Methods for analysing the security of quantum key distribution (QKD) schemes/protocols are still being developed [PAB+20, PR22].

• These methods combine existing cryptographic notions and techniques with quantum information theory.
• Depending on the implementation of the QKD scheme, physical laws governing the implementation (e.g., quantum-optical laws) also play a role.
• Compared to computational security, which can be reduced to complexity-theoretic reasoning based on the Turing machine, methods for analysing the security of QKD schemes are thus more involved and, in terms of the transdisciplinary effort required, more challenging.

The security of a QKD scheme is typically analysed in terms of the level of success of 1️⃣ individual attacks, 2️⃣ collective attacks and 3️⃣ coherent attacks; in 🔼 increasing order of power given to the adversary [Wol21, Sec. 5.3.1].

• Individual and collective attacks are usually considered in order to simplify the security analysis, but it is necessary to also consider coherent attacks in order to prove the security of a QKD scheme.
• We can analyse the different types of attacks by the way 😈 Eve interacts with 👩 Alice’s signals and how Eve processes the information she gets in this way.

• General procedure for extracting information from a quantum system:

  1. 😈 Eve attaches an ancilla system in the predefined state $|E\rangle_E\langle E|$ to the quantum state $\rho_A$ transmitted by 👩 Alice; $|E\rangle_E\langle E|$ and $\rho_A$ are density-matrix representations of quantum states.

     Please spend time understanding pure state, mixed state and density matrix.

  2. 😈 Eve then performs a unitary operation $\mathbf{U}$ on the composite system, which leaves the state of the ancilla system in the form:

     $\rho_E = \text{tr}_A\left(\mathbf{U}^\dagger \rho_A\otimes|E\rangle_E\langle E| \mathbf{U}\right),$

     where $\otimes$ is the Kronecker operator and $\text{tr}_A$ denotes partial trace.

     Please spend time understanding reduced density matrix and partial trace.

The security of a QKD scheme is also often analysed in terms of composability, short for universally composable security.

• Informally, we say a QKD scheme is composable if the key it produces is almost as good as if it were distributed with an ideal key distribution protocol [Van06, Sec. 12.2.6].
• A cryptographic primitive, which is secure when used with an ideally secret key, must still be secure if used with a QKD-distributed key.
• Composability is critical since QKD-derived secret keys are used in other applications, e.g., data encryption [JCM+22].

TODO: Trace distance criterion [PR22], security = correctness + secrecy [Gra21]. Asymptotic vs finite-key security analysis.

Security evaluation of practical QKD implementations involves evaluating the level of success of “quantum hacking” (i.e., side-channel attacks on QKD).