Measurement-Device-Independent Quantum Key Distribution

The security of the measurement-device-independent quantum key distribution protocol through untrusted nodes has been directly proven using fundamental entropy uncertainty relations. Reasons for the amazing coincidence of the expressions for the secrete key length in the BB84 and MDI protocols are presented.


INTRODUCTION
Quantum cryptography solves the key problem of symmetric cryptography-distribution of a common secrete cryptographic key-between remote users through open quantum and authentic classical communication channels accessible for eavesdropping [1].
The basic configuration of quantum key distribution (QKD) is a point-point configuration, where the key is distributed between two nodes. Currently existing telecommunication networks require a common key between any pair of nodes that are not connected directly through the quantum communication channel. This problem is currently solved by means of using trusted nodes through which key agreement is performed (see, e.g., [2][3][4]). Such a decision was made in the Chinese National Network [5] and in the Russian University Network [6].
Trusted nodes require the complete cryptographic protection of equipment because quantum keys to neighboring network segments connected to a trusted node are accessible at it. In other words, the operation of equipment should be inaccessible to an eavesdropper (Eve). It is also necessary to ensure protection against the unauthorized modification of the equipment operation.
The key in most QKD systems is formed by processing photocounts in a pair of single-photon detectors. A count in one detector means bit 0 in the key and a count in the second detector means bit 1. Consequently, the results of operation of the detectors should be inaccessible to the eavesdropper.
Existing modifications of QKD with untrusted detectors allow eavesdropper access to the results of operation of the detectors [7]. However, such a modification does not ensure the possibility of the use of an untrusted node in the network; it only allows one to use the detectors in an uncontrolled region.
Quantum key distribution systems with an untrusted intermediate node have been actively studied in the last decade. Such QKD systems make it possible to obtain a common key between two nodes of the network that are connected with each other through the untrusted intermediate node, which does not require the protection of equipment at it: the eavesdropper sees the entire operation of equipment, including the results of the operation of the photodetectors. This idea was proposed in [8,9], and this QKD protocol was called the measurement device independent (MDI) QKD protocol.
The authors of [8,9] only outlined reasons why such as a QKD system ensures the security of distributed keys and stated that the omitted proof of the security of the MDI protocol is similar to the proof of the security of the original BB84 QKD protocol [1].
Although these protocols are strongly different, the formula for the length of the secrete key for the MDI QKD protocol coincides with the famous formula for the BB84 protocol; in the asymptotic limit of long sequences, this formula in the direct + basis [11] (see also below) has the form Here, is information leakage to the eavesdropper in attacks on the quantum communication channel in the × basis, is the error on the receiver (Bob) side in this basis, leak is the information leakage to the eavesdropper during the correction of errors through the classical communication channel in the + basis, and is the error in the + basis. In the × +

QUANTUM INFORMATICS
Shannon limit, leak , where h(x) = is the Shannon binary entropy function, Eq. (1) is transformed to . The aims of this work are to clarify a reason for such an amazing coincidence of the expressions for the length of the secrete key for the BB84 and MDI protocols and to directly prove the security of the MDI QKD protocol using fundamental entropy uncertainty relations [12,13].
Different approaches to the proof of the security of the BB84 QKD protocol. The subsequent proof of the security of MDI QKD and the relation with the basic BB84 protocol require more detailed comments. To this end, it is necessary to recall different approaches to the proof of the security of the BB84 protocol.
The first, quite difficult proof of the security of the BB84 protocol was apparently given in [14].
Further, the authors of [15] reduced the proof of the security of the BB84 protocol to the so-called Einstein-Podolsky-Rosen (EPR) version of the protocol. The idea of the proof is that Alice and Bob, using "entanglement purification" [16], obtained a certain number of pure (perfect) entangled EPR pairs, which contain perfect correlations between Alice and Bob states. Perfect correlations allow one to obtain a common secrete key. However, the purification of EPR pairs requires a quantum memory. Furthermore, entanglement has a property of monogamy [17]; i.e., if two users have a distributed perfect EPR pair, this entangled state cannot correlate with another quantum state of the eavesdropper.
The next important step was made in [10], where quantum codes for the correction of errors were used in the proof. It was shown that information leakage to Eve in one of the bases is due to the error in the Alice-Bob channel in the conjugate basis. Famous formula (1) for the length of the key was obtained in [10].
An important step was made in [18], where a proof of security was given in terms of proximity in trace distance between three-particle Alice-Bob-Eve quantum states corresponding to the real situation with an eavesdropping attack on the quantum communication channel and a perfect state, where Eve's state does not correlate with the Alice-Bob state.
A significant advance in the understanding of the security of the BB84 protocol [19] was achieved with fundamental entropy uncertainty relations [12,13] (see also the history of this problem in [20], where numerous references and variants of uncertainty relations are given). However, entropy uncertainty relations themselves do not provide information on explicit quantum states of users of the protocol.
The explicit eavesdropping attack against transmitted states in the BB84 protocol that reaches the theoretical limit in the critical error Q c ≈ 11% was con- [21]. The inclusion of side channels of information leakage requires the knowledge of quantum states of all users of the protocol in an explicit form. The explicit construction of quantum states of all users of the protocol made it possible further to prove the security of the protocol not for ideal situations but for real conditions of the operation of systems [22,23] for the unstrict single-photon states, different quantum efficiencies of detectors, side channels of information leakage to Eve, including passive and active probing of the components of elements of the system such as phase and intensity modulators, back flash of single-photon detectors, and for finite transmitted sequences taking into account side channels of information leakage.

MEASUREMENT-DEVICE-INDEPENDENT
QUANTUM KEY DISTRIBUTION Before the proof, we describe the MDI QKD protocol with polarization encoding in the single-photon case [8].
As in the BB84 protocol [1], Alice and Bob randomly and equiprobably choose the direct (+) or diagonal (×) basis independently from each other. In the chosen basis, Alice and Bob equiprobably choose one of the orthogonal states corresponding to bits 0 and 1, where and are the states corresponding to the horizontal and vertical polarizations in the direct basis, respectively, and and are the states corresponding to the horizontal and vertical polarizations in the diagonal basis rotated by with respect to the direct basis, respectively.
States given by Eqs.
(2) enter the untrusted node, where measurements in the incomplete Bell basis occur; i.e., states are projected on entangled states. Entangled states in the + basis have the form . [8,24].

Measurements in the incomplete Bell basis are implemented through an optical scheme with linear elements
Measurements in the complete Bell basis , require nonlinear optical elements; therefore, their experimental implementation is much more difficult. The first measurements in the complete Bell basis were performed in teleportation experiments in [25].
The results of measurements at the untrusted node are accessible to all participants including the eavesdropper. After a series of measurements, messages in which Alice and Bob used different bases are rejected.
After a count in the measurement channels in the + basis, Bob inverts the bit that he has sent. In this case, binding occurs to Alice's bit. The reason is as follows. If attacks on the quantum communication channel were absent, the count in the measurement channels occurs only when Alice sent bit 0 and Bob sent bit 1 (and vice versa, Alice sent bit 1 and Bob sent bit 0). To obtain a common identical bit, Bob inverts his sent bit. Alice's and Bob's bits are synchronized. An attack on the quantum communication channel will lead to errors.
When Alice sends bit 0 and Bob sends bit 0, the count at the untrusted node does not occur in the absence of attack on the quantum communication channel. In the presence of attack on the quantum communication channel, counts occur and lead to errors in Bob's bit sequence.
The state in the + basis is transformed to the state in the × basis, which contains the 00 and 11 components and the inversion of Bob's bit at the count in this measurement channel is not required. The state is invariant under change in the basis and is transformed to the state .
For this reason, in the case of the count in the channel, Bob inverts his bit, as in the + basis. At the count in the channel in the × basis, Bob does not invert his bit.
Then, some messages are opened to estimate the probability of errors. This estimate is necessary to calculate information leakage to Eve, taking into account that she knows counts at the untrusted node.

PROOF OF THE SECURITY OF THE MEASUREMENT-DEVICE-
INDEPENDENT PROTOCOL ON ENTANGLED STATES In each message, Alice and Bob send single-photon states corresponding to bit 0 or 1 in one of the bases. To use entropy uncertainty relations and to clarify the relation to the BB84 protocol, it is convenient to use the equivalent version of the protocol on EPR states.
The EPR version of the BB84 protocol is as follows. Alice prepares an EPR pair (Fig. 1a). Alice holds subsystem A as a reference and sends subsystem B to Bob. This subsystem is subjected to eavesdropping attacks in the quantum communication Then, Alice measures her subsystem in a randomly chosen basis. After measurements, subsystem A randomly and equiprobably is in one of the states 0 and 1. Due to perfect correlations in the EPR state, subsystem B is in the same state as Alice's subsystem. This procedure is equivalent to the equiprobable preparation of one of the states in the basis and its sending to the communication channel. The EPR version makes it possible to have a common ancestor state in any basis and to obtain the three-particle Alice-Bob-Eve density matrix, which further enters into entropy uncertainty relations.
In addition to the Alice-Bob-Eve subsystem, the MDI protocol involves the subsystem of the untrusted node, which is an information bonus to Eve.
The EPR version of the MDI protocol is as follows. Alice and Bob prepare their EPR pairs and , respectively. Subsystems and are sent to the untrusted node, whereas Alice and Bob hold subsystems A and B as references. Subsystems and are subjected to eavesdropping attacks in the quantum communication channel.
Then, Alice and Bob perform measurements of their reference subsystems in one of the bases. In the case of the absence of attacks on the quantum communication channel, correlations between Alice and Bob's bits after measurements at the untrusted node of subsystem are perfect. We now consider the situation more formally. The EPR states of Alice and Bob have the form If Eve attacks the quantum communication channel, correlations between Alice's and Bob's bits are no longer perfect and errors in bit sequences appear.

Eve's Attack on States in the Quantum
Communication Channel The action of Eve is specified by a superoperator. Any superoperator (completely positive map) is unitarily representable [26,27]; i.e., it can be represented as a unitary transformation of the initial state and the auxiliary state of the eavesdropper. We consider the eavesdropping attack on states of the subsystem . In the + basis (consideration in the × basis is similar and is reduced to the substitution + → × in the formulas below) The action of the unitary transformation by the eavesdropper on individual components of the state given by Eq. (4), which are necessary for the further interpretation of measurements, has the form The decomposition of the pure state given by Eq. ) were taken as the basis vectors in this space. A particular form of Eve's states is not required in this work but it can be obtained explicitly from the conditions of unitarity of .

Measurements at the Untrusted Node and Measurements by Alice and Bob
We discuss measurements of subsystems and and measurements at the untrusted node. Measurements by Alice and Bob in the + and × bases are specified by the decomposition of unity and are independent of each other. The respective decompositions for measurements by Alice and Bob have the form (9) ) ) Measurements at the untrusted node is given by the following partial decomposition of unity in the subspace spanned on the vectors and : (11) The joint three-particle density matrix of all participants that determines the joint probability of measurement outcomes at the untrusted node in the measurement channel and measurement channels by Alice and Bob , and , after measurements of the common quantum state given by Eq. (4) has the form (12) Since Alice and Bob obtain bit strings after measurements, which are usually denoted as x and y, respectively, and correspond to orthogonal quantum states, , , , and are accepted in Eqs. (12) and below.
After measurements in the + basis, Bob inverts his bit, which is described by the Pauli operator . Taking into account Eqs. (5)-(8), after measurements of and the inversion of Bob's bit, we have in the + basis: Here, is the "total" Eve state including her states in the quantum channel and at the untrusted node accessible to her.
Since measurements specified by Eq. (11) are performed in the incomplete Bell basis, the density matrix given by Eqs. (12) and (13) should be normalized to unity. We accept that Eve's states are normalized so that the trace of the density matrix (13) is unity (see below).
Taking into account Eq. (13), the Alice-Bob partial density matrix in the + basis takes the form (14) where Eve's states are normalized as Here, are the conditional (transition) probabilities for the classical Alice-Bob channel (Fig. 2) and depend on the action of the eavesdropper. The probability of errors in Bob's bits with respect to Alice's bits depends on the actions of Eve in the quantum communication channel. The Eve-untrusted node density matrix has the form (21)

Interpretation of Measurement Outcomes, Transfer of Correlations between Alice's and Bob's States through the Untrusted Node
Let Alice and Bob send bits 0 and 1 in the + basis, respectively. In this case, a count in the channel at the untrusted node indicates correlations; i.e., the undisturbed state reaches the untrusted node with a certain probability, which is described by the second term in Eq. (13), and gives the count in the channels including this state. To match Alice's and Bob's bits (matching to Alice's bit), Bob inverts his bit . In this case, Alice's and Bob's bits are matched with the probability given by Eqs. (15) and (16). Let Alice and Bob now send the state . In the absence of eavesdropping attacks on the quantum communication channel, these states do not give a count in the channels at the untrusted node because these channels do not include these states.
The attack on the communication channel perturbs these states, leading to the appearance of the components , which give the count at the untrusted node. After the count, Bob inverts his bit . As a result, Alice's and Bob's bits 0 and 1, respectively, are mismatched and the error appears with the probability given by Eqs. (15) and (16).
Other states are considered similarly.

To estimate the probability of errors, Alice and Bob open a part of the sequence, which is then rejected.
It is advisable to recall the situation in the BB84 protocol, where perfect correlations between Alice and Bob states are initially introduced in the Alice EPR pair (Fig. 1a). Perfect correlations are violated: the initial perfect "purity" of the EPR pair is violated after eavesdropping attacks on subsystem B.
Perfect correlations between the Alice state and the state sent to the untrusted node in the MDI protocol are carried by the EPR pair . Similarly, correlations for Bob states are initially included in the EPR pair . In the absence of eavesdropping attacks on the quantum communication channel, measurements at the untrusted node transfer perfect correlations in each EPR pair to perfect correlations between Alice (subsystem A) and Bob (subsystem B) states. In other words, in the absence of attacks on the communication channel, the purity of each EPR pair is transferred after measurements to the purity of a new EPR pair of Alice and Bob.
The attack on the communication channel violates perfect correlations in the new EPR pair with a certain probability, and the imperfection of the EPR pair mismatches Alice and Bob bits, i.e., leads to errors in Alice and Bob bits.
Informally, Alice and Bob determine the purity (perfectness) of the new EPR pair, which occurs with a certain probability (see Eqs. (15) and (16)), through measurements at the untrusted node and through opening of some of their bit sequences.
We also recall that Bob inverts his bit after measurements at the untrusted node because measurements are performed in the channels; i.e., these measurements are described by the projection on these states, which include the states Fig. 2. Representation of the classical Alice-Bob channel in the + basis and the notation of transition probabilities. and . The choice of measuring states is due to the simplicity of the experimental implementation of such measurements in the coincidence scheme with only linear optical elements [8].
When states are sent and measured in the × basis, the inversion of the Bob bit is required only at counts in the measurement channel. This inversion is not required at counts in the channel because the state in the × basis contains the components of the and states (see relation (2) between states in different bases).

Calculation of the Alice-Bob Conditional Entropy
Thus, after measurements at the untrusted node, Alice and Bob are in the situation of the classical binary communication channel (unnecessarily symmetric, see Fig. 2). This communication channel is described by the partial density matrices and , which are diagonal. In view of Eq. (14), the conditional von Neumann entropies needed below have the form In the symmetric case and , we obtain (25) This relation can be informally interpreted so that is the minimum number of bits per message required to correct errors on the Bob side in the Shannon asymptotic limit of long sequences.

ENTROPY UNCERTAINTY RELATIONS,
THE LENGTH OF THE SECRETE KEY Entropy uncertainty relations are information theory reformulations of uncertainty relations for a pair of noncommuting observables [28,29] (see also the history in review [20]).
Let the quantum state describing the state of Alice, Bob, Eve, and the untrusted node be specified by the density matrices and in the + and × bases, respectively. Here, the quantities , , and have the same meanings as the respective parameters in Eqs. (14)- (16), but for measurements in the × basis.
Entropy uncertainty relations relate information deficit on the Alice bit string in the × basis under the condition that the eavesdropper has a quantum system (Eve-untrusted node) to Bob information deficit on the Alice bit string in the + basis under the condition that Bob has the bit string correlated with the Alice string . The sum of two information deficits cannot be less than one bit. Informally, Bob information deficit is the minimum number of bits required for Bob to correct errors through the authentic classical communication channel.
Entropy uncertainty relations allow one to determine information leakage to Eve through errors observed on the receiver side, i.e., Bob information deficit, without step-by-step examination of all possible eavesdropping attack. In the symmetric case, we arrive at the inequality (33) which coincides with the famous formula for the length of the secrete key in the BB84 protocol [10].

CONCLUSIONS
We discuss informal reasons for the security of keys in the MDI protocol. Alice and Bob send one information bit to the untrusted node in each message. Measurements at the untrusted node in the basis of entangled states open one bit, which is in fact the Alice and Bob parity bit. One bit remains unknown.
The eavesdropping attack on the quantum communication channel generates errors between Alice and Bob bits and Eve obtain information additional to the parity bit.
In the absence of the eavesdropping attack on the quantum communication channel, i.e., in the absence of errors between Alice and Bob, correlations between Alice and Bob are perfect in any basis. These correlations between Alice and Bob are carried through measurements at the untrusted node. Perfect correlations in any basis mean the perfectness of the EPR pair . The attack on the quantum communication channel violates perfect correlations between Alice and Bob, and the EPR pair remains perfect only with a certain probability depending on the probability of errors.
After measurements at the untrusted node, in the measurement channel where Bob does not detect errors, an imperfect EPR pair appears between Alice and Bob, as in the BB84 protocol. For example, if Alice sent bit 0, Bob sent bit 1, and a count in the measurement channel appeared with a certain