High-Dimensional Semi-Quantum Cryptography

A semi-quantum key distribution (SQKD) protocol allows two users, one of whom is restricted in their quantum capabilities, to establish a shared secret key, secure against an all-powerful adversary. In this paper, we design a new SQKD protocol using high-dimensional quantum states and conduct an information theoretic security analysis. We show that, similar to the fully-quantum key distribution case, high-dimensional systems can increase the noise tolerance in the semi-quantum case. Along the way, we prove several general security results which are applicable to other SQKD protocols (both high-dimensional ones and standard qubit-based protocols).


Introduction
It is well known that secure key distribution, using only classical communication, is impossible unless computational assumptions are placed on the power of the adversary.If both A and B are able to communicate using quantum resources, however, perfect security is possible and the only assumption on the adversary required is that she obey the laws of quantum physics.Quantum Key Distribution (QKD) protocols allow two parties (Alice, A, and Bob, B) to establish a shared secret key, secure against an all-powerful adversary (Eve, E).Since the first QKD protocol developed by Bennett and Brassard in 1984 (the so-called BB84 protocol [1]), both the theory and practice of QKD has been increasing dramatically.For a general survey of QKD, both the theory and practice, the reader is referred to [2,3,4].
Since perfect security for key distribution is impossible if both A and B are restricted to classical communication while it is possible if both A and B are "quantum capable," a natural question to ask is "what is the middle ground?"A communication model designed to help answer this question is the so-called semi-quantum model of cryptography, first introduced in 2007 by Boyer et al. [5].In this model, one party is "fully quantum" in that they can do anything the protocol requires of them so long as it is possible according to quantum mechanics.The second party, however, is restricted to operations which are mathematically equivalent to classical communication.Thus, one party is quantum while the other party is "classical."Since its original introduction in 2007, there have been numerous new semiquantum key distribution (SQKD) protocols developed [6,7,8,9,10,11,12].There have also been extensions to the model beyond basic key distribution including secret sharing [13,14,15] and state comparison [16,17,18].
(S)QKD protocols operate in two stages: first is a quantum communication stage whereby users utilize the quantum channel, along with the classical authenticated channel (which is a classical communication channel that is authenticated, but not secret), to establish a raw key.A and B both have their own raw key which is a string of classical bits that are partially correlated (there may be some errors due to an adversary's attack or just natural noise) and partially secret (an adversary may have some information on this raw key).Thus this rawkey by itself cannot be used directly as a secret key.Users, therefore, must run a second stage where, at a minimum, they will execute an error correction protocol using the authenticated classical channel (leaking additional information to E) followed by a privacy amplification protocol which takes the error-corrected raw key and hashes it down to a smaller secret key.The relative size of the secret key compared to the initial raw-key (called the key-rate of the protocol) is a statistic of great importance in QKD research and bounding it, as a function of observed noise in the quantum channel, is the main challenge in any (S)QKD security proof.A related statistic is the noise tolerance of the protocol which specifies the noise threshold after which the adversary has too much information and so users must simply abort (e.g., BB84's noise tolerance is 11% [19,20]).Before this tolerance threshold is reached, privacy amplification is able to give a positive, though potentially small, key (the size of the secret key decreases as the noise increases due to the direct correlation between noise and adversarial information gain).
As far as semi-quantum cryptography is concerned, there have been, by now, several proofs of security based on key-rate computations for SQKD protocols and, rather surprisingly, despite the limitations on one of the users, along with the increased attack strategy space afforded to the adversary (due to the requirement of a two-way quantum channel allowing quantum resources to travel from A, to B, then back to A), noise tolerances compare favorably to several fully quantum protocols.In particular, in [21], the noise tolerance of the original Boyer et al., protocol can approach 11%, the same as BB84.However, this optimistic result required looking at numerous mismatched statistics (a technique introduced in [22], extended for one-way channels in [23,24,25], and expanded for two-way quantum channels in [21]).Without these statistics, and only looking at the error rate, the Boyer et al., protocol has a noise tolerance of 6.14%, though this is only a lower-bound and future refinements to the security proof techniques may improve this to the 11% found with mismatched measurements.Currently, the best-known noise tolerance for an SQKD protocol is from [26] which can attain a tolerance of 17.8% or even as high as 26% for certain, practical, quantum channels (a result comparable to BB84 with Classical Advantage Distillation [27,28]).Again, this high tolerance bound required looking at numerous mismatched measurements.
Designing protocols with increased noise tolerance is an important task.Encouraged by recent theoretical successes in fully-quantum QKD using high-dimensional carriers [29,30,31,32,33,34,35,36,37,38,39] and, in particular, these protocols' ability to withstand high channel noise levels (some reaching 50% as the dimension of the quantum carrier approaches infinity), we ask, can a high dimensional quantum communication channel also benefit semiquantum key distribution?Or does this substantial improvement in noise tolerance require two fully quantum users to truly harness?We note that a high-dimensional SQKD protocol was introduced in [33], using a quantum walk as the information carrier, however a noise tolerance computation was not performed due to the great complexity of that protocol and so this question still remained open (though the methods we develop in this paper may be applicable to other protocols such as this quantum-walk based protocol ).
In this paper, we show high dimensional states can benefit semi-quantum communication and in doing so, make several contributions in this work.We design a new highdimensional SQKD protocol and conduct an information theoretic security analysis allowing us to compute a lower-bound on its key-rate based on observed channel noise.Our security proof introduces several new techniques which may be applicable to other (S)QKD protocols (both standard qubit-based and future-developed high-dimensional ones including, perhaps, the quantum-walk SQKD protocol developed in [33]).Semi-quantum protocols rely on a two-way quantum channel giving the adversary a greater attack strategy space making security analyses for semi-quantum protocols difficult, especially in higher dimensions (all past work involving key-rate computations have been for the qubit case).As such, our new methods may prove beneficial not only for other semi-quantum protocols, but also fully-quantum protocols reliant on a two way quantum channel (of which there are several [40,41,42,43,44,45]). Finally, we evaluate our protocol's performance and determine its noise tolerance for varying dimensions and show that, indeed, high dimensional carriers do benefit the noise tolerance of semi-quantum protocols.We show that our protocol's noise tolerance tends to 30% as the dimension increases; this result is without requiring any mismatched statistics.While this is not as high as the 50% achieved in the fully quantum case, this is still higher than any other SQKD protocol to-date and, considering that this is a semi-quantum protocol, where one participant is severely limited in their capabilities, is still a very positive result.This work paves the way for future research in higher-dimensional systems for semi-quantum or two-way quantum cryptography.By analyzing semi-quantum protocols with high dimensional systems, we further map out the "gap" between classical and quantum communication systems.
In this work, we are primarily concerned with a theoretical protocol and not practical attacks or complications involving its implementation.We note that several fully quantum high-dimensional QKD protocols have been experimentally implemented and the experimental generation of high dimensional entangled states has seen rapid progress lately [46,47,48,49].However, we do not concern ourselves with practical implementations of this system.Instead, we are solely interested in understanding how high-dimensional quantum states may benefit the semi-quantum model of cryptography, leaving practical issues as future work.

Preliminaries
If ρ AB is a density operator (i.e., a Hermitian positive semi-definite operator of unit trace) acting on Hilbert space H A ⊗ H B , then we write ρ A to mean the partial trace over the B portion, namely ρ A = tr B ρ AB .Similarly for other, or multiple, systems.Given a system ρ AB which is unmeasured, and an orthonormal basis V = {|v 1 , • • • , |v d } for the A system (which is of dimension d), then we write ρ A V B to mean the density operator resulting from a measurement of the A register in this V basis.
We use H(A) ρ to mean the entropy function -either the classical Shannon entropy (if ρ is a classical state) or the quantum von Neumann entropy (the context will always be clear which we mean).Note this implies ρ is a density operator acting on at least some A register (if it acts on others, we first trace out those additional spaces and compute the entropy in the resulting A space only).The von Neumann entropy is defined: where all logarithms in this paper are base two).The conditional entropy is denoted H(A|B) ρ and defined H(AB) ρ − H(A) ρ .If ρ AB is an unmeasured quantum state, then by H(A V |B) ρ we mean the conditional entropy in the operator resulting from measuring the A portion of ρ AB in the V basis (the B portion remains unmeasured).By H(A V |B V ) ρ we mean the same, but after also measuring the B portion (in which case the entire state is classical and so Shannon entropy is used).If the context is clear, we may drop the subscript.Finally, for a real number x ∈ [0, 1] we write H(x) to mean the binary Shannon entropy, namely H Given operator X, we write ||X|| to mean the trace distance.If X is Hermitian and finite dimensional, then this is simply the sum of the absolute values of the eigenvalues of X.
Finally, let ρ ABE be a quantum state where the A portion is d-dimensional and let be two orthonormal bases.An important entropic uncertainty relation which will be used later, was proven in [50] and states that for any quantum state ρ ABE , it holds that: where c = max i,j | v i |u j | 2 .This will be used in our proof of security later.

Semi-Quantum Cryptography
The semi-quantum model, as introduced in [5], consists of at least one "fully-quantum" user (typically A) and one "classical" or "semi-quantum" user (typically B).This classical user is only allowed to interact with the quantum channel in a very restricted way.In particular, he can choose to do one of two things on receiving any quantum state from A: • Reflect: If he chooses this option, he will disconnect from the quantum channel, creating a loop back to A. In this case, the quantum user is simply "talking to herself" over a large, looped, quantum channel.
• Measure and Resend: If he chooses this option, he will perform a measurement of the quantum state in a single, publicly known, basis (typically the computational basis).
Based on his measurement result, he will then send a new quantum state, prepared in this same basis, back to A.
Clearly, if both users are semi-quantum and can only perform these two operations, the system is mathematically equivalent to a classical communication protocol as both users would be restricted to only operating directly in a single, publicly known, basis.Thus, the interest in semi-quantum cryptography is to see how security holds when one user is quantum, but the other is classical according to the above functionality.
Note that we are not considering practical device security in this work and are only interested in the theoretical properties of semi-quantum communication.Thus we do not concern ourselves with such attacks as the photon tagging attack [51,52] or multi-photon attacks (especially problematic when B chooses Measure and Resend as he must re-prepare qubits in the observed state).Though interesting, these are outside the scope of this worktechniques from [7] may prove beneficial to securing our protocol against these attacks but we leave this as interesting future work.
As mentioned earlier, (S)QKD protocols operate, first, through a quantum communication stage.This stage utilizes the quantum communication channel and the authenticated classical channel to output a raw-key of size N bits.From this error correction and privacy amplification are run outputting a secret key of size (N ) bits.The key-rate is defined to be the ratio (N )/N .We are interested in the theoretical asymptotic limit.In this case, assuming collective attacks (i.i.d.attacks where E is free to store a quantum memory system for measurement at any future point in time [2]), it was shown in [20,53] that: where ρ ABE is a density operator describing a single iteration of the quantum communication stage, conditioned on that iteration being used to distill raw key material (i.e., not on an iteration used only for error checking or an iteration that is later discarded due to an incompatible basis choice).The infimum is over all collective attacks that induce the observed noise statistics.Above, the A and B registers are the actual classical raw-key bit registers and only the E portion is quantum.It is this entropy equation, and in particular the von Neumann entropy H(A|E), that we are interested in computing and is the main challenge (computing H(A|B) is generally trivial given the observed noise statistics).
Our protocol uses higher-dimensional systems and, as such, we must define the bases we work with.For the classical user, we will use the computational basis of dimension 2 n , namely: when needed to simplify notation, we will also label equivalently as The quantum user, of course, is not restricted to operating in only one basis and so we also define the following "F" basis: where |F x = F |x and F is the quantum Fourier transform, namely: Of course, one may consider other bases that the quantum user may utilize.However, our protocol will make use of both the Z and F bases.Note that, for the classical user, if he chooses Measure and Resend or Reflect, that operation is performed on an entire n-qubit signal state (e.g., he cannot reflect "half" the qubits and measure the other half in our model).

The Protocol
Our protocol is shown in Protocol 1.The protocol operates by having A send signals of n-qubits each.For each iteration, B will either Measure and Resend the entire n-qubit state or he will Reflect the entire state.Whenever A sends a Z basis state and B chooses to Measure and Resend, they will add n bits to their raw key.Once a sufficiently large raw key has been established, standard error correction and privacy amplification are run.In the next section we will compute a lower-bound on the key-rate of this protocol.We will consider a noisy, but loss-less, quantum channel and ideal devices.Practical security concerns, though interesting, are outside the scope of this work and would provide interesting future work.Any collective attack against this protocol consists of two unitary operators (U F , U R ) where U F is applied in the forward channel and U R is applied in the reverse.

Security Analysis
We now analyze the security of our protocol.As with other (S)QKD protocols, we show security against collective attacks.We will comment on general attacks later.Our security analysis extends ideas introduced in our conference paper [54] but to the higher-dimensional case and consists of two main parts: First, we will prove that it is sufficient to analyze a particular one-way fully quantum protocol and, once security is proven there assuming the same channel observations are made, security of our SQKD protocol follows immediately.This reduction is very general and can apply to other SQKD protocols.Thus, to analyze security of the two-way semi-quantum protocol, it suffices to consider a particular one-way protocol which is easier to analyze as E only attacks once.Second, we analyze the security of this one-way protocol through the use of entropic uncertainty relations, and continuity of conditional von Neumann entropy.The techniques we develop in both steps are often general and may be applicable to other two-way (S)QKD protocols.
Protocol 1 n-dimensional SQKD: Π SQKD Public Parameters: n: the number of qubits to send per signal; p M , the probability of choosing Measure and Resend; p Z , the probability of A choosing the Z basis.

Quantum Communication Stage:
The quantum communication stage of the protocol will repeat the following until a sufficiently large raw-key has been distilled: 1.With probability p Z , A prepares a randomly chosen Z basis state; otherwise she prepares a randomly chosen F basis state.She records her choice of basis and the choice of state and sends the resulting n-qubit state to B.
2. B chooses, with probability p M to Measure and Resend, measuring all n qubits in the computational basis and recording the result and then resending the observed state back to A. Otherwise, with probability 1 − p M , he chooses Reflect in which case he reflects all n qubits back to A.

3.
A measures the returning n qubit system in the same basis she used to prepare.

4.
A and B, using the authenticated classical channel, divulge their choices (B his choice of "Measure and Resend" or "Reflect" and A her choice of basis).If A chose the Z basis and B chose Measure and Resend, they will use this iteration to contribute towards their raw key; namely, B will append his n-bit measurement result string and A will append her initial state she prepared to their respective raw-keys (in this case, A's subsequent measurement result is not used).We call this a key-distillation iteration.Otherwise, this iteration (along with a suitably chosen random subset of key-distillation iterations) may be used for error detection in the obvious way.

Reduction to a One-Way Protocol
In this section we show how certain SQKD protocols, of arbitrary dimensions, may be reduced to a one-way protocol.Note that in [42], a method of reducing two-way fully quantum protocols to one-way, entanglement based protocols was shown, however that method only applies if the original protocol admits a certain symmetry property which semi-quantum protocols necessarily lack (due to B's use of Measure and Resend).As a first step, we first consider an intermediate, two-way, SQKD protocol, which we denote by Π ent .This intermediate protocol is no longer prepare-and-measure, but instead has A preparing entangled qudits and B performing a CNOT gate whenever he chooses Measure and Resend.The protocol is shown in Protocol 2. It is not difficult to see that security of Π ent implies security of Π SQKD (i.e., Π ent ⇒ Π SQKD where "⇒" means "implies security of").Indeed, A's prepare-and-measure scheme in Π SQKD is equivalent to her preparing the entangled state of 2n qubits a |a, a and sending the right register (consisting of n qubits) to B while keeping the left-half to herself.If B chooses to reflect, this is nothing more than an identity operation whereas if he chooses to Measure and Resend, then by applying CNOT gates targeting his register and then measuring at some future time, this is equivalent to him measuring immediately.Finally, when qubits return to A, she may measure both n qubit registers in the same basis -standard arguments [2,6] show that her measurement of the A 1 register is equivalent to her initially preparing the state she observes at this later point.Furthermore, a collective attack against this protocol is identical to the Π SQKD case, namely two unitary attack operators (U F , U R ).
Next, we introduce our one-way protocol, shown in Protocol 3 and denoted Π OW .At first glance, the two protocols, Π ent (which is semi-quantum and uses a two-way quantum channel) and Π OW (which is one-way and fully quantum) do not appear similar.However, we will prove that security of Π OW implies security of Π ent (which, in turn, implies security of our actual protocol Π SQKD ).We do this by showing that, for any attack against Π ent , there exists an attack against Π OW which causes E to gain as much information on the raw-key as in Π ent and, furthermore, the view according to A, B, and E are identical in both cases (i.e., the two cases are indistinguishable).Thus, if we analyze Π OW (which is easier to do since it is one-way), we automatically cover any attack against Π ent .Ultimately, this technique is an extension of a result in our conference paper [54] to the arbitrary, N -dimensional case (only the qubit, N = 2 case was considered before).However, beyond being more general, our proof here is also more refined as it does not require an additional "simplification" step that was necessary in [54].
Let N = 2 n .An attack against Π OW consists of a probability distribution {p(b)} for all b = 0, 1, • • • , N − 1 along with a single attack operator U acting on 2n qubits and E's quantum ancilla.Note that E gets to choose the values p(b) which B uses to prepare his states -thus, E has partial control over B's source device in Π OW ; the reason for this necessity will be apparent later in our proof.We now prove it is sufficient to consider security of Π OW (in which case we have Π OW ⇒ Π ent ⇒ Π SQKD ).
Theorem 1.Let (U F , U R ) be a collective attack against Π ent and let ρ ABE be the resulting density operator describing a single iteration of Π ent in the event this attack is used.Then, Protocol 2 Entanglement-Based n-dimensional SQKD: Π ent Public Parameters: n: the number of qubits to send per signal; p M , the probability of choosing Measure and Resend; p Z , the probability of A measuring in the Z basis.

Quantum Communication Stage:
The quantum communication stage of the protocol will repeat the following until a sufficiently large raw-key has been distilled: 2 n −1 a=0 |a, a A 1 T and sends the "T " portion to B.
2. B chooses, with probability p M to Measure and Resend in which case he applies the operator CN OT ⊗n , acting on the T space and his own private B register (also of n qubits).Otherwise, with probability 1 − p M , he chooses Reflect and applies I ⊗n to the T portion (thus, his B register will remain independent of the system in this case).
Either way, the T register is then returned to A. Once returned, we rename the T register as the A 2 register.

3.
A chooses to measure in the Z basis (with probability p Z ) or the F basis (with probability 1 − p Z ).She measures both the A 1 register and the returned T register (now called the A 2 register) in the same basis (either both Z or both F).At this point, B will measure his register in the Z basis if he chose Measure and Resend.

4.
A and B divulge their choices (B his choice of "Measure and Resend" or "Reflect" and A her choice of basis).If A choose the Z basis and B chose Measure and Resend, they will save their measurement results and append the resulting value (as a bit-string) to their respective raw-keys (A will use her result from the A 1 register, discarding the A 2 register in this case).Quantum Communication Stage: The quantum communication stage of the protocol will repeat the following until a sufficiently large raw-key has been distilled: 1. B chooses, with probability p M operation "Measure and Resend" otherwise he chooses "Reflect."Note that the terminology Measure and Resend and Reflect do not have any operational meaning in this protocol -we simply use them so that the reduction later from our SQKD protocol Π SQKD makes sense.If he chooses Reflect, he prepares a 3n qubit state of the form: where the right-most B register contains n qubits in the state |0 .Otherwise, if he chooses Measure and Resend, he prepares a 3n qubit state of the form: Regardless of his choice, he sends the A 1 A 2 register (consisting of 2n qubits) to A.
there exists an attack of the form ({p(b)} 2 n −1 b=0 , U ) against Π OW such that, if σ ABE is the resulting density operator of a single iteration of Π OW in this case, it holds that σ ABE = ρ ABE .In particular, there is no advantage to E in either case and, furthermore, no party A, B, or E can distinguish between the two scenarios.
Proof.Fix an attack (U F , U R ).Without loss of generality, we may write U F 's action on basis states as: |b, e a,b , where N = 2 n and |e a,b are arbitrary states in E's ancilla (we assume, without loss of generality in the collective attack case, that E's ancilla starts in some pure state |χ E ).Unitarity, of course, imposes some restrictions on these states.In particular, for every a it holds that: Given this attack, we construct ({p(b)}, U ), an attack against Π OW , that satisfies the theorem statement.To do so, we follow a technique first introduced in our conference paper [54] but generalized here for higher dimensions.First, we set the values p(b) to: Clearly p(b) ≥ 0 for all b.Furthermore, from Equation 7, it follows that: thus this is a valid probability distribution, and so a valid attack setting.Now, consider the following operator Rw which we call the "rewind" operator as, in a way, it "rewinds" the channel so that a state prepared by B in the one-way case (i.e., protocol Π OW ) appears to all three parties as if it had been prepared by A in the two-way case (i.e., Π ent ).In particular, it will "setup" the A 1 register and E's quantum memory as if this had been performed in the two-way Π ent case.The only thing that cannot be "rewound" is B's measurement distribution, thus the need for E to set this separately through the p(b) values.This operator acts on basis states |b, b (sent by B in the one-way protocol Π OW ) as follows:  to the fully-quantum one-way protocol (Π OW bottom).For the SQKD protocol, A prepares qubits at time (1), Eve attacks, and then B performs an operation Measure and Resend or Reflect.Time t * is after B's operation.On the other hand, for the fully-quantum protocol, B prepares two qubits and sends both to A. E attacks with a specially designed Rw operator resulting in a state at time t * .We claim a suitable Rw operator can be constructed so that the density operators in both cases at time t * are identical.Later, when proving general security of the one-way protocol, we do not require any special attack; clearly security of the SQKD protocol, then, would follow.QM stands for E's quantum memory.
Furthermore, we have: Thus, Rw is an isometry and may be extended, using standard techniques, to a unitary operator implying it is an operation that E may do within the laws of quantum physics.We claim that U = (I A 1 ⊗ U R )Rw is the desired attack operator satisfying the theorem statement.
Refer to Figure 1.Consider the case when B chooses Measure and Resend.At time t * (after E attacks with U F and B's Measure and Resend operation, but before E attacks a second time with U R ), the joint state held by A, B, and E using protocol Π ent is found to be: Now, again, referring to Figure 1, consider the same case (namely, B choosing Measure and Resend) but with the Π OW protocol.In this event, B prepares the state b p(b) |b, b, b A 1 A 2 B and E attacks with Rw.The joint system then, at time t * is: (11) Thus, after applying Rw, the state of the joint system for the case of Π OW is identical to that of Π ent .Of course, after applying U R (which happens in both scenarios since we constructed U = (I A 1 ⊗ U R )Rw), the systems will remain the same.Thus, any measurement outcomes or entropy computations will be identical in both scenarios.It is trivial to show the same holds true in the Reflect case for both protocols (in that case, the additional |b term is no longer there but the algebra remains the same otherwise).Thus, if one were to write out a density operator description of both protocols, tracing their evolution, they would be identical as the underlying systems are identical in all cases.Note that the only thing E could not "rewind" with Rw is the probability distribution of B's measurements (since he is now preparing).Thus it is required that E gets to choose the distribution p(b) so that the probability distribution in Π OW matches that observed in Π ent .This completes the proof.
Theorem 1 implies that it is sufficient to prove security of the one-way protocol Π OW .Since any attack against Π ent can also be transformed into an attack against Π OW , if we analyze a general attack against the latter, this automatically gives security against the former.Indeed, there may be more attack strategies for E against Π OW as E has access to both n qubit registers simultaneously; despite this, it is easier to analyze as it is a one-way protocol.Furthermore, note that no party can distinguish between the two scenarios and, as a consequence, observed channel noise in the "real" SQKD protocol Π ent translate directly to observed statistics in the one-way protocol Π OW .Our goal is to prove security of Π ent (which proves security of Π SQKD ) and, given observed noise statistics there, if we prove security of Π OW given those same statistics, the key-rate can only be better in Π ent (since Π OW has potentially more attack strategies as mentioned).

Proof of Security for Π OW
We now prove security of Π OW .In the following, we define N = 2 n where n is the user-defined number of qubits sent per iteration of our protocol.Our proof of security is in three steps.First, we compute the conditional entropy H(A|E) in the case where B chooses Reflect.This, of course, is useless for key distillation as B is completely independent of the state in this case, but it will be used later to argue about the entropy in the actual key-distillation state (i.e., when B chooses Measure and Resend).Second, we argue that E's optimal attack must take on a particular form if A and B use the Z or F basis.Third, and finally, we use these results, along with Winter's continuity bound on conditional entropy [55], to compute the entropy of A's register conditioned on E's quantum memory in the actual key-distillation state when B chooses Measure and Resend giving us the desired key-rate.
First, we need a channel scenario for the real Π ent protocol (which translates, as discussed, to observations for Π OW ).Keeping in line with other high-dimensional QKD analyses [31,33], we consider a symmetric attack modeled as a depolarization channel (which may even be enforced by users): where σ is any N dimensional quantum state.
We will assume the noise in the forward channel and reverse channel are the same and parameterized by Q (though our analysis follows even if they are different, though the algebra complexity increases).In the "reflect" case, we will use a depolarization parameter Q F -this captures the practical case that, for certain fiber channels, reflecting a quantum state back can "undue" some noise (but in the Measure and Resend case this cannot happen as the "measurement" breaks any entanglement in the channel) [42,56].
Let p(x|y) be the probability that a party observes x given the sender sent y (in the Z or F basis) in either the forward or reverse channel.From this model, we have: In Π ent , the probability that A Z 1 (i.e., after measuring) is a, for any particular a, is simply p(a) = 1/N .Furthermore the probability that B measures b is a p(b|a)p(a) = 1 N (1 − Q + (N − 1) Q N −1 ) = 1/N .Thus, we set p(b) = 1/N when analyzing Π OW (E's choice here must conform to the observed statistics in the "real" protocol Π ent ).
Let p(a, b, c) be the probability that, in the case of Measure and Resend, if all parties measure in the Z basis, A 1 measures a, B measures b, and A 2 measures c (recall A 1 is A's first n-qubit register and A 2 is her second register).Then, since this is a classical probability distribution, by the chain rule it holds that: We will assume that in the Measure and Resend case of Π ent , the two channels act independently and, so, p(c|b, a) = p(c|b).That is, A's measurement in the return channel, depends only on what B actually sends.This is a very realistic noise scenario and can even be enforced by the users -A and B will simply abort if they do not observe this (natural) behavior.Of course, as discussed, we do not assume the two channels act independently if B chooses to Reflect (such an assumption would not be natural nor could it be enforced and so we do not make it here).Under these assumptions, it is not difficult to see that: p(b) = 1/N due to our (enforceable) symmetry assumption, we find: where P (z) = zz * .On the other hand, tracing the evolution of the protocol in the case B chooses Measure and Resend, gives us the following operator: Our goal in the remainder of the security proof is to bound the difference between To do so, we will use Winter's continuity bound [55] and in particular, the case derived for classical-quantum states.This bound states that (rewriting in terms of our notation of course): where: Thus, our goal is to determine an upper-bound on the trace distance ∆.Note that an upper-bound will only increase the distance between the two entropies causing the key-rate to drop.Thus by finding an upper-bound, we determine a worst-case key-rate and the actual key-rate can only be higher.
By elementary properties of trace distance, along with the triangle inequality, we have: Second Step -Structure of E's Attack Operator: Before computing ∆, we argue now that E's optimal attack operator has a particular structure to it.As discussed earlier, let p(a, b, c) denote the probability that measuring A 1 results in a; measuring B results in b; and measuring A 2 results in c (where these measurements are performed in the Z basis in the Measure and Resend case; thus a, b, c 2 BE (i.e., the case where B chooses Measure and Resend, but before tracing out A Z 2 and B which we did for Equation 19) is found to be: from which it is clear that p(a, b, c) = e a,b,c |e a,b,c /N .Since N is known and since p(a, b, c) is a value that can be observed by the parties running the protocol, this implies e a,b,c |e a,b,c is also an observable quantity.
We now claim that it is to E's advantage to choose her attack such that for any fixed a, c, it holds that: Indeed, orthogonal ancilla states cannot increase her uncertainty, thus the only reason to make these states non orthogonal would be if, by doing so, she could make some other, potentially "more important" vectors closer to orthogonal (e.g., the non-error cases such as e 0,0,0 |e 1,1,1 ) while still falling within the observed noise statistics.But the inner-product e a,b,c |e a,b ,c does not contribute to the observed noise in any way, assuming basis F is used, and thus she might as well set them to be orthogonal potentially decreasing her overall uncertainty (but certainly not increasing it).
Clearly the inner-product e a,b,c |e a,b ,c does not contribute to the Z basis noise when b = b .We thus consider the F basis noise.Consider the case when B chooses Reflect in which case the state arriving to A, before measuring, is: where |g a,c = b |e a,b,c .Since the above is normalized, it holds that: Now, changing basis, we may write |j = x β x,j |F x , where β x,j = F x |j .Clearly, due to our choice of basis F, it holds that |β x,j | 2 = 1/2 n .Taking Equation 23 and changing basis in both the A 1 and A 2 registers yields: Thus, the probability that A 1 measures F x and A 2 measures F y , for any x, y is: where for the third equality, we use Equation 24.Note that g a,c |g a ,c , for (a, c) = (a , c ) has no terms of the form e a,b,c |e a,b ,c (since either a or c will not equal a or c).Thus the e a,b,c |e a,b ,c inner product cannot affect any observed noise statistic.Therefore there is no advantage to E in making it non-orthogonal as it cannot benefit her by "hiding" other states in the noise of the channel (e.g., she cannot use e a,b,c |e a,b ,c to increase the orthogonality of other vectors to her advantage while still keeping within the observed noise statistics).We may therefore assume the attack operator U is such that Equation 22 applies.Note that this proof would not hold if |β i,j | 2 = 1/2 n for all i, j.Thus, for any fixed a and c, we may define an orthonormal basis {|ν

Third
Step -Continuity Bound Analysis: From the above analysis on the structure of E's optimal attack operator, we may write ∆ a,c , defined in Equation 21, as: where the last equality follows from the fact that trace distance is invariant to changes in basis and, again, we use P (z) = zz * .Recall our description of the channel, and in particular the value of p(a, b, c) given in Equation 15.Note that, if Q = 0, then it is easy to see that ∆ a,c = 0 for all a, c and so we are done.Thus, in the following, we will consider 0 < Q < 1/2.Due to the symmetry in a depolarization channel as clearly seen in the expression for p(a, b, c) in Equation 15(again, this may even be enforced by users), there are two cases to consider, first when c = a and second when c = a.For the first, we have: Since it is Hermitian, we may decompose X as: where {|v j } are orthogonal eigenvectors and λ j are (real) eigenvalues; thus X |v j = λ j |v j for all j = 0, • • • , N − 1 and, of course, ||X|| = j |λ j |.Consider a particular eigenvector |v = |v j = i x i |i .Then: Thus, for λ = λ j to be the corresponding eigenvalue, it must hold that N y b = λx b for all b = 0, • • • , N − 1.Note that, when b = a, it holds that: When b = a, then N y b simplifies to: and thus it must hold that: Now, assume that there exists a k = k such that x k = x k and both k and k are not equal to a (we will handle the case when this is not true afterwards).From Equation 30 we have, using the case when b = k and b = k respectively: Subtracting these two expressions yields: We next claim the geometric multiplicity of this eigenvalue is N −2 and, thus, this eigenvalue appears N − 2 times in Equation 27.Consider the operator X − λI.By choosing a suitable basis we may write this in matrix form as: Substituting λ = −α 2 it is clear that the rank of X − (−α 2 )I is at most two.Thus the geometric multiplicity is at least N − 2 (and indeed is exactly N − 2 except when Q = 0 or Q = 1 − 1/N ; but the first case is considered separately as mentioned, and the second case implies Q > 1/2 which is much larger than our evaluations later and so not considered).Therefore, exactly N − 2 of the eigenvalues of X are −α 2 = − Q 2 (N −1) 2 .The remaining two eigenvalues are found when there does not exist k = k (where k = a and k = a) such that x k = x k .In this case we have x k = x k = x for all k, k not equal to a. Using Equation 29 we find: Note that the above equation forces x = 0 as, otherwise, x a is also 0 and so |v would be the zero vector and not an eigenvector of Hermitian operator X. Substituting this into Equation 30(for any b = a) we find: thus leading us to the two remaining eigenvalues, which we denote λ X ± : Since there was no dependence on a in the above analysis, this leads us to conclude that: We next consider the case when c = a and compute ∆ a,c .Following the same logic as before, fix a particular c = a and consider the operator As with the previous operator X, we break this up into several cases depending on the eigenvector |v .For the first case, assume there exists k = k with k = a, c and k = a, c such that x k = x k .Then, using Equation 36, for b = k and b = k and subtracting the resulting expressions yields: We claim this eigenvalue has geometric multiplicity N − 3. Consider the operator Y − λI and, as before, by considering a suitable basis, we may write this in matrix form as: From this, it is evident that the rank of Y −(−α2 )I is three and so the geometric multiplicity of the eigenvalue −α 2 is N − 3 (again, assuming Q = 0 and Q = 1 − 1/N which holds since 0 < Q < 1/2.Thus, there are 3 more eigenvalues.Next, consider the case if x a = x c .In this case, subtracting Equation 34 and 35 yields: Finally, consider the case where x a = x c = x 1 and x k = x k = x 2 for every k = k and k, k = a, c.In this case, Equation 36 simplifies to: Equation 34 yields: αβx 1 + (N − 2) α 3 βx 2 = λx 1 Note that the above equation also implies that λ = αβ since if it were, we would have x 2 = 0 which, as already discussed, is not true.Thus we may solve: Solving the above quadratic for λ gives us the two remaining eigenvalues which we denote λ Y ± .After some algebra, these eigenvalues are found to be: Since the above arguments were for arbitrary a = c, this gives us the following: Thus, we conclude: At first glance, this expression may seem to scale exponentially with n (since N = 2 n ).However, note that λ ± (for both the X and Y operators) are multiples of α, which, itself, is a multiple of 1/(N − 1).
Returning to Π OW , we apply the Winter continuity bound (Equation 20) to attain:  3. We note that, similar to the fully-quantum case [31,32], as the dimension increases, the noise tolerance also surpasses the single qubit case.Thus, we prove that this high-dimensional advantage, known for fully-quantum protocols, also applies to the semi-quantum model.We also observe numerically that, as n increases, the maximal noise tolerance tends to approach 26% in the independent case and 30% in the dependent case.As mentioned, fully-quantum high dimensional QKD protocols can tolerate up to 50% error as the dimension increases; thus, while not as high as the fully-quantum case (which, perhaps, is to be expected), it is higher than any other semi-quantum protocol to-date.Indeed, the highest known semiquantum protocol [26] can tolerate up to 17.8% in the independent case (as opposed to 26% here) and 26% in the dependent case (as opposed to 30% here).Of course, our Equation 47is only a lower-bound -future work may improve this.In particular, the use of mismatched measurements (needed to attain a high noise tolerance in [26]) may greatly benefit our analysis here.This we leave as an interesting future research direction.

Closing Remarks
In this paper, we designed a new high-dimensional semi-quantum key distribution protocol and performed an information theoretic security analysis.To conduct this security analysis, we developed several new techniques for high-dimensional protocols over two-way quantum channels which may be applicable to other (S)QKD protocols.In particular we showed how one may reduce a two-way, high dimensional, semi-quantum protocol to a one-way protocol which is easier to analyze.Thus, we produced new security results of broad application.We also proved that high-dimensional quantum systems can benefit communication in the semi-quantum model just as they do in fully-quantum key distribution.
Many interesting future problems remain open.For one thing, it would be interesting to see if our proof technique can be applied to the high-dimensional quantum-walk based SQKD protocol introduced in [33].If so, we would then be able to compare noise tolerance properties of the two protocols.It would also be interesting to see if we can improve our bound and technique here.One factor contributing to a potentially lower key-rate bound is our use of a continuity bound.Other methods may produce more optimistic results.

Protocol 3
One-Way n-dimensional QKD: Π OW Public Parameters: n: the number of qubits to send per signal; p M , the probability of choosing Measure and Resend; p Z , the probability of A measuring in the Z basis; {p(b)} 2 n −1 b=0 , probability values set by the adversary but known to all parties.

)
It is not difficult to see that Rw is an isometry.Indeed, given |b, b and |b , b for b = b , we have: 0 = b, b|b , b = 1 N p(b)p(b ) a,a a, b, e a,b |a , b , e a ,b = 0.

Figure 1 :
Figure1: Showing the reduction from the semi-quantum protocol (Π SQKD and Π ent , top) to the fully-quantum one-way protocol (Π OW bottom).For the SQKD protocol, A prepares qubits at time (1), Eve attacks, and then B performs an operation Measure and Resend or Reflect.Time t * is after B's operation.On the other hand, for the fully-quantum protocol, B prepares two qubits and sends both to A. E attacks with a specially designed Rw operator resulting in a state at time t * .We claim a suitable Rw operator can be constructed so that the density operators in both cases at time t * are identical.Later, when proving general security of the one-way protocol, we do not require any special attack; clearly security of the SQKD protocol, then, would follow.QM stands for E's quantum memory.

1 N
, e a,b |a , b, e a ,b = • p(b) a e a,b |e a,b = 1.

} N − 1
b=0 and write: |e a,b,c = N • p(a, b, c) |ν (a,c) b .Note that we do not assume any relation between these vectors for differing a and c.I.e., we do not make any assumptions on the value ν (a,c) b |ν (a ,c ) b when a = a or c = c .
To satisfy the equation Y |v = λ |v we require N z b = λx b for all b = 0, • • • , N − 1.There are three cases of b to consider here: b = a, b = c and b = a, c.For each of these cases we find: b

Figure 3 :
Figure 3: Key-rate of our high-dimensional SQKD protocol when Q F = Q.Here we plot the case for n = 1, 2, 5, and 50.