Security analysis of measurement-device-independent quantum secure direct communication

Abstract

Quantum secure direct communication (QSDC) is an important branch of quantum communication that transmits confidential messages directly in a quantum channel without utilizing encryption and decryption. It not only prevents eavesdropping during transmission, but also eliminates the security loophole associated with key storage and management. Recently measurement-device-independent (MDI) QSDC protocols in which the measurement is performed by an untrusted party using imperfect measurement devices have been constructed, and MDI-QSDC eliminates the security loopholes originating from the imperfections in measurement devices so that enable applications of QSDC with current technology. In this paper, we complete the quantitative security analysis of the MDI-QSDC protocols, one based on EPR pairs and one based on single photons. In passing, a security loophole in one of the MDI-QSDC protocols (Niu et al. in Sci Bull 63(20):1345–1350, 2018) is fixed. The security capacity is derived, and its lower bound is given. It is found that the MDI-QSDC secrecy capacity is only slightly lower than that of QSDC utilizing perfect measurement devices. Therefore, QSDC is possible with current measurement devices by sacrificing a small amount in the capacity.

Derivation details of secrecy capacity

In this appendix, the derivation details of secrecy capacity are presented.

1.1 MDI-TS protocol

For MDI-TS protocol, the derivation focuses on the mutual information between Alice and Eve, i.e., the Holevo bound in Eq. (6) in the main body, which can be simplified through the subadditivity of entropy.

The first term on the right hand side is the von Nuemann entropy of \(\sum _{\zeta } p_{\zeta } \rho _{ABE}^{\zeta } \), which is a result of the cover operation followed with the encoding operation. It is worth noting that the above operations can fully mix the system A and B, respectively, or in other words, they are totally depolarizing channels with the following form,

$$\begin{aligned} \mathcal {N}(\rho ) = \frac{1}{4}(\rho + \sigma _x \rho \sigma _x + \sigma _z \rho \sigma _z + \sigma _y \rho \sigma _y). \end{aligned}$$

(11)

Take the purified state \(|\varPhi _{ABE}\rangle \) as input, we have

$$\begin{aligned} \mathcal {N}_A \circ \mathcal {N}_B (|\varPhi _{ABE}\rangle \langle \varPhi _{ABE}|) = \rho _{AB}^{\mathrm {mix}} \otimes \mathrm {Tr}_{AB}(|\varPhi _{ABE}\rangle \langle \varPhi _{ABE}|), \end{aligned}$$

(12)

where \(|\varPhi _{ABE}\rangle = \sum _i \sqrt{\delta _i} | \varPsi _i \rangle |E_i \rangle \) and \(\rho _{AB}^{\mathrm {mix}}\) is the fully mixed state of system AB. The result of the partial trace is

$$\begin{aligned} \mathrm {Tr}_{AB} \left( |\varPhi _{ABE}\rangle \langle \varPhi _{ABE}| \right) = \sum _i \delta _i |E_i \rangle \langle E_i |. \end{aligned}$$

(13)

Then the first term on the right-hand side of Eq. (6) is

$$\begin{aligned} \begin{aligned} S\left( \sum _{\zeta } p_{\zeta } \rho _{ABE}^{\zeta } \right)&= S\left( \rho _{AB}^{\mathrm {mix}} \right) + S\left( \sum _i \delta _i |E_i \rangle \langle E_i |\right) \\&= 2 + H(\left\{ \delta _i \right\} )\\&= 2 + h(\delta _3 +\delta _4) +(\delta _1+\delta _2)h\left( \frac{\delta _2}{\delta _1+\delta _2}\right) + (\delta _3 + \delta _4)h\left( \frac{\delta _4}{\delta _3+\delta _4}\right) \\&\le 2 + h(\epsilon _z) + h(\epsilon _x), \end{aligned} \end{aligned}$$

(14)

where \(\epsilon _z = \delta _3 + \delta _4\), \(\epsilon _x = \delta _2 +\delta _4\).

Therefore, the mutual information of A and E is

$$\begin{aligned} I(A:E) \le h(\epsilon _z) + h(\epsilon _x). \end{aligned}$$

(15)

The definition of secrecy capacity leads to Eq. (8) in the main body.

1.2 MDI-DL04 protocol

The derivation for secrecy capacity of MDI-DL04 is similar with Ref. [43]. We also present it here to make this appendix self-contained. For MDI-DL04 protocol, the state \(\rho _{AE}\) has the form

$$\begin{aligned} \rho _{AE}= \mathrm {Tr}_B(| \psi _{ABE} \rangle \langle \psi _{ABE}|) = \frac{1}{2} ( P_{|\varphi _1\rangle } + P_{|\varphi _2 \rangle }), \end{aligned}$$

(16)

where \(P_{|\cdot \rangle }\) is the projection operator of state \(|\cdot \rangle \) and we have defined:

$$\begin{aligned} \begin{aligned} |\varphi _1 \rangle&\equiv |0\rangle _A (\sqrt{\delta _3}|E_3\rangle + \sqrt{\delta _4}|E_4\rangle ) \\&\quad + |1\rangle _A ( \sqrt{\delta _2}|E_2\rangle - \sqrt{\delta _1}|E_1\rangle ), \\ |\varphi _2 \rangle&\equiv |0\rangle _A ( \sqrt{\delta _1}|E_1\rangle + \sqrt{\delta _2}|E_2\rangle ) \\&\quad + |1\rangle _A ( \sqrt{\delta _4}|E_4\rangle - \sqrt{\delta _3}|E_3\rangle ). \end{aligned} \end{aligned}$$

(17)

The encoded states are

$$\begin{aligned} \begin{aligned} \rho _{AE}&= \frac{1}{2}(P_{|\varphi _1 \rangle } + P_{|\varphi _1 \rangle }),\\ \sigma _u\rho _{AE} \sigma _u&= \frac{1}{2}(P_{\sigma _u|\varphi _1 \rangle } + P_{\sigma _u|\varphi _2}\rangle ). \end{aligned} \end{aligned}$$

(18)

Now we consider \(\sigma _u = i \sigma _y\) for brevity, and other situations follow in a similar way. The Holevo bound of AE is

$$\begin{aligned} \begin{aligned} I(A:E)&\le S \left( \sum _{k} {p_k \rho _{AE}^k} \right) - \sum _{k} {p_k S \left( \rho _{AE}^k \right) }. \end{aligned} \end{aligned}$$

(19)

The Gram matrix method [50] is used to calculate the first term, and the Gram matrix of \(\sum _{k} p_k \rho _{AE}^k\) is

$$\begin{aligned} \mathbf {G} = \frac{1}{4}\begin{bmatrix} 1 &{} 0 &{} 0 &{} \delta _1-\delta _2-\delta _3+\delta _4 \\ 0 &{} 1 &{} -\delta _1+\delta _2+\delta _3-\delta _4 &{} 0 \\ 0 &{} -\delta _1+\delta _2+\delta _3-\delta _4 &{} 1 &{} 0 \\ \delta _1-\delta _2-\delta _3+\delta _4 &{} 0 &{} 0 &{} 1 \end{bmatrix}. \end{aligned}$$

(20)

Then we have the eigenvalues (noting that \(\delta _1-\delta _2-\delta _3+\delta _4 = 1 - 2\epsilon _y\))

$$\begin{aligned} \frac{1}{4} \times \begin{pmatrix} &{} 1+(1 - 2\epsilon _y)\\ &{} 1+(1 - 2\epsilon _y)\\ &{} 1-(1 - 2\epsilon _y)\\ &{} 1-(1 - 2\epsilon _y) \end{pmatrix}, \end{aligned}$$

(21)

and the entropy \(S\left( \sum _{k} p_k \rho _{AE}^k\right) = 1 + h(\epsilon _y)\). Then we have

$$\begin{aligned} I(A:E) \le h(\epsilon _y), \end{aligned}$$

(22)

and the secrecy capacity in Eq. (10) in the main body follows naturally.