 2 ⊗ R y (θ ri ) |ψ . The filtering operations F , rotation operation R y (−θ ri ) and ±-basis measurement performed by Bob can by described by the following POVM This measurement is equivalent to the POVM In [24], Shor and Preskil have shown that if the bound of estimations of bit and phase error decreases exponentially as N increases, then Eve's information on secret key is exponentially small. This approach was used to prove the unconditional security of the Bennet 1992 protocol, by Tamaki et al. [5], and the PBC00 and R04 protocols, by Boileau et al. [11]. These proofs were based on the usage of reduction to an entanglement distillation protocol initialed by a local filtering process. Subsequently, we will prove the security of the above entanglement distillation protocol in the same manner as in [5,11,24].
Assume that {p are sets of probabilities of a bit error and a phase error respectively on the i-th pair after Alice and Bob have done the same measurements on i − 1 previous pairs. Thus p (i) b and p (i) p depend on previous results. Moreover, we introduce e b and e p as rates of bit error and phase error in all conclusive results respectively. Estimations of bit and phase error rates will be performed by to use of Azuma's inequality [30] as in [11].

Theorem 1 ([30]
). Let {X i : i = 0, 1, . . . } be a martingale sequence and for each k it holds that |X k − X k−1 | ≤ c k . Then for all integers N ≥ 0 and real numbers γ ≥ 0 Notice that for c k = 1 we get As a result of the Azuma's inequality, Ce b is exponentially close to e p (Ce b = e p ) for particular constant C, if Cp p is satisfied for all i. Assume that Eve can perform any coherent attack E (i) on qubits sent by Alice such that i E (i) † E (i) ≤ 1l. The general equation for the i th state can be described by a mixed state where |φ Let us introduce the notation |Φ ± = 1 √ 2 (|+ |+ ± |− |− ) and |Ψ ± = 1 √ 2 (|+ |− ±|− |+ ). Since the probability of sharing by Alice and Bob a Bell state |Φ + is equal to the probabilities of a bit error p where It can be checked that Similarly as in [11], we calculate the key rate S from the following formula where is the probability of a conclusive result. Since Ce b = e p , we get Notice that for a bit value b = 0 we get outcome probabilities . Thus, the probability of a conclusive result, with the assumption that e b = 0, is equal to which can be simplified to p c (0) = 2 sin 2 ( π K ) for k > 3. Generally, p c can be expressed as which was derived in Appendix A. Notice, that for K = 3, Eq. (15) is reduced to p c (e b ) = 1 2−e b , which corresponds to probability of conclusive results in PBC00 protocol.
In the case of BB84 protocol, bit error rate is equal to phase error rate. Thus C = 1 and p c (e b ) = 1 2 . In the case of P BC00, C = 5 4 and p c (e b ) = 1 2−e b . From Eq. (13) we get that e b ≈ 11.0% for BB84 protocol and e b ≈ 9.81% for PBC00 protocol. It can be checked that an interesting case is for K = 5, where C = 1 8 (11 − √ 5) and e b ≈ 10.5%. Comparison of proposed protocol with BB84 and PBC00 protocols is shown in Fig. 1. As we can see, the best key ratio is for K = 5.

V. CONCLUSION
In this paper we have introduced a new class of quantum key distribution protocols. We have also provided unconditional security analysis of this protocol. We have shown, that there exists 5-state protocol with reasonably high key rate for small bit-flip error rates.
Notice that error e b can be estimated as Now, let us determine a ratio . (A4) From the central limit theorem and the above calculation we get n g n t = Dn i n t + O( ).
Continuing we obtain 1 = n g n t + n e n t + n i n t = n g n t + e b 1 − e b n g n t + n i n t and . (A7)