arXiv:quant-ph/9906073v1 21 Jun 1999. Quantum Memory in Quantum Cryptography. TAL MOR. D.Sc. work. 16/4/97 ..... In Chapter 6 we discuss new possibili...

1 downloads 69 Views 806KB Size

Quantum Memory in Quantum Cryptography TAL MOR D.Sc. work 16/4/97

Contents Abstract

1

List of Symbols

3

1 Introduction to Quantum Cryptography and Quantum Memory 1.1 Classical Information . . . . . . . . . . . . . . . . . . . . . . . . 1.2 Quantum Information . . . . . . . . . . . . . . . . . . . . . . . 1.3 Classical Cryptography . . . . . . . . . . . . . . . . . . . . . . . 1.4 Quantum Cryptography . . . . . . . . . . . . . . . . . . . . . . 1.4.1 The Four-State Scheme and a Protocol for Quantum Key Distribution . . . . . . . . . . . . . . . . . . . . . . . . . 1.4.2 The EPR Scheme . . . . . . . . . . . . . . . . . . . . . . 1.4.3 The Two-State Scheme . . . . . . . . . . . . . . . . . . . 1.4.4 Weak Coherent Pulses . . . . . . . . . . . . . . . . . . . 1.4.5 Quantum Bit Commitment and Oblivious Transfer . . . 1.5 Quantum Memory . . . . . . . . . . . . . . . . . . . . . . . . . 1.5.1 Defining a Quantum Memory . . . . . . . . . . . . . . . 1.5.2 Basic Uses of a Quantum Memory . . . . . . . . . . . . . 1.5.3 Implementations . . . . . . . . . . . . . . . . . . . . . . 1.6 Quantum Computation . . . . . . . . . . . . . . . . . . . . . . . 1.7 Structure of the Thesis . . . . . . . . . . . . . . . . . . . . . . .

21 24 25 26 27 29 29 30 31 33 34

2 On the Security of Quantum Key Distribution Against a ‘Quantum’ Eavesdropper 2.1 Privacy Amplification and Security Against Existing Technology 2.2 Can a ‘Quantum’ Eavesdropper Learn the Key? . . . . . . . . . 2.3 The Collective Attack . . . . . . . . . . . . . . . . . . . . . . . 2.4 Collective Attacks and the Ultimate Security . . . . . . . . . . . 2.5 An Alternative Approach . . . . . . . . . . . . . . . . . . . . . .

35 36 40 40 42 42

3 The 3.1 3.2 3.3

44 46 50 53

Parity Bit Density Matrices for Parity Bits . . . . . . . . . . . . . . . . . . Optimal Information in a Parity Bit . . . . . . . . . . . . . . . . Information on the Parity Bit of Almost Fully Overlapping States i

5 12 14 17 19

3.4 3.5 3.6

Deterministic Information on the Parity Bit . . . . . . . . . . . Parity Bit for Density Matrices of Mixed States . . . . . . . . . The Connection to Quantum Cryptography . . . . . . . . . . .

4 Security Against Collective Attacks 4.1 The Simplest Case – Eve’s Probes are in One Out Of sible Pure States . . . . . . . . . . . . . . . . . . . . 4.2 Bounds on Information . . . . . . . . . . . . . . . . . 4.3 Security Against Symmetric Collective Attacks . . . . 4.4 Security Against Non-Symmetric Collective Attacks . 4.5 Security Against Any Collective Attack . . . . . . . .

55 57 58 59

Two . . . . . . . . . . . . . . .

5 Quantum Networks for Quantum Cryptography 5.1 A Time-Reversed EPR-Scheme for Quantum Cryptography 5.2 A Quantum Cryptographic Network . . . . . . . . . . . . . 5.3 Implementations . . . . . . . . . . . . . . . . . . . . . . . 5.4 World-Wide Network of Many Centers . . . . . . . . . . . 5.5 Summary and Discussion . . . . . . . . . . . . . . . . . . .

Pos. . . . . . . . . . . . . . .

60 66 69 73 75

. . . . .

77 79 83 85 86 87

. . . . .

. . . . .

6 Quantum Error Correction and Quantum Privacy Amplification 6.1 Quantum Error-Correction . . . . . . . . . . . . . . . . . . . . . 6.1.1 Error-Correction and Error-Reduction . . . . . . . . . . 6.1.2 A Realistic Calculation of the Remainder Error in a Simple Case . . . . . . . . . . . . . . . . . . . . . . . . . . . 6.1.3 Application to Quantum Communication and Memory . 6.2 Quantum Privacy Amplification . . . . . . . . . . . . . . . . . . 6.3 Quantum Error Correction as Quantum Privacy Amplification .

88 90 90 93 95 96 98

7 Conclusions

101

Bibliography

102

ii

List of Figures 4.1

5.1

Two ways of finding two pure states Φp from which the two density matrices ρp can be constructed using a third state χn common to both density matrices. . . . . . . . . . . . . . . . . . . . . . .

69

Two processes, which we use to prove the security of the protocol. 80

iii

Abstract Quantum information theory investigates the information content of quantum systems, hence generalizes classical information theory. The classical bits are generalized into quantum bits (two-level systems). Unlike classical bits, each quantum bit can be in a superposition of its two basis states, and several quantum bits can be entangled to each other. Unlike classical bits, quantum bits cannot be duplicated, and furthermore, the state of a quantum bit cannot be identified, unless more (classical) information is available. This property of quantum information was used to suggest new type of cryptography, quantum cryptography, which uses quantum bits to encode classical bits, before providing them to possible adversaries. Quantum cryptography suggests various possibilities which are beyond the abilities of classical cryptography. In particular, it suggests schemes for an information-theoretic secure key distribution, and an alternative to the existing “public/secret key distribution” which cannot be information secure, and are not proven to be computationally secure. The main advantage of quantum schemes over any classical scheme is the fact that quantum information cannot be passively intercepted, hence eavesdropping attempts induce noise. Unfortunately, in the presence of noisy channels and devices, none of the existing schemes for quantum key distribution is proven secure: the eavesdropper can obtain some small amount of information while inducing an acceptable noise; furthermore, the legitimate users must correct their data using some error correction code, and the eavesdropper can obtain this information as well. Classical privacy amplification techniques were suggested to yield a secure final key, but there is no complete proof of security yet. As is common in cryptography, a

1

promising suggestion might be found worthless later on; Future technology, such as the ability to maintain quantum states for a long time, could be destructive (or even fatal) to all such schemes. This thesis investigates the importance of quantum memory in quantum cryptography, concentrating on quantum key distribution schemes. In the hands of an eavesdropper – a quantum memory is a powerful tool, putting in question the security of quantum cryptography; Classical privacy amplification techniques, used to prove security against less powerful eavesdroppers, might not be effective when the eavesdropper can keep quantum states for a long time. In this work we suggest a possible direction for approaching this problem. We define strong attacks of this type, and show security against them, suggesting that quantum cryptography is secure. We start with a complete analysis regarding the information about a parity bit (since parity bits are used for privacy amplification). We use the results regarding the information on parity bits to prove security against very strong eavesdropping attacks, which uses quantum memories and all classical data (including error correction codes) to attack the final key directly. In the hands of the legitimate users, a quantum memory is also a useful tool. We suggest a new type of quantum key distribution scheme where quantum memories are used instead of quantum channels. This scheme is especially adequate for networks of many users. The use of quantum memory also allows reducing the error rate to improve large scale quantum cryptography, and to enable the legitimate users to work with reasonable error rate.

2

List of Symbols BC BCH BEC BM BSC EHPP EP POVM OECC OT QEC QPA RDM RSA qubit XOR i...n L, M, N u, v, x, y d(u, v) {v} H I p, q, P , Q p(x) n ˆ (x) U ⊗ ⊙ ⊕ Hn , Kn

Bit Commitment Generalizations of Hamming codes [73] Binary Erasure Channel Biham and Mor [20] Binary Symmetric Channel Ekert, Huttner, Palma and Peres [45] Entanglement Purification Positive Operator Value Measure Obey Error Corretion Code Oblivious Transfer Quantum Error Correction Quantum Privacy Amplification Reduced Density Matrix Rivest, Shamir and Adleman [91] Quantum bit Exclusive OR Integers Integers Binary strings Distortion measure A set of binary strings Entropy Information, Mutual information Error-rates Parity of a string x Number of 1’s in a string x Unitary transformation A tensor product Bitwise “AND” of two strings Bitwise “XOR” of two strings Hilbert spaces of n dimensions

3

|0i =

1

0

|1i = 01 |Φi; |ui |u′ i ρ α cos θ ; β sin θ cθ , etc. | ↑i, etc.

Basis vectors in H2 Quantum pure states A state orthogonal to |ui A quantum density matrix Pure states in H2 cos θ, etc. A spin-up state in H2 , etc.

4

Chapter 1 Introduction to Quantum Cryptography and Quantum Memory Classical information theory, originated by Shannon [93], quantifies the intuitive concept of information as it appears in a statement like ‘this page contains a lot of information’. It serves as an invaluable tool in communication theory, data processing (e.g., compression), computation theory, cryptography and many other areas in electrical engineering and computer science. Information is deeply related to physical objects; As such, classical information theory can deal only with cases where the carriers of information are classical object (even if underneath there is a deeper quantum reality). In the quantum world it is natural to extend this theory to the more general “quantum information” theory [105, 64, 65, 34, 69, 54, 86, 92], which considers the information content of a quantum system. We are mainly interested in cases where information is encoded into quantum states, and later on decoded back to classical information. The quantum information is transformed to classical information when a test occurs in a laboratory, due to the projection postulate of conventional quantum mechanics. A quantum state (in general, a density matrix) ρ, has a practical meaning: it allows us to predict probabilities regarding various physical tests. Its expectation value regarding a specific state φ, hφ|ρ|φi, can be measured in the laboratory (at least, in principle). In this sense, it is a subjective property of a system: non-pure states are defined as statistical mixtures of pure states1 , hence one considers a state to be non pure due to having partial knowledge on the preparation procedure. If a system is entangled with other systems which are not available to us, then we can only consider measurements on our system, and our prediction ability is more limited; we have to “trace out” the degrees of freedom of the other systems, in order to be 1

Most books use this definition. Unlike most books Landau and Lifshitz [68] use a different definition which assigns objective meaning to the density matrix. In this work we consider only the subjective meaning of the density matrix (namely, prediction abilities which can be verified in the laboratory).

5

able to predict the probabilities of outcomes of various tests performed in our laboratory. The state of our system depends on classical information which we might obtain from people who hold the other systems, since such information could influence our possible predictions. There are various aspects of quantum information, such as entropy of quantum systems [105, 64], the coding theorem for quantum information [92, 63], optimal identification of quantum states [34, 69, 89, 25, 49], quantum noise in transmission channels [29], communication using quantum states and many others. This work deals with quantum communication and cryptography. In communication theory, information is transmitted from one person to another through a channel. Information theory tells us how well a state (say, a string of bits) can be reproduced after it passed through a noisy channel. Thus, it quantifies the reliability of the received state. In classical communication, the information is carried by distinguishable signals, each of which represents a distinct letter of some alphabet (usually binary). Each signal can be duplicated and can also be identified unambiguously unless some noise is added. When a small amount of noise exists, the state could still be identified with excellent probability of success if enough redundancy is added to the transmitted data. In quantum communication, the information is carried by signals which are not necessarily distinguishable [34, 69, 25]. In general, we can omit the specification of the carriers and consider only their quantum states (unless we deal with implementations). For our purposes, it usually suffices to choose an abstract two-level system (with a basis |0i and |1i) to replace the classical bit. A general state of a two-level system α|0i + β|1i with |α|2 + |β|2 = 1, is called a “qubit” (quantum bit) [92]; any larger system consists of many qubits. If one uses non-orthogonal states to represent classical signals ‘0’ and ‘1’, such that the overlap of the two states is not zero, the encoded data cannot be duplicated nor identified unambiguously. In cryptography, information must always remain secret from some people. In this scientific area, human intentions play an important role, and we must always assume that people wish to learn this secret data. For instance, a sender, Alice, wishes to send some data to a receiver, Bob, in a way that an eavesdropper, Eve, cannot learn that data. In this case, information theory may tell us the maximal amount of information available to Eve, depending on her abilities. Thus, it quantifies the security of the secret data. An eavesdropper listening to classical communication can (in principle) remain unexposed, since the data can always be duplicated. Quantum communication allows for more. Using non-orthogonal quantum states to transmit classical bits, the signals cannot be duplicated [107], and any gain of information about them necessarily induces noise. Thus, (unlike classical channels) quantum channels cannot be passively intercepted, when non-orthogonal quantum states are transmitted! This fact was used to suggest a new type of cryptography — quantum cryptography — where the use of non-orthogonal states might permit performing new tasks, which are beyond the ability of classical cryptography. One of the main goals of cryptography, the secure transmission of messages, 6

can be achieved using a secret key known only to the sender, Alice, and the receiver, Bob. The problem is how to distribute the key. Achieving a secure key distribution is among the most important goals of cryptography, and the current ways this is done are either very expensive or not proven secure. The main achievement of quantum cryptography is the design of schemes for secure key distribution. They are using non-orthogonal quantum states, hence, any eavesdropping attempt induces noise and can be noticed by the legitimate users2 . The goal of any quantum key distribution protocol is to generate a common key while not leaking any significant information to an unrestricted adversary; If the amount of information leaked to the eavesdropper is much smaller than a single bit, the key is said to be information-theoretic secure. The classical “public key distribution” and many other protocols in classical cryptography are not designed to withstand adversaries who have unlimited computation abilities; i.e., they can be at most computationally secure. This advantage of quantum cryptography would not be crucial if indeed classical cryptography was computationally secure. However, the existing schemes for classical key distribution rely upon unproven computational assumptions (such as the difficulty of factoring large numbers). In addition to key distribution, it is important to mention a very similar task – namely “key expansion”. In a key expansion protocol some short amount of information (say, m bits) is shared in advance between Alice and Bob, and it is used to derive long common keys (say, of total length n much larger than m). If such an expansion leaks only an exponentially small amount of information to an eavesdropper (say, 2−m bit) the final key is still information-theoretic secure. Quantum key distribution demands, in addition to the quantum channel, also an “unjammable” classical channel in which the transmitted data can possibly be monitored passively, but not modified. This requirement [5] can be derived in principle using schemes for broadcasting the classical messages. Alternatively, it can be fulfilled if the legitimate users can identify each other through the classical channel. In cryptographic terms, it means that they share some information in advance, thus the so called “quantum key distribution” should be better called “quantum key expansion”. Having clarified this point, we shall keep using the “wrong” term as is common. Quantum cryptography was invented in 1969 by Wiesner [106] in his paper on “conjugate coding” (unpublished by that time). Ten years later, a collaboration between Bennett and Brassard (based on Wiesner’s idea) was the actual starting point of quantum cryptography [7], and lead to “quantum key distribution” in 1984 [6]. Their basic idea is to use non-orthogonal quantum states for key distribution since such states cannot be cloned by a potential eavesdropper. They used four possible states, therefore, we refer to their scheme as the fourstate scheme. In 1991 Ekert [44] proposed (following a suggestion of Deutsch) to use quantum nonlocality for cryptographic purposes, and the connection of his scheme to the original quantum key distribution scheme was demonstrated by 2

For a more accurate analysis of this delicate point see [52, 88, 53].

7

Bennett, Brassard and Mermin [11]. We refer to their version of Ekert scheme as the EPR scheme. Another important scheme was later proposed by Bennett [4], showing that quantum key distribution can be performed even if one uses only two non-orthogonal states. We refer to this scheme as the two-state scheme. Any of these schemes can be used to design a quantum key distribution protocol, where a quantum channel and an unjammable classical channels are used to transmit a secret key. If Alice and Bob identify errors (by the discussion over the classical channel) they quit the protocol. Thus, Eve can force them to quit the protocol, but she cannot cheat them into thinking she is not listening, and still get information about their key. The first prototype for quantum key distribution was built in 1989 [5]. It provided a proof of feasibility by performing a distribution over a distance of 30 centimeters. Since then, much more practical prototypes were built for a distance of 30 kilometers [74] in a coil, a distance of 24 kilometers in underground optical fiber [55], and 23 kilometers in underwater optical fiber [84]. The implementations are using either photon polarization (as originally proposed in [6]) or phase and interferometry (as in [4]). Unfortunately, they are mainly using weak pulses of coherent light instead of Fock states of single photons, and this creates various problems of security, due to the use of a Hilbert space which is different from the Hilbert space used in the theoretical schemes. This problem is considered in [58, 110]. It is yet unclear whether future practical quantum key distribution will be based upon weak coherent pulses or upon single photons. The basic theoretical schemes already raise the main fundamental questions regarding quantum key distribution, thus we shall not consider here the more complicated practical schemes which use weak coherent pulses. Most of the fundamental questions in quantum key distribution (and more generally, in quantum cryptography) are due to activities which are permitted by the rules of quantum mechanics, but are not technologically feasible. The ability to maintain quantum states unchanged for long times was ignored till recently, but today it strongly influences any suggestion (or analysis) in quantum cryptography. In this work we investigate the role of quantum memory in quantum cryptography, and mainly in quantum key distribution. The most important question in quantum cryptography is to determine how secure it really is. Any practical implementation must take into account that some errors are inevitable due to errors in creation, transmission and detection of quantum states. The legitimate users must be able to withstand some errors, and furthermore, must correct them to yield a final (shorter) common key. Thus, Eve can gain some information from both the quantum states (if she induce less errors than permitted) and the error-correction data (transmitted through a classical channel). Eve’s total information depends on the permitted error rate, on her attack and on the error-correction code used by Alice and Bob. Clearly, it is not negligible. To overcome this problem, and enable the derivation of a final key which is both reliable, and secure, privacy amplification schemes were designed [5, 13, 9]. Their goal is to reduce Eve’s information to be as small as desired, for the price of shortening the final key even further. To do so, collective 8

properties of substrings of bits (e.g., the parity of a substring) are used as the final key. In early papers on quantum cryptography, the security of quantum key distribution was studied under the assumption that the eavesdropper is performing standard (von Neumann) measurements on the photons on their way from Alice to Bob. Such analysis can be found, for instance, in [57, 5], where in [57] the issue of Eve’s information gain versus the disturbance to Bob’s state was discussed, and in [5] Eve’s information on the final string was also considered. It is rather clear [5, 13] (although, not explicitly proven) that privacy amplification is effective against any attack of that type, implying the security of quantum key distribution against such attacks. Unfortunately, quantum mechanics permits much more sophisticated eavesdropping strategies, against which there are no security proofs3 . Quantum gates are currently under investigation by both theorists [36, 41, 2, 31] and experimentalists [33, 103, 82]. Eve can use quantum gates to perform translucent attacks [45], which are not “opaque” (intercept/resent) as the standard measurements are. In translucent attacks Eve interacts with Alice’s particle as follows: she attaches an auxiliary particle (a probe) to each transmitted particle by performing some unitary transformation on them together. After the interaction, Alice’s particle is sent from Eve to Bob, in a way that Eve does not know its exact state. If the interaction is weak, it results in a very small disturbance to the state of the transmitted particle. Information gain versus disturbance in such attacks is improved compared to “opaque” attacks [45] and was investigated further [51, 48]. When attacking the four-state scheme of [6], the measurement on the probes can be delayed till receiving the data regarding the basis used by Alice. The main advantage of translucent attack over opaque attack is that it can be performed on all the transmitted particles. In this case it provides very little information on each particle, but it might provide much more information on a collective property used as the final key! Fortunately, it is clear [9] that privacy amplification is still effective against such a single particle attack, and a partial proof was also provided [79]. A demonstration of the effectiveness of privacy amplification against such attacks is given in Chapter 2; this is done for an explicit but typical example. Unfortunately, the effectiveness of privacy amplification against single-particle attacks is not sufficient. Eve can do much more than such an attack if she is capable of keeping the particles in quantum memories. In this case she can perform joint attacks which are directed towards the final key, and the effectiveness of privacy amplification against them is in question. Such attacks were considered in some papers [5, 10], and were analyzed only in case of error-free channels [109] (the analysis was done for quantum oblivious transfer, but the proof applies to quantum key distribution [75] as well). In Chapter 2 we explain the security problem in details, and we present a restricted class of joint attacks which we call collective attacks, in which each transmitted particle is attached 3

But see Section 2.5.

9

to a separate probe. All probes are measured together after Eve gets all classical data, and the attacks are directed against the final key. Such joint attacks are much simpler than the most general joint attacks, however, they are still general enough to present the power of joint attacks. Furthermore, we could not find any joint attack which is stronger than the collective attacks. Thus, we suggest a new approach to the security problem: • to prove the security against collective attacks. • to prove that collective attacks are the strongest joint attacks. While we have done a lot of progress regarding the first issue, we didn’t do much progress regarding the second. We only explain the randomization argument which provides the intuition that collective attacks are the strongest joint attacks. The main achievement of this work is to provide various proofs of the security of the final key (the parity bit) against a very powerful eavesdropper who has both quantum gates and quantum memories. In Chapter 3 we find the optimal information regarding the parity bit, obtained by any type of measurement, and we show that the best measurement is indeed a joint measurement in an entangled basis [15]. In Chapter 4 we consider various realistic attacks on the parity bit which use both quantum and classical (error correction) information and we prove security against them. Our results provide strong evidence that quantum key distribution is secure. We consider various collective attacks which leave the eavesdropper with probes in pure states [20] and mixed states [21], and we prove security against them. In parallel to our work, Mayers [76] and a group in England [38] came up with other approaches to the joint attack, and several works studied the singleparticle attacks [71, 51, 72]. The techniques presented in these papers may well prove useful in advancing the issue of the security of quantum key distribution. In addition to studying the use of a quantum memory to the benefit of the eavesdropper in quantum cryptography, we also study other applications of quantum memory, to the benefit of the legitimate users. In Chapter 5 we introduce a new scheme for quantum key distribution which is implemented with quantum memory and does not require quantum channels! It is a time-reversed EPR scheme and correlations between particles are introduced by projecting their states onto entangled states. Our scheme is especially suited for building a quantum cryptographic network of many users. A quantum memory plays an important role in the security problem also when the legitimate users are permitted to use it (ignoring the practicability of the scheme). In Chapter 6 we discuss new possibilities related to quantum memories: first, they become more available due to suggestions for quantum error correction [95], and fault-tolerant error correction [96]. Second, new applications of quantum memories, namely the possibility to purify singlets [12], can be used to design quantum privacy amplification [38]. We connect the two issues together: we suggest quantum privacy amplification based upon quantum error correction, and discuss their 10

implications for quantum cryptography. This discussion corrects wrong impressions that the security problem has already been solved by quantum privacy amplification [38]. Our new quantum privacy amplification suggests the surprising possibility of using “quantum repeaters” for improving secure transmission of non-orthogonal quantum states over a long distance. The practical interest in quantum cryptography is clear. Furthermore, quantum cryptography raises very interesting physical questions: 1. How is information split between two observers (Bob and Eve)? 2. Is secure transmission of data possible under the laws of Physics? 3. How do (reduced) density matrices (thus, predictions regarding the probabilities of various outcomes in any possible test) change due to additional classical information? The intensive research on quantum information, quantum cryptography and quantum computing already yielded (or helped improve) various surprising advances in quantum mechanics such as teleportation, generalized measurements, fast quantum computation, purification of singlets, and preservation of qubits. The protocols considered here and the attacks against them are discussed in mathematical terms, and are required to be consistent only with the mathematical foundations of quantum mechanics. We prefer to simplify the discussion as much as possible, thus we present simplified models (such as two-level systems, and pairs of two level systems), and not the more realistic models which are implemented in laboratories (such as weak coherent states). The only exception is the case of quantum memory. Due to its special role in this work, we give a brief overview of possible implementations. We shall frequently use the terms existing vs. future technologies, where we actually mean feasible in the near future vs. infeasible in the near (foreseeable) future. We follow the common literature of both theorists and experimentalists in order to decide how to classify each operation, without investigating further into the feasibility question. For instance, creating or measuring a singlet state (or any state of two two-level systems), and applying any single unitary transformations onto two two-level systems, are considered as existing although performing them in practice is still a problem. On the other hand, combining several such transformations on more than two two-level systems, and keeping quantum states for long times are considered as future technology. The distinction between existing and future technologies has a special role in quantum cryptography: the legitimate users are normally permitted to use existing technology only, while the opponents are permitted to use any operation consistent with the rules of quantum mechanics. Thus, a proof of security must hold against a “quantum” opponent and a practical protocol is performed by existing technology. In cases we permit the legitimate users to use future technology we explicitly say it, and we explain the motivation for it. In our work, we shall use alternately Dirac’s bracket notation, vector nota 1 0 tion and spin notation |0i = 0 = | ↑i, |1i = 1 = | ↓i, cos θ|0i + sin θ|1i = 11

cos θ sin θ

= cos θ| ↑i + sin θ| ↓i, etc. In case of spin in x direction we also denote √ | →i = (1/ 2)(| ↑i + | ↓i) = √12 11 , etc. The rest of this introduction is organized as follows: The basics of classical information are described in Section 1.1. Quantum information theory, and mainly the use of quantum states for transmitting classical bits, are described in Section 1.2. The principles of classical cryptography are described in Section 1.3. We review the basic quantum key distribution schemes in Section 1.4, where we also explicitly present a key distribution protocol with all its details, and a detailed explanation of basic eavesdropping attacks and the security against them. We introduce quantum memory in Section 1.5, in which we also discuss basic uses of quantum memories in quantum cryptography, and suggest implementations for a quantum memory. Recent progress in quantum computing [35, 94] are deeply related to this work, although indirectly. A brief introduction to the exciting new developments in quantum computing is given in Section 1.6.

1.1

Classical Information

Classical information theory [93, 1] quantifies the idea of information. If one tells us that the temperature on June 25 went up to about 30 degrees (Celsius) in Haifa, we would not gain much new information due to our a priori knowledge about the weather in that season. But if he tells us that it was snowing that day he surely provides us a lot of new information. To quantify this, some definitions are required. The self information of an event u is I(u) = log(1/P (u)), where P (u) is the probability of the event, and where we always use log2 so the basic unit is a bit. A rare event (e.g., snowing in June) has a large amount of self information. A multiplication of probabilities yields summation of information. The entropy of an ensemble A of events (letters) a1 , . . . , an where each letter ai appears with probability P (ai ) is the expected value of the self information H(A) = E[ log2 (1/P (A))] = −

n X

P (ai ) log(P (ai ))

(1.1)

i=1

and can be thought of as a measure of our lack of information on the unknown P event in A. For instance, for a binary alphabet, H = − 2i=1 21 log 21 = 1 if the letters appear with equal probability, and H = 0 if one letter appears with certainty. The entropy of a binary alphabet with probabilities p and (1 − p) is denoted by H(p) H(p) = −p log p − (1 − p) log(1 − p) .

(1.2)

Two ensembles of letters A and B might have dependent probability distributions. The trivial example is when A is the input alphabet for some information channel and B is the output. The source is assumed to be memoryless and stationary. An average distortion between input vector and output vector 12

is a measure for the channel quality. Usually an additive distortion measure is P used d(u, v) = m i=1 d(ui , vi ) where d(ui , vi ) is a one letter distance. It is called the Hamming distance if d(ui , vi ) = 0 for ui = vi and d(ui , vi ) = 1 for ui 6= vi . For instance, the Hamming distance between the strings 000 and 111 is three. This measure can also be used as a measure of distinguishability of two input vectors (code words). In channel coding we increase the number of bits which encode each code word so that the additive Hamming distance between any two legitimate code words is increased. Hence, they can be distinguished even when the channel is noisy. Such techniques (known as error-correction techniques) enable receiving a reliable output when the channel is noisy. The relation between input and output of a transmission channel is described in terms of information [93, 1], and the Hamming distance can be a measure for the distortion of a string transmitted through the channel. The conditional probability of B = bi given that A = aj is P (B = bi |A = aj ) [we write P (bi |aj ) for convenience]. The joint probability for both aj and bi is P (bi , aj ). In case of independent probability distributions it is equal to P (bi )P (aj ), and in general it is given by the Bayes probability law P (bi |aj )P (aj ) = P (bi , aj ) = P (aj |bi )P (bi ) .

(1.3)

The Bayes probability law presents the symmetry of input and output. The conditional entropy is defined by H(B|A) = −

XX j

i

P (aj , bi ) log P (bi |aj )

(1.4)

where the sum is over the size of the input and the output alphabets. When A and B are independent, H(B|A) = H(B), meaning that we gain no information on B by being told what A is. Otherwise H(B|A) < H(B) meaning that our lack of knowledge about B is decreased when A is given. The gain in information when A is given is called the mutual information and is among the most important notions in information theory. The mutual information I(A; B) is symmetric in A and B. I(A; B) = H(B) − H(B|A) = H(A) − H(A|B) XX P (aj , bi ) = P (aj , bi ) log P (aj )P (bi ) i j

(1.5)

In a perfect channel the output signals are completely determined by the input signals. The channel introduces no errors. A Binary Symmetric Channel (BSC) with input A and output B is a channel with binary alphabet where the signals are transported with symmetric distortion (i.e., equal error probabilities Pe ). The optimal mutual information in this case is achieved when the input probabilities are also equal (hence also the output probabilities). It is I(A; B) = H(B) − H(B|A) = 1 − H(Pe ) = 1 + Pe log Pe + (1 − Pe ) log(1 − Pe ) i 1h 2Pe log(2Pe ) + 2(1 − Pe ) log(2(1 − Pe )) , = 2 13

(1.6)

sometimes denoted as I2 (Pe ). For a given channel, the optimal mutual information (over all possible input probabilities) is called the channel capacity. The channel capacity C is a measure of the minimal distortion caused by the channel. For a binary channel C ≤ 1. The ‘Channel Coding Theorem’ states that it is possible to derive an error-free code using a non-perfect channel [93, 1]: for any positive ǫ, we can choose an integer m and N vectors, N < 2mC , of length m (to be used as code words), such that all code words can be distinguished with error probability smaller than ǫ. Another important channel is the Binary Erasure Channel (BEC) which is actually not a binary channel since its output contains, in addition to ‘0’ and ‘1’ also the letter ‘?’ which stands for an inconclusive result. This channel introduces no error but the output of either inputs is inconclusive with probability P? . Channel capacity is derived with equal input probabilities and is calculated using eq.(1.3), (1.4) and (1.5) to be I = H(A) − H(A|B) = 1 + = 1 − P? .

X

P (bj )

j

X i

P (ai |bj ) log P (ai |bj ) (1.7)

Note that the error probability Pe and the probability P? (of an inconclusive result) have a different weight in their contribution to the mutual information.

1.2

Quantum Information

Contrary to a classical state, a quantum state cannot be identified unless additional information is provided. Suppose that a spin measuring device is aligned in the z direction, so that it can identify the spin of an electron unambiguously if it is prepared along the z direction. An electron with some arbitrary (pure) spin state, say |ψi = α|0i + β|1i (1.8)

(with |α|2 + |β|2 = 1), will yield a result ‘0’ (electron went up in a measuring device) or ‘1’ (electron went down in that measuring device), unpredictably. The only clue that the state was as stated is that the probability for each result can be calculated. These probabilities are |α|2 for the result ‘0’ and |β|2 for the result ‘1’. Only if the physical state is taken from a set of orthogonal states in a known basis can it be identified in one measurement as in the classical case. The n letters of a quantum communication channel can be any different (not necessarily orthogonal nor pure) quantum states ρ1 . . . ρn on an N-dimensional Hilbert space HN . The mutual information of such a channel is a function not only of the input probabilities, but also of the choice of measurement performed by the receiver. Even in case of two orthogonal states, the receiver may select a bad choice of measurement direction which will tell him nothing. Therefore, one of the main questions is how to maximize the mutual information. For given signals and given input probabilities of the source, that is, for a given density 14

matrix ρ=

n X

pi ρi ,

(1.9)

i=1

what is the optimal measurement, and what is the mutual information in this case (called accessible mutual information)? In classical information theory, the only parameter controlled by the legitimate users is the input probabilities: optimizing the mutual information over all possible input probabilities yield the “channel capacity”. In quantum information theory, the users control both the input probabilities and the measurement, and optimizing both to maximize the mutual information yields the channel capacity. We usually deal with given (and equal) input probabilities, and care only about the accessible mutual information and not about the channel capacity. The issue of finding the accessible information is frequently considered in the literature. One way to attack this problem is to find upper [64] and lower [62] bounds on this information where the entropy of a quantum system, S = Tr (ρ log ρ) −

X

Tr (ρi log ρi )

(1.10)

i

serves as the upper bound. Another way is to investigate and solve some special cases (subclasses) [69, 34, 25] or concrete examples [34, 65]. Levitin [69] discussed two density matrices with equal determinants in 2-dimensional Hilbert space, and Braunstein and Caves [25] considered density matrices which are close to each other. Various cases of pure states are also solved; Kholevo [65] and Davies [34] presented examples (with n > N) where the optimal mutual information is derived with a non-standard measurement (i.e. non von Neumann measurements) since non-standard measurements [61] can result in more than N results. On the other hand, it seems [69] (but has not been proven) that if the Hilbert space spanned by n pure states is n-dimensional, the measurement which optimizes mutual information is a standard (projection) measurement. With some additional conditions, it probably holds for density matrices as well. Let us consider the simple case of two non-orthogonal pure states in H2 . A generalization of this to HN is trivial since two pure states always span some 2-dimensional subspace of HN . Suppose that the sender of the information, Alice, emits particles in one of the two non-orthogonal states |ui and |vi, which represent bits 0 and 1, respectively (the state of each particle is known to Alice). The states are sent with equal probabilities. Since these two states are not orthogonal, the receiver, Bob, cannot identify with certainty the state of a given photon. By a suitable choice of basis, the two non-orthogonal states |ui and |vi can be written as ! ! cos α cos α , (1.11) and |vi = |ui = − sin α sin α where 0 < α < 45◦ . The angle between the two states is 2α. Note that the overlap between the two states is C = hu|vi = cos2 α − sin2 α = cos 2α . 15

(1.12)

A standard measurement in an orthogonal basis symmetric to the two states optimizes [69] the mutual information; it is analogous to a BSC. This measurement introduces an error 1 − sin 2α π , (1.13) Pe = sin2 ( − α) = 4 2 hence, IBSC = 1 − H(Pe ) = I2 (Pe ) . (1.14) Although a standard measurement is optimal in this case a non standard measurement [60] may be better for certain purposes. The receiver can build a device which gives a definite answer in a fraction of the cases, and an inconclusive answer otherwise. A measurement of this type (with a perfect channel) creates an analogy to the BEC. It lets the receiver derive the optimal deterministic results. It is useful if the receiver is permitted to use a subset of selected bits and throw undesired result. In such a case, a measurement which optimizes the mutual information regarding the selected bits is preferable to the one which optimizes the average mutual information regarding all bits. A simple way to perform a deterministic measurement is to perform a standard measurement in the basis of one of the vectors. We define two vectors, − sin α |u i = cos α ′

!

and

!

sin α , |v i = cos α ′

(1.15)

which are orthogonal to |ui and |vi respectively. Suppose Bob measured in the |ui |u′ i basis: if the result is |u′ i which is orthogonal to |ui, it must have been the other state |vi prior to the measurement; if the result is |ui, it is inconclusive, since it could be either of the two possibilities prior to the measurement. The above can also be described in terms of non standard measurements, a description which is sometimes more appropriate for such analysis. The generalization of the standard projection measurement is called a positive operator valued measure (POVM) [61, 54, 87, 86]. A POVM is a set of positive operators A1 . . . Ak which sum up to the unit matrix 1l. Each operator corresponds to a possible outcome of the measurement. The probability that this generalized quantum measurement yields the µ’th element of the POVM, if the system was prepared in a pure state ψ, is hψ|Aµ |ψi. More generally, for a preparation represented by a density matrix ρ, this probability is Tr (ρAµ ). Contrary to the two positive operators which define a standard (projection) measurement, the operators which build up the POVM do not have to fulfill the condition that Ai Aj = 0 for i 6= j, nor that Ai Ai = Ai . To derive the optimal POVM in our case, we use the vectors |u′ i, |v′ i and a third vector ! 1 , (1.16) |wi = 0 equidistant from |ui and |vi. It is easy to verify that the three positive operators Av = |u′ ihu′|/(1 + C),

Au = |v′ ihv′ |/(1 + C), 16

Aw = 2C |wihw|/(1 + C), (1.17)

(where C = cos 2α) sum up to the unit matrix 1l, and that Au and Av are maximal (increasing them further will violate the conditions for a POVM). A quantum test yielding Av rules out the initial state u which is orthogonal to it. The same is true for Au while Aw yields an inconclusive result. The probability of an inconclusive result is hu|Aw |ui = hv|Aw |vi = C,

(1.18)

IBEC = 1 − C .

(1.19)

hence, It is always possible [87] to extend the Hilbert space of states, H, in which this POVM is defined, in such a way that there exists, in the extended space, K, a set of orthogonal projection operators, Pµ , summing up to the unit operator, and such that each one of the Aµ in Eq. (1.19) is the projection of one of these Pµ from K to H. This is Neumark’s theorem [86]. The physical interpretation of this theorem is that the extended space K corresponds to a combination of the system to be measured with another system, called ancilla, prepared in a known state [60, 87]. Another POVM, less efficient but simpler to realize than the above one, is the one we described earlier (a standard measurement in one of the basis). This POVM is made of the positive operators: Av = (|u′ ihu′ |)/2,

Au = (|v′ihv′ |)/2,

Aw = (|uihu| + |vihv|)/2 . (1.20)

In this case, the ancilla merely registers which basis was used. The optimal mutual information for the two non-orthogonal pure states is derived by a standard projection measurement. The optimal basis is an orthogonal basis symmetric to the two states[69, 70]. An unproven claim of Levitin is that the optimal measurement is a standard measurement also for the case of two density matrices in H2 . Levitin finds the accessible information for the simple case of two density matrices with equal determinant and input probabilities, where, again, the optimal basis is symmetric. Exact solutions for more complicated cases are not known.

1.3

Classical Cryptography

The art of cryptography is almost as old as wars are. First, the transmission of a secret message was done by trusted messengers. Then, people started to use substitution codes which ‘prevented’ the enemy from reading the messages even if he has got them. In this cryptographic method each letter is replaced by another letter using some secret permutation, whose choice is chosen from all the 26! possible permutations. The permutation must be known to the receiver, thus the sender and the receiver must share some secret data (a key) in advance. However, statistical properties of the language can be used to crack such codes. More recently (16th century), a new technique was replacing the substitution 17

codes. In this technique, the data (which for our purposes is always represented by a string of bits) is divided into strings of equal length k, and each string is combined (say, by a bitwise XOR operation) with a random key of length k known to the sender and the receiver. The combined data is sent through the communication channel. The usage of a random key reduces the statistical characteristics, since a letter is not always replaced by the same letter. The one time pad version of the key encoding (also called Vernam cipher), where the random key K is as long as the message M, was invented at the beginning of this century. In this encoding the i’th bit of the message is XORed with the i’th bit of the key to yield the i’th bit of the encoded message C, Ci = Mi ⊕ Ki (so that Ci is zero if Ki = Mi and one otherwise). For example, M K C

001110 101011 100101 001001 110111 100010 111010 010100 001101 011010 . 101100 010001 110001 000100 101101

(1.21)

This cipher cannot be broken at all since the key randomizes the message completely. It is easy to see that knowing the transferred message C = M ⊕ K gives no information about M to an eavesdropper. This is formally proven using information theory; The eavesdropper’s information is not increased since the probability of guessing the message M is independent of C: P (M|C) = P (M). The safety of the transmission depends on the safety of the key, which has to be uniformly random, secret and shared only by the legitimate users. Moreover, safety can be guaranteed only if the key is used only once. The problem is therefore how to distribute the random key between users in a secure way. Classically, the only possibility is either through personal meetings, or through trusted couriers. Therefore, one time pads are very expensive, and are impractical for many applications. Most practical cryptographic systems nowadays rely on different principles, i.e., computational security. This means that the system can be broken in principle, but that the computation time required to do so is too long to pose a real threat. Unfortunately, none of the existing schemes is proven to be computationally secure, and they rely on various computational assumptions. On one hand, they can be adjusted to yield any desired level of security once these assumptions will be proven. On the other hand, the existing schemes might be broken in the future due to technological progress (faster computers), mathematical advances (faster algorithms or future theoretical progress in computation theory), or new type of computers (such as quantum computers) which are not equivalent to the standard computers. The existing public key distribution schemes are based on the very reasonable (but unproven) complexity assumption that there are problems which can be solved in non-deterministic polynomial time but cannot be solved in polynomial time (see explanation in Section 1.6), combined with additional less solid assumptions, such as that factoring large numbers is difficult. While the first assumption is very reasonable, the additional assumption is not. Indeed, some public key cryptosystems have already been broken in the past. The most 18

popular public key cryptosystems nowadays are based on the assumptions that the discrete logarithm and factorization problems are difficult. These assumptions might be found wrong in the future. Furthermore, recent developments in quantum computation enable to use quantum computing devices to crack (at least in principle) all public key cryptosystems which are based on the discrete logarithm and factorization problems (and maybe many others) in polynomial time. The principle of public key cryptography was invented by Merkle [80] and Diffie and Hellman [40]. Later on, this principle had lead to the RSA crytposystem [91] which is the basis for the most important public key schemes. The idea of public key cryptography is that the receiver chooses a pair of mutually inverse transformation E and D, one used for encryption and one for decryption. The sender does not need to know the receiver’s secret key. Instead, the receiver publishes the encryption method E so that any user can use it (by calculating C = E(M) ) to send the receiver any message. The decryption algorithm D remains secret, so that only the receiver can compute it and read the message M = D(C). As we mentioned previously, public key cryptography is not information-theoretic secure, but, based on some computational assumptions, it is designed to be computationally secure. It is based on the presumed existence of ‘one way functions’, E, which are easy to calculate while it is very difficult to calculate their inverse. This would still be fine if we could prove that a huge computing power is indeed required. Unfortunately, this is only assumed, and none of the suggested transformations is proven to yield a reasonable and useful one way function. To be useful for public key cryptography a one way function must have a “trapdoor” which is used by the legitimate users, and sometimes, the same trapdoor helps the adversary in reversing the function. Modern cryptography deals with many other protocols, aside from the secure transmission of messages, such as authentication, identification, electronic signatures, contract-signing, zero-knowledge proofs, and more. Some basic protocols (from which more complicated protocols are built) are coin-tossing, bit commitment and oblivious transfer. Public key cryptography provides beautiful solutions to many such tasks, but usually these implementations suffer from security problems similar to those we previously explained.

1.4

Quantum Cryptography

A different technique for key distribution, which might provide an informationtheoretic secure key distribution is quantum cryptography. The legitimate users of a quantum key distribution scheme use non-orthogonal quantum states as the information carriers. They cannot prevent Eve from listening to their information exchange, but due to the “no-cloning” principle they will notice if she does, and in such a case, they will not use the non-secret information. The no-cloning principle assures us that any eavesdropping attempt induces noise. This noise can be detected by Alice and Bob during the second stage of the transmission, 19

which includes discussion over a classical channel. Let us present the no-cloning principle in more details. The “no-cloning theorem” tells us that a single quanta cannot be cloned [107, 39]: Assuming that (any) quantum state can be cloned contradicts the unitarity of quantum mechanics. Let u and v be two non-orthogonal (and non-identical) quantum states, let A be the initial state of an auxiliary system used for the cloning process, and let U be a general unitary transformation. A cloning process which duplicates both states is [86]: |Ai|ui −→ U(|Ai|ui) = |Bu i|ui|ui |Ai|vi −→ U(|Ai|vi) = |Bv i|vi|vi

(1.22)

with all states normalized. This process is impossible since unitarity implies hu|vihBu|Bv i = 1 (note that the states B live in a smaller dimensional Hilbert space than A). Moreover, even a less ambitious cloning process |Ai|ui −→ U(|Ai|ui) = |Au i|ui |Ai|vi −→ U(|Ai|vi) = |Av i|vi ,

(1.23)

(with |Av i = 6 |Au i) is impossible; In this process one attempts to gain an imprint of the received state (|ui or |vi), without disturbing the original. Unitarity implies hAu |Av i = 1, meaning that no information at all can be gain on the states while keeping them unchanged [11]. There is no duplicating attempt here and we adopt Peres’ suggestion to name this “an imprint process”. Thus the second version of “no cloning” is referred to as the “no clean imprint” theorem: one cannot get an imprint of a quantum state without dirtying the origin. In quantum cryptography Alice and Bob use a quantum channel to transmit the non-orthogonal quantum states. Any attempt by Eve to learn anything about these states induces noise. The information transmitted in a quantum channel may be modified, hence Alice and Bob use also, in addition to the quantum channel, an unjammable classical channel which is not secured against eavesdropping. The quantum channel is used for the distribution of the secret key, while the classical channel is used in particular to verify that there are no errors (hence no eavesdropping), and later on, to send the encoded message. In principle, this is sufficient to ensure the safety of the transmission: Alice and Bob exchange a larger string than required for the key and use the extra part to test for eavesdropping. If they find no errors the channel is secure hence also the transmitted key. This can be verified to any degree of safety by checking a larger fraction of the bits. If they do find errors they know that Eve was listening. Unfortunately, perfect quantum channels do not exist and Alice and Bob may find errors even if no eavesdropper is listening. As a result, a much more complicated protocol is required, and the eavesdropping analysis also becomes much more complicated. At first it seemed that quantum key distribution can still be secure in this case, but it was recently understood that security in noisy 20

channels (and devices) is not guaranteed, if Eve is equipped with a quantum memory! When we use the terms “secure” or “secret” in the rest of the work we refer to being information-theoretic secure (unless stated otherwise). Key distribution is only one of the implementations of quantum cryptography. Many other tasks (and their implementations) have been considered in the literature, based on the four-state scheme. We shall also discuss two tasks which have been the subject of very interesting works in quantum cryptography: oblivious transfer and bit commitment.

1.4.1

The Four-State Scheme and a Protocol for Quantum Key Distribution

The first quantum key distribution scheme is the Bennett–Brassard (BB84) scheme [6] which we call the four-state scheme. We describe it using the terminology of spin 1/2 particles, but it can use any two-level system. A classical two-level system, such as a bistable device, can only be found in one of the two possible states, hence it encodes one bit. In contrast, a quantum two-level system can be prepared in any coherent superposition of the two basis states, which creates a much richer structure. Such a system is now known as a “qubit” [92] (i.e. quantum bit). For each qubit, Alice chooses at random whether to prepare her state along the z or the x axis, i.e., in one of the two eigenstates of either Sˆz or Sˆx . This state, denoted by: | ↑i, | ↓i, | ←i or | →i is then sent to Bob. It is agreed that the two states | ↑i and | ←i stand for bit value ‘0’, and the other two states, | ↓i and | →i stand for ‘1’. Bob chooses, also at random, whether to measure Sˆz or Sˆx . When his measurement is along the same axis as Alice’s preparation (e.g., they both use Sˆz ), the measured value should be the same as hers, whereas when they use conjugate axes, there is no correlation between his result and Alice’s original choice. In addition to the quantum channel, the legitimate users also use a classical channel as previously explained. By discussing over this channel Alice and Bob agree to discard all the instances where they did not use the same axes. The result should be two strings of perfectly correlated bits. These two strings shall be identical in case no natural noise occurs and no eavesdropper interferes. We shall call this resulting string the raw data. As the choice of axis used by Alice is unknown to Eve, any interaction by her will unavoidably modify the transmission and introduce some errors. In practice however, the transmission will never be perfect and there will be some errors, even in the absence of an eavesdropper. Alice and Bob use the classical channel to compare some portion of their data and calculate the error rate. They decide about some permitted error rate, Pe , which they accept, and determine this error rate according to the properties of the channel and their devices. Eve could take advantage of that, and attack some of the bits to gain some information, as long as the error rate she induces, pe , plus the natural errors, do not exceed the permitted error rate. For all further discussions we assume that Eve is powerful enough to replace the channel by a perfect channel

21

so she can induce as many errors as accepted by the legitimate users pe ≈ Pe (or more precisely – a little less): Eve can detect the particles very close to Alice’s cite (where not many channel errors are yet induced) and release her particles very close to Bob’s cite. Assume Alice and Bob used the same basis. When Eve eavesdrops on a fraction η of the transmissions, performing a standard measurement in one of the bases (as Bob does), the error rate created is pe = η/4: when Eve uses the correct basis, she does not introduce any error, while she creates a 50% error rate when she uses the wrong basis. Eve knows the permitted error rate (agreed using the classical channel), thus she chooses η = 4Pe . The average mutual information she obtains is η/2: she has total information when she used the correct basis, and none when she used the wrong one. Note that the scheme is completely symmetric, so that Eve shares the same information with Alice and with Bob. Therefore, we can write the mutual information shared by Alice and Eve and shared by Eve and Bob as a function of the error rate: IAE (Pe ) = IEB (Pe ) = 2Pe . More complicate attacks are discussed in Chapter 2. As long as Pe is not too high, Alice and Bob might be able to use classical information processing techniques, such as error correction and privacy amplification [5, 13, 9], to obtain a reliable and secure final key. It is called reliable if they succeed to reduce the error rate to zero, and it is called secure if they succeed to reduce the information obtained by Eve to zero as well (by “zero” we mean close to zero as they wish). Both techniques are based on the use of parity bits of long strings where the parity of a string is zero if it contains an even number of 1’s and the parity is one if the string contains an odd number of 1’s. For a two-bit string, this is exactly the XOR of the two bits. The simplest error-correction code is the repetition code from one bit to three bits: 0 is encoded as 000 and 1 as 111. It is not efficient (since the amount of transmissions is increased by a factor of three) and it can correct only one error in the three bits; and if two errors occur the “corrected” final bit is wrong. This code uses two additional bits to correct a possible error in one bit. A more efficient code [73] is the Hamming code H3 which uses three parity bits to correct one error in four bits: Alice add to her four bits three parity bits so 16 different words are written using 7 bits. Since this example is explicitly used in Chapter 4, let us present it in more details. The words are easily calculated by taking the fifth bit to be the parity of bits 1, 2, and 3; the sixth bit to be the parity of bits 1, 2, and 4; and the seventh bit to be the parity of bits 2, 3, and 4. For instance: 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 0 1 0 1 0 1 0 0 1 1 1 1 0 . (1.24) 0 1 0 0 1 1 1 . . . 1 1 1 1 1 1 1 Let us call these seven-bit words wi where i goes from 1 to 16. It can be easily 22

checked (an also proven) that any two words differ by at least three bits, thus any single error can be corrected. (We say that any two words are at a Hamming distance of at least three). When Alice sends a word wi and Bob receives it with a single error he can correct it and re-derive wi . In practice Alice will send Bob seven random bits. If the seven-bit word is in the above set, she (later on) sends 000. If it is 0000 001 or any word which is the bitwise XOR of wi with 0000 001 Alice sends (later on) the string 001. If it is any word which is the bitwise XOR of wi with 0000 010 Alice sends the string 010, etc. Note that Alice actually sends the parity bits of (1, 2, 3, 5); (1, 2, 4, 6); (2, 3, 4, 7). In this case we say that Alice sends the parities of the parity substrings (1110100; 1101010; 0111001). Doing so she also tells the parities of all their linear combinations, such as 1110100 ⊕ 1101010 = 0011110. This Hamming code has generalizations to codes Hr of length 2r − 1 and r parity bits, and generalizations to BCH codes which correct more than one error [73]. Assume that Eve had no knowledge on their string apart of the errorcorrection data. After performing that type of error correction Alice and Bob remain with a corrected word of the same length (e.g., of length of seven bits in the above example), and Eve knows that it is taken from a smaller set of words (16 words, in this example). Alternatively, they can distill a shorter common string (of length four, in the above example), which is completely unknown to Eve (simply by keeping only the four first bits in the above example). In reality, Eve has both the error-correction data, and some data she gained by eavesdropping on the transmitted particles. Alice and Bob perform a privacy amplification technique to reduce Eve’s information to be as small as they wish. The simplest privacy amplification uses the parity bit of a string as the secret bit. The analysis of Eve’s information could be very complicated. Let us start from the simplest case. In case the eavesdropper does not know one (or more) bit(s) of the string, she does not have any information on the parity bit. In other simple cases Eve has either full information or zero information on each bit, and we can calculate the probability P (n) that Eve knows all the bits thus we can calculate her average mutual information I = 1[P (n)] + 0[1 − P (n)] = P (n). If P (n) is exponentially small with n we say that the final bit is exponentially secure4 . In general, the situation is more complicated, and Eve’s information on each bit is neither zero nor one. When Eve has some probabilistic information on the bits, her information on the parity bit is not a simple function as in the example above. Analysis of the privacy amplification in such cases were done in [9, 79] using the concept of collision entropy. Alternatively, one could calculate the probability that Eve guesses the parity bit correctly. When privacy amplification is done after error correction, its analysis is even more complicated since Eve has both the information on the bits and the error-correction data. Furthermore, we might wish to obtain more than one final bit, so that the parity 4

When Eve has a total information which is much smaller than one bit, the key is already information-theoretic secure. An exponential security where I ≈ 2−n is much better than security with I ≈ 1/n.

23

of the whole string is not a good choice, and the final key is usually constructed from parities of several substrings of length of about half the string. Fortunately, for particular symmetric cases, where Eve has the same error probability for each bit, the analysis of privacy amplification is still possible. Let us return to the key distribution scheme: All these operations, error estimation, error correction and privacy amplification, waste many bits (say, l). In order to remain with a final key of L bits Alice should send L′ > 2(L + l) qubits (where the factor 2 is due to the two bases). In more details, Alice and Bob start with L′ qubits, compare basis, and use some bits (of the raw data) to estimate Pe . As a result, n bits remain, from which about Pe n are erroneous. Alice and Bob randomize the order of the bits and correct the errors using an appropriate error-correction code [73]. This process generates parity bits which Alice sends to Bob (using the classical channel), who uses them to obtain an n′ -bit string (n′ could be smaller than n) identical to Alice’s, up to some very small error probability. By that time Eve has both the information she gained in her measurements, and the additional information of the errorcorrection data. Alice and Bob amplify the security of the final key by using privacy amplification: by choosing some parity bits of substrings to be the final key. Both the information available to Eve on the final key, and the probability pf of having error in the final string must be close to zero as much as desired by Alice and Bob. Various eavesdropping techniques, and the efficiency of privacy amplification against them, are discussed in details in the next chapters. Another fact which could be useful to Eve is that some of the transmitted particles do not reach Bob. The easiest way to deal with them is to consider them as errors (but this might affect the practicality of the scheme). By the time we started this work, it was assumed that the privacy amplification of [13] and its extension in [9], indeed provide the ultimate security. Only after intensive discussions with Charles Bennett, Bruno Huttner, Dominic Mayers and Asher Peres, (initiated in Torino, 1994, at the ISI conference), it became clear to us that privacy amplification might not work against a “quantum” eavesdropper equipped with a quantum memory, and the possibility to do any unitary transformation on the qubits. The security problem is explained in Chapter 2, together with our suggestion for a way to approach the security problem. We develop it further in Chapters 3 and 4, providing strong evidence that quantum key distribution is secure, even against a “quantum eavesdropper” equipped with any possible devices, and restricted only by the rules of quantum mechanics. Let us review other schemes for quantum key distribution, and concentrate only on the parts which are different from the above scheme.

1.4.2

The EPR Scheme

The second basic quantum key distribution scheme is based on EPR [43] correlations. It was suggested by Deutsch [35], formalized by Ekert [44] and modified by Bennett, Brassard and Mermin [11]. We describe here the modified version 24

which we call the EPR scheme. In this scheme Alice creates pairs of spin 1/2 particles in the singlet state, and sends one particle from each pair to Bob. When the two particles are measured separately the results obtained for them are correlated. For example, if they are measured along the same axis, the results are opposite, regardless of the axis. Alice and Bob use the same sets of axes as for the four-state scheme, say Sˆz and Sˆx , and keep the results only when they used the same axis. It is noteworthy that, in the EPR scheme, the pairs could be created by any other party, including Eve herself. Let us discuss this point in more details. The singlet state may be written in infinitely many ways. We write it as: Ψ

(−)

=

s

1 (| ↑A ↓B i − | ↓A ↑B i) 2

=

s

1 (| ←A →B i − | →A ←B i) , 2

(1.25)

where the equality follows from | →i = √12 (| ↑i + | ↓i) and | ←i = √12 (| ↑i − | ↓i) , and where the subscripts ‘A’ and ‘B’ stand for Alice and for Bob. When Alice and Bob use the same axis, either z or x, we use the first or the second equation respectively, to see that their measurements always yield opposite results. The singlet state is the only state with this property. Therefore, as Alice and Bob may measure either of these two options, any deviation from the protocol by Eve (i.e., any attempt to create another state), will induce errors. So Eve must create the required singlet state, from which she cannot extract any information about Alice’s and Bob’s measurement (see [44, 11] for more details).

1.4.3

The Two-State Scheme

The last elementary scheme is the two-state scheme [4]. In this scheme, Alice chooses one of two non-orthogonal states, cos θ φ0 = sin θ

!

cos θ or φ1 = − sin θ

!

(1.26)

and sends it to Bob to encode 0 and 1 respectively. As these states are not orthogonal, there is no way for Bob to decode them deterministically. Bob must not use the optimal projection measurements (in the symmetric basis) because then the protocol is unsafe: Eve also measures in that basis and sends Bob photons (according to her results) in the orthogonal symmetric basis; hence her string and his string are the same. Bob expects a certain amount of errors which is exactly the amount of errors in Eve’s string, Therefore Eve introduces no additional errors to what Bob would expect. Bob must obtain deterministic information on Alice’s state in order to notice the presence of Eve. We have already seen how to analyze this system in Section 1.2, and we saw that partial deterministic information is obtained by 25

means of a POVM. When the best possible POVM (1.17) is used, Bob’s mutual information is equal to 1 − P? = 1 − cos 2θ where cos 2θ is the overlap of the two states. When Bob uses the optimal POVM, Eve cannot avoid introducing errors. The safety of the protocol against eavesdropping is ensured by the fact that Eve cannot always get deterministic results either. Therefore, in many instances where she intercepts the transmission she will have to guess Alice’s choice. If the channel is very lossy, Eve could take advantage of it and learn all information: she performs the optimal deterministic attack, and throws away the bits whenever she got an inconclusive result. Thus, in order to use this scheme we must restrict also the losses in addition to the restriction on the error rate, or alternatively use a reference signal [4]. To simplify further discussion of this scheme we redefine Pe to include the losses, thus it is better for Eve to send something (which might not be counted as error) than to keep the particle. In our further discussions we consider a scheme in which Bob does not perform the optimal POVM. Instead, Bob performs a less optimal test which also provides him with a conclusive or inconclusive result. This test was described in Section 1.2 by a less efficient POVM (1.20), but it can also be described using ordinary measurements: Bob performs one of two possible tests with equal probability. In half the cases he tests whether a specific particle is in a state φ0 θ or a state orthogonal to it φ0 ′ = −sin ; A result φ0 is treated as inconclusive cos θ (since it could also be φ1 sent by Alice), but a result φ0 ′ is always identified as φ1 . In the other half he tests a specific particle is in a state φ1 or a whether sin θ ′ state orthogonal to it φ1 = cos θ ; A result φ1 is treated as inconclusive (since it could also be φ0 sent by Alice), but a result φ1 ′ is always identified as φ0 . All the conclusive results are the raw data. Note that Bob can get a correct conclusive result only if he chooses a basis which does not contain Alice’s state (in contrast to the situation in the four-state scheme).

1.4.4

Weak Coherent Pulses

As single photons are difficult to produce experimentally, a “slight” modification of the four-state scheme, using weak pulses of coherent light instead of single photons, was the first one to be implemented in practice [5, 100, 83]. Such schemes are sensitive to losses in the channel and to the existence of two photons in a pulse. In an earlier work [58], not included in this thesis, we focused on quantum cryptographic schemes implemented with weak pulses of coherent light. We compared the safety of the four-state scheme and the twostate scheme, and presented a new system, which is a symbiosis of both, and for which the safety can be significantly increased. In that work we also provided a thorough analysis of a lossy transmission line. A recent work of Yuen [110] suggests that most of the practical schemes implemented in laboratories based on weak coherent pulses are not “slight” modifications since they use a completely different Hilbert space. Yuen actually shows that these implemented schemes 26

are insecure due to that fact. In this thesis we do not deal with weak coherent pulses. Whenever we discuss the four-state or the two-state schemes we refer to the schemes as previously described, which are using two level systems.

1.4.5

Quantum Bit Commitment and Oblivious Transfer

Let us consider two other possible applications of quantum cryptography, Bit Commitment (BC) and Oblivious Transfer (OT). These are defined as follows: BC: Assume Alice has a bit b in mind. She would like to be committed to this bit towards Bob, in a way that she cannot change it, but yet, Bob will have no information on that bit. In a bit commitment scheme Alice provides Bob some evidence through a procedure commit(b) which tells him that she is committed while following these two requirements. At a later time Alice can reveal b to Bob through another procedure unveil(b), which provides Bob, in addition to the value of the bit, with some information from which he can make sure she did not change the bit she was committed to. 2 1

OT [106, 47]: Alice has two bits in mind. She sends them to Bob in a way that he receives only one and knows nothing on the other bit. Alice does not know and can have no control on whether Bob gets the first or the second bit.

OT [90]: Assume Alice has a bit b in mind. She would like to transmit this bit to Bob so that he receives this bit with probability 50%. Bob knows whether he received the bit or not, but Alice must be oblivious to this. Neither of them can control the probability of reception. In the BC protocol, a cheating Alice would like to change her commitment at the unveil stage, and a cheating Bob would like to learn the bit from her commitment. In the 21 OT a cheating Alice would like to control or to know which bit Bob received, and a cheating Bob would like to learn more than one bit. In the OT protocols a cheating Alice would like to control the probability that Bob receive the bit in OT or to learn whether Bob got the bit or not, and a cheating Bob would like to learn the bit with probability better than 50%. The two versions of OT are equivalent[32]: OT is derived from 21 OT by

considering only one bit of the two. A protocol for 21 OT is derived from OT as follows: Alice and Bob perform OT several times. Bob arranges the bits in two strings — a string of bits he knows and a string of bits he doesn’t; He tells Alice the groups but notwhich group is known to him. Then, the parity bits of each string are used for 21 OT.

BC can be derived easily from 21 OT: Suppose Alice sends a string of 2n bits to Bob such that each pair of bits b2i , b2i+1 are transmitted to Bob via 27

2 1

OT scheme. Alice wants to commit to a bit b, so she chooses the pairs of bits to fulfill b = b2i ⊕ b2i+1 . Bob knows nothing on the value of b. Procedure unveil(b) includes the value of b and the value of all the 2n bits. If Alice wants to change the value of b she needs to change one bit in each pair. Unless Bob has accidentally received (in commit(b) ) only the bits she does not change, she will be caught. Her chance to cheat successfully is 2−n , so that this procedure provides exponential security. It is generally believed that OT cannot be derived from BC. The best protocols which are available today for quantum oblivious transfer and quantum bit commitment are severely influenced by the possibility to use quantum memories. On one hand, we do not wish to explain these complicated protocols in details since they are not relevant for our work. On the other hand, their sensitivity to the existence of quantum memory is remarkable, and we wish to show it. As a compromise, we present two toy-models which exhibit the same sensitivity to quantum memories. The four-state protocol for key distribution can be modified to produce a naive 21 OT protocol [32]: Alice sends particles as in the four-state scheme and Bob measures them in one of the two bases. If he measures in the same basis Alice has used he gets a bit, hence he receives each bit with probability 50%. Alice then tells him the basis she used for each photon, so he knows which bits he has received as required. Bob organizes the bits in two sets, one set for those he identified and one for those he didn’t. He tells Alice the members of each set but not which is the identified set. Alice sends him error-correction data for the two sets so that he can correct one of the strings only, but not the other. Finally Alice uses the parity bit of one of the strings to transmit him her secret bit. A naive bit commitment scheme based on using the four-state scheme can also be easily implemented by choosing the basis as representing the secret bit. Alice sends to Bob the bit ‘0’ using either | →i or | ←i, and ‘1’ using | ↑i or | ↓i. In this case, of course, Alice does not tell Bob anything at the commit(b) stage. In the unveil stage she tells him both the bit and the state she used. Bob cannot learn the bit since both possible values are described by the same density matrix (1/2)(| →ih→ | + | ←ih← |) = (1/2)(| ↑ih↑ | + | ↓ih↓ |) .

(1.27)

Alice can cheat with probability of 1/2; for instance she sends ↑ to commit to ‘1’, and in order to change her commitment she later on claims that she has sent ←. Thus the protocol demands that she commit to the same bit n times, so the probability of successful cheating is reduced to 2−n . Both these protocols are insecure, since the parties can cheat using quantum memories as we explain below.

28

1.5

Quantum Memory

In this section we present the quantum memory5 : its definition, basic use, and its possible implementations.

1.5.1

Defining a Quantum Memory

A classical bit or a classical string of bits can be kept in a memory, where their value is preserved for a long time. The main physical feature required for keeping a bit is the huge redundancy used for the two possible bit values. When it comes to the quantum world things become less obvious, but still we can provide an appropriate definition: • A quantum memory is a device where a quantum state can be kept for a long time and be fetched when desired with excellent fidelity. Clearly, both “a long time” and “excellent fidelity” are determined by the desired task for which the state is kept. A quantum state develops in time according to some unitary operation, and is exposed to interactions with the environment. If redundancy is added in a simple way as in the classical case above, we might lose all the advantages of using quantum states. Thus, it is not easy to keep a quantum state unchanged for a long time. The same problem appears when we want to transmit a state over a long distance. However, with existing technology, one can talk about transmissions of quantum states (e.g., sending photons’ polarization states to a distance of more than 10 kilometers), while it does not make much sense to discuss memories where a state can be kept for 10−3 seconds (which is much shorter than a phone talk). Consider a quantum bit (a two level system) in a state ! α ; (1.28) ψ= β If it changes according to some unitary transformation to a state α1 ψ = β1 1

!

(1.29)

we may still be able to use it if we know the transformation, but if it decoheres due to interactions with other systems, in a way which we cannot reverse in time, the state is lost. As in the case of transmission over a long distance — one can choose some acceptable error rate Pe , and agree to work with the experimental system as long as the estimated error rate pe does not exceed Pe . To estimate the error rate, one first does all effort to re-obtain the desired state (e.g., take the unitary transformation into consideration), and then one compares the expected state ψ 1 with the obtained state ρ and defines the error rate as the percentage of failure. In theory, if we consider some irreversible change to the state (due 5

Parts of this section are original.

29

to environment, or an eavesdropper, or any other reason), and we can calculate the obtained state, the error rate is pe = 1 − hψ 1 |ρ|ψ 1 i .

(1.30)

The definition of a quantum memory contains more that just the ability to preserve a quantum state for a long time. Other necessary conditions are the input / output abilities: One must be able to produce a known quantum state; One must be able to input an unknown state into the memory; One must be able to measure the state in some well defined basis, or furthermore, to take it out of the memory (without measuring it) in order to perform any unitary transformation on it (alone, or together with other particles).

1.5.2

Basic Uses of a Quantum Memory

We shall describe here only simple uses known by the time we have started this work. The rest of this work concentrates on other uses of quantum memory, which are much more advanced. While doing this work more fascinating uses of quantum memory were suggested by others, and we will shortly review them in the relevant chapters (mainly in Chapter 6). • Doubling the efficiency of the four-state scheme for QKD: Bob keeps the particles in a memory, and measures them after Alice tells him the bases. • Improving the EPR scheme: instead of measuring the states of their particles, writing the results on a paper and hiding the paper, Alice and Bob keeps them in a quantum memory. This way they are assured that no one else had access to the paper, and therefore, no one else has the key. They perform a measurement only when they want to use the key [44]. • Teleporting [8] a state using singlet pairs prepared in advance. • Suggesting new schemes for quantum key distribution which relies upon the existence of short time quantum memory [16, 52].

• Cheating the naive 21 OT scheme presented in the previous section. Bob delays his measurements till after he receives the classical information regarding the basis used by Alice; In this case he gets full information.

To overcome this problem, the 21 OT protocol was modified [10] to contain a step where Bob commits to the measurement he performed, thus he cannot avoid performing the measurement. However, this “solution” creates a tremendous complication to the protocol, and even worse – it adds an undesired dependence on the existence of secure bit commitment scheme!

30

• Cheating the naive bit commitment scheme. Alice use photons taken from EPR singlet pairs, keeps one particle of a pair in a memory, and sends the other to Bob; she chooses the basis just right before she performs unveil(b); She may thus change her commitment as she wishes to [23]. A better (and much more sophisticated) bit commitment was later suggested [24], but most amazingly – it was recently broken by Mayers [78] due to similar (but deeply hidden) flaws! Mayers’ attack is based on a theorem regarding the classification of quantum ensembles [56]. In terms relevant to quantum cryptography this theorem states that two “different” quantum systems (in Bob’s hands) which are described by the same density matrix [e.g. as in eq. (1.27)] can always be created from one entangled state shared by Alice and Bob, by measurements performed at Alice’s site. Thus, Alice can postpone the decision of whether a state comes from the first or the second system, and change her commitment at the unveil stage. The consequence to bit commitment is that, either the two density matrices are different and Bob can partially learn the commitment, or they are similar and Alice can change her commitment. • Breaking the classical logical chain of achieving a secure protocol by using secure building blocks. Thus, any protocol which is based on secure building blocks must be also checked as a whole. As a result, the importance of the building blocks (such as OT and BC) is reduced. There is a very surprising consequence of breaking the logical chains: Due to the facts that (1) BC can be built upon OT and (2) secure BC probably does not exist [78] one could induce (by reduction) that secure OT cannot exist. However, secure OT might still exist, despite the fact that the BC protocol built upon it is insecure.

1.5.3

Implementations

By the time we began this work, the possibility of implementing a quantum memory was hardly considered. The following discussion is taken from our work [19], and was done with the help of David DiVincenzo. We demand the possibility to program, store and manipulate quantum bits. Any 2-dimensional Hilbert space system can be considered and this opens a variety of possible implementations. Fortunately, apart from a different timing requirement, the same requirements appeared recently in quantum computing, and are being thoroughly investigated by both theorists [36, 41, 2, 31], and experimentalists [33, 103, 82]. The difference in the timing requirements is that the quantum bits in most applications of a quantum memory are subjected only once (or very few times) to a unitary operation of calculation, while the quantum bits in quantum computation are subjected to a huge number of computations; On the other hands, the common tasks where quantum memory is used take long times. As a result, the problem of decoherence is different. For quantum 31

memories we don’t need to consider the switching time versus the decoherence time, but we must require a decoherence time on the time scales of minutes, days, and even years, depending on the applications. It may be possible to implement a working prototype of such a memory within a few years. Such a prototype should enable to keep quantum states for a few minutes (or even hours), and to perform two-bit operations on them. At the moment, the best candidates for combining these two operations are ion traps. In ion traps the quantum bits can be kept in internal degrees of freedom (say, spin) of the ions, and in phononic degrees of freedom of few ions together. It is already possible to keep quantum states in the spin of the ions for more than 10 minutes [22] and in principle it is possible to keep them for years. These ion traps are thus good candidates for implementing quantum memories. Moreover, they are also among the best candidates for quantum manipulations, since there are ways to use the phononic degrees of freedom to perform two-bit operations [31], such as the very important controlled-NOT gate. Barenco et al. [2] realized that a single quantum controlled-NOT logical gate would be sufficient to perform the Bell measurement, a measurement which appears in almost all applications of quantum memories. Thus, using ion traps it is possible to (partially) perform the Bell measurement, and this was shown both in theory [31] and in an experiment [82]. Combining together the two experiments6 to have both long lived quantum states and the possibility to manipulate them will create a useful quantum memory. The way to establish a real working quantum memory which suits for all purposes is still long. The main obstacle is that it is currently impossible to transfer a quantum state from one ion trap to another. A fully operating quantum memory must allow us to put quantum states in a register (that is, a separate ion trap), and pull it out to another register when we want to perform operations on it, together with other qubits (possibly held in other registers). Recently, the possibility of doing this arose from the idea of combining ion-traps (where the ions are well controlled) and QED-cavity together, and to use the same internal degrees of freedom for both [42, 85]. We shall call this combination cavitrap for convenience. In QED cavity [33] the internal degrees of freedom are coupled to photons and not to phonons. Recently, another group [103] has shown that it is possible to use polarization states of photons instead of using the |0i and |1i Fock states. If such photon states are used in a cavitrap, it may be possible to use them to transmit a quantum state from one cavitrap to another [42]. In some sense, this will be an implementation of the nuclear spins based “quantum gearbox” suggested by DiVincenzo [41]. All this discussion would be considered nothing but a fantasy just few years ago. However, similar (and more complicated) ideas are required for using quantum gates in both quantum computing and quantum information, and a lot of effort is invested in both the theory and application of quantum gates. Also, quantum memory is considered more and more seriously, for various purposes, 6

Which were done by the same group in NIST.

32

and the fantasy becomes closer to reality every year.

1.6

Quantum Computation

A classical computer can solve certain problems in a time which is polynomial with the size of the input. Such problems are called easy, and other problems, which are solved only in exponential time are called difficult. Public key cryptography uses one way functions with trapdoors, i.e., functions which are easy to compute while their inverses are difficult to compute unless some secret key is known. Easy problems are not useful for public key cryptography. An important class of problems (which are useful for public key cryptography) is those solvable in non-deterministic polynomial time, for which a given solution can be verified in polynomial time. It is well accepted that the most difficult problems in this class are difficult to solve, although this assumption is not proven. Unfortunately, the popular cryptosystems are not based upon this assumption alone, but on much less solid assumptions. For instance, on the assumption that factoring large numbers and computing discrete logarithms are difficult. More than 20 years ago Feynman raised an important question: Can quantum devices, based on quantum principles, simulate physics faster than classical computers? Deutsch [35] proposed a Turing-like model for quantum computation in 1985, called a quantum Turing machine. He constructed a universal quantum computer which can simulate any given quantum machine (but with a possible exponential slowdown). The quantum Turing machine is different from classical Turing machine in that, in addition to standard abilities, it can also get into superpositions of states. Bernstein and Vazirani [17] constructed an efficient universal quantum computer which can simulate a large class of quantum Turing machines with only polynomial slowdown. Yao [108] developed a complexity model of quantum circuits showing that any function computable in polynomial time by a quantum Turing machine has a polynomial size quantum circuit. Quantum circuits and networks were defined by Deutsch [36] on the basis of reversible classical logic [3]. Yao [108] also developed a theory of quantum complexity which may be useful to address the question whether quantum devices can perform computations faster than classical Boolean devices. There were early attempts of solving problems on quantum computers more efficiently than it is possible on classical computers [18, 37, 97], focusing on problems which are not known to be solved in polynomial time on a classical computer. These works were the groundwork for the recent breakthrough of Shor [94]. Shor succeeded to solve in polynomial time the problems of discrete logarithm and factorization on a quantum computer! As we previously said, these two problems are extremely important since most existing classical cryptosystems rely on the assumption that they are not easy (not polynomial). The interest in quantum cryptography also raised a lot due to the interest in this breakthrough. In addition, many experimentalists are now trying to make quantum gates in their labs, and many implementations for quantum 33

cryptography which looked as fantasy three years ago, are now very close to practice. The question of building practical quantum computers is not only a technological problem, since decoherence and other environmental interceptions could limit the computing abilities very much. However, it seems that quantum errorcorrection codes [95, 98] and their extension to fault-tolerant quantum error correction [96] can overcome the decoherence problem. This issue is still under thorough investigation. We discuss quantum error correction in Chapter 6 but we concentrate on its relevance to quantum memories and quantum cryptography.

1.7

Structure of the Thesis

Chapter 2 describes the security problem in details and our approach to it. Chapter 3 discusses the information on the parity bit in various cases, and proves that it reduces exponentially with the length of the string in the case relevant to eavesdropping analysis. Chapter 4 extends the analysis regarding the information on a parity bit to deal with error correction, and applies the analysis to show the security of quantum key distribution schemes against various attacks. Chapter 5 describes a new scheme for quantum key distribution which is based on the use of a quantum memory. This scheme is especially adequate for building networks of many users. Chapter 6 discusses quantum error correction, quantum privacy amplification and suggests a new quantum privacy amplification based upon quantum error correction. It also develops the surprising possibility of having “quantum repeaters”. Chapter 7 provides our conclusions in brief.

34

Chapter 2 On the Security of Quantum Key Distribution Against a ‘Quantum’ Eavesdropper The security of quantum key distribution in noisy channels and environment is still an open question1 despite the use of privacy amplification; no bound has yet been found on the amount of information obtained by an adversary equipped with any technology consistent with the rules of quantum mechanics (to be called a quantum eavesdropper). In particular, neither of the suggested schemes is proven secure against sophisticated joint attacks, which use quantum memories and quantum gates to attack directly the final key. Note that in order to make quantum key distribution a practical tool one must present a scheme which uses existing technology, and is proven secure against an adversary equipped with any technology. The main achievement of this thesis is to develop a new approach to attack this problem. In this chapter we explain the security problem in more details and we present our approach to it. We separate the complicated security problem into several simpler steps. We define a class of strong attacks which we call collective attacks, and we conjecture that the problem of security against any attack can be replaced by the simpler problem of security against collective attacks. In the next two chapters we discuss security against collective attacks, providing some important security results. Our approach tries to prove the efficiency of privacy amplification against a quantum eavesdropper, by analyzing the density matrices available to her, and bounding the information which can be extracted from them. The security of quantum cryptography is a very complicated and tricky problem. Several security claims done in the past were found later on to contain loopholes. Recently, in parallel to our work, two other attempts were made to solve the security issue [76, 38], based on different interesting approaches. The first one [76] considers the efficiency of privacy amplification as we do (but 1

But see Section 2.5.

35

without analyzing Eve’s density matrices); we discuss it in the last section of this chapter. The other one [38] assumes non realistic perfect devices2 with perfect accuracy, hence provides only a limited security proof. Furthermore, it suggests a quantum privacy amplification hence is not applicable with existing technology. We discuss it in Chapter 6, where we suggest another quantum privacy amplification scheme.

2.1

Privacy Amplification and Security Against Existing Technology

We have seen that, in a realistic protocol, Eve might gain some information on the raw data: she obtains some information on the transmitted data, as long as she induces less errors than permitted3 ; furthermore, she obtains also the error-correction data, since it is transmitted via a classical channel which is accessible to her. Thus, the key common to Alice and Bob is insecure at this stage. Actually, even in an error-free channels, and even when no errors are found at the error-estimation stage, the error correction is still required; for instance, Eve could eavesdrop only on two qubits hence be unnoticed with large probability. To overcome these problems, privacy amplification techniques [13, 9] were suggested. The simplest one uses the parity bit of the full string as the secret bit, so that the final key contains L = 1 bits. Such techniques are designed to reduce Eve’s information on the final key to be exponentially small with the length of the initial string. Currently, they are shown to work only against very restricted attacks. Eve can measure some of the particles and gain a lot of information on them, but this induces a lot of error. Hence, if she performs such an attack, she must restrict herself to attack only small portion of the particles, and thus, her information on the parity of many bits is reduced to zero. Let us explain this in more details: When Eve measures only a small portion of the particles, the probability that no other bit will be used for creating the final key is exponentially small. If, to avoid inducing too much noise, she measures less particles than used for the final string her information on the parity of this string is zero. Alternatively, she can measure all the particles. For instance, when she attacks the four-state scheme and measures all particles, each particle in one of the bases, she gains full information if she guessed the basis correctly for all bits which shall be used for the final key. However, the probability of success is exponentially small with the length of the final key. Furthermore, the probability that she induces less than the permitted error rate when she attacks all 2

This is not clear from [38]. The assumption appears on page 2819, col. 1, line 18, and it is never removed. 3 We assume that the permitted error rate is reasonably small, but not extremely small (say, around 1%).

36

particles is exponentially small as well. Analysis of such attacks were done, for instance, in [57] for the four-state scheme, and in [45] for the two-state scheme. Eve can do much better than measure some of the particles — she can obtain information on each bit without inducing too much noise. Of course, in this case, she must induce only a small amount of noise on each bit. Eve can achieve this task by performing an incomplete measurement: She lets another particle interact with the particle sent by Alice, and performs a measurement on that additional particle. Such translucent attacks were defined in [45]. They are done using quantum gates and the additional particle is called a probe. The analysis in [45] considered the mutual information available to the eavesdropper on a single transmitted particle, and did not deal with the processes of error correction and privacy amplification. Fortunately, it is rather clear [9] that privacy amplification will reduce Eve’s information exponentially to zero also in this case, hence, such an individual translucent attack is ineffective. Let us show in detail that privacy amplification can reduce Eve’s information on the final key (the parity bit of the string) to be exponentially small, when a particular translucent attack is used. Let us consider the “translucent attack without entanglement” of [45], which is applied onto the two-state scheme, and which leaves Eve with probes in a pure state. It uses a two-dimensional probe in 1 an initial state 0 , and transforms the states φ0 and φ1 (defined in Section 1.4 in the introduction) so that !

1 0

!

cos α cos θ −→ ± sin α ± sin θ

!

cos θ′ ± sin θ′

!

(2.1)

with ‘+’ for φ0 , and ‘−’ for φ1 . As a result, θ′ is the angle of the states received by Bob, and α is the angle of the states in Eve’s hand. Using the basis !

1 0

!

1 = 0

1 0 0 0

;

1 0

!

!

0 = 1

0 1 0 0

0 1

;

!

!

1 = 0

0 0 1 0

;

0 1

!

!

0 = 1

0 0 , 0 1 (2.2)

the transformation can be written as

cα cθ ′ cθ

0 0

sα sθ ′ cθ

0

0

cα sθ ′ sθ sα cθ ′ sθ

− sαscθθ′

0

cα sθ ′ sθ

0

− sαcsθθ′ 0 0 cα cθ ′ cθ

,

(2.3)

with cθ = cos θ etc. The error rate is defined as the probability of wrong identification; The sin θ ′ probability that Bob measured φ0 = − cos θ (which is identified as φ1 ) when Alice sent φ0 is pe = Tr

"

cθ ′ 2 cθ ′ sθ ′ cθ ′ s θ ′ sθ ′ 2

!

sθ 2 −cθ sθ −cθ sθ cθ 2 37

!#

= sin2 (θ − θ′ ) .

(2.4)

The connection between this induced error rate and the angle α is calculated using the unitarity condition [45] (preservation of the overlap) cos 2θ = cos 2θ′ cos 2α .

(2.5)

In order to analyze the effect of privacy amplification, suppose that Eve performs this translucent attack on all the bits (with identical transformation for each bit). As result, she gets n probes (for the n bits left from the raw data after error estimation), each in one of the two states ψ0 = scαα or ψ1 =

cα −sα

. Since she attacks all the bits, she must attack them weakly, so that pe and α are small. For weak attacks which cause small error rate we use the approximation 1/ cos 2α ≈ 1 + 2α2 + O(α4 ) in the unitarity condition, to get 2θ′ ≈ arccos(cos 2θ[1 + 2α2 + O(α4 )]) ≈ 2θ − 2α2 cot 2θ + O(α4 ). Thus, the error rate is pe = sin2 (θ − θ′ ) ≈ α4 cot2 2θ + O(α6 ). The angle of Eve’s probe satisfies α = (pe tan2 2θ)1/4 ,

(2.6)

and from this expression we shall obtain the information on the parity bit as a function of the error rate. It is important to note4 that α = O[(pe )1/4 ] since other attacks usually give α = O[(pe )1/2 ]. We have seen in the introduction (Section 1.2) that for these two possible pure states of each probe, ψ0 and ψ1 (called there, u and v), a standard measurement in an orthogonal basis symmetric to the two states optimizes the mutual information. The angle between one basis vector and these polarization state is π ± α. The measurement results in an error with probability 4 Qe =

1 − sin(2α) , 2

(2.7)

and with the same error probability for both inputs, thus, leading to a binary symmetric channel (BSC). The optimal information of such a channel is IBSC = I2 (Qe ), but we care only about the fact that the mean error probability is also optimized (minimized) by this measurement. We denote this error-probability by r ≡ Qe for convenience. Let us calculate Eve’s information on the parity bit by calculating the probability that she guesses it correctly. (Another approach could use the “collision entropy” on each bit [9] to find the optimal mutual information on the parity bit). The probability of deriving the wrong parity bit is equal to the probability of having an odd number of errors on the individual probes Q(n) e

=

n X

j=odd

!

n j r (1 − r)n−j . j

4

We shall see in Chapter 4 that Alice and Bob can use other states (in addition to the two states of the protocol) which are much more sensitive to this attack, so that α ≈ pe 1/2 for a slightly modified scheme. However, this shall become relevant only when we compare the quality of different possible attacks.

38

To perform the sum only over odd j’s we use the formulae n

(p + q) =

n X n n−j n n−j j n p (−q)j , p q and (p − q) = j j=0 j

n X

j=0

to derive

!

!

n X

j=odd

(p + q)n − (p − q)n n n−j j p q = . 2 j !

(2.8)

Assigning q = r and p = 1 − r we get Qe(n)

=

n X

j=odd

1n − (1 − 2r)n 1 (1 − 2r)n n j r (1 − r)n−j = = − , j 2 2 2 !

(2.9)

and finally

1 sinn (2α) − (2.10) 2 2 using 1 − 2r = sin 2α. The mutual information IS in this single-particle measurement is thus ! n sin (2α) 1 . (2.11) − IS = I2 (Q(n) e ) = I2 2 2 Q(n) e =

This is the optimal information obtained by a single particle measurement, performed on n particles each in either of the states ψ0 and ψ1 , and it was calculated by us in [15]. A lot of useless side-information is obtained by this measurement (e.g., on the individual bits). This fact indicates that Eve might be able to do much better by concentrating on deriving only useful information. This will be shown explicitly in Chapter 3. In case of small angle α, let us calculate the optimal information obtained by individual measurements. In that case, equation (2.10) yields Q(n) e ≈

1 (2α)n − . 2 2

(2.12)

For small η the logarithmic function is approximated by ln( 21 ± η) 1 2 2 2 log( ± η) = ≈ −1 ± η− η , 2 ln 2 ln 2 ln 2

(2.13)

from which the mutual information 1 1 1 1 1 1 I2 ( − η) = 1 − H( − η) = 1 + ( + η) log( + η) + ( − η) log( − η) 2 2 2 2 2 2 2 2 η (2.14) ≈ ln 2 is obtained. Using this result and assigning η = (2α)n /2, the information (to first order) obtained by the optimal single-particle measurement is IS =

2 (2α)2n (2α)2n = . ln 2 4 2 ln 2 39

(2.15)

We see that it is exponentially small with the length of the string n. This result is the maximal information Eve can obtain if she has n particles, each in either of the states ψ0 and ψ1 , and she uses single-particle attack. Using α = (pe tan2 2θ)1/4 we finally get the information as a function of the error rate (2.16) IS = O (16pe tan2 2θ)n/2 .

2.2

Can a ‘Quantum’ Eavesdropper Learn the Key?

Eve can do much more than an individual attack if she keeps the probes in a quantum memory! At a later time, she can attack the final key directly using both the classical information regarding the error correction and privacy amplification, and the quantum information contained in the quantum states of her probes. In such a case, she might be able to gain only useful information regarding the desired parity bits. Privacy amplification techniques were not designed to stand against such attacks, hence their efficiency against them is unknown. The most general attack allowed by the rules of quantum mechanics is the following: Eve lets all particles pass through a huge probe (a probe which lives in a very large Hilbert space) and performs transformations which create correlations between the state of the particles and the state of the probe. Eve waits till receiving all classical information (for instance: 1. the relevant bits; 2. the error-correction data; 3. the privacy amplification technique.) Eve measures the probe to obtain the optimal information on the final key using all classical data. Such an attack is called a coherent or a joint attack [5]. (We shall use the term joint attack in this thesis, and keep the term coherent measurement for describing measurements which are done in some entangled basis). Joint attacks are the most general attacks consistent with the rules of quantum mechanics. Doing several measurements in the middle can always be simulated by that system as well, by using measurement gates. The analysis of joint attacks is very complicated, and although security against them is commonly believed, it is yet unproven 5 . For instance, it could well be that Eve would obtain much more information on parity bits by measuring all bits together. If that information is not reduced sufficiently fast with the length of the string, the known quantum key distribution becomes insecure!

2.3

The Collective Attack

In this thesis we suggest a new approach to the security problem. It started as a practical question: if we cannot prove security against the most general 5

But see Section 2.5.

40

attack, what type of restricted security proofs can we achieve? It continued as a very promising direction for approaching the security problem. The results we present here strongly suggest that quantum key distribution is secure. We hope that the steps which still remain open will be soon solved as well. Consider the following attack which we call [20] the collective attack: 1. Eve attaches a separate, uncorrelated probe to each transmitted particle using a translucent attack. 2. Eve keeps the probes in a quantum memory till receiving all classical data including error-correction and privacy amplification data. 3. Eve performs the optimal measurement on her probes in order to learn the maximal information on the final key. The case in which Eve attaches one (large-Hilbert-space) probe to all transmitted particles is the joint attack. No specific joint attacks were yet suggested; the collective attack defined above is the strongest joint attack suggested so far, and there are good reasons to believe that it is the strongest possible joint attack. If this is indeed the case, then security against it establishes an ultimate security. In order to devise a proof of security against collective attacks we shall provide a solution for an example based on the “translucent attack without entanglement” of [45], which leaves Eve with probes in a pure state, and prove security against it. As before we assume that this translucent attack is performed on all the bits. After throwing inconclusive results, and after estimating the error rate, Alice and Bob are left with n bits. As a result, Eve holds an n-qubit state which corresponds to Alice’s string x. For simplicity, we choose the final key to consist of one bit, which is the parity of the n bits. Eve wants to distinguish between two density matrices corresponding to the two possible values of this parity bit. Our first aim is to calculate the optimal mutual information she can extract from them. A priori, all strings are equally probable and Eve needs to distinguish between the two density matrices describing the parities. In the next chapter we show that the optimal information is obtained by a coherent measurement and not by individual measurement. We calculate this information and we prove that it is exponentially small. Thus, we provide the first proof of efficiency of privacy amplification against coherent measurements. In real protocols an error correction must be done. Since Eve is being told what the error-correction code is, all strings consistent with the given error-correction code (the given r subparities) are equally probable, while other strings are excluded. Full analysis of this case is given in Chapter 4, leading to a proof that privacy amplification is still effective when the error-correction data is available to Eve. In Chapter 4 we also extend this result to various other collective attacks, strongly suggesting security against any collective attack.

41

2.4

Collective Attacks and the Ultimate Security

Our approach solves interesting problems regarding security against collective attacks, but the more puzzling question regarding our approach is whether it can also provide a route to the proof of the ultimate security. Unfortunately, the proof is not available yet, but we have intuitive arguments suggesting that it exists, based on a randomization argument. The randomization procedure is a very important step in any protocol for quantum key distribution. Bob chooses randomly the basis in which he performs his measurements (in either of the schemes). Alice and Bob choose randomly the qubits which shall be used and thrown away in the error-estimation step. Also, they randomize the bits before choosing any error-correction code, and they choose randomly which parity bits will form the final key. At the time Eve holds the transmitted particles she has no knowledge of the relevant qubits for each of these steps. A correct guess would surely help her, putting her in a position more similar to Bob’s. However, the probability of guessing each of these random steps (i.e., Bob’s basis, the bits left after error estimation, the error-correction code for a randomized string and the substrings used for privacy amplification) is exponentially small with the length of the string. Hence, the average information which result from such a guess is exponentially small. Thus, we conjecture that she cannot gain information by searching or by creating correlations between the transmitted particles; it is better for her to keep one separate probe for each particle, and to perform the measurements after obtaining the missing information as is done in the collective attacks. Any attempt of creating such coherent correlations at the first step of the attack induces errors, while it cannot lead to a noticeable increase in the resulting average information; Searching for exponentially many such correlations could help Eve, but it would also cause an appropriate induced error rate. Unfortunately, proving this intuitive argument is yet an open problem. A simplified approach to prove this can be based on providing Eve with most of the missing details by choosing in advance (and telling her) all relevant data (the bits used for error estimation, the error correction code, and the privacy amplification code) except for the basis used by Alice and Bob. Furthermore, we can also let her have all the particles together. Despite all this, as long as she does not know the basis used by Alice and Bob, she cannot know which bits will form the raw data, and the collective attack will probably be her best attack.

2.5

An Alternative Approach

As we were working on this research, Yao [109] and Mayers [76] suggested another approach to the security problem.

42

Yao [109] claims to prove security of OT (assuming secure BC) in case of error-free channel, and this proof applies to key distribution (even if secure BC does not exist) based on reduction from OT, suggested by Mayers [75]. This important result is certainly not surprising. It translates the “no clean imprint” theorem to a calculation, which takes error correction and privacy amplification into account: if Eve is not permitted to induce errors, she can gain only exponentially small information. The main achievement of this proof is that it does not limit Eve in any way, thus it is the first work which considers a quantum eavesdropper. It considers the quantum state Eve obtains versus the quantum state she sends further to Bob, and not the density matrices available to Eve. Since the state obtained by Bob must be very similar to the one sent by Alice, Eve gain only exponentially small amount of information. Going to real channels the situation is different, since Eve can certainly gain information on each transmitted particle. When Eve attacks in a way which induces constant (but permitted) error rate, the probability that she will be noticed does not approaches one in the limit of large strings, but remains zero. In this case, we believe that it does not suffice to consider the difference between Bob’s state and Alice’s state, since it shall not be negligible anymore. Instead, one have to investigate Eve’s density matrices as a function of that difference. Surprisingly, Mayers claims [76] that it is possible to extend Yao’s result to real channels, without analyzing Eve’s density matrices. We do not understand Mayers’ proof well enough and at the moment we believe that it cannot be correct. It is important to state that various security proofs claimed in the past were later on found to be wrong (e.g., to be based on a hidden assumption). Mayers’ result is not yet accepted by the general community, and furthermore, it was not published in a refereed journal. Till this claim is clarified, we must assume that the problem is still open. Even if Mayers’ proof will be found correct and complete in the future (or will lead to a complete proof), our approach might still be crucial: it is possible that their approach is limited to deal with extremely small error rates only, or that it requires much longer strings compared to our approach.

43

Chapter 3 The Parity Bit A major question in quantum information theory [65, 34, 54, 86, 69, 49] is “how well can two quantum states, or more generally, two density matrices ρ0 and ρ1 , be distinguished?” In terms of a communication scheme this question is translated to an identification task: A sender (Alice) sends a bit b = i (i = 0; 1) to the receiver (Bob) by sending the quantum state ρi , and the receiver does his best to identify the value of the bit, i.e., the quantum state. The two-dimensional Hilbert space H2 is usually used to implement such a binary channel. The transmitted signals can be polarization states of photons, spinstates of spin-half particles, etc. The transmitted states may be pure states or density matrices, and need not be orthogonal. Usually, the mutual information I is used to describe distinguishability, such that I = 0 means indistinguishable, and I = 1 (for a binary channel) means perfect distinguishability. The ensemble of signals is agreed on in advance, and the goal of Alice and Bob is to optimize the average mutual information over the different possible measurements at the receiving end. For example, two orthogonal pure states transmitted through an error-free channel are perfectly distinguishable; The optimal mutual information (I = 1) is obtained if Bob measures in an appropriate basis. Finding the optimal mutual information is still an open question for most ensembles. Some cases with known analytic solutions are the case of two pure states, the case of two density matrices in two dimensions with equal determinants [69, 49] and the case of commuting density matrices [24]. There are no known analytic solutions for two non-trivial density matrices in dimensions higher than two. In this chapter we find a solvable case which has very important implications to quantum cryptography. This part of the work was done together with Charles Bennett and John Smolin [15], and with the help of Asher Peres. Suppose that a source produces binary string x of length n with equal and independent probabilities for all the digits. Let the string be encoded into a quantum-mechanical channel, in which the bits ‘0’ and ‘1’ are represented by quantum states (density matrices) ρ0 and ρ1 of independent two-state quantum systems. These can be either pure states or density matrices with equal determinants. Suppose Bob wants to learn the parity bit (exclusive-OR) of the n-bit string and not the specific value of each bit. The parity bit is described by one 44

(n)

(n)

of two density matrices ρ0 and ρ1 which lie in a 2n -dimensional Hilbert space H2n . These parity density matrices ρp(n) are the average density matrices, where the average is taken over all strings the source might produce, which have the same parity p. Since the parity bit of the source string x is encoded by ρ(n) p , information about which of the two density matrices was prepared is information about the parity of x. Let x be any classical string of n such bits, and ρx = ρ(1st bit) . . . ρ(nth bit) be the density matrix made up of the tensor product of the signaling states ρ(i) corresponding to the ith bit of x. Formally, we distinguish between the two density matrices: (n)

ρ0 =

1 2n−1

X

ρx

and

x | p(x)=0

(n)

ρ1 =

1 2n−1

X

ρx ,

(3.1)

x | p(x)=1

where the sum is over all possible strings with the same parity [each sent with equal probability (1/2n )] and p(x) is the parity function of x. We show a simple way to write the parity density matrices. We find that they are optimally distinguished by a non-factorizable coherent measurement, performed on the composite 2n dimensional quantum system, and we calculate the optimal mutual information which can be obtained on the parity bit. We concentrate on the special case where the two signaling states have large overlap, which is important in the analysis of the security of quantum key distribution against powerful multi-particle eavesdropping attacks. We show that the optimal obtainable information decreases exponentially with the length n of the string. This result provides a clue that classical privacy amplification is effective against coherent measurements, limiting the ability of an eavesdropper to obtain only negligible information on the final key. The first sections deal only with the case where each bit is encoded by a pure state. In Section 3.1 we find a simple way to write the density matrices of the parity bit for any n when the signaling states are pure; We show that the parity matrices can be written in a block diagonal form and explain the importance of this fact. In Section 3.2 we investigate the distinguishability of the parity matrices; The optimal measurement that distinguishes them is found to be a standard (von Neumann) measurement in an entangled basis (a generalization of the Bell basis of two particles); We calculate exactly the optimal mutual information on the parity bit (derived by performing the optimal measurement). In Section 3.3 we obtain the main result of this chapter: for two almost fully overlapping states, the optimal mutual information IM decreases exponentially with the length of the string. While exponentially small, this optimal information is nevertheless considerably greater than the information that would have been obtained by measuring each bit separately and classically combining the results of these measurements. We are also able to calculate the maximal deterministic (conclusive) information on the parity matrices obtained in Section 3.1; This is done in Section 3.4 where we also confirm a result previously obtained by Huttner and Peres [59] for two bits. In Section 3.5 we repeat the calculation 45

of the optimal mutual information for the more general case where the bits are represented by non-pure states (in H2 and with equal determinants). In Section 3.6 we summarize the conclusions of this chapter. In the next chapter we study the implications of these results to the security of quantum cryptography.

3.1

Density Matrices for Parity Bits

Let Alice send n bits. The possible values of a single bit (0 or 1) are represented by ! ! cos α cos α (3.2) and ψ1 = ψ0 = − sin α sin α respectively. In terms of density matrices these are: (1) ρ0

=

c2 sc sc s2

!

and

(1) ρ1

=

c2 −sc −sc s2

!

,

(3.3)

where we use a shorter notation s ≡ sin α; c ≡ cos α, for convenience, and the superscript [](1) is explained in the following paragraph. The parity bit of an n-bit string is the exclusive-OR of all the bits in the string. In other words, the parity is 1 if there are an odd number of 1’s and 0 if there are an even number. The parity density matrices of n bits will be denoted (n) (n) as ρ0 and ρ1 in case the parity is ‘0’ and ‘1’ respectively. Using these density (n) (n) matrices we define also the total density matrix ρ(n) ≡ 12 (ρ0 + ρ1 ) and the (n) (n) difference density matrix ∆(n) ≡ 21 (ρ0 − ρ1 ), so that (n)

ρ0 = ρ(n) + ∆(n)

and

(n)

ρ1 = ρ(n) − ∆(n) .

(3.4)

The one-particle density matrices (equation 3.3) also describe the parities of one particle, and therefore we can calculate (1)

ρ

1 (1) (1) = (ρ0 + ρ1 ) = 2

c2 0 0 s2

! !

,

(3.5)

1 (1) 0 sc (1) . (3.6) ∆ = (ρ0 − ρ1 ) = sc 0 2 The density matrices of the parity bit of two particles are: 1 (1) (1) (2) (1) (1) ρ0 = (ρ0 ρ0 + ρ1 ρ1 ) 2 1 (1) (1) (1) (1) (2) (ρ0 ρ1 + ρ1 ρ0 ) (3.7) ρ1 = 2 where the multiplication is a tensor product. The total density matrix is 1 (2) (2) ρ(2) = (ρ + ρ1 ) 2 0 1 (1) (1) (1) (1) (1) (1) [ρ (ρ + ρ1 ) + ρ1 (ρ1 + ρ0 )] = 4 0 0 = ρ(1) ρ(1) , (1)

46

which, by using the basis

|b0 i ≡

|b2 i ≡

0 1

!

1 0

!

1

1 0

1

1 0

!

!

2

=

2

=

0 0 1 0

1 0 0 0

;

|b1 i ≡

and |b3 i ≡

!

1 0

0 1

1

0 1

!

1

!

2

!

0 1

=

2

0 1 0 0

=

0 0 0 1

;

(3.8)

in H4 , can be written as

ρ(2) = ρ(1) ρ(1) =

c4 0 0 0 2 2 0 cs 0 0 0 0 c2 s2 0 0 0 0 s4

.

(3.9)

The difference density matrix is 1 (2) (2) (ρ − ρ1 ) 2 0 1 (1) (1) (1) (1) (1) (1) = [ρ (ρ − ρ1 ) + ρ1 (ρ1 − ρ0 )] 4 0 0 0 0 0 c2 s2 0 2 2 0 c s 0 = ∆(1) ∆(1) = 0 c2 s2 0 0 2 2 cs 0 0 0

∆(2) =

.

(3.10)

The density matrices of the parity bit of n particles can be written recursively: 1 (1) (n−1) (n) (1) (n−1) ρ0 = (ρ0 ρ0 + ρ1 ρ1 ) 2 1 (1) (n−1) (1) (n−1) (n) + ρ1 ρ0 ), ρ1 = (ρ0 ρ1 2 leading to

1 (n) (n) ρ(n) = (ρ0 + ρ1 ) = ρ(1) ρ(n−1) , 2

(3.11)

(3.12)

and

1 (n) (n) ∆(n) = (ρ0 − ρ1 ) = ∆(1) ∆(n−1) . 2 Using these expressions recursively we get

(3.13)

ρ(n) = (ρ(1) )n

(3.14)

∆(n) = (∆(1) )n

(3.15)

which is diagonal, and

47

which has non-zero terms only in the secondary diagonal. The density matrices (n) (n) ρ0 and ρ1 are now immediately derived for any n using equation (3.4): (n)

ρ0 = (ρ(1) )n + (∆(1) )n and (n)

ρ1 = (ρ(1) )n − (∆(1) )n .

(3.16)

As an illustrative example we write ρ0 and ρ1 for two particles:

(2)

ρ0 =

c4 0 0 c2 s2 2 2 2 2 0 cs cs 0 0 c2 s2 c2 s2 0 c2 s2 0 0 s4

(2)

; ρ1 =

c4 0 0 −c2 s2 2 2 2 2 0 c s −c s 0 0 −c2 s2 c2 s2 0 −c2 s2 0 0 s4

(3.17) .

The only non-zero terms in the parity density matrices are the terms in the diagonals for any n, thus the parity density matrices have an X-shape in that basis. The basis vectors can be permuted to yield block-diagonal matrices built of 2 × 2 blocks. The original basis vectors [see, for example, equation (3.8)], |bi i, are simply 2n -vectors where the ith element of the ith basis vector is 1 and all other elements are 0 (i ranges from 0 to 2n − 1). The new basis vectors are related to the old as follows: |b′i i = |bi/2 i for even i and |b′i i = |b2n −(i+1)/2 i for odd i .

(3.18)

The parity density matrices are now, in the new basis (we omit the ′ from now on as we will never write the matrices in the original basis): ρ(n) p

Bp[j=1] 0 ... 0 0 Bp[j=2] . . . = 0 (n−1) ] 0 0 . . . Bp[j=2

(3.19)

where the subscript p stands for the parity (0 or 1). Each of the 2×2 matrices has the form ! c2(n−k) s2k ±cn sn [j] Bp = , (3.20) ±cn sn c2k s2(n−k)

with the plus sign for p = 0 and the minus sign for p = 1, and 0 ≤ k ≤ n, and all these density matrices satisfy Det Bp[j] = 0. The first block (j =1) has k = 0; there are n1 blocks which have k = 1 or k = n − 1; there are n2 j’s which have k = 2 or k = n − 2, etc. This continues until k = (n − 1)/2 for odd n. For even n the process continues up to k = n/2 with the minor adjustment that n j’s of k = n/2. This enumeration groups blocks which are there are only 12 n/2 identical or identical after interchange of k and n − k and accounts for all 2n /2 blocks. We will see later that blocks identical under interchange of k and n − k 48

will contribute the same mutual information about the parity bit, thus we have grouped them together. With the density matrices written in such a block-diagonal form of 2 × 2 blocks the problem of finding the optimal mutual information can be analytically solved. It separates into two parts: • Determining in which of 2n /2 orthogonal 2d subspaces (each corresponding to one of the 2 × 2 blocks) the system lies. • Performing the optimal measurement within that subspace. The subspaces may be thought of as 2n /2 parallel channels, one of which is probabilistically chosen and used to encode the parity by means of a choice between two equiprobable pure states within that subspace (these two states are pure because the B0 and B1 matrices each have zero determinant). We shall present in the next section the optimal measurement that yields the optimal mutual information transmissible through such a two-pure-state quantum channel. The channel then corresponds to a classical binary symmetric channel (BSC), i.e., a classical one-bit-in one-bit-out channel whose output differs from its input with some error probability pj independent of whether the input was 0 or 1. The optimal mutual information in each subchannel is the optimal mutual information of a BSC with error probability pj and is I2 (pj ) = 1 − H(pj ), with H(x) = −x log2 x − (1 − x) log2 (1 − x), the Shannon entropy function. The (n) (n) optimal mutual information IM for distinguishing ρ0 from ρ1 can thus be expressed as an average over the optimal mutual information of the subchannels: 2n /2

IM =

X

qj I2 (pj ),

(3.21)

j=1 [j]

[j]

where qj = Tr B0 = Tr B1 is the probability of choosing the j’th subchannel. The BSC error probability pj for the j’th subchannel depends on the subchanˆp[j] = Bp[j] /qj , and is easily calculated nel’s 2 × 2 renormalized density matrices B once the optimal measurement is found. For each subchannel the qj and renormalized 2 × 2 matrices look like qj = c2(n−k) s2k + c2k s2(n−k) and

ˆ [j] = B p

c2(n−k) s2k c2(n−k) s2k +c2k s2(n−k) ±cn sn c2(n−k) s2k +c2k s2(n−k) )

(3.22)

±cn sn c2(n−k) s2k +c2k s2(n−k) ) c2k s2(n−k) c2(n−k) s2k +c2k s2(n−k)

.

(3.23)

Since they correspond to pure states we can find an angle γ [j] for each block such that the density matrices are [j] cos2 γ [j] ± cos[j] γ sin γ ± cos γ [j] sin γ [j] sin2 γ [j]

49

!

.

(3.24)

In our previous example of n = 2 the matrices are put in a block diagonal form:

(2)

ρ0 =

c4 c2 s2 0 0 2 2 4 cs s 0 0 0 0 c2 s2 c2 s2 0 0 c2 s2 c2 s2

(2)

; ρ1 =

c4 −c2 s2 0 0 2 2 4 −c s s 0 0 0 0 c2 s2 −c2 s2 0 0 −c2 s2 c2 s2

(3.25) ,

so that qj=1 = c4 + s4 ; qj=2 = 2c2 s2 ; and ˆ [j=1] = B p

3.2

c4 c4 +s4 2 s2 ± cc4 +s 4

2 2

s ± cc4 +s 4 s4 c4 +s4

!

;

ˆ [j=2] = B p

1/2 ±1/2 ±1/2 1/2

!

.

(3.26)

Optimal Information in a Parity Bit

Two pure states or two density matrices in H2 with equal determinants can always be written (in an appropriate basis) in the simple form ρ0 =

a1 a2 a2 a3

!

;

ρ1 =

a1 −a2 −a2 a3

!

(3.27)

with ai real positive numbers such that Tr ρp = a1 +a3 = 1. For two pure states, say ! cγ 2 ±cγ sγ , (3.28) ±cγ sγ sγ 2

we already said that a standard measurement in an orthogonal basis symmetric to the two states optimizes the mutual information. The density matrices of pure states can be written as ρi = (1l + σ · ri )/2 with the σ being the Pauli matrices and r = (± sin 2γ, 0, cos 2γ) being a three dimensional vector which describes a spin direction. Using this notation any density matrix is described by a point in a three dimensional unit ball, called the Poincar´e sphere (also called the Bloch sphere). The pure states are points on the surface of that sphere and the above two pure states have x = ±2a2 = ± sin 2γ. With the density matrix notation the optimal basis for distinguishing the states is the x basis. Note that all angles are doubled in this spin notation, so that the angle between the two states is 4γ, and the angle between the basis vector and the state is π2 − 2γ. The measurement of the two projectors A→ = 1/2

1 1 1 1

!

and

A← = 1/2

yields

1 −1 −1 1

!

(3.29)

1 sin 2γ 1 − a2 = − , (3.30) 2 2 2 which recovers the result of equation (2.7) in case of pure states obtained in Chapter 2. However, the treatment of density matrices is more general and this Pe = Tr ρ1 A→ =

50

is the optimal measurement also in the case of deriving block-diagonal matrices for the parity of string of non-pure states with equal determinants [69, 49], when ρi of equation (3.3) are replaced by ρdm of equation (3.63) and (3.64) of Section i 3.5, and this case is also described by a BSC. The only difference between the matrices is that Det ρp = 0 for pure states and 0 ≤ Det ρp ≤ 14 for density matrices. Instead of measuring the density matrices in the x direction we perform the following unitary transformation on the density matrices √ U = 1/ 2

1 1 1 −1

!

(3.31)

to obtain ρ′ = UρU † which is then measured in the z basis. Note that the transformation transform the original z-basis to x-basis (the motivation for this approach will be understood when we discuss the 2 × 2 blocks of the parity matrices). The new density matrices are ′

ρ0 =

1 + a2 2 a1 −a3 2

a1 −a3 2 1 − a2 2

!

′

; ρ1 =

1 − a2 2 a1 −a3 2

a1 −a3 2 1 + a2 2

!

(3.32)

and their measurement yields the probability 21 ± a2 to derive the correct (plus) and the wrong (minus) answers (as we obtained before), leading to optimal mutual information of 1 I2 ( − a2 ) , (3.33) 2 which depends only on a2 . Note that the same information is obtained in case a1 and a3 are interchanged. Now, instead of considering the information as a function of γ we have it as a function of a2 , and we can apply it directly to the ˆp[j] of the previous section. blocks B Let us now consider the information one can obtain on the parity bit. The naive way to derive information on a parity bit of n particles [each in one of the α states ±cos ] is to derive the optimal information on each particle separately sin α and calculate the information on the parity bit. This individual (or singleparticle measurement) is the best Bob can do in case he has no quantum memory in which to keep the particles (which, usually arrive one at a time) or he has no ability to perform more advanced coherent measurements. The optimal error2α probability for each particle is Qe = 1−sin , and the probability of deriving the 2 (sin 2α)n 1 , wrong parity bit, derived in the previous chapter (eq. 2.10) is Q(n) e = 2− 2 and the mutual information in this case was found to be IS = I2

1 (sin 2α)n − 2 2

!

.

(3.34)

As we previously said, the derivation of useless side-information on the individual bits indicates that Bob might be able to do much better by concentrating on deriving only useful information. The optimal measurement for finding mutual information on the parity bit is not a single-particle measurement, but is 51

instead a measurement on the full 2n -dimensional Hilbert space of the system. In general, optimizing over all possible measurement is a very difficult task unless the two density matrices in H2n are pure states. However, in the preceding section we have shown how to reduce the problem to that of distinguishing the 2 × 2 blocks of our block-diagonal parity matrices. We now have only to apply ˆ [j]’s of equation (3.23) and the optimal single-particle measurement to the 2x2 B use the result in equation (3.21). ˆ [j]’s of equaThe error probability (equation 3.30) for distinguishing the B tion (3.23) is seen to be: 1 cn sn − 2(n−k) 2k , 2 c s + c2k s2(n−k)

pj =

(3.35)

from which the information I2 (pj ) in each channel is obtained. Plugging the error probability pj (equation 3.35) and the probability of choosing the j’th subchannel qj (equation 3.22) into (3.21), the optimal information on the parity bit is now: 2n /2

IM =

X

(c

2(n−k) 2k

s

2k 2(n−k)

+c s

) I2

j=1

cn sn 1 − 2(n−k) 2k 2 c s + c2k s2(n−k)

.

(3.36)

For various simple cases we can see the implications of this result, and furthermore, we can compare it to the best result obtained by individual measurements. In the simple case of orthogonal states (α = π4 ) all these density matrices are the same and we get qj =

n−1 1 2

, pj = 0 and IM = 1 as expected.

• A brief remark is in order at this stage. The transformation to the x ˆp(n,k) is actually a transformation from a basis for each 2 by 2 matrix, B product basis to a fully entangled basis of the n particles. That basis is a generalization of the Bell basis of [26]. !

1 0

1 0

1

!

1

1 0

!

1 0

!

1 ... 0 2

!

n−1

!

1 ... 0 2

n−1

1 0

!

0 1

0 ± 1 n

!

!

0 ± 1 n

1

!

1

!

0 1

0 ... 1 2

!

0 1

!

0 ... 1 2

n−1

!

n−1

0 1

!

1 0

;

(3.37)

n

!

(3.38) n

etc. The Bell basis for two particles is frequently used and its basis contains the EPR singlet state and the other three orthogonal fully entangled states. For large n, the number of blocks is exponentially large and performing the summation required in equation (3.36) is impractical, since all the 2n−1 matrices must be taken into account. However, that problem can be simplified by realizing that all blocks with a given k, as well as all blocks with k and n − k interchanged, contribute the same information to the total. This is easily seen 52

in equation (3.36) where both the weight and the argument of I2 are symmetric in k and n − k. The optimal mutual information for even n is then even IM

=

n −1 2

X

k=0

!

!

1 n n q n I2 (p n2 ) , qk I2 (pk ) + 2 n2 2 k

and for odd n

n−1

odd = IM

(3.39)

!

n qk I2 (pk ) . k

2 X

k=0

(3.40)

As an example we calculate IM for n = 2 (of course, the counting argument is not needed in that case). This particular result complements the result in [59] where the deterministic information of such a system is considered (see also Section 3.4). In the new basis (3.32) the density matrices of (equation 3.26) become ˆ0′ (k=0) = B

c2 s2 c4 +s4 1 c4 −s4 2 c4 +s4

1/2 +

1 c4 −s4 2 c4 +s4 2 s2 1/2 − cc4 +s 4

and ′

ˆ0(k=1) = B

1 0 0 0

!

!

;

;

ˆ1(k=1) = B

ˆ1′ (k=0) = B

′

c2 s2 c4 +s4 1 c4 −s4 2 c4 +s4

1/2 −

0 0 0 1

!

.

1 c4 −s4 2 c4 +s4 2 s2 1/2 + cc4 +s 4

(3.41)

We use the notation S = 2sc = sin 2α; C = c2 − s2 = cos 2α (hence, c4 − s4 = C 2 ) to obtain q1 = 2c2 s2 = S2 , p1 = 0, q0 = 21 (1 + C 2 ) and c4 + s4 = 1+C 2 C2 and p0 = 1+C 2 (the qj ’s were obtained in the previous section). The mutual information of the parity of two bits is obtained using equation (3.21) IM = q0 I2 (p0 ) + q1 I2 (p1 ) ! 2 1 S2 C = (1 + C 2 )I2 + . 2 1 + C2 2

3.3

(3.42)

Information on the Parity Bit of Almost Fully Overlapping States

The case of almost fully overlapping states is extremely important to the analysis of eavesdropping attacks on any quantum key distribution scheme. In this case 2 the angle α is small so s ≡ sin α ≃ α and c ≡ cos α ≃ 1 − α2 . To observe the advantage of the coherent measurement, let us first recall that the optimal n information obtained by individual measurements [with Q(n) ≈ 12 − (2α) ], e 2 calculated to first order for small α, is (see 2.15) IS ≈

(2α)2n . 2 ln 2

(3.43)

We use the same approximations used in Chapter 2, and equations (3.35) and (3.22) to calculate the leading terms in the optimal mutual information 53

!

n 2

(3.39) and (3.40). For k = angle) and

(n even) we get pk = 0 (regardless of the small I2 (p n2 ) = 1 .

For k < n2 we get pk ≈ with η = αn−2k ]

1 2

n

− ss2k ≈

1 2

(3.44)

− αn−2k which yields [using equation (2.14)

2 2n−4k α . ln 2 and qk = 2α2k for k = n2 , so that

I2 (pk ) ≈ The coefficient qk = α2k for k <

n 2

qk I2 (pk ) ≈ for k < n2 , and

2 2(n−k) α ln 2

qk I2 (pk ) ≈ 2αn

(3.45)

(3.46) (3.47)

for k = n2 . The dominant terms are those with the largest k, that is, k closest to n2 . The next terms are smaller by two orders in α. The number of density matrices with these k’s are also the largest (up to a factor of 2 in case of even n). Therefore, the terms k = n2 for even n and k = n−1 for odd n are the dominant 2 terms in the final expression. Thus, for almost fully overlapping states, the mutual information is !

!

n n 1 n n ≈ n 2α = n α 2 2 2

even IM

for even n, and odd IM

≈

n n−1 2

!

2 n+1 α ln 2

(3.48)

for odd n. These expressions can be further simplified. The number of density matrices of any type is bounded (for large n) using Stirling formula (see [73] in the chapter on Reed-Solomon codes) 2nH(k/n) n

(3.49)

and the standard approximation (2.14): For k near n2 , η ≡ 12 − nk is small, n n 1 2 2 2 H ≈ 1−O(η ) = 1−O ( 2 − k/n) < 1 is used to derive k < √ . 2π(k/n)(1−k/n)n

Using also k/n(1 − k/n) ≈

1 4

2

− η , we derive

2n n < q π (1 + O(η 2)) . k n 2 !

(3.50)

Thus the leading term in IM is

2n

π n IM < q π α = (2α) / 2 n 2 n

54

n

r

(3.51)

for even n and 2n IM < q π 2

π π 2 2 n+1 α = α(2α)n / n < (2α)n / n ln 2 2 2 n ln 2 r

r

(3.52)

for odd n (using α < ln 2/2). We see that we could keep a better bound for odd n but for simplicity we consider the same bound for both even and odd n’s. We can now compare the optimal information IM from a coherent measurement on all n particles to the optimal information IS from separate measurements (cf. eq. 3.43): √ IM = O(1) × (2α)n / n (3.53) IS = O(1) × (2α)2n . Since α is a small number (corresponding to highly overlapping signal states), the coherent measurement is superior to the individual measurement by an approximate factor of (2α)−n . However, it is only superior by a polynomial factor, since q IM ≈ IS . (3.54)

3.4

Deterministic Information on the Parity Bit

For a single particle Bob can perform a different kind of individual measurement which is not optimal in terms of average mutual information but is sometimes very useful [4, 86]. It yields either a conclusive result about the value of that bit or an inconclusive one, and Bob will know which of the types of information he has succeeded in obtaining. Such a measurement corresponds to a binary erasure channel [86, 59, 45]. With probability p? of an inconclusive result, the mutual information is Ip? = 1 − p? . The minimal probability for an inconclusive result is cos 2α leading to Ip? = 1 − cos 2α [86]. This result is obtained by performing a generalized measurement (Positive Operator Value Measure [86, 54, 61]) on the system or a standard measurement performed on a larger system which contains the system and an auxiliary particle [86, 60]. Note that this results in less mutual information than the optimal measurement for one-particle mutual information. If Bob uses this type of measurement on each particle separately his deterministic single-particle information about the parity bit is (1−cos 2α)n . We now use the block-diagonal density matrices derived in Section 3.1 to derive also the optimal deterministic information on the parity bit. We note that each of the 2 × 2 blocks in the block-diagonal density matrices is the density matrix of a pure state, so we may replace the optimal measurement in each subchannel with the optimal deterministic measurement and proceed as before. The total optimal deterministic information is easily calculated by replacing I2 (pk ) in (3.39) and (3.40) by I(p?k ) = 1 − p?k . To find the minimal ˆp(n,k) corresponds to P?k we recall that each of the normalized density matrices B pure states (3.24) with some angle γ. Comparing with equation (3.23) we can

55

write the overlap as the difference between the diagonal terms of the density matrices c2(n−k) s2k − c2k s2(n−k) , (3.55) p? = cos(2γ) = cos2 γ − sin2 γ = 2(n−k) 2k c s + c2k s2(n−k) hence c2(n−k) s2k − c2k s2(n−k) . (3.56) I(p?k ) = 1 − 2(n−k) 2k c s + c2k s2(n−k) The total information is even ID

=

n −1 2

X

k=0

for even n, and

!

!

1 n n qk I(p?k ) + q n I(p?n/2 ) , k 2 n2 2 n−1

odd ID

=

2 X

k=0

!

n qk I(p?k ) k

(3.57)

(3.58)

for odd n. For n = 2 we recover a result previously obtained by Huttner and Peres [59] by performing the optimal POVM on the first pair of density matrices of equation (3.26), and a measurement in the entangled basis (as before) on the 4 −s4 second. The probability of an inconclusive result is cos2 γ − sin2 γ = cc4 +s 4 = 2C 2C , hence the optimal deterministic information is 1 − 1+C 2 , leading to the 1+C 2 total deterministic information C S2 1 ) + = 1 − C , (3.59) ID = q1 ID (p? ) + q2 I2 (p2 ) = (1 + C 2 )(1 − 2 2 1 + C2 2 which is exactly the result obtained by Huttner and Peres (note, however, that they used an angle which is π4 − α hence derived 1 − S for the deterministic information). For almost overlapping states (small α) the dominant terms are still the same as in the case of optimal information. The term qk is as before and the information in each port is I(p?k ) = 1 (3.60) for k =

n 2

and

c2n−4k − s2n−4k = 1 − (1 − α2n−4k )2 = 2α2n−4k c2n−4k + s2n−4k for k < n2 . Taking into consideration only the dominant term we get I(p?k ) = 1 −

even ID

≈

n n 2

!

(3.61)

αn

for even n which is the same as the optimal information, and odd ID

≈

n n−1 2

!

2αn+1

(3.62)

for odd n which is smaller than the optimal mutual information by a factor of 1 . ln 2 56

3.5

Parity Bit for Density Matrices of Mixed States

The previous discussion assumed that ρ(1) p are pure states. The generalization to the case of density matrices with equal determinants is straightforward. Let the bit ‘0’ and the bit ‘1’ be represented by ρdm 0 and ρdm 1

=

=

c2 sc − r sc − r s2

!

,

c2 −(sc − r) −(sc − r) s2

(3.63)

!

,

(3.64)

(with s = sin α etc., and r < sc) which contains the most general density matrices of the desired type. On the Poincar´e sphere these density matrices have the same z components as the previously written pure states but smaller x components (hence smaller angle α′ ). We could choose other ways of representing these density matrices, e.g., with identical x components and smaller z components. Such representations are appropriate for comparison with pure states (since they yield the same mutual information for a single particle) but are less convenient for showing that the previous result is easily generalized. Clearly ! 1 (1) c2 0 (1) (1)dm ρ = (ρ0 + ρ1 ) = , (3.65) 0 s2 2 (1)dm

∆

1 (1) (1) = (ρ0 − ρ1 ) = 2

0 sc − r sc − r 0

!

,

(3.66)

The total density matrix doesn’t change and the difference density matrix has terms (sc − r)n instead of (sc)n . Reorganizing the basis vectors we again get the block diagonal matrices where each of the 2 by 2 matrices has the form Bp(n,k) =

c2(n−k) s2k ±(cs − r)n ±(cs − r)n c2k s2(n−k)

!

.

(3.67)

When normalized, these density matrices have the form of equation (3.27) and are optimally distinguished by measuring them in the x direction. Transforming to the x basis as before we get the same qk = c2(n−k) s2k + c2k s2(n−k) as before, and

(3.68)

(cs − r)n 1 − 2(n−k) 2k . (3.69) 2 c s + c2k s2(n−k) The total information can now be calculated as before by assigning these pk and qk into equations (3.40) and (3.39). Thus, the case of mixed states is also pk =

57

analytically solved for any number of bits, and the influence of mixing on the optimal mutual information is through the pk ’s. Calculating the optimal information for small α and any r is possible but complicated. A much simpler alternative is to find a bound on the optimal information using pure states with the same angle, α′ , on the Poincar´e sphere, using sin 2α − 2r , (3.70) tan 2α′ = cos 2α or using an alternative form for the mixed states (3.63) and (3.64).

3.6

The Connection to Quantum Cryptography

In this chapter we solved a problem in quantum information: suppose Bob is given n particles, each in one of two possible states (either pure or mixed in 2-d with equal determinants). How much mutual information can he extract on the parity bit and what is the optimal measurement? The density matrices describing the parity bit are very complicated and have 2n dimensions. Thus, it is very surprising that the optimal information can be calculated, since previous results consider much simpler case (e.g. density matrices in 2-d). This result is important to the analysis of privacy amplification, and has crucial impact on quantum cryptography. Previously, it was known that privacy amplification is effective when particles are not measured together, but its effectiveness against coherent measurements was in question. Our result provides the optimal measurement which can be done to find a parity bit. In particular cases, when almost fully overlapping states are used, we proved two complementary results regarding that optimal measurement: • The optimal information IM obtained by allowing all possible measurements is much larger than the one (IS ) obtained by measuring each bit separately. • The optimal information IM is still exponentially small with the length of the string. This is an effectiveness result: classical privacy amplification techniques are effective against any quantum measurement. Our “effectiveness result” leads to the derivation of strong security results against sophisticated attacks directed against the final key. However, such analysis is much more complicated since it involves the key distribution protocol in real channels, and because Eve is exposed to classical information in addition to the quantum information. This is the subject of the next chapter.

58

Chapter 4 Security Against Collective Attacks The discussion of the previous chapter treats an imaginary scenario which is very general but is not general enough to deal with the common situation in quantum cryptographic protocols. Still, it provides some basic tools required for such an analysis. The basic differences from the situation previously described are: • Eve probes states transmitted from Alice to Bob rather than fed by Alice; Thus, she has some freedom in choosing the states she obtains. • In addition to the quantum information (the possible states of the probes) Eve obtains classical data; The state of Eve’s probes is informationdependent, and this fact must be taken into account in calculating the optimal information, and also in the optimization process. These differences create a more complicated situation where the final measurement must be optimized, not by itself, but together with the probing process. As far as quantum cryptography is concerned, this chapter provides strong evidences that quantum key distribution is secure. As far as physics is concerned, this chapter contains interesting examples for information-dependent quantum states. Another achievement is the development of new type of bounds on the information which can be extracted from quantum states. To emphasize the importance of the “effectiveness result” obtained in the previous chapter let us consider the scenario which is common in quantum key distribution schemes: Alice and Bob (the legitimate users) try to establish a secret key. They use any binary scheme and Alice sends L′ particles (see Section 1.4) through a noisy channel to Bob. An adversary, Eve, is trying to learn information on their key. She gets the particles one at a time, interacts with each one of them weakly (on average), and sends it forward to Bob. She must interact weakly with each particle if she wants to induce only small error rate (or alternatively, she could attack strongly only a few of the particles, but privacy amplification is already proven effective against such type of attack [9]). 59

Although the specification of the privacy amplification technique is announced after the transmission is over, Eve can keep a quantum state of a system which has interacted with all the transmitted particles, and use it after all the specification is announced. Security against such joint attacks in error-free channels is shown in [109]. Our main goal is to obtain a concrete bound on Eve’s information for a given error rate, and show that it reduces to zero, if large strings are used. Typically, one would like to consider the case where Alice and Bob use existing technologies, while Eve is restricted only by the laws of physics. In the first sections we concentrate on symmetric collective attacks in which the same translucent attack is applied to each transmitted particle, and the attack is symmetric to any of the possible quantum states of each particle. Such an attack induces the same probability of error to each transmitted bit. It must be weak, or else it would induce a non acceptable error rate. Thus, the possible states of Eve’s probe cannot differ much. In Section 4.1 we design a specific case in quantum key distribution where each of Eve’s probes is in one of two pure states (with small angle between them), so the efficiency result of the previous chapter can be applied. We also incorporate error correction as is done in any realistic protocol and thus the analysis becomes more complicated. This part was done together with Eli Biham and Dominic Mayers and with the help of Gilles Brassard and John Smolin. It was published with Eli Biham in [20]. Sections 4.2, 4.3 were done with Eli Biham [21]. In Section 4.2 we present new bounds on the information which can be extracted from mixed states in case the result regarding pure states is known. In Section 4.3 we combine the results of the previous sections and the fact that density matrices in Eve’s hands are information-dependent and we calculate Eve’s optimal information for various symmetric collective attacks. We show how to prove security against any symmetric collective attack which uses 2-dimensional probes. In Sections 4.4 and 4.5 we discuss the relevance of the previous result to non-symmetric collective attacks and to the optimal collective attack.

4.1

The Simplest Case – Eve’s Probes are in One Out Of Two Possible Pure States

In this section we consider the two-state scheme and devise a specific attack against it. In the two-state [4] scheme the classical bits ‘0’ or ‘1’ are represented by two non-orthogonal pure states, which can be written as cos θ ψ0 = sin θ

!

cos θ and ψ1 = − sin θ

!

(4.1)

respectively. Alice sends L′ such qubits. Bob performs a test which provides him with a conclusive or inconclusive result. For instance, he can test whether θ ′ a specific particle is in a state ψ0 or a state orthogonal to it ψ0 = −sin ;A cos θ 60

result ψ0 is treated as inconclusive (since it could also be ψ1 sent by Alice), and a result ψ0 ′ is identified as ψ1 . Alternatively, he could test if a particle is sin θ in a state ψ1 or a state orthogonal to it ψ1 ′ = cos , and identify a result ψ1′ θ conclusively as ψ0 . Bob informs Alice which bits were identified conclusively, using the unjammable classical channel, and these bits are the raw data. Later on, they check the error rate on the raw data, and if it is reasonable, they use the remaining n bits to obtain a (hopefully secure) final key. The errors are corrected using any error-correction protocol. Finally, the parity of the full nbit string is used as their final one-bit key (Of course, for practical purposes our approach must be generalized to yield a longer final string). Our first example of a collective attack is based on the “translucent attack without entanglement” of [45], which leaves Eve with probes in a pure state. The translucent attack without entanglement uses the unitary transformation cos θ′ cos θ −→ ± sin θ′ ± sin θ !

!

cos α ± sin α

!

(4.2)

where θ′ is the angle of the states received by Bob, and α is the angle of the states in Eve’s hand. The error rate is the probability of wrong identification and it is pe = sin2 (θ − θ′ ). Using the unitarity condition cos 2θ = cos 2θ′ cos 2α we get for weak attacks that α = (pe tan2 2θ)1/4 .

(4.3)

This translucent attack is performed on all the bits, and it leaves Eve with n c relevant probes, each in one of the two states ±s , with c = cos α and s = sin α. As a result, Eve holds an n-bit string x which is concatenated from its bits (x)1 (x)2 . . . (x)n . For simplicity, we choose the final key to consist of one bit, which is the parity of the n bits. Eve wants to distinguish between two density matrices corresponding to the two possible values of this parity bit. Our goal is to calculate the optimal mutual information she can extract from them. For our analysis we need some more notations. Let n ˆ (x) be the number of 1’s in x, and p(x) be the parity of x. For two strings of equal length x ⊙ y is the bitwise “AND”, so that the bit (x ⊙ y)i is one if both (x)i and (y)i are one, and zero otherwise. Also x ⊕ y is the bitwise “XOR”, so that (x ⊕ y)i is zero if (x)i and (y)i are the same, and one otherwise. For k (independent) strings, v1 , . . . , vk , of equal length let the set {v}k contain all the 2k linear combinations of v1 , . . . , vk (including the string v0 = 00 . . . 0): (v0 ), (v1 ), . . . , (vk ), (v1 ⊕ v2 ), (v1 ⊕ v3 ), . . . , (vk−1 ⊕ vk ), (v1 ⊕ v2 ⊕ v3 ), . . . (v1 ⊕ v2 . . . ⊕ vk ). Since the (original) k strings are linearly independent these 2k strings are all different. The quantum state of a string is the tensor product

ψx =

c ±s

!

!

!

c c = ... ±s ±s

61

ccc . . . ccc ±ccc . . . ccs ... ±sss . . . sss

,

(4.4)

living in a 2n dimensional Hilbert space. The sign of the i’th bit (in the middle expression) is plus for (x)i = 0 and minus for (x)i = 1. The sign of the j’th term (j = 0 . . . 2n−1 ) in the expression at the right depends on the parity of the string x ⊙ j and is equal to (−1)p(x⊙j). The density matrix ρx = ψx ψxT also has for any x, the same terms up to the signs. We denote the absolute values by ρjk ≡ |(ρx )jk |. The sign of each term (ρx )jk is given by (−1)p(x⊙j)(−1)p(x⊙k) = (−1)p[x⊙(j⊕k)] .

(4.5)

A priori, all strings are equally probable and Eve needs to distinguish between the two density matrices describing the parities. These matrices were calculated and analyzed in Chapter 3 (henceforth, the BMS work [15]). If Eve cannot obtain the error-correction code her optimal information on the parity bit is given by (3.39) and (3.40). To leading order in α it is given by (3.48) and it is ! 2k 2k even α (4.6) IM = k for n = 2k, and odd IM

!

!

2k 1 2k 2k − 1 2 2k α = α = k ln 2 k − 1 ln 2

for n = 2k − 1. Thus,

(4.7)

!

2k 2k α I(n) = c k

(4.8)

with c = 1 for n = 2k and c = 1/ ln 2 for n = 2k − 1. In case Eve is being told what the error-correction code is, all strings consistent with the given error-correction code (the r sub-parities) are equally probable, and Eve need to distinguish between the two density matrices: (n,r)

ρ0

=

1

(n,r)

X

ρx ; ρ1 2n−r−1 p(x)=0 x | (x OECC)

=

1 2n−r−1

x|(

X

ρx )

(4.9)

p(x)=1 x OECC

where OECC is a shortcut for Obeys Error-Correction Code. Let us look at two simple examples where n = 5: one with r = 1 and the other with r = 2. Suppose that the parity of the first two bits, (x)1 and (x)2 , is p1 = 0. Formally, this substring is described by the n-bit string v1 = 24 which is 11000 binary; The number of 1’s in the first two bits of a string x is given by n ˆ (x ⊙ v1 ), and x obeys the error-correction code if p(x ⊙ v1 ) = p1 . Let vd be the binary string (11111 in this case) which describes the substring of the desired parity. Eve could perform the optimal attack on the three bits which are left, or in general, on v1 ⊕ vd . For any such case, the optimal attack is given by the BMS work and the optimal information depends only on n ˆ (v1 ⊕ vd ), the Hamming distance between the two words. This information [using eq. (4.8)] is !

2k 2k α I(ˆ n) = c k 62

(4.10)

with c = 1 for even n ˆ (which equals to 2k) and c = 1/ ln 2 for odd n ˆ (which equals n ˆ = 2k − 1). Suppose that Eve gets another parity bit p2 = 1 of the binary string 01100 (v2 = 12). Now, a string x obeys the error-correction code if it also obeys p(x ⊙ v2 ) = p2 . Clearly, it also satisfies p[x ⊙ (v1 ⊕ v2 )] = p1 ⊕ p2 . In the general case there are r independent parity strings, and 2r parity strings in the set {v}r . The BMS result cannot be directly used, but it still provides some intuition: For each word (i.e., each parity string) vl ∈ {v}r , let I(ˆ n(vl ⊕vd )) be the optimal information Eve could obtain using (4.10). Also let Isum be the sum of these contributions from all such words. In reality Eve cannot obtain Isum since each measurement changes the state of the measured bits, hence we expect that Isum bounds her optimal information Itotal : Conjecture Itotal < Isum .

(4.11)

On the other hand, Eve knows all these words at once, and could take advantage of it, thus we leave this as an unproven conjecture. In the following we find an explicit way to calculate the optimal information exactly. However, this exact result requires cumbersome calculations, thus it is used only to verify the conjecture for short strings. The parity of the full string is also known since the density matrix ρ(n,r+1) (n,r) (n,r) corresponds to either ρ0 or ρ1 depending on the desired parity pr+1 , thus we add the string vr+1 = vd . There are r+1 independent sub-parities altogether, hence 2r+1 parity strings in the set {v}r+1 . A string x is included in ρ(n,r+1) if p[x ⊙ vl ] = pl

(4.12)

for all given substring in {v}r+1 In the BMS work (where r = 0) the parity density matrices were put in a block diagonal form of 2n−1 blocks of size 2 × 2. This result can be generalized to the case where r parities of substrings are given. There will be 2n−r−1 blocks of size 2r+1 × 2r+1 . We shall show that the (jk)’th term in a density matrix ρ(n,r+1) of r +1 sub-parities is either zero, ρjk or −ρjk , that is, either all the relevant strings contribute exactly the same term, or half of them cancels the other half. The proof can be skipped in a first reading. Theorem The element (ρ(n,r+1) )jk is zero if j ⊕ k 6∈ {v}r+1 , and it is ±ρjk if j ⊕ k ∈ {v}r+1. Proof In case j ⊕ k 6∈ {v}r+1

(4.13)

p[C ⊙ vl ] = 0

(4.14)

choose C such that

63

with all (vl )’s in {v}r+1 and p[C ⊙ (j ⊕ k)] = 1

(4.15)

(many such C’s exists since C has n independent bits and it needs to fulfill only r + 2 constraints). For such a C and for any x which obeys the error-correction code there exist one (and only one) y, y = x ⊕ C, which also obeys the code (due to the first demand) but has the opposite sign in the jk’th element (due to the second demand), so (ρy )jk = −(ρx )jk (due to eq. 4.5). Since this is true for any relevant x, we obtain (ρ(n,r+1) )jk = 0 .

(4.16)

j ⊕ k ∈ {v}r+1

(4.17)

In case such C cannot exists, and all terms must have the same sign: Suppose that there are two terms, x and y with opposite signs. Then C = x ⊕ y satisfies the two demands, leading to a contradiction. QED This theorem tells us the place of all non-vanishing terms in the original ordering. The matrices can be reordered to a block-diagonal form by exchanges of the basis vectors. We group the vectors s, s ⊕ v1 , etc., for all (vl )’s in {v}r+1 to be one after the other, so each such group is separated from the other groups. Now the theorem implies that all non-vanishing terms are grouped in blocks, and all vanishing terms are outside these blocks. As a result, the matrix is block-diagonal. This forms 2n−r−1 blocks of size 2r+1 × 2r+1. All terms inside the blocks and their signs are given by eq. (4.4) and (4.5) respectively up to reordering. The organization of the blocks depends only on the parity strings (n,r) (n,r) vl and not on the parities pl , thus, ρ0 and ρ1 are block diagonalized in the same basis. The rank of a density matrix is the number of (independent) pure states which form it, and it is 2n−r−1 in case of the parity matrices [eq. (4.9)]. When these matrices are put in a block diagonal form, there are 2n−r−1 (all non-zero) blocks. Thus, the rank of each block is one and the corresponding state is pure. When a block is fully diagonalized to yield

B [j] =

aj 0 0 ... 0

0 0 ... 0 0 0 ... 0 0 0 ... 0 , 0 0 ... 0

(4.18)

the non-vanishing term aj in the j’th block is the probability that a measurement will result in this block. In the BMS work (r = 0), the information, in case of small angle, was found to be exponentially small with the length of the string. When each probe is in 64

a pure state, this result can be generalized to r > 0 as follows: The optimal mutual information carried by two pure states (in any dimension) is well known. (n,r) (n,r) The two possible pure states in the j’th block of ρ0 and ρ1 can be written cos β as ± sin β . The optimal mutual information which can be obtained from the j’th block is given by the overlap (the angle βj ) Ij = 1 + pj log pj + (1 − pj )log(1 − pj ) ,

(4.19)

where

1 − sin 2βj ; (4.20) 2 The overlap is calculated using eq. (4.4) and (4.5). Thus, for any given errorcorrection code, we can find the two pure states in each block, the optimal information Ij , and finally, the total information pj =

Itotal =

X

aj Ij .

(4.21)

j

We did not use the value of vd in the proof, and thus, the final key could be the parity of any substring. Moreover, we intend to develop similar methods to analyze keys of several bits which can be formed from parities of several substrings. We wrote a computer program which receives any (short) error-correction code and calculates the total information as a function of the angle α between the pure states of the individual probes. We checked many short codes (up to n = 8) to verify whether Itotal < Isum as we conjectured. Indeed, all our checks showed that the conjecture holds. The information for small angle α is bounded by Isum = Cα2k (4.22) as previously explained, where C is given by summing the terms which contribute to the highest order of eq. (4.10), and the Hamming distance n ˆ (which is 2k or 2k −1), can be increased by choosing longer codes to provide any desired level of security. In addition to a desirable security level, the error-correction code must provide also a desirable reliability; A complete analysis must include also estimation of the probability pf that Alice and Bob still has wrong (i.e. different) final key. For enabling such analysis, one must use known error-correction codes. Random Linear Codes allow such analysis but cannot be used efficiently by Alice and Bob. Hamming codes [73], Hr which use r given parities for correcting one error in strings of length n = 2r − 1, have an efficient decoding/encoding procedure and a simple way to calculate pf . A Hamming code has 2r words in {v}r , all of them, except 00 . . . 0, are at the same distance n ˆ = 2r−1 − 1 from vd . Using our conjecture and eq. (4.10) (with k = nˆ +1 = 2r−2 ) we obtain 2 Itotal

1 2r−1 (2r−1 ) (2r −1) . α + O α < (2 − 1) ln 2 2r−2 r

!

65

(4.23)

For r = 3 (n = 7) the conjecture yields Itotal < 60.6α4 , where the 23 −1 words (0111001; 1101010; 1110100 and their linear combinations 1010011; 1001101; 0011110; 0100111) are at a distance n ˆ = 3 from vd = 1111111, and 0000000 at a distance n ˆ = 7. This Hamming code was presented in Section 1.4. For the exact calculation we use vd so there are 4 independent parity strings: 0111001; 1101010; 1110100; 1111111. As a result, there are 24 resulting strings where 0001011; 0010101; 0101100; 0110010; 1000110; 1011000; 1100001; 1111111 are added to the above. Averaging over all the density matrices which are consistent with such given parity strings, and organizing the matrices in a block diagonal form, we calculated (using the computer program) the pure states in each block and the resulting information obtained by the optimal measurement. The exact calculation also gives the same result as above, showing that the conjecture provides an extremely tight bound in this case. Using ! r−1 2(2 ) 2r−1 q < (4.24) 2r−2 ( π 2r−1 ) 2

and some calculation we finally obtain

Itotal <

2 ln 2

q π 2

√

r−1 )

2r−1 (2α)(2

,

(4.25)

bounding Itotal to be exponentially small with n [which follows from 2r−1 = (n + 1)/2]: Itotal < C(n)(2α)(n+1)/2 , (4.26) √ with C(n) = n + 1 ln 22√π . As a function of the error rate the information is Itotal < C(n)(16pe tan2 2θ)(n+1)/8 .

(4.27)

The rate of errors in the string shared by Alice and Bob (after throwing (N) inconclusive results) is the normalized error rate, pe = pe /(pc + pe ), where pc = sin(θ + θ′ ) is the probability of obtaining a correct and conclusive result. (N) cos2 2θ 4 For small α it is pe = sin2p2 e2θ = 2sin 4 2θ α . The final error probability pf is bounded by the probability to have more than one error in the initial string, (N) (N) (pe )2 + O[(npe )3 ], showing since the code corrects one error. It is pf = n(n−1) 2 (N) that we can use the Hamming codes as long as npe << 1. In case it is not, better codes such as the BCH codes [73] (which correct more than one error) are required, but their analysis is beyond the scope of this work. Extracting more than one final bit is also possible, but is also beyond the scope of this work.

4.2

Bounds on Information

In terms of quantum information theory the result of eq. (4.26) (henceforth, the BM result) extends the BMS result to the case where parities of substrings are 66

given (error-correction code). For purposes of quantum key distribution, the BM result provides the first security proof (assuming the verified conjecture 4.11) against a strong attack. However, it is restricted to attacks in which Eve’s probes are in a pure state. Unfortunately, most possible translucent attacks on the two-state scheme [4], which can be used in the first step of the collective attack, leave each of Eve’s probes in a mixed state. Also, any translucent attack on the four-state scheme [6] leaves each probe in a mixed state (at least for two out of the four possible states). The goal of this section is to apply the BM result to the case of mixed states. We demonstrate that any type of information which can be extracted from certain two-dimensional mixed states can be bounded, if the solution for pure states is known. In the next sections we use this bound and conjecture 4.11 to explicitly demonstrate, via examples, how to bound Eve’s optimal information (for a given induced error rate). Any state (density matrix) in 2-dimensional Hilbert space can be written as ρ= so that

1 ρ= 2

Iˆ + r · σ ˆ 2

1 + z x − iy x + iy 1 − z

(4.28) !

,

(4.29)

with r = (x, y, z) being a vector in R3 , σ ˆ = (ˆ σx , σ ˆy , σ ˆz ) the Pauli matrices, ˆ and I the unit matrix. In this spin notation, each state is represented by the corresponding vector r. For pure states |r| = 1, and for mixed states |r| < 1. Suppose that χ and ζ are two density matrices, represented by rχ and rζ respectively. It is possible to construct the density matrix ρ = mζ + (1 − m)χ

(4.30)

from the two matrices (where 0 ≤ m ≤ 1 since m and 1 − m are probabilities), ˆ and the geometric representation of such a density matrix ρ = I+r2ρ ·ˆσ is rρ = mrζ + (1 − m)rχ .

(4.31)

Two pure states can always be expressed as |Φ0 i = sc and |Φ1 i = c = cos α and s = sin α. Using the notations of density matrices Φ0 ≡ |Φ0 ihΦ0 |

c −s

, with (4.32)

etc. the two pure states are 1 Φp = 2

1+z x x 1−z

!

,

(4.33)

with z = cos 2α and x = sin 2α for p = 0 and x = − sin 2α for p = 1. If Φp is used to describe bit p, the receiver can identify the bit by distinguishing the two 67

pure states. Two (not necessarily pure) density matrices ρp in two-dimensional Hilbert space, with equal determinants (which are equal to |r|) can also be expressed using similar form with z = |r| cos 2α and x = ±|r| sin 2α. For two such mixed states let us choose a state χn , and two pure states Φ0 , Φ1 such that ρ0 = mΦ0 + (1 − m)χn ρ1 = mΦ1 + (1 − m)χn .

(4.34)

Let I be some (positive) measure for the optimal distinguishability of two states, so that any operation done on them cannot lead to a distinguishability better than I. From the construction of (4.34), it is clear that any such measure, I, for optimal distinguishability must find that the two mixed states ρp are not more distinguishable than the two pure states Φp . That is Theorem I(Φ0 ; Φ1 ) ≥ I(ρ0 ; ρ1 ) .

(4.35)

Proof Suppose the contrary I(Φ0 ; Φ1 ) < I(ρ0 ; ρ1 ). Then, when one receives Φp he can mix them with χn and derive a better distinguishability than I(Φ0 ; Φ1 ), in contradiction to the definition of I(Φ0 ; Φ1 ). QED We can choose any measure of an optimal information carried by these systems to describe the distinguishability. Very complicated types of information can be extracted from such systems, as for example, the optimal information on the parity of an n-bit string of such quantum bits [15, 20]. In the case [20], where parities of substrings are given, a solution exists only for pure states with small angles (the BM result). We can use this known solution to bound the optimal information on mixed states which are close to each other. ˆ Also let ρ↓ be the pure Let ρcms be the completely mixed state ρcms = 21 I. state of spin down in the z direction. Two cases of (4.34) are useful for our purpose: a) ρp = mΦp + (1 − m)ρcms , where the pure states Φp have the same angle as ρp (see Fig. 4.1a); b) ρp = mΦp + (1 − m)ρ↓ , where Φp (which are uniquely determined) are shown in Fig. 4.1b. The first type of bound is useful if ρp have a small angle α (which satisfies tan 2α = x/z), so that the angle between the pure states β = α is also small. The second type of bound is useful when the ‘distance’ 2x between the two possible mixed states is small (while α might be large). In this case x is small and z positive hence the resulting angle β between the two pure states is small x (following tan β = tan 2δ = z+1 ≤ x). Thus, in both cases the angle between 68

φ

φ

0

ρ0

ρ

2α

φ

1

1

2β

1

ρ0 χ

φ

0

ρ1

2α

n 2δ

χ

a

n

b

Figure 4.1: Two ways of finding two pure states Φp from which the two density matrices ρp can be constructed using a third state χn common to both density matrices. In a), χn = ρcms , the completely mixed state. In b), χn =↓z , the “down z” pure spin state. the two pure states is small so that I(n, β) < C(n)(2β)(n+1)/2 (with C(n) = √ n + 1 ln 22√π ) provides an upper bound on Eve’s information on the final key. Note that our final goal is to get I(n, pe ), thus we need also to find the relation between pe and β (through the known relation with α).

4.3

Security Against Symmetric Collective Attacks

An explicit calculation of Eve’s density matrix as a function of pe must be done separately for any suggested attack to obtain I(n, pe ). However, the fact that Eve is permitted to induce only small error rate restricts her possible transformations at the first stage of the collective attack, hence, the two possible states of each of her probes must be largely overlapping (for a symmetric attack). Concentrating on two-dimensional probes, this implies that the second of the two cases above can always be used to bound Eve’s information to be exponentially small. For certain examples – the first case is sufficient, hence 69

the angle between the two possible pure states can be calculated from Eve’s density matrix directly using β = α. Let us show two examples in details, to conclude that Eve’s information is exponentially small with the length of the string. Both examples use the same unitary transformation but are applied onto different quantum cryptographic schemes, the two-state scheme [4] and the four-state scheme [6]. In our examples Eve uses a 2-dimensional probe in an initial state 10 . She performs a unitary transformation !

1 |φi U 0

(4.36)

(with |φi Alice’s state), where

U =

with cγ = cos γ, etc. With γ =

π 2

1 0 0 0 cγ −sγ 0 sγ cγ 0 0 0

0 0 0 1

,

(4.37)

this gate swaps the particles !

!

1 1 . |φi → |φi 0 0

(4.38)

Eve chooses a small angle γso that the attack is a weak swap. Let Alice’s possi θ 1 1 √ ble initial states be |φp i = ±cos in the two-state scheme, and |φ i = m sin θ 2 im √ (with i = −1 and m = 0 · · · 3) in the four-state scheme. The corresponding final states are

|Ψp i =

cos θ ± sin θ cγ ± sin θ sγ 0

1 |Ψm i = √ 2

;

1 m i cγ im sγ 0

,

(4.39)

respectively. Bob’s reduced density matrices (RDMs) are calculated from |ΨihΨ| by tracing out Eve’s particle. This operation is usually denoted by ρB = TrE [|ΨihΨ|] , where the full formula is given by eq. (5.19) in [86] (ρnm = P µ ρnµ,mµ ). We denote this operation by h

i

ρB = TrE (|ΨihΨ|)Iˆ ,

(4.40) P

µν

ρnν,mµ δµν =

(4.41)

ˆ From Bob’s matrices we find where the two-dimensional δµν is written as I. the error rate, that is, the probability pe that he recognizes a wrong bit value. 70

Calculating Eve’s density matrix is more tricky; we need to take into account the additional information she obtains from the classical data, in order to obtain an information-dependent RDMs. This is a trivial task for the four-state scheme but a rather confusing task in case of the two-state scheme. In case of the four-state scheme Bob measures his particle in one of the basis x (corresponding to m = 0, 2) or y (m = 1, 3). Suppose that Alice and Bob use the x basis; Bob’s RDMs are ρB =

1 2

+ 21 (sγ )2 ± 12 cγ

1 2

± 12 cγ − 21 (sγ )2

!

,

(4.42)

leading to an error rate pe = sin2 (γ/2) which is the probability that he identifies |φ2 i when |φ0 i is sent. Eve has the same knowledge of the basis, hence her information-dependent RDMs are ρE =

1 2

+ 21 (cγ )2 ± 12 sγ

1 2

± 21 sγ − 21 (cγ )2

!

,

(4.43)

so that x = sγ , z = (cγ )2 , and the relevant angles are 2β = 2α = (tan)−1 (sγ /cγ 2 ) (using the first type of bounds). For a small angle γ we get pe ≈ γ 2 /4 + O(γ 4 ), β ≈ γ/2 + O(γ 3), and thus pe ≈ β 2 + O(β 4). The information is thus bounded by I(n, pe ) < C(n)(4pe )(n+1)/4 (4.44) to be exponentially small [using (4.26)]. It is interesting to note that this spin-exchange attack against the four-state scheme provides the optimal information vs. disturbance for individual attacks. This can be easily seen by calculating I2 (γ) from ρE and then by comparing I2 (pe ) to the optimal result calculated recently in [50]. As a result, this attack also provides the maximal possible ‘distance’ between Eve’s possible density matrices (on the Poincar´e sphere) for a given error rate. Thus, with some more work, it is possible to obtain a bound on Eve’s optimal information on the final key using any symmetric collective attack (on the four-state scheme) which uses probes in 2 dimensions. This interesting result was obtained only while adding final corrections to this thesis, and thus, it shall be explicitly shown in a future review paper on the security issue, but not in this thesis. In case of the two-state scheme Bob’s RDMs are ρB =

(cθ )2 + (sθ )2 (sγ )2 ±cθ sθ cγ ±cθ sθ cγ (sθ )2 (cγ )2

!

.

(4.45)

Bob chooses one of two possible measurements, M0→1 or M1→0 , with equal probability p0→1 = p1→0 = 1/2; In case of M0→1 , Bob measures the received state to distinguish φ0 from its orthogonal state φ0 ′ and finds a conclusive result ‘1’ whenever he gets φ0 ′ . (The conclusive result ‘0’ is obtained by interchanging 0 and 1 in the above). The error rate is the probability of identifying φp ′ when φp is sent, and it is pe = (sθ )2 (cθ )2 [1 − cγ ]2 + (sθ )4 (sγ )2 . 71

(4.46)

To obtain Eve’s density matrices one must take into account all the information she possibly has. If one ignores the classical information and calculates the standard RDMs (as in [51]), then the result is of significant importance to quantum information, while it is less relevant to quantum cryptography. Recall that Bob keeps only particles identified conclusively (as either φ0 ′ or φ1 ′ ); Bob informs Alice — and thus Eve — which they are, and, as a result, Eve knows that Bob received either φ0 ′ or φ1 ′ in his measurement, and not φ0 or φ1 . This fact influences her density matrices, and these are not given anymore h i ˆ by the simple tracing formula ρE = TrB (|ΨihΨ|)I . In general, information ˆ dependent RDMs are obtained by replacing Iˆ by any other positive operator A: ρE = TrB

h

i

(|ΨihΨ|)Aˆ

(4.47)

(This is a rather obvious conclusion from the discussions prior to eq. (5.19) and also from page 289 in Section 9 in [86]); The correctness of this technique can easily be verified. In our case ρE = TrB

1 1 (|ΨihΨ|)( |φ0′ ihφ0′ | + |φ1 ′ ihφ1 ′ |) , 2 2

(4.48)

where the halves result from p0→1 and p1→0 . This tracing technique leads to ρE =

(sθ )2 (cθ )2 + (sθ )2 (cθ )2 (cγ )2 ±cθ (sθ )3 sγ ±cθ (sθ )3 sγ (sθ )4 (sγ )2

!

.

(4.49)

After normalization we get x = 2sγ cθ (sθ )3 /TrρE

(4.50)

1+z 1−z − = [(cθ )2 (sθ )2 [1 + (cγ )2 ] − (sθ )4 (sγ )2 ]/TrρE . 2 2

(4.51)

and z=

The relevant angles are again 2β = 2α = tan−1 (x/z). For small angle γ we get pe ≈ sθ 4 γ 2 + O(γ 4), 2β ≈ (sθ /cθ )γ + O(γ 3 ). Finally we get pe ≈ (sθ )2 (cθ )2 (2β)2 + O(β 4 ) from which we find

pe I(pe , n) < C(n) sθ cθ

(n+1)/4

(4.52)

,

(4.53)

with C(n) as before. From the dependence on p(n+1)/4 (that is, from pe ≈ β 2 ) one might get e the wrong impression that this attack is much worse to Eve than the EHPP attack [see (4.27) where pe ≈ α4 ]. This is indeed the case since the EHPP attack is especially designed to attack the two-state scheme. However, Alice and Bob can easily overcome this problem if they use other (additional) states 72

in the protocol. Such additional states are used only for error estimation and are much more sensitive to the EHPP attack. For instance, if Alice sends the additional state 10 to Bob, then Bob’s RDM is

cα 2 cθ ′ 2 cθ 2

0

0 sα 2 sθ ′ 2 cθ 2

,

(4.54)

as a result of the EHPP transformation (2.3). The induced error rate is pe =

sα 2 sθ ′ 2 ≈ tan2 θ α2 cθ 2

(4.55)

proving that pe ≈ α2 as in the attacks presented in this section (actually, Alice and Bob could even identify that Eve is performing an attack specially designed against the two-state scheme if pe is so much different for different states). Thus, if Alice and Bob use such verification states, Eve must take this into account and decrease α in an appropriate way. As a result of the existence of such unique attacks against the two states of the two-state scheme, and the recent proof that the optimal attack on the four-state scheme also yields pe ≈ β 2 [50] it is quite clear that it is better to abandon the two-state scheme as it is today and to modify it as we just suggested. Whether the modified two-state scheme still deserves being called a two-state scheme is a matter of taste, but clearly it loses one of its main advantages over the four-state scheme, namely using two states instead of four for secure transmission.

4.4

Security Against Non-Symmetric Collective Attacks

While writing this thesis we extended the previous result a bit further, analyzing also a typical example of a non-symmetric collective attack. These results are yet partial, but due to their importance, we prefer to add them in an incomplete form rather than to ignore them. In this section we present the gate of weak measurement and use it to perform a non-symmetric attack on the four-state scheme. This attack generalized the simple attack presented in Section 1.4, where Eve performed standard measurements in one of the two basis. In the original attack Eve can only attack a small potion of the particles, η, or else she induces too much noise. Using the weak measurement gate presented here, she can attack all particles (for any permitted error rate). A gate for standard measurement performs the transformation √ ! √ ! √ ! ! 1/ 2 1/ 2 1/ 2 1 √ √ √ −→ . (4.56) 0 E ±1/ 2 A ±1/ 2 E ±1/ 2 B 73

We generalize this gate to 1 0

!

E

√ ! √ ! ! 1/ 2 1/ 2 cos γ √ √ −→ , ± sin γ E ±1/ 2 B ±1/ 2 A

(4.57)

which yields the previous gate for γ = π/4 and yields a weak measurement gate for small γ. This unitary transformation stands for a weak measurement in the x basis. Let us apply the unitary transformation to 10 and 01 : A

1 0 0 0

→

cγ 0 0 sγ

;

0 1 0 0

A

→

0 cγ sγ 0

.

(4.58)

This unitary transformation can be chosen as:

cγ 0 0 −sγ 0 cγ −sγ 0 0 sγ cγ 0 sγ 0 0 cγ

(4.59)

Applying this (x basis) weak measurement transformation to |φp i and |φm i we get cγ cθ cθ cγ 1 ±c s ±s im c 1 im γ θ θ γ √ ; → . (4.60) → m ±sγ sθ 0 i sγ 0 2 sγ cθ 0 sγ 0

One can verify that for γ = π/4 and m = 0, 2 this is the standard measurement gate (in the x basis) we started with. When Eve applies this transformation onto the two-state scheme as above, she actually applies another symmetric collective attack. However, when Eve applies this gate to attack the four-state scheme by choosing randomly in which basis (x or y, in our case) to measure1 , she applies a very enlightening example of a non-symmetric collective attack. We consider the case where Eve performs a weak measurement in the x direction. If Alice and Bob also use the x basis Eve induces no errors and the angle for her probe is α = γ. If they use the y basis the reduced density matrices in Bob’s hands are ! i 1 ∓ c 2γ 2 2 , (4.61) ρB = 1 ± 2i c2γ 2 leading to an error rate pe = sin2 γ. The average error rate √is thus, pe = (sin2 γ)/2, and this bounds γ to be small. For small angles γ = 2pe . 1

The gate presented above can be easily generalized to give a weak measurement in any other direction.

74

Eve has the same knowledge of the basis, hence her information-dependent RDMs are ! 1 1 + (c ) 0 2γ . (4.62) ρE = 2 2 1 0 − 21 (c2γ ) 2 These RDM’s are independent of the state sent by Alice. Thus, Eve’s density matrix provides no information at all. Although Eve’s average information on each bit does not differ much from the previous example (using the spin-exchange gate), her average information on the parity bit is much reduced. In most cases it is exactly zero since the probability that Eve guesses the basis of all the bits in an n-bit string correctly is 2−n . Even when she does guess it correctly, her information is still exponentially small I < C(n)(8pe )(n+1)/4 , (4.63) but larger than the information Eve obtains using the spin-exchange gate by a factor of 2(n+1)/4 . On average, her information is reduced by a factor of 2[(n+1)/4]−n ≈ 2−3n/4 compared to that symmetric attack. To gain a better comparison, one should calculate Eve’s information in a symmetric collective attack using a weak measurement in the Breidbart basis (the basis symmetric to the x and the y bases), or even better — to calculate Eve’s information in a non-symmetric attacks where Eve measures in some chosen angle from the Breidbart basis.

4.5

Security Against Any Collective Attack

We have seen simple symmetric collective attacks in Section 4.3. The information available to Eve when she performs any other symmetric collective attack with two-dimensional probes can also be calculated using our method. In particular, when the optimal attack of that type will be found, our method can be used to prove security against it; For small enough error rate Eve’s probes must have small angles between them, and thus, our proof can be applied using the first type of bounds (Fig. 4.1a). The second type of bounds (Fig. 4.1b) is usually irrelevant when the attack is given (since Eve’s initial state is usually in a pure state), but it can be very useful for finding the optimal attack, requiring only to find the maximal ‘distance’, 2x, between the two possible states of the probe. For the attacks on the two-state scheme the optimal distance can be found as in [51]. Note that it will not provide the optimal attack, but it shall provide a bound on Eve’s optimal information. For the attacks on the four-states scheme we can already perform the calculation as previously explained, and shall do it very soon. More general collective attacks can use non-symmetric translucent attacks and/or can use probes in higher dimensions in the first step of the collective attack. Methods similar to ours can be used for proving security against various non-symmetric collective attacks (in 2 dimensions), as is done in Section 4.4. 75

But the calculation becomes more complicated, and we are not sure if all cases can be solved. However, the case solved in the previous section provides some intuition why non-symmetric attacks are not good for Eve. Our bounds cannot be used when Eve uses higher dimensional probes. On one hand, the two possible states of each probe in this case are still highly overlapping, and the same intuition which holds in our work shall still hold. However, extending the information bounds we found to three or four dimensions might be a difficult task since there no simple geometrical representations as for two dimensions. Note that analysis of dimensions higher than four is not required since they cannot help the attacker due to reasons shown in [51].

76

Chapter 5 Quantum Networks for Quantum Cryptography Quantum correlations between two particles show non-classical properties which can be used for providing secure transmission of information. In this chapter we present a quantum cryptographic system, in which users store particles in a transmission center, where their quantum states are preserved using quantum memories. Correlations between the particles stored by two users are created upon request by projecting their product state onto a fully entangled state. Our system secures communication between any pair of users who have particles in the same center. Unlike other quantum cryptographic systems, it can work without quantum channels and is suitable for building a quantum cryptographic network. We also present a modified system with many centers. This part was done together with Eli Biham and Bruno Huttner [19]. The new developments in quantum computation started a wide surge of interest in the field of quantum computing gates and devices. However, building such computing devices is a difficult task, and quantum computing is only doing its first experimental steps. The building blocks of future quantum computers are one-bit and two-bit quantum logical gates [36, 41, 2, 31], which are currently under intensive development [33, 103, 82]. Building quantum computing devices to factor large numbers does not seem to be practical in the foreseeable future since it requires combining many one-bit and two-bit gates. However, a single two-bit gate also have intriguing uses in information processing and quantum communication such as teleporting a quantum state [8], and dense coding in quantum cryptography [16]. We shall show in this chapter that the use of quantum gates together with quantum memory opens new directions in quantum cryptography. Our system may be practical long before quantum computers are, hence it provides a short-term application for quantum gates. One of the main disadvantages of quantum cryptography is its restriction to relatively short channels. This is due to the fact that, in contrast to classical channels, a quantum channel cannot use repeaters1 to amplify the signal 1

In parallel, we investigated this problem as well and find a surprising way of defining

77

without loss of coherence. Currently, working prototypes enable transmission to distances of many kilometers (see the general introduction in Chapter 1). Commercial systems may become available in the near future [55], so that two users will be able to communicate securely (if they are not too far). However, building quantum cryptographic networks based on the existing schemes2 seems to cause severe difficulties (which may even make it impractical): 1. Quantum communication requires any pair of users to have a common quantum channel, or alternatively a center (or a telephone-like switching network) connected by quantum channels to all the users, which should match any pair of channels upon request; enhancing the security of the current world-wide telephone network (which contains about N ≈ 109 users (telephones) ) using quantum cryptography requires huge investments in quantum channels and devices. 2. Any user must have the financial and technological abilities to operate complicated quantum devices. 3. The keys must be transmitted online, or else one would need to transmit O(N 2 ) keys in advance to enable any pairs of users to communicate in secrecy. 4. The network must assure authenticity of the users. It is important to have quantum cryptographic networks not suffering from these problems. In this chapter we suggest a new cryptographic scheme in which users store quantum states in quantum memories, kept in a transmission center. Upon request from two users, the center uses two-bit gates to project the product state of two non correlated particles (one from each user) onto a fully entangled state. As a result, the two users can share a secret bit, which is unknown even to the center. Our scheme can operate without quantum channels, if the quantum states are “programmed” at the center. In that case, the scheme does not suffer from the four problems just mentioned, and can operate at any distance. Hence, it is especially appropriate for building a quantum cryptographic network of many users. Such a system actually shows some of the useful properties of the public key cryptosystems, but yet, it doesn’t require computation assumptions. In Section 5.1, we present a new two-party quantum cryptographic scheme which is a time-reversed EPR-scheme. In Section 5.2, we present a quantum network based on this scheme with the addition of quantum memories. In Section 5.3, we discuss the possibilities of implementing our scheme in practice. In Section 5.4, we present a more advanced network, based on quantum teleportation, where users can store their states in different centers and the centers quantum repeaters. See Section 6.1.3 and Section 6.3. 2 For a suggestion of a quantum cryptographic networks based on the existing schemes see [101].

78

teleport states upon request. This network uses quantum channels; however, it requires quantum channels only between the centers, so that the 4 problems stated above do not arise. In Section 5.5 we summarize this chapter.

5.1

A Time-Reversed EPR-Scheme for Quantum Cryptography

The first goal of this chapter is to suggest another scheme for quantum cryptography, which we shall call the time-reversed EPR-scheme: in the EPR scheme, presented in Section 1.4, a singlet state is prepared and, later on, it is projected on the states of the four-state scheme; in our time-reversed EPR-scheme, each user prepares one of the four states of the four-state scheme, and, later on, the product state is projected upon a basis which includes the singlet state. Let both Alice and Bob send one of the four states, | ↑i, | ↓i, | ←i or | →i to a third party whom we refer to as the center (the purpose of using this name shall be clarified in Section 5.2). The center measures their qubits together to find whether the two particles are in a singlet state. This can be done by measuring the total-spin operator (Sˆtotal )2 . If the result of the measurement is s = 0, then the two particles are projected onto the singlet state. In that case Eq. (1.25) ensures that, if the two spins were prepared along the same axis, then they necessarily had opposite values (the projection of the states with identical spins on the singlet state is zero). As a result, Bob knows Alice’s bit and vice versa. However, from Eq. (1.25), an honest center, who follows the protocol and projects onto the singlet state, has absolutely no knowledge on these bits. For example, when Alice and Bob both used the vertical axis, the center does not know whether Alice had the up state and Bob the down state, or vice versa. If the measurement result is s = 1, Alice and Bob cannot infer anything about the value of each other’s bit, and they discard the transmission. The probability of obtaining the singlet state is zero when Alice and Bob sent the same state (e.g., ↑↑), and is half in case they sent opposite states. Taking into account the case where Alice and Bob use different axes (which will also be discarded), we find that the overall probability to obtain a usable state is only one eighth. To create a key with many bits, Alice and Bob send strings of quantum states (L′ > 8(L + l) qubits) to the center. The center must be able to keep them for a while (in case the states do not arrive at the same time from Alice and Bob), and then to measure the first pair, the second pair etc. The center tells Alice and Bob all cases in which the result of the measurement is a singlet, which happens in one fourth of the cases. Alice and Bob then compare their axes. When they used the same axis (which happens about half of the time), they know that their spins are necessarily opposite, and thus Bob can calculate Alice’s bits to share a key with her. As in the BB84 scheme and the EPR schemes Alice and Bob use the classical discussion channel to estimate the error rate. If it is tolerable they perform error correction and privacy amplification,

79

Figure 5.1: Two processes, which we use to prove the security of the protocol. In both figures, one particle of each EPR correlated pair (denoted by dashed lines) is sent to the center, who performs a Bell measurement. We consider only the case where the result of the measurement is a singlet state. The second particles are sent to Alice and to Bob respectively, who project them onto the BB84 states. In a), the first measurement is done by the center. The particles arriving to Alice and Bob are therefore in the singlet state like in the EPR based protocol. In b), the first measurement is performed by Alice and Bob. Each particle sent to the center is therefore in one of the BB84 states. This is similar to our protocol. to derive a final L-bit key. The security of our protocol derives from the security of the EPR protocol, and relies on the fact that the singlet state is the only state for which the two spins are anticorrelated both in the Sˆz and in the Sˆx bases. However, as explained previously, if the center projects on the singlet state, he does not get any information on Alice’s and Bob’s bits. Therefore, a cheating center needs to project onto a different state (possibly entangled with his own system), which cannot give perfect anticorrelations along both Sˆz and Sˆx axes. Since the center cannot know in advance which basis was used by Alice and by Bob (the two density matrices corresponding to using Sˆz or Sˆx are identical), he will unavoidably introduce errors, which Alice and Bob shall identify during the discussion. In fact, in terms of eavesdropping possibilities, our protocol and the EPR protocol are equivalent, as we show using the scheme presented in Fig. 5.1. In this scheme, two EPR pairs are created, one particle of each pair is sent to the center, and the second one to Alice and to Bob. In Fig. 5.1a, the center performs a measurement on his two particles first. An honest center, who follows the 80

agreed protocol, projects the particles onto the singlet state. The two particles sent to Alice and to Bob are now in the singlet state as well. This is therefore equivalent to the EPR scheme. The only difference is that the projection onto the singlet state performed by the center succeeds with probability 1/4 only. This means that the center will ask to discard 3/4 of the transmission, but this does not affect the eavesdropping issue. A cheating center can send to Alice and Bob any state he wants, including any desired entanglement with his own system, by choosing an appropriate unitary transformation and the correct state on which to project his own particles. To show that, we start with the two singlet pairs and let the center introduce an ancilla in a state Ainit . The state of the whole system is: ΦABC =

1 | ↑↓i − | ↓↑i) ⊗ (| ↑↓i − | ↓↑i ⊗ Ainit . 2

(5.1)

The first particle of each singlet pair is sent to Alice and to Bob respectively, while the center keeps the second, together with his ancilla. The state ΦABC can thus be rearranged as: 1 | ↑↑iAB ⊗| ↓↓iC +| ↓↓iAB ⊗| ↑↑iC −| ↑↓iAB ⊗| ↓↑iC −| ↓↑iAB ⊗| ↑↓iC ⊗Ainit , 2 (5.2) where the index AB refers to the particles sent to Alice and Bob, and the index C refers to the particles kept by the center. The center now applies a unitary transformation U to entangle his particles with the ancilla in the following way:

ΦABC =

UΦABC =

1 | ↑↑iAB ⊗ | ↓↓iC ⊗ A1 + | ↓↓iAB ⊗ | ↑↑iC ⊗ A2 2 −| ↑↓iAB ⊗ | ↓↑iC ⊗ A3 − | ↓↑iAB ⊗ | ↑↓iC ⊗ A4 , (5.3)

with Ai any normalized states of the ancilla which are (in general) not orthogonal to one another. By projecting his state onto ψ = α| ↓↓iC + β| ↑↑iC − γ| ↓↑iC − δ| ↑↓iC (this projection succeeds with probability 1/4 on average), the center creates the state 1 ∗ α | ↑↑iAB ⊗ A1 + β ∗ | ↓↓iAB ⊗ A2 + γ ∗ | ↑↓iAB ⊗ A3 + δ ∗ | ↓↑iAB ⊗ A4 , 2 (5.4) which is the most general state the center could create when cheating the EPR scheme [11]. This demonstrate the equivalence between Fig. 5.1a and the EPR scheme. In Fig. 5.1b, the first measurement is performed by Alice and Bob, who project the particles onto the BB84 states. Therefore, the particles arriving at the center are also in the BB84 states, and this scheme is identical to ours. Since the relative time of the measurements cannot influence the outcome, all these schemes are equivalent. Following the same reasoning, but in two steps (first letting only Alice measure before the center) it is also possible to show

ΨABC =

81

that the security of the BB84 scheme implies the security of our scheme. Since the security of the EPR scheme implies the security of the BB84 scheme [11], our proof actually shows that the security of the three schemes is equivalent. Using only the total spin measurement, less than one eighth of the qubits could be used. A better choice, although possibly more difficult to implement in practice, is to measure the Bell operator (defined in [26]) whose eigenstates (the Bell states) are the singlet state, Ψ(−) [equation (1.25)], and the three other states: s s 1 1 (+) (| ↑↑i + | ↓↓i) = (| ←←i + | →→i) , (5.5) Φ = 2 2 Ψ(+) = and

s

s

1 1 (| ↑↓i + | ↓↑i) = − (| ←←i − | →→i) 2 2

(5.6)

s

s

1 1 (| ↑↑i− ↓↓i) = (| ←→i + | →←i) , (5.7) Φ = 2 2 where the second expression for each of the Bell states is derived by expanding them (as was done for the singlet state) into the (| ←i , | →i) basis. Consider a case where Alice and Bob used the same basis. According to the result of the measurement, and to the choice of axes by Alice and Bob, their prepared states are known to be either correlated (e.g. if the result is Φ(−) and they both used the z axis), or anticorrelated (e.g. if the result is still Φ(−) but they both used the x axis). The protocol is: (−)

• The center retrieves the particles from Alice and Bob and measures the Bell operator on each pair. He gets one of the four above states, and tells his result to Alice and Bob. • Alice and Bob tell each other the axis they used (but not the bit value). When they used different axes, they discard the transmission. Whenever they used the same axis, they know if their bits are correlated or anticorrelated. In this case half of the quantum states are used to derive the desired key, and L′ > 2(L + l) qubits are required. The proof of security for this case is similar to the proof in the singlet case. An honest center, who projects the states onto the allowed states, cannot get any information on the bits. For example, if the center obtains the state Φ(+) , and Alice and Bob announce later that they used the horizontal axis, the center only knows that either both Alice and Bob have the left state, or both have the right state. But he cannot know which of these two possibilities occurred, hence has no information on the bit values. Moreover, similarly to the singlet case, Φ(+) is the only state for which Alice’s and Bob’s states have such correlations along both x and z axes. Therefore, for each bit on which a cheating center attempts to eavesdrop, he needs to create a different state in order to gain information, which shall be detected with finite probability. By 82

checking a large number of bits, Alice and Bob will therefore detect the cheating with probability exponentially close to one.

5.2

A Quantum Cryptographic Network

In this section we combine the reversed EPR scheme and the use of quantum memories into a classical network to present a quantum cryptographic network. The classical protocol for a network uses a hidden file managed by a communication center. Any user is permitted to put data (secret keys) in the file, under his name, but only the center has access to the data. Let there be N users, and let each of them store many L-bits strings. Upon request from two users, the center uses their data and creates a secret key for them, which is shared by both of them: the center calculates the XOR of one string of the first user (say, a1 . . . aL of Alice), and one string of the second user (say, b1 . . . bL of Bob); the XOR of a string is calculated bit by bit using cj = aj ⊕ bj (the parity of the two bits), and the resulting string, C = c1 . . . cL , is transmitted (via a classical unprotected channel) to Alice; Alice rederives Bob’s string by calculating the XOR of her string with the received string, and can use Bob’s string as their common key. Secure transmissions from each user to the center can be done either by personal delivery, trusted couriers or quantum key distribution. Such a classical key distribution scheme is perfectly secure if we assume that the center holding them is perfectly safe and trusted. No other person (except the center) can have any information on their key. Even a powerful eavesdropper who can impersonate the center and all the users cannot eavesdrop, since the center and each of the legitimate users can use some of the secret bits for authenticating each other. Alice and Bob need to trust the center for two different purposes: 1. To “forget” their secret key (and not trying to listen to the messages transmitted using the key); 2. To authenticate one to the other in case they have no other way of authentication. This is a new possibility of authentication, added to the two options, previously mentioned in Section 5.1. Thus the assumption of having classical channels which cannot be modified can be completely removed, even if the users have no other way to authenticate each other. The main reason why this simple scheme is not satisfactory in practice is that it concentrates too much power in the distribution center. Indeed the center can understand all the secret communications going through its distribution web, or connect Alice to an adversary instead of to Bob. Even if we assume that the center is trusted, any eavesdropper who manages to get access to it could decipher all the communications. Using a quantum memory instead of a classical memory is the key-point in deriving the quantum network. We now present a quantum key distribution network which uses a quantum file instead of the classical hidden file, and removes the requirement of a trusted center. Alternatively, we can release the 83

usual assumption of quantum cryptography [5] – that classical channels cannot be modified by Eve – if we are willing to trust the center for authentication (without trusting him for “forgetting” their qubits). Instead of storing L classical bits to make a future key, each user shall store L′ quantum states (qubits) in specially devised quantum memories kept in a center. Upon request from two users, the center performs the time reversed EPR scheme described in the previous Section and creates correlations between the bits. The resulting string C, which holds the correlation data is sent to Alice and Bob via a classical channel. As in the classical case, using string C, Alice can calculate Bob’s string to derive a final common key of L bits. If Alice and Bob compare bases after deriving the data from the center, then, as explained in Section 5.1, any attempt by the center to obtain the value of these bits will create errors and be discovered by Alice and Bob. The center therefore does not need to be trusted anymore. Unlike other quantum schemes, the actual (online) distribution of the secret keys is performed on classical channels. First, the center let Alice and Bob know the state he got. Then, Alice and Bob continue as in the other two schemes previously described to obtain the final key. All the quantum communication is done in advance, when the users “deposit” their quantum strings in the center (preferably in a personal meeting). When L-bit strings are stored in a classical hidden file, two users derive L-bit strings of correlated bits. Using quantum states for representing the bits, longer strings of length L′ > L + l are required, since some bits will be used for error estimation, error correction and privacy amplification. The exact ratio depends on the expected error rate in the channel. Only the bits which are encoded in the same basis by both users can be used, therefore L′ > 2(L + l) bits are actually required (we assume that the more efficient scheme of measuring the Bell basis is used). Let us summarize the protocol as follows: • In the preparation step the user sends (gives) L′ -qubit strings to the center, each qubit is one of the four states of the BB84 protocol. The center keeps these quantum states in a quantum file without measuring them. It is important that the system used for keeping the quantum states will preserve them for a long time (as long as required until the actual key distribution is performed). • When Alice and Bob wish to obtain a common secret key, they ask the center to create correlations between two strings, one of Alice and one of Bob. The center performs the Bell operator measurement on each pair of qubits, which projects them onto one of the Bell states, and tells Alice and Bob the result he obtained. After Alice gets the results from the center (and not before that), Alice and Bob compare the basis they used and keep only the bits for which they used the same basis. In this case, and according to the state obtained, the states of Alice and Bob are either correlated or anticorrelated. So, Alice for example inverts all her bits 84

which should be anticorrelated with Bob’s. The remaining string should be identical with Bob’s, apart from possible errors. • An honest center, who performed the correct projections on the Bell states does not get any information on the string. • A cheating center (or any other eavesdropper who might have had access to the quantum files), who modifies the allowed states, unavoidably introduces errors between the two strings. • Alice and Bob perform error estimation, error correction and privacy amplification to derive a final key. The quantum channel is used only as a preparation step between each user and the center, and all the online communication is done via a classical channel. Yet, only O(N) keys are required to enable secret communication between any pair of the N users. The conventional quantum key distribution schemes require O(N 2 ) keys, or else require online quantum communication. In fact, our scheme does not require quantum channels at all. As in old implementations of quantum cryptography [7], the four quantum states can be chosen in any 2-dimensional Hilbert space. Instead of sending them, each user could arrive once in a while to the center, and “program” his states into the quantum file. If the memory can keep the states unperturbed long enough then each user can put as many strings as he needs till his next visit to the center. By using personal delivery of the quantum states we replace the distance limitation of all other schemes by a time limit, and solve the problems of a quantum cryptographic network which were described in the introduction to this chapter. All the technologically difficult steps, such as storing qubits and performing Bell measurements occur only at the center.

5.3

Implementations

Our scheme requires the possibility to program, store and manipulate quantum bits rather than to transmit them. Therefore, the discussion in Section 1.5 perfectly applies to our demands. In our case the quantum bits are subjected only once to a unitary operation of calculating the Bell state. We estimate3 that it may be possible to implement a working prototype of our scheme within a few years, with small modifications of existing technology of ion traps. Such a prototype shall be able to keep quantum states of several users for a few minutes and to allow to perform two-bit operations on qubits of two users. To do so, the center should hold L′ ion traps, and each of the two (or more) users puts one qubit in each ion trap. Upon request of two users the center shall be able to measure the i’th qubit of Alice and the i’th qubit of Bob together in the i’th ion trap. It may well be that such a prototype will not 3

The following suggestions were investigated with the help of D. DiVincenzo [42].

85

enable an operation on the qubits of other users, since the state of the other qubits in the ion trap might be destroyed. The way to establish a real working scheme with a center and with many users is still long. The main obstacle is that it is currently infeasible to transfer a quantum state from one ion trap to another. A real network should enable each user to program his string of quantum states in a register (say, at least one separated ion trap for each user). Then, upon request of two users, the center should be able to move one qubit of each of the two users to another ion trap where he can perform the Bell measurement without disturbing the other quantum states. As discussed in Section 1.5, this might be possible using ‘cavitraps’ but it is difficult to estimate now whether it will become practical in a few years. It may well be that other candidates based on nuclear spins will become more favorable.

5.4

World-Wide Network of Many Centers

The network of Section 5.2 is well suited for communication among users who are not far away and can arrive to the center. For two users who are far away from each other and cannot come to the same center our network may not be appropriate. We now show that it can be modified to be useful also in this case. Let there be many centers, and many users registered in each center. Every two centers should share many EPR singlet pairs. Upon request of users of the two centers, one center would teleport [8] the qubits of his user to the other center. This operation can be done with 100% efficiency (but it may, however, increase the error rate). The singlet pairs can be transmitted using any quantum cryptography scheme or even using a teleportation scheme and a supercenter who shares EPR pairs with all centers. However, the transmission and distribution of singlet pairs require quantum channels even if done in advance4 . Do we lose all the benefits we gained before? Certainly not. Still, only the centers need to have ability of performing quantum operations. All quantum transmission is done in advance, and yet, there is no need for O(N 2 ) strings, since the number of centers is much smaller than the number of users. Authentication is still simple. One problem of any quantum channel is the limit on its length. Our first scheme (with one center) replaced it by a limit on time. It would be bad to have both problems in a network of many centers. However, the suggestion of purifying singlets [12] enables transmitting signals to longer distances. Our scheme can make an excellent use of it, since only the centers need to have the technological ability of purifying singlets. Moreover, several transmission stations can be put in between to improve transmission (this idea was suggested by DiVincenzo [42]) by performing purification of singlets between any two neighboring stations and then use teleportation from one station to the next to derive purified singlets shared by the centers. 4

And transporting quantum states to deliver them by a personal meeting is similar to transmitting them through channels.

86

5.5

Summary and Discussion

In this chapter we introduced a new scheme for quantum cryptography based on a time-reversed EPR scheme. We suggested two new types of networks: a classical one based on hidden files, and one based on quantum files. The security of key distribution protocols in these networks does not rely on computational complexity assumptions. Both networks can be used to distribute keys in a secure way among any two users using simple online communication via classical channels. In the case of hidden files it is done with the help of a trusted center who can have access to all the information exchanged through its lines. Using quantum files, the center need not be trusted. Users have the means to check whether the center, or any other eavesdropper, tried to obtain information on the transmitted messages. The one-center quantum network we suggested does not require any quantum channel at all, and can be implemented in a center where each user “programs” his states into a quantum memory. We estimate that a working prototype may be built in the near future using ion-trap technology. A real network can be built when the problem of transmitting a quantum state from one trap to another is solved (perhaps using cavitrap with polarization states). The machinery required for our scheme is also required for much more complicated tasks such as purification and quantum computing. In this respect, our scheme may represent a first practical application for these new devices, which are now being planned in various laboratories. We hope that our work will motivate more research for systems which can both keep a quantum state for a long time, and enable the desired programming and measurements. We didn’t pay much attention to the delicate problem of programming the states. The programming requires a simple equipment to make sure that the center does not eavesdrop on the preparation step. While cavitraps are very complicated, programming the polarization state of each of the photons may be quite simple in the future. A future system of secure communication based on the protocol of Section 5.4 would involve a number of large transmission centers, which can exchange EPR correlated particles and store them, together with the qubits deposited at the centers by various users. Secure communication between any pair of users would then requires teleportation of the states to the same center, followed by the creation of correlations between the two strings.

87

Chapter 6 Quantum Error Correction and Quantum Privacy Amplification While doing this research, the feasibility of quantum memory was much increased (at least conceptually) due to the suggestions for quantum error correction [95]. Furthermore, additional fascinating applications of quantum memories were suggested by other people: 1. breaking quantum bit commitment [78] 2. entanglement purification [12] 3. quantum privacy amplification [38] The first issue was mentioned in Chapter 1, and we will not discuss it further. Let us explain the second issue in brief: Alice and Bob exchange many singlet pairs through a noisy channel. Because of the natural noise (or any other reason), the resulting entangled states are imperfect. Using an entanglement purification process [12], they can distill (if the initial error rate is not too large) nearly perfect singlet states. This is impressive since the purification is done by local operations performed at Alice’s site and Bob’s site, and using only classical discussion. In this chapter we present our research on quantum error correction and quantum privacy amplification. Quantum error correction and quantum privacy amplification generalize the analogous classical concepts to the quantum case. In the classical case, error correction is useful for improving communication, computation and memory, and privacy amplification is useful for cryptography. We use the term quantum privacy amplification literally. Quantum computation, communication, and memory are very sensitive to noise. Unlike the classical cases, errors cannot be removed using simple redundancy if non-orthogonal quantum states are used, due to the no-cloning theorem. Quantum error correction (QEC) was suggested [95] as a way to solve these problems by using new type of redundancy. Several schemes have been recently suggested to reduce these problems, mainly focusing on quantum computation, trying to minimize the redundancy. In Section 6.1 we investigate the 88

role of QEC in quantum communication and memory. We focus on the fidelity of the the recovered state, an issue ignored by most of the works on this subject. To improve the fidelity, we suggest to replace the error-correction codes by error-reduction codes, and we analyze the ways to calculate the fidelity. For n, a large integer, we suggest a code which uses N = n2 quantum bits to encode one quantum bit, and reduces the error exponentially with n [81]. Our result suggests the possibility of sending quantum states over very long distances, and maintaining quantum states for very long times. This part was done with the help of Eli Biham, Gilles Brassard, Lior Goldenberg and Lev Vaidman. Privacy amplification is an important step in any quantum key distribution protocol. While we (and also Yao [109] and Mayers [76]) investigated the efficiency of classical privacy amplification against a quantum eavesdropper, the possibility of using quantum privacy amplification (QPA) instead of classical privacy amplification was suggested [38]. Ignoring the problem of practice, this idea is very interesting. They suggested to perform a QPA which is based upon the entanglement purification (EP) developed in [12]. We call this process EP-based QPA, for convenience. In this process Alice and Bob use purified singlets to execute the EPR scheme or the four-state scheme (via teleportation). They can even choose a fixed basis and use orthogonal states, if they previously verified that the quantum privacy amplification works to yield the desired entanglement purification. The EP-based QPA provides a proof of security of quantum key distribution under the assumption that Alice and Bob have perfect devices1 [38]. In Section 6.2 we criticize the possibility that EP-based QPA provides secure quantum key distribution. One of the main surprises of the idea of [38] is that, unlike the classical case (where error correction and privacy amplification are usually considered separately), the suggested QPA process already contains the error correction as well! This was a hint that QEC itself could be used for suggesting another QPA process. In Section 6.3 we show that QEC codes can also serve for QPA (e.g., by encoding the qubits of the four-state scheme), if a simple randomization step is applied. In the previous chapter and in the literature [11] it is usually claimed that the EPR scheme provides no significant benefit over the four-state scheme. The EP-based QPA suggests a genuinely different quantum key distribution protocol, where the use of shared entangled states yields a protocol that has no analogue along the lines of the four-state scheme. Our QEC-based QPA shows similar features to the EP-based QPA, and it can work with any scheme. Due to the use of randomization of the code qubits, Alice could even start with only two known orthogonal states, encoded using the QEC code, to execute the key distribution. This aspect also presents a similarity to the use of the EP-based QEC. Finally, we explain that QPA might still be crucial to the security of quantum key distribution over large scale distances or times. This is due to quite different reasons from those suggested in [38]. 1

The assumption appears on page 2819, col. 1, line 18.

89

6.1 6.1.1

Quantum Error-Correction Error-Correction and Error-Reduction

The ability to correct errors in a quantum bit (qubit) is crucial to the success of quantum computing, and it is very important to the implementations of quantum communication systems and quantum memories. Motivated by quantum computing, Shor [95] shows that quantum errors can be corrected (in some analogy to classical error correction [73]). The many works which follow Shor’s idea focus on improving his result [14, 67, 98, 27] to better fit the requirements of quantum computing, or to provide a better understanding of the properties of the error-correction codes (the previous works and also [99, 46, 96]). In this section we apply this idea to quantum memories and quantum communication, where improving the fidelity of the recovered state is the main goal. The errorreduction scheme we suggest here enables, in principle, to reduce the noise in a transmission channel or in a quantum memory to any desirable level, while using much less qubits than the analogous error-correction schemes. Classical error correction is based on redundant encoding which uses more than one bit (on average) to encode one bit. The simplest scheme is the 1 → 3 repetition code in which each bit is repeated three times in the encoding, and a majority vote is chosen for decoding. This code corrects one error, thus if the 3-bit string suffers from up to one error, the original bit is recovered with perfect fidelity. In a realistic analysis one must also take into account the possibility of more than one error. For instance, if a single bit contains an error with probability p (where we assume that p is small), then pl = 3l pl (1 − p)3−l is the probability of having exactly l errors. Thus, the probability of having an error in the recovered bit is P = p2 + p3 = 3(1 − p)p2 + p3 = 3p2 − 2p3 . We call the probability P of having an error in the recovered bit the remainder error, and the fidelity is 1 − P . The analogous quantum error correction [95] uses 9 qubits2 to encode a single qubit (to perfectly correct a single error) using the following procedure: a 1 → 3 repetition code in the z basis |0i → |000i and |1i → |111i (where |000i stands for the tensor √ product |0i|0i|0i of three√qubits); a transformation to the x basis |0i → (1/ 2)(|0i + |1i) and |1i → (1/ 2)(|0i − |1i) for each qubit; and finally, again a 1 → 3 repetition code in the (new) z basis. All together, the encoding is: 1 |0i → √ (|000i + |111i)(|000i + |111i)(|000i + |111i) , 8 1 |1i → √ (|000i − |111i)(|000i − |111i)(|000i − |111i) . 8

(6.1)

We denote it as R3 UR3 where Rn stands for 1 → n repetition code, and U for transformation from the z basis to the x basis. From now on, N denotes the total number of code qubits which encode one original qubit. In an Rn URn 2

Other codes were found later on which use less qubits.

90

code (which is the obvious generalization of the code suggested by Shor) N = n2 qubits are used. A qubit is described by a two-dimensional Hilbert space (e.g., spin of a spinhalf particle) and it generalizes the classical bit to the quantum state |ψi = α|0i + β|1i with |α|2 + |β|2 = 1. When it is encoded using Rn URn we get the entangled state |ψi → |ΨRU R i = α|0RU R i + β|1RU R i . (6.2)

This state is made of N = n2 qubits, and lives in a 2(n space, with |0RU R i = |1RU R i =

!

1 √ (|01 · · · 0n i + |11 · · · 1n i) ( 2)n ! 1 √ (|01 · · · 0n i − |11 · · · 1n i) ( 2)n

2)

dimensional Hilbert

···

(|01 · · · 0n i + |11 · · · 1n i)

···

(|01 · · · 0n i − |11 · · · 1n i)(6.3)

where there are n multiplets of n bits each. In the decoding process, the disturbed state is projected on the desirable 2-dimensional subspace spanned by the two states |0RU R i and |1RU R i. An error-correction code is not supposed to correct arbitrary types of errors. In all the discussions on quantum error correction transformations of many particles together are dismissed since in reality such errors are much smaller than errors in individual bits. As a result, the interaction of the qubits can be written as a tensor product of the interactions of the individual bits (each with an independent environment). We adopt this assumption and refer to it as independent disturbance. To simplify the analysis even further, usually an additional assumption is made, that most of the bits are completely unaffected by the transformations, while few bits are strongly affected (and suffer from a bit-flip, a phase-flip or both3 ). In such a case, a code provides a perfect fidelity if it can correct at least as many bits as were affected. Unfortunately, this assumption is not natural, and it contradicts the assumption of independent disturbance which says that errors occur independently in any of the qubits. We shall not assume that only some qubits are affected. All bits are affected hence a code cannot provide perfect fidelity; there is always a remainder error P in the recovered qubit. We can estimate the average error rate p for a qubit transmitted through the channel, and calculate the remainder error P which results from it. For a small p, an error-correction code usually yields a much smaller P . However, such an approach is somewhat classical and it is not clear that it provides a correct calculation for P . To the best of our knowledge, it is not completely proven that the calculation of P can be based upon p, since the qubits are not measured separately in the QEC process. In the next subsection we shall try to remove this assumption (for a very simple case) and follow an alternative approach which is fully quantum. Instead 3

The analysis in [14, 46] might have shown that resistance against such errors promises resistance against any quantum error. We are not fully convinced that this is indeed true.

91

of choosing p as a parameter, we shall choose the “average” transformation4 which acts on each qubit. It may even be more realistic to assume that some of the transformations are not weak, but we shall be satisfied with analyzing an average transformation. Usually it is assumed that it suffices to consider the classical probability p instead of the average transformation. In this subsection we focus on analyzing the connection between p and P for Rn codes, assuming that such calculation is relevant to the quantum case of Rn URn as well. For communication purposes, we are mainly interested in the remainder error. It can be reduced if we use longer codes (or more efficient codes) which correct more errors. Alternatively, for a given code, it is possible to reduce the remainder error if we perform error reduction instead of error correction! Let us explain the difference between them (in the classical case). We previously presented the classical error-correction scheme R3 . This code improves the remainder error (to 3p2 −2p3 ) only on average: it improves it much when no errors are found, but it does not improve it when one error is found; in case we know that one error was identified and corrected [which happens with probability p2 + p1 = 3p2 (1 − p) + 3p(1 − p)2 ] the probability of having a remainder error is exactly p2 /(p1 + p2 ) = p, and we gain no error reduction at all! In case we throw away cases were an error is found, instead of correcting it, the remainder error is p3 /(p0 + p3 ) = p3 /(p3 + (1 − p)3 ). For a small p the remainder error is reduced from 3p2 − 2p3 to p3 + 3p4 + O(p5). The probability of success (the probability of not throwing the bit) is Q = p0 + p3 = 1 − 3p + O(p2 ). The possibility of using error reduction was already considered in [104], who suggested the n = 2 error reduction as an alternative to the n = 3 error correction. The n = 2 (classical) error-reduction code provides a remainder error P ≈ p2 + 3p3 which is better than 3p2 − 2p3 for a small p. In any error-correction code, the remainder error increases with the number of corrected errors. If we throw away cases where the scheme suffers from large number of errors the average remainder error can be much improved. Therefore, in our error-reduction code the majority vote is replaced by a unanimous decision; in case of a disagreement the bit is thrown away. The classical (1 → n) repetition code Rn with n = 2t + 1 provides successful unanimous decision with probability Q = (1 − p)n + pn , and the remainder error in this case is P = pn /Q. For a small p !n p P ≈ , (6.4) 1−p and (for a large n) Q is given by

Q ≈ (1 − p)n ≈ 1 − np +

(np)2 (np)3 − ... . 2! 3!

For a large n but small np we obtain Q ≈ 1 − np. 4

In order to yield a small p the transformation must be close to unity.

92

(6.5)

The same code can also be used to correct up to t errors (since n = 2t + 1), but with a much higher (average) remainder error, which can be calculated from the binomial expansion of [p + (1 − p)]n . As in the previous example, if exactly t errors are identified and corrected, the probability that there were actually t + 1 errors (hence, there is a remainder error) is p. If np > 1 (or even np ≈ 1) and Q becomes too small, error correction and error reduction can be combined together for the price of increasing the remainder error P . This is done by using a code which can correct up to t errors and use it to correct t′ errors where 0 < t′ < t. The case of t′ = 0 reduces to an error-reduction code, and the case of t = t′ reduces to an error-correction code. For simplicity we shall consider only “pure” error-reduction schemes, but our calculations can be generalized to combine the correction of few bits as well. The quantum error-reduction scheme R2 UR2 (suggested in [104]) improves the remainder error compared to Shor’s scheme, while using only 4 qubits instead of 9 for the encoding. The error-reduction process is done by projecting the state of the code’s qubits on a desirable subspace; for instance, in case of the Rn URn quantum error-reduction code, it is projected on the subspace spanned by the two states of eq. (6.3). If the projection fails, the qubit is not corrected but is thrown away. Clearly, this does not complicate the implementation, and would probably even simplify it. Unless Q is very small, throwing away the bits has only small influence on a quantum key distribution protocol since the legitimate users throw away most of the bits anyhow due to other reasons. However, in quantum computing throwing one bit destroys the computation. In a scheme which combines error reduction and t′ -errors error correction, one has to check into which subspace the state is projected, and if this subspace corresponds to t′ errors (or less) the state is corrected by simple transformations (see [95]). Suppose that the average error rate in a quantum error-reduction scheme is p. Following [95, 104] and other works on this subject we calculate the classical remainder error P (from the analogous classical code) given that errors occur with probability p. Let us use the error-reduction code Rn URn with large n. This code encodes one qubit into N = n2 qubits. It reduces the remainder error to pn P = n , (6.6) p + (1 − p)n that is, to be exponentially with n. More efficient codes could be used as well, based, for instance, on [98, 99, 27].

6.1.2

A Realistic Calculation of the Remainder Error in a Simple Case

To the best of our knowledge, a calculation of the remainder error which takes into account the fact that each bit is subjected to a transformation was done only in [66]. It was done using interaction operators and recovery operators, 93

but only the case where one of the operators is proportional to the identity was considered, and it is not clear if it covers all possible transformations. For the simple special case of the code R2 UR2 we wish to calculate explicitly the remainder error P , and the probability of success Q, to verify that they are of the same order as P and Q of the classical error reduction code R2 . We calculate the remainder error without using the classical analogous code. Let each qubit in the code be transformed arbitrarily (but independently). In general, the transformation is not unitary since an ancilla (e.g., environment) might be involved. However, for any given initial state we can still consider unitary transformations and add the effect of decoherence (non-unitary transformations) by averaging over several different unitary transformations with appropriate probabilities. (We believe that a similar argument is provided in [46]). For instance, when the weak-measurement (eq. 4.59) acts on a code gate 1 1 qubit and an environment qubit in a state 0 0 , it yields the same RDM (for the code qubit) as the average of the two transformations cγ sγ sγ cγ and

cγ −sγ −sγ cγ

! !

(6.7)

.

(6.8)

The use of unitary transformation provides the order of magnitude of the resulting P and Q, for verifying that the frequently used classical analog is not strictly wrong. Let each qubit j in the code be exposed to the most general one-particle transformation ! cos θj sin θj eiφj Uj = (6.9) − sin θj eiηj cos θei(φj +ηj ) (up to an irrelevant overall phase), where all angles are smaller than some small angle χ, so that p ≈ χ2 if a single qubit is measured. In the quantum error-reduction process R2 UR2 the original qubit is encoded into |ΨRU R i = α|0RU R i + β|1RU R i with |0RU R i = (1/2)(|0000i + |0011i + |1100i + |1111i) and |1RU R i = (1/2)(|0000i − |0011i − |1100i + |1111i). The original state 2 is in a 2(2 ) = 16 dimensional Hilbert space, and can be written as 1 |ΨRU R i = [(α+β)|0000i+(α−β)|0011i+(α−β)|1100i+(α+β)|1111i] . (6.10) 2

94

This state is transformed (due to hU1 U2 U3 U4 |0011i, etc.) into:

α+β 0 0 α−β 0 · α−β 0 0 α+β

→

x0000 x0001 x0010 x0011 x0101 · x1100 x1101 x1110 x1111

.

(6.11)

Using cθ = cos θ and sθ = sin θ, the terms are x0000 = (α + β)cθ1 cθ2 cθ3 cθ4 + (α − β)cθ1 cθ2 sθ3 sθ4 eiφ3 eiφ4 +(α−β)sθ1 sθ2 cθ3 cθ4 eiφ1 eiφ2 +(α+β)sθ1 sθ2 sθ3 sθ4 eiφ1 eiφ2 eiφ3 eiφ4 , etc. In the quantum error-reduction process the state is projected onto the subspace spanned by |0RU R i and |1RU R i. Let C = (cos θ1 · · · cos θ4 cos φ1 · · · cos φ4 cos η1 · · · cos η4 ), thus, C ≈ 1 − O(χ2 ). After h a lengthyi calculation we obtain the (unnormalized) final state |ΦRU R i = C αβ + O(χ2 ) . This final state, when normalized, is almost identical to the initial state |ΨRU R i, and the corrections are of the type sin θ1 sin θ2 ; sin η3 sin η4 , etc., all of order O(χ2 ) or smaller. Thus, the remainder error probability is indeed O(χ4) ≈ O(p2), with probability of success Q ≈ C 2 ≈ 1 − O(χ2) ≈ 1 − O(p). This simple example (which is already quite complicated) shows us that the classical use of p could be correct. Yet, a more general proof is certainly needed.

6.1.3

Application to Quantum Communication and Memory

The main problem of a scheme which performs only error reduction is that, when n is increased, the probability of successful projection diminishes as (1−p)n . We could combine it with some (small-t′ ) error correction as previously explained, but there is also a different solution, which should be preferable in case the noise changes in time as θ ≈ wt. In this case, the probability of success can be much improved using the Zeno effect (see discussion in [104, 30]) by performing M projections in between, at equal time steps, reducing p to p/(M 2 ), and Q to (1 − MP2 )nM ≈ 1 − np/M. The remainder error is also much improved by this process. Performing M projections is rather simple when enhancing a quantum memory is considered (meaning that it does not add any further complication). When transmission to long distances is considered, Alice and Bob need to have projection stations between them. We shall explain later in Section 6.3 that (contrary to the common belief) the usage of such repeater stations is possible even when used for secure transmission of quantum information (as in quantum key distribution). Analysis of the effectiveness of this scheme when real devices are used is much more complicated and (to our knowledge) is still missing. It might be 95

partially or completely solved if fault-tolerant quantum error correction [96] is used.

6.2

Quantum Privacy Amplification

Quantum privacy amplification (QPA) is a scheme for privacy amplification which uses quantum gates and memory. Purification [12] uses quantum gates and classical communication to distill purified singlet states from non-pure singlet states. Suppose that the two nonpure singlets are in a tensor product and that Alice and Bob have perfect devices. Then, if the purification succeeds, the obtained singlet state have a better fidelity than the average fidelity of the two original state. When a supply of such nonpure singlets is given, and this process is repeated many times it converges5 to provide singlets that are arbitrarily close to being perfect. Thus, purification can be used to provide Alice and Bob perfect singlets under these assumptions. Recently, a wonderful idea was raised in [38] to use purification as a QPA for the EPR scheme (but it can be useful to any other scheme due to teleportation). This paper provides an (almost complete) proof of security of quantum key distribution under the assumption that Alice and Bob have perfect devices. It also creates the impression that purification based QPA can provide a proof for the ultimate security of quantum key distribution. In this section we criticizes this possibility. It is based on discussions with Charles Bennett, Eli Biham, Gilles Brassard and John Smolin. When Eve performs a collective attack, the original pairs are in a tensor product with each other, even if entangled with Eve’s probes. In this case, and with the additional demand that Alice and Bob have perfect devices, this QPA provides an easy proof of security. [Yet, it does not provides a calculation of Eve’s information as a function of the original average fidelity and the number of singlets required (which might be exponentially large with some parameter if not proven otherwise). Only an incomplete numerical analysis is provided]. Altogether, there are three assumptions which make the proof correct and complete: (1) Alice and Bob have exponentially large number of particles. (2) Alice and Bob have perfect devices. (3) Eve performs a collective attack (this results from eq. (9) in [38]). Here, we ignore the efficiency problem, although this problem must be solved if one wishes to use the scheme. Let us try to remove assumptions (2) and (3) to see whether the purification based QPA can provide a proof of security in principle. We conclude that it might provide it, but the task might be much more difficult than proving security using classical privacy amplification. If Alice and Bob have perfect devices but Eve performs a (non-collective) joint attack their proof is almost complete: Suppose that Eve knows which pairs shall be used at each step (including the pairs which shall be used for verification, but not the basis used for each verification) Eve could prepare a state which 5

If the original singlets are not too far from being pure.

96

yields an error only in certain qubits, since all the transformations are unitary (this observation is due to Charles Bennett and John Smolin). Indeed, in this case, it is quite clear that randomizing the pairs solves the problem. However, an analysis of this attack and a proof of security against it are missing from [38], and it is not clear if changing the intuition into a proof is trivial. Note that we use a similar randomization argument in Chapter 2, where we provide an intuition that randomization makes a collective attack the strongest joint attack. The proof in [38] considers noisy channels, but assumes non-realistic perfect devices. The case of perfect devices is not of much interest unless the proof can be extended to real devices. We analyze both the security against collective attacks and against joint attacks. If Eve performs a collective attack and Alice and Bob have real devices it is still possible to generalize the proof of [38]. On one hand, Alice and Bob cannot check whether the purification converges. Perfect devices are required to enable Alice and Bob to derive any level of confidence that the remaining pairs are in the desired pure state, and quit the protocol if this level is not reached. On the other hand, repeating the purification many times and randomizing the pairs probably reduces the entanglement with Eve to zero even if the states are not purified. It is not clear how to prove security and how to find Eve’s information as a function of the number of iterations in this case. While assuming either perfect devices or collective attacks seems to cause problems which are solvable in principle, removing both assumptions might leave an unsolvable problem. Let the RDM of one such pair be ρ, and the RDM of all the pairs together be χ. Also let the state of the entire system (pairs and Eve’s probes) be ψ. With ρ close enough to the desired singlet state |φ− ihφ− |, Alice and Bob cannot distinguish ρ from the desired state due to their non-perfect devices. Let us present various attacks Eve could perform in such a case: 1. Eve can prepare a joint state χ for the pairs such that the purification does not converge due to her special choice of the entanglement of the pairs. 2. Eve can prepare a different state χ for the pairs which is not changed by randomization. 3. Eve could prepare a state ψ for the system and her probes, such that she obtains information from it. Furthermore, consider the following attack: • Eve might be able to combine the above three techniques to create a situation where purification does not converge, randomization does not work, and yet she gets some information on some final bit, or collective property of some bits.

97

We were not able to prove that such an attack is impossible. Furthermore, it is not even clear how to find an intuitive argument for security in this case. Thus the EP-based QPA only provides the possibility for a very restricted security proof, assuming either perfect devices or the collective attack. Note that improving their proof is an extremely difficult task when we recall that Eve has access to all information regarding the purification process, thus can follow the changes in the state of her probes throughout the process. Therefore, we believe that proving security using the much simpler classical privacy amplification is an easier task.

6.3

Quantum Error Correction as Quantum Privacy Amplification

In this section we suggest another QPA which is based on QEC. After reading the previous section, one may wonder whether QPA (of any type) is still interesting. We believe it is, for reasons which are shown at the end of this section. One of the effects of QPA is error correction. This raises the question of whether QEC can serve as QPA. Assuming Alice and Bob have perfect devices we suggest the following (simple) QEC-based QPA: Alice prepares M qubits that she wishes to send to Bob. She chooses the qubits according to the fourstate (or the two-state) scheme of quantum cryptography. She encodes each qubit using N qubits following any QEC scheme and sends the MN qubits to Bob. Bob receives the particles and keeps them in a quantum memory till receiving all qubits which encode an original qubit. Since perfect devices are used, QEC can reduce a small error rate in a quantum memory or in a quantum channel to any desired level due to analysis of the remainder error (apart for accumulating many-bits error). We can use projection stations to improve this QEC-based QPA much further, due to the Zeno effect. We call them quantum repeaters. When such quantum repeaters are placed in appropriate predetermined distances, they keep the error rate at low levels without reducing security. Note that, when real devices are used, the use of fault-tolerant QEC [96] might still enable reducing the errors to any desired level (although the use of projection stations becomes more subtle). Let us now analyze the case where an eavesdropper attempts to eavesdrop on the code qubits. Eve can either get the qubits at some intermediate stage, or even control the projection stations used to improve the probability of successful projection Q. Indeed, since each such station is only required to perform the desired projection, it can even be controlled by the eavesdropper; if Eve tries to do anything other than the required projections — she increases the error rate and will be detected. Eve could even control the encoding and decoding process of the original qubit.

98

The only assumption required for the success of any error-correction or errorreduction scheme is that each code bit is disturbed independently of the others. If real noise causes many-particle transformations the scheme will fail, but for bits stored or transmitted separately, such effects are expected to be negligible. Thus, the legitimate users can use error-reduction schemes to decrease the noise, and expect much less errors when comparing a portion of the data. Eve is still permitted to do whatever she likes, including creating many-particle coherence. She could clearly benefit from performing a coherent attack in this case, but she is restricted to induce a much smaller error rate on the original qubit. If perfect devices are used, Alice and Bob can reduce the permitted error rate exponentially to zero. In case of real devices a proof is still missing. As previously said, analyzing this aspect of QPA is rather complicated and we believe that a security proof based on classical privacy amplification is simpler. If Eve deviates from the protocols and the error rate is larger than expected, Alice and Bob quit the transmission. If she deviates from the protocol but provides the final state with the permitted error rate, Alice and Bob do not care which operations she has done. Then, the permitted small error rate (which is verified), promises them that her information is limited as desired. The errors due to the frequent projections in a “many-stations” system were not considered here. As in the case of a fault-tolerant calculation [96], it may well be that there is some optimal number of stations M such that a larger number of stations causes an increase of the remainder error. Note also that some errors are due to the creation and measurement of the code state in the labs of Alice and Bob, and for the time being these limit our ability to reduce P . We believe that error correction by symmetrization is the right way to handle these problems, but we are not aware of works which are showing this. However, the main limitations on quantum cryptography are maintaining coherence over long distances and long times and these limitations are solved efficiently using the scheme we suggest. Suppose now that Alice sends the MN qubits in a random order (so that Eve will not know which N qubits encode each original qubit). In this case, our QPA scheme probably becomes more secure: Without having the knowledge regarding the random permutation we conjecture that she could benefit from a coherent eavesdropping. Thus, the randomization of the code qubits probably improves the QPA. However, as for all other uses of the randomization argument there is no proof for this intuition. The EP-based and the QEC-based QPA processes do not assure security. They only allow Alice and Bob to work with a much lower permitted error rate. Even though we do not believe that QPA improves our ability to prove security in a direct way, it might still help it in other ways. a) It can be used to reduce the error rate very much. Such a reduction might be crucial for other security proofs such as the one we presented in Chapters 2 and 4, which relies on various approximations of small angles. b) It enables implementing quantum cryptography over large scale distances and times since the final error rate depends only on the devices’ errors and not on the channel/memory’s error. 99

When we combine both arguments we see that QPA might be crucial for proving security using classical privacy amplification when large scale cryptography is performed, by reducing the errors to levels which can be dealt with by the BM approach.

100

Chapter 7 Conclusions Quantum memory shall sooner or later become a common tool. In this thesis we provided the first thorough analysis of the impacts of using quantum memories for both improving quantum cryptography and for attacking it. In the hands of an eavesdropper a quantum memory is a crucial tool: without it classical privacy amplification provides a proven security of quantum key distribution (although an explicit bound is still missing). In this work we provided strong evidences that classical privacy amplification still works when Eve holds a quantum memory, and we suggested a way to establish a full proof. In the hands of the legitimate users, a quantum memory provides new ways of establishing a network for many users. It also provides the ability to improve large scale quantum key distribution.

101

Bibliography [1] R. B. Ash, Information Theory, Dover, New York (1990); T. M. Cover and J. A Thomas, Elements of Information Theory, Wiley, New York (1991). [2] A. Barenco, D. Deutsch, A. Ekert and R. Jozsa, Phys. Rev. Lett. 74, 4083 (1995). [3] C. H. Bennett, IBM J. Res. Dev. 17, 525 (1973). [4] C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992). [5] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin, J. of Cryp. 5, 3 (1992). [6] C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984) p. 175. [7] C. H. Bennett, G. Brassard, S. Breidbart and S. Wiesner, Proc. Crypto 82, 267 (1982). [8] C. H. Bennett, G. Brassard, C. Cr´epeau, R. Jozsa, A. Peres and W. K. Wootters, Phys. Rev. Lett. 70, 1895 (1993). [9] C. H. Bennett, G. Brassard, C. Cr´epeau and U. Maurer, IEEE Trans. Info. Theo. 41, 1915 (1995). [10] C. H. Bennett, G. Brassard, C. Cr´epeau and M.–H. Skubiszewska, Proc. Crypto 91. LNCS 576, 351 (1992). [11] C. H. Bennett, G. Brassard and N. D. Mermin, Phys. Rev. Lett. 68, 557 (1992). [12] C. H. Bennett, G. Brassard, S. Popescu, B. Schumacher, J. A. Smolin and W. K. Wootters, Phys. Rev. Lett. 76, 722 (1996). [13] C. H. Bennett, G. Brassard and J.–M. Robert, Siam J. Comp. 17, 210 (1988). [14] C. H. Bennett, D. DiVincenzo, J. A. Smolin and W. K. Wootters, Phys. Rev. A 54, 3824 (1996). 102

[15] C. H. Bennett, T. Mor and J. Smolin, Phys. Rev. A 54, 2675 (1996). [16] C. H. Bennett and S. J. Wiesner, Phys. Rev. Lett. 69, 2881 (1992). [17] E. Bernstein and U. Vazirani Proc. 25 ACM Symp. on the Theo. of Comp., 11 (1993). [18] A. Berthiaume and G. Brassard, PhysComp ’92, 195 (1992). [19] E. Biham, B. Huttner and T. Mor, Phys. Rev. A 54, 2651 (1996). [20] E. Biham and T. Mor, Phys. Rev. Lett. 78, 2256 (1997). [21] E. Biham and T. Mor, “Bounds on Information and the Security of Quantum Cryptography”; quant-ph 9605010. [22] J. J. Bollinger, D. J. Heinzen, W. M. Itano, S. L. Gilbert and D. J. Wineland, IEEE Trans. Inst. and Meas. 40, 126 (1991). [23] G. Brassard and C. Cr´epeau, Proc. Crypto 90. LNCS 537, 49 (1991). [24] G. Brassard, C. Cr´epeau, R. Jozsa and D. Langlois, Proc. 34th Ann. IEEE Symp. on FOCS, 362 (1993). [25] S. L. Braunstein and C. M. Caves, Phys. Rev. Lett. 72, 3439 (1994). [26] S. L. Braunstein, A. Mann and M. Revzen, Phys. Rev. Lett. 68, 3259 (1992). [27] A.R. Calderbank and P. W. Shor, Phys. Rev. A 54, 1098 (1996). [28] C. M. Caves, Phys. Rev. D 26, 1817 (1982). [29] C. M. Caves and P. D. Drummond, Rev. Mod. Phys 66, 481 (1994). [30] I.L. Chuang and Y. Yamamoto, Phys. Rev. Lett. 76, 4281 (1996). [31] J. I. Cirac and P. Zoller Phys. Rev. Lett. 74, 4091 (1995). [32] C. Cr´epeau and J. Kilian Proc. 29th Ann. IEEE Symp. on FOCS, 42 (1988). [33] L. Davidovich, N. Zagury, M. Brune, J.–M. Raimond and S. Haroche, Phys. Rev. A 50, R895 (1994). [34] E. B. Davies, IEEE Trans. Inf. Theory 24, 596 (1978). [35] D. Deutsch Proc. R. Soc. Lond. A 420 97 (1985). [36] D. Deutsch, Proc. R. Soc. Lond. A 425 73 (1989). [37] D. Deutsch and R. Josza, Proc. Roy. Soc. Lond. A 439, 554 (1992).

103

[38] D. Deutsch, A. Ekert, R. Jozsa, C. Macchiavello, S. Popescu and A. Sanpera, Phys. Rev. Lett. 77, 2818 (1996). [39] D. Dieks, Phys. Lett. A. 92, 271 (1982). [40] W. Diffie and M. E. Hellman, IEEE Tran. Info. Theo. 22, 644 (1976). [41] D. DiVincenzo, Phys. Rev. A 51, 1015 (1995). [42] D. DiVincenzo, private communication. [43] A. Einstein, B. Podolsky and N. Rosen, Phys. Rev. 47, 777 (1935) (Reprinted in Quantum theory and measurement, J. A. Wheeler and W. Z. Zurek Eds, Princeton University Press, 1983). [44] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). [45] A. K. Ekert, B. Huttner, G. M. Palma and A. Peres, Phys. Rev. A 50, 1047 (1994). [46] A. K. Ekert and C. Macchiavello, Phys. Rev. Lett. 77, 2585 (1996). [47] S. Even, D. Goldreich and A. Lempel, Proc. Crypto 82, 205 (1983). [48] C. A. Fuchs, PhysComp ’96, 122, Boston (1996). [49] C. A. Fuchs and C. M. Caves, Phys. Rev. Lett. 73, 3047 (1994). [50] C. A. Fuchs, N. Gisin, C.–S. Niu and A. Peres, “Optimal Eavesdropping in Quantum Cryptography; I”, Phys. Rev.A, (1997) in press. [51] C. A. Fuchs and A. Peres, Phys. Rev.A 53, 2038 (1996). [52] L. Goldenberg and L. Vaidman, Phys. Rev. Lett. 75, 1239 (1995). [53] L. Goldenberg and L. Vaidman, Phys. Rev. Lett. 77, 3265 (1996). (199?). [54] C. W. Helstrom, Quantum Detection and Estimation Theory , Academic Press, New York (1976). [55] R. J. Hughes, D. M. Alde, P. Dyer, G. G. Luther, G. L. Morgan and M. Schauer, Contemporary Physics 36, 149 (1995). R. J. Hughes, G. G. Luther, G. L. Morgan, C. G. Peterson and C. Simmons, Proc. of Crypto 96. LNCS 1109, 329 (1996). [56] L. P. Hughston, R. Jozsa and W. K. Wootters, Phys. Lett. A. 183, 14 (1993). [57] B. Huttner and A.K. Ekert, J. of Mod. Opt. 41, 2455 (1994). [58] B. Huttner, N. Imoto, N. Gisin and T. Mor, Phys. Rev. A 51, 1863 (1995). 104

[59] B. Huttner and A. Peres, J. of Mod. Opt. 41, 2397 (1994). [60] I. D. Ivanovic, Phys. Lett. A. 123, 257 (1987); A. Peres, Phys. Lett. A. 128, 19 (1988). [61] J. M. Jauch and C. Piron, Helv. Phys. Acta. 40, 559 (1967); E. B. Davies and J. T. Lewis, Com. Math. Phys. 17, 239 (1970). [62] R. Jozsa, D. Robb and W. K. Wootters, Phys. Rev. A 49, 668 (1994). [63] R. Josza and B. Schumacher, J. of Mod. Opt. 41, 2343 (1994). [64] A. S. Kholevo, Prob. Inf. Tran. 9, 177 (1973). [65] A. S. Kholevo, Prob. Inf. Tran. 9, 110 (1973). [66] E. Knill and R. Laflamme, Phys. Rev. A 55, 900 (1997). [67] R. Laflamme, C. Miquel, J.P. Paz and W.H. Zurek, Phys. Rev. Lett. 77, 198 (1996). [68] L. D. Landau and E. M. Lifshitz, Quantum Mechanics, Pergamon, Oxford (1965). [69] L. B. Levitin Proc. of the Workshop on Phys. of Comp.: PhysComp 92, IEEE, 210 (1993). [70] L. B. Levitin, “Optimal Quantum Measurements for Two Pure and Mixed States”, manuscript. [71] H. K. Lo and Chau, “Quantum Cryptography in Noisy Channels”, quantph 9511025. [72] N. L¨ utkenhaus, Phys. Rev. A 54, 97 (1996). [73] F. J. MacWilliam and N. J. A. Sloane, The Theory of error Correction Codes, North Holland, Amsterdam (1977). [74] C. Marand and P. D. Townsend, Opt. Lett. 20, 1695 (1995). [75] D. Mayers, Proc. of Crypto 95. LNCS 963, 124 (1995). [76] D. Mayers, Proc. of Crypto 96. LNCS 1109, 343 (1996); Revised version in quant-ph 9606003. [77] D. Mayers, personal communication. [78] D. Mayers, “The trouble with quantum bit commitment”, quantph/9603015; “Unconditionally secure quantum bit commitment is impossible”, PhysComp ’96, 226, Boston, (1996), quant-ph/9605044; To appear also in Phys. Rev. Lett. 105

[79] D. Mayers and L. Salvail, PhysComp 94, 69, Dallas, IEEE Computer Society Press, (1994). [80] R. Merkle, CACM 21, 294 (1978). [81] T. Mor, “Reducing Quantum Errors and Improving Large Scale Quantum Cryptography”, quant-ph 9608025. [82] C. Monroe, D. M. Meekhof, B. E. King, W. M. Itano and D. J. Wineland, Phys. Rev. Lett. 75, 4714 (1995). [83] A. Muller, J. Breguet and N. Gisin, Europhys. Lett. 23, 383 (1993). [84] A. Muller, H. Zbinden and N. Gisin, Nature 378, 449 (1995). [85] T. Pellizzary, S. A. Gardiner, J. I. Cirac and P. Zoller, Phys. Rev. Lett. 75, 3788 (1995). [86] A. Peres, Quantum Theory: Concepts and Methods, Kluwer, Dordrecht (1993), Chapt. 9. [87] A. Peres, Foun. Phys. 20, 1441 (1990). [88] A. Peres, Phys. Rev. Lett. 77, 3264 (1996). [89] A. Peres and W. K. Wootters, Phys. Rev. Lett. 66, 1119 (1991). [90] M. O. Rabin, TR-81, Aiken Comp. Lab., Harvard Univ. (1981). [91] R. L. Rivest, A. Shamir and L. Adleman, Comm. ACM 21, 120 (1978). [92] B. Schumacher, Phys. Rev A 51, 2738 (1995). [93] C. Shannon, Bell Syst. Tech. J. 27, 379 (1948); Bell Syst. Tech. J. 27, 623 (1948). [94] P. Shor, Proc. 35’th FOCS, 124, IEEE press (1994). [95] P. Shor, Phys. Rev. A 52, R2493 (1995). [96] P. W. Shor, “Fault-tolerant quantum computation”; quant-ph 9605011. [97] D. R. Simon, Proc. 35’th FOCS, 116, IEEE press (1994). [98] A. Steane, Proc. Roy. Soc. Lond. A 452, 2551 (1996). [99] A. Steane, Phys. Rev. Lett. 77, 793 (1996). [100] P. D. Townsend, J. G. Rarity and P. R. Tapster, Elect. Lett. 29, 1291 (1993).

106

[101] P. D. Townsend, S. J. D. Phoenix, K. J. Blow and S. M. Barnett, Elect. Lett. 30, 1875 (1994). [102] P. D. Townsend, J. G. Rarity and P. R. Tapster, Elect. Lett. 29, 634 (1993); P. D. Townsend, Elect. Lett. 30, 810 (1994). [103] Q. A. Turchette, C. J. Hood, W. Lange, H. Mabuchi and H. J. Kimble, Phys. Rev. Lett. 75, 4710 (1995). [104] L. Vaidman, L. Goldenberg and S. Wiesner, Phys. Rev. A 54, R1745 (1996). [105] J. von Neumann, Mathematical Foundations of Quantum Mechanics (English translation), Princeton Univ. Press (1955) p. 359. [106] S. Wiesner, “Conjugate coding”, Sigact News, 15, (1), 78 (1983); Unpublished version appeared in 1970. [107] W. K. Wootters and W. H. Zurek, Nature 299, 802 (1982). [108] A. Yao Proc. 34 IEEE Symp. on Found. of Comp. Sci., 352 (1993). [109] A. Yao Proc. 27 ACM Symp. on the Theo. of Comp., 67 (1995). [110] H. P. Yuen Quan. Sem. Opt. 8, 939 (1996).

107