2.1

Overview of Trace Distance Security Criterion

Firstly, consider the quantum state ρ_ABE actually distributed between Alice and Bob under Eve’s interactions, and the ideal quantum state τ_ABE, in which the shared key between Alice and Bob is IID with Eve’s quantum system decoupled.

Then, consider an intermediate state σ_ABE in (4) where Alice and Bob share the same key. Then apply a triangle inequality (5) to divide the security problems into two parts, as shown in (5-8).

The inequality (6) is named as “ε-correctness,” which indicates the probability of failure in the key agreement between Alice and Bob. The inequality (7) is named as “ε-security,” which is to be said that the probability of failure in distributing an IID key string, like as seen in the following quotes.

“ε security has an intuitive interpretation: with probability at least 1 – ε, the key S can be considered identical to a perfectly secure key U, i.e., U is uniformly distributed and independent of the adversary’s information. In other words, Definition 1 guarantees that the key S is perfectly secure except with probability ε.”¹⁴

"In this definition, the parameter e has a clear interpretation as the maximum failure probability of the process of key extraction.”¹⁶

“The above definition of security (Definition 2) has the intuitive interpretation that except with probability ε, the key pair (S_A, S_B) behaves as a perfect key, as described by (41).”¹⁷

2.2

Yuen’s warning to the security level of QKDs

However, Yuen warned this would be incorrect in 2009 ¹⁰, and showed a counter example in 2010 ¹¹ and 2016 ¹⁹. This article avoid the detailed explanations but gives simple explanations given by Yuen, as follows. As Appendix A.4.1 in the literature by C. Portmann and R. Renner¹⁸, the expected probability for Eve successfully guessing the correct key is

Because an arbitral operator Γ satisfies the following inequality as Eq. (9.22) in the literature²¹,

Therefore,

As we see, the failure probability for QKDs that Eve guesses the correct key Alice and Bob share, is, larger than the trace distance itself. This gives a clear-cut answer to the perceived explanations that the trace distance itself is “the maximum failure probability in distributing a perfectly secure key,” is not true, because of the existence of the constant factor 2^-|K|. Furthermore, (12) shows the meaning of “the failure of QKDs” very clearly, because it is an expected probability where Eve successfully obtains the correct key.

Yuen also explained the importance of the numerical analysis of (12). In today’s QKDs, the key length |K| is set to 10⁶ bits, while the best experimental value obtained in the past was ε_sec = 2^{-50 22}, archived by Round-Robin DPS QKD, which has been claimed it is almost impossible to eavesdrop, far different from conventional QKDs^{23, 24}. Then from (12), this means

On the other hand, the definition of “perfect secrecy” given by C. E. Shannon was²⁵,

This means, even Eve obtains the chipertext C, she cannot gain any chances to obtain the plaintext X exchanged. Therefore, Eve has to do simple guessing to obtain the plaintext, therefore the probability is

Now, in case of (13), the knowledge Eve obtained from eavesdropping is k_E = k_A, therefore lets rewrite (13) as

This result clearly shows that the obtained key is not IID at all. Consider the simplest example as follows. For Eve, it is like there are 2⁵⁰ patterns of key candidates equally possible, and no other key candidates, which satisfies Pr(K|E) ~ 2^-50. On the other hand, if the distributed key is IID, there are 2^1,000,000 patterns of equally possible keys for Eve. This is what Yuen has been warning. Moreover, this means we can never satisfy the concept called “Universal Composability” because Eve has only 2⁵⁰ possible keys, not 2^1,000,000 keys. The Universal Composability¹⁵ is a concept that any parts of the key are usable to other cryptosystems without threats when one of the systems is under attacks. This is because any parts of the keys are statistically independent from other parts. The above situation explains us that the Universal Composability will never be satisfied unless ε_sec = 0.

Then, change our mind. Now, it is shown that QKD keys are not perfect at all. However, of course, if ε_sec is small enough, we can say the QKD key is information-theoretically secure enough for practical uses. However, consider the following estimations. Assume that a QKD system is running for 24 hours 365 days, at the communication speed of 10⁹ bits/sec with the final key length 10⁶ bits. Then, 3×10¹⁰ keys will be exchanged in a year. Since 2^-|K| ⪡ ε_sec, the expected number of keys leaked to Eve is 3×10^-5. This number looks sufficient for the security. However, 7.5×10³ traffic fatal accidents had been reported in 2008 in Japan²⁶, while there were 7.9×10⁷ cars in the same year²⁷. Therefore, one car caused 9.5×10^-5 traffic fatal accidents in average in 2008. The above values show that the number of potential eavesdropping on one QKD system in a year is about the same order of magnitude of traffic fatal accidents one car may causes in a year. If QKD systems spread over the world as explained in the introduction, the number of potential eavesdropping is close to the number of traffic fatal accidents, if ε_sec = 2^-50 = 8.9×10^-16. See also the past works by the author^{28, 29}. Theoretically, it is often said that ε_sec could be arbitrarily small, so we could enhance the security of QKDs as high as we would wish. The author will discuss this point in the next subsection.

2.3

Criticisms on Derivation of Secure Key Rate

Yuen also questioned on the derivation of the secure key rate. The general procedures of QKDs are well known, but here the author describes as follows³⁰.

In the above process, the key consumption for OTP to hide Alice’s syndrome is often given by

Here, ξ is a factor chosen from 1 to 2, depending on the strength of the error correction code. Typically, it is set to ξ = 1.1 ^{30, 31}. To prove (17) for the case ξ = 1, see the following calculation. Now, let |K_s| be the sifted key length and |M| be the length of information digits. Consider (|K_s|, |M|) linear codes, which can correct up to Q|K_s| errors. From Hamming bound,

Therefore, the following inequality has to be satisfied.

Thus, the key consumption by OTP to hide Alice’s syndrome is |K_s|h₂(Q) bits, where h₂(Q) is shannon binary entropy. However, Yuen explains as follows. If we use (|K_s|, |M|) linear codes, the number of key candidates would shrink down to 2^|M| while we had 2^|K_s| possible candidates before the error correction. This problem would not be solved even if they hide the syndrome by OTP. One may say that there could be 2^|K_s|-|M| patterns of syndromes, and Eve would not know whether Alice and Bob reconcile their keys with which one, therefore the possible patterns of the key still remains 2^|M| × 2^|K_s|-|M| = 2^|K_s|. However, recall that Eve knows the shared key in the previous QKD round with a probability of ε_sec. Thus, there are only ε_sec^-12^|K_s|-|M| patterns of possible keys, not 2^|K_s| ⪢ ε_sec^-12^|K_s|-|M|, even when Eve does only pure guessing. In reality, Eve would guess the most likely key Alice and Bob shared from her measurement results when she needs, therefore the number of possible key patterns is unknown but may be narrowed down further. Therefore, using (|K_s|, |M|) linear error correction codes narrows down the possible patterns of the key for Eve in practice. There are no related studies about this issue as far as the author knows. Therefore, we cannot discuss this problem numerically furthermore.

To solve this problem, Yuen proposed an idea as follows. Consider (|N|, |K_s|) linear codes adding |N| – |K_s| bits of parity check digits to the original sifted key before error correction. Then, even after the error correction, there still may be 2^|K_s| patterns of possible keys for Eve. Instead, we have to consume |N|h₂(Q) bits of the pre-shared key to hide the added parity check digit by OTP to tell Bob. The amount of |N| is given by Hamming bound again as seen in (18, 19). Therefore,

Thus the key consumption by OTP for error correction is

In addition, Yuen pointed out that choosing ξ = 1.1 habitually is not a “proven analysis” against QKD’s original concept.

Here, the author gives some numerical analysis with ε_sec = 10^-24 ~ 2^-80 in Fig. 1 done in the study in the literature³². When we use (21) derived by Yuen gives lower secure key rate especially in case of larger Q. Moreover, if the quantum channel is lossy, there are lower-limit that ε_sec cannot be smaller than certain values³².

Fig. 1.

(a) Key rates with leak_EC in (17), and (b) in (22). From the lowest curve, the sifted key length = 10⁵, 10⁶, 10⁷, 10⁹ bits. In case of Yuen’s LeakEC, the allowable QBER will be stricter.

2.4

Criticisms on Use of Privacy Amplification

Yuen also pointed out that Privacy Amplification may be rather harmful for the security of QKDs. His description¹⁹ is not easy to understand, therefore, the author tries a different explanation. Consider Eve eavesdropped the quantum channel and store the quantum states correlated to the legitimate users’ key in her quantum memory. Assume that, after Alice and Bob finished error correction, Eve measures her quantum memory and obtained the key string k_ER, while Alice and Bob share the key k_R. Now, let Alice choose and announce a hash function f from a set of δ-Almost Two-Universal hash function family F, then

There are two possible cases that Eve obtains the correct key k_ER = k_R, and k_ER ≠ k_R but collision occurs because of the property of hash functions. Therefore, Eve’s success probability in obtaining the correct key in the end is,

The max Pr(K|E) in (23) is larger than Eve’s guessing probability before the Privacy Amplification, that is, Pr(k_ER = k_R) in (23). This is understandable as follows. Even if Eve obtains the wrong key after the error correction, she may obtain the correct key by chance because of the collision probability of the hash function. Therefore, the following question arises: is Privacy Amplification really useful to gain the security of the distributed key? Consider the following example. Let |K_R| be the length of a reconciled key before Privacy Amplification, let |K| be the key length after Privacy Amplification. Because of the characteristics of hash functions, trivially |K_R| > |K|. If Eve does not even eavesdropping on the quantum channel but she guesses the correct key by pure guessing, it is trivial that she has more chance in guessing the correct key after hashing than she had before hashing. Yuen explained that the reason why Privacy Amplification has given misconception that it would enhance the key security was, that the averaging the hashing performance over the hashing family F in Leftover Hash Lemma. However, in reality, Alice announces publically which hash function they use. Therefore, Eve knows exactly which function is used. Therefore, to evaluate the performance of Privacy Amplification, we need to evaluate the performance of a chosen hash function without averaging. Here, the author of this article adds the other reason. Leftover hash lemma surely gives more uniform key probability distribution. However, key-shortening by hashing would raise the average of the probability distribution, giving Eve more chance to guess the correct key.

A more complicating problem is related to the previous topic of error correction. If we regard the sifted key as (|K_s|, |M|) linear codes, then there should be correlations among key bits, because we regard |K_s|-bit key as (|K_s|, |M|) code, there are only 2^|M| patterns of key candidates instead of 2^|K_s| patterns of key candidates. Evaluating the effect of Privacy Amplification is not easy when there are correlations between key bits. Therefore, again, we need to add parity check digits to the sifted key to make it (|N|, |K_s|) code, to have less correlation among key bits, so we have to take the previous problem seriously.

2.5

Authenticity of Communication Channels

There seem to be many people misunderstanding outside of the QKD researcher community because it is a common sense among QKD researchers, thus it is rarely explained. Therefore, the author explicitly writes here. Before starting QKD, Alice and Bob need to have pre-shared authentication key to recognize each other³³. Otherwise, Eve can launch Man-in-the-Middle Attacks by pretending to be Bob to Alice, and same to Bob to be Alice, relaying both classical and quantum signals coming from Alice to Bob, which allows not only perfect eavesdropping but also falsifying the messages. Moreover, some QKD procedures need a pre-shared key for OTP for Error-Correction as explained in Sec. 2.3. In this sense, QKD is not a public key distribution technology to replace conventional public key encryptions like RSA, say, the public key of RSA is known to even Eve, but the authentication key and the pre-shared OTP key in QKDs should not be disclosed to Eve. Therefore, Alice and Bob need to share the pre-shared key secretly in some way before they start QKDs. In this sense, QKDs are similar to symmetric key cryptographies like AES, unlike public key encryptions such as RSA.

Yuen pointed out the importance of the security level of this authentication key. We may be able to share an authentication key with IID at first, but what will happen if we renew the authentication key by the part of the distributed key? As it was explained in Sec. 2.2, Eve guesses the correct key with a probability of about ε_sec. Yuen regards the security of authentication is far more important than the security level of message encryption, therefore he claims ε_sec has to be far smaller than we currently can obtain. Even if ε_sec is small enough, the renewed authentication key is a part of the distributed key known to Eve with a probability of about ε_sec, resulting in security degradation compared to the initial authentication key with IID, and this continues as long as QKD operation is being continued. Furthermore, the part of the distributed key known to Eve with a probability of about ε_sec has to be used in OTP for Error-Correction in Sec. 2.3. Therefore, the influence of the security degradation has to be included in security proofs for the concept of “provable security.”

2.6

Importance of Bit-Error-Rate for Eavesdropper

Yuen raised a question as follows: even if Eve could not obtain the correct key, but she obtained a key close to the key Alice and Bob share, then what will happen? Cannot Eve read the message at all even if her key has just 1-bit error? How about 2 bits? Then 3 bits? Yuen emphasized the importance of Bit-Error-Rate (BER) for Eve, because it corresponds to the BER on the encrypted message by OTP, therefore he named it “BER Guarantee” ^{19, 20}. Clearly, a perfect key for OTP has the IID key so BER is always 1/2 for Eve, therefore she can never read the encrypted message. However, if she knows her BER is far smaller than 1/2, then she may be able to read some part of the encrypted message. Here is an example. suppose you got a message “Tahnks” from your friend. You usually think it was a typo of “Thanks.” We have no difficulties to recover the original message even there were some typos.

Now going back to the topic of QKDs, here the author writes a rough estimation. Suppose Eve can read the message if her key has BER less than the certain BER, B_E. The number of such a situation is expressed by

Therefore, the rough estimation of Eve’s success probability in obtaining a nearly correct message is

As shown in (25), the chance Eve can read a nearly correct message would raise exponentially to the length of the secret key |K|. so, if ε_sec = 2^-50 and |K| = 10⁶ bits, Eve’s probability in obtaining a nearly correct message is almost Pr(K|E) = 1 up to |K|B_E = 2.5 errors, which means Eve has no struggling in reading the encrypted message. Surely, even the author thinks the estimation by (25) is too rough, and Yuen himself wrote that it is an open question how we evaluate the security of QKDs under BER guarantee. We need further studies, and this is the main topic of this article. See an example in Sec. 3.

2.7

Security level of the cryptosystems and impossibility of experimental guarantee for general attacks

There are many experimental reports, thus the author does not list them here that their QKD systems were stably working over months or more. However, can we really confirm that Eve could not steal the key even with unlimited power except the limitations by laws of nature? One may say that the noisy environment itself is the Eve who can freely interacts with flying qubits. Then how we confirm the noisy environment could not steal the key?

Furthermore, these experimental reports said their systems were secure because the generated key rates were positive. On the other hand, we have seen that the security level is evaluated by ε_sec in Sec. 2.2. How much were their ε_sec actually in their experiments? There have been several theories to calculate the key generation rate for the finite key length with corresponding ε_cor and ε_sec. From these theories, we can derive positive key rates even with ε_sec = 1 ^{31, 32}. This means, the key is surely generated, but Eve can steal the key with the probability of 1, as we have seen in Sec 2.2. Therefore, the positive key generation rate never means the key is secure. The problem is always “how much secure the key is.”

National Cyber Security Centre (NCSC), a part of Government Communications Headquarters (GCHQ) in UK uploaded a white paper to suggest not to use QKDs for important communication infrastructures at this phase. Here are some quotes⁵.

“Consequently, QKD seems to be introducing a whole new set of potential avenues for attack that are not yet well understood.” “Do not endorse QKD for any government or military applications.” “Advise against replacing any existing public key solutions with QKD for commercial applications.”

Yuen also described as follows¹⁹.

“Security cannot be proved experimentally, if only because there are an infinite variety of possible attacks, which cannot all be described. There were many surprises in the history of cryptography; thus, whether there is a valid proof in an important issue, especially in QKD, where provable security appears to be the only real advantage compared to conventional cryptography.”

He also quoted from the literature³⁴.

“Don’t blindly trust anything, even if it is in print. You’ll soon see that having this critical mind is an essential ingredient of what we call “professional paranoia.””

The biggest advantage of QKDs is its concept that “the security is proven against general attacks,” regardless how expensive the cryptosystems are and how slow the communication is compared to the current communication technologies. Then, if we cannot experimentally test the security of QKDs against at least variety types of potential attacks, there is a big question why we have to develop them.

2.8

Alternative security measure: quantum min-entropy

There is another possibly meaningful security measure, called min-entropy. However, it is closely connected to Eve’s probability of guessing the correct key³⁵. Therefore, the author thinks there is not so big differences from using the trace distance criterion. Any other abstract security measures should be avoided because your customer would not be convinced by such an abstract security terms; they should be eager to know how much secure your system is.

3.1

Entangling Probe Attack on BB84 protocol

Consider the following four quantum states to operate BB84 protocol for (x_A, b_A) = {0, 1}², where x_A is a key bit to be shared, and b_A indicates the communication basis Alice uses.

Alice chooses one of the four quantum states in (26) with her prior probability of 1/4. On the other hand, Bob sets a measurement operator defined in (27) to yield a received bit x_B choosing his basis b_B randomly.

We omit the sifting process, therefore we regard Alice and Bob already have announced their basis b_A = b_B.

While Alice is transmitting her quantum state described in (26) to Bob, Eve attaches her quantum system and performs unitary operation U with the transmitted quantum system. Therefore,

The U is defined as

Bob receives the following quantum system.

Therefore, Bob’s Quantum-Bit-Error-Rate (QBER) Q is

On the other hand, Eve receives the following quantum state.

Before Eve measures her system, she listens to the classical public channel to know how Alice and Bob reconcile their sifted keys. For example, when Bob corrects errors in his sifted key to obtain Alice’s key, Eve’s BER in her key is, from Helstrom’s quantum binary decision theory⁴¹,

When Aice reconciles her sifted key with Bob’s key, Eve’s BER in her key is,

Therefore, in this case, it is harder for Eve to guess Bob’s key. Thus, assume Alice reconciles her sifted key with Bob’s key. Note, furthermore, that Eve optimizes her unitary operation U to minimize (33). However, this optimization is not the main topic of this paper, and conclusion will remain unchanged. Eve’s success probability in obtaining the correct key is,

If Eve could successfully guessed the correct key after the Error-Correction, she can obtain the correct key even after the Privacy Amplification because she knows the hashing function used from the broadcasting Alice and Bob made. Then the success probability in eavesdropping is,

Now, we are going to evaluate the security of BB84 in BER guarantee. Eve knows her BER before the step of Privacy Amplification. For an announced hashing matrix f, Eve knows which key strings will be projected onto which hashed strings. For instance, suppose Eve chose a key k_ER = k_R + e_R (mod 2) with error string e_R, it will be projected onto the certain final key with errors, f(k_R + e_R) = k + e (mod 2). Then, the same manner in (36) can be applied to

Here, wt(e_R) denotes the number of errors in the error string e_R. Therefore,

Therefore, we see that Eve has an exponentially more chance to obtain the near-perfect plaintext as we have seen in Sec.2.6.

At this phase, B_E, the acceptable BER in the plaintext for Eve, is unknown. However, she may add noise from the outside of the classical authenticated channel without breaking the authentication. Then, Alice and Bob need to utilize error-correcting codes and its parity check matrix for classical communications. This may allow Eve to remove all errors in her near-perfect key up to |K_R|B_E errors utilizing the announced parity check matrix and subtracting noise she added by herself. To prevent this kind of attacks, we may need to monitor the BER in the classical authenticated channel, and abort the protocol when the BER is too high, like the high QBER case in the quantum channel.

Moreover, note that this discussion is under assumptions that Eve perform individual attacks on each qubits, and she performs measurements after the Error-Correction. We are not sure how much secure BB84 is by means of BER guarantee under general attacks, such as collective attacks or coherent attacks.

4.1

Case 1: the standardized definition of the trace distance security criterion

From the definition, consider the following spectral decomposition to calculate the trace distance:

The operator set could be POVM on Eve’s system to obtain k_E. From (39). Furthermore,

Therefore,

Thus the conclusion is, with the result already has been given in Sec. 2.2,

4.2

Case 2: Koashi’s security proof based on Shor-Preskill approach

Case 2 ³⁰ has to satisfy the equality of

Otherwise, the trace distance cannot be upper-bounded because

Here, the Fidelity is defined as

Now, consider the following spectral decomposition

Then, by Cauchy-Schwarz inequality,

Therefore, the equality of (47) is satisfied by choosing in (46) as,

As a result, using an inequality between trace distance and fidelity,

This is the necessary condition for Koashi’s security proof. After this part, we further investigate the condition to make the trace distance equal to the upper-bound of (49).

By monotonicity of Fidelity under a CPTP map Λ, and such Λ is as follows by the definition of quantum states in (3, 4).

Therefore,

Because

To satisfy equality in (51), define the purified quantum systems by adding a virtual system R as

(53) satisfies Uhlmann’s inequalities,

And, for pure quantum states,

Then, to satisfy the equalities in (54),

Again, by Cauchy-Schwarz inequality,

Under the conditions derived in (48), (53), and (60),

Furthermore, choose the POVM for Eve on the given quantum state as with the corresponding condition chosen by Eve with restrictions in (48), (53), and (60)

Then, the expected probability for Eve successfully guessing the correct key is, with the same way in (42),

Note, however, that the necessary condition (48) cannot be satisfied by Alice nor Bob, because it contains the unknown quantum state ζ_ABE. This state is what only Eve knows. Furthermore, conditions in (48), (53), and (60) are not necessary for Alice and Bob, although Eve wishes to satisfy to maximize her guessing probability. This situation tells us that the definition of τ_E can be chosen by Eve. Further generalization as Case 3 is what the author has been questioning.

4.3

Case 3: letting Eve define the trace distance independently from Alice and Bob

Note that, in the second case Eve could choose the independent quantum state τ_E = κ_E to satisfy the equalities in the inequalities to bound the trace distance. This would give her more advantages. Then, here is a question; what if Eve could choose τ_E freely to maximize the trace distance itself independent from the definition by Alice and Bob? This section seeks the possibility. To do so, Eve attaches an imaginary quantum system R, constructing the total system σ_ABER. Then, Eve chooses τ_ER so that its support is not on the support of tr_AB σ_ABER. Furthermore, Eve could choose quantum systems σ_ABER and τ_ABER, to purify like (53) showed. To put these purified quantum systems σ_ABER and τ_ABER on different supports, Eve has to satisfy

Eve could define as

Then, apparently

Now Eve can discard the virtual quantum system R, and measure her system E to guess the correct key most likely. This process is described as follows, using Γ in (11).

Therefore, (67) violates the upper-bound of the trace distance in existing security proofs. More simply, we may consider

Note that the conditions in (67) and (68) are totally different from the condition (60). Thus, actually, as long as Eve can choose her own quantum system τ_E independently from the choice Alice and Bob make, the upper-bound for the trace distance cannot be given from the frameworks of standardized trace distance criterions. Shor and Preskill proved the equivalence of entanglement-based QKDs to the prepare-and-measure QKDs such as BB84 using the Fiderity between the maximally entangled state and entangled-based distributed state, however, it seems their security proof cannot be connected to the trace distance criterion, which has been useful to show the security of prepare-and-measure QKDs. The author throw a question as follows. The modified Lo-Chau protocol and the CSS protocol in Shor-Preskill proof would be perfectly secure with a probability of 1 – ε_sec², because quantum error corrections, especially phase-error-corrections would decouple Eve’s system. However, a classical privacy amplification process would not correct quantum phase errors, even though the complementary analysis approach allows us to estimate the phase-error-rate from the bit-error-rate^{42, 43}. Thus, Eve’s system would not be decoupled in case of prepare-and-measure QKDs. This would explain why Privacy Amplification is actually harmful for QKDs as explained in Sec. 2.4, by contrast with perceived understanding that classical Privacy Amplification is equivalent to phase-error-corrections since Shor-Preskill proof back in 2000. Furthermore, this may explain why Round Robin DPS QKD protocol does not need to monitor quantum signal disturbances to estimate the amount of key sacrifice in Privacy Amplification²³. This may be simply because Privacy Amplification would not be required for prepare-and-measure protocols including the above protocol, as well as the secure key rate derivation based on the phase-error-rate estimation may also be invalid.

4.4

Misconception of “distinguishability advantage” interpretation of trace distance

There is an interpretation that the trace distance is “indistinguishability” of the ideal quantum state and the real quantum state¹⁸. Such an interpretation is justified by citing quantum binary decision theory by C. W. Helstrom⁴¹. The following is the overview.

In Helstrom’s theory, Alice prepare ρ₀ or ρ₁ with prior probabilities of p₀ and p₁. Bob discriminates the quantum states with an optimum measurement basis. The maximum guessing probability for Bob is

If we assume p₀ = p₁ = 1/2, then we see trace distance.

The interpretation is justified as follows. Alice prepares a QKD system which Eve can interact with, or a QKD system with an interface which gives Eve measurement results as if she is interacting with the former system but actually she cannot interact at all. Alice randomly prepares such systems with a prior probability of 1/2, and Eve judges which system is used from her measurement results. If we regard ρ₀ = σ_ABE in (4) and ρ₁ = τ_ABE in (3), then the maximum guessing probability for Eve is given by (70), therefore the trace distance is as advantage for Eve to distinguish the two situations.

The problems with the interpretation are as follows. It is said that Eve’s success probability in guessing the correct system is given by (70), however, this would not give any idea how high the probability is for Eve to guess the correct key. Furthermore, it gives the following problems.

Now let us think the original situation of QKD. Firstly, τ_ABE is a desirable quantum state but it cannot be distributed, and σ_ABE is the quantum state always distributed. However, in the context of this interpretation, Alice and Bob have to prepare such quantum states with a prior probability of 1/2. Such a situation does not meet the actual situation of QKD. Furthermore, if they could prepare the system with which Eve cannot interact with a probability of 1/2, then we are not sure why they do not use the perfect device every time, while we are sure that the system is always the one which Eve can interact. This means, the prior probability is very contrived. One more thing, in the quantum binary decision theory, Bob receives the whole system of the quantum state, but in the context of QKD, Eve receives only the partial system of the quantum state, such as tr_AB σ_ABE. Thus, the situation of the quantum binary decision problem is far different from the situation of QKDs.

Therefore, the indistinguishability interpretation cannot be useful to evaluate the security of QKD.