The BB84 protocol
The BB84 protocol was originally suggested in 1984 by Bennett and Brassard. It allows two parties, Alice and Bob, to generate and distribute a classical binary key over a quantum channel. Additionally, they require a verified and authenticated classical channel. Even in the presence of an eavesdropper Eve, the security of the transmission can be guaranteed in a well-defined range of circumstances based on the laws of physics (e.g., no-cloning theorem) and appropriate post processing. The n-th bit of the secret key is established with the following steps:
-
1.
State preparation: Alice randomly chooses a bit value x ∈ {0, 1} followed by another random bit bA ∈ {0, 1} that determines one of two orthogonal bases – the Z-basis (bA = 0) or X-basis (bA = 1) – used to encode the bit x as a quantum state. For x = 0, the prepared qubit is \(| 0\left.\right\rangle\) for bA = 0 and \(| +\left.\right\rangle\) for bA = 1. For x = 1, the prepared qubit is \(| 1\left.\right\rangle\) for bA = 0 and \(| -\left.\right\rangle\) for bA = 1.
-
2.
Transmission: The quantum state is sent through the quantum channel from Alice to Bob.
-
3.
Measuring: Bob randomly selects bB ∈ {0, 1} that determines one of the two orthogonal bases Z (bB = 0) or X (bB = 1) to measure the received quantum state and store the binary result.
-
4.
Sifting: Alice and Bob reveal their basis choices over the classical channel. If the basis coincides, i.e., bA = bB, the measured bit is used as the n-th bit of their raw key. Otherwise, they discard the bit and start over with the process for the n-th bit.
Note that the sifting step can be performed after the transmission of each individual bit or just once for an entire block of bits.
With an ideal quantum channel, Alice and Bob would always end up with identical raw keys. However, in a realistic scenario, errors occur in the quantum channel, either due to environmental noise or the actions of an eavesdropper, causing some bits in Bob’s key to differ from Alice’s. Therefore, after the transmission of the quantum states, Alice and Bob have to apply additional post-processing steps to obtain identical and secure keys. First, Alice and Bob will communicate classical information over the verified channel in order to detect and correct any errors between their raw keys obtaining an error-free reconciled key. This can be achieved with a variety of error reconciliation protocols, such as, for example Cascade9 or protocols based on Low-Density Parity-Check (LDPC)10 codes. This will necessarily reveal information about the raw key and we show in the section about collective attacks how it can be used by an eavesdropper. A necessary condition for a secure key is that an attacker cannot obtain the reconciled key in full. Privacy amplification aims at reducing the information obtained by an eavesdropper by distilling the reconciled key. However, privacy amplification will not play a role in our consideration.
Quantum circuit learning and attacks on the BB84 protocol
In our examples, we deal with two types of attacks: individual attacks, in which Eve uses the same quantum circuit to interact with the quantum channel for every qubit that is transmitted. Further, for each such qubit transmission, the measurement she applies to her quantum system is independent of all other qubit transmissions. In collective attacks, Eve still applies the same quantum circuit for each qubit, but the quantum system she measures in the end may now depend on all the qubits that were transmitted. Collective attacks are generally more powerful than individual attacks, as one of our examples illustrates.
We model an individual attack on the BB84 protocol with a quantum circuit as shown in Fig. 1. The communication channel is represented by a single qubit with the two parties Alice and Bob at each end. Eve has access to an ancillary quantum register and can interact with the QKD line (we assume that this process is error-free) during the transmission using the unitary operation U(Θ). With access to quantum memory, Eve may also delay another unitary operation V(Λ) and measurement until further classical information is broadcasted by Alice and Bob. Eve can then perform operations and measurements on the ancilla system that make use of this information. For example, in an individual attack such as the ones described in the first two examples, Eve uses two sets of weights for V(Λ) depending on the basis that was used by Alice and Bob. We extend this approach to collective attacks in the last section.
Similarly, Bob can measure in the Z-basis (bB = 0) or the X-basis (bB = 1).
A full analysis includes eight different quantum circuits corresponding to all possible choices in state preparation, i.e., \(| 0\left.\right\rangle ,| 1\left.\right\rangle ,| +\left.\right\rangle ,| -\left.\right\rangle\), and Bob’s choice of measurement basis. For each configuration we compute the density matrix of the system. Bob’s fidelity is defined as the probability to measure Alice’s bit choice. This equals the quantum fidelity
$$F({\rho }_{A},{\rho }_{B})={\left({\text{Tr}}\sqrt{\sqrt{{\rho }_{A}}{\rho }_{B}\sqrt{{\rho }_{A}}}\right)}^{2}$$
(1)
where ρA is Alice’s density matrix and ρB represents Bob’s density matrix after Eve’s attack and before his measurement basis choice.
Since only cases with matching bases are sifted, we restrict our analysis to cases where Alice and Bob have chosen the same basis. As the four different configurations \(| 0\left.\right\rangle ,| 1\left.\right\rangle ,| +\left.\right\rangle ,| -\left.\right\rangle\) are equally likely to happen, we define FAB(Θ, Λ) as the average fidelity over the four possible cases. The average error rate observed by Alice and Bob can then be written ε = 1 − FAB. Similarly, we define Eve’s fidelity as FAE(Θ, Λ).
These values define the properties of the attack and can be optimized with QCL using the unitaries U(Θ) and V(Λ) as parametrized quantum circuits. To do so, we define an appropriate loss \({\mathcal{L}}(\Theta ,\Lambda )\) as a function of Bob and Eve’s fidelities. We minimize it with gradient-based methods over a fixed number of steps by optimizing the weights of the parametrized unitaries. We choose a circuit ansatz such as in Fig. 2 for U(Θ) and V(Λ) consisting of alternating layers of single-qubit rotations and entangling CNOT gates arranged in a ring topology. Each single qubit gate carries a trainable parameter. This architecture is referred to as Hardware-Efficient Ansatz (HEA)18,19. It is used in many QML applications20. We use a two-qubit HEA in all examples presented in this paper. Since the HEA for two qubits can implement any two-qubit unitary (if several layers are used), our ansatz is general enough to find the optimal two-qubit attacks.
Each single-qubit rotation is associated with a trainable parameter. The example is shown for two qubits (a) and three qubits (b).
Optimal individual attacks on BB84
The security of prepare-and-measure QKD protocols like BB84 rests on the no-cloning theorem21,22,23. It implies that even optimal attacks can only make approximate copies (clones) of the quantum states used in such protocols. The quantum circuits which produce such clones are called cloning machines. For a review of quantum cloning see ref. 24. Optimal clones of states that are restricted to a circle on the Bloch sphere are produced by Phase Covariant Cloning Machines (PCCMs). In the case of an error-free transmission channel, the optimal individual attack on BB84 is given by PCCMs15. A quantum circuit for implementing the PCCM is shown in Fig. 3. The fidelities for Bob and Eve are functions of a single rotation angle θ:
$${F}_{AB}=\frac{1+\cos \theta /2}{2}$$
(2)
$${F}_{AE}=\frac{1+\sin \theta /2}{2}$$
(3)
The symmetric case FAB = FAE ≈ 0.853 is given by θ = π/2.
The additional H gate is delayed by Eve until the basis reveal happens and only applied if Alice and Bob have used the X-basis.
This optimal individual attack is easily reproduced using QCL. With a single ancillary qubit for Eve, we implement U(Θ) with two layers of the circuit shown in Fig. 2 resulting in a total of 12 parametrized rotations and 2 entangling CNOT gates. For V(Λ) we use only 3 parametrized rotations and two sets of weights, one for when Alice and Bob used the Z-basis, the other for the X-basis. This brings the total of trainable parameters in the circuit to 18. For the optimization of the attack we use the following loss function:
$${\mathcal{L}}(\Theta ,\Lambda )=\alpha {\left({F}_{AB}(\Theta ,\Lambda )-f\right)}^{2}-{F}_{AE}(\Theta ,\Lambda )$$
(4)
where α is a weighting parameter and f is the target value for FAB(Θ, Λ). With the first term we can force the optimization to target a specific fidelity for Bob while the second term is used to maximize Eve’s fidelity.
Algorithm 1: QKD attack optimization with QCL
Parameters: f target fidelity for Bob, α weighting parameter
Initialize weights Θ, Λ from a normal distribution
for step = 1, …, nsteps do
Simulate density matrices {ρ(x, bA = bB, Θ, Λ)} ⊳One density matrix per combination of transmitted state and chosen basis (4 in total)
Compute average fidelities FAB and FAE
Compute loss function \({\mathcal{L}}(\Theta ,\Lambda )=\alpha {\left({F}_{AB}-f\right)}^{2}-{F}_{AE}\)
Compute gradients \({\nabla }_{\Theta }{\mathcal{L}}(\Theta ,\Lambda )\) and \({\nabla }_{\Theta }{\mathcal{L}}(\Theta ,\Lambda )\) using the parameter-shift rule
Update Θ and Λ with the chosen optimizer
end for
For each choice of hyperparameters α and f, a gradient descent optimization is conducted on the parameters of the circuit ansatz according to algorithm 1. We use the Adam optimizer25 to minimize the loss function \({\mathcal{L}}\) over 100 iterations with a learning rate of 0.1. For the target fidelity we used random values in [0.5, 1] and the weight α was heuristically set to 10. For the simulation of the circuit and for the optimization we use a simulator for mixed-states from the Pennylane framework26.
The results are shown in Fig. 4. We performed 8 training rounds, each one for a different target fidelity f for Bob. For each round, we display the intermediate results during the training phase in light colors, while the final result of the training is dark. We conclude that QCL converges to the same fidelities as the PCCM thus resulting in an optimal individual attack on BB84 with little effort.
The blue line represents the fidelities of a PCCM with different rotation angles θ. We conducted 8 QCL rounds with varying target fidelities for Bob. Optimization results are marked by diamonds, colored according to the training step.
QCL attacks on BB84 with noisy quantum channels
We now assume the presence of noise in the quantum channel which is not caused by Eve. The noise can occur between Alice and Eve or Eve and Bob. It can be caused by environmental factors or have directly been introduced by Alice and Bob to increase the robustness of BB84 against attacks27. We assume that Eve was not able to eliminate the noise. For this analysis, we choose different error models that are readily available in the Pennylane framework like bit- or phase-flip errors, amplitude- or phase-damping errors. We consider different error strengths.
For each scenario, we conduct 25 different QCL training rounds utilizing identical ansätze, loss functions and parameters as detailed previously. As an example, we present details of a scenario where a bit-flip error has a 25% chance of occurring prior to Eve’s attack. The results of the QCL optimization are compared to the fidelities obtained with the PCCM in that scenario in Fig. 5. The final step of the optimization is displayed and marked by a diamond symbol.
The cloning performance is different for the two bases of the BB84 protocol.
Considering the average fidelity over both possible bases of the BB84 protocol, we observe that QCL generally slightly outperforms the PCCM. Note that bit-flip errors affect the two bases of the BB84 protocol differently. While inducing flips from \(| 0\left.\right\rangle\) to \(| 1\left.\right\rangle\) and from \(| 1\left.\right\rangle\) to \(| 0\left.\right\rangle\), it does not alter the states of the X-basis up to a phase factor that does not affect Bob’s measurement. QCL is able to beat the PCCM by sacrificing fidelity in the Z-basis for an increased fidelity in the unaffected X-basis.
The found solution is an example of what we refer to as imbalanced cloner, because the cloning fidelity depends on the basis. Note that the imbalanced cloner will perform worse than a PCCM in the absence of noise.
For more general error models, we found that when the errors affect the two bases of the BB84 protocol differently, a QCL ansatz beats the PCCM which therefore is not the optimal individual attack anymore.
We will now further investigate how the QCL solution is able to beat the PCCM in such scenarios. For notational convenience, we define the centered fidelity CAB,Z ≔ 2FAB,Z − 1, where FAB,Z denotes the average fidelity of Bob when Alice uses the Z-basis (eq. (1)). We characterize the effects of noise using parameters α, β, γ, δ ∈ [0, 1] such that the centered fidelity between Alice and Bob in the Z-basis CAB,Z becomes \({\tilde{C}}_{AB,Z}=\alpha {C}_{AB,Z}\), while simultaneously:
$${C}_{AE,Z}\to {\tilde{C}}_{AE,Z}=\gamma \,{C}_{AE,Z}$$
(5)
$${C}_{AB,X}\to {\tilde{C}}_{AB,X}=\beta \,{C}_{AB,X}$$
(6)
$${C}_{AE,X}\to {\tilde{C}}_{AE,X}=\delta \,{C}_{AE,X}$$
(7)
After verifying that increasing the size of the HEA described in the previous sections to more qubits and more layers does not further improve the performance of the QCL solution, we tried to simplify the quantum circuit as much as possible. We removed quantum gates that did not improve the performance, and we reduced the number of qubits. The result of those efforts is the much simpler circuit for the imbalanced cloner in Fig. 6. This cloner has two parameters ψ and ϕ and using equation (1), we can calculate the centered fidelities \({C}_{AB,Z}=\sin \psi\), \({C}_{AB,X}=\cos \phi\), \({C}_{AE,Z}=-\sin \phi\) and \({C}_{AE,X}=\cos \psi\). This circuit outperforms the PCCM when αγ ≠ βδ. The RX(3π/2) gate is only applied if Alice and Bob have used the X-basis.
Quantum circuit for the imbalanced cloner with two parameters ψ and ϕ.
As opposed to the PPCM, which has only one free parameter, the imbalanced cloner has two free parameters, ψ and ϕ. This enables it to adapt to two degrees of freedom: the fidelity between Alice and Bob and the particular error model at at hand. Given a fixed value of ψ, we determine the optimal choice for ϕ as a function of the noise characteristics α, β, γ, δ. To maximize \({\tilde{C}}_{AB}=\frac{1}{2}({\tilde{C}}_{AB,Z}+{\tilde{C}}_{AB,X})\) and \({\tilde{C}}_{AE}=\frac{1}{2}({\tilde{C}}_{AE,Z}+{\tilde{C}}_{AE,X})\), we solve for a vanishing determinant of the Jacobian:
$$\det \left| \begin{array}{cc}\frac{\partial {\tilde{C}}_{AB}}{\partial \psi }&\frac{\partial {\tilde{C}}_{AB}}{\partial \phi }\\ \frac{\partial {\tilde{C}}_{AE}}{\partial \psi }&\frac{\partial {\tilde{C}}_{AE}}{\partial \phi }\end{array}\right| =\frac{1}{4}\det \left| \begin{array}{cc}\alpha \cos \psi &-\beta \sin \phi \\ -\delta \sin \psi &-\gamma \cos \phi \end{array}\right|$$
(8)
This yields the relationship:
$$\phi =-\arctan \left(\frac{\alpha \gamma }{\beta \delta }\cdot \frac{\cos \psi }{\sin \psi }\right)$$
(9)
Using this result, one can find out the maximal value of \({\tilde{C}}_{AE,Z}\) (resp. \({\tilde{C}}_{AE,X}\)) as a function of \({\tilde{C}}_{AB,Z}\) (resp. \({\tilde{C}}_{AB,X}\)).
$${\tilde{C}}_{AE,Z}=\frac{\gamma }{\sqrt{1+{\left(\frac{\beta \delta }{\alpha \gamma }\right)}^{2}\frac{{\tilde{C}}_{AB,Z}^{2}}{{\alpha }^{2}-{\tilde{C}}_{AB,Z}^{2}}}}$$
(10)
$${\tilde{C}}_{AE,X}=\frac{\delta }{\sqrt{1+{\left(\frac{\alpha \gamma }{\beta \delta }\right)}^{2}\frac{{\tilde{C}}_{AB,X}^{2}}{{\beta }^{2}-{\tilde{C}}_{AB,X}^{2}}}}$$
(11)
Note that when α = β and γ = δ, one obtains the equations of the PCCM and a quantum circuit equivalent to that of the PCCM in Fig. 3. The imbalanced cloner circuit in Fig. 6 can thus be understood as a generalization of the PCCM with a new degree of freedom that allows the cloner to adapt to the imbalance between the two BB84 bases.
Collective attacks on BB84
For an eavesdropper, individual attacks on BB84 are not optimal17,27 and so we make a simple ansatz for a stronger attack as follows: Eve uses a PCCM on each qubit that Alice sends to Bob and stores her approximate copies in her quantum memory. Following the transmission, Eve performs a measurement on the whole register. This type of attack is referred to as collective. The classical information exchanged by Alice and Bob during error reconciliation can be used by Eve for optimizing the measurement. Here, we consider an example were the Cascade protocol is used9. The Cascade algorithm works by exchanging parities of blocks of the raw key in order to detect and correct errors in it.
What follows can be viewed as one of two scenarios: In the first scenario, we consider a toy model, in which Alice and Bob use BB84 to generate a key with a length of just 2 bits. In this case, the Cascade algorithm collapses to the transmission of a single bit of parity information about that pair. If the parity does not match between Alice and Bob, Cascade would reveal the full key in this example, and the key therefore is abandoned. In the second scenario, Alice and Bob generate a much longer key, and Eve uses the parity information generated by Cascade to identify pairs and larger tuples of key bits, for each of which Eve tries to use the parity extracted from Cascade to perform the optimal measurement. Our example here is restricted to the parities of pairs of bits. For larger tuples Eve could either drop the extra information (which is the worst choice, of course), use a pretty good measurement28, or use QCL to learn the best possible attack, just like in our two qubit example here.
The construction of the collective attack (or part of the collective attack, see above) reduces to the following problem: Eve has two PCCM copies of two BB84 states that Alice sent and she knows the parity of those states. What is the optimal measurement for Eve to distinguish either 00 from 11 in the case of even parity or 01 from 10 in the case of odd parity? As an example, we investigate the case where the average fidelity FAB that Alice and Bob measure for their channel is 0.892. This number is chosen such that the widely known lower bound for the Quantum Bit Error Rate (QBER) of 11% is realized.
Given the values a0a1 of the two bits Alice sent, the values b0b1 that Bob measured and the values e0e1 that Eve obtained from her attack, we define the success probability PE for Eve by \({P}_{E}=\frac{P({a}_{0}{a}_{1}={b}_{0}{b}_{1}={e}_{0}{e}_{1})}{P({a}_{0}{a}_{1}={b}_{0}{b}_{1})}\). Events where a0a1 ≠ b0b1 are excluded from the statistics. We assume that only Bob uses the key for encryption, so Eve will only benefit from cloning the transmission successfully if Bob’s bit values also agree with Alice’s. We begin by examining individual attacks on the two-qubit setup. Eve can achieve the optimal result by measuring only the first qubit, and deducing the value of the second qubit using the parity. According to equations (2) and (3), Eve measures the qubit with a fidelity of FAE ≈ 0.810, which then also is the probability for getting both bits correct.
To try and beat the result from the individual attack, we again use QCL to optimize Eve’s attack. We take one intermediate step: we simplify the output of Eve’s two PCCMs which she has in her quantum memory. Eve knows the basis of the states Alice sent and applies the following operations on each of her approximate copies:
Then, regardless of the basis Alice chose for the transmission, Eve’s approximate copies of “0″ or “1″ sent by Alice are the density matrices ρ0 or ρ1, given by
$${\rho }_{0}=\left(\begin{array}{cc}0.810&0.392\\ 0.392&0.190\end{array}\right)\quad {\rm{and}}\quad {\rho }_{1}=\left(\begin{array}{cc}0.190&0.392\\ 0.392&0.810\end{array}\right)$$
Note that these density matrices are not obtained from the PCCM system by tracing out Bob. Rather, they describe the system that Eve obtains when Bob has correctly measured the state that Alice prepared.
Now Eve uses an HEA for V(Λ) with two qubits (i.e., there are no ancillary qubits) and two layers for a total of 12 parametrized rotations and two entangling CNOT gates. We use two distinct sets of weights depending on the parity transmitted by Alice, leading to a total of 24 trainable parameters. This setup is shown in Fig. 7. Since Eve wants to distinguish two states for a given parity, she only measures one of her two qubits, without loss of generality, the first one. In a case where the parity is 0, a measurement result of 0 indicates 00 as the state Alice sent, while measuring 1 indicates 11, and similarly for the case where the parity is 1. The loss function is then given by the (negative) success probability \(-{P}_{E}=-\frac{P({a}_{0}{a}_{1}={b}_{0}{b}_{1}={e}_{0}{e}_{1})}{P({a}_{0}{a}_{1}={b}_{0}{b}_{1})}\), which we obtain from Eve’s density matrix in the simulation. As in the earlier examples, the training is done with 100 iterations of the Adam optimizer and a learning rate of 0.1. We find that the resulting, optimized circuit obtains the correct result for both bits in 89.4% of the cases. As expected, this is significantly better than the 81.0% Eve can obtain from the individual attack.
Eve uses a PCCM attack with the same angle θ on both qubits. She then delays another unitary V that depends on the bases that were used by Alice and Bob as well as the parity information.
Finally, we compare this to the optimal solution for distinguishing Eve’s two quantum states, which is known to be given by the Helstrom measurement29. A brief calculation yields
$$0.5+0.5\,{\parallel 0.5{\rho }_{0}\otimes {\rho }_{0}-0.5{\rho }_{1}\otimes {\rho }_{1}\parallel }_{1}=89.4 \%$$
(12)
as the optimal success rate for Eve to distinguish the states 00 and 11. The same result holds for odd parity, that is 10 and 01. Note that the norm ∥ ⋅ ∥1 is the trace norm, with \({\parallel M\parallel }_{1}=\,{\text{Tr}}\,\sqrt{{M}{*}M}\).
So again, our approach for constructing Eve’s attack with the HEA and QCL gave the optimal result.
