Measurement-Device-Independent Two-Party Cryptography with Error Estimation

We present a new method for quantum two-party cryptography. Our protocol introduces joint measurement and error estimation to improve the security of two-party cryptographic protocols. It removes the assumption that the attacker has limited power and detects attacks through the estimated bit error rate. The protocol is formally proved to be secure against both eavesdroppers and dishonest communication parties. We also use the designed protocol to construct two specific two-party cryptographic applications: quantum bit commitment and quantum password identification.


Introduction
Two-party cryptographic protocols are a significant branch of modern cryptography: they realize communication between mutually distrustful parties [1][2][3]. However, the advent of quantum computers poses a huge threat to cryptographic protocols that rely on computational complexity. Fortunately, Bennett and Brassard proposed the first quantum cryptographic protocol in 1984, known as the BB84 quantum key distribution (QKD) protocol [1]. BB84 allows two mutually trusting parties to generate identical secret keys for encryption. Quantum cryptography, founded on quantum mechanics, can provide unconditional security in the communication process. Therefore, studies of quantum cryptography have attracted worldwide attention.
While QKD has attracted extensive attention, researchers have also considered introducing quantum technology into two-party cryptographic protocols. However, Lo and Mayers independently demonstrated that an unconditionally secure two-party cryptographic protocol does not exist without restricting the attacker's ability [4][5][6][7]. Therefore, a perfect two-party cryptographic protocol is harder to realize than key distribution. Even so, several solutions have been proposed to obtain more secure quantum two-party cryptographic schemes, of which there are mainly three types. The first introduces relativity theory to restrain the attacker's behavior [3,[8][9][10]. The second weakens the demand for security: it gives up perfect security and allows the attacker's strategy to succeed with negligible probability. The most representative example is the cheat-sensitive quantum bit commitment (CSQBC) protocol [11][12][13][14]. The third limits the attacker's power to current technology. For example, in 2005 Damgård demonstrated secure two-party cryptography under the assumption that the attacker's capability of storing quantum states is limited. In this so-called bounded storage model [15,16], the attacker is equipped with perfect quantum storage, but its capacity is limited because of unaffordable cost. Later, Schaffner

where $p_{\mathrm{guess}}(X|E)$ is the probability of guessing X given register E, and the maximization is over all positive operator-valued measurements (POVMs) $\{M_x\}$ acting on register E. From this, the conditional min-entropy of X given E is $H_{\min}(X|E) = -\log_2 p_{\mathrm{guess}}(X|E)$, and the conditional smooth min-entropy is defined as: where for any event $\mathcal{E}$, we have: Next, we discuss the min-entropy-splitting lemma used in Ref. [2,17] for the security proofs of the 1-2 ROT and WSE protocols.
Lemma 1 (Entropy splitting [2,17]). Let $\varepsilon \ge 0$, and let $X_1, X_2, \dots, X_m$ and Z be random variables such that $H^{\varepsilon}_{\min}(X_i X_j | Z) \ge \alpha$ for $i \ne j$. Then there exists a random variable $V \subseteq \{1, \dots, m\}$ such that for any independent random variable $W \subseteq \{1, \dots, m\}$ with $H_{\min}(W) \ge 1$,

Lemma 2 (Min-entropy splitting [2,17]). Let $\varepsilon \ge 0$, and let $X_0$, $X_1$ and Z be random variables such that $H^{\varepsilon}_{\min} \ge \alpha$. Then there exists a random variable $D \in \{0, 1\}$ such that:

Finally, we introduce the quantum uncertainty relation as the core of the security proof for our redesigned protocol.

Theorem 1 (Quantum uncertainty relation [24]). Suppose Q is an arbitrary fixed n-qubit state, θ is a random basis ($\theta \in_R \{0, 1\}$), and $X \in_R \{0, 1\}^n$ is the random variable for the outcome of measuring Q in basis $\theta^n$. Then for any δ > 0 the conditional smooth min-entropy has a lower bound such that: Here,

Joint Measurement
Joint measurement and phase matching are widely used in QKD, and we introduce them into our two-party cryptographic protocol. Next, we explain these two methods.
Prior to 2012, most quantum cryptographic protocols, including QKD and many two-party cryptographic protocols, used single-state measurement. The earliest application of joint measurement to quantum protocols was introduced by Hoi-Kwong Lo [19]. In Ref. [19], he presented the idea of MDI-QKD using joint measurement. The measurement method is shown in Figure 1.
Figure 1. The basic setup of a measurement-device-independent QKD (MDI-QKD) protocol, from Ref. [19]. Alice and Bob use three devices to prepare their photons, and the third party makes a joint measurement and announces the measurement outcome.
In Figure 1, Alice and Bob each prepare a single quantum state and send it to the third party, Charlie. Charlie measures those quantum states in the Bell basis. The state $|\phi^-\rangle = \frac{1}{\sqrt{2}}(|HV\rangle - |VH\rangle)$ is identified by a click in $D_{1H}$ and $D_{2V}$ or in $D_{1V}$ and $D_{2H}$, and $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|HV\rangle + |VH\rangle)$ is identified by a click in $D_{1H}$ and $D_{1V}$ or in $D_{2H}$ and $D_{2V}$. Therefore, Alice and Bob can obtain the raw key from the measurement outcomes and the prepared bases, as shown in Table 1.
Table 1. Alice or Bob flip their key based on the outcomes of the measurement and the announced prepared basis [19].
Another joint measurement method uses phase coding, which is generally used in continuous-variable QKD. The representative protocols are PM-QKD [22] and TF-QKD [23]. The measurement method is shown in Figure 2. Phase-matching QKD uses coherent states to send information. We define $\delta_a = |\sqrt{\mu_a}\, e^{i(\phi_a + \pi k_a)}\rangle$ and
According to Mach-Zehnder interference, detector $D_1$ clicks when the phase difference between $\delta_a$ and $\delta_b$ is an even multiple of π, and detector $D_2$ clicks when the phase difference is an odd multiple of π. When the phase difference between $\delta_a$ and $\delta_b$ is not a multiple of π, a random click occurs. Bob flips his key bit when detector $D_2$ clicks, because only $|k_a - k_b| = 1$ makes the phase difference an odd multiple of π.
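The click rule and Bob's flip described above, as an added Python simulation that is not code from the paper or from the PM-QKD/TF-QKD papers. It assumes Bob's pulse is defined symmetrically to $\delta_a$ (the page's own definition of $\delta_b$ is not reproduced here), that the random phases are drawn from a small discrete set and announced afterwards so that only rounds with $\phi_a = \phi_b$ are kept, and it ignores channel loss and dark counts; all function names are the example's own.

```python
"""Phase-matching detector rule and key sifting (added example, not the paper's code).

Assumptions: delta_b = |sqrt(mu_b) e^{i(phi_b + pi k_b)}> mirrors delta_a; phases come
from a discrete set of `phase_slices` values; only rounds with phi_a == phi_b are kept.
"""
import math
import random


def phase_difference(phi_a: float, k_a: int, phi_b: float, k_b: int) -> float:
    """Phase difference between delta_a and delta_b; each key bit adds a pi shift."""
    return (phi_a + math.pi * k_a) - (phi_b + math.pi * k_b)


def which_detector(phi_a: float, k_a: int, phi_b: float, k_b: int, rng) -> int:
    """Return 1 or 2, the detector that clicks after Mach-Zehnder interference.

    Even multiple of pi -> D1, odd multiple of pi -> D2, anything else -> random click.
    `rng` is only consulted in the random-click case.
    """
    ratio = phase_difference(phi_a, k_a, phi_b, k_b) / math.pi
    nearest = round(ratio)
    if abs(ratio - nearest) < 1e-9:          # integer multiple of pi: deterministic
        return 1 if nearest % 2 == 0 else 2
    return rng.choice((1, 2))                # no interference condition: random click


def run_rounds(n: int, rng: random.Random, phase_slices: int = 4) -> list:
    """Simulate n rounds with random key bits and random phases from a discrete slice set."""
    rounds = []
    for _ in range(n):
        phi_a = 2 * math.pi * rng.randrange(phase_slices) / phase_slices
        phi_b = 2 * math.pi * rng.randrange(phase_slices) / phase_slices
        k_a, k_b = rng.randrange(2), rng.randrange(2)
        det = which_detector(phi_a, k_a, phi_b, k_b, rng)
        rounds.append((phi_a, k_a, phi_b, k_b, det))
    return rounds


def sift(rounds: list) -> tuple:
    """Keep phase-matched rounds only; Bob flips his bit whenever D2 clicked."""
    alice_key, bob_key = [], []
    for phi_a, k_a, phi_b, k_b, det in rounds:
        if phi_a != phi_b:
            continue                          # phases differ: outcome carries no key info
        alice_key.append(k_a)
        bob_key.append(k_b ^ (1 if det == 2 else 0))
    return alice_key, bob_key


def sifted_keys_agree(n: int = 2000, seed: int = 1) -> bool:
    """True when Bob's flipped key equals Alice's on every phase-matched round."""
    alice_key, bob_key = sift(run_rounds(n, random.Random(seed)))
    return len(alice_key) > 0 and alice_key == bob_key


if __name__ == "__main__":
    print("sifted keys agree:", sifted_keys_agree())
```

With matched phases the difference is exactly $\pi(k_a - k_b)$, so $D_2$ fires only when the bits differ and the flip restores agreement; on unmatched rounds the click is uninformative and the round is dropped, which is why the phase announcement has to precede sifting.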

Error Estimation
Error estimation is one of the most important methods of ensuring security in quantum cryptographic protocols. However, so far no method of improving security through error estimation has been seen in two-party quantum cryptographic protocols. This is due to the asymmetry of information in two-party protocols and the coupling between the measurement results and the final key. We find that joint measurement reduces this coupling, and we introduce error estimation into the two-party protocol. In this paper, because of the asymmetry of information, we use the random sampling method for error estimation.
In QKD, the random sampling method proceeds as follows. From the raw keys $(k_0, \dots, k_{l-1})_A$ and $(k_0, \dots, k_{l-1})_B$ held by Alice and Bob, a fraction p of the key bits at corresponding positions is randomly extracted and published over the classical channel with trusted authentication. The mismatch rate of the sampled bits is taken as the bit error rate of the raw key (since the sampled bits have been published, they cannot be used in subsequent steps and are discarded). In the two-party quantum cryptographic protocol, because of the asymmetry of information (for example, in the ROT protocol, after basis matching Bob does not discard the bits that failed to match, but splits the key according to his choice c), Alice samples randomly from all positions, requires that the preparation bases and bits of the sampled part be published, and then computes the bit error rate.
Assume the error rate of the raw key held by Alice and Bob is e and the key length is l; compared with Alice's key, Bob's raw key then has el errors. The number of randomly extracted bits is pl and satisfies el < pl, that is, e < p. Assume there are m bit errors among the extracted pl bits; the error rate of the raw key is then taken to be: In this paper, in order to ensure the security of the two-party protocol, we place the error estimation process before basis matching. Thus, we obtain:

Privacy Amplification
Generally speaking, we use a two-universal hash function for privacy amplification. The definition of a two-universal hash function is as follows: if for all $x \ne y \in_R \{0, 1\}^n$ we have: then we say that F is two-universal.
Using a two-universal hash function for privacy amplification, we also have the privacy amplification theorem [2].
First, the security of a key is defined with respect to its L1-distance from a perfect key, which is uniformly distributed and independent of the adversary's state. The L1-distance from uniform of $\rho_{XQ}$ given Q is: where $\rho_U$ is the fully mixed state.
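An added example of a two-universal hash family and its use for privacy amplification; this is not code from the paper. The family is the example's own choice: $h_s(x)$ is the first $l$ bits of $s \cdot x$ in $\mathrm{GF}(2^8)$ (AES polynomial as modulus). For fixed $x \ne y$ the map $s \mapsto s \cdot (x \oplus y)$ is a bijection of the field, so exactly $2^{8-l}$ seeds collide and $\Pr[h_s(x) = h_s(y)] = 2^{-l}$, which is the two-universal property. The 8-bit field is a toy size chosen so the collision count can be verified exhaustively; a real protocol uses a field of key length. The leftover-hash bound in `extractable_length` is the standard form, not the paper's exact statement.

```python
"""Two-universal hashing over GF(2^8) and toy privacy amplification (added example).

Not the paper's code. Family assumed: h_s(x) = top `out_bits` bits of s*x in GF(2^8).
"""
import math
import random

GF_DEGREE = 8
GF_MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2) (AES field)


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiplication modulo GF_MODULUS (shift-and-xor)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << GF_DEGREE):
            a ^= GF_MODULUS
    return r


def hash_2u(seed: int, x: int, out_bits: int) -> int:
    """h_seed(x): the top `out_bits` bits of seed*x in GF(2^8)."""
    if not 1 <= out_bits <= GF_DEGREE:
        raise ValueError("out_bits must be in 1..GF_DEGREE")
    return gf_mul(seed, x) >> (GF_DEGREE - out_bits)


def collision_count(x: int, y: int, out_bits: int) -> int:
    """Number of the 2^8 seeds on which x and y collide (expect 2^(8-out_bits) for x != y)."""
    return sum(1 for s in range(1 << GF_DEGREE)
               if hash_2u(s, x, out_bits) == hash_2u(s, y, out_bits))


def extractable_length(h_min: float, eps: float) -> int:
    """Output length allowed by the leftover hash lemma, l <= H_min - 2 log2(1/eps)
    (standard form; the paper's exact privacy amplification theorem is not reproduced)."""
    return max(0, math.floor(h_min - 2 * math.log2(1.0 / eps)))


def privacy_amplify(key_bits: list, seed: int, out_bits: int) -> list:
    """Compress an 8-bit raw key to `out_bits` bits with a public random seed."""
    if len(key_bits) != GF_DEGREE:
        raise ValueError("this toy field takes exactly 8 key bits")
    x = int("".join(str(b) for b in key_bits), 2)
    h = hash_2u(seed, x, out_bits)
    return [(h >> (out_bits - 1 - i)) & 1 for i in range(out_bits)]


if __name__ == "__main__":
    rng = random.Random(3)                      # constructed sample input
    seed = rng.randrange(1, 1 << GF_DEGREE)
    raw = [rng.randrange(2) for _ in range(GF_DEGREE)]
    print(raw, "->", privacy_amplify(raw, seed, 4))
    print("collisions for 0x3A vs 0x7F at 5 output bits:", collision_count(0x3A, 0x7F, 5))
```

The seed is public and chosen after the adversary's state is fixed; only the collision probability of the family matters, which is why an exhaustive count over all seeds is a meaningful check of the definition above.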

Weak String Erasure
In order to better demonstrate the application of joint measurement and error estimation to two-party cryptographic protocols, we first discuss how they enhance the security of weak string erasure (WSE), which was originally proposed by König [2] and is studied as the basic building block of other two-party cryptographic protocols.

Definition
Before introducing our redesigned WSE protocol, we first give its definition. WSE is a basic two-party cryptographic protocol between Alice and Bob that can be used to construct other two-party cryptographic protocols, such as bit commitment and oblivious transfer. The ideal functionality of WSE is shown in Figure 3. The process of WSE can be seen as a black box with no inputs from Alice and Bob. As outputs, Alice gets a randomly chosen bit string $X^n$, and Bob obtains a randomly chosen subset of indices $I \subseteq [n]$ and the bits $X_I \in \{0, 1\}^{|I|}$. Next, we denote honest Alice and Bob by A and B, and dishonest Alice and Bob by A' and B'. ρ represents the joint state generated in the actual protocol run, and σ represents the state generated in the ideal protocol run.
The specific definition of WSE is as follows [2].
Definition 3 (Weak string erasure [2]). An (n, λ, ε)-weak string erasure (WSE) scheme is a protocol between Alice and Bob satisfying the following properties:
1. Correctness: If both parties are honest, then for any attack strategy of the third-party attacker, Alice always gets a uniformly distributed string $X^n \in_R \{0, 1\}^n$ and Bob gets an index set $I \subseteq [n]$ and $X_I \in \{0, 1\}^{|I|}$;
2. Security for Alice: If Alice is honest, then for any attack strategy of dishonest Bob, we have:
3. Security for Bob: If Bob is honest, then for any attack strategy of dishonest Alice, there exists α ≥ 0:

Protocol
In the previous protocol there is no error estimation process, because the measurement results of the BB84 protocol are directly related to the final key. We redesign the WSE protocol using the independence of the key from the measurement results in the MDI-QKD and PM-QKD protocols, adding an error estimation process to improve the security of the protocol.
The specific protocol is as follows:
1. Alice chooses a string $x^n \in_R \{0, 1\}^n$ and a basis-specifying string $\theta^n_A \in_R \{+, \times\}^n$ at random. She encodes each bit $x_i$ in the basis given by $\theta^A_i$ (as $H^{\theta^A_i}|x_i\rangle$) and sends it to the third party Charlie;
2. Similarly, Bob chooses a string $y^n \in_R \{0, 1\}^n$ and a basis-specifying string $\theta^n_B \in_R \{+, \times\}^n$ at random. He encodes each bit $y_i$ in the basis given by $\theta^B_i$ (as $H^{\theta^B_i}|y_i\rangle$) and sends it to the third party Charlie;
3. Charlie performs a Bell measurement and announces the outcome;
4. Alice selects a subset of the measurement outcomes as the error estimator (about m qubits) and sends the index subset $I_{\mathrm{check}}$ to Bob. Bob sends $\theta^B_{\mathrm{check}}$ and $y_{\mathrm{check}}$ (where $y_{\mathrm{check}}, \theta^B_{\mathrm{check}} = \{y_i, \theta^B_i \mid i \in I_{\mathrm{check}}\}$) to Alice. Then they run the error estimation process and compute:
5. If $Q_u > e_r$, the communication is terminated; otherwise, the process continues;
6. Alice sends the remaining bases $\theta^{n-m}_A$ to Bob and outputs the remaining string $x^{n-m}$;
7.

Security Proof of WSE
Before analyzing the security of the WSE protocol, we need to explain how Bob's storage capacity is constrained under joint measurement and error estimation. Once we remove any assumption about storage devices, we need another way to limit Bob's ability to store the quantum states sent by Alice. Because of the structure of the protocol, we naturally expect that Bob storing quantum states increases the error rate of the final key, and error estimation is used to detect this attack. Next, we need to explain an important concept, the error correction upper bound of any channel error correction code. From [26] we know that: where f is the reconciliation efficiency, given by the ratio of the disclosed redundancy to the theoretical minimum necessary for successful error correction, R is the code rate of the given channel error correction code, e is the error rate, and h is the Shannon binary entropy function. Then we get the error correction upper bound as f approaches 1, i.e., its Shannon limit: where $h^{-1}$ is the inverse function of h.
When Bob stores the quantum states, the joint measurement cannot be performed and the published detection results are random. The resulting increase in the error rate is explained in Lemma 3.

Lemma 3.
Assume that Bob has perfect quantum memory of unlimited capacity. Our protocol has a storage rate v with $v \le 2e_r$.
Proof. In our protocol, the quantum states are jointly measured by the third party in the Bell basis and the outcomes are published before Alice sends the bases $\theta_A$. Alice asks Bob to publish partial information for error estimation before sending the bases $\theta_A$. Now assume that Bob's storage rate is v, meaning Bob stores vn quantum states in his memory. If Bob stores the quantum states, he cannot measure them, because measurement collapses the quantum states and loses the information. Therefore, Bob can only publish random fake outcomes, and the error rate introduced by this is: where $e_c$ is the error rate caused by channel noise.
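The random-sampling error estimation of the Error Estimation section and the storage attack of Lemma 3, as one added Python model that is not code from the paper. It assumes the standard relation $R = 1 - f\,h(e)$ so that the Shannon limit is $e_r = h^{-1}(1 - R)$; it treats the raw key classically (Alice's bits against the bits Bob publishes, ignoring Charlie's Bell outcome); and it models a stored, unmeasured position as one Bob answers with a uniformly random bit, wrong with probability 1/2, while measured positions pass a channel that flips each bit with probability $e_c$. All function and parameter names are the example's own, and the closed-form undetected-storage bound is derived from this model, not copied from the page.

```python
"""Error estimation, Shannon-limit threshold and a stored-qubit attack (added example).

Not the paper's code. Model: e_r = h^{-1}(1 - R) (f -> 1); a stored position is
answered with a random bit; a measured position is flipped with probability e_c.
"""
import math
import random


def binary_entropy(e: float) -> float:
    """Shannon binary entropy h(e) in bits."""
    if e <= 0.0 or e >= 1.0:
        return 0.0
    return -e * math.log2(e) - (1.0 - e) * math.log2(1.0 - e)


def inverse_binary_entropy(target: float) -> float:
    """h^{-1}(target) on [0, 1/2] by bisection (h is increasing there)."""
    lo, hi = 0.0, 0.5
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if binary_entropy(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def error_correction_upper_bound(code_rate: float, f: float = 1.0) -> float:
    """e_r: the largest error rate a rate-R code can correct, f*h(e_r) = 1 - R (assumed)."""
    return inverse_binary_entropy((1.0 - code_rate) / f)


def bob_raw_key(alice_key: list, channel_error: float, storage_rate: float, rng) -> list:
    """Bits Bob publishes: a fraction `storage_rate` of positions is stored unmeasured
    and answered at random; the rest are Alice's bits after channel noise e_c."""
    l = len(alice_key)
    stored = set(rng.sample(range(l), round(storage_rate * l)))
    bob = []
    for i, bit in enumerate(alice_key):
        if i in stored:
            bob.append(rng.randrange(2))                 # fake outcome, wrong w.p. 1/2
        else:
            bob.append(bit ^ (1 if rng.random() < channel_error else 0))
    return bob


def estimate_error_rate(key_a: list, key_b: list, p: float, rng) -> tuple:
    """Random sampling: disclose a fraction p of positions, return (Q_u, rest_a, rest_b).
    The disclosed positions are discarded from the remaining keys."""
    l = len(key_a)
    sample = set(rng.sample(range(l), max(1, round(p * l))))
    m = sum(1 for i in sample if key_a[i] != key_b[i])
    rest_a = [b for i, b in enumerate(key_a) if i not in sample]
    rest_b = [b for i, b in enumerate(key_b) if i not in sample]
    return m / len(sample), rest_a, rest_b


def max_undetected_storage_rate(e_r: float, e_c: float) -> float:
    """Largest v with (1 - v) e_c + v/2 <= e_r under this model; equals 2 e_r when
    e_c = 0, matching the bound stated in Lemma 3."""
    return (e_r - e_c) / (0.5 - e_c)


def run_check(l: int, channel_error: float, storage_rate: float,
              p: float, code_rate: float, seed: int) -> tuple:
    """One error-estimation round on a constructed key; returns (Q_u, e_r, aborted)."""
    rng = random.Random(seed)
    alice = [rng.randrange(2) for _ in range(l)]        # constructed raw key
    bob = bob_raw_key(alice, channel_error, storage_rate, rng)
    q_u, _, _ = estimate_error_rate(alice, bob, p, rng)
    e_r = error_correction_upper_bound(code_rate)
    return q_u, e_r, q_u > e_r


if __name__ == "__main__":
    print("honest :", run_check(20000, 0.02, 0.0, 0.25, 0.5, 7))
    print("storing:", run_check(20000, 0.02, 0.5, 0.25, 0.5, 7))
    print("max undetected v at e_c=0, e_r=0.11:", max_undetected_storage_rate(0.11, 0.0))
```

With a rate-1/2 code the Shannon limit is $e_r \approx 0.11$; an honest run with 2% channel noise estimates $Q_u \approx 0.02$ and passes, whereas storing half of the positions pushes $Q_u$ to about $0.26$ and aborts. The sampling fraction p trades key loss against estimator variance, which is why the text requires $e < p$.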
In fact, with Lemma 3, we can easily convert our protocol into a WSE protocol under the bounded-storage model. Therefore, we can use the proof methods and results in Ref. [2,17] to prove the security of our protocol.
Proof. According to the conclusion in Ref. [2], we have: where: and in our protocol we have the parameters $\delta \in [0, \tfrac{1}{4}]$, $v = 2e_r$, $C_N = 1$, $r = 1$ and $d = 2$. So we have: Next, we discuss the security for Bob. Proving security for Bob is relatively simple, because Bob leaks no information besides his quantum states during the protocol.
Lemma 5 (Security for Bob). According to [2,27], for any attack of dishonest Alice with any storage model $\mathcal{F}: \mathcal{B}(\mathcal{H}_{\mathrm{in}}) \to \mathcal{B}(\mathcal{H}_{\mathrm{out}})$, we have:

1-2 Random Oblivious Transfer
In this section, we further investigate 1-2 random oblivious transfer (ROT), which, like WSE, is a basic two-party cryptographic protocol. As before, we first give its definition, then propose our protocol based on joint measurement and error estimation, followed by its security proof.

Definition
As in Figure 4, like the WSE protocol, the 1-2 random oblivious transfer (ROT) protocol is a basic two-party cryptographic protocol and is a randomized version of 1-2 oblivious transfer (OT). Based on 1-2 ROT, we can easily implement 1-2 OT and the bit commitment (BC) protocol. In 1-2 ROT, instead of inputting two message strings $m_0, m_1 \in \{0, 1\}^l$, Alice obtains two random key strings $S_0, S_1 \in \{0, 1\}^l$. At the same time, Bob obtains the random key string $S_c$ according to his input c. To implement 1-2 OT, after running 1-2 ROT Alice simply encrypts the messages $m_0$ and $m_1$ with the two keys $S_0$ and $S_1$ obtained from the ROT protocol, and Bob uses $S_c$ to decrypt and obtain $m_c$. In the security definition of 1-2 ROT, Alice cannot learn Bob's input c, and Bob cannot learn the other key $S_{1-c}$ besides $S_c$. The specific definition of security is as follows.
Definition 4. An ε-secure 1-2 ROT is a protocol between Alice and Bob, where Bob has input $c \in \{0, 1\}$ and Alice has no input, satisfying:
1. Correctness: If Alice and Bob are honest, then for any distribution of Bob's input c unknown to Alice, Alice gets outputs $S_0, S_1 \in \{0, 1\}^l$ that are ε-close to uniformly random and independent of c, and Bob obtains $Y = S_c$ with probability ε;
2. Security for Alice: If Alice is honest, then for any cheating strategy of Bob resulting in his state $\rho_{B'}$, there exists a random variable $D \in \{0, 1\}$ and λ > 0 such that:
3. Security for Bob: If Bob is honest and obtains output Y, then for any cheating strategy of Alice resulting in her state $\rho_{A'}$, there exists a random variable $D \in \{0, 1\}$ such that: and

Protocol
We now give the specific 1-2 ROT protocol using error estimation as follows:
If $Q_u > e_r$, they stop communication; otherwise they continue, where $e_r$ is the error correction upper bound;
4. Key division: Both parties discard the data used in error estimation. Alice sends $\theta^{n-m}_A$ to Bob, and Bob divides the key according to $\theta^{n-m}$ Bob sends $I_0, I_1$ to Alice;
5.

Security Proof of 1-2 ROT
According to the definition, we prove the security of our proposed ROT protocol from the perspectives of correctness, security for Alice, and security for Bob in turn.
For correctness, if both parties are honest, Bob can compute $I_0, I_1$ according to c, and $S_c$, and Alice can also obtain $S_0, S_1$. The focus is mainly on security for Alice and for Bob.
Lemma 6 (Security for Alice). In the 1-2 ROT protocol, n is the number of bits transmitted during the protocol. $\sigma_{B'X^n}$ is the state generated in the ideal protocol run, consisting of dishonest Bob and the variable $X^n$ of the n transmitted bits, and $\rho_{X^nB'}$ is the joint state generated in the actual protocol run, consisting of dishonest Bob and the variable $x^n$ of the n transmitted bits. If Alice is honest and n → ∞, the trace distance between these two states satisfies $\|\sigma_{B'X^n} - \rho_{B'X^n}\| \le \varepsilon$ with $\varepsilon = 2\exp\!\left(-\frac{\delta^2}{32(2 + \log_2 \delta)^2}\right)$. Fixing $\delta \in [0, \tfrac{1}{4}]$, we get:
Proof. From the uncertainty relation theorem, we have: where M is the outcome announced by Charlie. By the entropy sampling theorem: and in our protocol, by Lemma 3, the storage rate is $v = 2e_r$, so: Using the privacy amplification theorem: and requiring the above expression to be less than 2ε, we get:
Lemma 7 (Security for Bob). In the 1-2 ROT protocol, n is the number of bits transmitted during the protocol. $\sigma_{A'c}$ is the state generated in the ideal protocol run, consisting of dishonest Alice and the commit bit c, and $\rho_{A'} \otimes \tau_{\{0,1\}}$ is the joint state generated in the actual protocol run, consisting of dishonest Alice and the commit bit c uniformly distributed on {0, 1}. If Bob is honest and n → ∞, the trace distance between these two states satisfies $\|\sigma_{A'c} - \rho_{A'} \otimes \tau_{\{0,1\}}\| \le \varepsilon$, and there exists ε ≥ 0 such that for the conditional entropy with respect to c and A' we have:
According to the definition of the ROT protocol, a dishonest Alice aims to learn the c chosen by Bob. In our protocol, the information Bob leaks to Alice consists of $\rho_B$, $y_{\mathrm{check}}$, $\theta_{\mathrm{check}}$, $I_0$ and $I_1$.

Applications for Two Party Cryptography
In this section, we redesign two specific two-party cryptographic protocols using the joint measurement method and briefly analyze their security. The first protocol is bit commitment, which was proposed in [1]. The second is password-based identification, which allows passwords to be used for authentication without revealing them.

Bit Commitment
In this subsection, we redesign the bit commitment protocol using joint measurement and prove its security. Quantum bit commitment is one of the earliest proposed quantum two-party cryptographic protocols. The original version of quantum bit commitment is a variant of quantum coin tossing proposed by Bennett and Brassard [1]. In fact, quantum bit commitment is easy to adapt from the 1-2 ROT protocol.

Definition and Protocol
Informally, a standard bit commitment scheme consists of two sub-protocols, the commitment protocol and the revealing protocol. First, Alice and Bob execute the commitment protocol: Alice has the commit bit c ∈ {0, 1} as input and Bob has no input. As a result, Bob obtains some evidence about c. In the second phase, Alice and Bob execute the revealing protocol, where Alice inputs the remaining evidence and the commit bit c, and Bob again has no input. At the end of this protocol, Bob outputs accept or reject according to Alice's inputs in the commitment and revealing protocols.
If both parties are honest, Bob always accepts the bit c. If Alice is dishonest, however, Bob should not output accept. If Bob is dishonest, he should not be able to gain any information about c before the revealing protocol is executed. The definition of security for a bit commitment protocol is as follows.
Definition 5 (Bit commitment [17]). An ε-secure bit commitment is a protocol between Alice and Bob, where Alice has input c ∈ {0, 1} and Bob has no input.

1. Correctness: If both parties are honest, then the ideal state $\delta_{c\,\mathrm{ans}}$ is defined as: The distribution of the commit bit c for Bob is uniform when Bob has no information about the distribution of c besides what this protocol leaks, and Bob accepts the commitment:
2. Security for Alice (ε-hiding): If Alice is honest, then for any joint state $\rho_{cB'}$ created by the commit protocol, Bob does not learn c. Here, and the entropy of c:
3. Security for Bob (ε-binding): If Bob is honest, then there exists an ideal cq-state $\delta_{cA'V}$ such that for all operations for $\rho_{A'}$, we have:

We have rewritten the QBC protocol based on the ROT protocol, as shown below.
1. Preparation: Alice chooses $x^n \in_R \{0, 1\}^n$ and $\theta^n_A \in_R \{+, \times\}^n$; furthermore, Bob chooses $y^n \in_R \{0, 1\}^n$ and $\theta^n_B \in_R \{+, \times\}^n$. Both parties send the encoded quantum state $|x^n\rangle$
If $Q_u > e_r$, they stop communication; otherwise they continue. Here $e_r$ is the error correction upper bound;
4. Key division: Both parties discard the bits used in error estimation. Bob sends $\theta^{n-m}_B$ to Alice. Alice divides the key according to $\theta^{n-m}$ and sends $I_0, I_1$ to Bob;
5.

Bit commitment, revealing phase: The input is $S_c$ for Alice. The outputs are $c \in \{0, 1\}$ and ans ∈ {accept, reject} for Bob.
1. Alice: Alice sends $S_c$ and c to Bob;
2. Bob: If the received $S_c$ equals Bob's own $S_c$, then Bob obtains c and ans = accept. Otherwise, he outputs ans = reject.

Security Analysis
The correctness of the protocol need not be proven, because the protocol is designed according to the definition of the bit commitment protocol. Its ε-hiding is guaranteed by the security of the ROT protocol.
Lemma 8 (Security for Alice). Let n be the number of bits transmitted during the protocol and let n → ∞; then we have: (1) $\delta_{cB'} \approx_{\varepsilon} \tau_{\{0,1\}} \otimes \rho_{B'}$, (2) $H_{\min}(c|B') \ge 1 - \varepsilon$.
Proof. Our commitment protocol is adapted from the 1-2 ROT, and according to Definition 5 we have $H_{\min}(c|B') \ge 1 - \varepsilon$.
Proof. According to Lemma

Conclusions
Compared with the protocols in [2,17,28,29], our protocols discard the assumption that the attacker's storage device is defective and instead employ a combination of joint measurement and error estimation to limit the attacker's quantum storage. Our protocols make no assumptions, are more secure, and have wider applicability. The two basic two-party cryptographic protocols in this paper can easily be extended to other two-party protocols, such as 1-2 OT and quantum identification protocols. We eliminated the assumption that the attacker is bounded by current technology, and employed joint measurement and error estimation to improve two basic quantum two-party cryptographic protocols. We showed that our improved protocols offer stronger security and are applicable to many specific quantum two-party cryptographic protocols, such as BC and PID.
Inspired by [30,31], we note that quantum coherence plays an important role in quantum key distribution and quantum random number generation, and this might also be used to improve our work. Future work will begin with this aspect.