A New and Feasible Protocol for Semi-quantum Key Distribution MichelBoyer1,3,MattyKatz2,RotemLiss2,4,andTalMor2,5 1 DépartementIRO,UniversitédeMontréal,Montréal(Québec)H3C3J7,Canada 2 ComputerScienceDepartment,Technion,Haifa3200003,Israel 7 3 [email protected] 1 4 [email protected] 0 5 [email protected] 2 n a J 4 2 ] h p - t n a u q [ 1 v 4 4 0 7 Abstract. QuantumKeyDistribution(QKD)protocolsmakeitpossiblefortwo 0 quantumpartiestogenerateasecretsharedkey.Semi-quantumKeyDistribution 1. (SQKD) protocols, such as “QKD with classical Bob” and “QKD with classi- 0 calAlice”(thathavebothbeenprovenrobust),achievethisgoal evenifoneof 7 thepartiesisclassical.However,thecurrentlyexistingSQKDprotocolsarenot 1 experimentallyfeasiblewiththecurrenttechnology.Herewesuggestanewpro- : tocol (“Classical Alice with a controllable mirror”) that can be experimentally v implementedwiththecurrenttechnology,andproveittoberobust. i X r a 2 MichelBoyer,MattyKatz,RotemLiss,andTalMor 1 Introduction Quantum Key Distribution (QKD) makes it possible for two legitimate parties, Alice andBob,togenerateaninformation-theoreticallysecurekey[1],thatissecureagainst any possible attack allowed by the laws of quantum physics. Alice and Bob use an insecure quantum channel and an authenticated classical channel. The adversary Eve mayinterferewiththequantumchannelandislimitedonlybythelawsofnature;she maynot,however,modifythedatasentintheauthenticatedclassicalchannel(shecan onlylistentoit). Semi-quantum Key Distribution (SQKD) protocols limit one of the parties to be classical,yetgivingasecurekey[4].ThefirstSQKDprotocolwas“QKDwithclassical Bob”[4];later,the“QKDwithclassicalAlice”[22,8]protocolwassuggested,aswell as various other SQKD protocols (see for example [12,19,21]). Most of the SQKD protocolshavebeenproven“robust”:namely[4],anysuccessfulattackbyanadversary necessarilyinducessomenoisethatthelegitimatepartiesmaynotice(seealsotheformal definitioninSect.2.3).Afewofthemhavealsobeenprovensecure[11]. However,tothebestofourknowledge,allthecurrentlyexistingSQKD protocols cannotbeexperimentallyconstructedinasecurewaybyusingthecurrenttechnology, asexplainedinSect.1.3.Inotherwords,despitethefactthatSQKDprotocolsshould have been easier to implement than QKD protocols (because only one party requires quantumabilities),itturnsoutthatsomeofthe“classical”operationsareveryhardto implementinasecureway. WepresentanewSemi-quantumKeyDistributionprotocolthatcanbeexperimen- tally constructedbyusinga “controllablemirror”.Itisbasedon“QKD with classical Alice”[22,8],butitismorecomplicated,becauseitallowsAlicetochooseoneoffour operations(insteadoftwo).Weprovethisprotocoltoberobust. 1.1 QuantumKeyDistributionProtocols QKD protocols achieve the classically-impossible goal of distributing a secret key to two parties (Alice and Bob), in a way that is secure against all the possible attacks. Moreover,the key shared by Alice and Bob remainssecret even if weaknesses in the devices(currentlyunknownto anyone,includingthe adversary)are discoveredin the future:namely,fortheadversaryEvetofindthe key,she mustattackwhenAlice and Bobapplytheprotocol,andnotlater(whileforencryptionmethodssuchasRSA,Eve may keep the ciphertextuntil she is able to find the privatekey, e.g., by factorizinga largenumber). ThefirstQKDprotocolwasBB84[1]: Protocol1 (BB84). The BB84 protocol, operated by the two parties Alice and Bob, consistsofthefollowingsteps: 1. AlicesendstoBobNquantumstates,allofthemrandomlychosenfromthefollowing set: 0 , 1 , + , |0i+|1i, − , |0i−|1i {| i | i | i √2 | i √2 } 2. Bobmeasuresallthereceived states;for eachofthe states, hechoosesrandomly whether to measure it in the computational basis 0 , 1 or in the Hadamard {| i | i} ANewandFeasibleProtocolforSemi-quantumKeyDistribution 3 basis + , − .IfBobmeasuresinthecomputationalbasis,heidentifies 0 and 1 wi{th|ceirt|aini}ty,butgetsarandomresultif + or − issent;theconverse|isitrue | i | i | i fortheHadamardbasis. 3. Now Alice and Bobeach holdsa (classical) bit string: Alice holdsthe list of bits shesent(bit0correspondingtothestates 0 and + ,andbit1correspondingto the states 1 and − ), and Bob holds the| liist of|bitis he measured (with similar | i | i interpretationsasAlice).Inaddition,Aliceknowsthebasissheusedtosendeach state,andBobknowsthebasisheusedtomeasureeachstate. 4. AliceandBobreveal(byusingtheclassicalchannel)theirbasischoices,anddiscard allthestatesthatBobmeasuredinabasisdifferentfromtheonesentbyAlice. 5. Alice and Bob reveal some random subset of their bit string, compare the bits, and estimate the error rate. They abort the protocol if the error rate is above a specified threshold (in BB84, the asymptotic threshold (for infinite key-length) is 11%[17,18]).Theydiscardtherevealedbits. 6. NowAlice andBobkeep onlythestring ofbitsthatwere measuredbyBobinthe samebasistheyweresentbyAlice(andthatwerenotdiscarded).Ifthereisnonoise oreavesdropping,thisbitstringshouldbethesameforAliceandBob. 7. AlicesendstoBoberrorcorrectioninformation,andBobcorrectstheerrorsinhis bitstring,sothatitisthesameasAlice’s. 8. AliceandBobperformaprivacyamplificationprocess,yieldingafinalkeythatis identicalandisfullysecurefromanyeavesdropper. The notion of “(composable)full security” of a protocol(informally)means that, exceptwithanexponentially-smallprobabilitye ,oneofthetwofollowingeventshap- pens:theprotocolisaborted,orthesecretkeygeneratedbytheprotocolisthesameasa perfectkeythatisuniformlydistributed,isthesameforbothparties,andisindependent oftheadversary’sinformation[17,16](seeearlierdefinitionsof“fullsecurity”,thatwere notcomposable,in[14,2,18]). Many QKD protocols have been provenfully (and unconditionally)secure in the theoreticalsense[17,16]. However,practicalimplementationsdeviatefrom the theoreticaldescriptions,and may thus be insecure. Two important attacks that take advantage of this fact are the “PhotonNumberSplitting”attack[10,9]andthe“BrightIllumination”attack[13].The “PhotonNumberSplitting”attacktakesadvantageofthefactthatAlicecannotgenerate onlyone-photonpulses,butsometimesgeneratespulsesoftwo(ormore)photons:Eve can, under certain conditions,getfull informationon the secret key withoutinducing errors. The “Bright Illumination”attack uses a weakness of Bob’s detectors, existing in some practical implementations, to get full information on the secret key without inducingerrors. OtherQKDprotocols,eithersimilartoBB84oronesthatusedifferentapproaches, havealsobeensuggested,andinsomecaseshavealsobeenprovenfullysecure. 1.2 ExistingSemi-quantumKeyDistributionProtocols Thenotionofa “Semi-quantumKeyDistribution”(SQKD)protocol,in whichoneof thepartiesusesonlyclassicaloperations,wasintroducedin[4,5]. 4 MichelBoyer,MattyKatz,RotemLiss,andTalMor ForthepurposeofthedefinitionofSQKDprotocols,theterm“classicaloperations” referstothefollowingoperations[3]: 1. Measuringastateinthecomputationalbasis 0 , 1 . 2. Generatingastateinthecomputationalbasis{| 0i |, 1i} andsendingittotheother {| i | i} party. 3. Reordering quantum states, without measurement. (This operation is not used in this paper, but is useful for randomization-basedprotocols, such as the protocols describedin[5,3].) 4. Movingorreflectingaquantumsystemorsubsystem,withoutchangingit. 5. Choosingarandombit. 6. Alltheregularoperationsontheclassicalchannel,classicalcomputation,etc. Theoperationsare“classical”inthesensethattheyonlytreatthecomputationalbasis 0 , 1 (or do nothing). If both Alice and Bob are classical in that sense, and the {| i | i} only interaction is between them, then the protocol is classical, and thus secure key distributionisimpossible;however,if onepartyis classicalandthe otheris quantum, thekeydistributionprotocolmaybesecure. QuantumKeyDistributionwithClassicalBob. TheSQKDprotocol“QuantumKey DistributionwithclassicalBob”[4]isdefinedasfollows: Definition2 (Classical Operations in “QKD with Classical Bob”). The classical operationsofBobinthe“QKDwithclassicalBob”protocolare: CTRL Return the received state to Alice, without modifying or measuring it. (Here, Bobusestheclassicaloperation4.) SIFT(measure+resend) Measurethereceivedstateinthecomputationalbasis 0 , 1 , prepare a newstate (0 or 1 ) accordingto the measured bit, and send{th|ein|ewi} | i | i statebacktoAlice.(Here,Bobusestheclassicaloperations1+2.) Protocol3 (“QKD with Classical Bob”). The “QKD with classical Bob” protocol (usingatwo-wayquantumchannel),operatedbythetwopartiesAliceandBob(where Bobisclassical,inthesensedefinedabove),consistsofthefollowingsteps: 1. AlicesendstoBobNquantumstates,allofthemrandomlychosenfromthefollowing set: 0 , 1 , + , |0i+|1i, − , |0i−|1i {| i | i | i √2 | i √2 } 2. Foreachofthereceivedstates,Bobrandomlychooses(byusingtheclassicaloper- ation5)oneofthetwoclassicaloperationslistedinDefinition2(CTRLorSIFT). 3. Alicemeasuresallthestatesshereceivesinthesamebasisshesentthem. 4. Now Alice and Bobeach holdsa (classical) bit string: Alice holdsthe list of bits shesent(bit0correspondingtothestates 0 and + ,andbit1correspondingto the states 1 and − ), and Bob holdsthe|liist of b|itsihe measured when he used | i | i SIFT. In addition,Alice knows the basis she used to send each state; Bob knows theoperationheusedforeachstate(SIFTorCTRL);andAliceholdsabitstring representingherfinalmeasurements,thatwillbeusedlaterforcheckingtheerror rate. ANewandFeasibleProtocolforSemi-quantumKeyDistribution 5 5. AliceandBobreveal(byusingtheclassicalchannel)Alice’sbasischoicesandBob’s operationchoices. 6. AlicecheckstheerrorrateintheCTRLbits. 7. Alice and Bob reveal some random subset of the SIFT bits sent by Alice in the computationalbasis, compare them, and estimate the error rate (both in the way fromAlicetoBobandinthewayfromBobbacktoAlice).Theyaborttheprotocolif theerrorrateinthoseSIFTbitsorintheCTRLbitsisaboveaspecifiedthreshold. Theydiscardtherevealedbits. 8. NowAliceandBobkeeponlythestringofSIFTbitsthatweresentbyAliceinthe computationalbasis (and that were not discarded). If there is no noise or eaves- dropping,thisbitstringshouldbethesameforAliceandBob. 9. AlicesendstoBoberrorcorrectioninformation,andBobcorrectstheerrorsinhis bitstring,sothatitisthesameasAlice’s. 10. AliceandBobperformaprivacyamplificationprocess,yieldingafinalkeythatis identicalandisfullysecurefromanyeavesdropper. Thisprotocolwasprovedtoberobustin[4],andwaslaterprovedtobesecure[11]. QuantumKeyDistributionwithClassicalAlice. Anextensionto“QKDwithclassical Bob”,inwhichtheoriginatoralwayssendsthesamestate + , wassuggestedin[22]. | i Following[8],we prefertocalltheoriginatorin[22]Bob(andnotAlice),andtocall theclassicalpartyAlice.Thus,wecalltheSQKDprotocolof[22]“QKDwithclassical Alice”. Definition4 (Classical Operations in “QKD with Classical Alice”). The classical operationsofAliceinthe“QKDwithclassicalAlice”protocolare: CTRL ReturnthereceivedstatetoBob,withoutmodifyingormeasuringit. SIFT(measure+resend) Measurethereceivedstateinthecomputationalbasis 0 , 1 , prepare a newstate (0 or 1 ) accordingto the measured bit, and send{th|ein|ewi} | i | i statebacktoBob. Protocol5 (“QKDwithClassicalAlice”).The“QKDwithclassicalAlice”protocol (usingatwo-wayquantumchannel),operatedbythetwopartiesAliceandBob(where Aliceisclassical,inthesensedefinedabove),consistsofthefollowingsteps: 1. BobsendstoAliceN quantumstates,allequalto + , |0i+|1i. | i √2 2. For each of the received states, Alice randomly chooses one of the two classical operationslistedinDefinition4(CTRLorSIFT). 3. Bobmeasuresallthestateshereceives,choosingrandomlyforeachstatewhetherto measureitinthecomputationalbasis 0 , 1 orintheHadamardbasis + , − . {| i | i} {| i | i} 4. Now Alice and Bobeach holdsa (classical) bit string: Alice holdsthe list of bits she measured when she used SIFT (bit 0 corresponding to the state 0 , and bit 1 corresponding to the state 1 ), and Bob holds the list of bits he m|eaisured. In | i addition,Alice knowsthe operationshe used foreachstate (SIFTorCTRL), and Bobknowsthebasisheusedtomeasureeachstate. 6 MichelBoyer,MattyKatz,RotemLiss,andTalMor 5. AliceandBobreveal(byusingtheclassicalchannel)Alice’soperationchoicesand Bob’sbasischoices. 6. BobcheckstheerrorrateintheCTRLbitsthathemeasuredintheHadamardbasis. 7. AliceandBobrevealsomerandomsubsetoftheSIFTbitsmeasuredbyBobinthe computationalbasis, compare them, and estimate the error rate (in the way from AlicebacktoBob).TheyaborttheprotocoliftheerrorrateinthoseSIFTbitsorin theCTRLbitsisaboveaspecifiedthreshold.Theydiscardtherevealedbits. 8. Now Alice and Bob keep only the string of SIFT bits that were measured by Bob in the computational basis (and that were not discarded). If there is no noise or eavesdropping,thisbitstringshouldbethesameforAliceandBob. 9. AlicesendstoBoberrorcorrectioninformation,andBobcorrectstheerrorsinhis bitstring,sothatitisthesameasAlice’s. 10. AliceandBobperformaprivacyamplificationprocess,yieldingafinalkeythatis identicalandisfullysecurefromanyeavesdropper. Notethatadifferentprotocol(alsonamed“ClassicalAlice”)wassuggestedin[12], independentlyof[22]. As proven in [8], “QKD with classical Alice” [22] is completely robust against eavesdropping.Theproofofrobustnesswasextendedin[7]toincludephotonicimple- mentationsandmulti-photonpulses. 1.3 TheExperimentalInfeasibilityoftheSIFTOperationinSQKDProtocols InmanySQKDprotocols(suchas“QKDwithclassicalBob”and“QKDwithclassical Alice”describedabove),itisassumedthattheclassicalpartycaneitherdonothing(the CTRLoperation)ormeasureinthecomputationalbasis 0 , 1 andthenresend(the {| i | i} SIFT operation).In practical (photonic)implementations, and especially if limited to theexistingtechnology,itisquiteimpossiblefortheclassicalpartytodothat,andthe photongeneratedbyhimorherduringtheSIFToperationwillprobablybeatadifferent timingorfrequency,thusleakinginformationtotheeavesdropper;seecommenton[4] andthereply[20,6]. For example, let us look at the “QKD with classical Alice” protocol, and assume thatthetwoclassicalstates, 0 and 1 ,describetwopulses(intwodistincttime-bins) | i | i onthe same arm,such thatthe photoncan eitherbe inone pulse,in theother,orin a superposition(thatisanon-classicalstate). Giventhatimplementation,itisindeedverydifficultforAlicetoregeneratetheSIFT photonsattherighttiming.Furthermore,in[20]itisshownthatevenifAlicecouldhave the machinery to SIFT with perfect timing, Eve can make use of the fact that Alice does not detect the state with perfect qubit-detectors: Eve can modify the frequency of the photon generated by Bob. Then, if Alice SIFTs, she generates a photon in the originalfrequency,whileifsheperformstheCTRLoperation,thereflectedphotonisin thefrequencymodifiedbyEve.Then,bymeasuringthefrequency,Evecantellwhether AliceusedtheSIFTortheCTRLoperation;ifEvefindsoutthatAliceusedCTRL,she shiftsthefrequencybacktotheoriginalfrequency,whileifshefindsoutthatAliceused SIFT,shecancopythebitsentbyAliceinthecomputationalbasis.This“tagging”attack makesitpossibleforEvetogetfullinformationonthekeywithoutinducingnoise. ANewandFeasibleProtocolforSemi-quantumKeyDistribution 7 1.4 OurContribution WesuggestanewSQKDprotocol,similarto“QKDwithclassicalAlice”,thatisexper- imentallyfeasible:intheoriginalprotocolof“QKDwithclassicalAlice”,Alicecould choose only between two operations (CTRL and SIFT); in our new protocol, Alice may choose between four operations (CTRL, SIFT-1, SIFT-0, and SIFT-ALL), some ofthem(SIFT-1andSIFT-0)correspondingtopossiblereflectionsofpulsesbyusinga controllablemirror,ratherthanreflectingaqubitasawhole(CTRL). Wecandescribethenewprotocolinthetermsofphotonpulsesthatcorrespondto distincttime-bins:thestate 0 correspondstoonephotoninthefirsttime-bin;thestate 1 correspondstoonephot|oniinthesecondtime-bin;andthestates + , |0i+|1i and | i | i √2 − , |0i−|1i correspondtosuperpositionsofpulsesinthetwotime-bins.Therefore, 0 | i √2 | i and 1 canbeseenasclassicalstates,while + and − arestrictlyquantumstates.Inthis | i | i | i case,theCTRLoperationcorrespondstooperatingthemirroronbothpulses(reflecting bothpulsesbacktotheoriginator,Bob);theSIFT-1(SIFT-0)operationcorrespondsto operatingthe mirroronlyonthe 0 (1 )pulse, while measuringthe otherpulse;and | i | i theSIFT-ALLoperationcorrespondstomeasuringallthepulses,withoutreflectingany ofthem. Thisprotocolisexperimentallyfeasibleandissafe againstthe attackdescribedin [20].Moreover,weprovethisprotocoltobecompletelyrobustagainstanattackerEve that is allowed to do anythingallowedby the laws of quantumphysics, includingthe possibility of sending multi-photon pulses (namely, assuming that Eve may use any quantumstateconsistingofthetwomodes(i.e.,twoqubit-states) 0 and 1 ). | i | i 2 Preliminaries 2.1 TheNotationsofQuantumInformation Inquantuminformation,informationisrepresentedbyaquantumstate.Aquantumpure stateisdenotedby y ,andisanormalizedvectorinaHilbertspace.ThequbitHilbert spaceisH =Span| 0i , 1 ,with 0 and 1 beingtwoorthonormalvectors;twoother 2 importantstatesinH{|2iar|ei|}+i, |0|i√+i2|1i an|di|−i, |0i√−2|1i. A quantum mixed state is a probability distribution of several pure states, and is represented by a density matrix: r =(cid:229) p y y , where p is the probability that j j j j j the system is in the pure state y (this de|finiithion|should not be confused with the j | i probabilities of measurement results). For example, if the mixed state of a system is r = 1 0 0 +2 + +,thismeansthatthesystemisinthe 0 statewithprobability 1 1 3| ih | 3| ih | | i 3 andinthe + statewithprobability 2. | i 3 ThemostgeneraloperationsallowedbyquantumphysicsfortheHilbertspaceH are:performinganyunitarytransformationU:H H;addinganancillarystateinside → anotherHilbertspace; measuringa state with respectto some orthonormalbasis; and tracingoutaquantumsystem(namely,ignoringandforgettingaquantumsystem). See[15]formorebackgroundaboutquantuminformation. 8 MichelBoyer,MattyKatz,RotemLiss,andTalMor 2.2 TheFockSpaceNotations TheFockspacenotations,thatserveasanextensionofthequbitstates,areasfollows: theFockbasisvector 0,1 standsforasinglephotoninaqubit-state 0 ,andtheFock basisvector 1,0 stand|sfoirasinglephotoninaqubit-state 1 .Natural|lyi,theHadamard | i | i basisqubit-statesaregivenbythesuperpositionsofthoseFockstates,sothat |0,1i±|1,0i √2 stand fora single photonin a qubit-state ± . The generalstate ofthis photonicqubit canthenbewrittenasa 0,1 +b 1,0 ,w|ithi a 2+ b 2=1. | i | i | | | | Qubitsareembeddedinthe2-modeFockspace F =Span m1,m0 m1 0,m0 0 , (1) {| i| ≥ ≥ } wherem1andm0arenon-negativeintegers.Thestate m1,m0 representsm1indistin- guishablephotonsinthequbit-state 1 andm0 indistin|guishabilephotonsinthequbit- state 0 . | i M|oireformally,thelinearembeddings :H F ofthequbitsintheFockspace 2 isdefinedbys 0 = 0,1 ands 1 = 1,0 ,and→consequently | i | i | i | i H s (H )=Span 0,1 , 1,0 . (2) 2 2 ≃ {| i | i} Inparticular,thestate 0,0 F isusedfordescribingabsenceofphotons(the“vacuum | i∈ state”). 2.3 RobustnessandSecurityofQKDProtocols A QKD (or SQKD) protocol is operated by two legitimate parties, normally called AliceandBob,thattrytogenerateasecretkeysharedbythem.Theadversary(Eve)is computationallyandtechnologicallyunlimitedandcandoanythingallowedbythelaws ofnature. Following[4],therobustnessofQKDandSQKDprotocolsisdefinedasfollows: Definition6 (RobustnessofaQKDProtocol). – AQKDorSQKDprotocoliscompletelyrobustif,assumingthattheparties’proba- bilityoffindinganyerrorinthebitstestedbytheprotocolequalstozero,Evecannot obtainanyinformationontherawkey(namely,onthebitstringheldbyAliceand Bob before the error correction and the privacy amplificationsteps, thatgive the finalkey). – A QKD orSQKD protocolis completelynonrobust if, assumingthatthe parties’ probabilityoffindinganyerrorinthebitstestedbytheprotocolequalstozero,Eve canstillgetfullinformationontherawkey. – AQKDorSQKDprotocolispartlyrobustif,assumingthattheparties’probability offindinganyerrorinthebitstestedbytheprotocolequalstozero,Evecanacquire somelimitedinformationontherawkey. Incontrast,a“security”ofaQKDprotocol(informally)meansthat,exceptwithan exponentially-smallprobabilitye , the protocoleither aborts or generatesa secret key ANewandFeasibleProtocolforSemi-quantumKeyDistribution 9 thatisthesameasaperfectkey:namely,itisuniformlydistributed,isthesameforAlice andBob,andisindependentofEve’sinformation[17,16]. Assaidin[4],a completelynonrobustprotocolisautomaticallyinsecure,because Evemaystealthewholerawkey,whileAliceandBobcannotnoticethatandwillnot aborttheprotocol.However,acompletelyrobustprotocolisnotnecessarilysecure. 3 The “ClassicalAlicewitha ControllableMirror” Protocol 3.1 DescriptionoftheProtocol TheClassicalOperations. Definition7 (ClassicalOperationsin“ClassicalAlicewithaControllableMirror”). The classical operations of Alice in the “Classical Alice with a controllable mirror” protocol,givenherinitialprobestate 0,0 AandastatesentfromBob m1,m0 B(both | i | i representedbyusingtheFockspacenotations),are: I(CTRL) Donothing:(usingtheclassicaloperation4describedinSect.1.2) I 0,0 A m1,m0 B= 0,0 A m1,m0 B (3) | i | i | i | i S1 (SIFT-1) SwaphalfofAlice’sprobewiththe m1 B halfofBob’sstate:(usingthe | i classicaloperations1+4describedinSect.1.2,eachappliedononeofthetwopulses only) S1 0,0 A m1,m0 B= m1,0 A 0,m0 B (4) | i | i | i | i S0 (SIFT-0) SwaphalfofAlice’sprobewiththe m0 B halfofBob’sstate:(usingthe | i classicaloperations1+4describedinSect.1.2,eachappliedononeofthetwopulses only) S0 0,0 A m1,m0 B= 0,m0 A m1,0 B (5) | i | i | i | i S(SIFT-ALL) SwaptheentireprobeofAlicewiththeentirestate m1,m0 B ofBob: | i (usingtheclassicaloperation1describedinSect.1.2) S 0,0 A m1,m0 B= m1,m0 A 0,0 B (6) | i | i | i | i Aftereachofthoseoperations,Alicemeasuresherprobe(theAstate)inthecomputa- tionalbasisandsendstoBobtheBstate. Intheprotocol,Alice’sactionsaredescribedasattachingaprobeinFockspaceF, applyinga swap transformation,and performinga measurementin the computational basis. This description is meant to match the general framework of measurements in quantuminformation,anditcorrespondstotheoperationperformedbyAlice:thisisa gooddescriptionof the usage of a mirror(with 0 and 1 beingtwo photonpulses), | i | i suchthatAlicecandecidewhetherthemirrorreflectsbothpulses(CTRL),justthefirst pulse(SIFT-1),justthesecondpulse(SIFT-0),ornoneofthepulses(SIFT-ALL). 10 MichelBoyer,MattyKatz,RotemLiss,andTalMor ALimitationoftheMeasurementDevices. Inthecurrentreliableimplementationsof QKDthatusethecurrenttechnology,AliceandBobarelimitedinthesensethatthey cannotcountthenumberofphotonsineachqubit-state(e.g.,counthowmanyphotons they detectin the qubit-state 0 and how manyphotonsthey detectin the qubit-state 1 ),butcanonlycheckwhethe|ritheygetanyphotoninthequbit-state 0 ornot,andalso |chieckwhethertheygetanyphotoninthequbit-state 1 ornot.Forou|riprotocol(andits | i robustnessanalysis)to bepractical,we assume thatAlice andBob areindeedlimited inthatsense.Therefore,whenAliceandBobmeasureinthecomputationalbasis,their measurementresultsaredenotedasmˆ1mˆ0,withmˆ0,mˆ1 0,1 .Similarly,whenBob ∈{ } measuresintheHadamardbasis,hismeasurementresultismˆ mˆ ,withmˆ ,mˆ 0,1 . + + − −∈{ } Thislimitationleadstothefollowingdefinition: Definition8 (“Count”ofaMeasurementResult).Letuslookatameasurementresult ofAliceorBob(thatis00,01,10,or11).The“count”ofthismeasurementresultisthe numberofdistinctqubit-statesdetectedduringthemeasurement. TheabovedefinitionsaresummarizedinTable1. Table1.ThefourpossiblemeasurementresultsbyAliceorBob(measuringinthecomputational basis),dependingonthestateobtainedhimorher(thatisrepresentedintheFockspacenotations) ObtainedState MeasurementResult “Count” 0,0 00 0 | i 0,m0 (m0>0) 01 1 | i m1,0 (m1>0) 10 1 | i m1,m0 (m1>0,m0>0) 11 2 | i TheProtocol. Protocol9 (“ClassicalAlicewithaControllableMirror”).The“ClassicalAlicewith a controllable mirror” protocol(using a two-way quantum channel),operated by the twopartiesAliceandBob(whereAliceisclassical,inthesensedefinedinsection1.2), consistsofthefollowingsteps: 1. BobsendstoAliceN quantumstates,allofthemequalto |+iB, |0iB√+2|1iB;or,in theFockspacenotations,tos |+iB= |0,1iB√+2|1,0iB. 2. Foreachofthereceivedstates,Aliceaddsaprobestate 0,0 (sothattheglobal A stateshouldbe 0,0 s + ),andthenrandomlychoose|sonieofthefourclassical A B | i | i operationslistedinDefinition7(CTRL,SIFT-1,SIFT-0,orSIFT-ALL).(SeeTable2 foralistofthestatesthatshouldbeobtainedbyBobafterthisstep.) 3. Bobmeasuresallthestateshereceives,choosingrandomlyforeachstatewhetherto measureitinthecomputationalbasis 0 , 1 orintheHadamardbasis + , − . {| i | i} {| i | i}