Feb 12, 2015 - Toward secure communication using intra-particle entanglement. S. Adhikari Â· Dipankar Home. A. S. Majumdar Â· A. K. Pan. Akshata Sheno...

0 downloads 8 Views 379KB Size

(will be inserted by the editor)

Toward secure communication using intra-particle entanglement S. Adhikari · Dipankar Home A. S. Majumdar · A. K. Pan Akshata Shenoy H. · R. Srikanth

arXiv:1309.0656v4 [quant-ph] 12 Feb 2015

Received: date / Accepted: date

Abstract We explore the use of the resource of intra-particle entanglement for se-

cure quantum key distribution in the device-independent scenario. By virtue of the local nature of such entanglement, Bell tests must be implemented locally, which leads to a natural decoupling of device errors from channel errors. We consider a side-channel attack on the sender’s state preparation device, for which the intraparticle entanglement-based scheme is shown to be more secure than the one that uses separable states. Of practical relevance is the fact that such entanglement can be easily generated using linear optics.

1 Introduction

Quantum key distribution (QKD) protocols [1] allow two distant parties, traditionally called Alice and Bob, to produce a shared random bit string consisting of 0’s and 1’s known only to them, which can be used as a key to encrypt and decrypt messages. Based on fundamental principles such as the quantum no-cloning S. Adhikari Indian Institute of Technology, Jodhpur, India E-mail: [email protected] Dipankar Home CAPSS, Dept. of Physics, Bose Institute, Salt Lake, Kolkata-700091, India E-mail: [email protected] A. S. Majumdar S. N. Bose National Centre for Basic Sciences, Salt Lake, Kolkata 700 098, India E-mail: [email protected] A. K. Pan Dept. of Physics, NIT Patna, India E-mail: [email protected] Akshata Shenoy H. Electrical Communication [email protected]

Engineering

Dept.,

IISc,

Bangalore,

India

E-mail:

ak-

R. Srikanth Poornaprajna Institute of Scientific Research, Bangalore, India E-mail: [email protected]

2

S. Adhikari et al.

principle [2], QKD provides an unconditionally secure way to distribute random keys through insecure channels. While the first QKD scheme to be proposed, the Bennett –Brassard (BB84) protocol [3] was a prepare-and-measure protocol, which used separable states, a connection between nonlocality [4, 5] and security was first suggested by the Ekert protocol [6]. The basic intuition here is that Eve’s attack causes a reduction in the correlation between legitimate parties, which is now understood as due to the monogamy of nonlocality in non-signaling theories [7]. It is also known that nonlocality helps security not only in the traditional QKD scenario (where Eve attacks the channel) but even in the more stringent device-independent (DI) scenario, where neither the prepared initial states nor the devices are trusted. Security here must be guaranteed simply via certain statistical checks —typically sufficiently high violation of a Bell inequality —and without requiring a detailed characterization of devices [8, 9, 10, 11, 12, 13]. The nonlocality, and hence entanglement, considered above is inter -particle entanglement, and the Bell-inequality violating property (i.e., nonlocality) pertains to the correlations obtained by spatially separated measurements by a sender (Alice) and receiver (Bob). A different kind of entanglement is that between two degrees of freedom of the same particle, i.e., intra-particle entanglement. This has been discussed by Basu et al. [14] in the context of a Mach –Zehnder type interferometric set-up for demonstrating the violation of non-contextuality. An experiment using single neutrons was performed by Hasegawa et al. [15]. Here, for the first time, we propose the use of the resource of intra-particle entanglement for QKD. By its nature, Bell tests with intra-particle entanglement must be local. Interestingly, such local Bell tests have also been proposed in the case of bipartite systems for self-testing schemes employed to certify the state preparation process or the source of quantum states [16, 17, 18]. Our method also evokes a comparison with one-sided DIQKD, in which the Alice’s devices are untrusted, but Bob’s are trusted [19], and where the statistical check is based on steering inequalities [20]. An interesting counterpoint here is provided by the scenario of measurement DI, in which, the devices for measurement, rather than that of the sender, is untrusted [21]. Relative to inter-particle entanglement, intra-particle entanglement is easy to generate. In the optical case, considered here, linear optics suffices. However, the local nature of intra-particle entanglement means that it is unsuitable for many quantum information processing tasks, like quantum teleportation or dense coding. It is an interesting question whether it is useful for cryptography, which we answer here in the affirmative. Experimental demonstrations of various QKD protocols were discussed in [22, 23, 24, 25, 26, 27]. The practical violation of the Bell’s inequality in the cryptographic context was first considered in an experiment by Jennewein et. al. [28], but no quantitative measure of security was derived from the observed violation. Later, Ling et. al. [29] performed an experiment on entanglement-based QKD, in which the violation of Bell-CHSH inequality is used to also quantify the degree of security according to the criterion of Refs. [7, 30]. In this work, our accent is mainly on introducing intra-particle entanglement between position (path) and polarization of photons, as a useful and easy-toprepare resource for QKD, which presents novel elements when state preparation devices, in addition to the channel, are allowed to be insecure. We do so by showing that this QKD is secure against certain “side channels” that leak secret data

Toward secure communication using intra-particle entanglement

3

(such as Alice’s or Bob’s settings and outcome information), whereas the corresponding version of BB84 is not secure. Clearly, there is no protection against an unrestrictedly powerful side channel. Hence, we must assume that it cannot be “obvious”. Examples of typical side channels are timing information on the devices used, observations of power consumption or electromagnetic leaks bearing some heat signature of devices, or even a click sound produced by an optical element. We quantitatively find that the Bell-inequality violating (BIV) property of the pathpolarization correlations can be used to guarantee security against an individual side-channel attack, which would render insecure QKD in the standard scenario. Here an incoherent attack is one where Eve attacks Alice’s particles along the transmission channel individually and measures them independently, without the involvement of any joint measurement. Further details, such as coherent attacks, optical losses in the channel and universal composability are important future directions of this work, not considered here. An important aspect of using intraparticle-based entanglement, which we consider in more detail elsewhere [31], is to generalize the Goldenberg –Vaidman protocol for orthogonal state- based cryptography [32], as a method to thwart general individual and coherent attacks [33] on intra-particle entanglement-based qudits. This article is divided as follows: in Sect. 2, we introduce the notion of intraparticle entanglement and present simple generation schemes for path-polarization intra-particle entanglement. In Sect. 3, we introduce an augmented key distribution protocol, suitable for a side-channel attack scenario, in which the sender Alice must verify the quality of intra-particle entanglement just before transmitting the particle to the receiver Bob, and after all optical elements used for the encoding process have been applied. In Sect. 4, an individual attack scheme by Eve is considered. Her action is to depolarize the initial maximally entangled state into an intra-particle Werner state, for which the entanglement and BIV properties are readily known. The condition for secure extraction of secret bits is studied in comparison with the availability of these properties in the noisy state received by Bob. In Sect. 5, we demonstrate the usefulness of intra-particle entanglement in protecting against a class of side-channel attacks that rely on flaws in certain optical elements such as quarter-wave plates (QWPs). Finally, we present our conclusions in Sect. 6.

2 Intra-particle entanglement

Let us consider a photon that is initially polarized along the vertical direction (its state denoted by |0i). Taking into consideration its path (or position) variables, the joint path-polarization state can be written as |ψ0 ips = |V is ⊗ |ψ0 ip

(1)

where the subscripts p and s refer to the path and the spin (i.e., polarization) variables, respectively. A photon in the state |ψ0 ips with Alice is incident on a beam splitter (BS1), whose transmission and reflection probabilities are |α|2 and |β|2 respectively, where |α|2 + |β|2 = 1 (cf. Fig. 1). The reflected and transmitted states from BS1 are designated by |ψR i and |ψT i, respectively. Here we recall that for any given lossless beam splitter, arguments using the unitarity condition show that for the particles incident on the beam

4

S. Adhikari et al.

splitter, the phase between the transmitted and the reflected states of the particle is π2 . Note that the beam splitter acts only on the path states without affecting the polarization state of the particles. The state of a particle emergent from BS1 can then be written as |ψ0 ips → |ψ1 ips = |V is ⊗ (α|ψT ip + iβ|ψR ip ),

(2)

where 0 1 |ψT ip ≡ , |ψR ip ≡ 1 0 0 1 |V is ≡ |0is ≡ , |His ≡ |1is ≡ . 1 0

(3)

Our simplest basis, called GA 1 , can be generated without using the beam splitter: |Ψ+ i = |0is ⊗ |ψT ip , |Ψ− i = |1is ⊗ |ψT ip , ∗ |Ψ+ i = |0is ⊗ |ψR ip , ∗ |Ψ− i = |1is ⊗ |ψR ip .

(4)

A basis consisting of path-polarization entangled elements and which is mutuA ally unbiased with GA 1 , is G2 , given below in Eq. (5). It is produced by a linear optical set-up consisting of a beam splitter, a half-wave plate (HWP), QWP and a phase shifter (PS). For example, |Φ+ i is produced from |Ψ+ i, by passing the particle through a BS1, applying HWP on the transmitted wave packet |ψT ip , followed by the application of QWP on both arms. The HWP has the action |His ↔ |V is . The states resulting from GA 1 by this procedure are: |0 i s + |1 i s |0is − |1is 1 √ √ |Φ± i = √ ⊗ |ψT ip ± i ⊗ |ψR ip , 2 2 2 |0 i s − | 1 i s |0is + |1is 1 √ √ |Φ∗± i = √ ⊗ |ψT ip ± i ⊗ |ψR ip , (5) 2 2 2 A A which form the basis GA 2 . The bases G1 and G2 are mutually unbiased in the sense that any element in either basis is an equal weight superposition (apart from phase factors) of elements of the other basis. To measure the state in an arbitrary separable basis (a, b) ≡ a·σ⊗b·σ , where a and b denote direction vectors of unit magnitude, one passes the particle through a beam splitter of suitable bias that de-rotates the position to the computational basis, and then uses two detectors, both set alike to measure the polarization along a. For example, if b ≡ (sin θ cos φ, sin θ, sin φ, cos θ), the beam splitter is chosen with coefficients of transmission and reflection being cos(θ/2) and eiφ sin(θ/2), respectively. These coefficients can be set at the time of manufacture by the reflection coating applied to a beam splitter, and their ratio determines whether the element functions as a balanced (50:50) or unbalanced (say 90:10) beam splitter. The particular measurements basis settings (a, b) we require in order to evaluate the Bell observable, are given in Eq. (14).

Toward secure communication using intra-particle entanglement

5

In dimension d = 4, there are d + 1 = 5 mutually unbiased bases (MUBs). A Another mutually unbiased entangled basis, denoted GA 3 , in addition to sets G1 A and G2 , is: |0is − i|1is |0is + i|1is 1 √ √ ⊗ |ψT ip ± i ⊗ |ψR ip , |Λ± i = √ 2 2 2 | 0 i + i|1is | 0 i − i| 1 i 1 s s s √ √ |Λ∗± i = √ ⊗ |ψT ip ± i ⊗ |ψR ip . (6) 2 2 2 A Two others (separable state) MUBs, which may be denoted GA 4 and G5 , can be produced by applying H ⊗ H and H 0 ⊗ H 0 to the elements of basis GA (4), where 1 H ≡ 12 (σz + σx ), while H 0 ≡ 21 (σz + σy ). All these states are easy to prepare, requiring only linear optical elements.

ALICE

D1 D2 PBS1

M1

D3

arm a

BS2

PBS2

D4

HWP

BOB

S

BS1

PS1

M2

arm b

Fig. 1 BB84 set-up: Alice transmits a state to Bob in one of the bases GA j by suitably applying the linear optical elements of beam splitters, HWP, QWP and PS. Bob may recombine the reflected and the transmitted channels at BS2. Finally, Bob performs path and polarization measurements using the polarizing beam splitters PBS1 and PBS2.

Alice’s states are analyzed in Bob’s system, consisting of a beam splitter (BS2), followed by polarization analyzer in each output arm. For example, if she sends the state |Φ+ i or |Φ− i, then after emerging from BS2 (cf. Fig. 1), the corresponding resulting states at Bob’s site are given by 1 2 1 0 i ), |Φ0− i = √ (i|χ2 i ⊗ |ψT0 i + |χ1 i ⊗ |ψR 2 0 where |χ1 i = |0is , |χ2 i = |1is , |ψT i = √12 |ψT0 i + i|ψR i and |ψT i = 0 |Φ0+ i = √ (i|χ1 i ⊗ |ψT0 i + |χ2 i ⊗ |ψR i ),

(7) √1

2

0 |ψT0 i − i|ψR i .

6

S. Adhikari et al.

3 Protocol

In each of the five MUBs, given by states (4), (5), (6), etc., Alice and Bob designate basis elements by numbers 0, 1, 2 and 3. We can form different protocols by considering any two or more of the five bases. It will suffice for us to consider the A protocol P1,2 where only two bases are used, which are GA 1 and G2 . However, any other pair of MUBs will do. Using a larger number of bases enhances the tolerable error rate, but is less efficient and experimentally more difficult. The protocol is as follows. (1) Using mirrors, phase shifters and beam splitters (Fig. 1), Alice prepares an intra-particle path-polarization entangled states in basis A GA 1 or G2 , randomly chosen, starting from the initial input state |V i|ψT i. (2) Just before transmission to Bob, but after state preparation, she selects a fraction g of the states, to verify that their fidelity with the intended output entangled state remains 1. She may do so by reversing her preparation procedure and observing the probability eA that the output fails to coincide with |V i|ψT i. As explained later, she may equivalently perform a test of Bell inequality violation. This step is a key addition to the protocol for protection against the side-channel attack; Here we assume that the optical set-up that reverses the preparation is different from that actually used for state preparation, though this is not necessary; we note that the test based on reversing implicitly verifies that the reversed state is separable. Since an entangled bipartite state is necessarily mixed in any one of its parts, a test of mixedness may be optionally implemented. If it returns a positive result, then clearly the output fails to coincide with |V i|ψT i. (For a particular proposal for testing mixedness, see Ref. [36]). (3) Alice transmits the remaining particles to Bob (i.e., no quantum memory is used to hold the other particles while the Bell test is underway); (4) Bob obtains a 2-bit outcome by using mirrors, phase shifters and beam splitters (Fig. 1) to measure the transmitted photon, choosing A randomly the measurement basis GB j basis, the ”primed” versions of Gj . The remaining steps involve only classical post-processing: (5) The experiment described in the above two steps is repeated many times. Alice then declares via an authenticated classical channel the value of eA and the basis (but not the basis element) from which she chose the state (The existence of an authenticated channel between Alice and Bob, which gives Bob an edge over Eve, is essential to the security of QKD). Bob announces the cases where his basis was mismatched with hers. The corresponding measurement outcome data are discarded. (6) From the retained (sifted) measurement data, a sufficiently large portion is divulged by Bob. The fraction of it that does not agree with her preparation state is an estimate of the error rate in the key, e. If e is sufficiently low, they proceed with the rest of the protocol, else they abort it. (7) Alice and Bob perform key reconciliation over the authenticed channel, to improve the correlation of their respective copy of the key. They then perform privacy amplification to minimize Eve’s information on the key. The verification step in the protocol, which is an augmentation over conventional QKD protocols, makes our protocol more secure in a DI scenario, as we explain later. With inter-particle entanglement, Alice and Bob perform this step by using local operations and classical communication (LOCC) to determine the nonlocality of the state, from which an estimate of the secrecy content follows. With intra-particle entanglement, only one of the parties (here, Alice) must accomplish this, because the path and polarization qubits cannot be measured at

Toward secure communication using intra-particle entanglement

7

spatially separated stations. In this sense, Alice and Bob distinguish between errors arising due to the channel (the conventional security scenario) versus errors arising during state preparation (the side-channel or DI) scenario. Before discussing detailed security issues, let us make a number of remarks to qualify the motivation behind this work. 1. Formally, the four-dimensional spin-position entangled states we use for encoding can be considered as superpositions of a ququart (four-dimensional quantum system). However, our point is to study the system as two-qubit entanglement because we wish to take advantage of some ideas from DI quantum cryptography. 2. We consider below (apart from a channel attack) Eve’s side-channel attack only on Alice’s QWP, and not other optical elements. There is no special reason to make this choice. Rather, this is meant only as an illustration of the general principle of how intra-particle entanglement can be more useful that a plain qubit or ququart superposition. An more detailed follow-up can extend this principle to other optical elements. 3. Note that the verification step itself can be subject to an attack, for example, to the particular side-channel attack, we describe below. What this entails is that Eve can know what Alice knows about Eve’s eavesdropping actions, possibly introducing further noise. From the viewpoint of enhancing her knowledge of the final key, this does not help Eve, and we do not consider such attacks here.

4 Security in the conventional scenario

We model Eve’s attack as a simple intercept-resend attack on single particles. Eve can also eavesdrop their authenticated classical channel and thus make use of their basis announcements. Eve’s strategy is to measure the particles randomly in one of the legitimate bases. She forwards the measured state to Bob, and waits until after their public announcement of bases to find out when she got it right. For purposes of this section, Eve is assumed to attack only the channel and not exploit any side channels. Accordingly, the verification step (2) in the protocol presented above may be omitted.

4.1 A simple individual attack Without loss of generality, suppose Alice sends the state |Φ+ i and Eve attacks fraction f of particles from Alice to Bob. Eve has an equal chance of measuring in the right or wrong basis. If she measures in GA 2 (with probability f /2), she always obtains |Φ+ i, which she forwards to Bob, without introducing any error. On the other hand, if she measures in a basis other than GA 2 , she finds any one of the four basis elements with equal probability. She forwards the obtained state to Bob. After Alice’s public announcement of basis, she is equally unsure of what state Alice prepared as she is of what state Bob obtained. The error rate e generated is given by the probability that Alice and Bob, measuring in the same basis, find the wrong outcome, which is: e=

f

2

×

3 3f = 4 8

(8)

8

S. Adhikari et al.

Eve’s average information (symmetrically with respect to Alice or Bob) per transmitted particle is maximal when, during Alice’s announcement of bases, she finds that Alice’s basis matches hers, and minimal when it does not. In terms of error observed, her information is: f 8e I (A : E ) = I (B : E ) = 2 × = bits, (9) 2 3 in view of Eq. (8). Because of the mutual unbiasedness property between any two bases, after Alice and Bob have reconciled their bases, Eve’s action induces on any input symbol m, the output probability distribution P (n) where P (n = m) = 1 − e and P (n 6= m) = 3e . The corresponding Shannon entropy functional is given by H 1 − e, 3e , 3e , 3e = −(1 − e) log2 (1 − e) − e log(e/3). Assuming Alice sends all four states in both bases with equal probability, Bob’s information is given by the mutual information: e e e I (A : B ) = 2 − H 1 − e, , , . (10) 3 3 3 The condition for a positive key rate is K = I (A : B ) − min{I (A : E ), I (B : E )} > 0,

(11)

whose sign is determined by Eqs. (10) and (9) [37]. K is the secret bit rate that can be distilled. The key rate for this situation is plotted as the rightmost curve in Fig. 2. The largest tolerable error rate, which we denote by e2 , is about 27 the relative weakness of Eve’s attack. As we find later, even this weak attack, augmented by Eve’s access to certain side channels, leads to more stringent bounds (the other two curves in the same Figure). By Eve’s interference, she is acting as a depolarizing channel that has the action: f f I4 ρkj −→ E (ρkj ) = 1 − ρkj + (12) 2 2 4 where k ∈ {1, 2} labels the basis and j (∈ {1, 2, 3, 4}) labels the basis elements. If Alice transmits an entangled basis element, then the state in Eq. (12) is (up to local unitaries) a Werner state [38]. Substituting for f from Eq. (8) in Eq. (12), we find Eve’s depolarizing channel in terms of error rate: 4e 4e I4 ρkj −→ E (ρkj ) = 1 − ρkj + , (13) 3 3 4

4.2 Entanglement considerations Let the measurement settings on the first and second qubit (i.e., the polarization and path qubit) be given by the following directions: 1 1 a1 = ˆi, a2 = ˆ j , a3 = √ ˆi + √ ˆ j,

2 2 1 ˆ 1 ˆ −1 ˆ 1 ˆ b1 = √ i + √ j , b2 = √ i + √ j , b3 = ˆ j 2 2 2 2

(14)

Toward secure communication using intra-particle entanglement

9

2

K

1.5

1

0.5

0 0

0.1

0.2

0.3

0.4

0.5

e

Fig. 2 The secret key rate as a function of error rate e in the conventional attack scenario (Eq. (10) and, as explained later, the side-channel attack scenario (Eq. (36). The conventional security scenario is represented by the rightmost curve, which has a positive key rate while e ≤ e2 ≈ 27%, the largest tolerable error rate in the simple individual attack in a conventional cryptographic scenario. The leftmost curve represents the above attack augmented in a sidechannel scenario, with Eve’s maximal attack (F = 21 in Eq. (38)), with a tolerable error rate of at most 14.5% for depolarizing action Eq. (13), the noisy state is nonlocal for e < eLR ≈ 0.17 (Eq. (22), first vertical line) and entangled for e < eent = 0.5 (Eq. (23), second vertical line). Thus the individual attack in the conventional scenario allows secure states that are local, but which are necessarily entangled. The intermediate curve represents F = 0.6 for which the region of nonlocality and secrecy coincide.

which are used for evaluating the following Bell inequality S = E (a1 , b1 ) + E (a2 , b1 ) + E (a1 , b2 ) − E (a2 , b2 ),

(15)

where E (a, b) is expectation value of measuring the spin in the directions a and b in the two particles, respectively. It is well known that for local-realist models, S ≤ SLR = 2. The correlation for the singlet is given by E (ai , bj ) = −ai · bj , √

so that S = −2 2 = ρsep

(16)

√

2SLR . The most general separable state is given by Z Z = σ (na , nb )|na ihna | ⊗ |nb ihnb |dna dnb ,

(17)

10

where

S. Adhikari et al.

RR

σ (na , nb )dna dnb = 1 and

ˆ na = sin θa cos φaˆi + sin θa sin φaˆ j + cos θa k ˆ nb = sin θb cos φbˆi + sin θb sin φbˆ j + cos θb k

(18)

The correlations for ρsep can be calculated as E (ai , bj ) = Tr[ρsep σ.ai ⊗ σ.bj ].

(19)

Using equations Eqs. (14), (15), (16) and (17), the upper and lower bound of the Bell quantity S in Eq. (15) is given by Z Z Z Z √ S = 2 σ (θa , θb , φa , φb ) sin2 θa sin2 θb sin(φa + φb )dθa dθb dφa dφb √ √ ⇒ − 2 ≤ S ≤ 2,

(20) √

so that quantum bound for separable states, Smax:sep = 2 < SLR [40]. State |Φ+ i is equivalent upto local√unitaries to a Bell state, and yields the maximal Bell-inequality violation of 2 2 for settings (14), whereas S (I4 ) = 0. After Alice’s public announcement of bases, if Bob divides the received states into sub-ensembles corresponding to each input state, then in view of Eq. (13), for the |Φ+ i subensemble, Bob will observe: √ 4e (21) S = 1− 2 2. 3 This is nonlocal when hSi > SLR = 2, or 3 1 e< 1− √ ≡ eLR ≈ 22.5%. (22) 4 2 From Eq. (13), setting 1 − 43e > 31 as the necessary and sufficient condition for entanglement [38] of Werner states by the Peres-Horodecki positive-partialtranspose criterion [39], we find that Bob’s states are entangled when e<

1 ≡ eent . 2

(23)

Since e2 > eLR (cf. Fig. 2), it follows that there are local states that allow secrecy extraction for both protocols under the considered attack. This will not be true when the side-channel attack is included. √ The corresponding values of S are, from Eq. (13), S2 = 1 − 43e2 2 2 ≈ 1.36Smax:sep , implying that e2 < eent (cf. Figure 2). In other words, all states secure under the protocol for the given class of attacks are necessarily entangled. Since the considered attacks are clearly not the strongest possible for the protocol considered, this implies that security or secrecy is a strictly stronger condition than entanglement (in that more powerful attacks will reduce the tolerable error rate, and thus increase the amount entanglement in the state at the security threshold). Our above results may be compared and contrasted with corresponding results obtained in the inter-particle case for the link between nonlocality and secrecy in quantum mechanics and general non-signaling theories in the conventional attack and attack scenarios involving untrusted devices [9, 34, 35, 7, 30, 12].

Toward secure communication using intra-particle entanglement

11

5 Side-channel attacks and faulty devices

The peculiar nature of intra-particle entanglement is that simple operations like application of an optical element on an arm can be an entangling operation. This property can be useful to protect secrecy in a side scenario. As an example, consider the tiny angular momentum acquired by the QWP through recoil during its rotation of the photon polarization. Eve may be able to somehow monitor the vibrational state of the QWP and deduce private information about the settings used by Alice. Alternatively, Eve may detect a gap in the wall of Alice’s station, and shine a thin pencil of light beam at some of the optical elements through the gap and deduce information based on the pattern of electromagnetic scatter. Worse still, Eve may be the vendor from whom Alice and Bob purchase their optical elements. Even if the available side channels are weak, Eve may install hidden ”trojan horses” that reveal basis or outcome information to her. The attack implemented in a QWP can be mathematically modeled as follows: |bi|AiD → |bi|AiD (b = 0, 1) |0i|P iD |0D iϕ → |+i|P+ iD |0D iϕ → |+i|P iD |YD iϕ |1i|P iD |0D iϕ → |−D i|P− iD |0D iϕ → |−i|P iD |YD iϕ

(24)

where |AiD , |P iD correspond to states of the initial absence or presence of some device (here the QWP) in path D ∈ {R, T }; |P± iD , the recoiled state of the device, carrying a small amount of angular momentum acquired when the photon in a V /H state is transformed into one of the diagonal polarization states |±i ≡ √1 (|Hi ± |V i); |0D iϕ , |YD iϕ are the vacuum state and state of the electromagnetic 2 leaking channel, produced when the device relaxes back from |P± iD to its initial state. The subscript in state |YD i indicates a photon in the mode coupled with device D. Practically speaking, for Alice to rule out every possible malicious defect is not easy, if not impossible. What is desirable is statistical tests on performance that acts like a catch-all check. The usefulness here of nonlocal correlations (or, entanglement within quantum mechanics) between measurements by Alice and Bob has been recognized [9, 7, 30]. What is interesting is that intra-particle entanglement also can be useful in this way. This is at first not obvious. To obtain the Alice –Bob correlations, one of an entangled pair of particles must be transmitted to Bob, following which each particle is measured separately. With intra-particle entanglement, such spatial separation is not possible. Moreover, when Alice transmits the particle, all entangled degrees of freedom in principle become available to Eve, who may thus be able remove any trace of her tampering the devices. In this work, we suggest that this problem can be solved by having Alice perform a Bell-inequality test on the particle after and all her devices have been used (beam splitters, polarizers, measurements), and just before the particle’s transmission to Bob. Furthermore, because both entangled degrees of freedom are with Alice, she might equally well measure them in GA 2 basis to verify their BIV property. This is accomplished simply be reversing the preparation procedure and verifying that the output is indeed the input state |V i|ψT i. The attack (24) does not affect elements from basis GA 1 , because no QWP is made use of. On the other hand, any element from the entangled basis GA 2 , say

12

S. Adhikari et al.

|Φ+ i, is affected. The below analysis holds for any other element in the basis as

well. To prepare the state |Φ+ i ∈ GA 2 , Alice inputs |0, ψT i into the beam splitter, and applies a HWP plate on the R arm to obtain √12 (|0i|ψT i + i|1i|ψR i). Applying a QWP on both arms R and T , in view of Eq. (24), she effects the transformation: 1 2 |0is + |1is |0is − |1is 1 √ √ → √ |0R , YT iϕ |ψT ip + i |YR , 0T iϕ |ψR ip |P, P iR,T 2 2 2 6= |Φ+ i|x, yiR,T |0, 0iϕ , (25)

|0i|ψT i|P, P iR,T |0, 0iϕ → √ (|0i|ψT i + i|1i|ψR i) |P, P iR,T |0, 0iϕ

for any |x, yi. Eve needs to distinguish between the case that the mode ϕ remains vacuum, and that there is a radiation of a photon. Let the projector to |0R , 0T i be denoted Π0 . Let h0|Y i ≡ cos θ in both arms, so that ϕ hYR , 0T |0R , YT iϕ = cos2 (θ). It is easy to verify that the probability of observed error upon Alice’s reversing her state preparation is eA =

1 sin2 (θ). 2

(26)

This is the probability that, upon reversing her preparation procedure on a given particle, Alice fails to find it in the original input state |0i|ψT i. We call this the device error, to contrast it with the conventional error, e, which may be called the channel error, acquired during the transmission of the particle through the channel. We will conservatively assume that no new noise above the preparation noise is introduced during the reversing step. The reversal is assumed to be implemented through an auxiliary optical set-up. For quantum cryptography to be a realistic enterprise, we must assume that Eve’s side channel is passive, i.e., she cannot use this side information to alter any settings of Alice’s device (otherwise– i.e., if Eve had active access —clearly Eve would be too powerful for security to be meaningful). In particular, Eve cannot alter Alice’s readings in this check. Moreover, Eve cannot access the random number generator Alice used to prepare random states. Thus a side-channel attack of the type (24) cannot be correlated with the prepared states, and Eve cannot hope to lower the value of eA as seen by Alice. At best, Eve can find out the value of eA , but ideally she knows this already, being the adversary who causes the device noise. We note that this error check is a simple substitute for a Bell test, in that it effects a measurement that verifies that the particle’s state is indeed |Φ+ i. By contrast, in the inter-particle case, local operations and classical communication would be needed, not to mention the difficulty in preparing the entanglement. What is interesting here, in contrast to the inter-particle entanglement case, is that the attack (24) can render intra-particle separable states as intra-particle entangled, again disrupting the correlations, which can be detected in the verification step. For example, the attack (24) when Alice attempts to prepare the separable state 21 (|0i + |1i)(|ψR i + |ψT i) ∈ GA 4 instead produces the entangled state 1 2

√

|0is + |1is √

2

⊗ (|0R , YT iΦ |ψT ip + i|YR , 0T iΦ |ψR ip ) |P, P iR,T .

(27)

Toward secure communication using intra-particle entanglement

13

As before, the verification step detects Eve with probability eA . Thus it is straightA forward to adapt the analysis given below for a protocol where bases {GA 1 , G4 } A A are used instead of {G1 , G2 }. For the present protocol, one strategy for Eve would be as follows. She measures the electromagnetic modes in the basis {Π0 , 1 − Π0 }, where Π0 ≡ |0R , 0T iΦ h0R , 0T | in the Hilbert space given by span{|0R , 0T i, |1R , 0T i, |0R , 1T i}. The outcome Π0 is indeterminate, while outcome 1 − Π0 deterministically informs Eve that the basis GA 2 was used, and leaves the particle in the state |Φ+ i ≡

(1 − Π0 )|Φ+ i , ||(1 − Π0 )|Φ+ i||

(28)

with probability P (1 − Π0 |GA 2 ) ≡ hΦ+ |(1 − Π0 )|Φ+ i

= 1 − || cos(θ)|Φ+ i||2 = 1 − cos2 (θ) = 2eA ,

(29)

where the last follows from Eq. (26). Thus, the more the deterministic information Eve acquires, the larger is the disturbance she produces, that Alice can see. It can be shown that the disturbed versions of the elements in basis GA 2 remain orthogonal. For example, hΦ+ |Φ− i ∝ hΦ+ |(1 − Π0 )2 |Φ− i

= hΦ+ |(1 − Π0 )|Φ− i = −hΦ+ |Π0 |Φ− i = − cos2 θhΦ+ |Φ− i = 0.

(30)

Thus, there exists a projective measurement strategy whereby the elements of the ”disturbed” basis GA 2 can be deterministically distinguished. Since Eve’s attack on any element in GA 1 produces no radiative emission, we have the conditional probability P (Π0 |GA 1 ) = 1.

(31)

The probability that Eve obtains outcome Π0 is, using Eq. (29) A P (Π0 ) = P (Π0 |GA 1 )p1 + P (Π0 |G2 )(1 − p1 )

= cos2 (θ) + p1 sin2 (θ),

(32) A

A

where p1 ≡ P (G1 ), the probability that Alice chooses (an element of) G1 . By the Bayesian rule, using Eqs. (31) and (32), we have P (GA 1 |Π0 ) =

P (Π0 , GA 1) P (Π 0 )

P (Π0 |GA 1 )p 1 + p1 sin2 (θ) p1 = , cos2 (θ) + p1 sin2 (θ)

=

cos2 (θ)

(33)

14

S. Adhikari et al.

which we denote p10 . It may be noted that if p10 > 12 , i.e., p1 >

cos2 (θ) , 1 + cos2 (θ)

(34)

which happens when θ > 0, then Eve’s best guess to minimize error in an interceptresend attack would be to assume that GA 1 was used if her measurement returns Π0 . That is to say that if no radiation leakage is found even with high distinguishability, chances are that the state sent by Alice was an element in GA 1. In practice, however, Alice and Bob, could respond to this potential tactic by Eve this by always using GA 2 . To avoid this, Eve responds to Π0 outcomes by transmitting a random element of either basis chosen with equal probability. Eve’s full strategy in this attack scenario is that she will use this extra basis information to improve her guess work in the intercept-resend attack of Sect. 3. If Eve obtains outcome 1 − Π0 , she determines the GA 2 element obtained by a projective measurement, and forwards this state to Bob, producing no errors. When Eve obtains an outcome Π0 , she measures randomly in either basis, notes the outcome state and forwards it to Bob. In this case, she identifies the sent state correctly if she measures in the right basis: in the GA 1 case, there is no state distortion; in the GA case, orthogonality is preserved on account of Eq. (30). 2 Therefore, the probability she produces an error that can be detected by Alice and Bob is found, using Eqs. (33) and (32), to be e = f P (Π 0 )

=

1 3 × 2 4

3 2 cos θ + p1 sin2 θ 8

(35)

in place of Eq. (8), the corresponding error in the conventional scenario. Eve’s information is, in place of Eq. (10), now given by by: I 0 (A : E ) = I 0 (B : E ) = 2P (1 − Π0 )f + P (Π0 )f

=

8e 1 + sin2 θ(1 − p1 ) , 3 1 − sin2 θ(1 − p1 )

=

8e 1 + 2(1 − F )(1 − p1 ) , 3 1 − 2(1 − F )(1 − p1 )

(36)

where F = 1 − eA ,

(37)

where F is the probability of recovering |0i|ψT i, upon reversing and measuring in the verification step, and taking values between 1 (when Eve does not attack, corresponding to θ = 0) to 21 (when Eve maximally attacks, corresponding to θ = π/2). In the limit of indistinguishability of the radiative leak modes (i.e., θ → 0), Eqs. (35) and (36) reduce, respectively, to Eqs. (8) and (10). In particular, letting p1 = 21 , from Eq. (36), we have I 0 (A : E ) = I 0 (B : E ) =

8e 2 − F . 3 F

(38)

Eve’s maximal attack in this model corresponds to F = 21 , whereby she fully distinguishes the side channels corresponding to G1 and G2 (θ = π/2 in Eq. (26)).

Toward secure communication using intra-particle entanglement

15

The corresponding secret key rate (as a function of channel error ) obtained by substituting Eqs. (38) and (10) in Eq. (11) is plotted in Fig. 2 as the leftmost curve. The highest tolerable error rate, which is the x-intercept of the curve, is about 14.5 as seen from Figure 2, this implies that secure states in this scenario are necessarily Bell-inequality violating. This is in contrast to the security in the conventional scenario (the rightmost curve in Fig. 2), where there are secure states that are Bell-inequality non-violating (0.17 . e . 0.27). The central curve corresponds to F ≈ 0.6, for which positivity of secrecy rate coincides with the BIV property. For the attacked state√in Eq. (25), the amount of Bell’s inequality violation can be shown to√be B(θ) = 2 2(1 + cos2 (θ)), so that it follows from Eqs. (26) and (37) that B = 2 2F . Substituting this in Eq. (38), and allowing for the possibility of some errors being due to noise rather than Eve, we can bound Eve’s information from above as a function of Bell’s inequality violation observed by Alice to be: √

I 0 (A : E ) ≤

8e 4 2 − B , 3 B

(39)

This form may be compared with bounds on Eve’s information as a function of Bell’s inequality violation in DIQKD with inter-particle entanglement, except that B is evaluated by Alice, rather than Bob and indicates the level of Alice’s device error, which in turn indicates the level of channel error that can be tolerated.

6 Conclusions

Our work proposes the use of intra-particle entanglement (path-polarization entanglement of single photons) for cryptography using an interferometric setup. Here, unlike the conventional BB84, the system used is four dimensional and hence one can have five mutually unbiased bases for encoding. We illustrate its usefulness by pointing out a type of side-channel attack which it is secure against, but which renders a BB84-like protocol insecure. Intra-particle entanglement is necessarily checked by a local Bell test, which leads to a decoupling of device noise from channel noise. The observed device noise, derived from the local Bell test, determines the channel error that can be tolerated. Note that error rates and security proofs have been explicitly given in the paper. We may also stress that, since the use of intra-particle entanglement allows one to distinguish between channel and device errors which, in usual protocols, are indistinguishable, this could be of aid in assessing the security of the protocol when actually implemented. The present work mainly highlights the usefulness of intra-particle entanglement for QKD. There are a number of prospects for extending this work. The attack model on the channel can consider more powerful adversaries, for example, executing a coherent attack. The eavesdropping scenario can be expanded from a single untrusted element toward higher DI. Ref. [19] considers the problem posed by optical losses on the channel, which has remained beyond the scope of the present work, and is of interest for a practical application. Similarly, the issue of composability of intra-particle entanglement-based QKD may be studied [42]. Finally, the problem of secure direction communication [43, 44, 45, 46, 47, 48] with intra-particle entanglement would be worth considering. ASM and DH acknowledge support from the Department of Science and Technology, India (DST) Project SR/S2/LOP-08/2013, and RS for the DST-supported

16

S. Adhikari et al.

Project SR/S2/LOP-02/2012. DH also thanks the Centre for Science, Kolkata for support.

References 1. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden. Quantum cryptography. Rev. Mod. Phys. 74, 145 (2002). 2. W. K. Wootters, and W. H. Zurek. A single quantum cannot be cloned. Nature (London) 299, 802 (1982). 3. C. H. Bennett, and G. Brassard. Quantum cryptography: public key distribution and coin tossing. In Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India, (IEEE, New York), 175 (1984). 4. J. S. Bell. On the Einstein-Podolsky-Rosen paradox. Physics 1 (Long Island City, N.Y.), 195 (1964). 5. J. F. Clauser and M. A. Horne and A. Shimony and R.A. Holt. Proposed experiment to test local hidden-variable theories. Phys. Rev. Lett. 23, 880 (1969). 6. A. K. Ekert. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661 (1991). 7. Ll. Masanes. A. Acin and N. Gisin, General properties of nonsignaling theories. Phys. Rev. A, 73, 012112 (2006). 8. D. Mayers. D. and C. Yao, A., Quantum cryptography with imperfect apparatus. FOCS 98. 503 (1998). 9. J. Barrett, L. Hardy and A. Kent. No signaling and quantum key distribution. Phys. Rev. Lett. 95, 010503 (2005). 10. Scarani, V., Gisin, N., Brunner, N., Masanes, L., Pino, S., Ac´ın, A. Secrecy extraction from no-signaling correlations. Phys. Rev. A 74, (2006) 042339. 11. L. Masanes, S. Pironio, and A. Ac´n. Secure device-independent quantum key distribution with causally independent measurement devices. Nature Communications, 2(238):7, 2011. 12. S. Pironio, A. Acin, N. Brunner, N. Gisin, S. Massar, and V. Scarani. Device-independent quantum key distribution secure against collective attacks. New J. Phys. 11 045021 (2009). 13. M. Vidick and U. Vazirani. Fully device independent quantum key distribution. arXiv:1210.1810. 14. S. Basu, S. Bandyopadhyay, G. Kar and D. Home. Bell’s inequality for a single spin-1/2 particle and quantum contextuality. Phys. Lett A 279, 281 (2001). 15. Y. Hasegawa, R. Loidl, G. Badurek1, M. Baron and H. Rauch. Violation of a Bell-like inequality in single-neutron interferometry. Nature 425, 45 (2003). 16. C. C. W. Lim, C. Portmann, M. Tomamichel, R. Renner and N. Gisin. Device-independent quantum key distribution with local Bell test. Phys. Rev. X 3, 031006 (2013). 17. D. Mayers and A. Yao. Self testing quantum apparatus. Quant. Info. Comp. 4, 273 (2004). 18. M. Tomamichel, E. H¨ anggi. The link between entropic uncertainty and nonlocality. J. Phys. A: Math. Theor. 46 055301, 2013 19. C. Branciard, E. G. Cavalcanti, S. P. Walborn et al., One-sided device-independent quantum key distribution: Security, feasibility, and the connection with Steering. Phys. Rev. A 85, 010301(R) (2012). 20. H. M. Wiseman, S. J. Jones and A. C. Doherty. Steering, Entanglement, Nonlocality, and the Einstein-Podolsky-Rosen Paradox. Phys. Rev. Lett. 98, 140402 (2007). 21. H. -K. Lo, M. Curty and B. Qi. Measurement-Device-Independent quantum key distribution. Phys. Rev. Lett. 108, 130503 (2012). 22. M. Lucamarini, and S. Mancini. Secure deterministic communication without entanglement. Phys. Rev. Lett. 94, 140501 (2005). 23. D. Bruss. Optimal eavesdropping in quantum cryptography with six states. Phys. Rev. Lett. 81, 3018 (1998). 24. X. B. Wang. Beating the photon-number-splitting attack in practical quantum cryptography. Phys. Rev. Lett. 94, 230503 (2005). 25. B. Kraus, N. Gisin, and R. Renner. Lower and upper bounds on the secret-key rate for quantum key distribution protocols using one-way classical communication. Phys. Rev. Lett. 95, 080501 (2005). 26. H. -K. Lo, H. F. Chau, and M. Ardehali. Efficient quantum key distribution scheme and a proof of its unconditional security. J. Cryptology 18, 133 (2005).

Toward secure communication using intra-particle entanglement

17

27. Y. Adachi, T. Yamamoto, M. Koashi, and N. Imoto. Simple and efficient quantum key distribution with parametric down-conversion. Phys. Rev. Lett. 99, 180503 (2007). 28. T. Jennewein, C. Simon, G. Weihs, H. Weinfurter, and A. Zeilinger. Quantum Cryptography with Entangled Photons. Phys. Rev. Lett. 84, 4729 (2000). 29. A. Ling, M. P. Peloso, I. Marcikic, V. Scarini, A. Lamaslinares, and C. Kurtsiefer. Experimental quantum key distribution based on a Bell test. Phys. Rev. A 78, 020301 (R) (2008). 30. A. Acin, N. Gisin, and L. Masanes. From Bell’s Theorem to Secure Quantum Key Distribution. Phys. Rev. Lett. 97, 120405 (2006). 31. Akshata Shenoy H., R. Srikanth, D. Home, A. S. Majumdar, S. Adhikari and A. Pan. Combining Goldenberg-Vaidman and Bennett-Brassard-1984 protocols using intra-particle entanglement. Under preparation. 32. L. Goldenberg and L. Vaidman. Quantum Cryptography Based on Orthogonal States. Phys. Rev. Lett., 75, 1239 (1995). 33. N. J. Cerf, M. Bourennane, A. Karlsson, N. Gisin. Security of Quantum Key Distribution Using d-Level Systems Phys. Rev. Lett. 88, 127902 (2002). 34. V. Scarani and N. Gisin. Quantum Communication between N Partners and Bell’s Inequalities. Phys. Rev. Lett. 87, 117901 (2001). 35. V. Scarani and N. Gisin. Quantum key distribution between N partners: Optimal eavesdropping and Bell’s inequalities. Phys. Rev. A 65, 012311 (2001). 36. S. Mal, T. Pramanik and A. S. Majumdar. Detecting mixedness of qutrit systems using the uncertainty relation Phys. Rev. A 87, 012105 (2013) 37. I. Csiz´ ar and J. K¨ orner. Broadcast channels with confidential messages. IEEE Trans. Inf. Theory 24, 339 (1978). 38. R. Werner. Quantum states with Einstein-Podolsky-Rosen correlations admitting a hiddenvariable model. Phys. Rev. A 40, 4277 (1989). 39. D. Bruss. Characterizing entanglement. J. Math. Phys. 43, 4237 (2002). 40. S. M. Roy. Multipartite Separability Inequalities Exponentially Stronger than Local Reality Inequalities. Phys. Rev. Lett. 94, 010402 (2005). 41. A. Acin, S. Massar and S. Pironio. Randomness versus Nonlocality and Entanglement. Phys. Rev. Lett. 108, 100402 (2012). 42. R. Renner and R, K¨ onig. Universally Composable Privacy Amplification Against Quantum Adversaries. quant-ph/0403133. 43. F.-G. Deng, G.-L. Long. Secure direct communication with a quantum one-time pad. Phys. Rev. A 69, 052319 (2004). 44. Li, X. H. et al. Deterministic Secure Quantum Communication Without Maximally Entangled States. J. Korean Phys. Soc. 49, 1354 (2006). 45. Yan, F.L., Zhang. X.,A scheme for secure direct communication using EPR pairs and teleportation. Eur. Phys. J. B 41, 75 (2004). 46. Man, Z.X., Zhang, Z.J., Li, Y. Quantum dialogue revisited. Chin. Phys. Lett. 22, 18 (2005). 47. Zhu, A.D., Xia, Y., Fan, Q.B., Zhang, S. Secure direct communication based on secret transmitting order of particles. Phys. Rev. A 73, 022338 (2006). 48. Tsai, C.W., Hsieh, C.R., Hwang, T. Dense coding using cluster states and its application on deterministic secure quantum communication Eur. Phys. J. D 61, 779 (2011). 49. T. Pramanik, S. Adhikari, A. S. Majumdar and D. Home. Proposal for testing non-locality of single photons in cavities. Phys. Lett. A 376, 344 (2012).