- freely available
- re-usable

*Entropy*
**2015**,
*17*(5),
2723-2740;
doi:10.3390/e17052723

^{1}

^{2}

^{3}

^{*}

## Abstract

**:**Quantum cryptographic protocols solve the longstanding problem of distributing a shared secret string to two distant users by typically making use of one-way quantum channel. However, alternative protocols exploiting two-way quantum channel have been proposed for the same goal and with potential advantages. Here, we overview a security proof for two-way quantum key distribution protocols, against the most general eavesdropping attack, that utilize an entropic uncertainty relation. Then, by resorting to the “smooth” version of involved entropies, we extend such a proof to the case of finite key size. The results will be compared to those available for one-way protocols showing some advantages.

## 1. Introduction

Two-way quantum key distribution (QKD) schemes have evolved from a theoretic framework in the context of deterministic schemes to experimental realizations for QKD purposes [1]. The protocol is described by a qubit being sent from one party, say, Bob, to another, Alice, for her encoding before being sent back to him for a measurement to ascertain Alice’s encoding. Standing in stark contrast to BB84 like prepare and measure schemes where information encoding is simply in the choice of states and bases of qubits to be sent from the encoding party to the receiver [2], the case for two-way QKDs is really in the choice of unitary transformations by an encoding party that would act on the qubits traveling to and fro between the legitimate parties. This naturally makes use of the quantum channel twice. Another peculiarity of the above-mentioned two-way protocols would be how its security is to be ensured. The protocols’ runs are divided into two modes, namely the encoding mode (EM) where message encoded by Alice is followed by measurements by Bob for decoding purposes and the control mode (CM) where Alice would make projective measurements in randomly selected bases such that when the bases coincide with Bob’s then errors can be ascertained. The distribution of the EM and CM would be determined by a factor c, with 0 < c < 1, i.e., the probability of Alice randomly choosing an EM. While messages (bits of raw key) are transmitted via the EM, CM has the critical role of estimating the amount of errors in the channels to ascertain Eve’s information gain.

However, despite its early introduction in 2002 [3], and varying versions that followed, it was only about a decade later that a proper proof for one specific two-way protocol was found for unconditional security in [4] and a proof for a purified version was reported in [5]. In [4], the proof was done for the specific case of non-entangled qubits in one of four states coming from two mutually unbiased bases (this protocol has been referred to as LM05 [6] and we shall refer to it as such hereafter). In [5], a purification of two two-way QKD protocol, namely the Super Dense Coding scheme (SDC) and LM05 was done in order to provide a security proof.

Unconditional security proofs provide for an information theoretic security picture of QKD. However, a very important fact that sets constraints within the operational context would be the issue of how such proofs are based on asymptotic analysis that holds true only for infinitely long keys; the concern regarding the security nature of realistic keys, which are finitely long, becomes evident. This has spurred a number of studies including [7–9].

The central feature of this work is a review of the security analysis done based on protocol purifications in [5] and a natural generalization to the the case for finite sized keys. We begin with a quick description of two most relevant two-way QKD protocols followed by their purifications. After a brief on smooth entropies and its application to deriving finite key rates, we provide finite secure key rates in terms of efficiency for both protocols. These will then be compared to an asymmetrical BB84; essentially a BB84 protocol with one basis preferred over another mainly for a more efficient scenario compared to a standard BB84 where choices of bases are equiprobable [8,10].

## 2. Two-Way Protocols

The SDC protocol in some sense is closer to the earlier instances of two-way protocols, namely the Ping-Pong [3] and more specifically its improved version [11] which provides for a higher protocol capacity in terms of the number of classical bits encoded in each EM run. It is however more resource demanding as it requires the use of a quantum memory on Bob’s side. Our description of SDC here follows closely that of [5]. Very simply, the SDC protocol sees Bob sending half a Bell pair to Alice (while storing the other half in a quantum memory) for her to encode by virtue of a randomly chosen unitary transformation from the set containing the identity operator and the three Pauli operators, {I, σ_{x}, σ_{y}, σ_{z}}. She would subsequently submit the qubit back to Bob for measurements. Alternatively, she could measure the received qubit in the Z basis and prepare another in the X basis to be sent to Bob. The former process, done with probability c ≈ 1, corresponds to her actions in EM, while the latter, done with probability 1 − c, corresponds to CM. Despite the use of 4 unitaries imply a larger alphabet used, particularly elements of ℤ_{4} 0, 1, 2, 3 mapped to I, σ_{x}, σ_{y}, σ_{z} respectively as opposed to bits for encoding, Alice could in fact assign logical bits (in pairs) 00, 10, 11 and 01 to the unitaries. However the mapping
$f:\mathbb{Z}\to {\mathbb{Z}}_{2}^{2}$ to bits should be done only at the end of the protocol to avoid any possibility of Eve capitalizing on the correlation of bits given any pair [12].

Bob, on the other hand would, with a probability c make a Bell measurement and with probability 1−c measure his stored and received qubit in the Z and X basis respectively. A protocol run which sees Bell measurements by Bob coinciding with Alice’s unitary transformations would allow Bob to distinguish between Alice’s unitaries perfectly (given that the Pauli matrices would shift between orthogonal Bell states). Assigning logical symbols 0, 1, 2 and 3 to the Bell states |ψ^{+}〉, |ψ^{−}〉, |ϕ^{+}〉 and |ϕ^{−}〉 respectively, these instances referred to as EM provide for sharing of a raw key between Alice and Bob. Again, it is possible for Bob to use bits instead when Alice submits the mapping information to Bob at the end of the protocol runs. The instances when Alice’s and Bob’s measurements in the Z and X bases coincides would allow for a meaningful CM. Hence a successful EM happens only with probability c^{2} and CM happens with probability (1 − c)^{2}. A schematic diagram for SDC is illustrated in Figure 1 below.

The case for a two-way QKD without using entanglement, namely the LM05, sees a qubit prepared by Bob in a particular bases randomly chosen from either the X or Z with probabilities p_{X} and p_{Z} respectively to be sent to Alice for her encoding. In the original LM05 protocol, apart from p_{X} = p_{Z}, only two unitary transformations were considered, namely the passive I and iσ_{y}. In [5], a generalization was made to include another two unitary transformation, namely the σ_{x} and σ_{z}, and the possibility of having different probabilities p_{X} and p_{Z}. In this protocol, upon executing her unitary transformation, Alice would resubmit the qubit to Bob who would measure in the same basis he prepared in. Defining the eigenstates of σ_{z} and σ_{x} as |z±〉 and |x±〉 respectively, bit values 0 may be assigned to the states |z+〉 or |x+〉 and 1 to the states |z−〉 or |x−〉. Bob then adds (modulo 2) the bit value corresponding to his prepared state (prior sending to Alice) to the bit value corresponding to his measurement result of the state (after Alice’s encoding). We will mention shortly what Alice needs to do in order to share bit-wise information with Bob. This run of the protocol corresponds to an EM.

With the probability 1 − c, Alice would make measurements of the qubit she receives instead in either the Z or X bases for CM purposes. A schematic diagram for LM05 is shown in Figure 2 below.

Apart from the use of non entangled qubits by Bob, another obvious difference with the SDC is in the possible options in the post processing feature of the protocols. In SDC, post processing only includes Alice’s and Bob’s discussion to ascertain which signals were to be used for EM and CM purposes apart from error estimations, error corrections and privacy amplifications. In the LM05 on the other hand, Alice and Bob have the option to commit to either direct reconciliation (DR) or reverse reconciliation (RR) which would determine the type of information to be disclosed over an authenticated public channel. In the case of RR, Bob should disclose the bases he prepared and measured qubits in. Using the same assignment of logical bit pairs to unitary transformations as in SDC, Alice would keep only the first bit of the pair when Bob uses Z and the second when Bob uses X. On the other hand, if a RR is considered, then Alice would reveal from which of the two sets, S_{0} = {I, iσ_{y}} and S_{1} = {σ_{x}, σ_{z}} was the transformation she had used and only the first bit of the bit pair for each transformation is used. This revelation is necessary given Bob’s measurement in the X basis would give him an erroneous bit when Alice uses S_{1}. In these cases, Bob would need to flip his bit.

#### 2.1. Purifications of Two-Way Protocols

The approach to the security proof presented in [5] is based on the notion of purification of protocols where the protocols can be described by the measurements made by Alice and Bob on a system provided to them by Eve [13]. Writing the measurements of Alice and Bob as Probability Operator Value Measure (POVM) maps ${M}_{A}^{\mathrm{EM}}$ and ${M}_{B}^{\mathrm{EM}}$ respectively in EM (or ${M}_{A}^{\mathrm{CM}}$ and ${M}_{B}^{\mathrm{CM}}$ in CM), the state after the measurements is given by

_{ABE}is a state in the Hilbert space $\mathscr{H}$

_{A}⨂ $\mathscr{H}$

_{B}⨂ $\mathscr{H}$

_{E}(Alice’s, Bob’s and Eve’s respectively) and $\mathscr{H}$

_{A}and $\mathscr{H}$

_{B}are Hilbert spaces for two qubit systems each. Alice’s measurement ${M}_{A}^{\mathrm{EM}}$, in EM which acts on a two qubit system must be in such a way that it is equivalent to her encoding operation in the protocols. If we recall how in both protocols, Alice receives a state from Bob and resends after a unitary encoding on the state, ${M}_{A}^{\mathrm{EM}}$ can be understood as a (POVM) acting on the received state with half of some entangled state so as the other half of the entangled state (after the measurement ${M}_{A}^{\mathrm{EM}}$) is the same as the output from Alice’s encoding to be sent to Bob [14]. Thus we can imagine ρ

_{ABE}as that pure state which distributes a pair of qubits to Alice and Bob each. Alice’s measurement on the two received qubits, tr

_{BE}(ρ

_{ABE}) would ensure that Bob’s measurement, ${M}_{B}^{\mathrm{EM}}$ on his received pair, tr

_{AE}(ρ

_{ABE}) is equivalent to Alice making a unitary transformation on Bob’s prepared qubit for his subsequent decoding measurement. With regards to Bob’s measurements, ${M}_{B}^{\mathrm{EM}}$, it is instructive to note that in SDC, ${M}_{B}^{\mathrm{EM}}$ is really the Bell measurement for decoding purposes while in LM05, Bob’s measurement on the first half of tr

_{AE}(ρ

_{ABE}) effectively prepares the qubit state sent to Alice (in the forward path) while his other measurement is on the other half of tr

_{AE}(ρ

_{ABE}). The measurements ${M}_{A}^{\mathrm{CM}}$ and ${M}_{B}^{\mathrm{CM}}$ would then correspond to relevant local measurements of each qubit in the qubit pairs in CM (detailed in the ensuing section). Given these, the main ingredient in the security proof for the purified protocols is based on bounding Eve’s information gain given Bob-Alice’s using an uncertainty relation which measures the overlap of Bob’s (Alice’s) measurements, i.e., ${M}_{B}^{\mathrm{EM}}$, ${M}_{B}^{\mathrm{CM}}$ ( ${M}_{A}^{\mathrm{EM}}$, ${M}_{A}^{\mathrm{CM}}$) in a reverse (direct) reconciliation scenario.

#### 2.2. Measurements and Entropic Uncertainty Relations

Entropic uncertainty relations are used in some security proofs of particular QKD protocols given its power to describe bounds of uncertainty parties may share of a certain quantum system, say B. In its simplest description, it is simply Heisenberg’s uncertainty principle in an entropic form first proven by [15]. It was later generalized [16–18] to include correlation of the system to be measured with disjoint (possibly quantum) systems A and E given by

Equation (2) together with the Devatak-Winter security bound [19] is employed in [5] to provide a security proof for the purified SDC and LM05 protocols. In order to make use of such an entropic relation, [5] necessarily describes the term
$\mathcal{C}$ as the (effective) overlap between Bob’s measurements in a RR picture. Given the assumptions in [5], Bob’s measurements in the purified SDC protocol are either the Bell measurements or a measurement that can be described as σ_{z} ⨂ σ_{x} where the overlap between the POVM elements as defined in Equation (3) is 1/4. This maximal overlap is achieved when considering the overlap between the POVM elements in EM and that of in CM. If we let the measurements by Alice and Bob to result in the strings
${S}_{A}^{\mathrm{EM}}$ and
${S}_{B}^{\mathrm{EM}}$ respectively from EM and
${S}_{A}^{\mathrm{CM}}$ and
${S}_{B}^{\mathrm{CM}}$ respectively from CM, and Eve’s system as E we can bound Eve’s information based on Equation (2) as

The key rate of the SDC, R_{SDC}, is given by the Devetak-Winter rate [19]

With
$H({S}_{B}^{\mathrm{CM}}|{S}_{A}^{\mathrm{CM}})$ upper bounded by
${h}_{4}({\overline{q}}_{\mathrm{CM}})$,
$H({S}_{B}^{\mathrm{EM}}|{S}_{A}^{\mathrm{EM}})$ by
${h}_{4}({\overline{q}}_{\mathrm{EM}})$ where h_{4} is the 4-ary Shannon entropy and
${\overline{q}}_{\mathrm{CM}}$ and
${\overline{q}}_{\mathrm{EM}}$ are errors in Alice’s and Bob’s strings in CM and EM respectively, applying the bound of Equation (4) we arrive at

It is instructive to note that the errors ${\overline{q}}_{\mathrm{CM}}$ and ${\overline{q}}_{\mathrm{EM}}$ affects a two-bit message transmission resulting from a use of two noisy channels and thus comes as a triple; namely error exclusively in either one channel, say ${q}_{1}^{a}$ and ${q}_{2}^{a}$ as well as errors in both channels, ${q}_{3}^{a}$ for a = CM, EM. Hence,

It is certainly possible to consider the entropic bounds dictated by the overlap of Alice’s measurements instead of Bob’s as shown above. The key rate would remain the same nonetheless.

A similar line of argument can be applied to the LM05 protocol; though the measurements made for decoding purposes by Bob would be
$\mathcal{Z}={\sigma}_{z}\u2a02{\sigma}_{z}$ or
$\mathcal{X}={\sigma}_{x}\u2a02{\sigma}_{x}$ followed by an XOR of the measurements’ results to reveal the encoding done by Alice in the EM. Another set of measurements, which would be useful for the CM would be
${\mathcal{Z}}_{\mathcal{C}}={\sigma}_{z}\u2a02I$ or
${\mathcal{X}}_{\mathcal{C}}={\sigma}_{x}\u2a02I$ where the maximal overlap between the POVM elements for measurements made in EM and that in CM is 1/2. Using the relevant entropic bounds (similar to SDC though the overlap is now 1/2 instead of 1/4), the key rate for LM05, R_{LM}_{05} can be easily shown to be

_{2}is the binary Shannon entropy and q

_{CM}and q

_{EM}are the errors in the CM and EM respectively.

The above key rates are derived from inequalities based on terms that are meaningful only within the infinitely long key limits and is thus unsatisfactory from an operational and practical perspective. In the following subsection, we shall review briefly the notion of smooth entropies and relevant entropic bounds that we shall use to derive a finite key rate for SDC and LM05.

#### 2.3. Smooth Entropies and Finite Keys

The smooth entropy is defined based on the conditional entropy. More rigorously, following the definition given in [20] for a bipartite state ρ_{BE} on B and E, the entropy of B given E is defined as

_{E}in E and I

_{B}is the identity on B. The ϵ-smooth min-entropy for ϵ ≥ 0 is then defined as

_{BE}not exceeding ϵ. The smooth max-entropy is defined as the dual of the smooth min-entropy with regards to any purification of ρ

_{BE}.

For the tripartite state ρ_{ABE} and POVMs
$\mathbb{X}$ and ℤ respectively on B (resulting in bit strings X and Z), from [20], the smooth min-entropy of X conditioned on E,
${H}_{min}^{\u03f5}(X|E)$, gives the number of bits contained in X that are ϵ-close [22] to a uniform distribution and independent of E. The smooth max-entropy of Z conditioned on A,
${H}_{max}^{\u03f5}(Z|A)$, gives the number of bits needed to reconstruct Z from A up to a probability of failure ϵ and the generalized uncertainty relation involving smooth entropies is given as [20]

In identifying the measurements and results in both the SDC and LM05 with Equation (11), similar to the above, ${H}_{min}^{\u03f5}(X|E)$ will be identified with Eve’s correlation with Bob’s string (in EM) while ${H}_{max}^{\u03f5}(Z|A)$ is to be identified with Alice’s and Bob’s in CM. There are two points worth mentioning with regards to the measurements made in CM. The first is in particular reference to LM05’s measurements ${\mathcal{Z}}_{\mathcal{C}}$ and ${\mathcal{X}}_{\mathcal{C}}$ where a passive operation is noted on the second qubit (received in the backward path). This does not necessarily require Bob to not measure the qubit in the backward path; rather he could just ignore the measurement made and consider only the result of his first measurement [23]. In other words, in the cases Alice note a particular round of the protocol is a CM, Bob would ignore the result of his measurement on the second qubit. If it was the EM, then both the measurement results would be XOR-ed for decoding purposes.

The second point is that as the σ_{z} ⨂ σ_{x} in SDC and
${\mathcal{Z}}_{\mathcal{C}}$ and
${\mathcal{X}}_{\mathcal{C}}$ in LM05 happens only in CM, one can see the protocol as analogous to the asymmetrical prepare and measure protocol of BB84 where the measurements in EM is seen as measurements in the preferred basis in the asymmetrical BB84. In the case for the latter, in [9], where measurements are made in the X and Z, a gedankenexperiment was considered where all measurements were done in the Z basis to establish an uncertainty relation. Following [9], in the case for the LM05, we can use the bits derived in the CM to provide for an estimation of the errors in the application of the uncertainty relation using a similar gedankenexperiment where all rounds are CM; and since Bob can choose to measure for EM, security follows from the notion that the better Alice could estimate Bob’s bits in CM, the worse would Eve’s estimation of Bob’s bits in EM.

## 3. Efficiency and Secure Key Rates

In what follows, we shall assume implementations of the two-way protocols using depolarizing channels. The depolarizing channel, $\mathcal{D}$ is described by the parameter q, such that 0 ≤ q ≤ 1, which affects a quantum state, ρ independent of the basis as such

For two-way protocols, the use of depolarizing channels can be categorized as either independent or correlated channels. Such a correlation can be understood in terms of the errors estimated in the forward and backward paths in CM against errors in EM. Given bit wise errors e_{1} and e_{2} in the forward and backward paths respectively, we say the channels are independent provided the errors in EM is given by e_{m} = e_{1}(1 − e_{2}) + e_{2}(1 − e_{1}). Otherwise they are correlated [24]. While the case for independent channels are unique by definition, the cases for correlated channels can be infinitely many. However, we shall only consider, as in [5] correlated channels where e_{1} = e_{2} = e_{m}.

To ascertain a finite key rate for the two-way protocols given such implementation, we need to determine the distribution of finite number of bits between the EM and the CM. Choices of the value of c for both protocols would determine this and ultimately how much of a key rate one can have. Hence, in order to determine the optimal value for c, assuming one has a value of k for bits in CM and n in EM (more precisely the cases where Alice’s encoding measurements coincide with Bob’s decoding measurements), the total number qubits, M(n, k) sent [25] before n bits are derived from EM and k for CM estimation can be made is given by probability value $c={(\sqrt{1+k/n})}^{-1}$. This is immediately derived from modelling the protocol based on [9].

Subsequently, the already mentioned gedankenexperiment will provide for an uncertainty relation of Equation (11) and the smooth-max entropy term for an n-bit string, Z given C,
${H}_{max}^{\u03f5}(Z|C)$ would be upper bounded by nh_{2}(Q + μ(n, k)) where

_{S}> 0 is a security parameter as defined in [9].

Strings shared between Alice and Bob in the EM, which one party’s may be characterized as having errors e relative to the other need be subjected to an error correction procedure. This can conventionally be understood as the amount of pre shared secret bits invested in the communications for error correction purposes [26].

The Leftover Hashing Lemma [27] then provides for the length of the secret key as

The efficiency of the protocol, ε can be defined based on the amount of resources in terms of number of qubits required,

It should be noted that for SDC, a factor of 2 should be further multiplied to the denominator reflecting the use of entangled pairs. As in [9], we do not include any classical bits necessary in the protocol unlike [28].

#### 3.1. Finite Key Analysis for SDC

We let a total of 2M(n, k) pairs of qubits travel to and fro between Bob and Alice with the latter committing to encoding with probability c. Thus one gets n amount of quaternary digits from the EM. Following earlier notation, the n quaternary strings of Alice and Bob are ${S}_{A}^{\mathrm{EM}}$ and ${S}_{B}^{\mathrm{EM}}$ respectively while the k quaternary strings derived from the CM are ${S}_{A}^{\mathrm{CM}}$ and ${S}_{B}^{\mathrm{CM}}$ respectively. Considering a gedankenexperiment where all runs are CM lets us bound Eve’s information on the n quaternary string using Equation (11) as

The term ${H}_{min}^{\u03f5}({S}_{B}^{\mathrm{EM}}|E)$ is the smooth min-entropy of ${S}_{B}^{\mathrm{EM}}$ conditioned on E. It reflects Eve’s correlation with Bob’s string in the EM giving the number of bits contained in ${S}_{B}^{\mathrm{EM}}$ that are ϵ-close to a uniform distribution and independent of E. In ascertaining the term ${H}_{max}^{\u03f5}({S}_{B}^{\mathrm{CM}}|{S}_{A}^{\mathrm{CM}})$ reflecting the correlation between Bob’s and Alice’s strings, the case for two way channels with depolarization q each allows us to consider bit error rate in qubit measurements as q/2 for each channel instead of a channel transmitting quaternary digits instead. Thus in this case,

^{2}/4). The number of bits required to reconstruct ${S}_{B}^{\mathrm{CM}}$ from ${S}_{A}^{\mathrm{CM}}$ (as two n bit length strings) up to a probability of failure ϵ,

#### 3.2. Finite Key Analysis for LM05

In this work, we will consider the LM05 protocol with Bob’s choice for qubit preparation and measurement in the Z bases is preferred (p_{Z} > p_{X}) and Alice either encodes with anyone of her transformations with probability c/4 or make measurements in the X bases only with probability 1 − c. Furthermore, the deliberations ensue would be focused on the RR scenario. Alice’s and Bob’s choice of measuring 2M(n; k) qubit pairs in the basis X with probability 1 − c results in
${n}_{e}=n+\sqrt{nk}$ number of bits derived from EM and k for CM. Hence
$\sqrt{nk}$ pairs would be wasted due to bases mismatch when Alice measures in X while Bob chooses Z (notice that
$2\sqrt{nk}$ qubits are wasted in [9] for similar reasons).

Let us write the string Bob has in the EM and CM as ${s}_{B}^{\mathrm{EM}}$ and ${s}_{B}^{\mathrm{CM}}$ respectively as well as Alice’s as ${s}_{A}^{\mathrm{EM}}$ and ${s}_{A}^{\mathrm{CM}}$ A respectively. As described above, let us consider a gedankenexperiment where all qubits are measured using X basis (for CM), we can therefore write an uncertainty relation from Equation (11) to bound Eve’s information as

Similar to earlier discussions, the first term in the left hand side of the above equation is the smooth min-entropy reflecting the number of bits contained in Bob’s string, ${s}_{B}^{\mathrm{EM}}$ that are ϵ-close to a uniform distribution and independent of Eve. The second term ${H}_{max}^{\u03f5}({s}_{B}^{\mathrm{CM}}|{s}_{A}^{\mathrm{CM}})$ reflects the correlation between Bob’s and Alice’s strings and gives the number of bits needed to reconstruct ${s}_{B}^{\mathrm{CM}}$ from ${s}_{A}^{\mathrm{CM}}$ up to a probability of failure ϵ,

With Q_{f} as the error rate in EM, noting
${H}_{max}^{\u03f5}({s}_{B}^{\mathrm{EM}}|{s}_{A}^{\mathrm{EM}})\le {n}_{e}{h}_{2}({Q}_{f})$ and following Equations (14), (20) and (21), the key length after error correction and privacy amplification is given by

## 4. Numerical Results and Comparisons

In making use of the key rate formulae of Equations (19) and (22) above, we need to first assume a value for the security parameter ϵ_{S}, for which we set as 10^{−10}. Then, for a given value for errors in the CM (errors in EM is then immediately defined), setting the number for M(n, k), we determine the value k which achieves the maximal value for secure key length. As M(n, k) approaches infinite for n → ∞, following [9] we could let
$k<\mathcal{K}\sqrt{n}$ for some fixed
$\mathcal{K}$, so that

It is worth noting that the ‘additional’ term $\sqrt{nk}$ for amount of bits that can be derived from EM in LM05 becomes negligible in the infinite key regime and ${\mathrm{lim}}_{n\to \infty}\sqrt{nk}/M(n,k)=0$. Furthermore, for this condition, it would be only the final term (related to error correction) that would determine how one protocol outperforms another.

#### 4.1. Independent Channels

In Figures 1 and 2, we present the results for implementations of the SDC and LM05 for independent channels compared to the asymmetrical BB84 in terms of protocol efficiency against errors. In this case, the error rates for SDC and LM05 in EM are given by 2q/2(1 − q/2) and (2q − q^{2})/4 respectively [5].

We can observe that there are particular regions where LM05 outperforms both SDC and BB84. Generally, this can be understood when considering the competing terms of the extra
$\sqrt{nk}$ contributing to LM05’s raw key versus the amount of bits to be discarded due to error correction. For LM05, this is given by h_{2}[2q/2(1 − q/2)], SDC’s h_{4}[(2q − q^{2})/4]/2 while for BB84, it is simply h_{2}(q/2) where

^{4}. In the same figure we see instances when the errors are big enough and outweighs the contribution from $\sqrt{nk}$, LM05 performs poorly compared to BB84. The error correction term for SDC is only very slightly better than that of LM05 in the infinite key regime, explaining why it still does not exceed LM05’s $\sqrt{nk}$ advantage in the finite key scenario here. Thus LM05 exceeds BB84 up to an error rate of about 2.7%. However, in Figure 4 where the number of qubits used, M(n, k) = 10

^{7}, LM05 exceeds BB84 only up to about 1% and SDC’s up to 3.8%. The plot of the protocols’ efficiency against M(n, k) for the error of 0.01 in Figure 5 exhibits the convergence of the efficiencies as the number of qubits used increases up to 10

^{7}. These results clearly emphasizes LM05’s determinism over the asymmetric BB84’s. It is worth recalling the fact that while LM05 claims deterministic status in terms of the absence for bases mismatch in EM, BB84 only approximates this (in the infinite key regime). Figure 6 exhibits the case for the three protocols in the infinite key regime.

## 5. Conclusions

Protocols making use of bidirectional quantum channels like the ones described in this work have the interesting feature of encodings being embedded in a unitary transformation as opposed to the preparation of a quantum state as well as the added advantage of how a decoding procedure should not see wastage due to bases mismatch unlike the conventional BB84. By conventional we refer to the BB84 in its original form where the choice of bases is equiprobable, resulting in only half of qubits transmitted could be used as a raw key. While asymmetric BB84 is proposed as a remedy and is expected to not perform any less than the two “deterministic” protocols in the infinite key regime, the scenario for finite keys can be different; thus the motivation for this work.

Noting how the choice of relevant probability distribution for EM and CM is immediately analogous to the asymmetric BB84’s choice for the preferred basis and non preferred basis respectively in [9], we extend the security proof based on purified versions of the SDC and LM05 in [5] to the use of smooth entropies for a finite key analysis. We provide for secure key rates in terms of efficiency for the protocols.

In a relatively small number of qubits resources used (order of 10^{4}) as well as lower depolarization of channels, we observe an obvious advantage in LM05 due to having more bits for raw key purpose (derived from EM). This results from LM05’s encoding/decoding process which is independent of Bob’s choice of bases for measurement processes; which is in fact the ‘deterministic’ merit claim of the protocol. This advantage does however diminish in the region of asymptotically long keys when compared to BB84 (as well as the SDC).

The SDC is in some sense very similar to the asymmetric BB84 as bits for key purposes can only be salvaged when both Alice’s and Bob’s encoding and decoding processes respectively coincide (unlike LM05 where Bob’s measurements in CM would be equally meaningful as a decoding measurement in the EM). The only real advantage SDC has over BB84 would be in the correlated channels case due to the error correction procedure. However, one must bear in mind that while efficiency for LM05 and BB84 is measured as key bits per-qubits transmitted, SDC’s is measured as key bits per-entangled pairs used. Practically, this may not set to provide for a promising scenario as quantum memories become a necessity. Apart from our study of independent as well as a specific correlated channels, It is possible to consider variant cases of the latter beyond the one modeled here. Despite how any results thereof would depend strongly on the nature of the correlations, one may roughly deduce that having errors in EM lower than that provided by independent channels may very well result in a higher key rate for SDC and LM05 against BB84. Conversely, when the errors in EM is higher, it is likely the case that LM05 may not perform better than BB84 except for possible very small error rates. We conclude saying that a finite key analysis would be enlightening also for two-way QKD in the framework of continuous variable [29].

## Acknowledgments

The authors would like to thank Normand Beaudry, Siddharth Karumanchi and Marco Lucamarini for fruitful discussions. Jesni Shamsul Shaari would also like to thank the University of Camerino for kind hospitality as well as the International Cooperation and Exchange Office, International Islamic University Malaysia for financial support.

## Author Contributions

The authors have equally contributed to the paper. All authors have read and approved the final manuscript.

## Conflicts of Interest

The authors declare no conflicts of interest.

## References and Notes

- Lucamarini, M.; Mancini, S. Quantum key distribution using a two-way quantum channel. Theor. Comput. Sci.
**2014**, 560, 46–61. [Google Scholar] - Gisin, N.; Ribordy, G.; Tittel, W.; Zbinden, H. Quantum cryptography. Rev. Mod. Phys.
**2002**, 74, 145–195. [Google Scholar] - Boström, K.; Felbinger, T. Deterministic Secure Direct Communication Using Entanglement. Phys. Rev. Lett.
**2002**, 89, 187902. [Google Scholar] - Lu, H.; Fung, C.-H.F.; Ma, X.; Cai, Q.-Y. Unconditional security proof of a deterministic quantum key distribution with a two-way quantum channel. Phys. Rev. A
**2011**, 84, 042344. [Google Scholar] - Beaudry, N.J.; Lucamarini, M.; Mancini, S.; Renner, R. Security of two-way quantum key distribution. Phys. Rev. A
**2013**, 88, 062302. [Google Scholar] - Lucamarini, M.; Mancini, S. Secure Deterministic Communication without Entanglement. Phys. Rev. Lett.
**2005**, 94, 140501. [Google Scholar] - Hayashi, M. Practical evaluation of security for quantum key distribution. Phys. Rev. A
**2006**, 74, 022307. [Google Scholar] - Scarani, V.; Renner, R. Quantum Cryptography with Finite Resources: Unconditional Security Bound for Discrete-Variable Protocols with One-Way Postprocessing. Phys. Rev. Lett.
**2008**, 100, 200501. [Google Scholar] - Tomamichel, M.; Lim, C.C.W.; Gisin, N.; Renner, R. Tight finite-key analysis for quantum cryptography. Nat. Commun.
**2012**, 3. [Google Scholar] [CrossRef] - Lo, H.-K.; Chau, H.F.; Ardehali, M. Efficient quantum key distribution scheme and a proof of its unconditional security. J. Cryptol.
**2005**, 18, 133–165. [Google Scholar] - Cai, Q.-Y.; Li, B.-W. Improving the capacity of the Boström-Felbinger protocol. Phys. Rev. A
**2004**, 69, 054301. [Google Scholar] - Bechmann-Pasquinucci, H.; Tittel, W. Quantum cryptography using larger alphabets. Phys. Rev. A
**2000**, 61, 062308. [Google Scholar] - Lo, H.K.; Chau, H.F. Unconditional security of quantum key distribution over arbitrarily long distances. Science
**1999**, 283, 2050–2056. [Google Scholar] - This is referred to as a purification of Alice’s encoding in [5].
- Maassen, H.; Uffink, J.B.M. Generalized Entropic Uncertainty Relations. Phys. Rev. Lett.
**1988**, 60, 1103–1106. [Google Scholar] - Renes, J.M.; Boileau, J.C. Conjectured strong complementary information tradeoff. Phys. Rev. Lett.
**2009**, 103, 020402. [Google Scholar] - Berta, M.; Christandl, M.; Colbeck, R.; Renes, J.M.; Renner, R. The uncertainty principle in the presence of quantum memory. Nat. Phys.
**2010**, 6, 659–662. [Google Scholar] - Coles, P.J.; Yu, L.; Gheorghiu, V.; Griffiths, R.B. Information theoretic treatment of tripartite systems and quantum channels. Phys. Rev. A
**2011**, 83, 062338. [Google Scholar] - Devetak, I.; Winter, A. Distillation of secret key and entanglement from quantum states. Proc. R. Soc. A
**2005**, 461, 207–235. [Google Scholar] - Tomamichel, M.; Renner, R. Uncertainty relation for smooth entropies. Phys. Rev. Lett.
**2011**, 106, 110506. [Google Scholar] - Tomamichel, M.; Colbeck, R.; Renner, R. Duality between smooth min- and max-entropies. IEEE Trans. Inf. Theory.
**2010**, 56, 4674–4681. [Google Scholar] - According to a distance that is based on the same notion of purified distance, for the classical register X arising from POVM $\mathbb{X}$ on B, given quantum side information E [31].
- The results should coincide with Alice’s measurement in CM when their bases coincide.
- A similar case for correlations between errors in the forward and backward path in CM was studied in [32].
- While for LM05 only a single qubit travels to and fro between the communicating parties, the case for SDC makes use of entangled pairs. Thus M(n, k) for SDC must be understood as number of qubit pairs.
- It is possible to consider a more practical scenario, for example for a bit string with error rate e, a cofactor would be multiplied to the amount bits needed for such a purpose given by h
_{2}(e). - Tomamichel, M.; Schaffner, C.; Smith, A.; Renner, R. Leftover Hashing Against Quantum Side Information. IEEE Trans. Inf. Theory.
**2011**, 57, 5524–5535. [Google Scholar] - Cabello, A. Efficient Quantum Cryptography. Rec. Res. Dev. Phys.
**2001**, 2, 249–257. [Google Scholar] - Pirandola, S.; Mancini, S.; Lloyd, S.; Braunstein, S.L. Continuous-variable quantum cryptography using two-way quantum communication. Nat. Phys.
**2008**, 4, 726–730. [Google Scholar] - An ideal error correction efficiency is considered for convenience; which is also the case for LM05 in the ensuing subsection.
- Tomamichel, M. A Framework for Non-Asymptotic Quantum Information Theory. Ph.D. Thesis, Dissertation ETH No. 20213, ETH Zurich, Zurich, Switzerland.
- Shaari, J.S.; Lucamarini, M.; Mancini, S. Checking noise correlations for safer two-way quantum key distribution. Quantum. Inf. Process.
**2014**, 13, 1139–1153. [Google Scholar]

**Figure 1.**Schematic diagram for SDC. Arrows represent the distribution of qubits in the channels between Alice and Bob. The arrows in Bob’s and Alice’s stations both see branchings with probability c or 1 − c for EM or CM respectively.

**Figure 2.**Schematic diagram for LM05. Arrows represent the distribution of qubits in the channels between Alice and Bob. Note that the arrow in Alice’s station branches off with probability c or 1 − c for EM or CM respectively.

**Figure 3.**Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 given independent channels for total qubit used as M = 10

^{4}.

**Figure 4.**Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 given independent channels for total qubit used as M = 10

^{7}.

**Figure 5.**Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against total qubit used, M (for SDC, it is to be understood as total pairs used) for error rate 0.01. The horizontal dashed lines represents the infinite key regime.

**Figure 6.**Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 given independent channels in the infinite key limit

**Figure 7.**Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 for total qubit used as M = 10

^{4}for correlated channels specified by e

_{1}= e

_{2}= e

_{m}.

**Figure 8.**Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against error rate q/2 for total qubit used as M = 10

^{7}for correlated channels specified by e

_{1}= e

_{2}= e

_{m}.

**Figure 9.**Efficiency for Asymmetrical BB84 (blue), LM05 (red) and SDC (green) against total qubit used, M (for SDC, it is to be understood as total pairs used) for error rate 0.01 for correlated channels specified by e

_{1}= e

_{2}= e

_{m}. The horizontal dashed lines represents the infinite key regime.

**Figure 10.**Efficiency for Asymmetrical BB84, LM05 (both black) and SDC (green) against error rate q/2 for correlated channels specified by e

_{1}= e

_{2}= e

_{m}in the infinite key limit.

© 2015 by the authors; licensee MDPI, Basel, Switzerland This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).