
Unconditional Security in Quantum Cryptography

DOMINIC MAYERS
NEC Research Institute, Princeton, New Jersey

Abstract. Basic techniques to prove the unconditional security of quantum cryptography are
described. They are applied to a quantum key distribution protocol proposed by Bennett and
Brassard [1984]. The proof considers a practical variation on the protocol in which the channel is
noisy and photons may be lost during the transmission. Each individual signal sent into the channel
must contain a single photon or any two-dimensional system in the exact state described in the
protocol. No restriction is imposed on the detector used at the receiving side of the channel, except
that whether or not the received system is detected must be independent of the basis used to measure
this system.
Categories and Subject Descriptors: E.3 [Data Encryption]: public key cryptosystems
General Terms: Security
Additional Key Words and Phrases: Quantum cryptography, quantum information theory, unconditional security

1. Introduction
This paper proves the unconditional security of quantum key distribution and
reviews basic notions and principles which apply to any quantum key distribution
protocol, and in fact to other kinds of quantum protocols as well. The protocol
that we consider was proposed by Bennett and Brassard [1984], which was also
the first proposed quantum key distribution protocol. An improved variation on
the protocol was proposed later in Bennett et al. [1992]. A first version of the
proof was published in Mayers [1996]. The proof relies on techniques provided in
Mayers and Salvail [1994], Yao [1995], and Mayers [1995], but the paper is
self-contained.
At the time of writing, all other known proofs of security in quantum
cryptography consider only restricted kinds of attacks.¹ Though some of these

¹ See, for example, Bennett and Brassard [1984], Bennett et al. [1966; 1992], Mayers and Salvail [1994], Ekert [1991], Bennett [1992], Deutsch et al. [1996], Biham and Mor [1996], and Biham et al. [1998].

This research was partially supported by DIMACS and part of the work was done while the author
worked for the Department of Computer Science of Princeton University.
Author’s address: D. Mayers, NEC Research Institute, 4 Independence Way, Princeton, NJ 08540;
e-mail: [email protected].
Permission to make digital / hard copy of part or all of this work for personal or classroom use is
granted without fee provided that the copies are not made or distributed for profit or commercial
advantage, the copyright notice, the title of the publication, and its date appear, and notice is given
that copying is by permission of the Association for Computing Machinery (ACM), Inc. To copy
otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission
and / or a fee.
© 2001 ACM 0004-5411/01/0500-0351 $05.00

Journal of the ACM, Vol. 48, No. 3, May 2001, pp. 351–406.

other proofs² encompass all attacks that can be realized with the current
technology, it is of interest to establish a security guarantee that holds against
unlimited computational power, both classical and quantum mechanical.
In Deutsch et al. [1996], the authors discuss how security (for a different kind
of quantum key distribution protocols [Ekert 1991; Bennett et al. 1996]) against
all attacks can be obtained. However, additional work was required to obtain a
bound on the eavesdropper’s information that is valid for all attacks or to obtain
a proof that such a bound exists (see the security criteria in Section 2). A bound
was proposed recently under the assumption that the honest participants use
perfect quantum computers and quantum communication devices [Lo and Chau
1998]. The above list of references is not intended to be exhaustive. A survey of
previous works in quantum cryptography can be found in Brassard and Crépeau
[1996].
In quantum key distribution, and ideally in other applications of quantum
cryptography, a security result is expected to hold against all attacks allowed by
quantum mechanics. This is what is called an unconditional security, and this is
what we will prove. On top of an unconditional security, it is desirable to have a
security that holds when quantum computing devices (such as measuring appara-
tus, sources of photons, or quantum channels) used in the protocol are imperfect.
A fundamental aspect of security is to know where the trust is required. The
property that needs to be trusted should be reasonable and simple. Here, we will
take care of an imperfect measuring apparatus and an imperfect channel in the
protocol analyzed. However, we will assume that the source transmits a single
photon per pulse with the exact polarization angle specified in the protocol.
Putting our trust in this property is not so reasonable, but fortunately a
fundamental mechanism that can take care of this issue is already known [Mayers
and Yao 1998; Mayers 2001a].
Section 2 defines the general notion of privacy for quantum key distribution.
Section 3 contains preliminaries, basic lemmas and the general model used to
analyze the protocol. Section 4 describes the protocol. Section 5 contains
the proof of privacy. The notation used is summarized in Appendix A.

2. The Security Criteria


In this article, a security definition that applies to all quantum key distribution
protocols is provided. The goal of an ideal key distribution is to allow two
participants, Alice and Bob, who share no information initially to share a secret
key (a string of bits) at the end. A third participant, usually called Eve, should
not be able to obtain any information about the key. Also, whatever Eve does,
Alice’s and Bob’s key should be identical. It is assumed that all quantum
communication between Alice and Bob passes through Eve, and similarly for
classical communication.
2.1. THEORETICAL IMPOSSIBILITIES IN KEY DISTRIBUTION. In reality, one cannot realize this ideal task. There are a few subtle points to consider. In particular, no quantum key distribution protocol can succeed if Eve has the power to impersonate Alice while communicating with Bob and to impersonate Bob while

² See, for example, Mayers and Salvail [1994], Bennett et al. [1966], Deutsch et al. [1996], Biham and Mor [1996], and Biham et al. [1998].

communicating with Alice. To address this problem, Alice and Bob can authenticate [Wegman and Carter 1981] their classical messages so that Eve cannot
impersonate them any more. There exist unconditionally secure techniques for
authentication [Wegman and Carter 1981] that require that Alice and Bob share
a small secret key to begin with, so that the protocol implements key expansion
rather than key distribution [Bennett et al. 1992]. This approach can be used in a
scenario where Alice and Bob have met before to exchange the initial key. In a
scenario where Alice and Bob have never exchanged a secret key before, one
must assume that Alice and Bob have access to a faithful (classical) public
channel so that a third party cannot accomplish the impersonation attack without
being detected. The cheater can only add his messages to the messages which are
faithfully exchanged between Alice and Bob, but then Alice and Bob will see that
a third person is trying to cheat. This principle was previously mentioned in
Bennett et al. [1992].
Another related point is that a secret key is not always shared between Alice
and Bob because it is always possible for a third party to jam the quantum
channel. Alice and Bob must verify that some validation constraints are satisfied,
including an upper bound on the number of errors, and decide accordingly
whether or not they can share a secret key. These validation constraints encompass anything that Alice and Bob consider in order to decide whether or not they can share a secret key. The event that the validation constraints are satisfied is denoted 𝒫.

2.2. ON SECURITY PARAMETERS. We typically define the security of a protocol in terms of a security parameter N. In an information theoretic setting, which is our case, a quantity f_N such as the amount of Shannon's information available to Eve must decrease exponentially fast as N increases. Often, there are other parameters in the protocol, for example, the tolerated error rate or the percentage of bits used for a test. Let ε⃗ denote all these parameters. The value of some of the parameters in ε⃗, such as the error rate, depends upon the physical setting. The other parameters are not fixed by the physical setting. Ideally, we should optimize the protocol, that is, minimize f_N, over the nonphysical parameters. In any case, we want to prove that the quantity f_N = f_N(ε⃗) is exponentially small in N for all valid values of these parameters. The implicit quantifiers are (∀ε⃗ ∈ ValidDomain) (∀N ≥ N_0(ε⃗)) f_N(ε⃗) ≤ c(ε⃗) exp(−g(ε⃗) N), where N_0, c and g are well-defined functions on ε⃗ ∈ ValidDomain. In an information theoretic setting, we believe that the above is the essence of what one needs to know about security parameters. The situation is more complicated in a computational setting.
We can do the complete analysis of a protocol for fixed values of N and ε⃗. If these were the actual values used in a given application, such an analysis would be enough for this particular application. Since the use of security parameters in statements that make sense without them would unnecessarily complicate the notation, we will not use security parameters in our basic definitions and general results. However, the statements about the specific protocol that we analyze will contain security parameters. To obtain the asymptotic behavior, we will simply make sure that the proof respects the quantifiers (∀ε⃗ ∈ ValidDomain) (∀N ≥ N_0(ε⃗)) . . . , but that is an easy mathematical task. The important concepts apply to fixed values of the parameters N and ε⃗.

2.3. ON RANDOM VARIABLES. Formally, a random variable 𝐱 is a function on a probabilistic space, the space of every possible outcome of a random experiment. In our case, this probabilistic space corresponds to the set of every possible outcome v̂ of the protocol. The outcome v̂ includes all data generated in the protocol. Its probability is denoted p(v̂). So, a random variable 𝐱 = 𝐱(v̂) takes a value x which depends upon the outcome v̂. It is the standard convention for random variables to write 𝐱 = x to mean 𝐱(v̂) = x, that is, we do not explicitly write the dependence upon the outcome of the random experiment. Usually, we will use a boldface typesetting for a random variable, that is, the function, when it is important to distinguish it from its value. Variables are also used to describe protocols and procedures. These are another kind of variable, and we will use ordinary typesetting in this case.
In this paper, an event is a random variable with outcome TRUE or FALSE, that is, it is a property of the random outcome v̂ of the protocol. In other papers, an event is defined as a set of outcomes. This alternative definition is equivalent. The probability of an event ℰ is Pr(ℰ) ≝ Σ_{v̂ | ℰ} p(v̂).
If for every element v̂ in the probability space we have 𝐲(v̂) = f(𝐱(v̂)) for some deterministic function f, we say that the random variable 𝐲 is a deterministic function of 𝐱, and we write y|x(x) to denote the value taken by 𝐲 when 𝐱 = x. We will omit the index "|x" when the situation permits.

2.4. THE CRITERIA. To formulate our criteria, we will consider the protocol as a random experiment that defines random variables. Let Eve's view v be all the classical data received or generated by Eve during the protocol. This includes classical announcements and outcomes of measurements. Here, it is assumed that the result of the validation test is announced to Eve at the end of the protocol, so that the event 𝒫 (TRUE when the test succeeds) is a deterministic function of v. We often associate security of key distribution with privacy, but the security of key distribution also includes that Alice's and Bob's keys must be identical. We shall consider this other security aspect as well, but we understand that the interesting aspect is privacy.
For privacy, it is assumed that Eve is interested in Alice's key, which is denoted k. The length m of the key is always defined and included in Eve's view v. The length of the key does not have to be fixed in advance, and it may be convenient not to fix it. For example, to use the channel at its full capacity, which may vary in time (in view of the weather, etc.), the length of the key can be made a function of the error rate measured during the execution of the protocol. When the test fails, the protocol sets m = 0 and k is the null string.
For any two random variables 𝐱 and 𝐲, we denote by p_𝐱(x) = Pr(𝐱 = x) and p_{𝐱|𝐲}(x|y) = Pr(𝐱 = x | 𝐲 = y). However, when the situation permits, we will use p(x), p(x|y), etc., to mean p_𝐱(x), p_{𝐱|𝐲}(x|y), etc.

Definition 1. Consider any number f > 0. A quantum key distribution protocol is f-private if, for every strategy adopted by Eve,

$$\sum_m p(m)\bigl(m - H_m(\mathbf{k}|\mathbf{v})\bigr) \le f \tag{1}$$

where

$$H_m(\mathbf{k}|\mathbf{v}) \stackrel{\text{def}}{=} -\sum_v \sum_{k \in \{0,1\}^m} p(k, v|m)\,\log_2 p(k|v)$$

is the Shannon entropy of the key k conditional to Eve's view v in the context of a fixed length m for the key.
One would think that I(k;v) ≤ f, where I(k;v) is the mutual information (see Appendix B), should be the privacy criterion. To the contrary, our definition says that the privacy criterion is simply that the key must be uniformly distributed. The average of the quantity m − H_m(k|v), not the mutual information I(k;v), corresponds to the information that Eve has about the key. The idea is that Eve's attack might influence the distribution of the key k independently of her view v, that is, Eve's attack might even influence the a priori probability distribution of the key k. In an unrealistic example, Eve might attack the protocol in such a way that the only possible key is k = 0 . . . 0 with 0 everywhere. Given this attack, even before the protocol runs, she knows that the key will be 0 . . . 0. A distinction between the information that is available a priori (i.e., before Eve receives any data) and the information that is obtained a posteriori (i.e., via Eve's view v) seems unnecessary and artificial.
Note that in the definition of H_m(k|v) one can think that the sum runs over the values of v such that m(v) = m because p(k, v|m) = 0 when m(v) ≠ m. When m(v) = m, we have p(k, v, m) = p(k, v) and p(k, v|m) = p(k, v)/p(m). Therefore, we have

$$H_m(\mathbf{k}|\mathbf{v}) = -\sum_{v \,|\, m(v) = m}\ \sum_{k \in \{0,1\}^m} \frac{p(k, v)}{p(m)}\,\log_2 p(k|v).$$
We obtain

$$\sum_m p(m)\,H_m(\mathbf{k}|\mathbf{v}) = -\sum_{k, v} p(k, v)\,\log_2 p(k|v),$$

where the length of the key k in the right-hand side runs over all nonnegative integers. Similarly, using p(m) = Σ_{k,v | m(v) = m} p(k, v), we have

$$\sum_m p(m)\, m = \sum_m \Bigl[\sum_{k, v \,|\, m(v) = m} p(k, v)\Bigr] m = \sum_{k, v} p(k, v)\, m(v),$$

where, again, the length of the key k in the right-hand side runs over all nonnegative integers. We obtain

$$\sum_m p(m)\bigl(m - H_m(\mathbf{k}|\mathbf{v})\bigr) = \sum_{k, v} p(k, v)\bigl(m(v) + \log_2 p(k|v)\bigr), \tag{2}$$

which can be used to reformulate (1). This can be used to check that, if p(k | m(v) = m) = 2^{−m} for every k and m, then

$$\sum_m p(m)\bigl(m - H_m(\mathbf{k}|\mathbf{v})\bigr) = I(\mathbf{k};\mathbf{v}|\mathbf{m}),$$

where

$$I(\mathbf{k};\mathbf{v}|\mathbf{m}) = \sum_{k, v} p(k, v)\,\log_2 \frac{p(k, v \,|\, m(v))}{p(k \,|\, m(v))\; p(v \,|\, m(v))}$$

is the mutual information (see Appendix B) between v and k given m. To analyze our privacy criterion further, the following definitions will be useful.
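The following Python script is a worked illustration added here; it is not part of Mayers' paper, and its two distributions are constructed, not derived from any protocol. It evaluates both sides of (2) for toy joint distributions p(k, v) (key length m(v) ∈ {0, 1, 2}, Eve's view a small label) and compares the criterion of Definition 1 with I(k;v|m): in the first distribution Eve's view carries nothing beyond m yet the key is biased a priori, so I(k;v|m) = 0 while the criterion is positive; in the second the key is uniform given m and the two quantities coincide, as the derivation above states.

```python
"""Added example (not from Mayers' paper): numerically check Eq. (2) and compare the
privacy criterion of Definition 1 with the conditional mutual information I(k;v|m)
on two constructed toy distributions p(k, v)."""
from collections import defaultdict
from math import log2

# Key length m is a deterministic function of Eve's view v (constructed mapping).
M_OF = {"a": 2, "b": 1, "c": 1, "fail": 0}

# Constructed distribution 1: under view "b" the key is biased a priori
# (p(k=0 | m=1) = 0.75), but v carries nothing beyond m, so I(k;v|m) = 0.
P_BIASED = {
    ("00", "a"): 0.10, ("01", "a"): 0.10, ("10", "a"): 0.10, ("11", "a"): 0.10,
    ("0", "b"): 0.30, ("1", "b"): 0.10,
    ("", "fail"): 0.20,            # test failed: m = 0, k is the null string
}

# Constructed distribution 2: the same per-view bias, but views "b" and "c" are
# biased in opposite directions so that p(k | m=1) is uniform.
P_UNIFORM = {
    ("00", "a"): 0.10, ("01", "a"): 0.10, ("10", "a"): 0.10, ("11", "a"): 0.10,
    ("0", "b"): 0.15, ("1", "b"): 0.05,
    ("0", "c"): 0.05, ("1", "c"): 0.15,
    ("", "fail"): 0.20,
}

def marginals(p_kv):
    """p(v), p(m) and p(k, m) computed from the joint p(k, v)."""
    p_v, p_m, p_km = defaultdict(float), defaultdict(float), defaultdict(float)
    for (k, v), p in p_kv.items():
        p_v[v] += p
        p_m[M_OF[v]] += p
        p_km[(k, M_OF[v])] += p
    return p_v, p_m, p_km

def h_m(p_kv, m):
    """H_m(k|v) = -sum_{v,k} p(k, v|m) log2 p(k|v), restricted to views with m(v) = m."""
    p_v, p_m, _ = marginals(p_kv)
    return -sum((p / p_m[m]) * log2(p / p_v[v])
                for (k, v), p in p_kv.items() if M_OF[v] == m)

def criterion(p_kv):
    """Left-hand side of (1): sum_m p(m) (m - H_m(k|v))."""
    _, p_m, _ = marginals(p_kv)
    return sum(p_m[m] * (m - h_m(p_kv, m)) for m in p_m)

def criterion_eq2(p_kv):
    """Right-hand side of (2): sum_{k,v} p(k, v) (m(v) + log2 p(k|v))."""
    p_v, _, _ = marginals(p_kv)
    return sum(p * (M_OF[v] + log2(p / p_v[v])) for (k, v), p in p_kv.items())

def mutual_info_given_m(p_kv):
    """I(k;v|m) = sum_{k,v} p(k, v) log2[ p(k, v|m) / (p(k|m) p(v|m)) ] with m = m(v)."""
    p_v, p_m, p_km = marginals(p_kv)
    total = 0.0
    for (k, v), p in p_kv.items():
        m = M_OF[v]
        total += p * log2((p / p_m[m]) / ((p_km[(k, m)] / p_m[m]) * (p_v[v] / p_m[m])))
    return total

if __name__ == "__main__":
    for name, dist in (("biased", P_BIASED), ("uniform", P_UNIFORM)):
        print(name, round(criterion(dist), 4), round(criterion_eq2(dist), 4),
              round(mutual_info_given_m(dist), 4))
```

In both distributions the views with m = 2 and m = 0 contribute nothing; the whole value of the criterion comes from the biased views of length 1, and only when their biases cancel in p(k | m = 1) does it agree with I(k;v|m).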

Definition 2. Consider any three events A, B and C. If Pr(A ∧ B̄) ≤ γ, we say that the event A probabilistically implies the event B except with probability γ, and we write A ⇒_γ B. If we have Pr(A ∧ B̄ | C) ≤ γ, we write A ⇒_{γ|C} B.
One can easily check the following proposition:

PROPOSITION 1. For any events A, B and C we have (1) A ⇒_γ B and B ⇒_γ′ C implies A ⇒_{γ+γ′} C, (2) if A ⇒_γ B and A ⇒_γ′ C, then A ⇒_{γ+γ′} (B ∧ C), and (3) if A ⇒_γ B, then A ∧ C ⇒_γ B. Also A ⇒_{γ|C} B is equivalent to A ∧ C ⇒_{γ × Pr(C)} B.

Definition 3. Consider any number σ ≥ 0. Eve's view v in a QKD protocol is σ-informative about k if |p(k|v) − 1/2^m| ≤ 2^{−m} σ. We denote by 𝒩_σ the event which is TRUE whenever the view v is σ-informative about k.
The following lemma connects Definition 3 with our definition of privacy.

LEMMA 1. For every σ > 0, ξ > 0 and m_max > 0, if we have (1) (∀v) m(v) ≤ m_max and (2) 𝒫 ⇒_ξ 𝒩_σ, then the protocol is f-private with f = m_max ξ + σ/ln 2.

PROOF. Let ℐ = 𝒩_σ ∧ 𝒫. Using 𝒫 ⇒_ξ 𝒩_σ we obtain 𝒫 ⇒_ξ ℐ. Using (2), we obtain

$$\sum_m p(m)\bigl(m - H_m(\mathbf{k}|\mathbf{v})\bigr) = \sum_{k, v} p(k, v)\bigl(m(v) + \log_2 p(k|v)\bigr) = \sum_{k, v \,|\, \mathcal{P}} p(k, v)\bigl(m(v) + \log_2 p(k|v)\bigr) + \sum_{k, v \,|\, \bar{\mathcal{P}}} p(k, v)\bigl(m(v) + \log_2 p(k|v)\bigr).$$

The second term vanishes because v ∈ 𝒫̄ implies (1) m(v) = 0 and (2) log_2 p(k|v) = log_2 1 = 0, since the null string is the only possible value of k. (We recall that we adopted the convention that the key k is set to the null string when the test fails.) Therefore, we have

$$\sum_m p(m)\bigl(m - H_m(\mathbf{k}|\mathbf{v})\bigr) = \sum_{k, v \,|\, \mathcal{P}} p(k, v)\bigl(m(v) + \log_2 p(k|v)\bigr) = \sum_{(k, v) \,|\, \mathcal{I}} p(k, v)\bigl(m(v) + \log_2 p(k|v)\bigr) + \sum_{(k, v) \,|\, \mathcal{P} \wedge \bar{\mathcal{I}}} p(k, v)\bigl(m(v) + \log_2 p(k|v)\bigr).$$

We bound the first term of the last equation, the sum over (k, v) such that ℐ(k, v) is TRUE, via the relation

$$\mathcal{I}(k, v) \;\Rightarrow\; p(k|v) = 2^{-m}\bigl(1 + \sigma_{k,v}\bigr),$$

where |σ_{k,v}| ≤ σ. For the second term, the sum over (k, v) such that 𝒫(v) ∧ ℐ̄(k, v) is TRUE, we will drop the nonpositive terms p(k, v) log_2 p(k|v). We get

$$\sum_m p(m)\bigl(m - H_m(\mathbf{k}|\mathbf{v})\bigr) \le \sum_{(k, v) \,|\, \mathcal{I}} p(k, v)\,\log_2\bigl(1 + \sigma_{k,v}\bigr) + \sum_{(k, v) \,|\, \mathcal{P} \wedge \bar{\mathcal{I}}} p(k, v)\, m(v).$$

We finally obtain

$$\sum_m p(m)\bigl(m - H_m(\mathbf{k}|\mathbf{v})\bigr) \le \frac{\sigma}{\ln 2} + m_{\max}\,\xi,$$

where we used the inequality log_2(1 + x) ≤ |x|/ln 2 for any x > −1 to obtain the first term, and Pr(𝒫 ∩ ℐ̄) ≤ ξ and m(v) ≤ m_max to obtain the second term. This concludes the proof. □

3. Some Useful Tools


This section provides a general model and techniques that are useful to analyze
the security of our quantum protocol.
3.1. A FICTIVE TEST LEMMA. Assume that Alice transmits some arbitrary binary string g ∈ {0, 1}^N to Bob over a channel, quantum or classical. Let D ⊆ {1, . . . , N} be any subset of the positions. For example, if the channel is lossy, D could be the set of every position i at which Bob detects a bit h[i]. In general, D is the set of positions i where Bob's bit h[i] and Alice's bit g[i] are presumed identical except for a small probability of error. A typical situation in quantum protocols is that Alice and Bob need some kind of indication that the number of errors in some subset E ⊆ D is small and yet they cannot execute a test on E because the bits in E must remain private. To address this problem, they pick two random subsets T and E so that the bits in T can be used for a test while the bits in E remain private. Every position i ∈ D is added to T (initially empty) with probability p_T, or to E (initially empty) with probability p_E, or is ignored with probability 1 − p_T − p_E. (In our protocol, we will deal with the case p_T + p_E = 1, but here we are slightly more general.)
The following lemma is a variation on the principle that says that the number of errors that one detects in T is a good indication of the number of errors that exist in E. It is unlikely that the number of errors is small in T and large in E at the same time.
LEMMA 2. Consider a set of positions D and a string of errors e on D. (In the above scenario, the string e is g[D] ⊕ h[D].) Let T and E be two random subsets of D such that every position i ∈ D is in T with probability p_T or in E with probability p_E or discarded with probability 1 − p_T − p_E. For X ∈ {T, E}, let n_X and d_X be the size of X and the number of errors in X (the weight of e[X]) respectively. Denote 𝒫_T the event that d_T < δ p_T n_D where δ is some fixed parameter that represents the tolerated error rate. Denote 𝒫_E the event that d_E < (δ + β) p_E n_D where β > 0 is any positive real number. We have that

$$\mathcal{P}_T \;\Rightarrow_{\mu(\beta, n_D)}\; \mathcal{P}_E \tag{3}$$

where

$$\mu(\beta, n_D) = \exp\Bigl(-\frac{\beta^2 \min\{p_T^2, p_E^2\}}{2\delta + \beta}\, n_D + \frac{2\beta^2 p_E^2}{(2\delta + \beta)^2}\Bigr).$$

The term 2β²p_E²/(2δ + β)² is independent of n_D and can be ignored when n_D is large. With regard to the above scenario, the lemma only uses the fact that E and T are random and not distinguishable until after the transmission. It provides an upper bound μ(β, n_D) on Pr(𝒫_T ∧ 𝒫̄_E) for every variable fixed except E and T. The upper bound still holds if we average over the other variables, except that we will not average over n_D because the upper bound μ(β, n_D) itself depends upon n_D. The following lemma is a variation on Chernoff's lemma, a standard tool to deal with large numbers (e.g., see Kearns [1989]). It is the basic tool used in the proof of the fictive test lemma.

LEMMA 3 (CHERNOFF). Let X_1, . . . , X_n be n independent Bernoulli variables and let S = Σ_{i=1}^n X_i. If Pr(X_i = 1) = p for 1 ≤ i ≤ n, then for all 0 ≤ Δp ≤ 1, we have

$$\Pr\bigl(S \ge n(p + \Delta p)\bigr) \le \exp\bigl(-2n(\Delta p)^2\bigr), \tag{4}$$

$$\Pr\bigl(S \le n(p - \Delta p)\bigr) \le \exp\bigl(-2n(\Delta p)^2\bigr). \tag{5}$$
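The following Python script is an added illustration, not code from the paper. It evaluates μ(β, n_D) of Lemma 2 and the Chernoff tail of Lemma 3, then estimates Pr(𝒫_T ∧ 𝒫̄_E) by seeded Monte Carlo for a constructed error string whose weight is the worst case d_D = ⌈(δ + β/2) n_D⌉ used in the proof that follows; the parameter values (δ = 0.05, β = 0.1, p_T = p_E = 0.5, n_D ∈ {100, 1000}) are constructed. For n_D = 100 the bound is loose (about 0.32 against an observed frequency near 0.05); for n_D = 1000 both are negligible.

```python
"""Added example (not from Mayers' paper): evaluate the fictive-test bound mu(beta, n_D)
of Lemma 2 and the Chernoff tail of Lemma 3, and compare mu with a seeded Monte Carlo
estimate of Pr(P_T and not P_E) for a constructed error string of weight
d_D = ceil((delta + beta/2) n_D). All parameter values are constructed."""
import math
import random

def mu_bound(beta, n_d, p_t, p_e, delta):
    """mu(beta, n_D) of Eq. (3)."""
    linear = beta ** 2 * min(p_t ** 2, p_e ** 2) / (2 * delta + beta)
    constant = 2 * beta ** 2 * p_e ** 2 / (2 * delta + beta) ** 2
    return math.exp(-linear * n_d + constant)

def chernoff_tail(n, dp):
    """Right-hand side of (4) and (5): exp(-2 n (Delta p)^2)."""
    return math.exp(-2 * n * dp ** 2)

def split_errors(errors, p_t, p_e, rng):
    """Put each position of D into T with probability p_T, into E with probability p_E,
    otherwise discard it; return (d_T, d_E), the error counts that land in T and in E."""
    d_t = d_e = 0
    for e in errors:
        u = rng.random()
        if u < p_t:
            d_t += e
        elif u < p_t + p_e:
            d_e += e
    return d_t, d_e

def bad_event(d_t, d_e, n_d, p_t, p_e, delta, beta):
    """P_T and not P_E: few errors seen in the test set T, many left in the private set E."""
    return d_t < delta * p_t * n_d and d_e >= (delta + beta) * p_e * n_d

def estimate_bad_event(n_d, p_t, p_e, delta, beta, trials, seed=1):
    """Monte Carlo frequency of the bad event for the worst-case error weight of the proof."""
    rng = random.Random(seed)
    d_d = math.ceil((delta + beta / 2) * n_d)
    errors = [1] * d_d + [0] * (n_d - d_d)     # constructed error string e on D
    hits = sum(bad_event(*split_errors(errors, p_t, p_e, rng), n_d, p_t, p_e, delta, beta)
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    for n_d in (100, 1000):
        mu = mu_bound(0.1, n_d, 0.5, 0.5, 0.05)
        freq = estimate_bad_event(n_d, 0.5, 0.5, 0.05, 0.1, trials=2000)
        print(f"n_D={n_d}: mu={mu:.3e}, observed frequency={freq:.4f}")
```

With p_T = p_E = 1/2 and d_D = 10 errors on n_D = 100 positions, the bad event is simply d_T ≤ 2 (then d_E = 10 − d_T ≥ 8), whose exact probability is 56/1024 ≈ 0.055; the lemma's bound exp(−1.125) ≈ 0.32 is well above it, as a Chernoff-type bound at small n_D should be.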

PROOF OF THE FICTIVE TEST LEMMA. The basic idea of the proof is the following. The number of errors d_D in D is either (1) larger than or equal to ⌈(δ + β/2) n_D⌉ or (2) smaller than or equal to ⌊(δ + β/2) n_D⌋. In the first case, the probability of 𝒫_T is small. In the second case, the probability of 𝒫̄_E is small. In both cases, the probability of 𝒫_T ∧ 𝒫̄_E is small.
We first do the case where d_D ≥ ⌈(δ + β/2) n_D⌉. The condition 𝒫_T holds only if d_T, the number of errors in T, is strictly smaller than δ p_T n_D. We will bound from above the probability of d_T ≤ δ p_T n_D. Every i ∈ D, in particular every position i with e[i] ≠ 0, belongs to T with probability p_T. That is, each of the d_D ≥ ⌈(δ + β/2) n_D⌉ errors is put in T with probability p_T. We may conservatively assume that d_D = ⌈(δ + β/2) n_D⌉ because a larger value for d_D will only decrease the probability. Let S = d_T be the number of errors in T. We want to obtain an upper bound on Pr(d_T ≤ δ p_T n_D) using inequality (5). We substitute n and p in (5) by d_D and p_T, respectively. We will find a value for Δp such that we have

$$\delta p_T n_D \le d_D\,(p_T - \Delta p), \tag{6}$$

and thus d_T ≤ δ p_T n_D implies d_T ≤ d_D (p_T − Δp) and (5) can be used to bound Pr(d_T ≤ δ p_T n_D). Since (δ + β/2) n_D ≤ d_D, we obtain (6) if we have (δ + β/2) n_D = δ p_T n_D /(p_T − Δp). The solution for Δp is Δp = β p_T /(2δ + β). Applying Chernoff's lemma with these values, we obtain that d_T is smaller than δ p_T n_D (and thus smaller than d_D (p_T − Δp)) with a probability smaller than or equal to

$$\exp\Bigl(-\frac{2\beta^2 p_T^2}{(2\delta + \beta)^2}\, d_D\Bigr).$$

Now, we use the fact (δ + β/2) n_D ≤ d_D and obtain

$$\Pr(\mathcal{P}_T) \le \mu_T(\beta, n_D) \stackrel{\text{def}}{=} \exp\Bigl(-\frac{\beta^2 p_T^2}{2\delta + \beta}\, n_D\Bigr).$$

The second case, d_D ≤ ⌊(δ + β/2) n_D⌋, is similar to the first case, except that we use inequality (4) instead of inequality (5) and p = p_E instead of p = p_T. The event 𝒫̄_E occurs when d_E, the number of errors in E, is larger than (δ + β) p_E n_D. Even though d_D, the total number of errors in D, is smaller than (δ + β/2) n_D, we may assume that d_D = ⌊(δ + β/2) n_D⌋. Now, we find Δp such that we have d_D (p_E + Δp) ≤ (δ + β) p_E n_D. Since d_D ≤ (δ + β/2) n_D, we obtain the sought inequality if we have (δ + β/2) n_D = (δ + β) p_E n_D /(p_E + Δp). As in the first case, this equation has the solution Δp = β p_E /(2δ + β). Using (4), we get that d_E is larger than (δ + β) p_E n_D (and thus larger than d_D (p_E + Δp)) with a probability smaller than or equal to

$$\exp\Bigl(-\frac{2\beta^2 p_E^2}{(2\delta + \beta)^2}\, d_D\Bigr).$$

Here, unlike the first case, we don't have (δ + β/2) n_D ≤ d_D. We only have (δ + β/2) n_D − 1 ≤ d_D. We can do as in the first case, except for an additional positive term 2β²p_E²/(2δ + β)² in the exponent. So we obtain

$$\Pr(\bar{\mathcal{P}}_E) \le \mu_E(\beta, n_D) \stackrel{\text{def}}{=} \exp\Bigl(-\frac{\beta^2 p_E^2}{2\delta + \beta}\, n_D + \frac{2\beta^2 p_E^2}{(2\delta + \beta)^2}\Bigr).$$

We have

$$\Pr(\mathcal{P}_T \wedge \bar{\mathcal{P}}_E) \le \mu(\beta, n_D) = \max\{\mu_T(\beta, n_D),\, \mu_E(\beta, n_D)\}.$$

This concludes the proof. □


3.2. ON PRIVACY AMPLIFICATION. A standard technique for privacy amplification is to extract a smaller key k = K · g of length m out of a nonprivate string g ∈ {0, 1}^n, where K is an m × n binary matrix and the matrix multiplication uses the sum modulo 2. As explained in Bennett et al. [1988], one must pick the matrix K adequately in view of how much information leaked about g, including extra information that might have been announced for error correction. However, the results obtained in Bennett et al. [1988] do not apply if information can leak about g in view of K, which, as we will see, is the case in our protocol, and perhaps in other quantum protocols. We use a different approach.
Let us consider a typical situation where extra information s = F · g, where F is an r × n binary matrix, is provided about g for error correction (see Appendix C). Let G* be the set of linear combinations of rows in F and K which contain at least one row in K, that is, G* = C⊥[F, K] − C⊥[F], where C⊥[F, K] is the set of linear combinations of rows in F and K, and C⊥[F] is the set of linear combinations of rows in F only (see Appendix C). We denote by d_W the minimal weight of the strings in G*. For example, if the parity check matrix F is the 2 × 5 matrix with the two rows [10000] and [01000] and the privacy matrix K is the 1 × 5 binary matrix with the single row [11111], we obtain that G* = {[11111], [01111], [10111], [00111]} so that d_W = 3. It is not hard to see that if Eve gets a bit g[i] in fewer than d_W positions i, and nothing about the bits at other positions, she learns nothing about the key K · g even after she receives the syndrome s = F · g. The case where Eve learns bits at given positions and nothing at other positions, though it is not sufficient to understand the principle in its full generality, at least suggests that privacy requires a large value for d_W. So, it is not surprising that in our protocol, which as we will see uses this kind of privacy amplification technique, we will need a lower bound on d_W. Note also that d_W > 0 implies that the rows of K are linearly independent, which is important for privacy. Usually, d_W is much larger than 3. The following lemma provides one way to obtain a lower bound on d_W.
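The following Python script is an added illustration, not code from the paper. It enumerates G* and d_W for the 2 × 5 matrix F and the 1 × 5 matrix K of the example above, and then checks the claim that follows it by brute force: for every observation Eve could make (the bits g[i] at a constructed set of known positions plus the syndrome F · g), it counts how many strings g consistent with that observation map to each key value K · g and reports whether the key is uniform. With two known positions (fewer than d_W) the key is uniform; with three (equal to d_W) it is not.

```python
"""Added example (not from Mayers' paper): for the 2x5 parity-check matrix F and the
1x5 privacy matrix K of Section 3.2, enumerate G* = C^perp[F, K] - C^perp[F], compute
d_W, and check by brute force whether an eavesdropper who knows g[i] at a constructed
set of positions plus the syndrome s = F.g learns anything about the key K.g."""
from collections import defaultdict
from itertools import product

F = [(1, 0, 0, 0, 0), (0, 1, 0, 0, 0)]   # parity-check matrix of the paper's example
K = [(1, 1, 1, 1, 1)]                     # privacy-amplification matrix of the paper's example
N = 5

def span(rows, n):
    """All GF(2) linear combinations of `rows` as n-bit tuples, including the zero string."""
    out = set()
    for coeffs in product((0, 1), repeat=len(rows)):
        vec = [0] * n
        for c, r in zip(coeffs, rows):
            if c:
                vec = [a ^ b for a, b in zip(vec, r)]
        out.add(tuple(vec))
    return out

def g_star(f_rows, k_rows, n):
    """C^perp[F, K] - C^perp[F]: the combinations that use at least one row of K."""
    return span(f_rows + k_rows, n) - span(f_rows, n)

def d_w(f_rows, k_rows, n):
    """Minimal Hamming weight over G*."""
    return min(sum(v) for v in g_star(f_rows, k_rows, n))

def dot(row, g):
    """Inner product modulo 2."""
    return sum(a & b for a, b in zip(row, g)) % 2

def key_is_uniform(f_rows, k_rows, n, known_positions):
    """True iff for every observation (g[known_positions], F.g) Eve may see, the key K.g
    takes each of its 2^m values for equally many consistent strings g (g uniform a priori)."""
    counts = defaultdict(lambda: defaultdict(int))
    for g in product((0, 1), repeat=n):
        observation = (tuple(g[i] for i in known_positions),
                       tuple(dot(f, g) for f in f_rows))
        key = tuple(dot(k, g) for k in k_rows)
        counts[observation][key] += 1
    m = len(k_rows)
    return all(len(per_key) == 2 ** m and len(set(per_key.values())) == 1
               for per_key in counts.values())

if __name__ == "__main__":
    print("G* =", sorted(g_star(F, K, N)), "d_W =", d_w(F, K, N))
    print("Eve knows g[2], g[3] (fewer than d_W):", key_is_uniform(F, K, N, (2, 3)))
    print("Eve knows g[2], g[3], g[4] (d_W bits):", key_is_uniform(F, K, N, (2, 3, 4)))
```

The syndrome already reveals g[0] and g[1], so with g[2] and g[3] known only g[4] is free and the parity key takes both values equally often; once g[4] is also known, every observation pins down a single g and the key with it.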
LEMMA 4. Consider any τ > 0 and any fixed r × n parity check matrix F. Let K be a randomly chosen m × n binary matrix. The minimal weight d_W of C⊥[F, K] − C⊥[F] is greater than H^{−1}(1 − (m + r)/n − τ) n with a probability greater than 1 − λ where λ = 2^{−τn}.
Remark. The lemma can also be written as True ⇒_λ d_W ≥ H^{−1}(1 − (m + r)/n − τ) n.
PROOF. Consider the sphere S of radius d‴ = H^{−1}(1 − [(r + m)/n] − τ) n around the zero string 0. The minimal weight of C⊥[F] ⊕ C⊥[K]* is smaller than or equal to d‴ if and only if at least one string in C⊥[F] ⊕ C⊥[K]* belongs to S. Therefore, it is sufficient to show that the probability p that one string in C⊥[F] ⊕ C⊥[K]* belongs to S is smaller than 2^{−τn}. Let us analyze the random process by which K is created. Let w_i be the ith random row added to K. Let K_i be the matrix which contains the rows w_1, . . . , w_i only. The probability that one string in C⊥[F] ⊕ C⊥[K]* belongs to S is smaller than the sum (over i) of the probability p_i that this happens when the string w_i is added to K. Each probability p_i takes its maximum value when all the strings w_j with j < i and the rows of F are independent. When the random string w_i is added, one of 2^{n−r−i+1} disjoint sets C⊥[F] ⊕ C⊥[K_i]* is being chosen perfectly at random. (These are the cosets of C⊥[F] ⊕ C⊥[K_{i−1}].) The probability p_i is larger when no two strings in S belong to the same set C⊥[F] ⊕ C⊥[K_i]*. In this extreme case, the number of sets C⊥[F] ⊕ C⊥[K_i]* which contain a string in S reaches its maximal value, which of course is |S|. Using Lemma 8, the number of strings in S is smaller than 2^{H(d‴/n) n} = 2^{n−r−m−τn}. Therefore, we have

$$p_i \le \frac{2^{\,n-r-m-\tau n}}{2^{\,n-r-i+1}} = 2^{-m-\tau n+(i-1)}.$$

Summing over i = 1, . . . , m, we get

$$p \le 2^{-m-\tau n} \sum_{i=0}^{m-1} 2^{i} \le 2^{-\tau n}.$$

This concludes the proof. □

3.3. QUANTUM PRELIMINARIES. Quantum states are denoted by Greek letters ψ, φ, etc. To lighten the notation, except on some occasions, we do not use the ket notation "|·⟩" around quantum states. A linear functional on H is a linear transformation from H to the space of complex numbers. The bra notation "⟨·|" can be seen as the operation that sends a state φ into the unique linear functional ⟨φ| such that, for every ψ, the value of ⟨φ| evaluated at ψ is the scalar product ⟨φ|ψ⟩ between φ and ψ. We often denote this unique linear functional φ† rather than ⟨φ|. The tensor product of any two quantum states ψ and φ is written as ψφ or ψ ⊗ φ.
A quantum system is more than an abstract Hilbert space. It is an actual quantum system in the protocol. Two distinct quantum systems might have the same abstract Hilbert space. The ordering of the states in an expression such as ψ_1 ⊗ ψ_2 ∈ H_1 ⊗ H_2 is important, but this ordering can be seen as an association between the systems H_1 and H_2 and their respective states ψ_1 and ψ_2, and therefore not always related to the respective positions of ψ_1 and ψ_2 in the notation. In particular, if the association between the systems H_i and their respective states ψ_i is nonambiguous from the context, then ψ_1 ⊗ ψ_2 and ψ_2 ⊗ ψ_1 represent one and the same product state with the same state space association. If E is an operator on a system H_1 and ψ is a state that belongs to a product H_1 ⊗ H_2, we adopt the convention that Eψ = (E ⊗ I_{H_2})ψ. Similarly, for every ψ_1 ∈ H_1 and φ = ψ′_1 ⊗ ψ_2 ∈ H_1 ⊗ H_2, we adopt the convention that ⟨ψ_1|φ⟩ = ⟨ψ_1|ψ′_1⟩ |ψ_2⟩ ∈ H_2, and this convention can be extended to nonproduct states φ ∈ H_1 ⊗ H_2 by linearity. In general, every operator E on a state space H can be written as a linear combination of basic operators |φ⟩⟨φ′| with |φ⟩, |φ′⟩ ∈ H. Therefore, the previous rule can be used to define ⟨ψ|E|ψ′⟩ when E is an operator on H = H_1 ⊗ H_2 and |ψ⟩, |ψ′⟩ belong to H_1.
Consider the preparation of a state |ψ_c⟩ with probability p(c). As usual, if the random value c is kept private, except for what can be learned via measurements on the state |ψ_c⟩, this preparation is conveniently represented by the density operator ρ = Σ_{c∈V} p(c) |ψ_c⟩⟨ψ_c|.

The partial trace over the system H_1, denoted Tr_{H_1}, is a linear mapping from the space of linear operators on H_1 ⊗ H_2 to the space of linear operators on H_2 which maps any operator E on H_1 ⊗ H_2 into Σ_i ⟨ψ_i|E|ψ_i⟩, where {|ψ_i⟩}_{i=1}^n is any orthonormal basis of H_1. The (partial) trace operation over the entire system is denoted Tr. It is a linear functional on the space of operators. The identity Tr_H(A|ψ⟩⟨ψ|) = ⟨ψ|A|ψ⟩, in which A is any operator on H and |ψ⟩ any state in H, is often used.
Any physical process can be seen as a black box which receives an initial state ψ of some quantum system H and returns two components: a random classical outcome x and an associated final quantum state ψ_x that lies in some other quantum system H′. The POVM formalism [Peres 1993] describes this kind of process via a mapping x ↦ E_x, where x represents the random classical outcome of the process and E_x : H → H is a positive operator on H called the measurement operator associated with x. Note that the POVM formalism ignores the final system for the residual state, so H′ is not in the formalism. The mapping x ↦ E_x is only a formal trick to compute the probability of the classical outcomes x. If the initial density operator is ρ, then the probability of x is Tr(E_x ρ). The final state ρ_x is not given by the POVM model (and this is not a problem because we don't need to compute any residual state in the proof). Let y be a deterministic function of the outcome x. Note that y can also be seen as the outcome of a measurement since the computation of y is also a physical process. The measurement operator associated with y is

$$E_y = \sum_{x \,|\, y|x(x) = y} E_x. \tag{7}$$

(For a definition of y|x see the subsection about random variables in Section 2.)
We will extend a little bit the formalism to encompass the fact that a POVM on
a system H can be executed in view of some classical information y 僆 Y which is
available before the POVM is executed. For every y, we denote by x 哫 E x兩y or
simply E x兩y the POVM which is executed on a system H in view of y and returns
an outcome x. We say that this conditioned POVM is executed on H ⫻ Y. This
notation is useful when the POVM is executed in view of some classical
information y available before the POVM is executed or when some previous
POVM returned an outcome y in view of which the POVM is executed. It is well
known that, in accordance with the basic axioms of quantum mechanics, any
physical process can be described with such a formalism [Peres 1993].
The conjugate transpose $E^\dagger$ of an operator $E$ is obtained by first transposing its matrix representation and then complex conjugating the entries. It can be shown that this definition is independent of the basis that we use to represent the operator as a matrix. We have that $(E_1 E_2)^\dagger = E_2^\dagger E_1^\dagger$.

For every POVM $E_{x|y}$ on $H$, there exists a collapse operation $A_{x|y}$ on $H$ such that $E_{x|y} = A_{x|y}^\dagger A_{x|y}$. Suppose that some POVM $E^1_{y|c}$ is executed in view of some classical information $c$, and next another POVM $E^2_{x|y,c}$ is executed in view of $c$ and the outcome $y$ of the first POVM. Let $A^1_{y|c}$ and $A^2_{x|y,c}$ be collapse operations associated with the first and the second POVMs, respectively. The collapse operation associated with the overall POVM that describes the effect of both POVMs is $A_{x,y|c} = A^2_{x|y,c} A^1_{y|c}$. Therefore, the overall POVM is

$$E_{x,y|c} = A_{x,y|c}^\dagger A_{x,y|c} = A^{1\dagger}_{y|c} A^{2\dagger}_{x|y,c} A^2_{x|y,c} A^1_{y|c} = A^{1\dagger}_{y|c}\, E^2_{x|y,c}\, A^1_{y|c}.$$

Note the strange fact that the overall POVM $E_{x,y|c}$ cannot be expressed directly in terms of the consecutive POVMs $E^1_{y|c}$ and $E^2_{x|y,c}$. This is one advantage of the collapse operation formalism over the POVM formalism.

3.4. THE BASIC MODEL. Here, we describe how to represent an attack against
a quantum protocol in terms of the standard POVM formalism [Peres 1993]. The
formalism should allow us to abstract the details and focus on the essential fact.
In the standard model for quantum protocols, Alice and Bob use a set of
registers and at every given step each register is controlled by one and only one
participant. We assume that every transmitted register is first transmitted to the
cheater. When a register is transmitted from a participant X to a participant Y,
the register that was controlled by X is now controlled by Y. Since the cheater
obtains control over the entire system that is transmitted, the details of the
transmission can be safely ignored in the model.
We recall that we denote by $\hat v$ the overall random outcome of the protocol. This outcome fixes the value of every possible random variable in the protocol, including any classical announcement and any result of a quantum measurement. A basic principle in the model is that we will define a view $v$ in the protocol (e.g., the view seen by a given participant) as a function $v = v(\hat v)$ of this overall outcome. As we will see, our model separates the overall outcome $\hat v$ into two parts: a classical part $\hat c$ that corresponds to a random tape and a quantum part $\hat q$ which corresponds to the outcome of the overall quantum measurement executed jointly by all participants in the protocol. So a view is a function $v$ on the overall outcome $\hat v = (\hat c, \hat q)$.

In a way, the separation of $\hat v$ into two components $\hat c$ and $\hat q$ is artificial because it is always possible to represent every bit in the random tape $\hat c$ as the outcome of a quantum measurement, a quantum coin toss. In this way, every register, classical or quantum, could be considered as if it were a quantum register. However, in some parts of our analysis it is convenient to use methods of computation that are naturally understood in terms of classical information, and thus we don't want to always think in terms of quantum information. In any case, the protocol is described in terms of classical information as well as quantum information and at some point in the proof one must refer to the classical part of the protocol. Therefore, a careful understanding of the connection between the classical part and the quantum part is required. Such a connection is not as trivial as one might first think.
The state space for the quantum registers is denoted $H^Q$. The quantum system $H^Q$ contains every quantum register that could eventually be sent in the protocol as well as any register that could be measured or transformed jointly with such a register. Therefore, $H^Q$ is never entangled with another quantum system. We denote by $\hat c$ the content of classical random tapes or random registers available at the beginning of the protocol. We denote by $\hat C$ the set of possible values for $\hat c$. The random variable $\hat c$ has some a priori distribution of probability $p(\hat c)$. The only operation allowed on $\hat C$ in our context is the computation of some deterministic function $x$ of $\hat c$, but there are no constraints on the function $x$. We denote by $\hat q$ the outcome of all measurements which are executed on $H^Q$ in view of $\hat c$. Without loss of generality we assume that all random values in the protocol can be computed deterministically from $\hat v \stackrel{\mathrm{def}}{=} (\hat c, \hat q)$. A view $v$ in the protocol is any deterministic function of $\hat v$. A view is thus a random variable. We adopt the convention that $v = v$ means $v(\hat v) = v$ (the first $v$ denoting the random variable, the second its value). So, there is a global view $\hat v = (\hat c, \hat q)$ defined by the protocol, and each participant's view is simply a deterministic function $v$ on $\hat v$ which returns the specific information that belongs to this participant. This function can be deterministic because the random tape, and everything else that is random in the view, is already included in the global view $\hat v$.

We denote by $E_{\hat q|\hat c}$ the conditioned POVM on $H^Q \times \hat C$ that is associated with $\hat v = (\hat c, \hat q)$. We recall that the notation $E_{q|c}$ means that the POVM is executed on $H^Q$ in view of $c$ and returns an outcome $q$. Note that by definition of $H^Q$ such a POVM exists. For a given value $\hat c$, the overall initial state of the protocol is $|\Psi(\hat c)\rangle^Q = \bigotimes_X |\Psi_X(\hat c)\rangle^{Q_X}$, a pure state jointly prepared by the participants $X = $ Alice, Bob, . . . at the beginning of the protocol in view of their share of the random value $\hat c$. The probability of the initial state $|\Psi(\hat c)\rangle^Q$ with $\hat c \in \hat C$ is $p_{\hat c}(\hat c)$. In accordance with the POVM formalism, the probability of $\hat v = (\hat c, \hat q)$ given this initial mixture is

$$p_{\hat v}(\hat c, \hat q) = p_{\hat c}(\hat c)\, \mathrm{Tr}_Q\big(E_{\hat q|\hat c}\, |\Psi(\hat c)\rangle\langle\Psi(\hat c)|\big). \qquad (8)$$

3.4.1. The Natural Separation Quantum Vs Classical. We want to provide formulas that respect the natural separation between the classical part and the quantum part in a protocol. The idea is to take advantage of our classical intuition whenever possible when we compute probabilities. For this purpose, it will be convenient to consider views that can be written in the form $v = (c, q)$ where

C1 the deterministic function $c$ depends on $\hat c$ and $q$ only, that is, it depends on $\hat q$ only via $q = q(\hat c, \hat q)$ and

C2 the POVM $E_{q|\hat c}$ on $H^Q$ defined via

$$E_{q|\hat c} \stackrel{\mathrm{def}}{=} \sum_{\hat q \,|\, q(\hat c, \hat q) = q} E_{\hat q|\hat c}$$

respects $E_{q|\hat c} = E_{q|c}$, that is, the mapping $(q, \hat c) \mapsto E_{q|\hat c}$ depends on $\hat c$ only via $c = c(\hat c, q)$.

These two conditions allow us to take a point of view where in some way classical computations and quantum measurements are done separately. Condition C1 says that given the outcome $q$ of the POVM $E_{q|\hat c}$ one can compute the classical part $c$ as a function of the random tape $\hat c$ only (i.e., without having to use the state space $H^Q$). Condition C2 is similar, but it swaps the roles of the random tape and the state space. These two conditions are respected in the following typical situation. First, ignoring $\hat c$, a part $q_1$ of $q$ is obtained via a measurement on $H^Q$, then in view of $q_1$ some function $c_1$ of $\hat c$ is computed and the result $c_1$ is included in $c$, then in view of $c_1$ another part $q_2$ of $q$ is obtained, and so on.

These conditions are not respected by every partial view $v = (c, q)$. For example, suppose that $H^Q$ is the state space for a single photon and the random tape $\hat c$ contains the basis used to measure this photon. The outcome of the measurement is $\hat q$. If only the outcome of the measurement is announced then we have $q = \hat q$ and $c = \varepsilon$, the empty string. In this example, one does not know what basis was used to return the outcome $q = \hat q$, so condition C2 is not respected. If later the basis $\hat c$ is announced, we obtain a new view where the basis $\hat c$ is part of the classical part, and condition C2 is respected. In our analysis, we will only consider views in which C1 and C2 are respected.
Definition 4. Let $v = (c, q)$ be any view that respects C1. We define

$$p(c{:}q) \stackrel{\mathrm{def}}{=} \sum_{\hat c \,|\, c(\hat c, q) = c} p(\hat c).$$

Note that $p(c{:}q)$ is not identical to $p(c|q)$. The following proposition is very easy to prove, but is nevertheless useful.

PROPOSITION 2. Let $v = (c, q)$ be any view on $\hat v$ that respects conditions C1 and C2. We have

$$p(v) = p(c{:}q)\, \mathrm{Tr}_Q\big(E_{q|c}\, \rho_{c|q}\big), \qquad (9)$$

where

$$\rho_{c|q} \stackrel{\mathrm{def}}{=} p(c{:}q)^{-1} \sum_{\hat c \,|\, c(\hat c, q) = c} p(\hat c)\, |\Psi(\hat c)\rangle\langle\Psi(\hat c)| \qquad (10)$$

is the renormalized density matrix on $H^Q$ associated with the constraint $c(\hat c, q) = c$ on $\hat C$.

PROOF. The probability of the view $v = (c, q)$ is given by

$$p_v(c, q) = \sum_{\hat c \,|\, c(\hat c, q) = c} \;\sum_{\hat q \,|\, q(\hat c, \hat q) = q} p_{\hat c}(\hat c)\, \mathrm{Tr}_Q\big(E_{\hat q|\hat c}\, |\Psi(\hat c)\rangle\langle\Psi(\hat c)|\big). \qquad (11)$$

Note that without condition C1 the sum over $\hat c$ and the sum over $\hat q$ in Eq. (11) could not be separated in this way. Now, the trace operation can be factored out in front of these two sums. We obtain

$$p_v(c, q) = \mathrm{Tr}_Q\Big( \sum_{\hat c \,|\, c(\hat c, q) = c} p_{\hat c}(\hat c) \sum_{\hat q \,|\, q(\hat c, \hat q) = q} E_{\hat q|\hat c}\, |\Psi(\hat c)\rangle\langle\Psi(\hat c)| \Big).$$

Because of C2, the sum $\sum_{\hat q \,|\, q(\hat c, \hat q) = q} E_{\hat q|\hat c}$ is the operator $E_{q|\hat c} = E_{q|c}$. The operator $E_{q|c}$ can be factored out of the sum over $\hat c$. We obtain

$$p_v(c, q) = \mathrm{Tr}_Q\Big( E_{q|c} \sum_{\hat c \,|\, c(\hat c, q) = c} p_{\hat c}(\hat c)\, |\Psi(\hat c)\rangle\langle\Psi(\hat c)| \Big).$$

After renormalization of the density matrix one obtains the result. This concludes the proof. ∎

Remark. We emphasize the importance of getting the intuition of what is going on when we compute $\rho_{c|q}$ and $p(c{:}q)$, which are needed in Proposition 2. Let $c_q$ be the function on $\hat c$ defined via $c_q(\hat c) = c(\hat c, q)$. The density matrix $\rho_{c|q}$ is exactly the density matrix that you obtain when you prepare $\Psi(\hat c)$ with the a priori probability $p_{\hat c}(\hat c)$, then compute $c_q$ and only keep the states for which $c_q = c$. This fact is useful to write down an explicit expression for $\rho_{c|q}$. Now, we consider the probability $p(c{:}q)$, that is, the probability that $c_q = c$. Since we defined $c_q$ as a function on $\hat c$, a formal and complicated way to compute the probability $p(c{:}q)$ would be to determine $c_q^{-1}(c) = \{\hat c \,|\, c_q(\hat c) = c\}$, the pre-image of $c$, and then compute the probability of this set using the a priori probability of $\hat c$. However, given $q$ fixed, $c_q$ is a random variable that is typically defined by the protocol in terms of only a few components of $\hat c$ and it will be simple to compute $p(c{:}q)$.
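As an added example that is not part of the paper, the following Python code checks Proposition 2 and Definition 4 numerically on the single-photon view of Section 3.4.1, and checks condition C2 for the two views discussed there. The toy model is an assumption of this example: $H^Q$ is one qubit, the random tape $\hat c = (a, g, b)$ holds Alice's basis and bit and Bob's basis, and the POVM $E_{\hat q|\hat c}$ measures the photon in Bob's basis.

```python
from math import sqrt

# Added example, not code from the paper.  Toy model (assumed): H^Q is one qubit,
# the random tape c_hat = (a, g, b) holds Alice's basis a, her bit g and Bob's
# basis b, each uniform; the initial state is Psi(g, a) and the POVM E_{q_hat|c_hat}
# measures the photon in Bob's basis b.  All values are constructed.

BASES = ('+', 'x')
BITS = (0, 1)
TAPES = [(a, g, b) for a in BASES for g in BITS for b in BASES]   # the set C_hat

def bb84_state(g, a):
    """Real 2-vector for Psi(g, a): 0/90 degrees for '+', 45/-45 degrees for 'x'."""
    if a == '+':
        return (1.0, 0.0) if g == 0 else (0.0, 1.0)
    s = 1.0 / sqrt(2.0)
    return (s, s) if g == 0 else (s, -s)

def projector(v):
    """|v><v| as a 2x2 matrix (list of rows); BB84 states are real, so no conjugation."""
    return [[v[i] * v[j] for j in range(2)] for i in range(2)]

def mat_add(A, B, scale=1.0):
    return [[A[i][j] + scale * B[i][j] for j in range(2)] for i in range(2)]

def mat_mul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def trace(A):
    return A[0][0] + A[1][1]

def same_operator(A, B, tol=1e-12):
    return all(abs(A[i][j] - B[i][j]) <= tol for i in range(2) for j in range(2))

def p_tape(c_hat):
    """A priori probability p(c_hat): uniform over C_hat."""
    return 1.0 / len(TAPES)

def initial_state(c_hat):
    a, g, _b = c_hat
    return bb84_state(g, a)

def povm(q_hat, c_hat):
    """E_{q_hat|c_hat}: projector onto Psi(q_hat, b), i.e. a measurement in Bob's basis b."""
    _a, _g, b = c_hat
    return projector(bb84_state(q_hat, b))

def p_global(c_hat, q_hat):
    """Eq. (8): p(c_hat, q_hat) = p(c_hat) Tr_Q(E_{q_hat|c_hat} |Psi(c_hat)><Psi(c_hat)|)."""
    return p_tape(c_hat) * trace(mat_mul(povm(q_hat, c_hat), projector(initial_state(c_hat))))

# Two views v = (c, q) with q = q_hat (the outcome is announced).  The classical
# part c is a function of c_hat (and q), as condition C1 requires.
def bases_announced(c_hat, q):
    a, _g, b = c_hat
    return (a, b)

def nothing_announced(c_hat, q):
    return ()                                     # c is the empty string

def respects_C2(c_fn, q):
    """C2: E_{q|c_hat} (here simply E_{q_hat=q|c_hat}) depends on c_hat only via c = c(c_hat, q)."""
    seen = {}
    for c_hat in TAPES:
        c, E = c_fn(c_hat, q), povm(q, c_hat)
        if c in seen and not same_operator(seen[c], E):
            return False
        seen.setdefault(c, E)
    return True

def p_view_direct(c_fn, c, q):
    """Eq. (11): add up p(c_hat, q_hat) over every (c_hat, q_hat) that maps onto the view (c, q)."""
    return sum(p_global(c_hat, q) for c_hat in TAPES if c_fn(c_hat, q) == c)

def p_colon(c_fn, c, q):
    """Definition 4: p(c:q) = sum of p(c_hat) over the c_hat with c(c_hat, q) = c."""
    return sum(p_tape(c_hat) for c_hat in TAPES if c_fn(c_hat, q) == c)

def rho_c_given_q(c_fn, c, q):
    """Eq. (10): renormalized density matrix of the initial states compatible with c."""
    rho = [[0.0, 0.0], [0.0, 0.0]]
    for c_hat in TAPES:
        if c_fn(c_hat, q) == c:
            rho = mat_add(rho, projector(initial_state(c_hat)), p_tape(c_hat))
    return mat_add([[0.0, 0.0], [0.0, 0.0]], rho, 1.0 / p_colon(c_fn, c, q))

def p_view_prop2(c_fn, c, q):
    """Eq. (9): p(v) = p(c:q) Tr_Q(E_{q|c} rho_{c|q}); needs C2 so that E_{q|c} is well defined."""
    if not respects_C2(c_fn, q):
        raise ValueError("view violates condition C2; E_{q|c} is not well defined")
    representative = next(t for t in TAPES if c_fn(t, q) == c)
    E = povm(q, representative)
    return p_colon(c_fn, c, q) * trace(mat_mul(E, rho_c_given_q(c_fn, c, q)))
```

For the view where both bases are announced, `p_view_direct` and `p_view_prop2` agree on every $(c, q)$, while the view with nothing announced fails C2 exactly as the text describes.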
3.4.2. Extended Operator Formalism. In a few situations it turns out to be useful to consider classical registers as a special case of quantum registers. We denote by $|\hat c\rangle^C$, $\hat c \in \hat C$, the associated orthogonal states. The state space for the classical part is denoted $H^C$. The initial random state is $|\hat c\rangle^C |\Psi(\hat c)\rangle$ with probability $p(\hat c)$ and we denote by $\rho$ the associated density matrix. The POVM that returns $(\hat c, \hat q)$ is $E_{\hat v} = P_{\hat c} E_{\hat q|\hat c}$ where $P_{\hat c}$ is the projection on the state $|\hat c\rangle^C$. In particular, we have

$$p(\hat v) = \mathrm{Tr}(E_{\hat v}\,\rho) = p(\hat c)\,\langle\Psi(\hat c)|E_{\hat q|\hat c}|\Psi(\hat c)\rangle,$$

which is consistent with (8). In our proof, we will only need the extended operator formalism to use the simple rule $E_z = \sum_{v \,|\, z(v) = z} E_v$ which is valid for any deterministic function $z$ of $v = (c, q)$. We will use this rule in a context where $E_v$ is not used to compute a probability. In such a context, at least from the author's point of view, it is hard to explain this rule without the extended operator formalism.

However, we don't want to use the extended operator formalism at every step. We now explain how to pass from the standard to the extended operator formalism. The following proposition is easily obtained:

PROPOSITION 3. Let $v = (c, q)$ be a view on $\hat v$ that respects C1 and C2. We have that the POVM on $H^C \otimes H^Q$ associated with $v = (c, q)$ is $E_v = E_{(c,q)} = P_{c|q} E_{q|c}$ where

$$P_{c|q} = \sum_{\hat c \,|\, c(\hat c, q) = c} P_{\hat c}.$$

PROOF. Using condition C1, we obtain

$$E_v = E_{(c,q)} = \sum_{\hat c \,|\, c(\hat c, q) = c} \;\sum_{\hat q \,|\, q(\hat c, \hat q) = q} P_{\hat c} E_{\hat q|\hat c} = \sum_{\hat c \,|\, c(\hat c, q) = c} P_{\hat c} \sum_{\hat q \,|\, q(\hat c, \hat q) = q} E_{\hat q|\hat c}.$$

Using condition C2, we obtain

$$E_v = \sum_{\hat c \,|\, c(\hat c, q) = c} P_{\hat c} E_{q|c} = P_{c|q} E_{q|c}.$$

This concludes the proof. ∎

Let $\Pi$ and $\Pi'$ be any two operators on $H^Q$. We need these operators to make our next equation sufficiently general for our purpose. The following equation will be useful in our proof to pass from one formalism to the other.

$$\mathrm{Tr}(E_v \Pi \rho \Pi') = \mathrm{Tr}(P_{c|q} E_{q|c} \Pi \rho \Pi') = p(c{:}q)\, \mathrm{Tr}_Q(E_{q|c} \Pi \rho_{c|q} \Pi'). \qquad (12)$$

The main content of this rule is in the second equality, the first equality being a direct consequence of Proposition 3. In the particular case $\Pi = \Pi' = I_E$, since $\mathrm{Tr}(E_v \rho) = p(v)$, this rule is essentially Proposition 2. In Proposition 2, we have that the sum over $\hat c$ in the definition of $\rho_{c|q}$ is restricted by the condition $c(\hat c, q) = c$. The basic point of formula (12) is that in the extended operator formalism this restriction is implemented via the projection $P_{c|q}$ on $\rho$, the factor $p(c{:}q)$ being added (in the nonextended formalism) to compensate for the fact that $\rho_{c|q}$ is normalized.

PROOF OF FORMULA (12). Note that $\mathrm{Tr} = \mathrm{Tr}_Q \mathrm{Tr}_C$, that is, the trace operation $\mathrm{Tr}$ corresponds to a partial trace over $H^C$ followed by a trace over $H^Q$. The operators $E_{q|c}$, $\Pi$ and $\Pi'$ commute with $\mathrm{Tr}_C$ and $P_{c|q}$ because the former operate on $H^Q$ whereas the latter operate on $H^C$. Therefore, acting on the left-hand side, we can first execute $P_{c|q}$ and $\mathrm{Tr}_C$. If we expand $\rho$ as a sum over $\hat c$, we obtain that the restriction on $\hat c$ that comes with the projection $P_{c|q}$ (the same restriction as in Proposition 2) followed by the partial trace $\mathrm{Tr}_C$ maps $\rho$ into $p(c{:}q)\,\rho_{c|q}$. The factor $p(c{:}q)$ is needed to compensate for the fact that $\rho_{c|q}$ is renormalized. After factoring out $p(c{:}q)$, we are left with the right-hand side. ∎

4. The Protocol
To focus on the basic procedure, we first describe the protocol without the
validation constraints. Then we describe the validation constraints on the length
of the key, etc. Next, the maximum error rate that we can tolerate in the protocol
and yet obtain a key of non-zero length is derived from the validation constraints.

4.1. THE PROTOCOL. The protocol analyzed is a variation on the well known protocol proposed by Bennett and Brassard [1984] (see also Bennett et al. [1992]).

Step 1. Alice's Preparation. Alice sends $N$ two-dimensional quantum systems to Bob prepared individually in one of the four BB84 states uniformly picked at random. For concreteness, one can think that the BB84 states denoted $\Psi(0, +)$, $\Psi(1, +)$, $\Psi(0, \times)$ and $\Psi(1, \times)$ correspond to photons polarized at 0, 90, 45, and $-45$ degrees, respectively. Of course, the proof remains the same if Alice uses any other realization of the BB84 states described in Figure 1. The state of the photons prepared by Alice is $\Psi(g, a) \stackrel{\mathrm{def}}{=} \Psi(g[1], a[1]) \otimes \cdots \otimes \Psi(g[N], a[N])$.

For any string of bits $\alpha \in \{0, 1\}^E$ and string of bases $\theta \in \{+, \times\}^E$ (see Appendix C), the state $|\Psi(\alpha, \theta)\rangle$ is a state for the photons in $E$ that encodes the bits $\alpha[i]$ in the bases $\theta[i]$ for each $i \in E$.
FIG. 1. The BB84 states.

Step 2. Bob's Measurement. Bob measures each photon using either the rectilinear basis $\{\Psi(0, +), \Psi(1, +)\}$ or the diagonal basis $\{\Psi(0, \times), \Psi(1, \times)\}$ uniformly chosen at random. If Bob detects a photon at position $i$, the associated outcome is denoted $\perp$ and we say that $i$ is a detected position. We adopt the following notation:

—$a \in \{+, \times\}^N$: Alice's string of bases.
—$g \in \{0, 1\}^N$: Alice's string of bits.
—$b \in \{+, \times\}^N$: Bob's string of bases.
—$\mathcal{D}$: the set of detected positions, that is, the set of positions $i$ with $h[i] = \perp$.
—$h \in \{0, 1, \perp\}^N$: Bob's string of outcomes.

Step 3. Choosing the Tested Bits. Bob picks at random a subset of positions $R \subseteq \{1, \ldots, N\}$: he puts every position $i$ in the set $R$ (initially empty) with probability $p_T$.

Some notations. We denote by $\Omega \subset \mathcal{D}$ the set of positions $i$ where $a[i] = b[i]$. Normally, except for errors in the transmission, for every $i \in \Omega$, we should have $g[i] = h[i]$. We denote by $T = R \cap \Omega = \{i \in R \,|\, a[i] = b[i]\}$ the set of tested positions.

Step 4. Counting the Errors. Bob announces $R$ and $b$, Alice announces $a$ and $g[R]$, Bob announces $h[R]$. Alice and Bob note the value $d_T = d_T(g, h)$, the Hamming distance between $g$ and $h$ on $T$.

Remark. The value $d_T$ will be used in validation constraints. These validation constraints specify valid values for the number of redundant bits needed for error-correction, the length of the key, etc.

Step 5. Error Correction. The positions in $R$ are discarded. The set $E = \Omega - R = \{i \notin R \,|\, a[i] = b[i]\}$ will be used to define the key. Let $n_E = |E|$. If no error occurred, Alice and Bob should share the string $g[E]$ which we call the raw key. For error correction, Alice computes and announces to Bob the syndrome $s = F \cdot g[E]$ where $F$ is an $r \times n_E$ parity check matrix for a linear error-correcting code [MacWilliams and Sloane 1977], and "$\cdot$" is the binary matrix multiplication modulo 2 (see also Appendix C). The syndrome $s$ contains $r$ redundant bits about the raw key $g[E]$. The value $r$ depends on $d_T$ (see the validation constraints). Bob uses this information to correct the errors in $h[E]$ and obtain the raw key $g[E]$. More about error correction is provided in the next subsection.

Step 6. Key Extraction. At this point, Alice and Bob share the string $g[E]$ which we call the raw key. After error correction, to define a (final) key, Alice uses an $m \times n_E$ binary matrix $K$. The value of $m$ will depend on $d_T$. Alice and Bob compute the key $\hat k = K \cdot g[E]$. At this stage, in practice the protocol ends. Eve is interested in the key $\hat k = K \cdot g[E]$ that is a function of the string $g$ chosen by Alice. In another variation on this protocol [Bennett et al. 1992], Alice and Bob execute an interactive reconciliation procedure in which the parity check matrix $F$ is a function of the error positions. Such an approach where the matrix $F$ depends upon the error positions can certainly reduce the number of redundant bits needed in practice, but it makes the privacy proof more complicated.

4.1.1. More about Error-Correction. The normal way to use an error-correcting code with an $r \times n_E$ parity check matrix $F$ is to encode a message $x \in \{0, 1\}^k$ with $k = n_E - r$ into a codeword $c_x$ where by definition a codeword is a string $c$ such that $F \cdot c = 0$ (see Appendix C.2). The announcement of the syndrome $F \cdot g[E] = s$ by Alice for error-correction is not the normal way to use an error-correcting code with parity check matrix $F$ but it is convenient in the proof. In practice, Alice and Bob can use an alternative approach, which is closer to the normal way an error-correcting code is used, but is equivalent to the announcement of the syndrome $s$ from an information theoretic point of view. Let $\tilde g = g[E]$ be the raw key. Before error-correction, Bob's received raw key is $\tilde h = h[E]$. In this alternative approach, Alice chooses a random string $x \in \{0, 1\}^k$ and computes the associated codeword $c_x$ via the standard encoding procedure. She sends to Bob the redundant information $\hat s = \tilde g \oplus c_x$. Note that a straightforward computation of the syndrome $s = F \cdot \tilde g$ via matrix multiplication takes a number of steps in $O(n_E^2)$, and usually the encoding procedure is more efficient. Furthermore, in this alternative protocol, the error-correction procedure associated with the linear code can be used by Bob (together with two additions of the redundant information $\hat s$) to obtain the string $\tilde g$. Bob simply computes $\hat s \oplus \tilde h$ which is the codeword $c_x$ modulo the errors in $\tilde h$. He does error-correction on this string to obtain $c_x = \hat s \oplus \tilde g$ and finally computes $\tilde g = c_x \oplus \hat s$.

In some cases, the encoding procedure adds the string $\tilde F \cdot x$ to the left of a meaningful message $x \in \{0, 1\}^{n_E - r}$. In this case, one can check that $F = [\tilde F\; I_r]$ is an $r \times n_E$ parity check matrix for the linear code. Let $g[\mathrm{mess}]$ be the first $n_E - m$ bits in $g$, and $g[\mathrm{pari}]$ be the last $m$ bits. The syndrome associated with $F$ is $s = \tilde F \cdot g[\mathrm{mess}] \oplus g[\mathrm{pari}]$. In this case, Alice can actually send the syndrome $s$ and Bob can compute $w = h[E] \oplus \hat s$ with $\hat s = [0\; s]$, use the standard error-correction procedure on $w$ and add again $\hat s$ after error correction.
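As an added example that is not part of the paper, the following Python simulation runs Steps 1 to 6 of Section 4.1 classically and uses the syndrome announcement $s = F \cdot g[E]$ of Section 4.1.1 for error correction. The toy model is an assumption of this example: photon loss and bit flips happen independently with fixed probabilities, the linear code is the Hamming (7,4) code applied blockwise to $g[E]$, $K$ is a uniformly random $m \times n_E$ matrix, and no eavesdropper is present.

```python
import random

# Added example, not code from the paper.  Constructed model: a photon is lost
# with probability loss_prob; on the sifted positions Bob's outcome flips with
# probability flip_prob; when the bases differ his outcome is a uniform bit.
# The linear code is the Hamming (7,4) code applied blockwise to g[E] (bits
# after the last full block are dropped) and K is a uniformly random m x n_E
# matrix.  No eavesdropper is modelled: the point is the bookkeeping of
# D, Omega, R, T, E, d_T and the syndrome-based correction.

BASES = ('+', 'x')
BLOCK = 7
# Parity check matrix F of the Hamming (7,4) code: column j (1-based) is the binary
# representation of j with the least significant bit in row 0, so r = 3 and the
# code corrects one error per block (d' = 1 per block).
F_HAMMING = [[1, 0, 1, 0, 1, 0, 1],
             [0, 1, 1, 0, 0, 1, 1],
             [0, 0, 0, 1, 1, 1, 1]]

def binary_product(M, word):
    """M . word, the binary matrix product modulo 2 (used for F . g[E] and K . g[E])."""
    return [sum(mi * wi for mi, wi in zip(row, word)) % 2 for row in M]

def decode_block(F, alice_syndrome, bob_block):
    """Flip the single position that makes Bob's block syndrome equal to Alice's."""
    diff = [x ^ y for x, y in zip(binary_product(F, bob_block), alice_syndrome)]
    pos = sum(d << i for i, d in enumerate(diff))      # 1-based error position, 0 = none
    fixed = list(bob_block)
    if pos:
        fixed[pos - 1] ^= 1
    return fixed

def correct_with_syndrome(F, g_E, h_E):
    """Step 5: Alice announces s = F . g[E] block by block; Bob corrects h[E] into g[E]."""
    out = []
    for k in range(len(g_E) // BLOCK):
        blk = slice(BLOCK * k, BLOCK * (k + 1))
        out += decode_block(F, binary_product(F, g_E[blk]), h_E[blk])
    return out

def run_bb84(N, p_T, delta, m, flip_prob, loss_prob, seed):
    rng = random.Random(seed)
    # Step 1: Alice's bases a and bits g.  Step 2: Bob's bases b and outcomes h;
    # None marks a position where no photon was detected (constructed model).
    a = [rng.choice(BASES) for _ in range(N)]
    g = [rng.randrange(2) for _ in range(N)]
    b = [rng.choice(BASES) for _ in range(N)]
    h = []
    for i in range(N):
        if rng.random() < loss_prob:
            h.append(None)
            continue
        bit = g[i] if a[i] == b[i] else rng.randrange(2)
        h.append(bit ^ (rng.random() < flip_prob))
    D = {i for i in range(N) if h[i] is not None}
    Omega = {i for i in D if a[i] == b[i]}
    # Step 3: every position enters R independently with probability p_T; T = R n Omega.
    R = {i for i in range(N) if rng.random() < p_T}
    T = R & Omega
    # Step 4: d_T is the Hamming distance of g and h on T; the basic validation
    # constraint P_T of Section 4.2 is d_T < delta p_T n_Omega.
    d_T = sum(g[i] != h[i] for i in T)
    P_T = d_T < delta * p_T * len(Omega)
    # Step 5: E = Omega - R carries the raw key g[E]; syndrome-based correction.
    E = sorted(Omega - R)
    E = E[:BLOCK * (len(E) // BLOCK)]
    g_E = [g[i] for i in E]
    h_E = [h[i] for i in E]
    corrected = correct_with_syndrome(F_HAMMING, g_E, h_E)
    # Step 6: final key k = K . g[E] for a random m x n_E binary matrix K.
    K = [[rng.randrange(2) for _ in E] for _ in range(m)]
    return {'n_Omega': len(Omega), 'd_T': d_T, 'P_T': P_T, 'n_E': len(E),
            'r': 3 * (len(E) // BLOCK),
            'channel_errors_on_E': sum(x != y for x, y in zip(g_E, h_E)),
            'residual_errors_on_E': sum(x != y for x, y in zip(g_E, corrected)),
            'key_alice': binary_product(K, g_E),
            'key_bob': binary_product(K, corrected)}

if __name__ == '__main__':
    res = run_bb84(N=800, p_T=0.25, delta=0.05, m=32, flip_prob=0.01, loss_prob=0.1, seed=2001)
    print({k: v for k, v in res.items() if not k.startswith('key')})
    print('keys agree:', res['key_alice'] == res['key_bob'])
```

A block with two channel errors exceeds the code's $d'$ and is decoded to a wrong codeword, which is exactly the case the validation constraint $\mathcal{X}_1$ of Section 4.2 is meant to make unlikely.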

4.2. THE VALIDATION CONSTRAINTS. To complete the definition of the protocol, one must specify the validation constraints. In practice, it does not matter when these constraints are verified as long as they are verified before the key is used. However, in the proof, it will be assumed that the constraints are verified at the very end so that all variables are defined even if the constraints fail.

The basic validation constraint is $d_T < \delta\, p_T\, n_\Omega$ where $d_T = d_T(g, h)$ is the number of errors in $T$, $\delta > 0$ is some fixed parameter in the protocol and $n_\Omega = |\Omega|$. We denote by $\mathcal{P}_T$ the event that this constraint is satisfied. The tolerated number of errors is a constant fraction $p_T \delta$ of $n_\Omega$ rather than a constant fraction $\delta$ of $n_T \stackrel{\mathrm{def}}{=} |T|$ because this particular choice was convenient in the proof of Lemma 2. Let $p_E = 1 - p_T$. Let us define

$$(\forall y \ge 0)\quad d_+(y) \stackrel{\mathrm{def}}{=} (\delta + y)\, p_E\, n_\Omega. \qquad (13)$$

Lemma 2 with $D = \Omega$ applies directly to our protocol. Therefore, in a way, that is, in the sense given by Lemma 2, $d_+(\beta)$ is an upper bound on the number of errors that can be obtained on $E$, where $\beta$ is a parameter in the protocol with valid range $]0, \infty]$. We assume that, for each value of $n_E = |E|$, Alice and Bob know the number of errors $d'$ which can be corrected by their error-correction procedure. The validation constraint $\mathcal{X}_1$ for error-correction is $d' \ge d_+(\beta)$. Under the assumption that the error-correction procedure corrects up to $d'$ errors on $E$, it is not too difficult to conclude with the help of Lemma 2 that, except with an exponentially small probability (i.e., smaller than $\mu(\beta, n_\Omega)$), the cheater cannot succeed in having Alice and Bob think that they share a key when they do not.
Now, we give additional validation constraints for privacy. We recall that an important quantity is the minimal weight $d_W$ defined in Section 3.2. Privacy requires a large value for $d_W$. In our proof, we will see that the constraint $\mathcal{X}_2{:}\; d_W \ge 2 d_+(\epsilon)$, where $\epsilon$ is a parameter in the protocol with valid range $]0, \infty]$, is sufficient for privacy. However, one needs to compute $d_W$ to check this constraint. The matrices $F$ and $K$ are determined in view of $n_E$, $r$ and $m$, and therefore $d_W$ is a function of these parameters. If $d_W$ can be computed efficiently, we can use the validation constraint $\mathcal{X}_2$.

However, the evaluation of $d_W$ is in some cases an NP-complete problem [Barg 1997]. Let $H(x) = -[x \log_2(x) + (1 - x) \log_2(1 - x)]$ be the entropy function. If we cannot find a choice for $K = K_{m, n_E}$ and $F = F_{r, n_E}$ such that $d_W$ can be computed efficiently, we have an alternative approach to guarantee a lower bound on $d_W$. We will choose the $m \times n_E$ privacy matrix $K$ uniformly at random and adopt the constraint $\mathcal{X}'_2$ which says

$$H^{-1}\Big(1 - \frac{r + m}{n_E} - \tau\Big)\, n_E \ge 2 d_+(\epsilon),$$

for some parameter $\tau > 0$. The parameter $\epsilon$ was defined before. As for $\epsilon$, the parameter $\tau$ can take any positive fixed value in the protocol. We recall that, given that the $m \times n_E$ privacy matrix $K$ is chosen uniformly at random, Lemma 4 tells us that, for any $\tau > 0$, we have

$$\mathrm{True} \;\Rightarrow_\lambda\; d_W \ge H^{-1}\Big(1 - \frac{r + m}{n_E} - \tau\Big)\, n_E,$$

where $\lambda = 2^{-\tau n_E}$. Using Proposition 1 and what we have above, one easily obtains $\mathcal{X}'_2 \Rightarrow_\lambda \mathcal{X}_2$. Therefore, as we will see, the criterion $\mathcal{X}'_2$ can replace the criterion $\mathcal{X}_2$. (The value $\lambda$ will contribute to the parameter $\xi$ that is used in Lemma 1.)

4.2.1. The Validation Constraints: A Summary. The overall validation constraint is $\mathcal{P} \stackrel{\mathrm{def}}{=} \mathcal{P}_T \wedge \mathcal{X}_1 \wedge \mathcal{X}'_2 \wedge \mathcal{X}_3$ where

$\mathcal{P}_T$: $d_T < \delta\, p_T\, n_\Omega$ where $\delta$ is the tolerated error rate (slightly above the expected error rate) and $p_T$ is the probability that any position $i \in \Omega$ is tested,

$\mathcal{X}_1$: $d' \ge d_+(\beta)$ where $p_E = 1 - p_T$, $d'$ is the number of errors which can be corrected by the error correction procedure and $\beta > 0$ is any positive value fixed in the protocol,

$\mathcal{X}'_2$: $H^{-1}(1 - (r + m)/n_E - \tau)\, n_E \ge 2 d_+(\epsilon)$ where $\epsilon > 0$ and $\tau > 0$ are any positive values fixed in the protocol,

$\mathcal{X}_3$: $n_E \ge n_E^{\min}$, $n_\Omega \ge n_\Omega^{\min}$ and $m \le m^{\max}$ where each of $n_E^{\min}$, $n_\Omega^{\min}$ and $m^{\max}$ is a deterministic function of all the parameters, and linear in the security parameter $N$.

Note that our privacy proof still holds even if the lower bounds $n_E^{\min}$ and $n_\Omega^{\min}$ are so big that they are unlikely to be respected. In fact, large lower bounds will just increase privacy. To avoid the protocol failing most of the time, one must pick reasonably small lower bounds in view of $N$ and other parameters, but not for privacy. It is clear that reasonable lower bounds can be linear in $N$. A natural choice for $m^{\max}$ is the solution of $\mathcal{X}'_2$ for $m$, in which we use $\tau = -\Delta$, for some $\Delta > 0$ (say $\Delta = 1/10$), and replace $d_+(\epsilon)$, $n_E$ and $r$ by $d_+^{\mathrm{fair}}(\epsilon, p_E)$, $n_E^{\mathrm{fair}}$ and $r^{\mathrm{fair}}$, some fair estimates of their values chosen in view of $N$ and other parameters, respectively. It is clear that these estimates can be linear in $N$. The solution is

$$m^{\max} = n_E^{\mathrm{fair}} - r^{\mathrm{fair}} - H\Big(\frac{2 d_+^{\mathrm{fair}}(\epsilon, p_E)}{n_E^{\mathrm{fair}}}\Big)\, n_E^{\mathrm{fair}} + \Delta\, n_E^{\mathrm{fair}}.$$
4.3. THE MAXIMUM TOLERATED ERROR RATE. The maximum tolerated error rate can be obtained as a function of the validation constraints. Only $\mathcal{X}'_2$ and $\mathcal{X}_1$ need to be considered because the other constraints do not restrict $\delta$ from above. More precisely, we want to find for which values of $\delta > 0$ these constraints have a significant probability to be satisfied as $N$ increases. Let us first consider $\mathcal{X}'_2$. For $N$ large, one can pick small values for $\epsilon$ and $\tau$. To compute the maximal value for $\delta$, we set $\epsilon = 0$ and $\tau = 0$ with the understanding that if we are actually below the maximal value for $\delta$, there will be room for positive values for these other parameters. So, we get $d_+(\epsilon) = \delta\, p_E\, n_\Omega$. For every $\epsilon' > 0$, in the limit of large $N$, we have that $|p_E n_\Omega / n_E - 1| \le \epsilon'$ occurs with large probability. So we set $\epsilon' = 0$, or equivalently $p_E n_\Omega / n_E = 1$, with the same understanding as in the case of $\epsilon$ and $\tau$. So, we get $d_+(\epsilon) = \delta\, n_E$. Dividing by $n_E$ and applying $H$ on both sides of $\mathcal{X}'_2$, we obtain

$$1 - \frac{r + m}{n_E} \ge H(2\delta)$$

and thus

$$\frac{m}{n_E} \le 1 - H(2\delta) - \frac{r}{n_E}.$$

Now, we must consider $\mathcal{X}_1$. Using the same principle as before, we set $\beta = 0$ and use $\epsilon' = 0$ to obtain that $d_+(\beta) = \delta\, p_E\, n_\Omega = \delta\, n_E$. Shannon's bound for error correction says that $r/n_E > H(\delta)$ is sufficient to correct $d'$ errors with $d' \ge \delta\, n_E$. So, if we use an error-correcting code that reaches Shannon's bound and $1 - H(2\delta) - H(\delta) \ge 0$, we have that, for sufficiently small values of $\epsilon$, $\beta$ and $\tau$, we can get $m/n_E \ge 0$ and satisfy $\mathcal{X}_1$ and $\mathcal{X}'_2$ with large probability in the limit of large $N$. Solving for $\delta$, we obtain that any value $\delta$ below 7.4% will do.
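The bound of Section 4.3 and the $m^{\max}$ formula of Section 4.2.1, as an added Python example that is not the paper's code: the bisection routines for $H^{-1}$ and for the largest $\delta$ with $1 - H(2\delta) - H(\delta) \ge 0$ are numerical helpers assumed here, and the sample parameter values are constructed.

```python
from math import log2

# Added example, not code from the paper.  H is the entropy function of Section 4.2;
# H^{-1} on [0, 1/2] and the largest admissible delta are found by bisection
# (constructed numerical routines).

def H(x):
    """Binary entropy H(x) = -[x log2 x + (1 - x) log2 (1 - x)], with H(0) = H(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -(x * log2(x) + (1.0 - x) * log2(1.0 - x))

def H_inv(y, tol=1e-12):
    """Inverse of H on [0, 1/2]; arguments outside [0, 1] are clipped."""
    y = min(max(y, 0.0), 1.0)
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if H(mid) < y:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def d_plus(y, delta, p_E, n_Omega):
    """Eq. (13): d_+(y) = (delta + y) p_E n_Omega."""
    return (delta + y) * p_E * n_Omega

def constraint_X2_prime(n_E, r, m, tau, epsilon, delta, p_E, n_Omega):
    """X'_2 of Section 4.2: H^{-1}(1 - (r + m)/n_E - tau) n_E >= 2 d_+(epsilon)."""
    lhs = H_inv(1.0 - (r + m) / n_E - tau) * n_E
    return lhs >= 2.0 * d_plus(epsilon, delta, p_E, n_Omega)

def key_fraction_bound(delta, r_over_nE):
    """Section 4.3 with epsilon = tau = 0 and p_E n_Omega = n_E: m/n_E <= 1 - H(2 delta) - r/n_E."""
    return 1.0 - H(2.0 * delta) - r_over_nE

def max_tolerated_error_rate(tol=1e-9):
    """Largest delta with 1 - H(2 delta) - H(delta) >= 0, i.e. r/n_E at Shannon's bound H(delta)."""
    lo, hi = 0.0, 0.25           # the bound is decreasing in delta on this interval
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if key_fraction_bound(mid, H(mid)) >= 0.0:
            lo = mid
        else:
            hi = mid
    return lo

def m_max(n_E_fair, r_fair, d_plus_fair, Delta=0.1):
    """Section 4.2.1: m^max = n_E^fair - r^fair - H(2 d_+^fair / n_E^fair) n_E^fair + Delta n_E^fair."""
    return n_E_fair - r_fair - H(2.0 * d_plus_fair / n_E_fair) * n_E_fair + Delta * n_E_fair

if __name__ == '__main__':
    print('max tolerated error rate: %.4f' % max_tolerated_error_rate())
    # Constructed parameters: n_E = 10000, a Shannon-rate code for delta = 5%,
    # d_+^fair = delta n_E and the paper's suggestion Delta = 1/10.
    print('m^max:', round(m_max(10000, H(0.05) * 10000, 500)))
```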

5. The Privacy Proof

Privacy in the protocol is expressed by the following theorem.

THEOREM 1. Let $\delta > 0$ be the tolerated error rate and $p_T > 0$ be the probability that any given position $i \in \Omega$ is tested, that is, $\delta$ and $p_T$ are the parameters used in the validation constraint $\mathcal{P}_T$. Let $p_E = 1 - p_T$. Let $\epsilon > 0$ and $\tau > 0$ be the fixed parameters used in the validation constraint $\mathcal{X}'_2$. Let $n_E^{\min}$, $n_\Omega^{\min}$ be the lower bounds and $m^{\max}$ be the upper bound used in the validation constraint $\mathcal{X}_3$. Let $\mu$ be the following function of these parameters

$$\mu = \exp\Big( -\frac{\epsilon^2 \min\{p_T^2, p_E^2\}}{2\delta + \epsilon}\, n_\Omega^{\min} + \frac{2\epsilon^2 p_E^2}{(2\delta + \epsilon)^2} \Big).$$

This is the same function that was defined in Lemma 2 except that here $\beta$ and $n_D$ are replaced by $\epsilon$ and $n_\Omega^{\min}$ respectively. Let $\gamma = \mu^{1/2}$, $\eta = 2\sqrt{\gamma} + \gamma$, $\lambda = 2^{-\tau n_E}$, $\xi = \gamma + \lambda + \eta + 2\sqrt{2\eta}$ and $\sigma = \eta + \sqrt{2\eta}$. The protocol is $f$-private where $f = \sigma/\ln(2) + m^{\max}\xi$.

This privacy result provides a bound on the amount of information that Eve can obtain about the final key. This bound holds as long as the length of the key is set by Alice and Bob in accordance with the validation constraints. As we mentioned earlier, the maximum value for the tolerated error rate $\delta$ is also determined by these validation constraints (see previous section).

On top of a perfect source, the only additional assumption required in the proof is that, for every state of Bob's system $H^B$, the distribution of probability of $(\mathcal{D}, h[R])$ returned by Bob's measurement is the same whether this measurement uses the bases $b$ or the bases $\tilde b$. We believe that this assumption is very reasonable. If we had that the measurements executed by Bob at different positions are independent (which is not too hard to obtain from an experimental point of view), we would only need the assumption that whether or not a photon is detected does not depend on the basis that is used to measure this photon. One can check that this alternative assumption together with the independence of Bob's measurements implies our assumption. Though it is not sufficient alone for our proof, this alternative assumption is the essential idea behind our assumption. This alternative assumption is always true, and thus not an assumption anymore, if no loss is tolerated in the transmission.

5.1. AN OVERVIEW OF THE PROOF AND SOME INTUITION. The main ingredient in the proof of privacy is that of complementarity. In our protocol, Alice encodes a string of bits in a certain choice of bases. From Alice's point of view, these bases are known and fixed at the beginning of the protocol. We call these bases the original bases. Eve does not know which bases are used by Alice and, as far as Eve is concerned, Alice could have used the opposite bases. The principle of complementarity tells us that, if a measurement would give a lot of information about Alice's string had Alice chosen the opposite bases, the conjugate bases, then the same measurement can only provide little information about this string (which is encoded in the original bases).
Consider now the measurement that describes collectively the measurement
executed by Eve and Bob on Alice’s photons. The previous point implies that if
Bob gets a lot of information about Alice’s string had Alice chosen the conjugate
bases, then Eve can only get little information about Alice’s string encoded in the
original bases. This suggests that we consider a scenario in which Alice uses the
conjugate bases. However, that is not sufficient. To apply the complementary
principle to this scenario, Bob must obtain a lot of information (when Alice uses
the conjugate bases). Therefore, in this scenario, Bob must use the same bases as
Alice, the conjugate bases. Considering such a scenario will allow us to use the
complementary principle to show the security of a protocol that is slightly
different from the original protocol, a protocol in which Bob uses the wrong
bases. (Alice’s bases return back to the original bases in the conclusion of the
complementary principle.) This explains why an important aspect of our proof is
the analysis of a modified protocol in which Bob uses the wrong bases. It also
explains why the analysis of this modified protocol requires that we consider a
scenario in which Alice also uses the wrong bases.
We said that to apply the complementary principle we must have that Bob
obtains a lot of information. It is not sufficient that Bob uses the same bases as
Alice to guarantee that he obtains a lot of information. For example, Eve could
keep Alice’s photons and send other photons to Bob. It is here that the test on a
random set R and the randomness of Alice’s bases are important. As explained in
Lemma 2, it is very unlikely in the above scenario (where Alice and Bob use the
same bases) that the test on R is successful and yet Bob obtains little information
about Alice’s bits outside R. So essentially there are two cases to consider: (1)
the test fails and (2) Bob has a lot of information. We do not have to worry about
what happens when the test fails. When the test is successful we apply the
complementary principle.
Thus far, we explained how the complementary principle can be used to prove
privacy in the modified protocol. To conclude, we need to return to the original
protocol. Fortunately, as we will see, Bob’s measurement on the nontested
positions does not influence Eve’s measurement and the classical data that is
received by Eve, nor Alice’s private key. Therefore, one can swap Bob’s bases on
the nontested positions back to their original orientation in the above conclusion
without altering Alice’s private key, nor Eve’s knowledge on Alice’s private key.
However, we cannot swap Bob’s bases on the tested positions without modifying
Eve’s view and, in fact, even the test result would not be identical. To solve this
problem we will use the complementary principle as we explained above but only
on the nontested positions, that is, only the bases in the nontested positions will
be flipped in the modified protocol. Bob’s modified string of bases (flipped
outside R) will be denoted b̃. As we will see, this partial flip of bases will not be
a problem.
Formally, the proof will look as follows: First, privacy in the protocol is
reduced to privacy in the modified protocol where Bob uses the flipped bases b̃.
Second, we apply our general model to the modified protocol to obtain a POVM
description of the attack. Third, privacy in the modified protocol is proven by
considering our scenario in which Alice also uses the flipped bases b̃.

5.2. THE MODIFIED PROTOCOL. Here, we define the modified protocol and
reduce privacy in the original protocol to privacy in the modified protocol. Note
that the modified protocol that we will define is not a QKD protocol because
Bob does not learn the final key. The modified protocol does not accomplish any
practical task, but nevertheless a key is defined and kept secret by Alice. Privacy
in this modified protocol means privacy of this key. We will show that, for every
eavesdropping strategy in the original protocol, there is a corresponding strategy
in the modified protocol so that Eve can obtain as much or more information
about the key in the modified protocol as in the original protocol. We will then
bound Eve’s information in the modified protocol.
We first define an intermediary protocol and next the modified protocol. The
intermediary protocol is identical to the original protocol except that Bob uses
the opposite basis on the untested positions $i \notin R$. The basic idea behind this
approach was first explained and used in Mayers [1995]. To be more precise, let

$$\tilde b[i] = \begin{cases} b[i] & \text{if } i \in R \\ \bar b[i] & \text{if } i \notin R, \end{cases}$$

where $\bar b[i]$ denotes the basis opposite to $b[i]$.
In the intermediary protocol, Bob does as before except that he executes the
measurement with the string of bases b̃ rather than b. The same string b is
announced so that the key is defined as before by Alice. This description entirely
determines the behavior of the protocol as a random experiment. The sets E and
T are defined as before in terms of b, not b̃. We will now show the following
proposition.

PROPOSITION 4. If the algorithm used by Eve to cheat in the intermediary
protocol is the same as in the original protocol, the distribution of probability of
(v, k) will be identical in both protocols.

PROOF. For precision, the proof will use the POVM formalism and the
terminology of Section 3.4, but the intuition in the proof can be understood
without making use of this formalism. The idea is to follow the protocol and see
that at every step, whether Bob uses the bases b or the bases b̃ to measure the
photons, the information that Eve has about the string g is the same in both
cases. In particular, it is clear that just after the quantum transmission, before
Bob measures the photons, the two cases cannot be distinguished. Next, one can
argue that, if we assume that the pair $(\mathcal{D}, h[R])$ announced by Bob has the same
distribution of probability whether b or b̃ is used, then Eve cannot see any
difference. She cannot see any difference because only the bases in $\{1, \ldots, N\} - R$
are flipped and only $(\mathcal{D}, h[R])$ is announced.
The proof formalizes this idea in the POVM formalism. We first describe Eve’s
attack. The overall quantum system is $H_Q = H_A \otimes H_B \otimes H_E$, where $H_A$ is the
state space for the photons, $H_B$ is Bob’s received system and $H_E$ is an extra
system used by Eve. In the honest protocol, we have $H_B = H_A$ because, in our
model of communication, the control over the system $H_A$ (Alice’s photons) is
simply passed to Bob. In the dishonest case, without loss of generality, we can
consider that $H_A$ and $H_B$ are different systems. At the beginning, $H_A$ is
controlled by Alice whereas $H_B$ and $H_E$ are controlled by Eve. During the
quantum transmission, everything is controlled by Eve. After the quantum
transmission, Eve controls $H_E$ (and $H_A$) and the control over $H_B$ is passed to
Bob. Without loss of generality, we assume that no information is left in $H_A$ after
the quantum transmission.
The initial random classical information in the protocol (see Section 3.4) is
$\hat c = (a, b, R, g, \hat K)$, where $\hat K$ denotes the random bits that will be used to pick
the matrix K. The overall quantum measurement outcome (see Section 3.4) is
$\hat q = (\mathcal{D}, h, j)$. Eve’s view $v = (c, q)$ is the deterministic function of $\hat v = (\hat c, \hat q)$
defined by

$$c = (a, b, R, g[R], s, K) \quad \text{and} \quad q = (\mathcal{D}, h[R], j),$$

where $s = K \cdot g[E]$ in which $E = \Omega - R$. One must see that it is possible to
compute c given $\hat v$. It is possible to compute E given $\mathcal{D}$ and $\hat c$. The details of the
computation of K are not given.
Now, we consider the overall sequence of operations executed in the protocol.
We will consider Eve’s view later. We denote by U the unitary transformation on
$H_Q$ executed by Eve during the quantum transmission. We denote by $E^B_{\mathcal{D}, h \mid b}$
Bob’s honest (but possibly defective) measurement operator on $H_B$, which
depends on b. We denote by $E^E_{j \mid c, \mathcal{D}, h[R]}$ Eve’s final measurement operator on $H_E$
executed in view of $(c, \mathcal{D}, h[R])$. In accordance with the extended operator
formalism described in Section 3.4, the POVM on $H_C \otimes H_Q$ returning $\hat v = (\hat c, \hat q)$ has the form

$$E_{\hat v} = E_{\hat c, \hat q} = P_{\hat c}\, E_{\mathcal{D}, h, j \mid \hat c}, \tag{14}$$

where

$$E_{\mathcal{D}, h, j \mid \hat c} = U^\dagger \big( E^E_{j \mid \hat c, \mathcal{D}, h[R(\hat c)]} \otimes E^B_{\mathcal{D}, h \mid b(\hat c)} \big) U. \tag{15}$$

To derive Eq. (15), one must use the collapse operation formalism. In accordance
with this formalism, the POVM $E^E_{j \mid \hat c, \mathcal{D}, h[R(\hat c)]}$ on $H_E$ can be written in the
form

$$E^E_{j \mid \hat c, \mathcal{D}, h[R(\hat c)]} = A^{E\dagger}_{j \mid \hat c, \mathcal{D}, h[R(\hat c)]}\, A^E_{j \mid \hat c, \mathcal{D}, h[R(\hat c)]},$$

where $A^E_{j \mid \hat c, \mathcal{D}, h[R(\hat c)]}$ is the collapse operation on $H_E$ associated with $E^E_{j \mid \hat c, \mathcal{D}, h[R]}$.
Similarly, there is a collapse operation $A^B_{\mathcal{D}, h \mid b(\hat c)}$ on $H_B$ associated with
$E^B_{\mathcal{D}, h \mid b(\hat c)}$. In accordance with Section 3.3, the overall collapse operation on the
quantum part $H_Q$, including the initial unitary operation U, is

$$A_{\mathcal{D}, h, j \mid \hat c} = \big( A^E_{j \mid \hat c, \mathcal{D}, h[R(\hat c)]} \otimes A^B_{\mathcal{D}, h \mid b(\hat c)} \big) U.$$

So the overall POVM on $H_Q$ is

$$E_{\mathcal{D}, h, j \mid \hat c} = A^\dagger_{\mathcal{D}, h, j \mid \hat c}\, A_{\mathcal{D}, h, j \mid \hat c} = U^\dagger \big( E^E_{j \mid \hat c, \mathcal{D}, h[R(\hat c)]} \otimes E^B_{\mathcal{D}, h \mid b(\hat c)} \big) U,$$

which is consistent with (15).


Now, let us consider the POVM for Eve’s view v. The only components of $\hat v = (\hat c, \hat q)$
which are not functions of v are $g[\bar R]$, where $\bar R = \{1, \ldots, N\} - R$, and
$h[\mathcal{D} - R]$, that is, we can write

$$\hat v = \hat v(g[\bar R], h[\mathcal{D} - R], v).$$

Using formula (7) in Section 3.3 for the first equality and $\hat v = \hat v(g[\bar R], h[\mathcal{D} - R], v)$ for the second equality, we obtain

$$E_v = \sum_{\hat v \mid v(\hat v) = v} E_{\hat v} = \sum_{g[\bar R]} \sum_{h[\mathcal{D} - R]} E_{\hat v(g[\bar R], h[\mathcal{D} - R], v)}.$$

We must obtain that the POVM $E_v$ (the sum of $E_{\hat v}$ over all $\hat v = \hat v(h[\mathcal{D} - R], g[\bar R], v)$) is the same in both protocols. We recall that the only difference
between the protocols is that b is replaced by b̃. The sum is over $h[\mathcal{D} - R]$ and
$g[\bar R]$, but it will be enough to consider the sum over $h[\mathcal{D} - R]$ only. The only
term in $E_{\hat v} = E_{\hat c, \hat q}$, in formulas (14) and (15), which depends upon $h[\mathcal{D} - R]$ is
$E^B_{\mathcal{D}, h \mid b(\hat c)}$, the operation on Bob’s system $H_B$. This fact corresponds to our
intuition that what is going on before Bob measures the photons cannot make
any difference. Therefore, we must consider the sum

$$\sum_{h[\mathcal{D} - R]} E^B_{\mathcal{D}, h \mid b},$$

and show that it is the same if we replace b by b̃. (In the above sum and from
there on, we will not write explicitly the dependence on $\hat c$.) To better interpret
this sum, note that h is uniquely determined by $\mathcal{D}$, $h[R]$ and $h[\mathcal{D} - R]$, that is,
we can replace $E^B_{\mathcal{D}, h \mid b}$ by $E^B_{\mathcal{D}, h[R], h[\mathcal{D} - R] \mid b}$. Now, in accordance with formula (7),
we have that this sum is nothing else than $E^B_{\mathcal{D}, h[R] \mid b}$, the POVM associated with
the partial outcome $(\mathcal{D}, h[R])$ given b, that is,

$$E^B_{\mathcal{D}, h[R] \mid b} \stackrel{\text{def}}{=} \sum_{h[\mathcal{D} - R]} E^B_{\mathcal{D}, h[R], h[\mathcal{D} - R] \mid b}.$$

The operator $E^B_{\mathcal{D}, h[R] \mid b}$ implicitly depends on R because the choice of the set R is
part of its formal definition.³ It is a fact of linear algebra that the requirement
that $E^B_{\mathcal{D}, h[R] \mid b}$ is the same as $E^B_{\mathcal{D}, h[R] \mid \tilde b}$ is equivalent to our assumption that, for
every state in $H_B$, the distribution of probability of $(\mathcal{D}, h[R])$ is the same
whether b or b̃ is used to measure the photons. We have obtained under this
assumption that Eve’s information is the same in the intermediary protocol as in
the original protocol. This concludes the proof. □
Now we use the intermediary protocol to describe the modified protocol. In
the intermediary protocol, one can assume that there is a box on Bob’s side that
computes (R, b, b̃). This box secretly unveils b̃ to Bob at the beginning so that
Bob can execute his measurements in these bases. Just before the test, this box
publicly announces R and b so that Bob can execute the test with Alice as in the
original protocol. This alternative description of the intermediary protocol makes
no difference at all for Eve since she does not care about who computes (R, b,
b̃) and who makes the announcements, as long as the distribution of (R, b, b̃),
the measurements and the announcements are the same.

³ This is not the same thing as saying that the measurement itself is executed in view of R in the
protocol. The dependence on R is OK because R is in v and we are interested in $E_v$.
The modified protocol is like this intermediary protocol except that (1) Bob
publicly announces b̃ at the beginning, (2) Bob publicly announces h just before
the announcement of R by the box, (3) Alice publicly announces $g[\bar E]$ where $\bar E = \{1, \ldots, N\} - E$ after the announcement of E (i.e., of b, R and a), and (4) Eve
can corrupt Bob, but not the box. It is not hard to see that, after each
modification, Eve can only have more information or power than she had
previously, but even so we shall bound the total information available to Eve in
the modified protocol. We gain the advantage that Eve and Bob become like a
single participant called Eve–Bob who can use any measurement s/he wants to
learn about the key. The new situation, which contains only two participants, is
much simpler. The first participant, Alice, sends photons that encode a key, and
the second participant, Eve–Bob, tries to find out what this key is via an
appropriate measurement. The constraint on Eve–Bob is that h and b̃ must be
announced before the tested positions R and the string of bases a are known.
5.3. THE MODIFIED PROTOCOL IN OUR MODEL. Essentially, in this section, we
apply the basic mechanisms of Section 3.4 to the modified protocol and then
provide basic formulas that will be useful later in our proof. Let $H_A$ be Alice’s
original system. In principle, when Eve–Bob receives control over $H_A$ s/he is free
to use an extra system $H_B = H_E$. However, Eve–Bob’s system $H_B = H_E$ can be
considered as an auxiliary system used by Eve–Bob to execute the most general
POVM [Peres 1993]. We already use the POVM formalism to describe Eve–
Bob’s measurement, so without loss of generality, we do not need the extra
system $H_B = H_E$. This extra system is implicit in the POVM formalism.
The overall measurement outcome is $\hat q = (\mathcal{D}, h, j)$. We have that $\hat c = (\tilde b, a, R, g, \hat K)$, where $\hat K$ represents the random bits that will be used to generate K
(and possibly F if we use a random error-correcting code). The string b is a
function of R and b̃ and so is not included in $\hat c$ (but there would be no harm to
include it). The string of classical announcements received by Eve–Bob is $c = (\tilde b, a, R, E, g[\bar E], K, F, s)$. Eve–Bob’s quantum outcome is $q = \hat q = (\mathcal{D}, h, j)$
where h is the outcome of the measurement executed by Eve–Bob on $H_A$ to pass
the test and j is the outcome of the measurement executed by Eve–Bob on the
residual system after the first measurement. Eve–Bob’s view is $v = (c, q)$.
It is not hard to see that v respects conditions C1 and C2. Without loss of
generality, we conservatively consider that the operator $E_{q \mid c}$ on $H_A$ has rank one,
that is, $E_{q \mid c} = |\phi_{c,q}\rangle\langle\phi_{c,q}|$ for some nonnormalized state $|\phi_{c,q}\rangle$. The initial
random state is $|\hat c\rangle_C\, |\Psi(g, a)\rangle$ with probability $p(\hat c)$ (which probability we will
not need to compute). The corresponding density matrix is denoted $\rho$. We have
$E_v = P_{c \mid q}\, E_{q \mid c}$. We denote by $\mathrm{Tr}_A$ the trace over $H_A$.
Our first basic formula is for p(v). Using Proposition 2, we obtain

$$p(v) = p(c{:}q)\, \mathrm{Tr}_A(E_{q \mid c}\, \rho_{c \mid q}). \tag{16}$$


We compute $\rho_{c \mid q}$ as explained in Section 3.4 (see remark after Proposition 2).
The density matrix $\rho_{c \mid q}$ is the density matrix that is obtained when we prepare
$|\Psi(\hat c)\rangle$ uniformly at random and only keep the states with $c_q = c$. We recall that
$c_q \stackrel{\text{def}}{=} c(\hat c, q)$. We think of $\hat c$ as the outcome of a random experiment on which we
define the random variable $c_q$ (with parameter q). In our protocol, we have
$\Psi(\hat c) = \Psi(g, a)$ and, for given c and q, one can check that the constraint $c_q = c = (\tilde b, a, R, \ldots, s)$ on (g, a) corresponds to the three constraints $a = a$,
$g[\bar E] = g[\bar E]$ and $F \cdot g[E] = s$, where $\bar E = \{1, \ldots, N\} - E$. Note that, for
given c and q, the set E and the matrix F are uniquely determined so that E and
F can be interpreted as fixed parameters in the above constraints. Let

$$C_s = \{\alpha \in \{0, 1\}^E \mid F \cdot \alpha = s\}.$$

We obtain that $\rho_{c \mid q}$ is the product $|\Psi_{\bar E}\rangle\langle\Psi_{\bar E}| \otimes \tilde\rho_s$, where

$$|\Psi_{\bar E}\rangle = |\Psi(g[\bar E], a[\bar E])\rangle \tag{17}$$

is the pure state for the photons in $\bar E = \{1, \ldots, N\} - E$ and $\tilde\rho_s$ corresponds to
a uniform distribution over the states $|\Psi(\alpha, a[E])\rangle$ with $\alpha \in C_s$:

$$\tilde\rho_s = |C_s|^{-1} \sum_{\alpha \in C_s} |\Psi(\alpha, a[E])\rangle\langle\Psi(\alpha, a[E])|. \tag{18}$$

The state

$$\underbrace{\tilde\phi_{c,q}}_{\text{on } E} = \langle \Psi_{\bar E} |\, \underbrace{\phi_{c,q}}_{\text{on } \{1, \ldots, N\}} \tag{19}$$

appears naturally in the computation of p(v) because $\rho_{c \mid q}$ corresponds to the
pure state $\Psi_{\bar E}$ on $\bar E$ and, we recall, $E_{q \mid c} = |\phi_{c,q}\rangle\langle\phi_{c,q}|$. The component in $\bar E$ of
$\phi_{c,q}$ is used in the inner product with $\Psi_{\bar E}$ so that $\tilde\phi_{c,q}$ is the residual state for the
photons in E (see Section 3.3). We obtain

$$\mathrm{Tr}_A(E_{q \mid c}\, \rho_{c \mid q}) = \langle\phi_{c,q}|\rho_{c \mid q}|\phi_{c,q}\rangle = \underbrace{\langle\tilde\phi_{c,q}|\tilde\rho_s|\tilde\phi_{c,q}\rangle}_{\text{on } E}. \tag{20}$$

So, using (16) and (20), we obtain

$$p(v) = p(c{:}q)\, \langle\tilde\phi_{c,q}|\tilde\rho_s|\tilde\phi_{c,q}\rangle. \tag{21}$$

We now prove a generalization of (20). Let $\Pi$ and $\Pi'$ be any two operators on
the state space for the photons in E. The generalization of (20) is

$$\mathrm{Tr}_A(E_{q \mid c}\, \Pi \rho_{c \mid q} \Pi') = \langle\tilde\phi_{c,q}|\Pi \tilde\rho_s \Pi'|\tilde\phi_{c,q}\rangle. \tag{22}$$

We recall that $\rho_{c \mid q}$ corresponds to the pure state $\Psi_{\bar E}$ on $\bar E$ (and to $\tilde\rho_s$ on E), and
$E_{q \mid c} = |\phi_{c,q}\rangle\langle\phi_{c,q}|$. Also, by hypothesis, $\Pi$ and $\Pi'$ are only defined on E.
Therefore, the inner product between $\Psi_{\bar E}$ and $\phi_{c,q}$ will return the residual state
$\tilde\phi_{c,q}$ on E as in (21). So we have obtained (22).

It is easy to compute p(k, v) using the same technique. The only difference is
that k is added to the view. It is as if the new syndrome was (s, k) rather than s
only. We obtain

$$p(k, v) = p(c, k{:}q)\, \langle\tilde\phi_{c,q}|\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle. \tag{23}$$

The normalized density matrix $\tilde\rho_{s,k}$ is defined as $\tilde\rho_s$ via (18) except that instead of
$C_s$ we use

$$C_{s,k} = \{\alpha \in \{0, 1\}^E \mid F \cdot \alpha = s \wedge K \cdot \alpha = k\}.$$

In accordance with Section 3.4 (see remark after Proposition 2), $p(c, k{:}q)$ in
(23) is the probability that $(c, k)_q = (c, k)$ where $(c, k)_q$ is a function of $\hat c$ which
is defined in the protocol when $q = (\mathcal{D}, h, j)$ is fixed. We can take the point of
view that $(c, k)_q$ is a random variable defined on $\hat c$. For a given q, the value of
this random variable can be computed by first obtaining $c = c(\hat c, q)$ and then k
using $k = K \cdot g[E]$. By definition, the probability of obtaining c in this
computation is $p(c{:}q)$. The probability of every k is $2^{-m}$ independently of the
view $v = (c, q)$. So, we have

$$p(c, k{:}q) = 2^{-m}\, p(c{:}q). \tag{24}$$

5.4. PRIVACY IN THE MODIFIED PROTOCOL. In this section, we prove privacy
in the modified protocol. The proof follows the work of Mayers [1995; 1996],
Mayers and Salvail [1994], and Yao [1995]. There are three important lemmas in
the proof: Lemmas 5, 6, and 7. A variation on Lemma 5 for the case $r = 0$ and
$m = 1$ and a statement close to Lemma 6 (also for the case $r = 0$ and $m = 1$)
was provided in Yao [1995] in the context of a different cryptographic application
called quantum oblivious transfer. No variation on Lemma 7 was proven
before.
In accordance with Section 2, it is sufficient to obtain that $\mathcal{P} \Rightarrow_\xi \mathcal{N}_\sigma$ where
$\mathcal{P} \stackrel{\text{def}}{=} \mathcal{P}_T \wedge \mathcal{X}'_2 \wedge \mathcal{X}_3$ and both $\xi$ and $\sigma$ must be exponentially small. The proof
breaks the (probabilistic) implication $\mathcal{P} \Rightarrow_\xi \mathcal{N}_\sigma$ into two implications, $\mathcal{P}_T \Rightarrow_\gamma \mathcal{S}$
and $(\mathcal{S} \wedge \mathcal{X}'_2 \wedge \mathcal{X}_3) \Rightarrow_{\lambda + \eta + 2\sqrt{2\eta}} \mathcal{N}_\sigma$, where $\mathcal{S}$ is called the small sphere property
and $\xi = \gamma + \lambda + \eta + 2\sqrt{2\eta}$. The small sphere property as well as $\gamma$, $\lambda$, $\sigma$ and $\eta$
will be defined later.

5.4.1. Some Intuitions. In the modified protocol, Bob’s bases are flipped. We
already explained (see Section 5.1) the intuition that in the proof we need to flip
Alice’s bases as well. Here, we provide some intuitions from the point of view of
Eve–Bob, that is, we start with the modified protocol. We will obtain the same
conclusion and more. To get to the essence of the problem we analyze the case
where Eve–Bob attacks each photon individually (see Mayers and Salvail [1994]
and references therein for previous analyses). Consider the ith photon sent from
Alice to Eve–Bob. When Eve–Bob attacks one photon at a time, s/he wants to
maximize her information about the bit g[i] for the case where $i \in E$ (i.e., $a[i] \neq \tilde b[i]$),
but at the same time she wants to minimize the probability of creating
an error for the case $i \in T$ (i.e., $a[i] = \tilde b[i]$).
The problem is how to obtain a constraint for the case i 僆 E using a constraint
that results from the case i 僆 T. This issue becomes more important when we
consider the most general attack, but it is already not so obvious when we
consider the individual attack. In the case of the individual attack, this issue is
addressed [Mayers and Salvail 1994] by first obtaining a constraint on Eve–Bob’s
measurement operators. As a first step, the constraint will only apply to the
measurement operators associated with the outcomes h[i]. It will not apply to
the measurement operators associated with the entire data received by Eve about
the bit g[i].
The idea used in Mayers and Salvail [1994] is that this constraint will also be
valid in the case i 僆 E, because the measurement operators associated with the
outcomes h[i] must be defined by Eve–Bob independently of whether i belongs
to T or E. This is the case because Bob (in Eve–Bob) immediately notes the
value of h[i] when he receives the photons which happens before the announce-
ment of R and a. Therefore, this constraint applies to the case i 僆 E despite the
fact it comes from the fictive situation i 僆 T. However, this constraint applies to
the outcome h[i] only; it does not directly apply to Eve–Bob’s final view after
s/he made her final measurement on the photon. This issue can be addressed
using the fact that the final measurement operator is a refinement of the
incomplete measurement operator associated with h[i] [Mayers and Salvail
1994]. In the case of the most general attack, we will see that a related issue will
be addressed in a similar way.
However, one should not look for an exact correspondence between the proof
against individual attacks and the proof against all attacks. Here the main ideas
that we wanted to emphasize are (1) as in the case of the individual attacks, a
fictive test associated with flipped bases on Alice’s side will be used to obtain a
constraint on Eve–Bob’s measurement operator and (2) we need to consider a
partial view to connect the fictive test with the real situation.
In this fictive test, Alice prepares the initial random state of the photons in
Bob’s fixed bases b̃[i], rather than in the random bases a[i]. However, b̃ is only
used for the quantum preparation. The string of bases announced by Alice is a as
before, not b̃. She uses ( g, b̃) for the photons. This fictive situation is easier to
analyze because (as in the case of the individual attack) we have that Alice and
Bob use the same bases to encode and measure the photons respectively.
We will use Lemma 2 to obtain a bound on the number of errors that would be
created on E in this fictive situation, the idea being that such a bound will give us
a constraint on Eve–Bob’s measurement operator, the small sphere property. As
in the case of individual attacks, we will have to swap from the fictive situation to
the real situation using the fact we consider only a part of Eve’s view. The main
ingredient that we will use is the fact the initial density matrices for the photons
needed to obtain the probability of the partial view $z = (\tilde b, \mathcal{D}, a, R, h)$ via
Proposition 2 are one and the same density matrix, the fully mixed density
matrix, in both situations (the fictive and the nonfictive). Note that it is sufficient
to swap the bases used in the quantum preparation because Alice’s announce-
ments for the bases are the same in the fictive as in the real situation. The bases
b̃ are only used by Alice in the quantum encoding, not in the classical
announcement.

5.4.2. The Strong Small Sphere Property. Before analyzing any statement that
involves the small sphere property $\mathcal{S}$, we will prove Lemma 5, which is about a
closely related property, called the strong small sphere property. This lemma will
provide some intuition about how the small sphere property $\mathcal{S}$ works and it will
directly be used later in the proof of the implication $\mathcal{S} \wedge \mathcal{X}'_2 \wedge \mathcal{X}_3 \Rightarrow_{\lambda + \eta + 2\sqrt{2\eta}} \mathcal{N}_\sigma$.
As explained before, the property is given in terms of a fictive preparation where
Alice uses Bob’s bases b̃. For any $\alpha$, we denote by $|\alpha\rangle = \Psi(\alpha, \tilde b[E])$ the string
$\alpha$ encoded in E using Bob’s bases $\tilde b[E]$.
Definition 5. Consider any state $\tilde\phi$ in the state space for the photons in E
(not necessarily the state $\tilde\phi_{c,q}$ given by (19)). We say that $\tilde\phi$ has the strong small
sphere property with radius $d''$ if whenever $\alpha \in \{0, 1\}^E$ does not lie strictly
inside the sphere of radius $d''$ around $h[E]$ (in the Hamming distance), we have
that $\langle\tilde\phi|\alpha\rangle = 0$.

Remark. In accordance with the basic intuition that was given at the very
beginning of the proof, we want to show that Bob receives a lot of information
when Alice uses the string of conjugate bases $\tilde a[E] = \tilde b[E]$ on E. (In the
modified protocol, Bob already uses the conjugate bases $\tilde b[E]$ on E.) The strong
small sphere property (strong ssp) implies that Bob has a lot of information
because it puts an upper bound on $d_E(g, h)$, the number of errors in Bob’s string
h restricted to E. The strong ssp says that, given that Alice’s initial state is
encoded in the string of conjugate bases b̃, the outcome associated with $|\tilde\phi\rangle\langle\tilde\phi|$
ensures that the number of errors is strictly smaller than $d''$, it being implicit here
that $|\tilde\phi\rangle\langle\tilde\phi|$ is a measurement operator that returns the outcome $h[E]$.

An Example. The goal here is to illustrate the strong small sphere property.
This example should not be considered as an illustration of the entire proof; only
the strong small sphere property is illustrated. We consider a simple kind of
attack where Eve–Bob announced the string of bases $\tilde b[E] = {+}{+}\cdots{+}{+}$ on
E at the beginning, but Eve–Bob cheated and actually measured in the flipped
string of bases $\tilde b^*[E] = {\times}{\times}{+}\cdots{+}{+}$: the bases for the first two positions in
E have been flipped with respect to the bases $\tilde b[E]$. (Eve–Bob can obtain such a
situation with a significant probability by flipping few bases at random.) Let us
assume that the outcome on E is $h[E] = 00\cdots0$. We will see that the state
$\Psi(h[E], \tilde b^*[E])$ has the strong small sphere property with radius 3. The
associated “bra” operation is

$$\langle\Psi(h[E], \tilde b^*[E])| = \tfrac{1}{2}\big(\langle 000\cdots0| + \langle 010\cdots0| + \langle 100\cdots0| + \langle 110\cdots0|\big).$$

There are only four strings $\alpha \in \{0, 1\}^E$ on E such that

$$|\langle\Psi(h[E], \tilde b^*[E])|\alpha\rangle| \neq 0.$$

These are the four strings that label the four components of $\langle\Psi(h[E], \tilde b^*[E])|$.
These four strings lie strictly inside a sphere of radius 3 around $h[E]$. Therefore,
the state $\Psi(h[E], \tilde b^*[E])$ has the strong small sphere property with radius 3. □
The strong small sphere property is too strong to be a property of the actual
collapse operation executed by Eve–Bob on the photons in E. This property
cannot be obtained, not even probabilistically. It corresponds to the ideal
requirement that the test on E passes with probability exactly 1 given that this
collapse operation occurred. Nevertheless, it will be useful in the proof to first
consider this ideal situation. The next lemma says that if a state $|\phi\rangle$ has the
strong small sphere property then the associated collapse operation provides no
information at all about the final key. This lemma combines privacy
amplification and the complementary principle in an intricate manner. The
complementary principle is used in the following sense: the strong small
sphere property on $|\phi\rangle$ says that the associated collapse operation provides
faithful information about Alice’s string g[E] if Alice uses the flipped bases b̃.
Privacy amplification is used because we directly consider the density matrix
associated with the final key. We emphasize that the approach in which one first
obtains a bound on some kind of information (such as the collision information)
about Alice’s raw key g[E] and then separately uses standard privacy amplification
techniques [Bennett et al. 1988] to obtain a much smaller bound on the final
key has not succeeded thus far in quantum cryptography.

LEMMA 5. For every key $k \in \{0, 1\}^m$ and syndrome $s \in \{0, 1\}^r$, consider the
density matrix

$$\tilde\rho_{s,k} \stackrel{\text{def}}{=} |C_{k,s}|^{-1} \sum_{\alpha \in C_{k,s}} |\Psi(\alpha, a[E])\rangle\langle\Psi(\alpha, a[E])|,$$

where $C_{s,k}$ is the set of strings $\alpha \in \{0, 1\}^E$ consistent with the key k and the
syndrome s, that is, for which $F \cdot g[E] = s$ and $K \cdot g[E] = k$. Consider any state
$\tilde\phi$ on the state space for the photons in E (not necessarily the state $\tilde\phi_{c,q}$). If $\tilde\phi$ has
the strong small sphere property with radius $d'' \le d_W/2$, then $\langle\tilde\phi|\tilde\rho_{k,s}|\tilde\phi\rangle$ is
independent of k.

Consider a fixed view $v = (c, h, j)$. If $\tilde\phi_{c,q}$ given by (19) has the strong small
sphere property with radius $d''$, we say that the view v has the strong small sphere
property with radius $d''$.

COROLLARY 1. If v has the strong small sphere property with a radius $d'' \le d_W/2$, then v is 0-informative about every k, that is, $p(k \mid v) = 2^{-m}$ for every k.

PROOF OF THE COROLLARY. It will be sufficient to show that $p(k \mid v)$ is
independent of k. Using (23), we obtain

$$p(k \mid v) = p(v)^{-1}\, p(k, v) = p(v)^{-1}\, p(c, k{:}q)\, \langle\tilde\phi_{c,q}|\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle.$$

Using (24), we obtain that $p(c, k{:}q) = 2^{-m}\, p(c{:}q)$ is independent of k. Using
Lemma 5, we also have that $\langle\tilde\phi_{c,q}|\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle$ is independent of k. This concludes
the proof of the corollary. □

Unlike Lemma 5, this corollary will not be used in the proof of privacy because
a successful test does not imply that v has the strong small sphere property, not
even probabilistically. This corollary is only provided to support the intuition. It
says that something like the strong small sphere property is desired for privacy.

PROOF OF LEMMA 5. We first do the case where $r = 0$ (no error-correction),
$m = 1$ and the one-row binary matrix K is $[11 \ldots 11]$. In this case, we have $d_W = n_E$.
Also, one can easily compute the density matrices $\tilde\rho_0$ and $\tilde\rho_1$, respectively,
associated with Alice’s preparation for the photons in E when the key is $k = 0$
and $k = 1$. We recall that, for every $\alpha \in \{0, 1\}^{n_E}$, we defined $|\alpha\rangle \stackrel{\text{def}}{=} \Psi(\alpha, \tilde b[E])$.
One obtains that the matrix $[\Delta\tilde\rho]_{\{|\alpha\rangle\}}$ of $\Delta\tilde\rho \stackrel{\text{def}}{=} \tilde\rho_0 - \tilde\rho_1$ in Bob’s basis
$\{|\alpha\rangle\} \stackrel{\text{def}}{=} \{|\alpha\rangle \mid \alpha \in \{0, 1\}^E\}$ is

in which there are 0 everywhere except when indicated otherwise by the dotted
line. The indices $\alpha \in \{0, 1\}^E$ for the rows in the matrix are ordered in such a
way that any two indices $\alpha_1, \alpha_2 \in \{0, 1\}^E$ that are at maximal Hamming
distance $n_E$ are always adjacent, and the same ordering is used for the indices
$\alpha' \in \{0, 1\}^E$ for the columns. The entries in the matrix are $\langle\alpha|\Delta\tilde\rho|\alpha'\rangle$, where
$\alpha, \alpha' \in \{0, 1\}^E$. We have that $\langle\alpha|\Delta\tilde\rho|\alpha'\rangle = 0$ unless $d(\alpha, \alpha') \ge d_W = n_E$. The matrix
$[\Delta\tilde\rho]_{\{|\alpha\rangle\}} = [\Delta\tilde\rho^{(n_E)}]_{\{|\alpha\rangle\}}$ can be obtained using the recurrence formula

$$\Delta\tilde\rho^{(n)} = \frac{1}{2}\, \Delta\tilde\rho^{(n-1)} \otimes \big(\tilde\rho^{(1)}_0 - \tilde\rho^{(1)}_1\big),$$

which can be obtained with some algebra using the formula

$$\tilde\rho^{(n)}_b = \frac{1}{2} \Big[ \tilde\rho^{(n-1)}_0 \otimes \tilde\rho^{(1)}_b + \tilde\rho^{(n-1)}_1 \otimes \tilde\rho^{(1)}_{\bar b} \Big].$$

Now, we want to show that the probability of v is the same given both density
matrices. So, we want to show that $\langle\tilde\phi_{c,q}|\Delta\tilde\rho|\tilde\phi_{c,q}\rangle = 0$. We have that

$$\langle\tilde\phi_{c,q}|\Delta\tilde\rho|\tilde\phi_{c,q}\rangle = \sum_{\alpha, \alpha'} \langle\tilde\phi_{c,q}|\alpha\rangle\langle\alpha|\Delta\tilde\rho|\alpha'\rangle\langle\alpha'|\tilde\phi_{c,q}\rangle.$$

We show, in two cases, that every term in the sum is 0.

Case 1. If $d(\alpha, \alpha') \ge d_W = n_E$, then, because $\tilde\phi_{c,q}$ has the strong small
sphere property with radius $d_W/2$, either $\langle\tilde\phi_{c,q}|\alpha\rangle = 0$ or $\langle\alpha'|\tilde\phi_{c,q}\rangle = 0$.

Case 2. If $d(\alpha, \alpha') < n_E$, then $\langle\alpha|\Delta\tilde\rho|\alpha'\rangle = 0$. This concludes the proof for
the simple case where $m = 1$ and $r = 0$.
Now we do the proof for the general case where m, r ⬎ 0. The matrix
[ ˜␳ s, k ] ␣ , ␣ ⬘ is given by

共 ␳˜ s, k 兲 ␣ , ␣ ⬘

⫽2⫺nE 再 0
共⫺1兲 ␭(␣Q␣⬘)•(s,k)
otherwise,
兾 C ⬜关 G 兴
if 共␣ 丣 ␣⬘兲 僆

where

G⫽ 冉冊 F
K
,

C ⬜ [G] is the code generated by G (see Appendix C) and ␭ is the coordinate


function that when evaluated on any string ␣ 僆 C ⬜ [G] returns the string
coordinate ␭(␣) such that ␭ ( ␣ ) • G ⫽ ␣ . The computation is provided in
384 DOMINIC MAYERS

Appendix D. By definition of d W , if the weight of (␣ Q ␣⬘), which is the same as


d( ␣ , ␣ ⬘), is strictly smaller than d W , then ␭(␣ Q ␣⬘) vanishes in its K-section. We
obtain that, for (␣, ␣⬘) fixed, the sign of the entry [ ˜␳ s, k ] ␣ , ␣ ⬘ depends only on s.
Therefore, d( ␣ , ␣ ⬘) ⬍ d W implies that [⌬ ˜␳ ] ␣ , ␣ ⬘ ⫽ [ ˜␳ s, k ] ␣ , ␣ ⬘ ⫺ [ ˜␳ s, k⬘ ] ␣ , ␣ ⬘
vanishes. The remainder of the proof is identical the proof in the simple case,
and this can be easily checked by the reader. e
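The closed form for $(\tilde\rho_{s,k})_{\alpha,\alpha'}$ and the vanishing of $[\Delta\tilde\rho]_{\alpha,\alpha'}$ below $d_W$ can be checked numerically on a toy instance. The following Python script is an added example, not code from the paper; it assumes a constructed $4$-bit raw key with a one-row syndrome matrix $F$ and a one-row privacy matrix $K$, takes Alice's basis on $E$ to be the computational basis and Bob's basis $\{|\alpha\rangle\}$ to be the conjugate (Hadamard) basis, and works with the integer quantity $2^{n_E}|C_{s,k}|\langle\alpha|\tilde\rho_{s,k}|\alpha'\rangle$ so that no floating point is needed.

```python
from itertools import product

# Toy parameters (constructed for this example, not taken from the paper):
# n_E = 4 raw-key bits, r = 1 syndrome bit (matrix F), m = 1 key bit (matrix K).
N_E = 4
F = [(1, 1, 1, 1)]   # syndrome s = F . g~
K = [(1, 0, 1, 0)]   # key k = K . g~
G = F + K            # G = (F ; K): rows of F first, then rows of K


def dot(x, y):
    return sum(a & b for a, b in zip(x, y)) & 1


def xor(x, y):
    return tuple(a ^ b for a, b in zip(x, y))


def apply(M, x):
    """M . x over GF(2), returned as a tuple of bits."""
    return tuple(dot(row, x) for row in M)


def combine(coeff):
    """The string coeff . G over GF(2): the row combination of G selected by coeff."""
    y = (0,) * N_E
    for c, row in zip(coeff, G):
        if c:
            y = xor(y, row)
    return y


def coset(s, k):
    """C_{s,k}: raw keys g~ in {0,1}^{n_E} with F.g~ = s and K.g~ = k."""
    return [g for g in product((0, 1), repeat=N_E)
            if apply(F, g) == s and apply(K, g) == k]


def lam(x):
    """Coordinate function lambda: the unique coefficient vector with lambda.G = x,
    or None when x is not in the code C^perp[G] generated by G."""
    for coeff in product((0, 1), repeat=len(G)):
        if combine(coeff) == x:
            return coeff
    return None


def entry_numeric(s, k, alpha, alpha_p):
    """2^{n_E} |C_{s,k}| <alpha| rho~_{s,k} |alpha'> computed from the definition:
    rho~_{s,k} is the uniform mixture of |g~><g~| over C_{s,k} (computational basis),
    and in the conjugate basis <alpha|g~><g~|alpha'> = 2^{-n_E} (-1)^{g~.(alpha xor alpha')}."""
    x = xor(alpha, alpha_p)
    return sum((-1) ** dot(g, x) for g in coset(s, k))


def entry_closed_form(s, k, alpha, alpha_p):
    """Same quantity from the closed form in the proof: zero unless alpha xor alpha'
    lies in C^perp[G], otherwise |C_{s,k}| (-1)^{lambda(alpha xor alpha').(s,k)}."""
    coeff = lam(xor(alpha, alpha_p))
    if coeff is None:
        return 0
    return len(coset(s, k)) * (-1) ** dot(coeff, s + k)


def min_weight_with_k_row():
    """d_W: minimal weight over row combinations of G that use at least one K row (G*)."""
    best = N_E + 1
    for coeff in product((0, 1), repeat=len(G)):
        if any(coeff[len(F):]):
            best = min(best, sum(combine(coeff)))
    return best


def closed_form_matches_everywhere():
    """Compare the definition with the closed form for every s, k, alpha, alpha'."""
    strings = list(product((0, 1), repeat=N_E))
    for s in product((0, 1), repeat=len(F)):
        for k in product((0, 1), repeat=len(K)):
            for a in strings:
                for b in strings:
                    if entry_numeric(s, k, a, b) != entry_closed_form(s, k, a, b):
                        return False
    return True


def difference_vanishes_below_dw():
    """Key step of Lemma 5: for d(alpha, alpha') < d_W the entry of
    rho~_{s,k} - rho~_{s,k'} is zero for every s, k, k'."""
    d_w = min_weight_with_k_row()
    strings = list(product((0, 1), repeat=N_E))
    keys = list(product((0, 1), repeat=len(K)))
    for s in product((0, 1), repeat=len(F)):
        for a in strings:
            for b in strings:
                if sum(xor(a, b)) < d_w:
                    if len({entry_numeric(s, k, a, b) for k in keys}) != 1:
                        return False
    return True


if __name__ == "__main__":
    print("d_W =", min_weight_with_k_row())
    print("closed form matches:", closed_form_matches_everywhere())
    print("difference vanishes below d_W:", difference_vanishes_below_dw())
```

With these toy matrices $G^*$ is $\{1010, 0101\}$, so $d_W = 2$; at distance exactly $d_W$ the entries do depend on $k$ (for $\alpha \oplus \alpha' = 1010$ the sign is $(-1)^k$), which shows that the radius in the strong small sphere property cannot be enlarged.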

5.4.3. The First Implication. Here we define and discuss the small sphere
property $\mathcal{S}$ and prove the implication $\mathcal{P}_T \Rightarrow_\gamma \mathcal{S}$ (see Lemma 6). For any set of
positions $X$ and any integer $d'' \geq 0$, let $\Pi_0[X, d'']$ be the projection on the span
of $\{\Psi(\alpha, \tilde b) \mid d_X(\alpha, h) \geq d''\}$, where $d_X(\alpha, h)$ is the Hamming distance between
$\alpha$ and $h$ on $X$.

Definition 6. Let $\tilde\rho_s$ be defined as in Section 5.3. The view $v$ has the small
sphere property $\mathcal{S}$ with radius $d'' > 0$ and precision $\gamma > 0$ if

$$p(c{:}q)\,\langle\tilde\phi_{c,q}|\,\Pi_0[E, d'']\,\tilde\rho_s\,\Pi_0[E, d'']\,|\tilde\phi_{c,q}\rangle \leq \gamma\, p(v) \tag{25}$$

or equivalently

$$\langle\tilde\phi_{c,q}|\,\Pi_0[E, d'']\,\tilde\rho_s\,\Pi_0[E, d'']\,|\tilde\phi_{c,q}\rangle \leq \gamma\,\langle\tilde\phi_{c,q}|\tilde\rho_s|\tilde\phi_{c,q}\rangle. \tag{26}$$

We have already given part of the intuition for the small sphere property when
we discussed the strong small sphere property. Now, we explain the connection
with this intuition. We recall that the strong small sphere property says that any
state encoded in Bob's basis $\tilde b[E]$ on or outside the small sphere is rejected by
$\tilde\phi_{c,q}$. In this way the strong small sphere property says that $v$ provides faithful
information about Alice's string $g[E]$ if Alice uses Bob's basis $\tilde b[E]$. Lemma 5 is
in fact a strong version of the complementary principle because it concludes that
the view $v$ provides no information at all about the key encoded in Alice's
original bases. The states that are on or outside the small sphere span the space
associated with the projection $\Pi_0[E, d'']$. Modulo some small imprecision (that
is quantified by a small value $\gamma$), if we expand the density matrix $\tilde\rho_s$, we see that
the small sphere property expresses a similar requirement as the strong small
sphere property, except that this requirement is now expressed in terms of a
mixture of states $\Pi_0[E, d'']\,\Psi(\alpha, a[E])$, $\alpha \in_R C_s$, obtained from Alice's bases
$a[E]$, not Bob's bases. The indirect connection with Bob's bases is provided by
the projection $\Pi_0[E, d'']$, which is defined in Bob's basis $\tilde b[E]$. As we will see,
this will be close enough to the strong small sphere property. The (not strong)
small sphere property has the technical advantage that it is written in terms of
Alice's original preparation: the matrix $\tilde\rho_s$. An alternative small sphere property
stated in terms of Bob's bases could have been more in accord with the
complementary principle but it would have been difficult to use, and even to
obtain. It works better to only have an indirect connection with Bob's bases via
the projection $\Pi_0[E, d'']$.

Note that in the case $r = 0$ (no error-correction), $\tilde\rho_s$ is proportional to the
identity matrix and therefore, when $r = 0$, the small sphere property with radius
$d''$ is equivalent to

$$\|\Pi_0[E, d'']\,\tilde\phi_{c,q}\|^2 \leq \gamma\,\|\tilde\phi_{c,q}\|^2.$$

In the exact case $\gamma = 0$, the last inequality is the strong small sphere property on
$v$. The basic idea for the (strong) small sphere property was first published in
Yao [1995] in the context of the security of QOT. Historically, the small sphere
property $\mathcal{S}$ was obtained by trying to prove an implication of the form $\mathcal{P}_T \Rightarrow_\gamma \mathcal{S}$
where $\mathcal{S}$ is as close as possible to the strong small sphere property on $v$ [Mayers
1996].

Some brief recapitulation. The next lemma, Lemma 6, says how the test
probabilistically implies the small sphere property $\mathcal{S}$. We just explained that this
small sphere property is the kind of hypothesis that is required to apply the
complementary principle. This complementary principle will be expressed in
Lemma 7, the small sphere property $\mathcal{S}$ being the required hypothesis. The proof
of Lemma 7 makes use of Lemma 5, its strong version in which the strong small
sphere property is the required hypothesis.
LEMMA 6. Let $\gamma = \mu(\epsilon, n_\Omega^{\min})^{1/2}$ where the function $\mu$ is defined as in Theorem
1. We have $\mathcal{P}_T \Rightarrow_\gamma \mathcal{S}$, where $\mathcal{S}$ is the small sphere property with radius $d'' = d_+(\epsilon)$
and precision $\gamma$.

PROOF OF LEMMA 6. Let $\mathcal{P}_E$ be the event that the number of errors in $E$ is
smaller than $d_+(\epsilon)$. All the ingredients that are mentioned above suggest that in
the proof we must use the probabilistic implication

$$\mathcal{P}_T \Rightarrow_{\mu(\epsilon, n_\Omega)} \mathcal{P}_E \tag{27}$$

in which Alice uses the basis $\{\Psi(g, \tilde b) \mid g \in \{0,1\}^N\}$ rather than the basis
$\{\Psi(g, a) \mid g \in \{0,1\}^N\}$. (In this fictive test, we flip Alice's bases when $a[i] \neq
\tilde b[i]$.)

We first explain how Lemma 2 applies to this fictive situation. The important
ingredient in this lemma is the distribution of probability of the two sets $E$ and $T$
for a fixed set $D$ and error string $g[D] \oplus h[D]$. The fictive preparation is an
encoding in the bases $\tilde b$ which is fixed. Eve–Bob determines and executes the
measurement without knowing $a$ and $R$. We fix $\mathcal{D}$, $\Omega$ and the error string on $\Omega$,
but keep $a$ and $R$ random. The set $\Omega$ will play the role of the set $D$ in the lemma.
It will be sufficient that the distribution of probability for $E = \Omega - R$ and $T =
\Omega \cap R$ is as required in the lemma. This is exactly the case because every
position in $\Omega$ is put in $R$ with probability $p_T$. One might find it strange that it seems
that it is not required that the bases $a$ are chosen at random. In fact, they also
have to be chosen at random because $(\tilde b, \Omega, a)$ uniquely determines $R$. So we
have obtained that Lemma 2 applies with $D = \Omega$ and thus we have obtained
inequality (27).

Note that it is implicit in (27) that we consider the context where $\Omega$ is fixed
because the statement in Lemma 2, in particular the definition of $\mu(\beta, n_D)$,
assumes that the set $D$ is fixed (and $\Omega$ plays the role of $D$). We define $\mathcal{X}{:}\ \Omega = \Omega$.
In fact, instead of (27), what we have is $\mathcal{P}_T \Rightarrow_{\mu(\epsilon, n_\Omega)|\mathcal{X}} \mathcal{P}_E$. Note that $\mathcal{P}_T \Rightarrow_{\mu|\mathcal{X}}
\mathcal{P}_E$ is equivalent to $\mathcal{P}_T \wedge \mathcal{X} \Rightarrow_{\mu \times \Pr(\mathcal{X})} \mathcal{P}_E$. Let $\mathcal{P}'_T = \mathcal{P}_T \wedge \mathcal{X}$. The starting point
is in fact

$$\mathcal{P}'_T \Rightarrow_{\mu(\epsilon, n_\Omega) \times \Pr(\mathcal{X})} \mathcal{P}_E. \tag{28}$$
Note that Eve–Bob's attack is uniquely determined by the POVM $E_{q|c}$. We
must show that the probabilistic implication $\mathcal{P}_T \Rightarrow_\gamma \mathcal{S}$ holds for all POVM $E_{q|c}$
that correspond to an attack in the real protocol where Alice uses the basis
$\{\Psi(g, a) \mid g \in \{0,1\}^N\}$ (not the basis $\{\Psi(g, \tilde b) \mid g \in \{0,1\}^N\}$). Let us consider
any such POVM in the real protocol (this POVM will not be further restricted so
that the proof will apply to any such POVM). The interesting point is that any
such POVM $E_{q|c}$ still corresponds to an attack in the protocol even if Alice uses
the basis $\{\Psi(g, \tilde b) \mid g \in \{0,1\}^N\}$. In fact, if we don't tell Eve–Bob that a
different preparation was used for the photons, then the same POVM will be
executed. Therefore, because the probabilistic implication (28) is valid against all
attacks, this probabilistic implication must apply to the POVM $E_{q|c}$. Here, we
translate (28) in terms of density matrices and projection operators. Let $\rho_{\tilde b}$ be
the density matrix that corresponds to the state $\Psi(g, \tilde b)$ with probability $2^{-N}$.
This is the fully mixed density matrix $2^{-N} I$. Let $\hat\Pi_1 = I - \Pi_0[T, d]$ and $\hat\Pi_0 =
\Pi_0[E, d_+(\epsilon)]$. These two projections are respectively associated with the success
of the test on $T$ and the failure of the test on $E$ (when Alice uses the basis
$\{\Psi(g, \tilde b) \mid g \in \{0,1\}^N\}$). Let $z$ be the partial view $(\tilde b, \mathcal{D}, h, a, R)$. Note that $z$
contains all the necessary information to define the projections $\hat\Pi_0$ and $\hat\Pi_1$. We
obtain

$$\Pr(\mathcal{P}'_T \wedge \bar{\mathcal{P}}_E) = \sum_{(\tilde b, a, R, \mathcal{D}, h)|\mathcal{X}} p(\tilde b, a, R)\,\mathrm{Tr}_A\big(E_{\mathcal{D},h|\tilde b,a,R}\,\hat\Pi_1\hat\Pi_0\,\rho_{\tilde b}\,\hat\Pi_0\hat\Pi_1\big)$$

in which $\mathcal{X}$ is the constraint $\Omega(z) = \Omega$ on $z = (\tilde b, \mathcal{D}, h, a, R)$. This last equality
can easily be verified by expanding the density matrix $\rho_{\tilde b}$ as a sum over states and
noting that each term in the sum is annihilated by $\hat\Pi_1\hat\Pi_0$ if and only if the
corresponding state is not consistent with $\mathcal{P}_T \wedge \bar{\mathcal{P}}_E$. Formula (28), which
corresponds to the inequality $\Pr(\mathcal{P}_T \wedge \bar{\mathcal{P}}_E) \leq \mu(\epsilon, n_\Omega)\Pr(\mathcal{X})$, becomes

$$\sum_{(\tilde b, a, R, \mathcal{D}, h)|\mathcal{X}} p(\tilde b, a, R)\,\mathrm{Tr}_A\big(E_{\mathcal{D},h|\tilde b,a,R}\,\hat\Pi_1\hat\Pi_0\,\rho_{\tilde b}\,\hat\Pi_0\hat\Pi_1\big) \leq \mu(\epsilon, n_\Omega)\Pr(\mathcal{X}). \tag{29}$$

Note that we have chosen the partial view $z$ so that it contains no classical
announcement about $g$. This is a key ingredient which implies that the density
matrix for the photons given the classical part $(\tilde b, a, R)$ in $z$ is $2^{-N} I$. We can
replace $\rho_{\tilde b}$ by $\rho_a$ because these two density matrices are one and the same density
matrix, the fully mixed density matrix. (Note that the string $g$ is independent of $\Omega$
so that $g$ is still uniformly distributed in the context $\mathcal{X}{:}\ \Omega = \Omega$.) The reader can
easily compute this density matrix because it is a product of two-dimensional
density matrices, each of them corresponding to a state uniformly picked at
random in the corresponding basis. By definition a uniform mixture of states in a
given basis corresponds to the matrix $\rho^{(2)} = (1/2)|0\rangle\langle 0| + (1/2)|1\rangle\langle 1|$ in that basis.
The reader can easily check that, keeping the same representational basis for the
density matrix, but considering a uniform mixture of states in the conjugate basis
(or any other basis), one obtains the same density matrix. The density matrix $\rho_a$
corresponds to Alice's preparation in the real protocol. We have indirectly
obtained a property on the view $z$ for most $z$ since we have an upper bound on
the sum in (29). The idea is that it is not possible that many terms in the sum are
large when the sum is small. However, what we need is a property on the final
view $v$. So, we need to replace the sum over $z$ by a sum over $v$. In this way, we
will obtain a property on most $v$. To pass from a sum over $z$ to a sum over $v$, we
need to use the extended operator formalism. We will use (12) with the view

$$z = \big(\underbrace{(\tilde b, a, R)}_{c},\ \underbrace{(\mathcal{D}, h)}_{q}\big)$$

in which $c$ and $q$ refer to the generic notions of Section 3.4, not to $c$ and $q$
defined in this section. Working on the left-hand side of (29), we obtain

$$\sum_{z|\mathcal{X}} \mathrm{Tr}_A\big(E_z\,\hat\Pi_1\hat\Pi_0\,\rho_a\,\hat\Pi_0\hat\Pi_1\big) \leq \mu(\epsilon, n_\Omega)\Pr(\mathcal{X}).$$

Now, we can use the formula $E_z = \sum_{v|z = z} E_v$ to obtain

$$\sum_{v|\mathcal{X}} \mathrm{Tr}_A\big(E_v\,\hat\Pi_1\hat\Pi_0\,\rho_a\,\hat\Pi_0\hat\Pi_1\big) \leq \mu(\epsilon, n_\Omega)\Pr(\mathcal{X}). \tag{30}$$

To return to the standard formalism, we apply again (12), but this time with the
complete view $v = (c, q)$. We obtain

$$\sum_{(c,q)|\mathcal{X}} p(c{:}q)\,\mathrm{Tr}_A\big(E_{q|c}\,\hat\Pi_1\hat\Pi_0\,\rho_{c|q}\,\hat\Pi_0\hat\Pi_1\big) \leq \mu(\epsilon, n_\Omega)\Pr(\mathcal{X}).$$

We recall that a mixture associated with $\rho_{c|q}$ corresponds to the pure state
$\Psi(g[T], a[T])$ on $T$. The projection $\hat\Pi_1$, which is associated with the success of
$\mathcal{P}_T$, is also defined in the bases $a[T]$ on $T$. Therefore, every term in the sum with
$v \notin \mathcal{P}_T$ vanishes. For the other terms we have

$$\mathrm{Tr}_A\big(E_{q|c}\,\hat\Pi_1\hat\Pi_0\,\rho_{c|q}\,\hat\Pi_0\hat\Pi_1\big) = \mathrm{Tr}_A\big(E_{q|c}\,\hat\Pi_0\,\rho_{c|q}\,\hat\Pi_0\big).$$

So we have

$$\sum_{(c,q)|\mathcal{P}'_T} p(c{:}q)\,\mathrm{Tr}_A\big(E_{q|c}\,\hat\Pi_0\,\rho_{c|q}\,\hat\Pi_0\big) \leq \mu(\epsilon, n_\Omega)\Pr(\mathcal{X}).$$
At this point, the following lemma must be used. It says that it is not possible
that a sum with positive terms contains many large terms when the sum is small.

PROPOSITION 5. Consider any $\mu > 0$ and let $p(y)$ be any distribution of
probability on a set $Y$. Let $a_y$, $y \in Y$, be positive real numbers such that $\sum_{y \in Y} a_y \leq \mu$.
Consider any positive number $q > 0$. We have that

$$\Pr\big(a_y \geq q\mu\,p(y)\big) \leq \frac{1}{q},$$

that is, except with a probability smaller than $1/q$, $a_y < q\mu\,p(y)$.

PROOF OF PROPOSITION 5. Let us denote

$$S = \{y \in Y \mid a_y \geq q\mu\,p(y)\}.$$

Assume to the contrary that $\Pr(S) > 1/q$. We obtain

$$\sum_y a_y = \sum_{y \in S} a_y + \sum_{y \notin S} a_y \geq \sum_{y \in S} a_y \geq q\mu \sum_{y \in S} p(y) > \left(\frac{1}{q}\right) q\mu = \mu,$$

which contradicts the hypothesis of the lemma. □

Let $\gamma = \mu(\epsilon, n_\Omega)^{1/2}$. At this stage $\gamma$ depends on $n_\Omega$, not on $n_\Omega^{\min}$, but we will
take care of this issue later. We will use Proposition 5 with $q = \Pr(\mathcal{P}'_T)/
(\gamma \Pr(\mathcal{X})) = \Pr(\mathcal{P}_T|\mathcal{X})/\gamma$ and $p(y) = p(v)/\Pr(\mathcal{P}'_T)$, that is, $p(y)$ is the probability
of $v$ conditioned on the event $\mathcal{P}'_T$. We obtain that, conditioned on the
event $\mathcal{P}'_T$, except with probability $\gamma/\Pr(\mathcal{P}_T|\mathcal{X})$, we have

$$p(c{:}q)\,\mathrm{Tr}_A\big(E_{q|c}\,\hat\Pi_0\,\rho_{c|q}\,\hat\Pi_0\big) \leq \gamma \times p(v). \tag{31}$$

Using (22), we obtain that (31) is equivalent to

$$p(c{:}q)\,\langle\tilde\phi_{c,q}|\,\hat\Pi_0\,\tilde\rho_s\,\hat\Pi_0\,|\tilde\phi_{c,q}\rangle \leq \gamma \times p(v),$$

which is the small sphere property $\mathcal{S}$ with radius $d_+(\epsilon)$ and precision $\gamma$. We have
obtained that $\gamma/\Pr(\mathcal{P}_T|\mathcal{X})$ is an upper bound for the probability that the small
sphere property $\mathcal{S}$ fails given $\mathcal{P}'_T$. We obtain that

$$\Pr(\mathcal{P}_T \wedge \bar{\mathcal{S}} \mid \mathcal{X}) = \Pr(\bar{\mathcal{S}} \mid \mathcal{P}'_T)\Pr(\mathcal{P}_T \mid \mathcal{X}) \leq \gamma.$$

Thus, we have

$$\Pr(\mathcal{P}_T \wedge \bar{\mathcal{S}} \mid n_\Omega = n_\Omega) \leq \gamma$$

or equivalently

$$\mathcal{P}_T \Rightarrow_{\gamma | n_\Omega = n_\Omega} \mathcal{S}.$$

The value $\gamma$ depends on the value $n_\Omega$. We can easily take care of this problem
and replace $n_\Omega$ by $n_\Omega^{\min}$ using Proposition 6 in Appendix E (we must think of $\mathcal{S}$ as
an event-valued function, where $n_\Omega$ in the precision $\gamma$, not in the radius $d_+(\epsilon)$,
plays the role of the integer $l$ in Proposition 6). The radius $d_+(\epsilon)$ will still
depend upon the random value $n_\Omega$ (but we will take care of this problem in the
next lemma). This concludes the proof of $\mathcal{P}_T \Rightarrow_\gamma \mathcal{S}$. □

5.4.4. The Second Implication. Here we prove that the small sphere property
probabilistically implies that Eve's view $v$ is $\sigma$-informative.

LEMMA 7. Let $\epsilon > 0$ and $\tau > 0$ be the (nonphysical) parameters chosen in the
validation constraint $\mathcal{X}'_2$. Consider any $\gamma > 0$. Let $\lambda = 2^{-\tau n_E^{\min}}$, $\eta = 2\sqrt{\gamma} + \gamma$ and
$\sigma = \eta + \sqrt{2\eta}$. Except with probability $\lambda + \eta + 2\sqrt{2\eta}$, if we have the constraint $\mathcal{X}'_2
\wedge \mathcal{X}_3$ and the view $v$ has the small sphere property $\mathcal{S}$ with radius $d_+(\epsilon)$ and precision
$\gamma$, then the view $v$ is $\sigma$-informative.

Remark. Later, we will use this lemma with the $\gamma$ that was defined in Lemma 6,
but the lemma holds for every $\gamma > 0$. Lemma 7 corresponds to the implication $\mathcal{S} \wedge
\mathcal{X}'_2 \wedge \mathcal{X}_3 \Rightarrow_{\lambda + \eta + 2\sqrt{2\eta}} \mathcal{N}_\sigma$.

PROOF OF LEMMA 7. The basic idea of the proof is simple. Consider again
formula (23):

$$p(v, k) = p(c, k{:}q)\,\langle\tilde\phi_{c,q}|\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle.$$

We insert the identity operator $\Pi_0[E, d_W/2] + \Pi_1[E, d_W/2]$ on both sides
of $\tilde\rho_{s,k}$, and we rewrite the expression using terms that contain only $\Pi_0[E,
d_W/2]$ or only $\Pi_1[E, d_W/2]$, not both projections. The term with the
projection $\Pi_1[E, d_W/2]$ will be taken care of by Lemma 5, because the state
$\Pi_1[E, d_W/2]|\tilde\phi_{c,q}\rangle$ has the strong small sphere property with radius $d''$ smaller
than $d_W/2$. The other terms will be small because of the definition of the small
sphere property.

However, before we do that, we must take care of some technical issue related
to the use of $\mathcal{X}'_2$ in place of $\mathcal{X}_2$. We recall that, given that the $m \times n_E$ privacy
matrix $K$ is chosen uniformly at random, Lemma 4 tells us that, for any $\tau > 0$, we
have

$$\mathrm{True} \Rightarrow_\lambda d_W \geq H^{-1}\!\left(1 - \frac{r + m}{n_E} - \tau\right) n_E, \tag{32}$$

where $\lambda = 2^{-\tau n_E}$. We recall that $\mathcal{X}'_2$ says

$$H^{-1}\!\left(1 - \frac{r + m}{n_E} - \tau\right) \times n_E \geq 2 d_+(\epsilon) \tag{33}$$

for some fixed $\tau > 0$ and $\epsilon > 0$. By transitivity, the inequalities in (32) and (33)
imply $\mathcal{X}_2$, which states $d_W \geq 2 d_+(\epsilon)$. Therefore, we have $\mathcal{X}'_2 \Rightarrow_\lambda \mathcal{X}_2$ and thus
$(\mathcal{S} \wedge \mathcal{X}'_2) \Rightarrow_\lambda (\mathcal{S} \wedge \mathcal{X}_2)$. Here, the probability $\lambda$ is conditioned by $n_E$, but we can
replace $n_E$ by $n_E^{\min}$ in the definition of $\lambda$ using Proposition 6 in Appendix E,
adding the constraint $\mathcal{X}_3$ on the left-hand side. Let $\mathcal{S}'$ be the small sphere
property with radius $d_W/2$ and the same precision $\gamma$ as for $\mathcal{S}$. We have that $\mathcal{S} \wedge
\mathcal{X}_2 \wedge \mathcal{X}_3 \Rightarrow \mathcal{S}'$ because the radius in $\mathcal{S}'$ is greater (a weaker constraint). So it will
be sufficient to show $\mathcal{S}' \Rightarrow_{\eta + 2\sqrt{2\eta}} \mathcal{N}_\sigma$, where $\mathcal{S}'$ is the small sphere property with
radius $d_W/2$ and precision $\gamma$.
We start by finding out what can be obtained nonprobabilistically from $\mathcal{S}'$,
keeping in mind that we want to bound $|p(k|v) - 2^{-m}| = p(v)^{-1}|p(v, k) -
2^{-m} p(v)|$ probabilistically. We will start by considering the quantities $p(v, k)$
and $2^{-m} p(v)$ separately. We begin with $p(v, k)$. Using (23), one obtains

$$p(v, k) = p(c, k{:}q)\,\langle\tilde\phi_{c,q}|\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle.$$

Now, let us define $\tilde\Pi_0 = \Pi_0[E, d_W/2]$ and $\tilde\Pi_1 = I - \tilde\Pi_0$. The projections $\tilde\Pi_0$
and $\tilde\Pi_1$ are respectively associated with the failure and the success of the test on
$E$ with a tolerated number of errors $d_W/2$. If one puts the identity operator $I =
\tilde\Pi_0 + \tilde\Pi_1$ on both sides of $\tilde\rho_{s,k}$, after some algebra, one obtains

$$p(v, k) = 2^{-m} p(c{:}q)\Big[\langle\tilde\phi_{c,q}|\tilde\Pi_1\tilde\rho_{s,k}\tilde\Pi_1|\tilde\phi_{c,q}\rangle + \langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle + \langle\tilde\phi_{c,q}|\tilde\rho_{s,k}\tilde\Pi_0|\tilde\phi_{c,q}\rangle - \langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}\tilde\Pi_0|\tilde\phi_{c,q}\rangle\Big],$$

where we used (24) to replace $p(c, k{:}q)$ by $2^{-m} p(c{:}q)$. Note that $\tilde\Pi_1\tilde\phi_{c,q}$ is a
state that has the strong small sphere property with radius $d_W/2$. Therefore,
using Lemma 5, one obtains that

$$p = 2^{-m} p(c{:}q)\,\langle\tilde\phi_{c,q}|\tilde\Pi_1\tilde\rho_{s,k}\tilde\Pi_1|\tilde\phi_{c,q}\rangle$$

is independent of $k$. In particular, after a sum over $k$ on both sides, we have

$$2^m p = p(c{:}q)\,\langle\tilde\phi_{c,q}|\tilde\Pi_1\tilde\rho_s\tilde\Pi_1|\tilde\phi_{c,q}\rangle$$

or equivalently

$$p = 2^{-m} p(c{:}q)\,\langle\tilde\phi_{c,q}|\tilde\Pi_1\tilde\rho_s\tilde\Pi_1|\tilde\phi_{c,q}\rangle.$$

We denote $\Delta_{s,k} = |p(v, k) - p|$. Since

$$|\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle| = |\langle\tilde\phi_{c,q}|\tilde\rho_{s,k}\tilde\Pi_0|\tilde\phi_{c,q}\rangle|,$$

we have

$$\Delta_{s,k} \leq 2^{-m} p(c{:}q) \times \Big[2\,|\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle| + |\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}\tilde\Pi_0|\tilde\phi_{c,q}\rangle|\Big]. \tag{34}$$

Now we bound the first term in the square bracket. We use

$$|\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle| = \big|\underbrace{\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}^{1/2}}_{\xi^\dagger}\ \underbrace{\tilde\rho_{s,k}^{1/2}|\tilde\phi_{c,q}\rangle}_{\mathcal{X}}\big|.$$

Using the Schwarz inequality, $|\xi^\dagger\mathcal{X}| \leq \|\xi\| \times \|\mathcal{X}\|$, one obtains

$$|\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle| \leq \|\tilde\rho_{s,k}^{1/2}\tilde\Pi_0|\tilde\phi_{c,q}\rangle\|\,\|\tilde\rho_{s,k}^{1/2}|\tilde\phi_{c,q}\rangle\| = \langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}\tilde\Pi_0|\tilde\phi_{c,q}\rangle^{1/2}\,\langle\tilde\phi_{c,q}|\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle^{1/2}.$$

Therefore

$$\Delta_{s,k} \leq 2^{-m} p(c{:}q)\Big[2\,\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}\tilde\Pi_0|\tilde\phi_{c,q}\rangle^{1/2}\,\langle\tilde\phi_{c,q}|\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle^{1/2} + \langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}\tilde\Pi_0|\tilde\phi_{c,q}\rangle\Big].$$
Now, we define $\Delta_s = |p - 2^{-m} p(v)|$. We have

$$|p(v, k) - 2^{-m} p(v)| \leq \Delta_s + \Delta_{s,k},$$

so that the property $\mathcal{N}_\sigma$ is equivalent to $\Delta_s + \Delta_{s,k} \leq 2^{-m} p(v)\sigma$. Using the same
technique that we used for $\Delta_{s,k}$, we obtain

$$\Delta_s \leq 2^{-m} p(c{:}q)\Big[2\,\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_s\tilde\Pi_0|\tilde\phi_{c,q}\rangle^{1/2}\,\langle\tilde\phi_{c,q}|\tilde\rho_s|\tilde\phi_{c,q}\rangle^{1/2} + \langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_s\tilde\Pi_0|\tilde\phi_{c,q}\rangle\Big].$$

Using (21), which states $p(c{:}q)\,\langle\tilde\phi_{c,q}|\tilde\rho_s|\tilde\phi_{c,q}\rangle = p(v)$, and the small sphere
property (Definition 6), which states

$$p(c{:}q)\,\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_s\tilde\Pi_0|\tilde\phi_{c,q}\rangle \leq \gamma\,p(v),$$

we obtain

$$\Delta_s \leq 2^{-m}(2\sqrt{\gamma} + \gamma)\,p(v).$$

Since the expression $(2\sqrt{\gamma} + \gamma)$ will appear often, we denote $\eta = 2\sqrt{\gamma} + \gamma$. We
obtain

$$\Delta_s \leq 2^{-m}\eta\,p(v). \tag{35}$$

Now, to bound $\Delta_{s,k}$, it will be useful to define

$$a_0(k, v) = 2^{-m} p(c{:}q)\,\langle\tilde\phi_{c,q}|\tilde\Pi_0\tilde\rho_{s,k}\tilde\Pi_0|\tilde\phi_{c,q}\rangle$$

and

$$a_1(k, v) = 2^{-m} p(c{:}q)\,\langle\tilde\phi_{c,q}|\tilde\rho_{s,k}|\tilde\phi_{c,q}\rangle.$$

We obtain

$$\Delta_{s,k} \leq 2\sqrt{a_1(k, v)\,a_0(k, v)} + a_0(k, v). \tag{36}$$

Thus far, we have shown

$$\mathcal{S}' \Rightarrow \Big(\Delta_s \leq 2^{-m}\eta\,p(v)\Big) \wedge \Big(\Delta_{s,k} \leq 2\sqrt{a_1(k, v)\,a_0(k, v)} + a_0(k, v)\Big).$$

In the remainder of the proof, we will define an event $\mathcal{M}_q$ with a parameter $q >
0$ so that $\mathcal{M}_q \Rightarrow \mathcal{N}_{\eta + q\eta}$, and, for $q = \sqrt{2/\eta}$, we will show $\mathcal{S}' \Rightarrow_{\eta + 2\sqrt{2\eta}} \mathcal{M}_q$. This
will be sufficient to conclude $\mathcal{S}' \Rightarrow_{\eta + 2\sqrt{2\eta}} \mathcal{N}_\sigma$. We recall that $\sigma = \eta + \sqrt{2\eta}$.
Now, we define $\mathcal{M}_q$. To obtain $\mathcal{N}_\sigma$ from $\mathcal{M}_q$, the event $\mathcal{M}_q$ must provide upper
bounds for $a_0(k, v)$ and $a_1(k, v)$.⁴ For every $q > 0$, we define the events

$$\mathcal{M}_q^{(0)}{:}\quad a_0(k, v) \leq q\gamma\,p(v)\,2^{-m},$$

and

$$\mathcal{M}_q^{(1)}{:}\quad a_1(k, v) \leq q\,p(v)\,2^{-m},$$

and $\mathcal{M}_q = \mathcal{M}_q^{(0)} \wedge \mathcal{M}_q^{(1)}$. It is not hard to see that

$$\mathcal{M}_q \Rightarrow \Delta_{s,k} \leq 2\sqrt{q\gamma\,p(v)\,2^{-m}\cdot q\,p(v)\,2^{-m}} + q\gamma\,p(v)\,2^{-m} = q\,p(v)\,2^{-m}(2\sqrt{\gamma} + \gamma) = q\,p(v)\,2^{-m}\eta.$$

Therefore,

$$\mathcal{M}_q \Rightarrow |p(v, k) - 2^{-m} p(v)| \leq \Delta_{s,k} + \Delta_s \leq (1 + q)\,p(v)\,2^{-m}\eta, \tag{37}$$

which is the event $\mathcal{N}_{\eta + q\eta}$. Now, we do the probabilistic part. We will show that
$\mathcal{S}'$ probabilistically implies $\mathcal{M}_q$. We must compute $\Pr(\mathcal{S}' \wedge \bar{\mathcal{M}}_q)$. We will use
$\Pr(\mathcal{S}' \wedge \bar{\mathcal{M}}_q) = \Pr(\mathcal{S}') - \Pr(\mathcal{S}' \wedge \mathcal{M}_q)$. So we will compute $\Pr(\mathcal{S}' \wedge \mathcal{M}_q)$. For
every $v$ fixed, let $M_q^{(0)}(v)$ and $M_q^{(1)}(v)$ respectively denote the set of values $k$
such that $\mathcal{M}_q^{(0)}(k, v)$ and $\mathcal{M}_q^{(1)}(k, v)$ are TRUE. We obtain

$$M_q^{(0)}(v) = \{k \mid a_0(k, v) \leq q\gamma\,p(v)\,2^{-m}\},$$

and

$$M_q^{(1)}(v) = \{k \mid a_1(k, v) \leq q\,p(v)\,2^{-m}\}.$$

Let $M_q(v) = M_q^{(0)}(v) \cap M_q^{(1)}(v)$. We will use Proposition 5 to obtain a lower
bound on the size of these sets for every $v$ for which $\mathcal{S}'$ is TRUE. It is not too hard
to see that $\sum_k a_1(k, v) = p(v)$. For $v$ fixed, using Proposition 5 with $y =
k \in \{0, 1\}^m$, $a_y = a_1(k, v)$, $p(y) = 2^{-m}$, and $\mu = p(v)$, we obtain that
$2^{-m}|M_q^{(1)}(v)| \geq (1 - 1/q)$. Similarly, $\sum_k a_0(k, v) \leq \gamma\,p(v)$. For $v$ fixed,
using Proposition 5 with $y = k$, $a_y = a_0(k, v)$, $p(y) = 2^{-m}$ and $\mu = \gamma\,p(v)$ we
obtain that $2^{-m}|M_q^{(0)}(v)| \geq (1 - 1/q)$. Therefore, we have

$$|M_q(v)| \geq 2^m\left(1 - \frac{2}{q}\right). \tag{38}$$

Using (37) for the second inequality and (38) for the third inequality, we obtain

$$\begin{aligned}
\Pr(\mathcal{S}' \wedge \mathcal{M}_q) &\geq \sum_{v \in \mathcal{S}'} \sum_{k \in M_q(v)} p(k, v) \\
&\geq \sum_{v \in \mathcal{S}'} p(v) \sum_{k \in M_q(v)} 2^{-m}\big(1 - (1 + q)\eta\big) \\
&\geq \sum_{v \in \mathcal{S}'} p(v)\, 2^m\left(1 - \frac{2}{q}\right) 2^{-m}\big(1 - (1 + q)\eta\big) \\
&\geq \sum_{v \in \mathcal{S}'} p(v)\left(1 - \frac{2}{q} - (1 + q)\eta\right) \\
&\geq \Pr(\mathcal{S}') - \frac{2}{q} - (1 + q)\eta.
\end{aligned}$$

We obtain

$$\Pr(\mathcal{S}' \wedge \bar{\mathcal{M}}_q) = \Pr(\mathcal{S}') - \Pr(\mathcal{S}' \wedge \mathcal{M}_q) \leq \frac{2}{q} + (1 + q)\eta.$$

If we set $q = \sqrt{2/\eta}$, we obtain

$$\Pr(\mathcal{S}' \wedge \bar{\mathcal{M}}_q) \leq \eta + 2\sqrt{2\eta}$$

or equivalently $\mathcal{S}' \Rightarrow_{\eta + 2\sqrt{2\eta}} \mathcal{M}_q$. Now, we recall that $\mathcal{M}_q$ with $q = \sqrt{2/\eta}$ implies
the event $\mathcal{N}_\sigma$. We have thus shown $\mathcal{S}' \Rightarrow_{\eta + 2\sqrt{2\eta}} \mathcal{N}_\sigma$. This concludes the proof. □

One obtains Theorem 1 by combining the two probabilistic implications (i.e.,
Lemma 6 and Lemma 7) and Lemma 1.

⁴ In a previous version of the proof, the bounds on $a_0$ and $a_1$ included a large factor $2^m$. For $m$ fixed,
this factor was a constant, but it was nevertheless annoying. This large factor was taken out with the
precious help of Hitoshi Inamori.

6. Conclusion
The techniques that we have described here, some of them taken from Yao [1995],
were proven to be efficient to analyze the security of quantum key distribution.
However, these techniques were first used in Mayers [1996] to analyze a quantum
protocol for a different application, a quantum string oblivious transfer protocol
[Bennett et al. 1992]. For some time this quantum string oblivious transfer was
ignored because it was built on top of a task called bit commitment. This was
proven to be insecure given that the participants, potential cheaters, have
unlimited computational power [Mayers 1997]. However, recently a quantum
protocol was proposed [Dumais et al. 2000] for bit commitment under some
computational assumption and this raises the important question of the security
of the quantum string oblivious transfer protocol on top of a computationally
secure quantum bit commitment. We hope that the techniques described here
will be useful to address this question.
There is also the serious issue of defective and unreliable quantum apparatus.
A more practical protocol, where the encoding must still respect the exact
polarization angle specified in the protocol, but not necessarily for a single
photon, was proven secure in Inamori et al. [1999] using the techniques described
here. The most powerful and global approach to address this problem is
proposed in Mayers and Yao [1998] and Mayers [2001a]. However, the results in
Mayers and Yao [1998] and Mayers [2001a] are general and their applicability to
a given protocol is still an open question. Again, we hope that the techniques
provided here will be useful to establish the connection.

Note added. An alternative proof for the security of the BB84 protocol was proposed
by Shor and Preskill [2000]. This last security result is weaker than the result here because
their proof requires the assumption that Bob's measuring apparatus is perfect (or close to
perfect eventually). This assumption can certainly help to simplify the proof, but it is a
step backward with respect to the ultimate objective, which is to trust only restricted and
simple properties of the apparatus used. Here, we need to trust only a very natural
property of Bob's measuring apparatus, and the problem of the untrusted source is taken
care of in Mayers and Yao [1998] and Mayers [2001a].

Appendixes

Appendix A. Notations

A.1. Integers and Integer-Valued Functions

$N$: The number of photons sent in the protocol.
$m$: The length of the key.
$n_E$: The integer $|E|$. The length of the raw key.
$d_X(g, h)$: The Hamming distance between $g$ and $h$ on $X$, that is,
$d_X(g, h) = |\{i \in X \mid g[i] \neq h[i]\}|$.
$d_+(y)$: An integer-valued function that is convenient in the proof. For
every $y > 0$, $d_+(y) = (\delta + y)\,p_E\,n_\Omega$.
$d$: The number $\delta\,p_T\,n_\Omega$. It is the number of errors tolerated in the
test executed on $T$.
$d'$: The number $d_+(\beta)$. The number of errors on $E$ that is tolerated
by the error-correction code.
$d_T$: The number of errors that actually occur on $T$.
$d_E$: The number of errors that actually occur on $E$.
$r$: The number of bits for error-correction, that is, the length of the
syndrome.
$d_W$: The minimal weight of the strings in $G^*$.

A.2. Real Numbers

$p_T$: The probability that a position $i \in \Omega$ is tested (i.e., included in
$R$).
$\delta$: A parameter in the protocol that determines the number of errors
$d$ tolerated in the test via the formula $d = \delta\,p_T\,n_\Omega$. Normally, $\delta$
should be slightly greater than the expected error rate in the
quantum channel.
$\beta$: A parameter in the protocol that uniquely determines $d'$, the
number of errors tolerated by the error-correcting code.
$\epsilon$: A parameter similar to $\beta$ but used to determine $d_+(\epsilon)$, the
number of errors tolerated in a fictive test executed on $E$.
$\mu(\beta, n_\Omega)$: Exponentially small number that corresponds to the probability of
$d_E \geq d_+(\beta)$ where $d_E$ is the number of errors in $E$ and $p_E =
1 - p_T$ is the probability that a position $i$ is not tested.
$\lambda$: The real number $2^{-\tau n_E}$. It is an exponentially small upper bound
on the probability that $d_W < H^{-1}(1 - (m + r)/n_E - \tau) \times n_E$.
$\gamma$: The real number $\mu(\epsilon, n_\Omega)^{1/2}$. It is an exponentially small number
that occurs in the proof of privacy because of Proposition 5.
$\eta$: The sum $2\sqrt{\gamma} + \gamma$.
$\xi$: The sum $\gamma + \lambda + \eta + 2\sqrt{2\eta}$. It is an exponentially small
parameter used (together with $\sigma$) to indicate the level of privacy.
$\sigma$: The exponentially small number $\eta + \sqrt{2\eta}$ used (together with $\xi$)
to indicate the level of privacy.

A.3. Strings and String-Valued Functions

$a$: Alice's string of bases.
$g$: Alice's string of bits.
$b$: Bob's string of bases.
$h$: Bob's string of bits (outcomes of measurements).
$\tilde g$: The substring $g[E]$ of $g$. It is called the raw key.
$s$: The string $F \cdot \tilde g$, where $\tilde g = g[E]$. It is called the syndrome.
$k$: The (final) key shared by Alice and Bob.
$\tilde b$: The string of bases used by Bob in the modified protocol. The bases used
for the positions outside $R$ are flipped.
$\lambda$: The string-valued function that on any $\alpha \in C^\perp[G]$ returns the unique
string $\lambda(\alpha)$ such that $\lambda(\alpha) \cdot G = \alpha$.
$\hat K$: The random bits in Alice's random tape that will be used to generate the
matrix $K$.

A.4. Composite Values

Formally, any value can be represented by a string over some alphabet. It is
only with respect to the description of the protocol that the following values are
said to be "composite."

$\hat c$: The content of the random tape initialized at the beginning of the
protocol. Each participant has a part of $\hat c$. In the modified protocol, $\hat c =
(\tilde b, a, R, g, \hat K)$.
$\hat q$: The outcome of the overall measurement executed jointly by all
participants in view of $\hat c$. In the modified protocol, $\hat q = (\mathcal{D}, h, j)$.
$\hat v$: The overall classical outcome of the protocol. It includes both $\hat c$ and $\hat q$:
$\hat v = (\hat c, \hat q)$.
$c$: The classical information received by Eve (i.e., Eve–Bob in the modified
protocol) and that is not the direct result of a quantum measurement. It is
also a function of $\hat v$, not necessarily of $\hat c$ alone. In the modified protocol,
$c = (\tilde b, a, R, g[\bar E], K, s)$.
$j$: The outcome of the final measurement executed by Eve–Bob.
$q$: The quantum outcome received by Eve (i.e., Eve–Bob in the modified
protocol). In the modified protocol, $q = (\mathcal{D}, h, j)$.
$v$: Eve's view, that is, all classical data received by Eve including outcomes of
measurements: $v = (c, q)$. It is a deterministic function of $\hat v$. The same
notation is used in the original as in the modified protocol, but in the
modified protocol it is called Eve–Bob's view.
$z$: The partial view $(\tilde b, \mathcal{D}, h, a, R)$. It is a part of Eve–Bob's view that is
important in the proof because it contains no information about the string
$g$ and yet contains enough information to uniquely determine $\hat\Pi_0$ and $\hat\Pi_1$.

A.5. Sets of Strings and Binary Matrices

$G^*$: The set of linear combinations of rows in $F$ or $K$ with at least one
row in $K$.
$C_s$: The set of codewords $\{\alpha \in \{0, 1\}^E \mid F \cdot \alpha = s\}$. It is the set of
codewords $\alpha \in \{0, 1\}^E$ consistent with the syndrome $s$.
$F$: An $r \times n_E$ matrix used to define the syndrome $s$.
$K$: An $m \times n_E$ matrix used to define the key $k$ via $k = K \cdot \tilde g$, where $\tilde g =
g[E]$.

A.6. Sets of Positions

$\mathcal{D}$: The set of positions where a photon is detected by Bob.
$\Omega$: The set of positions $i \in \mathcal{D}$ such that $a[i] = b[i]$.
$R$: Random set of positions used for testing. Every $i = 1, \ldots, N$ is put in
$R$ with probability $p_T$.
$T$: The set $\Omega \cap R$. It is the set of tested positions.
$E$: The set $\Omega - R$. It is the set of positions used to define the raw key $\tilde g =
g[E]$.

A.7. Events

$\mathcal{N}_\sigma$: The event that the view $v$ is $\sigma$-informative about the key $k$: $|p(k|v) -
(1/2^m)| \leq \sigma/2^m$.
$\mathcal{P}_T$: The event $d_T \geq \delta\,p_T\,n_\Omega$. It is the event that is TRUE when the test on $T$
passes.
$\mathcal{P}_E$: The event $d_E \geq \delta\,p_E\,n_\Omega$. It is the event that is TRUE when the fictive
test on $E$ passes.
$\mathcal{X}_1$: The validation constraint $d' \geq d_+(\beta)$ that is required by the error
correction procedure.
$\mathcal{X}_2$: The validation constraint $d_W \geq 2 d_+(\epsilon)$. This constraint satisfies the
hypothesis of Lemma 5, but unfortunately it is a hard problem to check
if this constraint holds.
$\mathcal{X}'_2$: The validation constraint $H^{-1}(1 - (r + m)/n_E - \tau)\,n_E \geq 2 d_+(\epsilon)$,
where $\epsilon > 0$ and $\tau > 0$ are any positive values fixed in the protocol. It is
an alternative to $\mathcal{X}_2$ because $d_W/2 \geq H^{-1}(1 - (r + m)/n_E - \tau)\,n_E$
can be obtained probabilistically.
$\mathcal{X}_3$: The validation constraint $n_E \geq n_E^{\min}$, $n_\Omega \geq n_\Omega^{\min}$ and $m \leq m^{\max}$, which
is necessary so that the bound on Eve's information is a fixed number,
not a random number.

A.8. States and Density Matrices

$\Psi(g, a)$: For any string of bits $g$ and string of bases $a$, $\Psi(g, a)$ is the BB84
encoding of the string $g$ in the bases $a$.
$\Psi_{\bar E}$: The state $\Psi_{\bar E} = \Psi(g[\bar E], a[\bar E])$ for the photons prepared by Alice
in $\bar E$, where $\bar E = \{1, \ldots, N\} - E$.
$|\phi_v\rangle$: The state so that $\langle\phi_{c,q}|$ is the collapse operation on the photons
associated with the view $v = (c, q)$. We have $|\phi_{c,q}\rangle\langle\phi_{c,q}| \stackrel{\text{def}}{=} E_{q|c}$.
(See definition of the collapse operation $E_{q|c}$.)
$\tilde\phi_{c,q}$: The state $\langle\Psi_{\bar E}|\phi_{c,q}\rangle$ for the photons in $E$.
$\rho_a$: Density matrix for the original random state $\Psi(g, a)$ with $a$ fixed.
It's the fully mixed density matrix $2^{-N} I$.
$\rho_{\tilde b}$: Density matrix similar to $\rho_a$ except that it is for the random state
$\Psi(g, \tilde b)$. It's also the fully mixed density matrix $2^{-N} I$.
$\rho_{c|q}$: It is the density matrix for all the photons given that the classical
information $c$ is known. The dependence on $q$ is related to the fact
that the function $c$ on the overall classical random tape $\hat c$ used in
the protocol might itself depend on the outcome of a quantum
measurement.
$\tilde\rho_s$: The matrix $|C_s|^{-1}\sum_{\alpha \in C_s} |\Psi(\alpha, E)\rangle\langle\Psi(\alpha, E)|$. It is the density
matrix of the photons in $E$ given that the syndrome $s$ is known.
$\tilde\rho_{s,k}$: A density matrix for the photons in $E$ like $\tilde\rho_s$ but given that $s$ and $k$
are known.

A.9. Operators and Projections

$E_{q|c}$: It is the positive operator on the state space $H_Q$ of
the photons associated with the measurement
outcome $q$ executed in view of $c$.
$P_{c|q}$: The projection operator on the classical part $H_C$
associated with the classical announ­cement $c$ in the
view $v = (c, q)$.
$E_v = E_{(c,q)}$: The operator $P_{c|q} \otimes E_{q|c}$ associated with the view
$v = (c, q)$. It acts on the state space $H_C \otimes H_Q$
where $H_C$ is the classical part and $H_Q = H_A$ is the
quantum part.
$\Pi_0[X, d]$ and $\Pi_1[X, d]$: For any set of positions $X$ and integer $d > 0$,
$\Pi_0[X, d]$ is the projection on the span of
$\{\Psi(g, b) \mid d_X(g, h) \geq d\}$, and $\Pi_1[X, d] = I -
\Pi_0[X, d]$.
$\hat\Pi_0$: The projection $\Pi_0[E, d_+(\epsilon)]$.
$\hat\Pi_1$: The projection $\Pi_1[T, d]$.
$\tilde\Pi_0$: The projection $\Pi_0[E, d_W/2]$.
$\tilde\Pi_1$: The projection $I - \tilde\Pi_0$.

Appendix B. Mutual Information

Privacy is often expressed in terms of mutual information or Shannon's entropy. It is impossible to do justice in one small subsection to the concepts of mutual information and Shannon's entropy. Here some simple techniques and formulas are listed. Let $X$, $Y$, and $Z$ be any three random variables. Let $p(x, y) = \Pr(X = x \wedge Y = y)$, $p(x) = \Pr(X = x)$, $p(y) = \Pr(Y = y)$, $p(x|y) = \Pr(X = x \mid Y = y)$, $p(x, y, z) = \Pr(X = x \wedge Y = y \wedge Z = z)$, etc.

Definition 7. The mutual information between $X$ and $Y$ is given by
$$I(X;Y) = \sum_{x,y} p(x, y) \log_2 \frac{p(x, y)}{p(x)\, p(y)}.$$

Definition 8. The Shannon entropy of $X$ is given by
$$H(X) = I(X;X) = -\sum_{x} p(x) \log_2 p(x).$$

Definition 9. The conditional Shannon entropy of $X$ given $Y$ is given by
$$H(X|Y) = -\sum_{x,y} p(x, y) \log_2 p(x|y).$$

One can easily verify that $I(X;Y) = H(X) - H(X|Y)$ as follows. Note that $I(X;Y)$ is the expected value of $\log_2 \big( p(x, y)/(p(x)\, p(y)) \big)$:
$$I(X;Y) = E\left( \log_2 \frac{p(x, y)}{p(x)\, p(y)} \right).$$
Similarly, one has
$$H(X) = E(-\log_2 p(x)) \quad \text{and} \quad H(X|Y) = E(-\log_2 p(x|y)).$$
Thus, one obtains
$$H(X) - H(X|Y) = E(-\log_2 p(x)) - E(-\log_2 p(x|y)) = E(-\log_2 p(x) + \log_2 p(x|y)) = E\left( \log_2 \frac{p(x, y)}{p(x)\, p(y)} \right) = I(X;Y).$$
By symmetry one also has $I(X;Y) = H(Y) - H(Y|X)$.

Definition 10. The conditional mutual information between $X$ and $Y$ given an event $\mathcal{E}$ is
$$I(X;Y|\mathcal{E}) = \sum_{x,y} p(x, y|\mathcal{E}) \log_2 \frac{p(x, y|\mathcal{E})}{p(x|\mathcal{E})\, p(y|\mathcal{E})}.$$

Definition 11. The conditional mutual information between $X$ and $Y$ given $Z$ is
$$I(X;Y|Z) \stackrel{\text{def}}{=} \sum_{x,y,z} p(x, y, z) \log_2 \frac{p(x, y|z)}{p(x|z)\, p(y|z)} = \sum_{z} p(z)\, I(X;Y|Z = z).$$

One can verify that
$$I(X;Y,Z) = I(X;Y|Z) + I(X;Z). \qquad (39)$$
Many other formulas of the same kind can be obtained. For instance,
$$I(X;Y) = I(X;Y|Z) + I(X;Z) + I(Y;Z) - I(X,Y;Z),$$
because
$$\frac{p(x, y)}{p(x)\, p(y)} = \frac{p(x, y|z)}{p(x|z)\, p(y|z)} \times \frac{p(x, z)}{p(x)\, p(z)} \times \frac{p(y, z)}{p(y)\, p(z)} \times \frac{p(x, y)\, p(z)}{p(x, y, z)}.$$
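As an added worked example (not part of the paper), the following Python computes Definitions 7 through 11 directly from a joint distribution and checks the identities above, including (39) and the four-term formula, on a constructed distribution: $X$ a uniform bit, $Y$ the output of a binary symmetric channel on $X$, and $Z = X \oplus Y$ the error indicator. The distribution and the helper names are assumptions of the example; the numbers it reports follow from that construction alone.

```python
from collections import defaultdict
from math import log2

# Constructed example (not from the paper): a joint law over (X, Y, Z) is a dict
# mapping an outcome tuple to its probability; coordinates are addressed by index.

def proj(outcome, idx):
    return tuple(outcome[i] for i in idx)

def marginal(joint, idx):
    """p restricted to the coordinates in idx (the rest summed out); idx=() gives {(): 1.0}."""
    m = defaultdict(float)
    for outcome, pr in joint.items():
        m[proj(outcome, idx)] += pr
    return m

def entropy(joint, idx):
    """Definition 8: H = -sum_x p(x) log2 p(x) over the coordinates idx."""
    return -sum(pr * log2(pr) for pr in marginal(joint, idx).values() if pr > 0)

def conditional_entropy(joint, a, b):
    """Definition 9, computed as H(A|B) = H(A,B) - H(B)."""
    return entropy(joint, tuple(a) + tuple(b)) - entropy(joint, tuple(b))

def mutual_information(joint, a, b, given=()):
    """Definitions 7 and 11: I(A;B|C) = sum p(a,b,c) log2 [p(a,b,c) p(c) / (p(a,c) p(b,c))].
    With C empty this is Definition 7 itself, since then p(c) = 1 and p(a,c) = p(a)."""
    a, b, c = tuple(a), tuple(b), tuple(given)
    p_abc, p_ac, p_bc, p_c = (marginal(joint, i) for i in (a + b + c, a + c, b + c, c))
    total = 0.0
    for key, pr in p_abc.items():
        if pr == 0:
            continue
        ka, kb, kc = key[:len(a)], key[len(a):len(a) + len(b)], key[len(a) + len(b):]
        total += pr * log2(pr * p_c[kc] / (p_ac[ka + kc] * p_bc[kb + kc]))
    return total

def binary_entropy(p):
    return -(p * log2(p) + (1 - p) * log2(1 - p))

def noisy_channel_example(flip=0.25):
    """Constructed joint law: X is a uniform bit, Y is X sent through a binary symmetric
    channel with error probability `flip`, and Z = X xor Y records whether an error occurred."""
    joint = {}
    for x in (0, 1):
        for err in (0, 1):
            joint[(x, x ^ err, err)] = 0.5 * (flip if err else 1 - flip)
    return joint

def check_identities(joint, X=(0,), Y=(1,), Z=(2,), tol=1e-9):
    """True when the three identities of Appendix B hold on `joint` (up to float rounding)."""
    I = lambda a, b, c=(): mutual_information(joint, a, b, c)
    I_xy = I(X, Y)
    ok = abs(I_xy - (entropy(joint, X) - conditional_entropy(joint, X, Y))) < tol
    ok &= abs(I(X, Y + Z) - (I(X, Y, Z) + I(X, Z))) < tol                   # (39)
    ok &= abs(I_xy - (I(X, Y, Z) + I(X, Z) + I(Y, Z) - I(X + Y, Z))) < tol  # four-term identity
    return ok
```

With `flip = 1/4` the example gives $I(X;Y) = 1 - H(1/4) \approx 0.189$ bits, while $I(X;Y|Z) = 1$ because once the error indicator is known $Y$ determines $X$; the four-term identity balances that against $I(X,Y;Z) = H(1/4)$, since $(X, Y)$ together reveal $Z$ exactly. This is the situation the appendix has in mind: conditioning on side information can raise or lower mutual information, and the identities keep the bookkeeping consistent.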

Appendix C. Linear Codes

In this appendix, we give some minimal background about binary linear codes.

C.1. Binary Strings and Matrices

A binary string $x$ of length $n$ is a mapping from $\{1, \ldots, n\}$ into $\{0, 1\}$ or, alternatively, an $n$-tuple in $\{0, 1\}^n$. The length of $x$ is denoted by $|x|$. The weight of $x$, that is, the number of 1s in $x$, is denoted by $\#(x)$. We define the minimal weight of a set $A \subseteq \{0, 1\}^n$ as the minimum of $\#(w)$ over all $w \in A$. The $i$th element of $x$ is $x[i]$; the sum $x \oplus y$, where $x, y \in \{0, 1\}^n$, is given by
$$(x \oplus y)[i] \stackrel{\text{def}}{=} x[i] \oplus y[i] \stackrel{\text{def}}{=} \begin{cases} 0 & \text{if } x[i] = y[i] \\ 1 & \text{if } x[i] \ne y[i]. \end{cases}$$
A sum of two or more strings is also called a linear combination. If $A$ and $B$ are two sets of strings in $\{0, 1\}^n$, we define $A \oplus B = \{w \mid w = w_1 \oplus w_2 \text{ where } w_1 \in A \text{ and } w_2 \in B\}$. The inner product of $x$ and $y$ is $x \bullet y = \bigoplus_{j=1}^{n} x[j]\, y[j]$.
For every set $E \subseteq \{1, \ldots, n\}$, we denote by $\{0, 1\}^E$ the set of mappings from $E$ to $\{0, 1\}$. These mappings are also called binary strings. For every subset $E \subseteq \{1, \ldots, n\}$, we use $x[E]$ to denote the substring of $x$ restricted to $E$. The substring $x[E]$ is the unique mapping $\tilde x$ from $E$ to $\{0, 1\}$ such that $\tilde x[i] = x[i]$ for all $i \in E$.
An $n_1 \times n_2$ binary matrix $M$ is a mapping from $\{1, \ldots, n_1\} \times \{1, \ldots, n_2\}$ into $\{0, 1\}$. The $(i, j)$th element of a matrix $M$ is denoted as $M[i, j]$. An $r \times r$ square matrix that contains 1 everywhere on the diagonal and 0 elsewhere is denoted $I_r$. An $r \times k$ matrix that contains 0 everywhere is denoted $0_{r,k}$. The $i$th row and the $j$th column of $M$ are strings denoted $M[i, \cdot]$ and $M[\cdot, j]$, respectively. The transpose $M^T$ of the $n_1 \times n_2$ matrix $M$ is the $n_2 \times n_1$ matrix given by $M^T[i, j] = M[j, i]$. If $M$ is an $n_1 \times n_2$ binary matrix and $x$ is a binary string of length $n_2$, the product $M \bullet x$ is the string of length $n_1$ given by
$$M \bullet x\,[i] \stackrel{\text{def}}{=} \bigoplus_{j=1}^{n_2} M[i, j]\, x[j].$$
We could also write $M \bullet x = \bigoplus_j x[j]\, M[\cdot, j]$ (i.e., as the linear combination of the columns $M[\cdot, j]$ where $x[j] = 1$). If $x$ is a string of length $n_1$, then $x \bullet M$ is the string of length $n_2$ given by
$$x \bullet M\,[j] \stackrel{\text{def}}{=} \bigoplus_{i=1}^{n_1} x[i]\, M[i, j].$$
We could also write $x \bullet M = \bigoplus_i x[i]\, M[i, \cdot]$ (i.e., as the linear combination of the rows $M[i, \cdot]$ where $x[i] = 1$). Note that the string $x \bullet M^T$ and the string $M \bullet x$ are exactly the same string. The product of a $k \times n$ matrix $G$ with an $n \times r$ matrix $H$ is the $k \times r$ matrix $G \bullet H$ given by
$$G \bullet H\,[i, j] \stackrel{\text{def}}{=} \bigoplus_{z=1}^{n} G[i, z]\, H[z, j] \stackrel{\text{def}}{=} G[i, \cdot] \bullet H[\cdot, j].$$
The strings $x_1, \ldots, x_r$ are linearly independent if no linear combination over a nonempty subset of these strings is the string $0$. One can easily check that the rows of an $r \times n$ binary matrix $M$ are linearly independent if and only if, for any two distinct strings $x, y$ of length $r$, $x \bullet M \ne y \bullet M$. So, if the rows of $M$ are linearly independent, there are $2^r$ distinct linear combinations of this kind.
Let $E \subset \{1, 2, \ldots, n\}$. For every pair of strings $\alpha, \alpha' \in \{0, 1\}^E$ and every subset $X \subseteq E$, we define $d_X(\alpha, \alpha') = \#(\alpha[X] \oplus \alpha'[X]) = |\{i \in X \mid \alpha[i] \ne \alpha'[i]\}|$. If $X = E = \{1, \ldots, r\}$, then $d_X(\alpha, \alpha')$ is the usual Hamming distance on strings of length $r$. The following lemma is a useful tool.

LEMMA 8. Let $S_d$ be the set of strings $w \in \{0, 1\}^n$ with $\#(w) \le d$. Let $p = d/n$ and $q = 1 - p$. If $d < n/2$, then
$$\frac{2^{H(p) \times n}}{\sqrt{8pqn}} \le |S_d| \le 2^{H(p) \times n},$$
where $H(p) = -(p \log_2 p + q \log_2 q)$.
Lemma 8 follows from the standard bounds on binomial coefficients [MacWilliams and Sloane 1977].

C.2. Error-Correcting Code

Let $1 \le r \le n$ and $k = n - r$. Consider any $r \times n$ binary matrix $F$ with $r$ linearly independent rows. The set $C[F] = \{w \in \{0, 1\}^n \mid F \bullet w = 0\}$ is called an $(n, k)$-linear code. There are $2^k$ codewords in $C[F]$. The matrix $F$ is called the parity-check matrix of the $(n, k)$-linear code $C[F]$. For every linear code $C$ and every string $w$ of length $n$, the set $C \oplus w = \{u \oplus w \mid u \in C\}$ is a coset of $C$. One can easily check that, for every string $s$ of length $r$, the set $\{w \in \{0, 1\}^n \mid F \bullet w = s\}$ is a coset of $C[F]$; we denote this coset by $C[F, s]$. The string $s = F \bullet w$ is called the syndrome of $w$ associated with $F$.
For any $(n, k)$-linear code $C$, the dual of $C$, denoted $C^\perp$, is the set of strings $x$ such that $(\forall w \in C)\; w \bullet x = 0$. The dual $C^\perp$ is an $(n, r)$-linear code. We denote by $C^\perp[F] = \{w \in \{0, 1\}^n \mid w = \lambda \bullet F,\ \lambda \in \{0, 1\}^r\}$ the set of linear combinations of rows $F[i, \cdot]$ of the $r \times n$ matrix $F$. One can easily check that the dual of $C[F]$ is the set of linear combinations of rows of $F$, that is, $C[F]^\perp = C^\perp[F]$. The matrix $F$ is called a generator matrix of the $(n, r)$-linear code $C^\perp[F]$. So the $r \times n$ matrix $F$ is both a parity-check matrix for the $(n, k)$-linear code $C[F]$ and a generator matrix for the $(n, r)$-linear code $C^\perp[F]$. There are $2^r$ codewords in $C^\perp[F]$. One can also construct a matrix $G$ that is both a parity-check matrix for $C^\perp[F]$ and a generator matrix for $C[F]$; any $k \times n$ matrix $G$ whose $k$ rows are linearly independent codewords of $C[F]$ will suffice.
An $(n, k)$-linear error-correcting code $C$ usually comes with an encoding procedure Enc that maps a message $x \in \{0, 1\}^k$ into a codeword $w = \mathrm{Enc}(x) \in C$. Of course, the mapping defined by Enc must be one-to-one; otherwise some information about $x$ would be lost. The codeword $w$ is sent into some channel and a string $w'$ is obtained on the other side. Then usually an error-correcting procedure is executed to map the string $w' \in \{0, 1\}^n$ into a codeword in $C$. If the number of errors in $w'$ is sufficiently small then, with probability almost 1 (if not 1), this codeword is the original codeword $w$. Then the codeword $w$ is mapped back into the original message $x$.
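As an added example (not the paper's code), the following Python makes the objects of C.1 and C.2 concrete on the Hamming $(7,4)$ code, whose parity-check matrix is constructed here: it enumerates $C[F]$ and its cosets $C[F, s]$, checks that $C[F]^\perp$ equals the row span $C^\perp[F]$ and that the dual of the dual is $C[F]$ again, builds a generator matrix $G$ that doubles as a parity-check matrix of $C^\perp[F]$, runs the syndrome-decoding version of the error-correcting procedure described above, and evaluates the two sides of Lemma 8. The matrix and the helper names are assumptions of the example.

```python
from itertools import product
from math import comb, log2, sqrt

# Constructed example, not the paper's code. Parity-check matrix of the Hamming (7,4) code:
# column j is the binary expansion of j, so every single-bit error has a distinct syndrome.
HAMMING_7_4 = ((1, 0, 1, 0, 1, 0, 1),
               (0, 1, 1, 0, 0, 1, 1),
               (0, 0, 0, 1, 1, 1, 1))

def dot(u, v):
    """Inner product x . y over GF(2) (Appendix C.1)."""
    return sum(a & b for a, b in zip(u, v)) % 2

def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def weight(w):
    return sum(w)

def syndrome(F, w):
    """F . w: the syndrome of w with respect to the parity-check matrix F."""
    return tuple(dot(row, w) for row in F)

def cosets(F, n):
    """Partition {0,1}^n into the cosets C[F, s], keyed by syndrome; the key 0...0 is C[F] itself."""
    table = {}
    for w in product((0, 1), repeat=n):
        table.setdefault(syndrome(F, w), []).append(w)
    return table

def row_span(M, n):
    """{lambda . M}: all linear combinations of the rows of M."""
    span = {tuple([0] * n)}
    for row in M:
        span |= {xor(v, row) for v in span}
    return span

def dual(C, n):
    """C^perp = {x | w . x = 0 for every w in C}, by the definition rather than via a matrix."""
    return {x for x in product((0, 1), repeat=n) if all(dot(w, x) == 0 for w in C)}

def independent_rows(vectors, n):
    """Greedy choice of a maximal linearly independent subset: a generator matrix for their span."""
    rows, span = [], {tuple([0] * n)}
    for v in vectors:
        if v not in span:
            rows.append(v)
            span |= {xor(u, v) for u in span}
    return rows

def coset_leaders(F, n):
    """Minimum-weight string of each coset: the error pattern syndrome decoding assumes."""
    return {s: min(ws, key=weight) for s, ws in cosets(F, n).items()}

def decode(F, leaders, w_prime):
    """Syndrome decoding: strip the coset leader of w' to land back on a codeword of C[F]."""
    return xor(w_prime, leaders[syndrome(F, w_prime)])

def check_code_structure(F, n):
    """Checks the claims of C.2: coset sizes, C[F]^perp = C^perp[F], (C^perp)^perp = C, and
    that a generator matrix G of C[F] is a parity-check matrix of C^perp[F]."""
    r, k = len(F), n - len(F)
    table = cosets(F, n)
    C = table[tuple([0] * r)]
    ok = len(C) == 2 ** k and len(table) == 2 ** r and all(len(ws) == 2 ** k for ws in table.values())
    C_perp = dual(C, n)
    ok &= C_perp == row_span(F, n) and len(C_perp) == 2 ** r and dual(C_perp, n) == set(C)
    G = independent_rows(C, n)
    ok &= len(G) == k and all(syndrome(G, x) == tuple([0] * k) for x in C_perp)
    return ok

def corrects_all_single_errors(F, n):
    """Take every codeword, flip each position once, and check decoding recovers the codeword."""
    leaders = coset_leaders(F, n)
    for w in cosets(F, n)[tuple([0] * len(F))]:
        for i in range(n):
            error = tuple(1 if j == i else 0 for j in range(n))
            if decode(F, leaders, xor(w, error)) != w:
                return False
    return True

def lemma8(n, d):
    """(lower bound, |S_d|, upper bound) of Lemma 8; |S_d| is summed exactly from binomials."""
    assert 0 < d < n / 2, "Lemma 8 assumes d < n/2"
    p = d / n
    q = 1 - p
    H = -(p * log2(p) + q * log2(q))
    size = sum(comb(n, i) for i in range(d + 1))
    return 2 ** (H * n) / sqrt(8 * p * q * n), size, 2 ** (H * n)
```

For the Hamming code every coset leader has weight at most 1, which is why `corrects_all_single_errors` succeeds; for a code with larger cosets the same `decode` still returns a codeword, but it is the original one only when the channel error pattern happens to be the leader of its coset, which is the "with probability almost 1" qualification in the text.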

Appendix D. The Density Matrices $\tilde\rho$

Consider a linear code $C[G] \subseteq \{0, 1\}^n$ of dimension $q$ and a coset $C[G, x]$ of this code ($G$ is the parity-check matrix and $x$ is the syndrome). Here, we analyze the general situation where a string $\tilde g$ uniformly chosen at random in the coset $C[G, x]$ is sent from Alice to Bob using a fixed string of bases $a \in \{+, \times\}^n$. We want to find the matrix representation of the density operator
$$\tilde\rho_x = 2^{-q} \sum_{\tilde g \in C[G, x]} \tilde\Psi(\tilde g, a)\, \tilde\Psi(\tilde g, a)^\dagger$$
in the basis $\{\tilde\Psi(\alpha, b) \mid \alpha \in \{0, 1\}^n\}$, where $b = \bar a$. To apply this result to this paper, one must use
$$G = \begin{pmatrix} F \\ K \end{pmatrix},$$
$x = (s, k)$ and $q = n - r - m$, but the computation for the general case is the same. A key ingredient is that if a string $g$ belongs to a code $C = C[G]$ for which $G$ is the parity-check matrix, then we have $g = \lambda \bullet G^\perp$ where $\lambda \in \{0, 1\}^{\dim C}$ and $G^\perp$ is a parity-check matrix for the dual code. We will apply this principle twice, once with the code and once with its dual. Writing $|g\rangle$ for $\tilde\Psi(g, a)$, we have
$$\tilde\rho_x = \frac{1}{|C|} \sum_{g \in C[G, x]} |g\rangle\langle g|.$$
We will use the fact that in the conjugate basis we have
$$|g\rangle = 2^{-n/2} \sum_{t \in \{0, 1\}^n} (-1)^{g \bullet t}\, |t\rangle.$$
We obtain
$$\tilde\rho_x = \frac{2^{-n}}{|C|} \sum_{t,\, t',\, g \in C[G, x]} (-1)^{g \bullet (t \oplus t')}\, |t\rangle\langle t'|.$$
Let $g_0$ be any string in the coset $C[G, x]$. We will use the fact that the sum over $g \in C[G, x]$ can be replaced by a sum over $\gamma \in \{0, 1\}^{\dim C}$ with the change of variable $g \mapsto (\gamma \bullet G^\perp) \oplus g_0$. We get
$$\tilde\rho_x = \frac{2^{-n}}{|C|} \sum_{t,\, t',\, \gamma \in \{0, 1\}^{\dim C}} (-1)^{(g_0 \oplus \gamma \bullet G^\perp) \bullet (t \oplus t')}\, |t\rangle\langle t'|.$$
After simple algebra, we get
$$\tilde\rho_x = \frac{2^{-n}}{|C|} \sum_{t, t'} (-1)^{g_0 \bullet (t \oplus t')} \underbrace{\sum_{\gamma \in \{0, 1\}^{\dim C}} (-1)^{\gamma \bullet G^\perp \bullet (t \oplus t')}}_{k(t, t')}\, |t\rangle\langle t'|.$$
Now, consider the coefficient $k(t, t')$. This coefficient vanishes if $G^\perp \bullet (t \oplus t') \ne 0$, that is, if $(t \oplus t') \notin C^\perp$. If $(t \oplus t') \in C^\perp$, we have $k(t, t') = |C|$. We obtain
$$\tilde\rho_x = 2^{-n} \sum_{t, t' \mid (t \oplus t') \in C^\perp} (-1)^{g_0 \bullet (t \oplus t')}\, |t\rangle\langle t'|,$$
where we used $g_0 \bullet (t \oplus t') = (t \oplus t') \bullet g_0$. Now, we will use the fact that $(t \oplus t')$ is a string in $C^\perp$. We obtain that $t \oplus t' = \lambda(t \oplus t') \bullet G$, where $\lambda(t \oplus t')$ is the unique string with this property. The exponent $(t \oplus t') \bullet g_0$ becomes $\lambda(t \oplus t') \bullet G \bullet g_0 = \lambda(t \oplus t') \bullet x$, by definition of $g_0$. We obtain
$$\tilde\rho_x = 2^{-n} \sum_{t, t' \mid (t \oplus t') \in C^\perp} (-1)^{\lambda(t \oplus t') \bullet x}\, |t\rangle\langle t'|,$$
or equivalently
$$\langle t | \tilde\rho_x | t' \rangle = 2^{-n} \times \begin{cases} (-1)^{\lambda(t \oplus t') \bullet x} & \text{if } (t \oplus t') \in C^\perp \\ 0 & \text{otherwise.} \end{cases}$$

D.1. An Alternative Computation

Here is an alternative computation (the one that was used in the original proof [Mayers 1996]). We need some definitions. For every vector $\theta \in \{0, 1\}^n$, let us define a unitary transformation $U_\theta$ on the state space of the photons:
$$U_\theta \tilde\Psi(\tilde g, a) = \tilde\Psi(\theta \oplus \tilde g, a).$$
One can easily check that $U_\theta$ is in fact a product of unitary mappings $U_\theta = U_\theta[1] \cdots U_\theta[n]$, where $U_\theta[i]$ is defined on the state space of the $i$th photon. For every position $i$ where $\theta_i = 1$, the transformation $U_\theta[i]$ maps the state $\tilde\Psi_{[i]}(0, b[i])$ into itself and the state $\tilde\Psi_{[i]}(1, b[i])$ into $-\tilde\Psi_{[i]}(1, b[i])$. So, if there is an even number of positions $i$ where $\alpha_i = \theta_i = 1$, one has
$$U_\theta \tilde\Psi(\alpha, b) = \tilde\Psi(\alpha, b);$$
otherwise, one has
$$U_\theta \tilde\Psi(\alpha, b) = -\tilde\Psi(\alpha, b).$$
In terms of the inner product $\bullet$ on the vector space $\{0, 1\}^n$, one has
$$U_\theta \tilde\Psi(\alpha, b) = \begin{cases} \tilde\Psi(\alpha, b) & \text{if } \theta \bullet \alpha = 0 \\ -\tilde\Psi(\alpha, b) & \text{if } \theta \bullet \alpha = 1. \end{cases}$$
For every $\theta \in C[G, x]$, one has $C[G, x] = C[G, 0] \oplus \theta$. Therefore, for every $\theta \in C[G, x]$,
$$\hat\rho_x = U_\theta \hat\rho_0 U_\theta, \qquad (40)$$
where $U_\theta^\dagger = U_\theta$ was used. For any operator $\hat\rho$ and any $\theta$, one may easily check that, in the basis $\{\tilde\Psi(\alpha, b) \mid \alpha \in \{0, 1\}^n\}$,
$$(U_\theta \hat\rho U_\theta)_{\alpha, \alpha'} \stackrel{\text{def}}{=} \tilde\Psi(\alpha, b)^\dagger (U_\theta \hat\rho U_\theta) \tilde\Psi(\alpha', b) = (-1)^{(\alpha \oplus \alpha') \bullet \theta} \times (\hat\rho)_{\alpha, \alpha'}. \qquad (41)$$
Therefore, in view of (40) and (41), it is sufficient to obtain the matrix representation of the density operator $\hat\rho_0$ in Bob's basis.
Let $q$ be the dimension of $C[G]$ (in this paper $q = n - r - m$ is the dimension of the code $C[F] \cap C[K]$). Let $\{\theta_1, \ldots, \theta_q\}$ be $q$ independent strings in $C[G]$. For every $j = 1, \ldots, q$, let $G^{(j)}$ be the span of $\{\theta_1, \ldots, \theta_j\}$ and $\hat\rho^{(j)} = 2^{-j} \sum_{\theta \in G^{(j)}} \tilde\Psi(\theta, a)\, \tilde\Psi(\theta, a)^\dagger$. Note that $\hat\rho_0 = \hat\rho^{(q)}$ and $C[G] = G^{(q)}$. We will show by induction on $j$ that, for $j = 0, \ldots, q$,
$$(\hat\rho^{(j)})_{\alpha, \alpha'} = 2^{-n} \times \begin{cases} 1 & \text{if } (\alpha \oplus \alpha') \in G^{(j)\perp} \\ 0 & \text{otherwise.} \end{cases} \qquad (42)$$
The case $j = 0$ can be easily computed: $G^{(0)} = \{0\}$ and $G^{(0)\perp} = \{0, 1\}^n$. Let us assume that (42) holds for $j$ and obtain it for $j + 1$. Because $G^{(j+1)} = G^{(j)} \cup (G^{(j)} \oplus \theta_{j+1})$, one has that
$$\hat\rho^{(j+1)} = \frac{1}{2} \left( \hat\rho^{(j)} + U_{\theta_{j+1}} \hat\rho^{(j)} U_{\theta_{j+1}} \right). \qquad (43)$$
Therefore, using formula (41), one obtains
$$(\hat\rho^{(j+1)})_{\alpha, \alpha'} = \frac{1}{2} (\hat\rho^{(j)})_{\alpha, \alpha'} \left( 1 + (-1)^{(\alpha \oplus \alpha') \bullet \theta_{j+1}} \right).$$
Note that $(\hat\rho^{(j+1)})_{\alpha, \alpha'}$ is either $0$ or $2^{-n}$. One obtains that $(\hat\rho^{(j+1)})_{\alpha, \alpha'} = 2^{-n}$ if and only if $(\hat\rho^{(j)})_{\alpha, \alpha'} = 2^{-n}$ and $(\alpha \oplus \alpha') \bullet \theta_{j+1} = 0$. So, $(\hat\rho^{(j+1)})_{\alpha, \alpha'} = 2^{-n}$ if and only if, for every $\theta \in G^{(j+1)}$, $(\alpha \oplus \alpha') \bullet \theta = 0$. This last condition is equivalent to $(\alpha \oplus \alpha') \in G^{(j+1)\perp}$. This concludes the induction.
Now, using the formula for $\hat\rho_0 = \hat\rho^{(q)}$ given by (42), together with formulas (40) and (41), one obtains that, for every $\theta \in C[G, x]$,
$$(\hat\rho_x)_{\alpha, \alpha'} = 2^{-n} \times \begin{cases} 0 & \text{if } (\alpha \oplus \alpha') \notin C^\perp[G] \\ (-1)^{(\alpha \oplus \alpha') \bullet \theta} & \text{otherwise.} \end{cases}$$
Now, because the rows of $G$ are independent, for every $\alpha \in C^\perp[G]$ there is a unique string $\lambda(\alpha) \in \{0, 1\}^{r+m}$ such that $\lambda(\alpha) \bullet G = \alpha$. Let $\lambda(\alpha \oplus \alpha')$ be such that
$$\lambda(\alpha \oplus \alpha') \bullet G = (\alpha \oplus \alpha').$$
By definition of $\theta$, one has that $G \bullet \theta = x$. So, one obtains
$$(\hat\rho_x)_{\alpha, \alpha'} = 2^{-n} \times \begin{cases} 0 & \text{if } (\alpha \oplus \alpha') \notin C^\perp[G] \\ (-1)^{\lambda(\alpha \oplus \alpha') \bullet x} & \text{otherwise.} \end{cases} \qquad (44)$$
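As an added example (not the paper's code), the following Python carries the computation of Appendix D and D.1 through on a 4-bit toy instance. It builds $\tilde\rho_x$ in Bob's conjugate basis directly from its definition (averaging $|g\rangle\langle g|$ over the coset, with the Hadamard-type expansion of $|g\rangle$), evaluates the closed form (44), and also obtains $\hat\rho_x$ from $\hat\rho_0$ through (40) and (41) with one coset element $\theta$; all three representations must agree entry by entry. The matrix $G = (F; K)$ with $F = (1\,1\,0\,0)$, $K = (0\,1\,1\,0)$ and the syndrome $x = (1, 0)$ are assumptions of the example; exact rational arithmetic is used so that equality, not approximate closeness, is checked.

```python
from fractions import Fraction
from itertools import product

# Constructed example, not the paper's code: a 4-bit instance of Appendix D with
# G = (F; K), F = (1 1 0 0), K = (0 1 1 0), syndrome x = (s, k) = (1, 0).
G_EXAMPLE = ((1, 1, 0, 0), (0, 1, 1, 0))   # rows F and K (assumed)
X_EXAMPLE = (1, 0)                          # syndrome (s, k) (assumed)

def dot(u, v):
    """Inner product over GF(2): XOR of the bitwise products."""
    return sum(a & b for a, b in zip(u, v)) % 2

def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def syndrome(G, w):
    """G . w over GF(2), one bit per row of the parity-check matrix G."""
    return tuple(dot(row, w) for row in G)

def coset(G, x, n):
    """C[G, x] = {w in {0,1}^n | G . w = x}; x = 0 gives the code C[G] itself."""
    return [w for w in product((0, 1), repeat=n) if syndrome(G, w) == x]

def dual_with_lambda(G, n):
    """C^perp[G] as a dict v -> lambda with lambda . G = v (unique since the rows of G are independent)."""
    span = {}
    for lam in product((0, 1), repeat=len(G)):
        v = tuple([0] * n)
        for bit, row in zip(lam, G):
            if bit:
                v = xor(v, row)
        span[v] = lam
    return span

def rho_from_definition(G, x, n):
    """<t| rho~_x |t'> in Bob's (conjugate) basis, straight from the definition
    rho~_x = |C|^{-1} sum_{g in C[G,x]} |g><g| with |g> = 2^{-n/2} sum_t (-1)^{g.t} |t>."""
    C_x = coset(G, x, n)
    basis = list(product((0, 1), repeat=n))
    scale = Fraction(1, (2 ** n) * len(C_x))          # 2^{-n} / |C|
    return {(t, tp): scale * sum((-1) ** dot(g, xor(t, tp)) for g in C_x)
            for t in basis for tp in basis}

def rho_closed_form(G, x, n):
    """Equation (44): 2^{-n} (-1)^{lambda(t xor t') . x} if t xor t' in C^perp[G], else 0."""
    dual = dual_with_lambda(G, n)
    basis = list(product((0, 1), repeat=n))
    rho = {}
    for t in basis:
        for tp in basis:
            diff = xor(t, tp)
            rho[(t, tp)] = Fraction((-1) ** dot(dual[diff], x), 2 ** n) if diff in dual else Fraction(0)
    return rho

def conjugate_by_U(rho, theta):
    """Equation (41): (U_theta rho U_theta)_{a,a'} = (-1)^{(a xor a') . theta} rho_{a,a'}."""
    return {(a, ap): (-1) ** dot(xor(a, ap), theta) * v for (a, ap), v in rho.items()}

def check_appendix_d(G, x, n):
    """True when the definition, the closed form (44) and the U_theta route (40) agree and tr = 1."""
    direct = rho_from_definition(G, x, n)
    closed = rho_closed_form(G, x, n)
    rho_0 = rho_from_definition(G, tuple([0] * len(G)), n)   # syndrome 0: the code itself
    theta = coset(G, x, n)[0]                                 # any element of C[G, x] will do
    via_U = conjugate_by_U(rho_0, theta)                      # rho^_x = U_theta rho^_0 U_theta
    trace = sum(v for (t, tp), v in direct.items() if t == tp)
    return direct == closed and direct == via_U and trace == 1
```

In this instance the code $C[G]$ has dimension $q = 2$, so the coset has $|C| = 4$ elements and the prefactor $2^{-q}$ of the definition coincides with $1/|C|$. The off-diagonal entries that survive are exactly those with $t \oplus t'$ in the row span of $G$, and their signs are fixed by the syndrome $x$ alone, which is the point of the appendix: the syndrome is the only information about the transmitted string that is visible in Bob's conjugate basis.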

Appendix E. On Probabilistic Implications

In our proof, the number $n_D$ in the fictive test lemma is itself random, whereas we want a fixed upper bound on Eve's information. To address this issue, we could use the law of large numbers to obtain a lower bound $n_D^{\min}$ for $n_D$ and use this lower bound instead of $n_D$, but, as we now explain, this approach would somehow ignore an essential mechanism used in the protocol. If we used the law of large numbers, it would mean that we want a bound on $n_D$ that is respected with probability almost one. This approach would be justified if, whenever this bound is not respected, Eve received too much information. However, this is not the way the protocol works. In our protocol, Eve receives no information when the bound is not respected, because $m$ is set to 0 when it happens. Note that, as far as privacy is concerned, this mechanism works even if the lower bounds are very large and fail most of the time. Therefore, we should not have to use the law of large numbers in this particular context to prove privacy. One should use the law of large numbers to prove that $m$ is larger than 0 with a reasonable probability, but this is a different issue that is not related to privacy. The following proposition explains the basic mechanism that is used in our protocol, as far as privacy is concerned, to address the issue of random parameters such as $n_D$.
For concreteness, one can think that this proposition is used with the events $\mathcal{N}(l) : |p(k|v) - 2^{-m}| \le \sigma(l)$, $l = 1, 2, \ldots$, where $\sigma(l)$ is some nonincreasing function of the integer $l$. The event $|p(k|v) - 2^{-m}| \le \sigma$ (for some $\sigma > 0$) is used in Lemma 1. With this particular choice for $\mathcal{N}(l)$, the conclusion in Proposition 6 is essentially the kind of hypothesis that is required in Lemma 1.

PROPOSITION 6. Consider a fixed protocol (i.e., consider that all parameters are fixed). Let $\xi = \xi(l)$ be a nonincreasing real-valued function defined on the set of positive integers $l$. Let $\mathcal{N}(1), \mathcal{N}(2), \ldots$ be events that are (simultaneously) defined by the protocol. Assume furthermore that, if $l' \ge l$, we have $\mathcal{N}(l') \Rightarrow \mathcal{N}(l)$. Let $\mathbf{n}$ be a random integer defined in the protocol. (The letter $n$ is often used to denote a security parameter, but here $\mathbf{n}$ is not a security parameter.) Consider some fixed integer $n_{\min} > 0$. Consider any event $\mathcal{P}_T$ such that we can prove $\mathcal{P}_T \Rightarrow_{\xi(n) \mid \mathbf{n} = n} \mathcal{N}(n)$ for every $n \ge n_{\min}$ (see Definition 2). Let $\mathcal{X}$ be the event which is TRUE when $\mathbf{n} \ge n_{\min}$. We have $\mathcal{P}_T \wedge \mathcal{X} \Rightarrow_{\xi(n_{\min})} \mathcal{N}(n_{\min})$.

Remark. We actually have a more complicated situation in our proof. We have two probabilistic implications: (1) $\mathcal{P}_T \Rightarrow_{\gamma(n_1) \mid \mathbf{n}_1 = n_1} \mathcal{S}(n_1)$, for every $n_1$, and (2) $\mathcal{S}(n_1) \Rightarrow_{\lambda(n_2) \mid \mathbf{n}_2 = n_2} \mathcal{N}(n_1, n_2)$, for every $n_1, n_2$, where $\mathcal{S}(n_1)$ is some intermediary event. We apply Proposition 6 to each implication separately (and thus avoid mutual conditioning of variables) and then use Proposition 1 to obtain the hypothesis of Lemma 1.

PROOF OF PROPOSITION 6. We first show $\mathcal{X} \wedge \mathcal{P}_T \Rightarrow_{\xi(n_{\min})} \mathcal{N}(\mathbf{n})$, in which we do not yet consider the event $\mathcal{N}(n_{\min})$; that is, we first show $\Pr(\neg\mathcal{N}(\mathbf{n}) \wedge \mathcal{X} \wedge \mathcal{P}_T) \le \xi(n_{\min})$. The event $\neg\mathcal{N}(\mathbf{n})$ is TRUE in a particular run of the protocol if $\mathbf{n}$ takes a value $n$ such that $\neg\mathcal{N}(n)$ is TRUE. Therefore, we have
$$\begin{a
ligned}
\Pr(\neg\mathcal{N}(\mathbf{n}) \wedge \mathcal{X} \wedge \mathcal{P}_T)
&= \sum_{n \ge n_{\min}} \Pr(\mathcal{P}_T \wedge \neg\mathcal{N}(n) \mid \mathbf{n} = n)\, \Pr(\mathbf{n} = n) \\
&\le \sum_{n \ge n_{\min}} \xi(n)\, \Pr(\mathbf{n} = n) \\
&\le \xi(n_{\min}) \sum_{n \ge n_{\min}} \Pr(\mathbf{n} = n) \\
&= \xi(n_{\min})\, \Pr(\mathbf{n} \ge n_{\min}) \le \xi(n_{\min}).
\end{aligned}$$
So, using Proposition 1, we obtain $\mathcal{X} \wedge \mathcal{P}_T \Rightarrow_{\xi(n_{\min})} \mathcal{N}(\mathbf{n}) \wedge \mathcal{X}$. We have proven the proposition since $\mathcal{N}(\mathbf{n}) \wedge \mathbf{n} \ge n_{\min} \Rightarrow \mathcal{N}(n_{\min})$. $\square$
ACKNOWLEDGMENTS. The author is grateful to Charles Bennett, Howard E.
Brandt, Gilles Brassard, Claude Crépeau, David Divincenzo, Hitoshi Inamori,
Peter Shor, John Smolin, Alain Tapp, and Andrew Yao for helpful discussions
and advice.
REFERENCES

BARG, A. 1997. Complexity issues in coding theory. Electronic Colloquium on Computational Complexity Report TR97-046 (ISSN 1433-8092, 4th Year, 46th Report), ftp://ftp.eccc.uni-trier.de/pub/eccc/reports/1997/TR97-046/index.html.
BENNETT, C. H. 1992. Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68, 21 (May 25), 3121–3124.
BENNETT, C. H., BESSETTE, F., BRASSARD, G., SALVAIL, L., AND SMOLIN, J. 1992. Experimental quantum cryptography. J. Crypt. 5, 1, 3–28.
BENNETT, C. H., AND BRASSARD, G. 1984. Quantum cryptography: Public key distribution and coin tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing (Bangalore, India, Dec.). IEEE Computer Society Press, Los Alamitos, Calif., pp. 175–179.
BENNETT, C. H., BRASSARD, G., CRÉPEAU, C., AND SKUBISZEWSKA, M.-H. 1992. Practical quantum oblivious transfer. In Advances in Cryptology—CRYPTO '91: Proceedings. Lecture Notes in Computer Science, vol. 576. Springer-Verlag, New York, pp. 362–371.
BENNETT, C. H., BRASSARD, G., POPESCU, S., SCHUMACHER, B., SMOLIN, J., AND WOOTTERS, W. K. 1996. Phys. Rev. Lett. 76, 722–725.
BENNETT, C. H., BRASSARD, G., AND ROBERT, J.-M. 1988. Privacy amplification by public discussion. SIAM J. Comput. 17, 2 (Apr.), 210–229.
BIHAM, E., BOYER, M., BRASSARD, G., VAN DE GRAAF, J., AND MOR, T. 1998. Security of quantum key distribution against all collective attacks. LANL archives quant-ph/9801022.
BIHAM, E., AND MOR, T. 1996. On the security of quantum cryptography against collective attacks. Phys. Rev. Lett. 78, 2256–2259.
BRASSARD, G., AND CRÉPEAU, C. 1996. Cryptology column—25 years of quantum cryptography. SIGACT News 27, 3 (Sept.), 13–24.
DEUTSCH, D., EKERT, A. K., JOZSA, R., MACCHIAVELLO, C., POPESCU, S., AND SANPERA, A. 1996. Phys. Rev. Lett. 77, 2818–2821.
DUMAIS, P., SALVAIL, L., AND MAYERS, D. 2000. Perfectly concealing quantum bit commitment from any quantum one-way permutation. In Eurocrypt 2000 (to be published).
EKERT, A. 1991. Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 661.
INAMORI, H., LUTKENHAUS, N., AND MAYERS, D. 1999. Security of practical quantum key distribution. Presented at the NEC Workshop on Quantum Cryptography, December 1999 (no proceedings).
KEARNS, M. J. 1989. The Computational Complexity of Machine Learning. MIT Press. (Original proof in: H. Chernoff, A measure of asymptotic efficiency for tests of a hypothesis based on the sum of observations. Ann. Math. Stat. 23, 493 (1952).)
LO, H.-K., AND CHAU, H. F. 1998. Security of quantum key distribution. Los Alamos preprint archive quant-ph/9803006, March.
MACWILLIAMS, F. J., AND SLOANE, N. J. A. 1977. The Theory of Error-Correcting Codes. North-Holland, Amsterdam, The Netherlands.
MAYERS, D. 1995. On the security of the quantum oblivious transfer and key distribution protocols. In Advances in Cryptology—Proceedings of CRYPTO '95 (Aug.). Springer-Verlag, New York, pp. 124–135.
MAYERS, D. 1996. Quantum key distribution and string oblivious transfer in noisy channels. In Advances in Cryptology—Proceedings of CRYPTO '96 (Aug.). Springer-Verlag, New York, pp. 343–357.
MAYERS, D. 1997. Unconditionally secure quantum bit commitment is impossible. Phys. Rev. Lett. 78, 17 (Apr.), 3414–3417.
MAYERS, D. 2001a. Self-checking quantum apparatus and violation of classical locality. (Manuscript.)
MAYERS, D. 2001b. Quantum key distribution is unconditionally secure. Tech. Rep. (in preparation).
MAYERS, D., AND SALVAIL, L. 1994. Quantum oblivious transfer is secure against all individual measurements. In Proceedings of the Workshop on Physics and Computation, PhysComp '94 (Dallas, Tex., Nov.), pp. 69–77.
MAYERS, D., AND YAO, A. 1998. Quantum cryptography with imperfect apparatus. In Proceedings of the 39th IEEE Conference on Foundations of Computer Science. IEEE Computer Society Press, Los Alamitos, Calif.
PERES, A. 1993. Quantum Theory: Concepts and Methods. Kluwer Academic Publishers, Dordrecht, The Netherlands.
SHOR, P. W., AND PRESKILL, J. 2000. Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85, 441.
WEGMAN, M. N., AND CARTER, J. L. 1981. New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22, 265–279.
YAO, A. 1995. In Proceedings of the 26th Symposium on the Theory of Computing (June). ACM, New York, pp. 67–75.

RECEIVED FEBRUARY 1999; REVISED FEBRUARY 1999; ACCEPTED FEBRUARY 1999

Journal of the ACM, Vol. 48, No. 3, May 2001.
