Mediated semiquantum key distribution

In this work, we design a quantum key distribution protocol, allowing two limited semiquantum or “classical” users to establish a shared secret key with the help of a fully quantum server. A semiquantum user can prepare and measure qubits only in the computational basis and so must rely on this quantum server to produce qubits in alternative bases and also to perform alternative measurements. However, we assume that the server is untrusted and we prove the unconditional security of our protocol even in the worst case: when this quantum server is an all-powerful adversary. We also compute a lower bound of the key rate of our protocol, in the asymptotic scenario, as a function of the observed error rate in the channel, allowing us to compute the maximally tolerated error of our protocol. Our results show that a semiquantum protocol may hold similar security to a fully quantum one.

Figure 1

A mediated semiquantum key distribution protocol. Here, $A$ and $B$ are the two semiquantum users who wish to distill a secure secret key known only to themselves. These two users are connected to an untrusted, fully quantum server, by a two-way quantum channel. The server is able to send qubits to $A$ and $B$, who may then both return a qubit to the server. Not only is the server considered to be adversarial in our work, but there may also exist an eavesdropper between one or both of the channels connecting the server to $A$ or $B$. The dashed line connecting the two eavesdroppers in this figure represents a possible connection, either quantum, classical, or physical (in case they are located in the same physical location—perhaps at a branch point in the quantum channel) between the eavesdroppers.

Figure 2

Lower bound of the key rate [vertical axis, approximately the ratio of secure secret key bits to the size of the raw key—see Eq. (2)] when the center is semihonest and the noise in both channels is modeled by two independent depolarizing channels with parameters $p$ and $q$, respectively. Here $Q$ (horizontal axis) is the probability that $A$'s and $B$'s measurement results differ. That is, the key rate is plotted as a function of $Q=p/2$: the error rate of $A$'s and $B$'s measurement results. In this graph, we assume $p=q$; that is, the noise in both directions is equal. Observe that the key rate is positive so long as $Q\le 0.199$.

Figure 3

A graph of various statistics in the depolarization example when $p=q$ (the horizontal axis $Q$ is the probability that $A$'s and $B$'s measurement results differ; namely, $Q=p/2$). Solid line, the value of $p_w$ (the probability that $C$ sends “$-1$” if both $A$ and $B$ reflect); dashed line, $p_a$ (the probability that C sends “$-1$” if both $A$ and $B$ measure); dotted line (bottom), $Q_Z$ (the probability that $A$'s and $B$'s raw key bits differ on any particular iteration). Observe that $Q_Z$ is very small as $Q$ increases. This is because the quantum server is throwing out most iterations where their measurement results differ. This drops the value of $p_a$ and so $A$ and $B$ require more iterations; however, less information is leaked due to error correction.

Figure 4

A graph of Eq. (26), a lower bound of the key rate [vertical axis, approximately the ratio of secure secret key bits to the size of the raw key—see Eq. (2)] of our protocol in the worst-case scenario when $C$ is adversarial and $A$ and $B$ use only $p_w$ to bound $I(A:C)$. The horizontal axis $Q$ is the probability that $A$'s and $B$'s measurement results differ. For this graph we assume $p_w=Q$ and $p_a=1/2$ [see Eq. (26)]. Note that the key rate is positive so long as $Q\le 0.0335$.

Figure 5

A graph of Eq. (27), a lower bound of the key rate [vertical axis, approximately the ratio of secure secret key bits to the size of the raw key—see Eq. (2)] of our protocol when $C$ is adversarial and $A$ and $B$, using $p_{-1}(A\ne B)$, observe (or enforce) $\langle f_2|f_2\rangle ,\langle f_3|f_3\rangle \le Q$; also assuming that $p_w=Q$. The horizontal $Q$ axis is the probability that $A$'s and $B$'s measurement results differ. We consider three scenarios: the solid line plots the key rate when $p_a=.5$; the dashed line is for $p_a=.4$; and the dotted line is when $p_a=.3$. The key rate is positive for $Q\le 0.1065$ when $p_a=0.5$ and when $p_a=0.3$, the key rate is positive for $Q\le 0.0525$; see the text for a discussion of how $p_a$ might be better taken into account.