5 October 2017 On problems in security of quantum key distribution raised by Yuen
Proceedings Volume 10442, Quantum Information Science and Technology III; 1044203 (2017); doi: 10.1117/12.2278625
Event: SPIE Security + Defence, 2017, Warsaw, Poland
In 2007, it was found that a Known-Plaintext Attack would reveal the whole string of the key distributed by Quantum Key Distribution (QKD) when part of the plaintext was known to the eavesdropper, Eve, under the mutual information security criterion between Eve and the legitimate users, Alice and Bob. To overcome this, the same paper introduced the trace distance criterion: the distance between the actually distributed quantum state and the ideal quantum state in which Eve’s quantum system is decoupled from the quantum systems shared by Alice and Bob. On the other hand, Shor and Preskill proved in 2000 that entanglement-based QKDs are equivalent to prepare-and-measure QKDs such as the first QKD protocol, BB84. Their proof employed the mutual information criterion, so M. Koashi applied the Shor-Preskill approach to the trace distance criterion in 2009. However, H. P. Yuen began criticizing the security of QKDs in 2009 and completed his criticisms in 2016. He warned that the security of QKDs is not sufficient. Furthermore, the trace distance would not provide “universal composability”, which is supposed to guarantee Independent and Identically Distributed (IID) keys. He also proposed a new security criterion, the “Bit-Error-Rate (BER) guarantee,” which evaluates the BER in the message decoded by Eve with a key close to the correct one. In this work, the author explains Yuen’s criticisms and shows an example of the BER guarantee on BB84. Furthermore, the study revisits whether the Shor-Preskill security proof approach really worked.
Iwakoshi: On problems in security of quantum key distribution raised by Yuen



A large amount of investment has recently been made in quantum technologies and science, especially in the field of quantum computing. On the other hand, it is often said that the development of quantum computers would threaten the security of the Internet, breaking classical cryptography easily and leaking private information to malicious adversaries. Therefore, quantum cryptography and quantum secure communication technologies are also at the center of investors’ interest. In particular, Quantum Key Distribution (QKD) has been said to be unconditionally secure, or provably secure, in the presence of an eavesdropper, Eve, who has unlimited power to break the cryptogram except for the limitations imposed by the laws of physics, ever since the invention of the first QKD protocol, BB84, in 1984 1, 2. Many researchers have been involved in this field to realize this exciting concept.

However, recall the first successful hacking of commercial QKD systems in 2010 3. After the study of quantum hacking, Measurement-Device-Independent (MDI) QKD was developed 4. Now imagine that commercial QKD systems had been widely deployed around the world before the hacking technique was discovered. If that had happened, we would have had to physically rebuild all quantum communication infrastructure, even though the attack was found before any serious security breach occurred. The National Cyber Security Centre in Britain disclosed a document in 2016 about the security risks of QKD, its poor cost performance, and possible future threats as yet unknown 5.

On the other hand, numerous works have been made to remove real device imperfections from theoretical security proofs, such as the MDI-QKD mentioned above and Reference 6, which removes attacks on device imperfections. However, since 2009, H. P. Yuen, who theoretically discovered the squeezed state of coherent light 7 as well as the theories of M-ary quantum detection and parameter estimation 8, 9, has been warning that even if real devices work perfectly according to the standardized theories, there are problems in the theories themselves 10, 11.

At first, the security of QKDs was proven based on a negligible amount of mutual information between Eve and the legitimate users, Alice and Bob 12, 13. However, it was found in 2007 that Known-Plaintext Attacks would reveal the whole string of the key distributed by QKD when Eve possesses a quantum memory 14. Therefore, the same paper proposed as a new security criterion to upper-bound, by a negligibly small parameter, the trace distance between the distributed quantum state and the ideal quantum state in which Eve’s quantum system is decoupled from the quantum system shared by Alice and Bob. In the same paper and in some other literature 14-18, it is often said that the trace distance itself gives the maximum failure probability in distributing a perfect key. Yuen pointed out in 2009 that this statement is incorrect 10. Honestly, even the author of this article had been wondering why Yuen has been claiming so. However, C. Portmann and R. Renner described the proof in detail in their Appendix A.4.1 in 2014 18. Since this finding, the author of this article has fully understood what Yuen has been warning about. Yuen completed his criticisms of the security of QKDs in 2016, and wrote some counterexamples to the perception that the trace distance is the maximum failure probability of QKDs 19. His work was written in terms of classical probability theory so that conventional cryptologists can understand it. This study tries to explain what Yuen has been warning about in terms of quantum information. Then, the article gives an example of the Bit-Error-Rate (BER) Guarantee proposed by Yuen 19, 20 as a new security criterion, in the case of the BB84 protocol. Furthermore, the author revisits whether Shor and Preskill really proved that entanglement-based QKDs are equivalent to prepare-and-measure QKDs such as the BB84 protocol, a point not described even in Yuen’s work 19.



This section briefly describes the overview of the trace distance security criterion of QKDs, in order to discuss the main points of Yuen’s claims against the security of QKDs.


Overview of Trace Distance Security Criterion

Firstly, consider the quantum state ρ_ABE actually distributed between Alice and Bob under Eve’s interaction, and the ideal quantum state τ_ABE, in which the key shared between Alice and Bob is IID and Eve’s quantum system is decoupled.


Then, consider an intermediate state σ_ABE in (4), in which Alice and Bob share the same key. Then apply the triangle inequality (5) to divide the security problem into two parts, as shown in (5)-(8).


The inequality (6) is named “ε-correctness,” and bounds the probability of failure of the key agreement between Alice and Bob. The inequality (7) is named “ε-security,” and is said to bound the probability of failure in distributing an IID key string, as seen in the following quotes.

“ε security has an intuitive interpretation: with probability at least 1 – ε, the key S can be considered identical to a perfectly secure key U, i.e., U is uniformly distributed and independent of the adversary’s information. In other words, Definition 1 guarantees that the key S is perfectly secure except with probability ε.”14

“In this definition, the parameter ε has a clear interpretation as the maximum failure probability of the process of key extraction.”16

“The above definition of security (Definition 2) has the intuitive interpretation that except with probability ε, the key pair (SA, SB) behaves as a perfect key, as described by (41).”17


Yuen’s warning to the security level of QKDs

However, Yuen warned in 2009 that this would be incorrect 10, and showed counterexamples in 2010 11 and 2016 19. This article avoids the detailed explanations and gives the simple explanation by Yuen, as follows. As in Appendix A.4.1 of the literature by C. Portmann and R. Renner 18, the expected probability of Eve successfully guessing the correct key is


Because an arbitrary operator Γ satisfies the following inequality, Eq. (9.22) in the literature 21,




As we see, the failure probability of QKDs, namely the probability that Eve guesses the correct key Alice and Bob share, is larger than the trace distance itself. This gives a clear-cut answer: the perceived explanation that the trace distance itself is “the maximum failure probability in distributing a perfectly secure key” is not true, because of the additional constant term 2^{-|K|}. Furthermore, (12) shows the meaning of “the failure of QKDs” very clearly, because it is the expected probability that Eve obtains the correct key.
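As an added worked derivation (not the paper’s own (9)-(12), which are not reproduced on this page), here is the bound that the text refers to, written in the document’s symbols. Assumptions made here: $\rho_{KE}$ is the classical-quantum state of Alice’s $|K|$-bit key $K$ and Eve’s system $E$ (obtained from $\rho_{ABE}$ by tracing out Bob and reading Alice’s register as the key), $\tau_K \otimes \rho_E$ is the ideal state with $K$ uniform and $E$ decoupled, $D(\cdot,\cdot)$ is the trace distance with $D(\rho_{KE}, \tau_K \otimes \rho_E) \le \varepsilon_{sec}$, and Eve’s guess is a POVM $\{\Gamma_k\}$ on $E$.

$$
\begin{aligned}
\Pr(K|E) &= \sum_{k}\Pr(k)\,\mathrm{Tr}\!\left[\Gamma_k\,\rho_E^{(k)}\right]
 = \mathrm{Tr}\!\left[\Gamma\,\rho_{KE}\right],
 \qquad \Gamma := \sum_{k} |k\rangle\langle k|_K \otimes \Gamma_k,\quad 0 \le \Gamma \le I,\\
\mathrm{Tr}\!\left[\Gamma\,\rho_{KE}\right]
 &\le \mathrm{Tr}\!\left[\Gamma\,(\tau_K\otimes\rho_E)\right] + D(\rho_{KE},\,\tau_K\otimes\rho_E)
 &&\text{(trace distance as a maximum over } 0\le\Gamma\le I\text{, the form of Eq. (9.22) in [21])}\\
 &= 2^{-|K|}\sum_{k}\mathrm{Tr}\!\left[\Gamma_k\,\rho_E\right] + D(\rho_{KE},\,\tau_K\otimes\rho_E)
 &&\left(\tau_K = 2^{-|K|}\textstyle\sum_k |k\rangle\langle k|\right)\\
 &= 2^{-|K|} + D(\rho_{KE},\,\tau_K\otimes\rho_E)
 &&\left(\textstyle\sum_k \Gamma_k = I\right)\\
 &\le 2^{-|K|} + \varepsilon_{sec}.
\end{aligned}
$$

The $2^{-|K|}$ term is exactly the pure-guessing probability of Shannon’s perfect secrecy; the trace distance bounds only Eve’s advantage over it, so the expected probability that Eve holds the correct key is bounded by $2^{-|K|}+\varepsilon_{sec}$, not by $\varepsilon_{sec}$ alone.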

Yuen also explained the importance of the numerical evaluation of (12). In today’s QKDs, the key length |K| is set to 10^6 bits, while the best experimental value obtained so far is ε_sec = 2^{-50} 22, achieved by Round-Robin DPS QKD, which is claimed to be almost impossible to eavesdrop on, unlike conventional QKDs 23, 24. Then from (12), this means


On the other hand, the definition of “perfect secrecy” given by C. E. Shannon was 25,


This means that even if Eve obtains the ciphertext C, she gains no information about the exchanged plaintext X. Therefore, Eve has to resort to pure guessing to obtain the plaintext, so her probability is


Now, in the case of (13), the knowledge Eve obtained from eavesdropping is k_E = k_A, so let us rewrite (13) as


This result clearly shows that the obtained key is not IID at all. Consider the simplest example. For Eve, it is as if there were 2^50 equally likely key candidates and no other candidates, which satisfies Pr(K|E) ≈ 2^{-50}. On the other hand, if the distributed key were IID, there would be 2^{1,000,000} equally likely keys for Eve. This is what Yuen has been warning about. Moreover, this means we can never satisfy the concept called “Universal Composability,” because Eve has only 2^50 possible keys, not 2^{1,000,000}. Universal Composability 15 is the concept that any part of the key is usable in other cryptosystems without threat when one of the systems is under attack, because any part of the key is statistically independent of the other parts. The above situation shows us that Universal Composability will never be satisfied unless ε_sec = 0.

Then, let us change our point of view. It has now been shown that QKD keys are not perfect at all. However, of course, if ε_sec is small enough, we can say the QKD key is information-theoretically secure enough for practical use. However, consider the following estimate. Assume that a QKD system runs 24 hours a day, 365 days a year, at a communication speed of 10^9 bits/sec with a final key length of 10^6 bits. Then 3×10^10 keys will be exchanged in a year. Since 2^{-|K|} ≪ ε_sec, the expected number of keys leaked to Eve is about 3×10^10 × ε_sec ≈ 3×10^{-5}. This number looks sufficient for security. However, 7.5×10^3 fatal traffic accidents were reported in Japan in 2008 26, while there were 7.9×10^7 cars in the same year 27. Therefore, one car caused 9.5×10^{-5} fatal traffic accidents on average in 2008. The above values show that the expected number of successful eavesdroppings on one QKD system in a year is of the same order of magnitude as the number of fatal traffic accidents one car may cause in a year. If QKD systems spread over the world as explained in the introduction, the expected number of successful eavesdroppings approaches the number of fatal traffic accidents, if ε_sec = 2^{-50} = 8.9×10^{-16}. See also the past works by the author 28, 29. Theoretically, it is often said that ε_sec can be made arbitrarily small, so that we could enhance the security of QKDs as much as we wish. The author discusses this point in the next subsection.


Criticisms on Derivation of Secure Key Rate

Yuen also questioned the derivation of the secure key rate. The general procedure of QKDs is well known, but the author describes it here as follows 30.

  • 1. The transmitter, Alice, randomly chooses the bit to send and the encoding basis, then sends the corresponding quantum state to the receiver, Bob.

  • 2. Bob also chooses his measurement basis randomly and obtains a classical bit from the measurement.

  • 3. They repeat the above procedure, then discuss over the classical authenticated channel to discard the bits for which they chose different bases and keep the bits with the same basis.

  • 4. Alice and Bob announce part of their measurement results to estimate the Quantum-Bit-Error-Rate, Q. If Q is greater than a certain threshold, they abort the communication, regarding it as impossible to yield a secure key string. When they can proceed, they perform error correction on the key strings for key agreement.

  • 5. Alice announces the parity-check matrix for the error correction and calculates her syndrome with it. Then she sends her syndrome to Bob, hiding it by One-Time Pad (OTP) using part of the pre-shared key.

  • 6. Bob also calculates his syndrome using the parity-check matrix Alice announced. Then he performs error correction by comparing his syndrome with Alice’s.

  • 7. Finally, they proceed to Privacy Amplification to eliminate Eve’s knowledge of the shared key, by announcing a hash function over the public classical channel.

In the above process, the key consumption of the OTP hiding Alice’s syndrome is often given by


Here, ξ is a factor between 1 and 2, depending on the strength of the error-correcting code. Typically, it is set to ξ = 1.1 30, 31. To prove (17) for the case ξ = 1, see the following calculation. Let |Ks| be the sifted key length and |M| the number of information digits. Consider (|Ks|, |M|) linear codes which can correct up to Q|Ks| errors. From the Hamming bound,


Therefore, the following inequality has to be satisfied:


Thus, the key consumed by the OTP hiding Alice’s syndrome is |Ks|h2(Q) bits, where h2(Q) is Shannon’s binary entropy. However, Yuen explains as follows. If we use a (|Ks|, |M|) linear code, the number of key candidates shrinks to 2^{|M|}, while there were 2^{|Ks|} possible candidates before the error correction. This problem is not solved even if the syndrome is hidden by OTP. One may say that there are 2^{|Ks|-|M|} possible syndromes, and Eve does not know which one Alice and Bob used to reconcile their keys, so the number of possible key patterns remains 2^{|M|} × 2^{|Ks|-|M|} = 2^{|Ks|}. However, recall that Eve knows the key shared in the previous QKD round with probability ε_sec. Thus, there are only ε_sec^{-1} 2^{|Ks|-|M|} possible key patterns, not 2^{|Ks|} ≫ ε_sec^{-1} 2^{|Ks|-|M|}, even when Eve does nothing but pure guessing. In reality, Eve would guess the most likely key Alice and Bob shared from her measurement results when she needs it, so the number of possible key patterns is unknown but may be narrowed down further. Therefore, using (|Ks|, |M|) linear error-correcting codes narrows down the possible key patterns for Eve in practice. There are no related studies on this issue as far as the author knows, so we cannot discuss this problem numerically any further.

To solve this problem, Yuen proposed the following idea. Consider (|N|, |Ks|) linear codes, adding |N| – |Ks| parity-check digits to the sifted key before error correction. Then, even after the error correction, there may still be 2^{|Ks|} possible key patterns for Eve. Instead, we have to consume |N|h2(Q) bits of the pre-shared key to hide the added parity-check digits by OTP when sending them to Bob. The amount |N| is again given by the Hamming bound, as in (18, 19). Therefore,


Thus the key consumption of the OTP for error correction is


In addition, Yuen pointed out that choosing ξ = 1.1 habitually is not a “proven analysis,” contrary to QKD’s original concept.
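As an added derivation, not the paper’s own (18)-(21): the Hamming-bound step the text describes, carried through in the document’s symbols. Assumptions made here: $V(n,t)=\sum_{i\le t}\binom{n}{i}$ is the number of $n$-bit strings within Hamming distance $t$ of a given string, and the standard estimate $\log_2 V(n,Qn)\approx n\,h_2(Q)$ for $Q<1/2$ is used; the closed form at the end is what that estimate yields and is not claimed to be (21) verbatim.

$$
\begin{aligned}
&\text{$(|K_s|,|M|)$ code correcting $Q|K_s|$ errors (the text’s (18), (19)):}\\
&\qquad 2^{|M|}\,V\!\left(|K_s|,\,Q|K_s|\right) \le 2^{|K_s|}
\;\Longrightarrow\;
|K_s|-|M| \;\ge\; \log_2 V\!\left(|K_s|,\,Q|K_s|\right) \;\approx\; |K_s|\,h_2(Q),\\
&\qquad \text{so the syndrome, and the OTP key hiding it, is } |K_s|\,h_2(Q) \text{ bits: (17) with } \xi = 1.\\[4pt]
&\text{$(|N|,|K_s|)$ code correcting $Q|N|$ errors (Yuen’s construction):}\\
&\qquad 2^{|K_s|}\,V\!\left(|N|,\,Q|N|\right) \le 2^{|N|}
\;\Longrightarrow\;
|N|-|K_s| \;\ge\; |N|\,h_2(Q)
\;\Longrightarrow\;
|N| \;\ge\; \frac{|K_s|}{1-h_2(Q)},\\
&\qquad \mathrm{leak}_{EC} = |N|-|K_s| \;\approx\; |N|\,h_2(Q) \;\ge\; \frac{|K_s|\,h_2(Q)}{1-h_2(Q)}
 = \frac{1}{1-h_2(Q)}\,\bigl(|K_s|\,h_2(Q)\bigr).
\end{aligned}
$$

The factor $1/(1-h_2(Q))$ is what makes the difference grow with $Q$: for $Q=0.05$, $h_2(Q)\approx 0.286$ and the factor is about $1.40$; for $Q=0.10$, $h_2(Q)\approx 0.469$ and it is about $1.88$. With the same $\xi$ and the same privacy-amplification term, the secure key rate therefore reaches zero at a lower QBER, which is the stricter allowable QBER seen in Fig. 1.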

Here, the author gives some numerical analysis with ε_sec = 10^{-24} ≈ 2^{-80} in Fig. 1, taken from the study in the literature 32. Using (21) derived by Yuen gives a lower secure key rate, especially for larger Q. Moreover, if the quantum channel is lossy, there is a lower limit below which ε_sec cannot be made smaller 32.

Fig. 1.

(a) Key rates with leak_EC as in (17), and (b) as in (22). From the lowest curve upward, the sifted key length is 10^5, 10^6, 10^7, 10^9 bits. With Yuen’s leak_EC, the allowable QBER becomes stricter.



Criticisms on Use of Privacy Amplification

Yuen also pointed out that Privacy Amplification may even be harmful to the security of QKDs. His description 19 is not easy to understand, so the author tries a different explanation. Suppose Eve eavesdropped on the quantum channel and stored the quantum states correlated with the legitimate users’ key in her quantum memory. Assume that, after Alice and Bob finished error correction, Eve measured her quantum memory and obtained the key string k_ER, while Alice and Bob share the key k_R. Now, let Alice choose and announce a hash function f from a δ-almost two-universal hash function family F; then


There are two possible cases: Eve obtains the correct key, k_ER = k_R, or k_ER ≠ k_R but a collision occurs because of the property of hash functions. Therefore, Eve’s success probability in obtaining the correct final key is


The max Pr(K|E) in (23) is larger than Eve’s guessing probability before the Privacy Amplification, that is, Pr(k_ER = k_R) in (23). This is understandable as follows. Even if Eve obtains the wrong key after the error correction, she may obtain the correct key by chance because of the collision probability of the hash function. Therefore, the following question arises: is Privacy Amplification really useful for gaining security of the distributed key? Consider the following example. Let |K_R| be the length of the reconciled key before Privacy Amplification and |K| the key length after Privacy Amplification. Because of the characteristics of hash functions, trivially |K_R| > |K|. Even if Eve does not eavesdrop on the quantum channel at all but simply guesses the key, it is trivial that she has a better chance of guessing the correct key after hashing than before hashing. Yuen explained that the reason why Privacy Amplification has given the misconception that it enhances key security is the averaging of the hashing performance over the hash family F in the Leftover Hash Lemma. In reality, however, Alice publicly announces which hash function they use, so Eve knows exactly which function is used. Therefore, to evaluate the performance of Privacy Amplification, we need to evaluate the performance of the chosen hash function without averaging. Here, the author adds another reason. The Leftover Hash Lemma surely gives a more uniform key probability distribution. However, key shortening by hashing raises the average of the probability distribution, giving Eve a better chance of guessing the correct key.

A more complicated problem is related to the previous topic of error correction. If we regard the sifted key as a codeword of a (|Ks|, |M|) linear code, then there are correlations among the key bits: because the |Ks|-bit key is regarded as a (|Ks|, |M|) code, there are only 2^{|M|} key candidates instead of 2^{|Ks|}. Evaluating the effect of Privacy Amplification is not easy when there are correlations between key bits. Therefore, again, we need to add parity-check digits to the sifted key to make it an (|N|, |Ks|) code, so as to have less correlation among key bits, and we have to take the previous problem seriously.


Authenticity of Communication Channels

There seem to be many people outside the QKD research community who misunderstand this point, because it is common sense among QKD researchers and thus rarely explained. Therefore, the author writes it explicitly here. Before starting QKD, Alice and Bob need a pre-shared authentication key to recognize each other 33. Otherwise, Eve can launch a Man-in-the-Middle Attack by pretending to be Bob to Alice and to be Alice to Bob, relaying both the classical and the quantum signals coming from Alice to Bob, which allows not only perfect eavesdropping but also falsification of the messages. Moreover, some QKD procedures need a pre-shared key for the OTP in Error Correction, as explained in Sec. 2.3. In this sense, QKD is not a public key distribution technology that replaces conventional public key encryption like RSA: the public key of RSA may be known even to Eve, but the authentication key and the pre-shared OTP key in QKDs must not be disclosed to Eve. Therefore, Alice and Bob need to share the pre-shared key secretly in some way before they start QKD. In this sense, QKDs are similar to symmetric key cryptography like AES, unlike public key encryption such as RSA.

Yuen pointed out the importance of the security level of this authentication key. We may be able to share an IID authentication key at first, but what happens if we renew the authentication key with part of the distributed key? As explained in Sec. 2.2, Eve guesses the correct key with probability about ε_sec. Yuen regards the security of authentication as far more important than the security level of message encryption, and therefore claims that ε_sec has to be far smaller than we can currently obtain. Even if ε_sec is small enough, the renewed authentication key is part of a distributed key known to Eve with probability about ε_sec, resulting in security degradation compared to the initial IID authentication key, and this continues as long as QKD operation continues. Furthermore, part of the distributed key, known to Eve with probability about ε_sec, has to be used in the OTP for Error Correction in Sec. 2.3. Therefore, the influence of this security degradation has to be included in security proofs for the concept of “provable security.”


Importance of Bit-Error-Rate for Eavesdropper

Yuen raised the following question: even if Eve cannot obtain the correct key but obtains a key close to the key Alice and Bob share, what happens? Can Eve really not read the message at all if her key has just 1 bit in error? What about 2 bits? 3 bits? Yuen emphasized the importance of the Bit-Error-Rate (BER) for Eve, because it equals the BER in the message encrypted by OTP, and therefore named it the “BER Guarantee” 19, 20. Clearly, a perfect OTP key is IID, so Eve’s BER is always 1/2 and she can never read the encrypted message. However, if she knows her BER is far smaller than 1/2, she may be able to read some part of the encrypted message. Here is an example. Suppose you receive the message “Tahnks” from a friend. You naturally take it as a typo of “Thanks.” We have no difficulty recovering the original message even when there are some typos.

Now, returning to QKDs, the author gives a rough estimate. Suppose Eve can read the message if her key has a BER less than a certain value, B_E. The number of key strings in such a situation is


Therefore, a rough estimate of Eve’s success probability in obtaining a nearly correct message is


As shown in (25), Eve’s chance of reading a nearly correct message rises exponentially with the length of the secret key |K|. So, if ε_sec = 2^{-50} and |K| = 10^6 bits, Eve’s probability of obtaining a nearly correct message is already almost Pr(K|E) = 1 at about |K|B_E = 2.5 errors, which means Eve has no difficulty reading the encrypted message. Surely, even the author thinks the estimate (25) is too rough, and Yuen himself wrote that how to evaluate the security of QKDs under the BER guarantee is an open question. We need further studies, and this is the main topic of this article. See the example in Sec. 3.
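The numbers in Secs. 2.2, 2.3 and 2.6 can be checked with the following script, added here as an example and not taken from the paper. It implements the Sec. 2.2 guessing bound 2^{-|K|} + ε_sec and the leaked-keys-per-year estimate, the Hamming-bound key consumption of Sec. 2.3 for both the (|Ks|, |M|) construction behind (17) and Yuen’s (|N|, |Ks|) construction (found by direct search on the bound rather than the asymptotic |N|h2(Q) form), and the rough Hamming-ball estimate of (25). The function names, the toy code size |Ks| = 1000 and Q = 0.05 are choices made here; |K| = 10^6 and ε_sec = 2^{-50} are the values used in the text.

```python
# Added worked example, not code from the paper: numeric checks for the
# Sec. 2.2 guessing bound, the Sec. 2.3 Hamming-bound key consumption and
# the Sec. 2.6 BER-guarantee estimate, in the paper's symbols
# (|K|, eps_sec, |Ks|, |M|, |N|, Q, B_E). The toy sizes below are
# illustrative choices; only |K| = 10^6 and eps_sec = 2^-50 come from the text.
import math


def h2(q):
    """Shannon binary entropy h2(q), in bits."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1.0 - q) * math.log2(1.0 - q)


def guess_bound(k_len, eps_sec):
    """Sec. 2.2: trace-distance bound on Eve's probability of guessing the
    whole |K|-bit key, 2^-|K| + eps_sec (not eps_sec alone)."""
    return 2.0 ** (-k_len) + eps_sec


def expected_leaked_keys_per_year(bit_rate, k_len, eps_sec):
    """Sec. 2.2 estimate: keys exchanged per year times the guessing bound."""
    keys_per_year = bit_rate * 365 * 24 * 3600 / k_len
    return keys_per_year * guess_bound(k_len, eps_sec)


def hamming_ball(n, t):
    """V(n, t): number of n-bit strings within Hamming distance t of a given one."""
    return sum(math.comb(n, i) for i in range(t + 1))


def errors_corrected(q, n):
    """Number of errors a length-n code must correct at QBER Q."""
    return math.floor(q * n)


def hamming_bound_redundancy(n, t):
    """Smallest r with 2^r >= V(n, t): an (n, n - r) linear code correcting
    t errors needs at least r parity (syndrome) bits (Hamming bound)."""
    return (hamming_ball(n, t) - 1).bit_length()


def leak_standard(ks, q, xi=1.0):
    """(17): xi * |Ks| * h2(Q) bits of OTP key hide Alice's syndrome."""
    return xi * ks * h2(q)


def information_digits(ks, q):
    """|M| for a (|Ks|, |M|) code correcting Q|Ks| errors: only 2^|M|
    codewords remain as key candidates after reconciliation."""
    return ks - hamming_bound_redundancy(ks, errors_corrected(q, ks))


def leak_yuen(ks, q):
    """Yuen's alternative: extend the sifted key to an (|N|, |Ks|) code
    correcting Q|N| errors and hide the |N| - |Ks| parity bits by OTP.
    Returns (|N|, |N| - |Ks|) for the smallest |N| the Hamming bound allows,
    found by direct search rather than via the asymptotic |N| h2(Q) form."""
    n = ks
    while n - ks < hamming_bound_redundancy(n, errors_corrected(q, n)):
        n += 1
    return n, n - ks


def ber_guarantee_estimate(k_len, eps_sec, t):
    """Rough estimate in the spirit of (25): Eve's chance of holding a key
    within t bit errors of the true key, taken as eps_sec times the number
    of such strings and capped at 1."""
    return min(1.0, eps_sec * hamming_ball(k_len, t))


def ber_guarantee_crossover(k_len, eps_sec):
    """Smallest tolerated error count t = |K| B_E at which that estimate
    reaches 1, i.e. where the Hamming-ball growth has used up eps_sec."""
    t = 0
    while ber_guarantee_estimate(k_len, eps_sec, t) < 1.0:
        t += 1
    return t


if __name__ == "__main__":
    K, EPS = 10**6, 2.0**-50
    print("guessing bound       :", guess_bound(K, EPS))
    print("leaked keys per year :", expected_leaked_keys_per_year(1e9, K, EPS))
    ks, q = 1000, 0.05
    n, parity = leak_yuen(ks, q)
    print("|M| after EC         :", information_digits(ks, q), "of", ks)
    print("leak_EC (17), xi=1   :", round(leak_standard(ks, q), 1))
    print("leak_EC Yuen         :", parity, "bits (|N| =", n, ")")
    for t in range(4):
        print(f"t={t}: Pr(near key) ~ {ber_guarantee_estimate(K, EPS, t):.3g}")
    print("crossover t          :", ber_guarantee_crossover(K, EPS))
```

The search in `leak_yuen` uses the exact ball volume, so its parity count is slightly below the asymptotic |Ks|h2(Q)/(1 - h2(Q)) but still well above the |Ks|h2(Q) of (17); the crossover for |K| = 10^6 and ε_sec = 2^{-50} lands at t = 3, matching the “about 2.5 errors” of the text.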


Security level of the cryptosystems and impossibility of experimental guarantee for general attacks

There are many experimental reports, not listed here, that QKD systems worked stably over months or more. However, can we really confirm that Eve could not steal the key even with unlimited power, except for the limitations of the laws of nature? One may say that the noisy environment itself is an Eve who can freely interact with the flying qubits. Then how do we confirm that the noisy environment could not steal the key?

Furthermore, these experimental reports said their systems were secure because the generated key rates were positive. On the other hand, we have seen in Sec. 2.2 that the security level is evaluated by ε_sec. How large was ε_sec actually in their experiments? There are several theories to calculate the key generation rate for finite key length with corresponding ε_cor and ε_sec. From these theories, we can derive positive key rates even with ε_sec = 1 31, 32. This means that a key is surely generated, but Eve can steal it with probability 1, as we have seen in Sec. 2.2. Therefore, a positive key generation rate never means the key is secure. The problem is always “how secure is the key.”

The National Cyber Security Centre (NCSC), a part of the Government Communications Headquarters (GCHQ) in the UK, published a white paper advising against using QKD for important communication infrastructure at this stage. Here are some quotes 5.

“Consequently, QKD seems to be introducing a whole new set of potential avenues for attack that are not yet well understood.” “Do not endorse QKD for any government or military applications.” “Advise against replacing any existing public key solutions with QKD for commercial applications.”

Yuen also wrote as follows 19.

“Security cannot be proved experimentally, if only because there are an infinite variety of possible attacks, which cannot all be described. There were many surprises in the history of cryptography; thus, whether there is a valid proof is an important issue, especially in QKD, where provable security appears to be the only real advantage compared to conventional cryptography.”

He also quoted from the literature 34.

“Don’t blindly trust anything, even if it is in print. You’ll soon see that having this critical mind is an essential ingredient of what we call ‘professional paranoia.’”

The biggest advantage of QKD is the concept that “the security is proven against general attacks,” regardless of how expensive the cryptosystems are and how slow the communication is compared to current communication technologies. Then, if we cannot experimentally test the security of QKDs against at least a variety of potential attacks, there is a big question why we have to develop them.


Alternative security measure: quantum min-entropy

There is another possibly meaningful security measure, called min-entropy. However, it is closely connected to Eve’s probability of guessing the correct key 35. Therefore, the author thinks there is not much difference from using the trace distance criterion. Other abstract security measures should be avoided, because customers will not be convinced by abstract security terms; they want to know how secure the system is.



This section describes an example of the BER Guarantee for the BB84 protocol under Entangling-Probe Attacks (EPA), studied in the literature 36-40. However, the security criterion there was the mutual information, which was abandoned after the literature 14. Therefore, this study adjusts the attack to the BER Guarantee. Here, we assume distribution of a sufficiently long key.


Entangling Probe Attack on BB84 protocol

Consider the following four quantum states used to operate the BB84 protocol for (x_A, b_A) ∈ {0, 1}^2, where x_A is the key bit to be shared and b_A indicates the basis Alice uses.


Alice chooses one of the four quantum states in (26), each with prior probability 1/4. On the other hand, Bob applies the measurement operator defined in (27) to obtain a received bit x_B, choosing his basis b_B randomly.


We omit the sifting process; that is, we regard Alice and Bob as having already announced their bases and kept the cases with b_A = b_B.

While Alice is transmitting her quantum state (26) to Bob, Eve attaches her own quantum system and applies a unitary operation U jointly to it and the transmitted quantum system. Therefore,


The unitary U is defined as


Bob then receives the following quantum system:


Therefore, Bob’s Quantum-Bit-Error-Rate (QBER) Q is


On the other hand, Eve holds the following quantum state:


Before Eve measures her system, she listens to the classical public channel to learn how Alice and Bob reconcile their sifted keys. For example, when Bob corrects the errors in his sifted key to obtain Alice’s key, Eve’s BER in her key is, from Helstrom’s quantum binary decision theory 41,


When Alice reconciles her sifted key with Bob’s key, Eve’s BER in her key is


Therefore, in this case it is harder for Eve to guess Bob’s key. Thus, we assume Alice reconciles her sifted key with Bob’s key. Note, furthermore, that Eve would optimize her unitary operation U to minimize (33). However, this optimization is not the main topic of this paper, and the conclusion remains unchanged. Eve’s success probability in obtaining the correct key is


If Eve successfully guessed the correct key after the Error Correction, she also obtains the correct key after the Privacy Amplification, because she knows the hash function used from the public broadcast between Alice and Bob. Then the success probability of eavesdropping is


Now we evaluate the security of BB84 under the BER guarantee. Eve knows her BER before the Privacy Amplification step. For an announced hashing matrix f, Eve knows which key strings will be projected onto which hashed strings. For instance, suppose Eve holds a key k_ER = k_R + e_R (mod 2) with error string e_R; it will be projected onto a certain final key with errors, f(k_R + e_R) = k + e (mod 2). Then the same manner as in (36) can be applied:


Here, wt(e_R) denotes the number of errors in the error string e_R, i.e. its Hamming weight. Therefore,


Therefore, we see that Eve has an exponentially greater chance of obtaining a near-perfect plaintext, as we saw in Sec. 2.6.

At this stage, B_E, the acceptable BER in the plaintext for Eve, is unknown. However, she may add noise to the classical authenticated channel from outside without breaking the authentication. Then Alice and Bob need to use error-correcting codes, with their parity-check matrix, for the classical communication. This may allow Eve to remove all errors in her near-perfect key up to |K_R|B_E errors, utilizing the announced parity-check matrix and subtracting the noise she added herself. To prevent this kind of attack, we may need to monitor the BER on the classical authenticated channel and abort the protocol when the BER is too high, as in the high-QBER case on the quantum channel.

Moreover, note that this discussion assumes that Eve performs individual attacks on each qubit and measures after the Error Correction. We are not sure how secure BB84 is in terms of the BER guarantee under general attacks, such as collective or coherent attacks.
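As an added example that is not part of the paper, the following script evaluates the quantities of (33), (36) and (37)-(38) for an individual attack in which each sifted bit leaves Eve holding one of two pure probe states: Eve’s per-bit error from Helstrom’s bound, her probability of holding the exact reconciled key, and her probability of holding a key within |K_R|B_E errors of it. The overlap c = |⟨e0|e1⟩| of the two probe states is taken as a free illustrative input, since the paper’s U and its optimization are not reproduced here; the key length 100 and B_E = 0.1 are likewise illustrative choices.

```python
# Added worked example, not from the paper: Eve's per-bit error from
# Helstrom's binary decision bound, her whole-key success probability in
# the manner of (36), and her probability of holding a key within t errors
# in the manner of (37)-(38), for an individual attack where each sifted bit
# leaves Eve with one of two pure probe states. The overlap c = |<e0|e1>| is
# an illustrative input chosen here; the paper's U is not reproduced.
import math


def helstrom_error(overlap):
    """Minimum error probability for distinguishing two equiprobable pure
    states whose inner product has magnitude `overlap` (Helstrom bound)."""
    return 0.5 * (1.0 - math.sqrt(1.0 - overlap ** 2))


def whole_key_success(ber, n_bits):
    """Probability that Eve's n-bit reconciled key has no error at all,
    with independent per-bit error `ber` (the form of (36))."""
    return (1.0 - ber) ** n_bits


def near_key_success(ber, n_bits, max_errors):
    """Probability that Eve's key has at most `max_errors` errors: a binomial
    tail over the error weight wt(e_R), as in (37)-(38)."""
    return sum(
        math.comb(n_bits, w) * ber ** w * (1.0 - ber) ** (n_bits - w)
        for w in range(max_errors + 1)
    )


def errors_tolerated(n_bits, b_e):
    """|K_R| B_E: the number of key errors Eve can tolerate at plaintext BER B_E."""
    return math.floor(n_bits * b_e)


def ber_guarantee_profile(overlap, n_bits, b_e):
    """Summary for one attack setting: Eve's BER, her chance at the exact key,
    and her chance at a key within |K_R| B_E errors."""
    ber = helstrom_error(overlap)
    t = errors_tolerated(n_bits, b_e)
    return {
        "ber": ber,
        "exact_key": whole_key_success(ber, n_bits),
        "near_key": near_key_success(ber, n_bits, t),
        "tolerated_errors": t,
    }


if __name__ == "__main__":
    # Illustrative probe-state overlaps; c = 0.6 gives Eve a BER of exactly 0.1.
    for c in (0.6, 0.8, 0.95):
        p = ber_guarantee_profile(c, 100, 0.10)
        print(f"overlap {c}: BER {p['ber']:.3f}, exact key {p['exact_key']:.2e}, "
              f"within {p['tolerated_errors']} errors {p['near_key']:.3f}")
```

With c = 0.6 the exact-key probability for a 100-bit key is about 2.7×10^{-5}, while the probability of a key within 10 errors is about 0.58: the gap between (36) and (38) is already four orders of magnitude at this short length, and it widens with |K_R|.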



As we have seen in Sec. 2.2, the trace distance criterion bounds the expected probability of Eve guessing the correct key. Even so, there are two standardized definitions in the trace distance criterion. In (3),

Case 1: τ_E = σ_E := tr_AB σ_ABE, which is the widely used definition.

Case 2: τ_E = κ_E, chosen to attain equality in F(ζ_ABE, |MES⟩⟨MES|_AB ⊗ κ_E) ≤ F(tr_E ζ_ABE, |MES⟩⟨MES|_AB), where ζ_ABE is the state distributed by an entanglement-based QKD with the maximally entangled state |MES⟩⟨MES|_AB 30.

There is one more possibility, in the author’s view.

Case 3: τ_E is chosen by Eve to maximize her guessing probability of the correct key, Pr(K|E).

Note that, in Case 3, Eve may define a trace distance different from the one Alice and Bob defined in Cases 1 and 2.


Case 1: the standardized definition of the trace distance security criterion

From the definition, consider the following spectral decomposition to calculate the trace distance:


The operator set in this decomposition could be taken as the POVM on Eve’s system for obtaining k_E, from (39). Furthermore,




Thus the conclusion is, consistent with the result already given in Sec. 2.2,


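The Case 1 conclusion referred to above, carried through as an added worked derivation (not part of the original page). Write the key register of Alice and Bob as $K$ and Eve's conditional states, POVM and key distribution as $\sigma_E^{k}$, $\{M_k\}$ and $p_k$; these three symbols are introduced here, the rest follows (3) and (4) with $\tau_E=\sigma_E=\mathrm{tr}_{AB}\,\sigma_{ABE}$.

$$\sigma_{KE}=\sum_{k}p_k\,|k\rangle\langle k|\otimes\sigma_E^{k},\qquad
\tau_{KE}=\frac{1}{|K|}\sum_{k}|k\rangle\langle k|\otimes\sigma_E,\qquad
d=\tfrac12\left\|\sigma_{KE}-\tau_{KE}\right\|_1 .$$

For any POVM $\{M_k\}$ on $E$, Eve's expected probability of guessing the key is a single expectation value on the joint state:

$$\Pr(K|E)=\sum_k p_k\,\mathrm{tr}\!\left(M_k\sigma_E^{k}\right)=\mathrm{tr}\!\left(\Pi\,\sigma_{KE}\right),\qquad
\Pi=\sum_k |k\rangle\langle k|\otimes M_k,\quad 0\le\Pi\le I .$$

On the ideal state the same operator gives exactly the random-guess value, and the difference is controlled by the trace distance, since $\mathrm{tr}(\sigma_{KE}-\tau_{KE})=0$:

$$\mathrm{tr}\!\left(\Pi\,\tau_{KE}\right)=\frac{1}{|K|}\sum_k\mathrm{tr}\!\left(M_k\sigma_E\right)=\frac{1}{|K|},\qquad
\mathrm{tr}\!\left(\Pi\,(\sigma_{KE}-\tau_{KE})\right)\le\max_{0\le\Pi'\le I}\mathrm{tr}\!\left(\Pi'(\sigma_{KE}-\tau_{KE})\right)=d .$$

$$\therefore\quad \Pr(K|E)\le\frac{1}{|K|}+d\quad\text{for every POVM }\{M_k\}\text{ on }E .$$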

Case 2: Koashi’s security proof based on Shor-Preskill approach

Case 2 [30] has to satisfy the equality


Otherwise, the trace distance cannot be upper-bounded, because


Here, the fidelity is defined as


Now, consider the following spectral decomposition


Then, by Cauchy-Schwarz inequality,


Therefore, the equality of (47) is satisfied by choosing in (46) as,


As a result, using the inequality between trace distance and fidelity,


This is a necessary condition for Koashi's security proof. Next, we investigate the condition that makes the trace distance equal to the upper bound in (49).

By monotonicity of the fidelity under a CPTP map Λ, where Λ is given as follows by the definition of the quantum states in (3) and (4),






To satisfy equality in (51), define the purified quantum systems by adding a virtual system R as


Equation (53) satisfies Uhlmann's inequalities,


And, for pure quantum states,


Then, to satisfy the equalities in (54),


Again, by Cauchy-Schwarz inequality,


Under the conditions derived in (48), (53), and (60),


Furthermore, choose Eve's POVM on the given quantum state as in the expression below, with the corresponding condition chosen by Eve under the restrictions in (48), (53), and (60):


Then, the expected probability of Eve successfully guessing the correct key is, in the same way as in (42),


Note, however, that the necessary condition (48) cannot be satisfied by Alice or Bob, because it contains the unknown quantum state ζ_ABE, which only Eve knows. Furthermore, the conditions in (48), (53), and (60) are not necessary for Alice and Bob, although Eve wishes to satisfy them to maximize her guessing probability. This situation tells us that the definition of τ_E can be chosen by Eve. The further generalization, Case 3, is what the author has been questioning.


Case 3: letting Eve define the trace distance independently from Alice and Bob

Note that, in the second case, Eve could choose the independent quantum state τ_E = κ_E so as to satisfy the equalities in the inequalities bounding the trace distance. This gives her more advantage. Then a question arises: what if Eve could choose τ_E freely, to maximize the trace distance itself, independently of the definition by Alice and Bob? This section seeks that possibility. To do so, Eve attaches an imaginary quantum system R, constructing the total system σ_ABER. Then Eve chooses τ_ER so that its support is not on the support of tr_AB σ_ABER. Furthermore, Eve could choose the quantum systems σ_ABER and τ_ABER purified as (53) showed. To put these purified quantum systems σ_ABER and τ_ABER on different supports, Eve has to satisfy


Eve could define as


Then, apparently


Now Eve can discard the virtual quantum system R and measure her system E to guess the correct key with maximum likelihood. This process is described as follows, using Γ in (11).


Therefore, (67) violates the upper bound on the trace distance in existing security proofs. More simply, we may consider


Note that the conditions in (67) and (68) are totally different from condition (60). Thus, as long as Eve can choose her own quantum system τ_E independently of the choice Alice and Bob make, the upper bound on the trace distance cannot be given within the framework of the standardized trace distance criteria. Shor and Preskill proved the equivalence of entanglement-based QKDs to prepare-and-measure QKDs such as BB84 using the fidelity between the maximally entangled state and the entanglement-based distributed state; however, it seems their security proof cannot be connected to the trace distance criterion, which has been used to show the security of prepare-and-measure QKDs. The author raises the following question. The modified Lo-Chau protocol and the CSS protocol in the Shor-Preskill proof would be perfectly secure with probability 1 − ε_sec², because quantum error correction, especially phase-error correction, would decouple Eve's system. However, a classical privacy amplification process does not correct quantum phase errors, even though the complementarity approach allows us to estimate the phase-error rate from the bit-error rate [42, 43]. Thus, Eve's system would not be decoupled in the case of prepare-and-measure QKDs. This would explain why privacy amplification is actually harmful for QKDs, as explained in Sec. 2.4, in contrast to the perceived understanding, held since the Shor-Preskill proof of 2000, that classical privacy amplification is equivalent to phase-error correction. Furthermore, this may explain why the Round-Robin DPS QKD protocol does not need to monitor quantum signal disturbance to estimate the amount of key sacrificed in privacy amplification [23]. This may be simply because privacy amplification would not be required for prepare-and-measure protocols, including the above protocol, and the secure key rate derivation based on phase-error-rate estimation may also be invalid.


Misconception of “distinguishability advantage” interpretation of trace distance

There is an interpretation that the trace distance is the "indistinguishability" of the ideal quantum state and the real quantum state [18]. Such an interpretation is justified by citing the quantum binary decision theory of C. W. Helstrom [41]. The following is an overview.

In Helstrom's theory, Alice prepares ρ_0 or ρ_1 with prior probabilities p_0 and p_1. Bob discriminates the quantum states with an optimum measurement. The maximum guessing probability for Bob is


If we assume p_0 = p_1 = 1/2, the trace distance appears:


The interpretation is justified as follows. Alice prepares either a QKD system with which Eve can interact, or a QKD system with an interface that gives Eve measurement results as if she were interacting with the former system, while in fact she cannot interact at all. Alice randomly prepares such systems with prior probability 1/2, and Eve judges which system is in use from her measurement results. If we regard ρ_0 = σ_ABE in (4) and ρ_1 = τ_ABE in (3), then the maximum guessing probability for Eve is given by (70); therefore the trace distance is Eve's advantage in distinguishing the two situations.

The problems with this interpretation are as follows. Eve's success probability in guessing the correct system is said to be given by (70); however, this gives no idea of how high the probability is for Eve to guess the correct key. Furthermore, it raises the following problems.

Now consider the original situation of QKD. Firstly, τ_ABE is a desirable quantum state but cannot be distributed, and σ_ABE is the quantum state that is always distributed. However, in the context of this interpretation, Alice and Bob have to prepare such quantum states with prior probability 1/2. Such a situation does not match the actual situation of QKD. Furthermore, if they could prepare the system with which Eve cannot interact with probability 1/2, it is unclear why they would not use the perfect device every time, whereas in fact the system is always the one with which Eve can interact. This means the prior probability is very contrived. One more thing: in quantum binary decision theory, Bob receives the whole system of the quantum state, but in the context of QKD, Eve receives only a partial system of the quantum state, namely tr_AB σ_ABE. Thus, the situation of the quantum binary decision problem is far different from the situation of QKD.

Therefore, the indistinguishability interpretation is not useful for evaluating the security of QKD.
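The three quantities this subsection keeps apart, the trace distance d of (3), the binary-decision success probability (70) on the whole system, and Eve's probability of guessing the key from her partial system, computed numerically on a constructed one-bit example (added code written for this page, not from the paper; the state family parameterised by an angle t and the function names are assumptions):

```python
import math

# Added example, not from the paper: a one-bit key K held by Alice and Bob and
# one qubit E held by Eve. Eve's conditional state is |0> when k = 0 and
# cos(t)|0> + sin(t)|1> when k = 1, so t = 0 means E carries nothing about K
# and t = pi/2 means E determines K. 2x2 matrices are lists of rows.


def outer(v):
    """Projector |v><v| for a two-component vector v."""
    return [[v[i] * v[j].conjugate() for j in range(2)] for i in range(2)]


def lin(a, b, s):
    """a + s*b for 2x2 matrices."""
    return [[a[i][j] + s * b[i][j] for j in range(2)] for i in range(2)]


def scale(c, m):
    return [[c * m[i][j] for j in range(2)] for i in range(2)]


def eig_herm2(m):
    """Eigenvalues of a 2x2 Hermitian matrix in closed form."""
    tr = (m[0][0] + m[1][1]).real
    det = (m[0][0] * m[1][1] - m[0][1] * m[1][0]).real
    disc = math.sqrt(max(tr * tr - 4.0 * det, 0.0))
    return (tr + disc) / 2.0, (tr - disc) / 2.0


def trace_norm(m):
    """||m||_1 = sum of |eigenvalues| for Hermitian m."""
    return sum(abs(x) for x in eig_herm2(m))


def trace_distance(a, b):
    """D(a, b) = 1/2 ||a - b||_1, the distance used in the criterion."""
    return 0.5 * trace_norm(lin(a, b, -1.0))


def helstrom_success(rho0, rho1, p0=0.5):
    """Eq. (69): optimum success probability of deciding rho0 vs rho1 with
    priors p0 and 1 - p0, i.e. 1/2 (1 + ||p0 rho0 - p1 rho1||_1)."""
    return 0.5 * (1.0 + trace_norm(lin(scale(p0, rho0), rho1, -(1.0 - p0))))


def eve_states(theta):
    """Eve's conditional states rho_E^k and her reduced state sigma_E = tr_K sigma_KE."""
    rho = [outer([1.0 + 0j, 0j]),
           outer([complex(math.cos(theta)), complex(math.sin(theta))])]
    sigma_e = scale(0.5, lin(rho[0], rho[1], 1.0))
    return rho, sigma_e


def analyse(theta):
    rho, sigma_e = eve_states(theta)
    # sigma_KE = sum_k 1/2 |k><k| (x) rho_k and tau_KE = (I/2) (x) sigma_E are both
    # block-diagonal in K, so the trace distance is the average over the blocks.
    d = sum(0.5 * trace_distance(rho[k], sigma_e) for k in (0, 1))
    # Eq. (70): deciding sigma_KE vs tau_KE with priors 1/2 when the WHOLE KE
    # system is handed over; 1/2 (1 + ||(sigma_KE - tau_KE)/2||_1), block by block.
    p_decide = 0.5 * (1.0 + sum(trace_norm(scale(0.25, lin(rho[k], sigma_e, -1.0)))
                                for k in (0, 1)))
    # Eve's optimum probability of guessing k from her PARTIAL system E alone,
    # which is a binary decision between rho_E^0 and rho_E^1 with priors 1/2.
    p_guess = helstrom_success(rho[0], rho[1])
    return {"d": d, "p_decide": p_decide, "p_guess": p_guess, "bound": 0.5 + d}


if __name__ == "__main__":
    for t in (0.0, math.pi / 6, math.pi / 4, math.pi / 2):
        r = analyse(t)
        print(f"t={t:.3f}  d={r['d']:.4f}  P_decide={r['p_decide']:.4f}  "
              f"P_guess={r['p_guess']:.4f}  1/|K|+d={r['bound']:.4f}")
```

For this family, tr_AB σ_ABE is Eve's qubit alone, and her optimum key guess is the Helstrom decision between ρ_E^0 and ρ_E^1, which equals 1/2 + d for every t, so the Case 1 bound 1/|K| + d is met with equality; the success probability (70) of deciding σ versus τ is 1/2 + d/2, a different number, which is the distinction the paragraphs above draw between the distinguishing advantage and the key-guessing probability.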



The Defense Advanced Research Projects Agency (DARPA) in the USA announced the following requirements for quantum cryptography in 2012 [44].

  • Communication speed: 1–10 Gbps

  • Communication range: 1,000–10,000 km

These are seriously challenging goals for QKD.

Meanwhile, the National Cyber Security Centre (NCSC), part of the Government Communications Headquarters (GCHQ) in the UK, published a white paper advising against the use of QKD for important communication infrastructures [5].

On the other hand, there are quantum cryptographies other than QKD. Firstly, Yuen himself proposed a protocol named Keyed Communication in Quantum noise (KCQ) [45], also called Y-00 because Yuen proposed it in 2000 [46], or Quantum Noise Stream Cipher; the version customized at Tamagawa University is named "Quantum Enigma Cipher" [47]. S. Lloyd proposed the Quantum Enigma Machine [48], and J. H. Shapiro proposed a quantum cryptography protocol using quantum illumination [49]. These protocols do not use weak signals such as single photons but macroscopic quantum states at the intensities of current optical communications, so they could satisfy DARPA's requirements. Another known quantum encryption protocol is Quantum Homomorphic Encryption [50]. There may be more protocols for practical use.

Limiting the topic now to KCQ, it is often misunderstood as a technology that encrypts messages directly with the initial key rather than a technology to distribute secret keys. However, as with QKD, it can distribute secret keys by replacing the message with the secret key to be shared. Furthermore, combining QKD and KCQ, with QKD distributing the secret key for KCQ, has often been proposed. However, this may not be so meaningful for KCQ if the security of QKD remains at ε_sec = 2^-50, because that means the key distributed by QKD is like a 50-bit key expanded into 10^6 bits, while KCQ basically uses 128-bit or 256-bit keys expanded by AES or another key-expansion process and hidden under quantum noise to enhance the security. Moreover, KCQ uses lasers at intensities compatible with conventional optical communications, while QKDs are limited in communication distance because of their weak signals. Furthermore, currently the most vulnerable parts of QKD systems are the communication nodes, which are not protected by the laws of physics, as the NCSC document also mentions [5]. Moreover, consider the situation in which Nation A wants to communicate with Nation B through a communication node operated by a less trustworthy Nation E. How can the communication channel be trusted when the node is under the control of Nation E? The literature [51] may give some answers to the author's question, though the author is not yet fully sure for general cases. For instance, Sec. 4.1 of that work states the following.

"Of course, this works only if both sides share measurement results securely. If the eavesdropper can modify or control both the quantum and classical connections between the two parties, she can send false measurement results and fake a Bell inequality violation. To avoid such a man in the middle attack, we assume all classical communications are authenticated and unmodified."

This assumption may not be satisfied when Eve is pre-installed in the repeaters that Nation E possesses. If we are going to build an unconditionally secure quantum internet, such worst cases have to be taken into consideration. Otherwise, the quantum internet would have the same problems as the conventional internet. Recall that QKDs are expected to be secure against an ultimately powerful Eve. In the literature [52], the optimum communication rate is derived in terms of the trace distance criterion; however, as the author described, QKD has been estimating the best performance under the worst scenarios, so the next direction of quantum network research should be the derivation of the best performance under the worst scenarios.

It is certain that the QKD researchers who pioneered highly secure communication using quantum mechanics deserve to be honored even if an unconditionally secure network based on QKD is not realized. In addition, the problems in QKD have shown important challenges regarding what is required of quantum encryption systems. The author of this article is unsure whether unconditionally secure communication based on QKD is possible. However, in practical use there would be choices of quantum cryptography other than QKD. Even in such a case, the knowledge obtained in QKD studies will be greatly useful, in the author's opinion. Developments of QKD can certainly be continued; however, Yuen's warnings should be taken seriously.



In this article, the author gave detailed explanations of what H. P. Yuen has been warning about the security of QKD since 2009. Furthermore, the article showed an example of the Bit-Error-Rate guarantee in BB84, which Yuen suggested as a stronger security criterion than the currently standardized trace distance criterion. According to the Bit-Error-Rate guarantee, it seems Eve may have an exponentially larger chance of success in nearly perfect eavesdropping than the conventional security criterion, the trace distance, indicates. Furthermore, the author raised several questions on the definition of the trace distance criterion, by letting the eavesdropper define the trace distance so as to maximize her success probability in obtaining the correct key. Moreover, the Shor-Preskill security proof of 2000 might have given us the misunderstanding that prepare-and-measure QKDs are equivalent to entanglement-based QKDs using quantum error correction. Therefore, for further security analyses, we may need to abandon the trace distance security criterion.



Bennett, C. H. and Brassard, G., "Quantum cryptography: public key distribution and coin tossing," Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, 175 (1984).

Bennett, C. H. and Brassard, G., "Quantum cryptography: public key distribution and coin tossing," (rewritten version) Theoretical Computer Science 560, 7–11 (2014).

Lydersen, L., Wiechers, C., Wittmann, C., Elser, D., Skaar, J., and Makarov, V., "Hacking commercial quantum cryptography systems by tailored bright illumination," Nature Photonics 4(10), 686–689 (2010).

Lo, H.-K., Curty, M., and Qi, B., "Measurement-Device-Independent Quantum Key Distribution," Phys. Rev. Lett. 108, 130503 (2012).

The British governmental white paper, "Quantum Key Distribution," National Cyber Security Centre, a part of GCHQ in Britain, 4 Oct. (2016). https://www.ncsc.gov.uk/information/quantum-key-distribution

Tamaki, K., Curty, M., and Lucamarini, M., "Decoy-state quantum key distribution with a leaky source," New Journal of Physics 18(6), 065008 (2016).

Yuen, H. P., "Two-photon coherent states of the radiation field," Physical Review A 13(6), 2226 (1976).

Yuen, H., Kennedy, R., and Lax, M., "Optimum testing of multiple hypotheses in quantum detection theory," IEEE Transactions on Information Theory 21(2), 125–134 (1975).

Yuen, H., and Lax, M., "Multiple-parameter quantum estimation and measurement of nonselfadjoint observables," IEEE Transactions on Information Theory 19(6), 740–750 (1973).

Yuen, H. P., "Universality and The Criterion 'd' in Quantum Key Generation," arXiv:0907.4694v1 [quant-ph] (2009).

Yuen, H. P., "Fundamental Quantitative Security In Quantum Key Generation," arXiv:1008.0623v3 [quant-ph] (2010), or Physical Review A 82(6), 062304 (2010).

Bennett, C. H., Brassard, G., Crépeau, C., and Maurer, U. M., "Generalized privacy amplification," IEEE Transactions on Information Theory 41(6), 1915–1923 (1995).

Shor, P. W., and Preskill, J., "Simple proof of security of the BB84 quantum key distribution protocol," Physical Review Letters 85(2), 441 (2000).

König, R., Renner, R., Bariska, A., and Maurer, U., "Small accessible quantum information does not imply security," Physical Review Letters 98(14), 140502 (2007).

Renner, R., and König, R., "Universally composable privacy amplification against quantum adversaries," in Theory of Cryptography Conference, pp. 407–425, Springer, Berlin, Heidelberg (February 2005).

Scarani, V., Bechmann-Pasquinucci, H., Cerf, N. J., Dušek, M., Lütkenhaus, N., and Peev, M., "The security of practical quantum key distribution," Reviews of Modern Physics 81(3), 1301 (2009).

Benatti, F., Fannes, M., Floreanini, R., and Petritis, D. (Eds.), "Quantum information, computation and cryptography: an introductory survey of theory, technology and experiments," Vol. 808, Springer (2010).

Portmann, C., and Renner, R., "Cryptographic security of quantum key distribution," arXiv:1409.3525v1 (2014).

Yuen, H. P., "Security of quantum key distribution," IEEE Access 4, 724–749 (2016).

Yuen, H., "What The Trace Distance Security Criterion in Quantum Key Distribution Does And Does Not Guarantee," arXiv:1410.6945v1 [quant-ph] (2014).

Nielsen, M., and Chuang, I., "Quantum Computation and Quantum Information," Cambridge University Press (2000).

Takesue, H., Sasaki, T., Tamaki, K., and Koashi, M., "Experimental quantum key distribution without monitoring signal disturbance," Nature Photonics 9, 827–831 (2015).

Sasaki, T., Yamamoto, Y., and Koashi, M., "Practical quantum key distribution protocol without monitoring signal disturbance," Nature 509(7501), 475–478 (2014).

Curty, M., "Quantum cryptography: Know your enemy," Nature Physics 10(7), 479 (2014).

Stinson, D. R., "Cryptography: Theory and Practice," Third Edition, CRC Press (2005).

Automobile Inspection and Registration Information Association Japan, https://www.airia.or.jp/publish/file/e49tph00000004sb-att/e49tph00000004si.pdf

Iwakoshi, T., "Security of Quantum Key Distribution from Attacker's View," The 33rd Quantum Information Technology Symposium, IEICE QIT2015-16 (2015). https://doi.org/10.13140/RG.2.2.12625.74081

Iwakoshi, T., "Yuen's Criticisms on Security of Quantum Key Distribution and Onward," SCIS 2017, 2017 Symposium on Cryptography and Information Security, Naha, Japan, 24–27 Jan. (2017). https://doi.org/10.13140/RG.2.2.18173.77282

Koashi, M., "Simple security proof of quantum key distribution based on complementarity," New Journal of Physics 11(4), 045018 (2009).

Tomamichel, M., Lim, C. C. W., Gisin, N., and Renner, R., "Tight finite-key analysis for quantum cryptography," Nature Communications 3, 634 (2012).

Iwakoshi, T., "Trade-off between Key Generation Rate and Security of BB84 Quantum Key Distribution," Tamagawa University Quantum ICT Research Institute Bulletin, vol. 5, no. 1, pp. 1–4 (2015), or http://www.tamagawa.jp/research/quantum/bulletin/2015.html https://www.researchgate.net/publication/314363534

Abidin, A., and Larsson, J. Å., "Direct proof of security of Wegman–Carter authentication with partially known key," Quantum Information Processing 13(10), 2155–2170 (2014).

Ferguson, N., Schneier, B., and Kohno, T., "Cryptography Engineering: Design Principles and Practical Applications," John Wiley and Sons (2011).

König, R., Renner, R., and Schaffner, C., "The operational meaning of min- and max-entropy," IEEE Transactions on Information Theory 55(9), 4337–4347 (2009).

Fuchs, C. A., Gisin, N., Griffiths, R. B., Niu, C. S., and Peres, A., "Optimal eavesdropping in quantum cryptography. I. Information bound and optimal strategy," Physical Review A 56(2), 1163 (1997).

Brandt, H. E., "Topical Review: Optimum Probe Parameters for Entangling Probe in Quantum Key Distribution," Quantum Information Processing 2(1), 37–79 (2003).

Brandt, H. E., "Quantum-cryptographic entangling probe," Physical Review A 71(4), 04231 (2005).

Kim, T., genannt Wersborg, I. S., Wong, F. N., and Shapiro, J. H., "Complete physical simulation of the entangling-probe attack on the Bennett-Brassard 1984 protocol," Physical Review A 75(4), 042327 (2007).

Acharyya, A., and Paul, G., "Revisiting optimal eavesdropping in quantum cryptography: Optimal interaction is unique up to rotation of the underlying basis," Physical Review A 95(2), 022326 (2017).

Helstrom, C. W., "Quantum Detection and Estimation Theory," Journal of Statistical Physics 1(2), 231–252 (1969), or Academic Press (1976).

Sasaki, T., and Koashi, M., "A security proof of the round-robin differential phase shift quantum key distribution protocol based on the signal disturbance," Quantum Science and Technology 2(2) (2017).

Mizutani, A., Sasaki, T., Kato, G., Takeuchi, Y., and Tamaki, K., "Information-theoretic security proof of differential-phase-shift quantum key distribution protocol based on complementarity," arXiv:1705.00171 (2017).

"Broad Agency Announcement Quiness: Macroscopic Quantum Communications," DSO DARPA-BAA-12-42, May 15 (2012).

Barbosa, G. A., Corndorf, E., Kumar, P., and Yuen, H. P., "Secure communication using mesoscopic coherent states," Physical Review Letters 90(22), 227901 (2003).

Hirota, O., Kato, K., Sohma, M., Usuda, T. S., and Harasawa, K., "Quantum stream cipher based on optical communications," Proceedings Volume 5551, Quantum Communications and Quantum Imaging II (2004); doi: 10.1117/12.561778

Futami, F., and Hirota, O., "100 Gbit/s (10 × 10 Gbit/s) Y-00 cipher transmission over 120 km for secure optical fiber communication between data centers," in Optical Fibre Technology, 2014 OptoElectronics and Communication Conference and Australian Conference on, pp. 4–6, IEEE (July 2014).

Lloyd, S., "Quantum enigma machines," arXiv:1307.0380 (2013).

Shapiro, J. H., Zhang, Z., and Wong, F. N., "Secure communication via quantum illumination," Quantum Information Processing 13(10), 2171–2193 (2014).

Liang, M., "Symmetric quantum fully homomorphic encryption with perfect security," Quantum Information Processing 12(12), 3675–3687 (2013).

Satoh, T., Nagayama, S., and Van Meter, R., "The Network Impact of Hijacking a Quantum Repeater," arXiv:1701.04587 (2017).

Azuma, K., Mizutani, A., and Lo, H. K., "Fundamental rate-loss trade-off for the quantum internet," Nature Communications 7, 13523 (2016).

© 2017 Society of Photo-Optical Instrumentation Engineers (SPIE).
T. Iwakoshi, "On problems in security of quantum key distribution raised by Yuen", Proc. SPIE 10442, Quantum Information Science and Technology III, 1044203 (5 October 2017); doi: 10.1117/12.2278625; http://dx.doi.org/10.1117/12.2278625

Keywords: Quantum key distribution, Information security, Quantum cryptography, Quantum communications, Computer security, Quantum physics, Binary data

