Unconditionally secure relativistic quantum key distribution protocol
Quantum key distribution (QKD), which relies on telltale properties of quantum states to detect eavesdroppers, is the most reliable way of achieving unconditional security in cryptographic communication. Over time, a variety of QKD schemes have been proposed. None of these permit any more than 50% of the quantum bits (qubits) transmitted to be used for key generation (encoding and decoding), which makes the process less efficient. Moreover, the sender (conventionally designated Alice) can choose from only two sets of bases, which limits her choice of operating rules, or protocol. We have devised a relativistic QKD protocol that extends the original concept through the use of synchronously delayed classical signals.1
Our new approach is a kind of modified BB84 (generic) protocol whose security is based not only on quantum mechanics but also the special theory of relativity. Special relativity supposes that the velocity of light in a vacuum is the maximum velocity possible for any signal. Consequently, the classical signals in a vacuum and the quantum signals in fiber have different velocities. That means we can send the two types of signals at different times such that the quantum signals are always in front of the classical ones, and eavesdropping can be detected. Relativistic QKD offers two additional innovations. First, in the ideal case, all of the qubits transmitted can be used for key generation. Second, Alice and Bob (the receiver) may choose any bases they like while executing the protocol.
Here, we present a proof of the unconditional security of our system against coherent (strong) attack using CSS (for Calderban-Shor-Steane) codes.5 We begin by constructing an entanglement-based relativistic QKD system, which helps Alice and Bob—who, again by convention, are each situated in a laboratory—to share information. Under the assumption that the speed of light in a vacuum is the maximum speed of the signal, the corresponding protocol proceeds as follows.
Alice chooses a sequence of coding bases of length n to encode a string of EPR (i.e., entangled) pairs. At time t=0, she sends the second half of the encoded EPR pairs to Bob through a quantum channel. Alice publicly announces her coding bases at time t=τ, where τ is the time delay of a classical signal compared with its quantum counterpart. To assure that Bob receives the classical signals (i.e., random numbers of 0 or 1) in advance of the quantum bits, it is crucial that the following requirement be satisfied:
where ng is the fiber refractive index, l is the optical fiber length from the edge of Alice's laboratory to Bob's, lb is the length of fiber in Bob's laboratory, and d is the transmission distance of the classical signal before being received by Bob.
Bob chooses the correct measuring bases according to the classical information he received, and measures the received photons immediately. Alice chooses some bits randomly, and shares them with Bob. If too many of these bits disagree, they abort the protocol. Alice and Bob employ the residual bits as the raw key, and use classical post-processing to obtain the final secret key.
The proof of the security of this QKD system is similar to that published elsewhere.1 For any security parameters s>0 and l>0 chosen by Alice and Bob, and for any eavesdropping strategy, the success probability of the scheme is at least 1−O[2(−s)], where O is the asymptotic upper bound. Moreover, the information obtained by the eavesdropper even if she manages to crack the final key is no more than 2(−l). The key string is also essentially random.
Our final objective is to show the equivalence between the modified entanglement-based protocol (whose unconditional security can be proved) and the relativistic QKD protocol. But we cannot do it directly. Consequently, we first reduce the modified EPR-based protocol to a CSS-code-based protocol, which we then show to be equivalent to the relativistic QKD protocol. In other words, if Alice measures the check bits (the ones she chooses randomly) before sending them to Bob, that is equivalent to initially selecting an n-bit string of check bits. That is, it starts to look like a CSS-code-based protocol. Similarly, if Alice first measures the syndrome x (error positions) for bit flips (i.e., 1 becomes 0, and 0 becomes 1) and z for phase flips, it is equivalent to selecting a CSS code Qx ; z before sending Bob the quantum bits. Qx ; z is determined by two binary codes C1 and C2, and that the corresponding codeword is: 
where 
and 
.
However, in this protocol, Bob does not need z, as he only cares about the bit values of encoded keys, whereas z is used to correct the phase flips of the encoded bits. Consequently, Alice only needs to select 
, then send a mixed state of jx+w+k ′ > through the quantum channel, and finally deliver the classical information x to Bob. On the other end of the channel, Bob receives 
and subtracts x. After error correction, he will obtain w+k ′ , and he knows that the final key is the coset of C2 in C1 where k ′ is the coset leader (i.e., the common error word for the coset). In this way, the modified CSS-code protocol is reduced to the relativistic QKD protocol.
In summary, we have described a relativistic QKD protocol whose advantage compared with BB84, the existing benchmark, is that all of the qubits can be used for key generation. In addition, Alice and Bob are able to select whatever measuring base they like. We began with a modified EPR-type protocol that can be proved unconditionally secure, reduced it to a CSS-code-based protocol, which in turn we showed to be equivalent to the relativistic QKD protocol. As a next step, we plan to apply the idea of classical signal delay in the relativistic QKD protocol to realize efficient QKD in free space (i.e., a vacuum or air).
