Volume 1, Issue 4 e26
ORIGINAL PAPER

Security of quantum secure direct communication based on Wyner's wiretap channel theory

Jiawei Wu

State Key Laboratory of Low-Dimensional Quantum Physics and Department of Physics, Tsinghua University, Beijing, China

Zaisheng Lin (Corresponding Author)

School of Information and Technology, Tsinghua University, Beijing, China

Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing, China

Correspondence: Zaisheng Lin, School of Information and Technology, Tsinghua University, Beijing 100084, China.

Liuguo Yin

School of Information and Technology, Tsinghua University, Beijing, China

Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing, China

Gui-Lu Long

State Key Laboratory of Low-Dimensional Quantum Physics and Department of Physics, Tsinghua University, Beijing, China

Beijing National Research Center for Information Science and Technology, Tsinghua University, Beijing, China

Innovative Center of Quantum Matter, Beijing, China

Beijing Academy of Quantum Information Science, Beijing, China

First published: 29 October 2019
Citations: 95

Summary

Quantum secure direct communication (QSDC) transmits secret messages directly over a quantum channel without the prior distribution of a key. Here, we apply Wyner's wiretap channel theory to analyze the security of QSDC protocols. The ideal protocol is treated as the main channel, and the effect of eavesdropping is treated as the wiretap channel. Entanglement-based QSDC protocols are analyzed in detail at first. We calculated the channel capacity of the wiretap channel, and hence, the secrecy channel capacity of the protocol. The security of single-photon–based QSDC protocols is studied through the equivalence between the entanglement-based protocols and single-photon–based protocols. We present a modified version of the single-photon-based DL04 protocol, which gives a higher secrecy capacity.

1 INTRODUCTION

In traditional cryptography, distributing a secret key is a vulnerable process. Quantum key distribution (QKD)1 can ensure the information-theoretic security of the distributed key based on the principle of quantum mechanics, thus ensuring the security of the message transmitted in the classic channel with one-time-pad encryption. An alternative way is to transmit the message in quantum channels directly. Such an idea has motivated a batch of protocols called quantum secure direct communication (QSDC), including the entanglement-based two-step protocols2, 3 and the single-photon–based DL04 protocol,4 and attracts widespread attention. Multistep QSDC with Greenberger-Horne-Zeilinger state and high-dimension QSDC with superdense coding have been proposed.5, 6 Lum et al explored the use of quantum data locking in QSDC.7 Massa et al proposed a QSDC protocol where the direction of transmission is anonymous.8 Shapiro et al investigated the use of quantum low probability of intercept to realize high rate QSDC.9 Furthermore, the measurement-device-independent protocols for QSDC, which could eliminate security loopholes with imperfect measurement devices, have been proposed.10-12 Device-independent QSDC protocol, which could eliminate all possible security loopholes associated with imperfect devices, has also been proposed quite recently.13

In recent years, there has been remarkable progress in practical realization of QSDC. In 2016, Hu et al completed the first experimental demonstration of DL04 protocol with faint laser, validating the feasibility of QSDC in a noisy environment.14 The two-step protocol was realized over 0.5-km optical fiber, showing the potential of its long-distance transmission.15 Zhang et al demonstrated the application of atomic quantum memory in the entanglement-based protocol.16 However, practical quantum memory is far from available. Sun et al solved the problem by proposing a practical scheme without quantum memory based on classical coding theory.17

In contrast to QKD, whose security has been proven over the last two decades,18-24 the security analysis of QSDC protocols has only recently debuted.25, 26 Qi et al26 analyzed the security of DL04 QSDC protocol using Wyner's wiretap channel theory,27 and set up a practical prototype, which can send secure messages directly at a distance of over 1.5 km with a transmission rate of 50 bps.

Since QSDC transmits secret messages directly over quantum channels, post-processing is not possible. Therefore, the security analysis of QSDC is completely different from that of QKD. Fortunately, there are many powerful tools in information theory that can help to complete this task. Wyner's wiretap channel theory proves that there exist coding schemes that can ensure the secure transmission of the messages if the secrecy capacity is greater than zero. The wiretap channel model includes a main channel from Alice to Bob and a wiretap channel from Alice to Eve, as shown in Figure 1. The model gives a secrecy capacity, which is the maximal secure transmission rate between Alice and Bob.

Figure 1. The framework of the wiretap channel model. The whole quantum part is composed of two channels: the main channel and the wiretap channel. Message M enters the sender's entry after encoding and is restored to urn:x-wiley:que2:media:que226:que226-math-0001 after the receiver's output and decoding.

The whole communication process of the two-step protocol3 includes the quantum part and the classical part. In the quantum part, Alice prepares N Einstein-Podolsky-Rosen (EPR) pairs and sends each half of them to Bob. On receiving the particles, Bob checks the error rates by sampling some of the qubits and measuring them in the σx or σz bases. Alice encodes her classical bit sequence A on the EPR pairs using dense coding and sends the remaining halves to Bob. Bob decodes the EPR pairs to get sequence B, which is the message received by Bob. The whole quantum part can be treated in a wiretap channel model, in which Alice sends some messages to Bob, while an eavesdropper tries to intercept them. In the classical part, the information of eavesdropping checking is transmitted in a public channel where Eve can get all the information. The secrecy capacity, which is the maximal difference between the capacity of the main channel and the wiretap channel, can be calculated using the parameters from eavesdropping checking. This is in sharp contrast to classical communication, where it is almost impossible for legitimate users to acquire the capacity of the wiretap channel. The quantum channel provides a powerful tool to probe eavesdropping and thus gives a tight estimation of the channel capacity.

In the following, we give a proof of the security of two-step QSDC based on the wiretap channel theory and calculate its secrecy capacity. We find that this capacity is slightly smaller than that obtained from the entanglement distillation scheme,18, 19 which is expected because of the complicated quantum processing involved. Wyner's theory is more appealing for practical applications as it does not use the complicated quantum operations as in the quantum distillation process. Moreover, the secrecy capacity of generic single-photon–based QSDC protocols is also obtained through the equivalence between entanglement-based protocols and single-photon–based protocols. Based on the result, we propose some modification on DL04 protocol to increase its secrecy capacity.

This paper is organized as follows. In Section 2, we describe the detailed process of two-step protocol. Then, we estimate the information leakage in the quantum part and give the secrecy capacity of the channel. In Section 3, the security of DL04 protocol is given. By modifying the DL04 protocol, we can get a larger secrecy capacity. In Section 4, we give a concise summary.

2 SECURITY ANALYSIS OF THE TWO-STEP QSDC PROTOCOL

The two-step QSDC works as follows.3
  • (1) Prepare EPR pairs. Alice prepares 2n maximally entangled EPR pairs |ψ−⟩⊗2n, where urn:x-wiley:que2:media:que226:que226-math-0002. Alice sends each half of the EPR pairs to Bob, which is called system B.
  • (2) Eavesdropping checking. Bob randomly chooses n qubits as check bits and measures them in the bases of σz or σx randomly. Then, Bob tells Alice the positions of the qubits and measurement bases he has chosen. Alice does the same measurement and shares her results with Bob. They can obtain quantum bit error rates (QBERs) in the two measured bases, εx and εz. If the QBERs exceed some threshold, which will be given later, the protocol aborts.
  • (3) Dense coding. Alice applies one of the following four unitary operations to her qubits to encode 00, 01, 10, 11, respectively,
    urn:x-wiley:que2:media:que226:que226-math-0003()
    Then, she sends them to Bob.
  • (4) Decode message. On receiving the qubits from Alice, Bob combines the two halves of EPR pairs and measures them with Bell basis to obtain the message.

The degree of eavesdropping can be estimated through the QBER. It is worth noting that classical privacy amplification,28 which is used in QKD, is unsuitable for direct communication because part of intelligible information may be lost. In practical application, forward coding will be implemented.26 However, we will not go into the details here. In this section, we will estimate the lower bound of the secrecy capacity of two-step protocol.

In a general sense, any secret communication protocol can be treated in a wiretap channel model. For a QSDC protocol, the transmission of messages in the quantum channel between Alice and Bob is modeled as a main channel and the eavesdropping and environmental noises are modeled as a wiretap channel. Then, according to Wyner's wiretap channel theory,27, 29, 30 there exists a coding method that allows the secure transmission of information at a rate lower than the secrecy capacity, provided that the secrecy capacity is positive. The secrecy capacity can be calculated as follows:
urn:x-wiley:que2:media:que226:que226-math-0004()
where CM and CW are the capacity of the main channel and the wiretap channel, respectively.

To estimate the wiretap channel capacity, we need to analyze the detailed process of eavesdropping. Our analysis follows the method of Renner et al.21 Firstly, we assume Eve performs a coherent attack. Specifically, Eve attaches her auxiliary system |E⟩ to system B and performs a unitary operation UBE, then she sends system B to Bob. The entire state of system B before the operation is the direct product of independent and identically distributed (i.i.d.) systems, ρB=[(|0⟩⟨0|+|1⟩⟨1|)/2]⊗2n. If a randomized permutation is applied to the qubits, the joint state of B and E, ρBE, can be seen as a direct product of i.i.d. subsystems ρBEsub asymptotically, according to quantum De Finetti theorem.31 In other words, we can construct a state ρBEsub to approximate ρBE: urn:x-wiley:que2:media:que226:que226-math-0005. It is sufficient to consider Eve's operation UBE on every subsystem separately, which is the case of collective attack. For convenience, subscript sub is neglected in the following discussion.

After the operation of Eve, the state of EPR pair becomes
urn:x-wiley:que2:media:que226:que226-math-0006()
To simplify the effect of the attack on the system, we introduce an additional operation in which Alice and Bob both apply the same transformation chosen randomly from {I, σx, σz, σxσz}. Such an operation can eliminate all the nondiagonal elements of ρAB in the Bell basis,22 so that it has the following matrix form in the basis {|ψ−⟩,|ψ+⟩,|ϕ−⟩,|ϕ+⟩}:
urn:x-wiley:que2:media:que226:que226-math-0007()
Consider a purification |ψABE⟩ of state ρAB
urn:x-wiley:que2:media:que226:que226-math-0008()
where |Φi⟩ is the Bell state of system AB and {|Ei⟩} is a set of orthogonal states of Eve's auxiliary system. The parameters λi are constrained by QBER εx and εz: εz=λ3+λ4,εx=λ2+λ4. The state after the dense coding of Alice is Ua|ψABE⟩, where Ua∈{U00,U01,U10,U11}.
Finally, Eve intercepts all the qubits from Alice in the last step and measures them to obtain maximal information about the message, ie, Eve acquires system AE. Tracing out system B from system ABE, we get
urn:x-wiley:que2:media:que226:que226-math-0009()
where P|ψ⟩ is the projection operator of state |ψ⟩ and we have defined
urn:x-wiley:que2:media:que226:que226-math-0010
The encoded states are
urn:x-wiley:que2:media:que226:que226-math-0011
Eve can measure all the subsystems ρAE,a jointly. However, the information acquired on average from one subsystem in a joint measurement cannot exceed that in a single measurement of one subsystem. To explain this, consider the situation when the classical bit string urn:x-wiley:que2:media:que226:que226-math-0012 is encoded in some manner and assume urn:x-wiley:que2:media:que226:que226-math-0013, with a distribution urn:x-wiley:que2:media:que226:que226-math-0014, where ai is a two-bit word. Applying the Holevo bound,32 we get
urn:x-wiley:que2:media:que226:que226-math-0015()
where urn:x-wiley:que2:media:que226:que226-math-0016 is system AE encoded with bit string {ai} and we have assumed each word ai has the same distribution pa. Therefore, it is sufficient to estimate the maximum of I(A:E) by analyzing one subsystem. The upper bound on I(A:E) gives the wiretap channel capacity (see Appendix A for details)
urn:x-wiley:que2:media:que226:que226-math-0017()
The capacity of the main channel CM depends on the bit error rate between classical information A and B. We can reasonably assume that the main channel is a symmetric channel, and then, considering the channel loss, the lower bound of the secrecy capacity is
urn:x-wiley:que2:media:que226:que226-math-0018()
where h4(e) is the quaternary (four-outcome) Shannon entropy, QB and QE are the reception rates of the main channel and the wiretap channel, respectively, and e is the error rate distribution of the main channel. The error distribution e can be obtained through the decoding process.

In addition, the random permutation to reduce coherent attack to collective attack and random local operation to eliminate nondiagonal elements of ρAB can be removed from the protocol. From the perspective of Alice and Bob, any random operation on system AB will introduce an external auxiliary system. Since the details of the operation are transmitted in the public channel, the auxiliary systems can be utilized by Eve and may increase her power. If the operations above are removed, the secrecy capacity above remains a lower bound.

Another method to ensure security is entanglement distillation, which originated from the works of Lo and Chau18 and Shor and Preskill.19 After the distribution of EPR pairs, they do an additional operation of entanglement distillation according to the result of eavesdropping checking. The achievable efficiency of entanglement distillation is 1−h(εx)−h(εz), so the secrecy capacity is Cs=[1−h(εx)−h(εz)][2−h4(e)], where the second factor is the classical capacity between Alice and Bob after entanglement distillation. To make a comparison, we can reasonably assume the qubits of each EPR pair go through the same quantum channel independently without loss. If the quantum channel is modeled as a lossless depolarizing channel urn:x-wiley:que2:media:que226:que226-math-0019, the error rates of σx and σz measurement in eavesdropping checking are p/2. After both qubits of an EPR pair pass the channel, the depolarizing probability is 2p−p².33 The secrecy capacities are plotted in Figure 2. The secrecy capacity of the wiretap channel method has less tolerance for error rate, but it can utilize practical classical coding, while the entanglement distillation method requires a quantum computer.

Figure 2. Comparison of secrecy capacity between different methods. The horizontal coordinate is the error rate of eavesdropping check, corresponding to the parameter p/2 in the depolarizing channel. Note the reception rates QB and QE are set to 1 in order to simplify the result. The capacity of the wiretap channel method is slightly larger than that of the entanglement distillation method at a low error rate but falls to zero rapidly as the error rate increases. The error rate threshold of the wiretap channel method is 0.086 while that of the entanglement distillation method is 0.110.

3 SECURITY OF THE SINGLE-PHOTON QSDC PROTOCOL

Generally speaking, single-photon–based protocols are more practical than entanglement-based protocols. Therefore, we construct a generic single-photon–based QSDC protocol and prove its security through the equivalence between the two kinds of protocols.

Firstly, we need to construct an equivalent two-way entanglement-based protocol. The protocol works as follows: (1) Bob prepares the EPR pairs in state urn:x-wiley:que2:media:que226:que226-math-0020. (2) Bob sends each half of the pairs to Alice and does parameter estimation. (3) Alice applies encoding operation Uk on her halves and sends them to Bob. (4) Bob measures the pairs to decode. It is easy to find the equivalence between this two-way protocol and the original two-step protocol. Additionally, if Alice abandons dense coding and uses two operations, eg, I and σx, to encode the message, Bob simply needs to measure the two qubits separately to decode.

The generic two-way single-photon–based protocol is constructed as follows: (1) Bob prepares each qubit randomly in state urn:x-wiley:que2:media:que226:que226-math-0021 and sends them to Alice, where i∈{0,1} and urn:x-wiley:que2:media:que226:que226-math-0022 forms the basis of operator σj. (2) After Alice receives the qubits, they do parameter estimation by selecting some pairs randomly and measuring some observables such as σx or σz. (3) They sift out the qubits that cannot be effectively encoded by Alice. For example, if Alice is to apply Uk∈{I,σx} to encode, they sift out the qubits in σx basis since the states remain unchanged under σx operation. (4) Alice applies encoding operation Uk and sends them to Bob. (5) Bob measures the qubits in the basis in which they are prepared to decode.

Next, we prove the equivalence between the two protocols above. For the generic two-way single-photon–based protocol, Eve interacts with the qubits sent by Bob and gets the state urn:x-wiley:que2:media:que226:que226-math-0023. After the encoding operation of Alice, Eve intercepts all the qubits and gets the state urn:x-wiley:que2:media:que226:que226-math-0024. For the two-way entanglement-based protocol without dense coding, the state of the whole system after the interaction of Eve and the encoding of Alice is |Φk⟩ABE=UkUAE|ψ⟩|E⟩. Then, Bob measures his qubits in basis σj. If the measurement result is urn:x-wiley:que2:media:que226:que226-math-0025, we can verify urn:x-wiley:que2:media:que226:que226-math-0026, neglecting the normalization factor.

Based on the equivalence, the lower bound of the secrecy capacity of the typical two-way single-photon–based QSDC protocol, ie, the DL04 protocol,4 can be obtained (see Appendix B for details)
urn:x-wiley:que2:media:que226:que226-math-0027()
where e is the bit error rate of the binary main channel. This capacity is the same as the previous result.26 However, a higher capacity can be reached if the eavesdropping checking part is modified. The modified DL04 protocol works as follows: (1) Bob prepares qubits urn:x-wiley:que2:media:que226:que226-math-0028 randomly in basis σx, σy, or σz and sends them to Alice. (2) Bob tells Alice which qubit is prepared in basis σy, then Alice measures those qubits in basis σy to get an error rate εy. (3) Alice applies encoding operation I,σy on the remaining qubits and sends them to Bob. (4) Bob measures the returned qubits in the basis in which he prepares them to decode. The lower bound of the secrecy capacity of this modified DL04 protocol is
urn:x-wiley:que2:media:que226:que226-math-0029()

The performance of DL04 protocol and modified DL04 protocol under lossless depolarizing channel is shown in Figure 3.

Figure 3. Comparison of secrecy capacity between DL04 protocol and modified DL04 protocol under lossless depolarizing channel. The secrecy capacity of modified DL04 protocol is remarkably larger when the error rate is under the threshold. The error rate threshold of DL04 is 0.057 while that of modified DL04 is 0.079.

In a general form, when they check the error rate in σu (u=x,y,z) basis and Alice uses {I,σu} as encoding operation, the secrecy capacity is Cs=QB[1−h(e)]−QEh(εu). Actually, the secrecy capacity is only constrained by the error rate of the corresponding basis of encoding operation.
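The following added example (not code from the paper) evaluates the general single-basis formula Cs=QB[1−h(e)]−QEh(εu) and the entanglement distillation formula Cs=[1−h(εx)−h(εz)][2−h4(e)] under the lossless depolarizing model, and locates the error-rate thresholds by bisection. Assumptions made here: the check error rate is εu=p/2, the main-channel bit error is half of the composed depolarizing probability 2p−p², the Bell-state error distribution used for h4 is (1−3q/4, q/4, q/4, q/4) with q=2p−p², and QB=QE=1; all function names are hypothetical.

```python
from math import log2


def h(x: float) -> float:
    """Binary Shannon entropy in bits, with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1.0 - x) * log2(1.0 - x)


def h4(dist) -> float:
    """Shannon entropy (bits) of a four-outcome error distribution."""
    return -sum(q * log2(q) for q in dist if q > 0.0)


def composed_depolarizing(eps: float) -> float:
    """Depolarizing probability 2p - p^2 after two passes, where eps = p/2."""
    p = 2.0 * eps
    return 2.0 * p - p * p


def single_basis_capacity(eps_u: float, q_b: float = 1.0, q_e: float = 1.0) -> float:
    """Cs = QB[1 - h(e)] - QE h(eps_u) for encoding with {I, sigma_u}.

    Assumption: the main-channel bit error e is half the composed
    depolarizing probability (photon travels Bob -> Alice -> Bob).
    """
    e = composed_depolarizing(eps_u) / 2.0
    return q_b * (1.0 - h(e)) - q_e * h(eps_u)


def distillation_capacity(eps: float) -> float:
    """Cs = [1 - h(eps_x) - h(eps_z)][2 - h4(e)] with eps_x = eps_z = eps.

    Assumption: the pair ends up Bell-diagonal with weights
    (1 - 3q/4, q/4, q/4, q/4), q being the composed depolarizing probability.
    """
    q = composed_depolarizing(eps)
    errors = (1.0 - 0.75 * q, 0.25 * q, 0.25 * q, 0.25 * q)
    return (1.0 - 2.0 * h(eps)) * (2.0 - h4(errors))


def threshold(capacity, lo: float = 1e-9, hi: float = 0.25, iters: int = 60) -> float:
    """Largest check error rate with positive capacity, found by bisection.

    Requires capacity(lo) > 0 > capacity(hi) and a single sign change between.
    """
    if not (capacity(lo) > 0.0 > capacity(hi)):
        raise ValueError("capacity must change sign on [lo, hi]")
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if capacity(mid) > 0.0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    print("eps     single-basis Cs   distillation Cs")
    for eps in (0.00, 0.02, 0.04, 0.06, 0.08, 0.10):
        print(f"{eps:.2f}    {single_basis_capacity(eps):+.4f}"
              f"           {distillation_capacity(eps):+.4f}")
    print(f"single-basis threshold: {threshold(single_basis_capacity):.3f}")
    print(f"distillation threshold: {threshold(distillation_capacity):.3f}")
```

Under these assumptions the single-basis threshold agrees with the value quoted for modified DL04 in Figure 3, and the distillation threshold with the value quoted in Figure 2.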

4 CONCLUSION

We have applied the wiretap channel theory on security analysis of QSDC. The security of two-step protocol against coherent attack is proven with the secrecy capacity
urn:x-wiley:que2:media:que226:que226-math-0030()

Our analysis is completed under the following assumptions. (1) There exist noise and loss in the quantum channel. (2) The entanglement source and measurement device are perfect. (3) The EPR pairs transmitted in a round are infinite. Compared with the method of entanglement distillation, the error rate threshold based on the wiretap channel theory is slightly smaller. This result implies the superiority of quantum coding to some extent since one-way entanglement distillation is equivalent to quantum error correction code.34

Furthermore, we have established the equivalence between entanglement-based QSDC protocols and single-photon–based QSDC protocols, thus obtaining the secrecy capacity of the latter ones. Specifically, we have analyzed and modified the DL04 protocol to get a higher secrecy capacity
urn:x-wiley:que2:media:que226:que226-math-0031()

An in-depth analysis indicates that the eavesdropping capability of Eve can be fully described by the error rate in the basis of the encoding operator or, in other words, the phase error rate. The reason for the high performance of modified DL04 is that it can estimate Eve's eavesdropping capability more accurately.

The application of Wyner's wiretap channel theory to the security of QSDC provides a quantitative analysis of security for transmitting information deterministically. QSDC requires a forward coding scheme, which is different from QKD, where only random numbers are transmitted. Forward coding has been studied in information theory; a typical example was presented in the work of Tyagi and Vardy.30 As QSDC is the direct transmission of a meaningful message rather than random strings, it has potentially wide applications in communication. The analysis presented here is a step toward the practical application of QSDC in realistic conditions.

ACKNOWLEDGEMENTS

This work was supported by China Aerospace Science and Technology Corporation; by the National Basic Research Program of China under grants 2017YFA0303700 and 2015CB921001; by the National Natural Science Foundation of China under grants 61727801, 61871257, and 11774197; and by the Key R&D Program of Guangdong Province under grant 2018B030325002. This work is supported in part by the Beijing Advanced Innovation Center for Future Chip (ICFC).

    APPENDIX A:

    THE DETAILED CALCULATION OF SECRECY CAPACITY OF TWO-STEP PROTOCOL

    Firstly, we calculate the upper bound of mutual information I(A:E). Recall that, in Equation 7, we have the average mutual information on one subsystem between Alice and Eve
    urn:x-wiley:que2:media:que226:que226-math-0032()
    Since pa is the distribution of each word, we can reasonably assume pa=1/4 for all a. Then, the Gram matrix method is used to calculate the entropy of urn:x-wiley:que2:media:que226:que226-math-0033 (refer to the work of Jozsa and Schlienz35 for Gram matrix method). The Gram matrix of urn:x-wiley:que2:media:que226:que226-math-0034 is symmetric
    urn:x-wiley:que2:media:que226:que226-math-0035
    where
    urn:x-wiley:que2:media:que226:que226-math-0036
    urn:x-wiley:que2:media:que226:que226-math-0037
    If we define
    urn:x-wiley:que2:media:que226:que226-math-0038
    the eigenvalues of Gram matrix G are
    urn:x-wiley:que2:media:que226:que226-math-0039
    Then, we have
    urn:x-wiley:que2:media:que226:que226-math-0040
    noting that εz=λ3+λ4,εx=λ2+λ4. This entropy reaches its maximum when C=AB.
    Similarly, we get the entropy of ρAE,a, ie, S(ρAE,a)=1 for all a. The upper bound on the mutual information between Alice and Eve is
    urn:x-wiley:que2:media:que226:que226-math-0041()
    The capacity of wiretap channel satisfies
    urn:x-wiley:que2:media:que226:que226-math-0042
    If we assume the main channel is a quaternary symmetric channel, the capacity of the main channel is
    urn:x-wiley:que2:media:que226:que226-math-0043()
    where e is the error rate distribution of the main channel. The lower bound of the secrecy capacity of two-step protocol is
    urn:x-wiley:que2:media:que226:que226-math-0044
    Considering the channel loss, it becomes
    urn:x-wiley:que2:media:que226:que226-math-0045()

    APPENDIX B:

    THE DETAILED CALCULATION OF THE SECRECY CAPACITY OF DL04 PROTOCOL AND MODIFIED DL04 PROTOCOL

    In the entanglement version of modified DL04 protocol, there are two encoded states
    urn:x-wiley:que2:media:que226:que226-math-0046
    Similarly, the Gram matrix method is used to calculate the entropy of urn:x-wiley:que2:media:que226:que226-math-0047, where pa=1/2 for all a. The Gram matrix is
    urn:x-wiley:que2:media:que226:que226-math-0048
    Noticing that λ1−λ2−λ3+λ4=1−2εy, the eigenvalues of the Gram matrix are
    urn:x-wiley:que2:media:que226:que226-math-0049
    It is easy to get the entropy urn:x-wiley:que2:media:que226:que226-math-0050. Then, we have the mutual information
    urn:x-wiley:que2:media:que226:que226-math-0051
    and secrecy capacity of modified DL04 protocol
    urn:x-wiley:que2:media:que226:que226-math-0052()
    where 1−h(e) is the main channel capacity.
    For DL04 protocol, the only difference is that the parameters acquired in the eavesdropping checking process are εx and εz instead of εy. Hence, we need to estimate the upper bound of εy through εx and εz. According to the constraint
    urn:x-wiley:que2:media:que226:que226-math-0053()
    the worst situation is λ4=0, then we have urn:x-wiley:que2:media:que226:que226-math-0054. The secrecy capacity of DL04 protocol is obtained by substituting this result into Equation B1
    urn:x-wiley:que2:media:que226:que226-math-0055()
