A simple proof of the unconditional security of quantum key distribution

Hoi-Kwong Lo
Hewlett-Packard Labs, Filton Road, Stoke Gifford, Bristol, UK, BS34 8QZ.
(July 31, 2018)
arXiv:quant-ph/9904091v1 27 Apr 1999

Abstract

Quantum key distribution is the most well-known application of quantum
cryptography. Previously proposed proofs of security of quantum key distribution
contain various technical subtleties. Here, a conceptually simpler proof
of security of quantum key distribution is presented. The new insight is the
invariance of the error rate of a teleportation channel: We show that the error
rate of a teleportation channel is independent of the signals being transmitted.
This is because the non-trivial error patterns are permuted under teleporta-
tion. This new insight is combined with the recently proposed quantum to
classical reduction theorem. Our result shows that assuming that Alice and
Bob have fault-tolerant quantum computers, quantum key distribution can be
made unconditionally secure over arbitrarily long distances even against the
most general type of eavesdropping attacks and in the presence of all types
of noises.

I. INTRODUCTION

Perfectly secure communication between two users can be achieved if they share before-
hand a common random string of numbers (a key). A big problem in conventional cryptog-
raphy is the key distribution problem: In classical physics, there is nothing to prevent an
eavesdropper from monitoring the key distribution channel passively, without being caught
by the legitimate users. Quantum key distribution (QKD) [1,11] has been proposed as a
new solution to the key distribution problem. In quantum mechanics, there is a well-known
“quantum no-cloning theorem” which states that it is impossible for anyone (including an
eavesdropper) to make a perfect copy of an unknown quantum state [8,21]. Therefore, it
is generally thought that eavesdropping on a quantum channel will almost surely produce
detectable disturbances.

A. Prior work on security of QKD

“The most important question in quantum cryptography is to determine how secure
it really is.” (p. 16 of [6]) Indeed, there have been many investigations on the issue of
security of QKD. Most analyses have dealt with restricted classes of attacks such as single-
particle eavesdropping strategies (For a review, see, for example, [13].), and also the so-
called collective attacks [4,5], where Eve brings each signal particle into interaction with
a separate probe, and after hearing the authenticated public discussion between Alice and
Bob, measures all the probes together. More recently, the most general type of attacks
have been considered. There have been a number of proposed proofs of the unconditional
security of QKD [9,15–17,19] based on the laws of quantum mechanics. Note that one should
also consider problems of imperfect sources, imperfect measuring devices and noisy channels
employed by Alice and Bob.

1. Why is a proof of security of QKD so difficult?

There are many types of eavesdropping strategies. One could imagine that Eve has a
quantum computer. In the most general eavesdropping strategy, Eve regards the whole
sequence of quantum signals as a single entity. She couples this entity with her probe and
then evolves the combined system using a unitary transformation of her choice. Finally, she
sends a subsystem to the user(s) and keeps the rest for eavesdropping purposes. Notice that
Eve can choose any unitary transformation she likes and yet a secure QKD scheme must
defeat all of them. Two major difficulties are expected in a proof of security of QKD. First,
Eve tries to evade detection by attributing noises caused by her eavesdropping attack to
normal transmission noise. Second, owing to the subtle quantum correlations between Eve
and the users, a naïve application of classical arguments may be fallacious. Indeed, there is
a well-known paradox—Einstein-Podolsky-Rosen paradox [10]—which illustrates clearly the
general failing of naïve classical arguments in quantum mechanics.

2. Two alternative approaches to proving security

Roughly speaking, there are two main alternative approaches to proving the uncondi-
tional security of QKD. The first approach deals with the most well-known QKD scheme
BB84 proposed by Bennett and Brassard [1]. The advantage of this approach is that it
does not require the employment of quantum computers by Alice and Bob. However, all
versions of current proposed proofs of unconditional security based on this approach require
the assumption of a perfect photon source [19]. (Earlier versions of [19] have appeared as
[16,17] but they are less definite.) Given that a perfect photon source is beyond current tech-
nology, proofs based on the first approach (just like those based on the second approach)
cannot be directly applied to real-life experiments. See also [20]. The second approach
deals with QKD schemes that employ the subtle quantum mechanical correlations—known
as “entanglement”–which have no classical analog. This approach was first suggested in
[9], which, however, assumes perfect quantum devices. A more recent paper [15] addresses
this issue of imperfect devices using the idea of fault-tolerant quantum computation and
quantum repeaters (i.e., relay stations) [7]. It also derives a rigorous bound on Eve’s infor-
mation under the assumption of reliable local quantum computations. Note that the second
approach requires Alice and Bob to possess quantum computers, which are well beyond
current technology. However, the second approach, as rigorously developed in [15], has a
number of advantages. First, it extends the range of secure QKD to arbitrarily long dis-
tances even with insecure “quantum repeaters” (i.e., relay stations). In contrast, such an
extension with the first approach will require perfectly secure quantum repeaters. Second,
when implemented over a noisy channel, QKD schemes based on the second approach tend
to tolerate a larger error rate. Third, a proof of security and the tradeoff between noise and
key rate are much easier to work out in the second approach. Fourth, the second approach
is conceptually simpler. Finally, some of the techniques developed in the second approach
have widespread applications. Indeed, it is plausible that some of those techniques, when
properly generalized, can be applied to the first approach.

B. Significance of our results

It has to be said that all previously proposed proofs of security of QKD involve various
technical subtleties. Here we present a simple proof of the unconditional security of QKD.
The proof, based on the second approach, not only enjoys all the fundamental advantages
mentioned above of the recently proposed proof [15], but also is conceptually simpler.
Besides, our proof gives us an extremely interesting new insight on the well-known “tele-
portation” channel [2]: With a classical random sampling method, one can assign a set of
classical probabilities to the various error patterns of a quantum teleportation channel. Besides,
the error rate (the probability of having a non-trivial error pattern) for each signal
is independent of the identity of the signal being transmitted. This is highly non-trivial
because, as noted in subsubsection I A 1, the well-known Einstein-Podolsky-Rosen paradox
demonstrates that applications of classical arguments to a quantum problem often lead to
fallacies [10].
Another potential advantage of our proof is that, with imperfect local quantum compu-
tations, it is probable that a longer key can be generated by the current scheme with the
same quantum channel.

II. SECURITY REQUIREMENT AND IDEAS TOWARDS A PROOF

Definition: A QKD scheme is said to be unconditionally secure if, for any security
parameters k, l > 0 chosen by Alice and Bob, they can follow the protocol and construct a
verification test such that, for any eavesdropping attack by Eve that will pass the test with
a non-negligible amount of probability, i.e., more than $e^{-k}$, the two following conditions are
satisfied: (i) Eve’s mutual information with the final key is always negligible, i.e., less than
$e^{-l}$ and (ii) the final key is, indeed, essentially random.
Remark: The security parameters k and l depend on how hard Alice and Bob are willing
to work towards perfect security (e.g., the size of the messages exchanged between Alice
and Bob and the number of rounds of authentication between them) and are, at least in
principle, computable from a protocol.

A. A simple idea, its problems and our solution

Consider the following simple idea of proof of security of QKD. Alice prepares r quantum
signals and encodes their state into a quantum error correcting code (QECC) (see, for
example, [3]) of length n which corrects say t errors. In addition, she also prepares m
other quantum signals which will be used as test signals. She then randomly permutes the
N = n+m signals and sends them to Bob via a noisy channel controlled by an eavesdropper.
Bob publicly announces that he has received all the N signals from Alice. Upon Bob’s
confirmation of the receipt, Alice publicly announces the location of the m test signals and
their specific state. Now, Bob measures the m test signals and computes their error rate, $e_1$.
Using the error rate $e_1$, Alice and Bob apply classical random sampling theory in statistics
to establish confidence levels for the error rate of the n remaining (i.e., untested) signals
and, hence, produce a probabilistic bound on the amount of eavesdropper’s information on
the encoded r quantum signals. [The point is that, unless there are more than t errors in
the QECC, Eve knows absolutely nothing about the encoded state.] If Alice and Bob are
satisfied with the degree of security, they measure the r quantum signals to generate an r-bit
key.
This raw idea looks simple, but it is essentially classical. It will work if the following three
requirements are satisfied. (1) Each error pattern can be assigned a classical probability;
(2) The error rate of the signals is independent of the actual signals being transmitted (i.e.,
Eve cannot somehow change a non-trivial error operator to a trivial one depending on which
signals are transmitted); (3) The quantum error correction and key generation can be done
fault-tolerantly.
Since applications of classical arguments could be fallacious, it would be naïve to assign
a probability distribution to the set of error patterns without a rigorous mathematical jus-
tification. In fact, rather disappointingly, we are unable to establish requirements (1) and
(2) for the most general quantum channel.
Nonetheless, we manage to complete our proof of security of QKD by the following line of
arguments. We notice that requirement (1) has already been established in [15] for the special
case of the transmission of some standard states (halves of so-called EPR pairs). Moreover, it
is well-known in quantum information theory that the transmission of any general quantum
state can be reduced to that of the standard state and classical communication via a process
called teleportation [2] (which will be discussed in subsection IV A).
Our line of attack is, thus, to establish requirements (1) and (2) for the special case
of a teleportation channel only. In other words, we show that, by using teleportation to
transmit quantum states through a noisy quantum channel (which may be controlled by an
eavesdropper), the error rate [i.e., the probability of having a non-trivial error operator (or
Pauli matrix) acting on the transmitted signal, as can be estimated by a classical random
sampling procedure] is independent of the quantum state being transmitted. This invariance
result ensures that, for a quantum teleportation channel, even an ingenious eavesdropper
cannot change its underlying error rate and make it dependent on the identity of the quantum
signals being transmitted. This new insight of ours—the “invariance of the error rate of a
quantum teleportation channel”—will be stated as Proposition 5 and discussed in subsequent
sections.

B. Einstein-Podolsky-Rosen pairs

Readers who are unfamiliar with quantum information should refer to appendix A. One
can measure a quantum bit (or qubit) along any direction and each measurement can give two
possible outcomes. An Einstein-Podolsky-Rosen pair of qubits has the following interesting
property. If two members of an EPR pair are measured along any common axis, each
member will give a random outcome, and yet, the outcomes of the two members will always
be anti-parallel. This is so even when the two members are distantly separated. Such an
action at a distance is at the core of the Einstein-Podolsky-Rosen paradox and it defies any
simple classical explanation.
Now, if two persons, Alice and Bob, share R EPR pairs, they can generate a common
random string of numbers (an R-bit key) by measuring each member along some common
axis. The laws of quantum mechanics guarantee that, provided that the R pairs are of
almost perfect fidelity, the key generated will be almost perfectly random and that Eve will
have a negligible amount of information on its value. In fact, we have
Lemma 1: (Note 28 of [15]) If Alice and Bob share R EPR pairs of fidelity at least
$1 - 2^{-k}$, for a sufficiently large k, and they generate an R-bit key by measuring these pairs
along any common axis, then Eve’s mutual information on the final key will be bounded by
$2^{-c} + 2^{O(-2k)}$ where $c = k - \log_2 [2R + k + (1/\log_e 2)]$.
Proof: In supplementary material of [15].
So, the Holy Grail of the second approach to secure QKD is to construct a scheme for
distributing R almost perfect EPR pairs even in the presence of noises and Eve.

III. QUANTUM TO CLASSICAL REDUCTION THEOREM

A. Theory

A proof of security of QKD can be simplified greatly if one can apply well-known powerful
techniques in classical probability theory and statistical theory to the problem. However, as
noted in subsection I A 1, applications of classical arguments to a quantum problem often
lead to fallacies. A key ingredient of our current proof is, therefore, a quantum to classical
reduction theorem proven in [15], which justifies the usage of classical arguments.
Let us recapitulate this quantum to classical reduction theorem from the viewpoint of
“commuting observables”: Conceptually, classical arguments work because all the observables
$O_i$'s under consideration are diagonal with respect to a single basis, which we shall
call B. More concretely, let M be the observable that represents the complete von Neumann
measurement along the basis B. Since $O_i$'s and M are all diagonal with respect to the basis
B, they clearly commute with one another. Therefore, the measurement M along basis B will
in no way change the outcome of subsequent measurements $O_i$'s. Without loss of generality,
we can imagine that such a measurement M is always performed before the measurement of
subsequent $O_i$'s. Consequently, the initial state is always a classical mixture of eigenstates
of M and, hence, classical arguments carry over directly to a quantum problem. In this
sense, the quantum problem has a classical interpretation.¹ Mathematically, this quantum
to classical reduction theorem can be stated as the following theorem.

¹ This quantum to classical reduction theorem is rather subtle. First, the observables $O_i$'s under
consideration are coarse-grained observables (i.e. observables with degenerate eigenvalues), rather
than fine-grained ones (i.e. observables with non-degenerate eigenvalues). It is a priori surprising
that coarse-graining as a mathematical technique will give a classical interpretation to a quantum
problem. Second, the eigenstates of M employed in [15] are, in fact, the so-called Bell states (see
subsection III B and appendix B), which exhibit non-local quantum mechanical correlations. It is
a priori surprising that such a non-local (or quantum mechanical) Bell basis can have a classical
interpretation.

Theorem 2: [15] Consider a mixed quantum state described by ρ and a set of one-dimensional
non-commuting projection operators $Q_j$ on it. Suppose there exists a complete
set of coarse-grained observables $O_i$ of $Q_j$ such that all the $O_i$'s commute with one another.
[Here, by coarse-graining, one means that each $O_i$ can be written as a sum of a set of
orthogonal projectors $Q_j$ and by completeness, one means that $\sum_i O_i = I$.] Let us consider
a complete von Neumann measurement M which commutes with all $O_i$. [Because of the
commutativity of $O_i$'s, such M must exist.] Let $|v_k\rangle$ be the basis vectors of M. Then,
Theorem 2 says that, for all i, we have

$$\mathrm{Tr}(O_i \rho) = \mathrm{Tr}\left( O_i \sum_k |v_k\rangle\langle v_k| \rho |v_k\rangle\langle v_k| \right). \qquad (1)$$

Remark: Physically, Theorem 2 says that the probabilities of all the coarse-grained outcomes
$O_i$'s are unchanged by a prior complete von Neumann measurement M. The full power
of Theorem 2 will be demonstrated in Proposition 3.
Proof: Sketch. By construction, for each $O_i$ there exist a coefficient $\lambda_i$ and a set $K_i$
such that $O_i = \lambda_i \sum_{l \in K_i} |v_l\rangle\langle v_l|$. From the definition of $\mathrm{Tr} A$ as $\sum_m \langle v_m|A|v_m\rangle$, it is now a
simple exercise to establish Eq. (1).

B. Application to random sampling

Consider the following example (example (i) on p. 2054 of [15]). Suppose two distant
observers, Alice and Bob, share a large number, say N, pairs of qubits, which may be
prepared by Eve. Those pairs may, thus, be entangled with one another in an arbitrary
manner and also with the external universe, for example, an ancilla prepared by Eve. How
can Alice and Bob estimate the number of singlets in those N pairs? (By the number of
singlets, here we mean the expected number of “yes” answers if a singlet-or-not measurement
were made on each pair individually.)
The solution is the following random sampling procedure and proposition.
Procedure: Suppose Alice and Bob randomly pick m of the N pairs and, for each pair,
choose randomly one of the three (x, y and z) axes and measure the two members along
it. They publicly announce their outcomes. Let k be the number of anti-parallel outcomes
obtained in this random sampling procedure.
Proposition 3: (in Section VI of supplementary material of [15]) The fraction of singlets,
$f_s$, in the N pairs can be estimated as $(3k - m)/2m$. Furthermore, confidence levels can be
deduced from classical statistical theory for a finite population (of N objects).
Proof: A direct application of Theorem 2. Let us order the N pairs. Consider, for the
i-th pair, the projection operations $P^i_{\parallel,a}$ and $P^i_{\mathrm{anti}-\parallel,a}$ for the two coarse-grained outcomes
(parallel and anti-parallel) of the measurements on the two members of the pair along the
a axis where a = x, y or z. A simple but rather important observation is the following:
each of these projection operators can be mathematically re-written as a linear combination
of projection operators along a single basis, namely Bell basis. (See appendix B for details.)
A basis for N ordered pairs of qubits (what we shall call N-Bell basis) consists of products
of Bell basis vectors, each of which is described by a 2N-bit string. Now, let us consider
the operator $M_B$ that represents the action of a complete von Neumann measurement along
N-Bell basis. Since $M_B$, $P^i_{\parallel,a}$ and $P^i_{\mathrm{anti}-\parallel,a}$ are diagonal with respect to a single basis (N-Bell
basis), they clearly commute with each other. Thus, a pre-measurement $M_B$ by Eve
along N-Bell basis will in no way change the outcome for $P^i_{\parallel,a}$ and $P^i_{\mathrm{anti}-\parallel,a}$. Without any loss
of generality, we can assume that such a pre-measurement is always performed before the
subsequent measurement of $P^i_{\parallel,a}$ and $P^i_{\mathrm{anti}-\parallel,a}$. In other words, we have a classical mixture of
N-Bell basis vectors and classical probability theory referring only to the N-Bell basis vectors
is, thus, valid. For this reason, estimation of the number of singlets as well as confidence
levels of such an estimation can be done by classical statistical theory. QED.
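
The estimate of Proposition 3 and a finite-population confidence calculation, worked through as an added Python example (not code from the paper or from [15]). It assumes the standard labelling in which each non-singlet Bell state is a singlet with one Pauli operator (x, y or z) applied to one member, so that such a pair is anti-parallel only along its own error axis; the function names and the sample population are constructed for illustration.

```python
import math
import random

AXES = ("x", "y", "z")

def antiparallel(error, axis):
    """Result of measuring both members of one pair along `axis`.

    `error` is "I" for a singlet, or "x"/"y"/"z" for the Bell state obtained
    by applying that Pauli operator to one member of a singlet (assumed
    labelling). A singlet is anti-parallel along every axis; a damaged pair
    is anti-parallel only along the axis of its own error.
    """
    return error == "I" or error == axis

def estimate_singlet_fraction(k, m):
    """Proposition 3: f_s is estimated as (3k - m) / 2m."""
    return (3 * k - m) / (2 * m)

def run_test(pairs, m, rng):
    """Test m randomly chosen pairs, each along a random axis.

    Returns (k, estimate of f_s), k being the number of anti-parallel outcomes.
    """
    tested = rng.sample(range(len(pairs)), m)
    k = sum(antiparallel(pairs[i], rng.choice(AXES)) for i in tested)
    return k, estimate_singlet_fraction(k, m)

def pass_probability(n_pairs, n_bad, m, max_parallel):
    """Chance that n_bad non-singlets among n_pairs go almost unnoticed.

    Exact finite-population calculation: the number d of non-singlets that
    land in the sample is hypergeometric, and each of them shows a parallel
    outcome with probability 2/3 (two of the three axes expose it).
    Returns P(number of parallel outcomes <= max_parallel).
    """
    total = math.comb(n_pairs, m)
    prob = 0.0
    for d in range(max(0, m - (n_pairs - n_bad)), min(m, n_bad) + 1):
        hyper = math.comb(n_bad, d) * math.comb(n_pairs - n_bad, m - d) / total
        seen = sum(math.comb(d, p) * (2 / 3) ** p * (1 / 3) ** (d - p)
                   for p in range(min(d, max_parallel) + 1))
        prob += hyper * seen
    return prob

def constructed_population(n_pairs, n_bad, rng):
    """Constructed sample data: n_bad pairs carry a random Pauli error."""
    pairs = ["I"] * (n_pairs - n_bad) + [rng.choice(AXES) for _ in range(n_bad)]
    rng.shuffle(pairs)
    return pairs

if __name__ == "__main__":
    rng = random.Random(1999)
    pairs = constructed_population(3000, 300, rng)   # true f_s = 0.9
    k, f_s = run_test(pairs, 1500, rng)
    print(f"k = {k} anti-parallel of 1500, estimated f_s = {f_s:.3f}")
    # How likely is a channel with 200 corrupted pairs out of 1000 to show
    # at most 10 parallel outcomes when 300 pairs are tested?
    print(f"pass probability = {pass_probability(1000, 200, 300, 10):.2e}")
```

The pass probability is the classical quantity that the security parameter k of Section II bounds: a heavily corrupted population passes a strict test only with exponentially small probability.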

IV. OUR SECURE QKD SCHEME

We remark that the fraction of singlets, $f_s$, in Proposition 3 has the significance of being
the fraction of uncorrupted qubits in a quantum communication channel shared between
Alice and Bob in the following situation. Suppose Alice prepares N EPR pairs locally and,
afterwards, sends a member of each pair to Bob via a noisy quantum channel controlled by Eve.
As a result of channel noises and eavesdropping attack, some of the N EPR pairs may be
corrupted. Proposition 3 gives us a mathematical estimate of the number of uncorrupted
qubits in the actual transmission, based on the random sampling of a small number of
transmitted signals.
Since quantum error correcting codes (QECCs) exist, it is tempting to construct a secure
QKD scheme by, first, using the random sampling procedure to estimate the error rate of
the transmission and, second, using a QECC to correct the appropriate number of errors.
To ensure that the sampling procedure is, indeed, random, Alice should mix up the test
pairs with the pairs in the actual QECC randomly.
However, as briefly noted in the Introduction, the above idea implicitly assumes that the
following conjecture is true. Let us consider the four error operators $I$, $\sigma_x$, $\sigma_y$ and $\sigma_z$ for
each quantum signal transmitted. (See appendix A for notations.)
Conjecture 4: The error rate of a quantum communication channel is independent of
the signals being transmitted. More precisely, in the current case, one can safely assign a
probability for each error pattern in analyzing the security issue of QKD scheme.
While such a conjecture is intuitively plausible, we are unaware of any rigorous proof
for a general quantum channel. To address this problem, we prove a related but perhaps
weaker result concerning a teleportation channel. We make use of the well-known fact that
any quantum signal can always be transmitted through a quantum communication channel via
teleportation.

A. Teleportation

In teleportation [2], a quantum signal is transported via a dual usage of prior “entanglement”
(i.e. standard EPR pairs shared between the sender, Alice, and the receiver, Bob) and
a classical communication channel. The quantum signal in Alice’s hand is destroyed by her
local measurement, which generates a classical message. This message is then transmitted
to Bob via a classical communication channel. Depending on the content of this message,
Bob can then re-construct the destroyed quantum signal by applying one of the unitary
transformations $I$, $\sigma_x$, $\sigma_y$ and $\sigma_z$ to each of his members of the EPR pairs originally shared
with Alice.
Two points are noteworthy. First, in teleportation the same prior entanglement is shared
by Alice and Bob, independent of the actual quantum signal that will subsequently be
transported. Now, since Alice always sends the same standard quantum signal to Bob
during the prior sharing part of the teleportation process, the discussion of classical random
sampling theory in subsection III B can be applied directly. Second, the re-construction step
in teleportation, if done with reliable quantum computers, will not introduce new errors into
the quantum system. Indeed, if Alice and Bob use a noisy quantum state shared between
them for teleportation, for each transmitted signal, the three types of errors $\sigma_x$, $\sigma_y$ and $\sigma_z$
are simply permuted to one another during the re-construction process. This idea is true
even for a quantum superposition of error patterns and entanglement with external universe
(as specified by the original noisy quantum state shared between them).
Let us formulate this result mathematically. Consider the teleportation of a system S
consisting of N qubits from Alice to Bob with the most general mixed state $\rho_u$. Without
loss of generality, a system described by a mixed state can be equivalently described by
a pure state of a larger system consisting of the original system and an ancilla. (John
Smolin has coined the name “the Church of the larger Hilbert space” for this simple but
useful observation, which has recently been extensively used [9,14,18,12]. For instance, the
generality of the recent proofs of the impossibility of bit commitment [14,18] and one-out-
of-two oblivious transfer [12] follows from this idea.) Applying this idea to our current case,
the state of original system S (plus an ancilla R with which it is entangled) can be written
in the following form (so-called Schmidt decomposition):

$$|v\rangle_{RS} = \sum_m c_m |w_m\rangle_R |v_m\rangle_S , \qquad (2)$$

where $c_m$ are some complex coefficients, $|w_m\rangle_R$ and $|v_m\rangle_S$ are some basis vectors of the two
systems R and S respectively. The initial state $\rho_u$ of the N pairs shared by Alice and Bob
can also be purified in “the Church of the larger Hilbert space” as

$$|u\rangle = \sum_{i_1,i_2,\cdots,i_N} \sum_j \alpha_{i_1,i_2,\cdots,i_N,j} |i_1, i_2, \cdots, i_N\rangle \otimes |j\rangle , \qquad (3)$$

where $i_k$ denotes the state of the k-th pair and it runs from $\tilde{0}\tilde{0}$ to $\tilde{1}\tilde{1}$, the $|j\rangle$’s form an
orthonormal basis for the environment (or an ancilla prepared by Eve), and $\alpha_{i_1,i_2,\cdots,i_N,j}$ are
some complex coefficients. Each state $|u\rangle$ represents a particular mixed state. Note that $|u\rangle$
can be re-written as an entangled sum of a linear superposition of various error patterns, i.e.,

$$|u\rangle = \sum_{i_1,i_2,\cdots,i_N} \sum_j \alpha_{i_1,i_2,\cdots,i_N,j} \left( \prod_k \sigma^{(k)}_{i_k} \right) |\Psi^-\rangle^N \otimes |j\rangle , \qquad (4)$$

where $\sigma^{(k)}_{i_k}$ acts on Bob’s member of the k-th pair as either $I$, $\sigma_x$, $\sigma_y$ or $\sigma_z$ depending on the
value of $i_k$, and $|\Psi^-\rangle$ denotes an EPR pair. With such notations, one can prove our main
proposition.

Proposition 5: Invariance of error rate under teleportation. In the above notations,
suppose the system S (described by $|v\rangle_{RS} = \sum_m c_m |w_m\rangle_R |v_m\rangle_S$ of the combined
system R and S in Eq. (2)) is teleported using the N pairs shared by Alice and Bob (described
by $|u\rangle$ of the combined system of the N pairs and Eve’s ancilla in Eq. (4)). Suppose
further that the classical outcome of Alice’s measurements is $\{j_k\}$, i.e., she informs Bob to
use the operator $\prod_k \sigma^{(k)}_{j_k}$ for the re-construction process. Then, Bob’s re-constructed state for
the combined system R, S and E can be described by

$$\sum_m \sum_{i_1,i_2,\cdots,i_N} \sum_j c_m |w_m\rangle_R \, \alpha_{i_1,i_2,\cdots,i_N,j} \left[ \prod_k \left( \sigma^{(k)}_{j_k} \sigma^{(k)}_{i_k} \sigma^{(k)}_{j_k} \right) \right] |v_m\rangle_S \otimes |j\rangle . \qquad (5)$$

Remark: The set of complex coefficients $c_m \alpha_{i_1,i_2,\cdots,i_N,j}$ remain totally unchanged under
teleportation. For each teleportation outcome labelled by $\{j_k\}$, the only real change lies
in the conjugation action in the error operator acting on the subsystem S, i.e.,
$\sigma^{(k)}_{i_k} \to \sigma^{(k)}_{j_k} \sigma^{(k)}_{i_k} \sigma^{(k)}_{j_k}$ for each k. (Recall that $\sigma^{(k)}_{j_k}$ is always its own inverse.) Since under such
conjugation the trivial error operator (i.e., the identity $I$) is invariant and the three non-trivial
error operators $\sigma_x$, $\sigma_y$ and $\sigma_z$ are permuted to one another, the error rate of the
teleported signal is exactly the same as that of the original N EPR pairs.
Proof of Proposition 5: A straightforward exercise in quantum information theory
[2], which we will skip here.
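
Proposition 5 for a single pair (N = 1), checked by direct state-vector simulation in an added Python example (not part of the paper). It assumes that Alice's Bell-measurement outcome j is labelled by the Bell vector obtained by applying σ_j to one member of a singlet and that the error σ_i sits on Bob's half as in Eq. (4); all function names and the sample weights are illustrative.

```python
import itertools
import math

PAULI = {
    "I": [[1, 0], [0, 1]],
    "x": [[0, 1], [1, 0]],
    "y": [[0, -1j], [1j, 0]],
    "z": [[1, 0], [0, -1]],
}

def apply(op, vec):
    """Apply a 2x2 operator to a single-qubit state vector."""
    return [op[0][0] * vec[0] + op[0][1] * vec[1],
            op[1][0] * vec[0] + op[1][1] * vec[1]]

def matmul(a, b):
    """Product of two 2x2 matrices."""
    return [[sum(a[r][k] * b[k][c] for k in range(2)) for c in range(2)]
            for r in range(2)]

def bell(label):
    """(I x sigma_label)|Psi->, stored as amp[first qubit][second qubit]."""
    r = 1 / math.sqrt(2)
    singlet = [[0, r], [-r, 0]]                  # (|01> - |10>) / sqrt(2)
    return [apply(PAULI[label], row) for row in singlet]

def teleport(v, error, outcome):
    """Teleport |v> through one pair whose Bob half carries sigma_error.

    Alice's Bell measurement on (signal S, her half A) is assumed to give the
    Bell vector labelled `outcome`; Bob then applies sigma_outcome.
    Returns (probability of that outcome, Bob's normalised final state).
    """
    pair = bell(error)        # amplitudes over (A, B)
    proj = bell(outcome)      # amplitudes over (S, A)
    bob = [0j, 0j]
    for s, a, b in itertools.product(range(2), repeat=3):
        bob[b] += complex(proj[s][a]).conjugate() * v[s] * pair[a][b]
    prob = sum(abs(x) ** 2 for x in bob)
    bob = [x / math.sqrt(prob) for x in bob]
    return prob, apply(PAULI[outcome], bob)

def residual_error(error, outcome):
    """Pauli label and sign of sigma_j sigma_i sigma_j (the factor in Eq. (5))."""
    sj, si = PAULI[outcome], PAULI[error]
    conj = matmul(sj, matmul(si, sj))
    for label, p in PAULI.items():
        for sign in (1, -1):
            if all(abs(conj[r][c] - sign * p[r][c]) < 1e-12
                   for r in range(2) for c in range(2)):
                return label, sign
    raise ValueError("not a Pauli operator up to sign")

def overlap(u, w):
    """|<u|w>|^2, equal to 1 when the states agree up to a global phase."""
    return abs(sum(complex(x).conjugate() * y for x, y in zip(u, w))) ** 2

def check_proposition5(v):
    """True if, for every error i and outcome j, Bob ends with
    sigma_j sigma_i sigma_j |v> and the error stays trivial or non-trivial."""
    for error, outcome in itertools.product(PAULI, repeat=2):
        prob, bob = teleport(v, error, outcome)
        label, _sign = residual_error(error, outcome)
        predicted = apply(PAULI[label], v)
        if abs(prob - 0.25) > 1e-12 or abs(overlap(predicted, bob) - 1) > 1e-12:
            return False
        if (label == "I") != (error == "I"):
            return False
    return True

def error_rate_after(weights, outcome):
    """Error rate once Alice announces `outcome`, given classical weights
    over the error labels of the shared pair (as estimated by sampling)."""
    return sum(p for label, p in weights.items()
               if residual_error(label, outcome)[0] != "I")

if __name__ == "__main__":
    print(check_proposition5([0.6, 0.8j]))
    weights = {"I": 0.90, "x": 0.05, "y": 0.03, "z": 0.02}   # constructed
    print([round(error_rate_after(weights, j), 3) for j in PAULI])
```

Every outcome occurs with probability 1/4 whatever the signal and the error, and the error rate computed from the weights is the same for all four outcomes.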

B. Procedure of our secure QKD scheme

Having established Proposition 5, we now present the procedure of our secure QKD
scheme.
1) Alice prepares N EPR pairs and sends a member of each pair to Bob through a noisy
channel. [In theory, quantum repeaters [7] and two-way schemes for so-called entanglement
purification [1] (a generalization of quantum error correcting codes) could be used in this
step. The error rate here can, therefore, be made to be very small and the scheme works
even for arbitrarily long distances.]
2) Bob publicly announces his receipt of the N quantum signals.
3) Alice randomly picks m of the N EPR pairs for testing. She publicly announces her
choice to Bob. For each pair, Alice and Bob randomly pick one of the three (x, y, and z)
axes and perform a measurement on the two members along it.
4) Alice and Bob publicly announce their measurement outcomes and use classical sam-
pling theory to estimate the error rate in the transmission.
Remark: Proposition 3 allows Alice and Bob to apply classical sampling theory to the
quantum problem at hand to estimate the error rate of the untested particles. Alice and
Bob then proceed with quantum error correction in the next step.
5) Alice prepares say R EPR pairs and encodes the R halves of the pairs (i.e., one member
from each pair) by a quantum error correcting code (QECC) into N − m qubits.
Remark: The requirement of QECC will be discussed in subsection IV C.
6) Alice teleports the N − m qubits to Bob via the remaining N − m pairs that they
share.

Remark: Proposition 5 guarantees the invariance of error rate under teleportation. So,
the estimate done by Alice and Bob in step 4) remains valid.
7) Alice and Bob perform fault-tolerant quantum computation to generate a random
R-bit key by measuring the state of the R encoded EPR pairs along a prescribed common
axis (say the z axis).

C. Fault-tolerant quantum computation

From Propositions 3 and 5, it is quite clear that, assuming reliable local quantum computers,
our scheme works perfectly. However, since local quantum computations may be
imperfect, errors may be generated during the teleportation and key generation, i.e., steps
6) and 7). One can easily take those local errors into account by a choice of QECC with
generous error-correcting and fault-tolerant capabilities. The point is that we have a very
specific and short computation in mind (measurement along z axis only and no unitary
computation at all). Based on any realistic error model for quantum computers and con-
crete choice of QECC, one can give a generous upper bound on the number of local errors
due to imperfect quantum computation. With a fault-tolerant implementation, the total
number of errors in the whole process (transmission, teleportation and key generation) can
be bounded. Therefore, provided that our QECC has sufficiently generous error-correcting
and fault-tolerant capabilities, security is guaranteed. [To be precise, in step 5), the R EPR
pairs should be prepared fault-tolerantly in an encoded form rather than in an unencoded
form.] We remark that, since the required quantum computation here is much simpler than
in [15], the present QKD scheme may be more efficient than the one there.

V. CONCLUDING REMARKS

In summary, we have presented a simple proof of the unconditional security of quantum
key distribution, i.e., ultimate security against the most general eavesdropping attack and the
most general types of noises. Our scheme allows secure QKD over arbitrarily long distances,
but it requires Alice and Bob to have reliable quantum computers, which is far beyond
current technology. However, to put things in perspective, all proposed proofs of security of
QKD involve assumptions (such as ideal sources) that are beyond current technologies.
Notice that some of the techniques developed here and in [15] have widespread applica-
tions. For example, Note 21 of [15] shows that teleportation is a powerful technique against
the quantum Trojan Horse attack. A new application—use random sampling and random
teleportation to prove the feasibility of a general two-party fault-tolerant quantum compu-
tation even in the presence of eavesdroppers—will be discussed in appendix C. In fact, some
of the results are applicable even to the case when Alice and Bob do not have a quantum
computer. A good example is a quantitative statement on the tradeoff between information
gain and disturbance in BB84 [15].
We particularly thank P. W. Shor for inspiring discussions. Very helpful comments from
C. H. Bennett, H. F. Chau, and John Smolin are also gratefully acknowledged.

REFERENCES
[1] C. H. Bennett and G. Brassard, in Proceedings of IEEE Int. Conf. on Computers,
Systems, and Signal Processing, (IEEE, New York, 1984), 175.
[2] C. H. Bennett et al., Phys. Rev. Lett. 70, 1895 (1993).
[3] C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, W. K. Wootters, Phys. Rev. A 54,
3824 (1996).
[4] E. Biham and T. Mor, Phys. Rev. Lett. 78, 2256 (1997).
[5] E. Biham, M. Boyer, G. Brassard, J. van de Graaf, T. Mor, Los Alamos preprint archive
quant-ph/9801022 (1998).
[6] G. Brassard and C. Crépeau, SIGACT News, 27, no. 3, 13 (1996).
[7] W. Dür, H.-J. Briegel, J. I. Cirac, P. Zoller, Phys. Rev. A 59, 169 (1999).
[8] D. Dieks, Phys. Lett. A 92, 271 (1982).
[9] D. Deutsch et al., Phys. Rev. Lett. 77, 2818 (1996); 80, 2022 (1998).
[10] A. Einstein, B. Podolsky, N. Rosen, Phys. Rev. 47, 777 (1935).
[11] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
[12] H.-K. Lo, Phys. Rev. A 56, 1154 (1997).
[13] H.-K. Lo, in Introduction to quantum computation and information, eds. H.-K. Lo, S.
Popescu, and T. Spiller (World Scientific, Singapore, 1998), p. 76.
[14] H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997).
[15] H.-K. Lo and H. F. Chau, Science 283, 2050 (1999); with supplementary material
available at www.sciencemag.org/feature/data/984035.shl .
[16] D. Mayers, in Advances in Cryptology: Proceedings of Crypto’95, Lecture Notes in
Comp. Sci., Vol. 963, (Springer-Verlag, Berlin, 1995), 124.
[17] D. Mayers, in Advances in Cryptology: Proceedings of Crypto’96, Lecture Notes in
Comp. Sci., Vol. 1109, (Springer-Verlag, Berlin, 1996), 343.
[18] D. Mayers, Phys. Rev. Lett. 78, 3414 (1997).
[19] D. Mayers, Los Alamos preprint archive quant-ph/9802025 version 4, Sept. 15, 1998.
[20] D. Mayers and A. C.-C. Yao, in Proceedings of 39th Annual Symposium on Foundations
of Computer Science, 503 (1998); also available at Los Alamos preprint archive quant-
ph/9809039.
[21] W. K. Wootters and W. Zurek, Nature 299, 802 (1982).

APPENDIX A: PHYSICS BACKGROUND: EINSTEIN-PODOLSKY-ROSEN PAIRS

The fundamental unit of quantum information is called a quantum bit or “qubit”. Physically,
it is often represented by a two-level microscopic system such as an atom or nuclear
spin or a polarized photon. Mathematically, a pure quantum state of a qubit is simply given
by a unit vector in a two-dimensional Hilbert space $H^2$: Let us consider any basis $|0\rangle$ and
$|1\rangle$. A single qubit in a pure state can be in any superposition of the two basis vectors, i.e.,
$a|0\rangle + b|1\rangle$ where $a$ and $b$ are complex coefficients with the normalization $|a|^2 + |b|^2 = 1$.
A pair of qubits is described by a unit vector in the tensor product space $H^4 = H^2 \times H^2$
with the basis states $|00\rangle$, $|01\rangle$, $|10\rangle$ and $|11\rangle$. Consider the state
$|\Psi^-\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$.
The important point to note is that it is impossible to re-write $|\Psi^-\rangle$ into the form of a
direct product $|u\rangle \otimes |v\rangle$. The state $|\Psi^-\rangle$ is called entangled because it is impossible to assign
a definite state to the individual subsystems. $|\Psi^-\rangle$ is called an Einstein-Podolsky-Rosen
(EPR) pair.
It is common to write $a|0\rangle + b|1\rangle$ also as a column vector $\begin{pmatrix} a \\ b \end{pmatrix}$. The non-trivial error
operators (or Pauli matrices) are defined as
$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}$, $\sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}$, and $\sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}$.

APPENDIX B: BELL BASIS

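The basis vectors of the Bell basis are $\Psi^\pm$ and $\Phi^\pm$, where

$$\Psi^\pm = \frac{1}{\sqrt{2}} (|\uparrow\downarrow\rangle \pm |\downarrow\uparrow\rangle) \qquad (B1)$$

and

$$\Phi^\pm = \frac{1}{\sqrt{2}} (|\uparrow\uparrow\rangle \pm |\downarrow\downarrow\rangle). \qquad (B2)$$

With the convention in Ref. [3], Bell basis vectors are represented by two classical bits:

$$\Phi^+ = \tilde{0}\tilde{0}, \quad \Psi^+ = \tilde{0}\tilde{1}, \quad \Phi^- = \tilde{1}\tilde{0}, \quad \Psi^- = \tilde{1}\tilde{1}. \qquad (B3)$$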

Since Bell basis vectors are highly entangled, one should not think of them as direct product
states.
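The following Python sketch is an added example, not code from the paper: it checks that $|\Psi^-\rangle$ of Appendix A is not a direct product, and that each Pauli matrix of Appendix A, applied to the second qubit, permutes the four Bell vectors by XOR-ing one fixed two-bit mask onto the labels of Eq. (B3). The function names, the identification of spin up with 0 and spin down with 1, and the choice to act on the second qubit are assumptions of the example.

```python
import math

S = 1 / math.sqrt(2)
# Amplitudes in the order |00>, |01>, |10>, |11>, taking up = 0 and down = 1
# (an assumption of this example). Keys are the two-bit labels of Eq. (B3).
BELL = {
    "00": [S, 0, 0, S],    # Phi+
    "01": [0, S, S, 0],    # Psi+
    "10": [S, 0, 0, -S],   # Phi-
    "11": [0, S, -S, 0],   # Psi-
}
PAULI = {
    "x": [[0, 1], [1, 0]],
    "y": [[0, -1j], [1j, 0]],
    "z": [[1, 0], [0, -1]],
}

def apply_to_second_qubit(op, state):
    """Return (identity on qubit 1, op on qubit 2) applied to a 4-amplitude state."""
    out = [0j] * 4
    for first in (0, 1):
        for row in (0, 1):
            out[2 * first + row] = sum(
                op[row][col] * state[2 * first + col] for col in (0, 1))
    return out

def bell_label(state, tol=1e-12):
    """Label of the Bell vector that equals `state` up to a global phase."""
    for label, vec in BELL.items():
        overlap = sum(v * s for v, s in zip(vec, state))  # BELL vectors are real
        if abs(abs(overlap) - 1) < tol:
            return label
    raise ValueError("state is not a Bell vector")

def is_product(state, tol=1e-12):
    """A two-qubit pure state factors as |u>|v> iff a00*a11 - a01*a10 == 0."""
    return abs(state[0] * state[3] - state[1] * state[2]) < tol

def label_permutation(name):
    """Map each Bell label to its label after the named Pauli hits qubit 2."""
    return {lab: bell_label(apply_to_second_qubit(PAULI[name], vec))
            for lab, vec in BELL.items()}

def xor_mask(name):
    """Return the single two-bit mask the Pauli XORs onto every label."""
    masks = {int(a, 2) ^ int(b, 2) for a, b in label_permutation(name).items()}
    if len(masks) != 1:
        raise ValueError("not a fixed XOR on the labels")
    return format(masks.pop(), "02b")

if __name__ == "__main__":
    print(is_product(BELL["11"]), {p: xor_mask(p) for p in PAULI})
```

In this labelling $\sigma_x$ flips the second bit, $\sigma_z$ flips the first, and $\sigma_y$ flips both, so a Pauli error never leaves the Bell basis and only relabels it.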

APPENDIX C: TWO-PARTY FAULT-TOLERANT QUANTUM COMPUTATION IN THE PRESENCE OF AN EAVESDROPPER

Here we show that random sampling and random teleportation can be used to prove the
feasibility of a general two-party fault-tolerant quantum computation even in the presence
of eavesdroppers. This may look hard because the usual requirements of fault-tolerant
quantum computation demand that the errors of different signals are independent and that
the error rate for each error to happen is smaller than some threshold value. In contrast, an
eavesdropper can introduce collective noises into the system.
Proposition 6: In the large N limit, the procedure in Proposition 3 can be used to
establish that, with a very high confidence level, the error rates of the transmitted signals
are well below the threshold value required for a general fault-tolerant quantum computation
and that the error rates for different signals are essentially independent.
Proof: Suppose N quantum signals are teleported via N EPR pairs such that each signal
is teleported by a random pair (without replacement, of course) chosen by Alice and Bob.
By Propositions 3 and 5, we can apply classical sampling theory to our current quantum
problem. Now, since the signals are randomly sampled, in the large N limit of classical
sampling theory, they have identical and independent error probabilities. Therefore, by
random sampling and random teleportation, Alice and Bob can establish confidence levels
for the smallness and independence of the error rates of different signals, thus allowing
subsequent fault-tolerant quantum computations.
Remark: The fact that our claim is valid is not that surprising. In classical computation,
it is natural and often implicit to assume that reliable two-party classical computation
(such as authentication) can be performed with imperfect computing components and noisy
classical communication channels controlled by an eavesdropper. It is only natural that the
same assumption can be made for two-party quantum computation.
