
Side-channel-free quantum key distribution.

Samuel L. Braunstein, +1 more
- 30 Mar 2012 - 
- Vol. 108, Iss: 13, pp 130502
TLDR
All real channels are replaced with virtual channels in a QKD protocol, making the relevant detectors and settings inside private spaces inaccessible while simultaneously acting as a Hilbert space filter to eliminate side-channel attacks.
Abstract
Quantum key distribution (QKD) offers the promise of absolutely secure communications. However, proofs of absolute security often assume perfect implementation from theory to experiment. Thus, existing systems may be prone to insidious side-channel attacks that rely on flaws in experimental implementation. Here we replace all real channels with virtual channels in a QKD protocol, making the relevant detectors and settings inside private spaces inaccessible while simultaneously acting as a Hilbert space filter to eliminate side-channel attacks. By using a quantum memory we find that we are able to bound the secret-key rate below by the entanglement-distillation rate computed over the distributed states.


This is a repository copy of Side-Channel-Free Quantum Key Distribution.
White Rose Research Online URL for this paper:
https://eprints.whiterose.ac.uk/75301/
Version: Published Version
Article:
Braunstein, Sam orcid.org/0000-0003-4790-136X and Pirandola, Stefano orcid.org/0000-0001-6165-5615 (2012) Side-Channel-Free Quantum Key Distribution. Physical Review Letters. 130502. ISSN 1079-7114
https://doi.org/10.1103/PhysRevLett.108.130502

Supplementary Material for:
Side-channel free quantum key distribution
by Samuel L. Braunstein and Stefano Pirandola
IN DEFENSE OF PRIVATE SPACES
In quantum cryptography unconditional security proofs are derived under the assumption that Alice’s and Bob’s apparata (private spaces) are completely inaccessible by an eavesdropper who, therefore, can only attack the signal systems which are transmitted through the quantum communication channel connecting the two parties. Under this assumption, secret-key rates and security thresholds are derived in both discrete and continuous variable quantum key distribution.

One potential loophole in the security proofs is related to how a theoretical protocol is actually implemented experimentally. Any redundant information encoded in extra degrees of freedom or extra Hilbert space dimensions outside the theoretical prescription can allow for so-called side-channel attacks. By their nature, such attacks may be of classical or quantum degrees of freedom and are insidious because even quantifying their threat appears to involve understanding what have been called unknown unknowns about the vulnerability of the experimental set-up.

Progress has been made on eliminating side channel attacks in the quantum communication channels between private spaces, but this leaves open potential attacks on the private spaces through their quantum communication ports. Let us therefore take a step back and consider private spaces in more detail: What goes on in Alice’s and Bob’s private spaces involves a significant amount of classical information processing; at the very least the key itself will be generated and stored as classical information. Now with virtually any technology we have today classical information is stored, processed and transmitted in a highly redundant fashion (many electrons are used to charge a capacitor to represent a bit value, or many electrons must pass through the base junction of a transistor to effect a logical switching operation, tapping on a keyboard produces sound waves and electromagnetic signals in addition to the ‘legitimate’ electrical signals in the wires, etc). In principle any of this redundant information may leak out of the private space through a “parasite” channel. An eavesdropper might therefore ignore the quantum communication channel and directly attack Alice’s and Bob’s apparata by exploiting the presence of parasite channels: this is also a “side-channel attack”.

The implicit assumption in quantum cryptography is that we could always improve technology in such a way that Alice’s and Bob’s private spaces are not affected by the presence of parasite channels, so that the legitimate participants do indeed have access to absolutely private spaces. (For instance, Alice and Bob could simulate the classical information processing on a quantum computer. A hacked operating system on such a machine could be tested for by randomly running subroutines that confirm that coherence is preserved and that no information is copied out to where it can be stored or transmitted by a trojan program; see also Ref. [1].)

However, even if you rely on a perfect isolation technology, there remains a potential chink in this armor, which is the quantum communication port used either to transmit a quantum state out of your private space or to accept a quantum state for detection into it.

If you open a communication port for quantum states to enter or leave you must explicitly deal with side channels which can be probing these links to your private space. Eve can potentially send trojan systems through Alice’s and Bob’s communication ports and detect their reflection to infer both state preparation and measurement settings. As an example, in the standard BB84 protocol, Eve can irradiate Alice’s apparatus by using optical modes at slightly different frequencies. Then, from reflection, Eve can infer the polarization chosen in each round of the protocol. Thanks to this information, Eve can measure each signal system in the correct basis. Another example regards the so-called plug-and-play systems, where trojan systems can be reflected together with signal systems, as discussed in Ref. [2].

Our paper shows how to overcome the problem of the open quantum communication ports, therefore making feasible the notion of absolutely private spaces. Note that this problem is not addressed by current device-independent quantum cryptography, where such attacks on the private space ports are simply considered illegitimate as they violate the strong private space assumption.

The key point of our scheme is that detectors are no longer “in line” with the quantum communication port of the private space. For this reason, it is not possible for an external party to probe the port and obtain detector settings or readouts from the processing of parasite systems. In order to explain this key feature in detail, we analyze the problem of the quantum communication ports by comparing standard protocols with our scheme.

In Fig. 1, we depict a general prepare-and-measure protocol, where Alice’s variable $X$ is encoded in a quantum state $\rho(X)$ by modulation. Bob’s variable $Y$ is the output of a quantum measurement. Here, Eve can attack the quantum communication ports by using two trojan systems $e$ and $f$. By means of $e$, Eve can retrieve information about the state preparation $X \to \rho(X)$. By means of $f$, she can retrieve information about the measurement apparatus of Bob and, therefore, about $Y$.

FIG. 1: Port attack in a prepare and measure protocol.

In Fig. 2, we depict a general entanglement-based protocol, where an untrusted party (Eve) distributes entanglement between two parties. This is done by distributing an entangled state $\rho = \rho_{AB}$, where system $A$ is sent to Alice and system $B$ is sent to Bob. Alice and Bob can perform entanglement distillation and measure the output distilled systems to derive two correlated classical variables, $X$ and $Y$, respectively. In this scenario, Eve can decide not to attack the source $\rho$ but directly the two quantum communication ports of Alice and Bob. Eve can probe these ports by using two trojan systems $e$ and $f$, which can retrieve information about Alice’s and Bob’s distilling and detecting apparata. As a result, Eve can infer information about $X$ and $Y$.

FIG. 2: Port attack in an entanglement-based protocol.

In Fig. 3, we depict our protocol where an untrusted party (Eve) represents an entanglement swapper between Alice and Bob. This is generally done by measuring two public systems, $A'$ and $B'$, received from Alice and Bob, processing the outcome of the measurement, and classically communicating the processed data back to Alice and Bob. As a result the two private systems, $A$ and $B$, become correlated, so that Alice and Bob can extract two correlated classical variables, $X$ and $Y$, by applying suitable measurements. In particular, if Alice and Bob can access quantum memories, then they can extract a secret key at a rate which is at least equal to the coherent information between $A$ and $B$. Eve can attempt a side-channel attack against the two ports by sending two trojan systems $e$ and $f$. In this case, however, the apparata which detect the two private systems $A$ and $B$ are inaccessible to Eve. By exploiting reflections from the ports, Eve can only retrieve information regarding the reduced states $\rho_{A'}$ and $\rho_{B'}$ of the two public systems $A'$ and $B'$. However, these reduced states contain no useful information about the private system $A$ or $B$ or Alice’s or Bob’s detector settings or outputs.

FIG. 3: Port attack in our scheme.

To understand better how the full isolation of the private systems might be achieved, we may consider the procedure depicted in Fig. 4. It is explained for Alice’s private space, but steps are identical for Bob.

FIG. 4: Possible procedure for the full isolation of the private systems.

In the first step (a), Alice’s port is closed and she prepares an entangled state $\rho = \rho_{AA'}$ where system $A$ is directed towards a quantum memory (QM), while system $A'$ is directed towards a delay line (DL). In step (b), once system $A$ is stored in the memory and while system $A'$ is trapped in the delay line, a shutter is used to fully separate the delay line from the rest of Alice’s apparatus. Note that a virtual channel between $A$ and $A'$ has been created. In step (c), Alice’s quantum communication port is opened and system $A'$ is transmitted to Eve. During this stage, trojan systems may enter the port but no detector is in line with the port. In step (d), the port is closed with the private system $A$ kept in the memory. The previous steps (a)-(d) are repeated many times, so that Alice collects many private systems in her quantum memory. We therefore reach step (e) of the figure. Finally, once Alice has received all the classical communications, she applies a collective quantum measurement on her quantum memory to retrieve the classical variable $X$. This measurement can include or be anticipated by an entanglement distillation.
NOTATION AND BASIC FORMULAS
In part of the derivation we adopt the enlarged Hilbert space (EHS) representation, where stochastic classical variables are embedded in quantum systems. Consider a stochastic variable $X = \{x, p(x)\}$ which is encoded into an ensemble of states of some quantum system $A$, i.e.,

$$\mathcal{E}_A = \{p(x), \rho_A(x)\}. \tag{1}$$

This ensemble may be equivalently represented by the classical-quantum (CQ) state

$$\rho_{XA} = \sum_x p(x)\, |x\rangle\langle x|_X \otimes \rho_A(x), \tag{2}$$

where the stochastic variable $X$ is embedded into the dummy quantum system $X$, by using an orthonormal basis $\{|x\rangle\}$ in the Hilbert space $\mathcal{H}_X$ of $X$. We denote by $\rho_A(x)$ the state of a system $A$ which is conditioned by the value $x$ of a stochastic variable $X$. The notation $\rho_{A|X}$ refers to the conditional state $\rho_A(x)$ where $x$ is not specified. Clearly, we have

$$\rho_A = \sum_x p(x)\, \rho_A(x). \tag{3}$$

Given a quantum system $A$ in a state $\rho_A$, its von Neumann entropy $S(\rho_A)$ is also denoted by $H(A)$. Given a quantum system $X$, embedding the stochastic variable $X$, its quantum entropy $H(X)$ is just the Shannon entropy $H(X)$. Given two quantum systems, $A$ and $B$, we denote by $I(A:B)$ their quantum mutual information. This is defined by

$$I(A:B) = H(B) - H(B|A), \tag{4}$$

where

$$H(B|A) = H(AB) - H(A) \tag{5}$$

is the conditional quantum entropy. Note that $H(B|A)$ can be negative and it is related to the coherent information by the relation

$$I(A\rangle B) = -H(B|A). \tag{6}$$

For $A = X$, the quantum mutual information $I(A:X)$, which is computed over the CQ-state of Eq. (2), corresponds to the Holevo information $I(A:X)$, computed over the ensemble of Eq. (1). For $A = X$ and $B = Y$, embedding two stochastic variables $X$ and $Y$, $I(X:Y)$ is just the classical mutual information $I(X:Y)$. For three quantum systems $A$, $B$, and $C$, we can consider the conditional quantum mutual information

$$I(A:B|C) = H(AC) + H(BC) - H(ABC) - H(C), \tag{7}$$

which is $\ge 0$ as a consequence of the strong subadditivity of the von Neumann entropy. For a classically correlated system $C = X$, we have a probabilistic average over mutual informations, i.e.,

$$I(A:B|X) = I(A:B|X) \equiv \sum_x p(x)\, I(A:B|X=x). \tag{8}$$

List of other useful elements:

• Given a tripartite quantum system $ABC$, we can use the “chain rule”

$$I(A:BC) = I(A:B) + I(A:C|B). \tag{9}$$

• Invariance of the Holevo information under addition of classical channels, i.e., for a classical channel

$$p(y|x) : X \to Y, \tag{10}$$

we have

$$I(A:X) = I(A:XY). \tag{11}$$

• Given a Markov chain $X \to Y \to Z$, the classical mutual information decreases under conditioning [3], i.e.,

$$I(X:Y|Z) \le I(X:Y). \tag{12}$$

Notice that, for three general stochastic variables, we have $I(X:Y|Z) \gtrless I(X:Y)$, so that the so-called “interaction information”

$$I(X:Y:Z) \equiv I(X:Y|Z) - I(X:Y) \tag{13}$$

can be positive, negative or zero.

• Data processing inequality. For a Markov chain $X \to Y \to Z$, we have

$$H(X) \ge I(X:Y) \ge I(X:Z). \tag{14}$$

FIG. 5: Purification. Conditional state $\Phi_{ABE\tilde{E}|L'}$ projected onto $\Phi_{BE\tilde{E}|XL'}$.
PROOF OF THE THEOREM
Let us purify the mixed state $\rho_{ABE|L'}$ into the pure state $\Phi_{ABE\tilde{E}|L'} = |\Phi\rangle\langle\Phi|_{ABE\tilde{E}|L'}$ by introducing an ancillary system $\tilde{E}$ which is assumed to be in Eve’s hands (so that Eve’s global system consists of $E\tilde{E}$). This scenario is depicted in Fig. 5.

Thus, for the total state $\rho_{ABE|L'}$, we have

$$\rho_{ABE}(l') = \mathrm{Tr}_{\tilde{E}}\left[\Phi_{ABE\tilde{E}}(l')\right]. \tag{15}$$
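
For the conditional state $\rho_{BE|XL'}$, generated by the measurement, we can write

$$\begin{aligned}
\rho_{BE}(x,l') &= \frac{1}{p(x|l')}\,\mathrm{Tr}_A\left[\hat{A}(x)\,\rho_{ABE}(l')\,\hat{A}(x)\right] \\
&= \frac{1}{p(x|l')}\,\mathrm{Tr}_{A\tilde{E}}\left[\hat{A}(x)\,\Phi_{ABE\tilde{E}}(l')\,\hat{A}(x)\right] \\
&= \mathrm{Tr}_{\tilde{E}}\left[\Phi_{BE\tilde{E}}(x,l')\right],
\end{aligned} \tag{16}$$

where

$$\Phi_{BE\tilde{E}}(x,l') \equiv \frac{1}{p(x|l')}\,\mathrm{Tr}_A\left[\hat{A}(x)\,\Phi_{ABE\tilde{E}}(l')\,\hat{A}(x)\right] \tag{17}$$

represents the conditional state $\Phi_{BE\tilde{E}|XL'}$ which is generated by the measurement in the purified scenario. Clearly if we discard $X$, we get the reduced state

$$\Phi_{BE\tilde{E}|L'} \equiv \left\langle \Phi_{BE\tilde{E}|XL'} \right\rangle_X = \mathrm{Tr}_A\left[\Phi_{ABE\tilde{E}|L'}\right]. \tag{18}$$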

Because of Eq. (16), the conditional state $\Phi_{BE\tilde{E}|XL'}$ can be used to compute $R'$ via

$$\begin{aligned}
R' &\equiv I(X:B|L')_\rho - I(X:E|L')_\rho \\
&= I(X:B|L')_\Phi - I(X:E|L')_\Phi,
\end{aligned} \tag{19}$$

where $\rho = \rho_{BE|XL'}$ and $\Phi = \Phi_{BE\tilde{E}|XL'}$ (the computation is exactly the same up to a trace over $\tilde{E}$). In the EHS representation, the conditional state $\Phi_{BE\tilde{E}|XL'}$ becomes

$$\Psi_{XL'BE\tilde{E}} = \sum_{x,l'} p(x,l')\, |x\rangle\langle x|_X \otimes |l'\rangle\langle l'|_{L'} \otimes \Phi_{BE\tilde{E}}(x,l'). \tag{20}$$

Thus, we can also set

$$R' = I(X:B|L')_\Psi - I(X:E|L')_\Psi, \tag{21}$$

where $\Psi = \Psi_{XL'BE\tilde{E}}$. From the chain rule we have

$$\begin{aligned}
I(X:E\tilde{E}|L')_\Psi &= I(X:E|L')_\Psi + I(X:\tilde{E}|EL')_\Psi \\
&= I(X:E|L')_\Psi + \gamma,
\end{aligned} \tag{22}$$

where $\gamma \equiv I(X:\tilde{E}|EL')_\Psi \ge 0$ is the information contribution due to the purification [4]. In other words, the (conditional) Holevo information can only increase with the purification, i.e.,

$$I(X:E\tilde{E}|L') = I(X:E|L') + \gamma \ge I(X:E|L'). \tag{23}$$

As a consequence, we have $R' = R'' + \gamma$, where

$$R'' \equiv I(X:B|L')_\Phi - I(X:E\tilde{E}|L')_\Phi. \tag{24}$$

In terms of conditional entropies, we have

$$R'' = H(B|L')_\Phi - H(B|XL')_\Phi - \left[H(E\tilde{E}|L')_\Phi - H(E\tilde{E}|XL')_\Phi\right]. \tag{25}$$

Here $H(E\tilde{E}|L')$ is computed over $\Phi = \Phi_{BE\tilde{E}|XL'}$ discarding $X$ and $B$, i.e., over the reduced state

$$\Phi_{E\tilde{E}|L'} = \mathrm{Tr}_{AB}\left[\Phi_{ABE\tilde{E}|L'}\right]. \tag{26}$$

Now since $\Phi_{ABE\tilde{E}|L'}$ is pure, we have $H(E\tilde{E}|L') = H(AB|L')$, where $H(AB|L')$ can be computed over $\rho_{AB|L'} = \mathrm{Tr}_{E\tilde{E}}[\Phi_{ABE\tilde{E}|L'}]$. Clearly, also $H(B|L')_\Phi$ can be computed over $\rho_{AB|L'}$. As a consequence we can recognize in Eq. (25) the conditional coherent information

$$I(A\rangle B|L') = H(B|L') - H(AB|L'),$$

associated with Alice and Bob’s conditional state $\rho_{AB|L'}$. Thus, we can set

$$R'' = I(A\rangle B|L') + \left[H(E\tilde{E}|XL')_\Phi - H(B|XL')_\Phi\right]. \tag{27}$$

Here, we can assume that Alice’s measurement is a rank one POVM. As a result, $\Phi = \Phi_{BE\tilde{E}|XL'}$ is also a pure state, and we can set $H(E\tilde{E}|XL')_\Phi = H(B|XL')_\Phi$, so that $R'' = I(A\rangle B|L')$. Finally, we can write
R
= R
′′
+ γ +
= I(AiB|L
) + γ +
I(AiB|L
) + , (28)
where we have used $\gamma \ge 0$ from its definition.
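
The step from Eq. (25) to R″ = I(A⟩B|L′) for a rank-one measurement can be checked numerically. The Python code below is an added example, not code from the paper: it assumes a single fixed value of l′, a constructed Bell-diagonal ρ_AB with real amplitudes, one register `E` standing for Eve's whole purifying system (E together with Ẽ), and illustrative function names.

```python
import math

def eigvals_sym(m, sweeps=30):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    a, n = [row[:] for row in m], len(m)
    for _ in range(sweeps):
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                d = a[q][q] - a[p][p]
                t = math.pi / 4 if d == 0 else 0.5 * math.atan(2 * a[p][q] / d)
                c, s = math.cos(t), math.sin(t)
                for k in range(n):  # rotate columns p and q
                    a[k][p], a[k][q] = c * a[k][p] - s * a[k][q], s * a[k][p] + c * a[k][q]
                for k in range(n):  # rotate rows p and q
                    a[p][k], a[q][k] = c * a[p][k] - s * a[q][k], s * a[p][k] + c * a[q][k]
    return [a[i][i] for i in range(n)]

def entropy(rho):
    """Von Neumann entropy in bits."""
    return -sum(v * math.log2(v) for v in eigvals_sym(rho) if v > 1e-12)

def reduced(psi, keep):
    """Reduced density matrix on subsystems `keep` of a real pure state psi,
    given as a dict from index tuples such as (a, b, e) to amplitudes."""
    sub = lambda k: tuple(k[i] for i in keep)
    rest = lambda k: tuple(v for i, v in enumerate(k) if i not in keep)
    pos = {lab: n for n, lab in enumerate(sorted({sub(k) for k in psi}))}
    rho = [[0.0] * len(pos) for _ in pos]
    for k1, v1 in psi.items():
        for k2, v2 in psi.items():
            if rest(k1) == rest(k2):
                rho[pos[sub(k1)]][pos[sub(k2)]] += v1 * v2
    return rho

def purified_bell_diagonal(lam):
    """Pure state on A, B, E with rho_AB = sum_i lam[i] |bell_i><bell_i|.
    E stands for Eve's whole purifying system (E together with E-tilde)."""
    r = math.sqrt(0.5)
    bell = [{(0, 0): r, (1, 1): r}, {(0, 0): r, (1, 1): -r},
            {(0, 1): r, (1, 0): r}, {(0, 1): r, (1, 0): -r}]
    return {(a, b, e): math.sqrt(lam[e]) * bell[e].get((a, b), 0.0)
            for a in (0, 1) for b in (0, 1) for e in range(4)}

def rates(lam, theta):
    """Return (R'', I(A>B)) for a rank-one measurement of A at angle theta."""
    psi = purified_bell_diagonal(lam)
    h_b, h_e = entropy(reduced(psi, (1,))), entropy(reduced(psi, (2,)))
    i_xb, i_xe = h_b, h_e  # Holevo quantities; conditional terms subtracted below
    c, s = math.cos(theta), math.sin(theta)
    for u in ((c, s), (-s, c)):  # orthonormal measurement basis on A
        cond = {(b, e): u[0] * psi[0, b, e] + u[1] * psi[1, b, e]
                for b in (0, 1) for e in range(4)}
        p = sum(v * v for v in cond.values())  # p(x); 1/2 for Bell-diagonal input
        cond = {k: v / math.sqrt(p) for k, v in cond.items()}  # pure state on B, E
        i_xb -= p * entropy(reduced(cond, (0,)))
        i_xe -= p * entropy(reduced(cond, (1,)))
    coherent = h_b - entropy(reduced(psi, (0, 1)))  # H(B) - H(AB)
    return i_xb - i_xe, coherent

if __name__ == "__main__":
    for lam in ((0.85, 0.05, 0.05, 0.05), (0.7, 0.1, 0.1, 0.1)):  # constructed
        print(lam, [rates(lam, th) for th in (0.0, 0.3, math.pi / 4)])
```

The two returned numbers agree at every measurement angle, as the proof requires; for the second constructed input the coherent information is negative, so the lower bound carries no key there.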

[1] S. Barz et al., Science 335, 303 (2012).
[2] N. Gisin et al., Rev. Mod. Phys. 74, 145-195 (2002).
[3] T. M. Cover and J. A. Thomas, Elements of Information Theory (John Wiley and Sons, Hoboken, New Jersey, 2006) p. 35.
[4] Note that the EHS representation has been mainly introduced to give the correct interpretation to Eq. (), where a quantum system E conditions a classical variable X thanks to the embedding in a quantum system X.
Citations
Journal ArticleDOI

Measurement-device-independent randomness from local entangled states

TL;DR: It is shown that there exist entangled states, with local description, that are a useful resource in such task but are useless in the corresponding DI scenario, and here this work introduces the measurement-device–independent randomness certification task.
Journal ArticleDOI

Towards Real‐World Quantum Networks: A Review

TL;DR: In this paper , the authors reviewed the current state of the art for generating entanglement of quantum nodes based on various physical systems such as single atoms, cold atomic ensembles, trapped ions, diamonds with nitrogen-vacancy centers, and solid-state host doped with rare-earth ions.
Journal ArticleDOI

Decoy-state measurement-device-independent quantum key distribution with mismatched-basis statistics

TL;DR: Considering the finite size effect, this paper studies the decoy-state MDI-QKD protocol with mismatched-basis events statistics by performing full parameter optimization, and the simulation result shows that this scheme is very practical.
Journal ArticleDOI

Quantum Conference Key Agreement: A Review

TL;DR: The existing quantum CKA protocols based on multipartite entanglement are reviewed, both in the device‐dependent and the device-independent scenario.
Journal ArticleDOI

Extending Quantum Links: Modules for Fiber‐ and Memory‐Based Quantum Repeaters

TL;DR: In this article, the performance of basic quantum repeater links based on fiber channels and memory stations is evaluated and compared, both for present-day, state-of-the-art experimental parameters as well as for parameters that can in principle be reached in the future.