Supplementary Material I. BEAMSPLITTER ATTACK The beamsplitter attack has been discussed [C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smol

Similar documents
arxiv:quant-ph/ v2 17 Sep 2002

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Security of Quantum Key Distribution with Imperfect Devices

Ping Pong Protocol & Auto-compensation

Efficient Quantum Key Distribution. Abstract

Introduction to Quantum Cryptography

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

Quantum key distribution with 2-bit quantum codes

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

Entanglement and information

Quantum Cryptography

Secure quantum key distribution using squeezed states

Quantum Cloning, Eavesdropping and Bell's inequality N. Gisin and B. Huttner Group of Applied Physics University of Geneva 20 Rue de l'ecole de Medeci

arxiv:quant-ph/ v1 27 Dec 2004

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Security Implications of Quantum Technologies

High Fidelity to Low Weight. Daniel Gottesman Perimeter Institute

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

arxiv:quant-ph/ v1 13 Jan 2003

Quantum Cryptography

5. Communication resources

A. Quantum Key Distribution

Key distillation from quantum channels using two-way communication protocols

arxiv:quant-ph/ v2 2 Jan 2007

arxiv:quant-ph/ v1 13 Mar 2007

Lecture 11: Quantum Information III - Source Coding

A quantum analog of Huffman coding

Practical quantum-key. key- distribution post-processing

Lecture 6: Quantum error correction and quantum capacity

A review on quantum teleportation based on: Teleporting an unknown quantum state via dual classical and Einstein- Podolsky-Rosen channels

b) (5 points) Give a simple quantum circuit that transforms the state

A probabilistic quantum key transfer protocol

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

Problem Set: TT Quantum Information

1. Basic rules of quantum mechanics

EPR paradox, Bell inequality, etc.

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata

Quantum secret sharing based on quantum error-correcting codes

Quantum cryptography -the final battle?

Quantum Coding. Benjamin Schumacher. Department of Physics. Kenyon College. Gambier, OH

Why quantum bit commitment and ideal quantum coin tossing are impossible.

Entanglement Manipulation

Quantum Information Transfer and Processing Miloslav Dušek

Teleportation of Quantum States (1993; Bennett, Brassard, Crepeau, Jozsa, Peres, Wootters)

LECTURE NOTES ON Quantum Cryptography

1 1D Schrödinger equation: Particle in an infinite box

Security of Quantum Cryptography using Photons for Quantum Key Distribution. Karisa Daniels & Chris Marcellino Physics C191C

Chapter 13: Photons for quantum information. Quantum only tasks. Teleportation. Superdense coding. Quantum key distribution

Transmitting and Hiding Quantum Information

Quantum key distribution for the lazy and careless

CS/Ph120 Homework 8 Solutions

Quantum Information Types

Quantum Information & Quantum Computation

Quantum Cryptography

arxiv:quant-ph/ v2 7 Nov 2001

An Introduction to Quantum Information and Applications

Compression and entanglement, entanglement transformations

Exemple of Hilbert spaces with dimension equal to two. *Spin1/2particle

Efficient controlled quantum secure direct communication based on GHZ-like states

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC)

to mere bit flips) may affect the transmission.

Two-Step Efficient Deterministic Secure Quantum Communication Using Three-Qubit W State

arxiv:quant-ph/ Jan 2000

Quantum Teleportation Pt. 1

Lecture 21: Quantum communication complexity

arxiv:quant-ph/ v2 3 Oct 2000

1 1D Schrödinger equation: Particle in an infinite box

arxiv: v3 [quant-ph] 6 Sep 2009

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

Lecture 18: Quantum Information Theory and Holevo s Bound

Entanglement-Assisted Capacity of a Quantum Channel and the Reverse Shannon Theorem

Physics ; CS 4812 Problem Set 4

Realization of B92 QKD protocol using id3100 Clavis 2 system

C. QUANTUM INFORMATION 99

Lecture: Quantum Information

Bell inequality for qunits with binary measurements

Quantum Cryptography

Simulation of BB84 Quantum Key Distribution in depolarizing channel

Multiparty Quantum Secret Sharing via Introducing Auxiliary Particles Using a Pure Entangled State

arxiv:quant-ph/ v1 6 Dec 2005

Analysis of the Influenceof the Rate of Spies Measure on the Quantum Transmission

Quantum Teleportation Pt. 3

All this was changed by PKC. The idea of PKC is for each user (eg Alice) to randomly choose a pair of mutually inverse transformations a scrambling tr

Basics on quantum information

Security of quantum-key-distribution protocols using two-way classical communication or weak coherent pulses

INTRODUCTION TO QUANTUM COMPUTING

arxiv: v7 [quant-ph] 20 Mar 2017

Introduction to Quantum Information Hermann Kampermann

8 Elliptic Curve Cryptography

Quantum Secure Direct Communication with Authentication Expansion Using Single Photons

Error Reconciliation in QKD. Distribution

Quantum Cryptography and Security of Information Systems

C. QUANTUM INFORMATION 111

CPSC 467b: Cryptography and Computer Security

Other Topics in Quantum Information

Physics is becoming too difficult for physicists. David Hilbert (mathematician)

Advanced Cryptography Quantum Algorithms Christophe Petit

Quantum Cryptography. Marshall Roth March 9, 2007

Quantum Cryptographic Network based on Quantum Memories. Abstract

Transcription:

Unconditional Security Of Quantum Key Distribution Over Arbitrarily Long Distances Hoi-Kwong Lo 1 and H. F. Chau, 2y 1 Hewlett-Packard Labs, Filton Road, Stoke Giord, Bristol BS34 8QZ, U. K. 2 Department ofphysics, University of Hong Kong, Pokfulam Road, Hong Kong (March 10, 1999) Abstract e-mail: hkl@hplb.hpl.hp.com y e-mail: hfchau@hkusua.hku.hk 1

Supplementary Material I. BEAMSPLITTER ATTACK The beamsplitter attack has been discussed [C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin, J. Cryptol. 5, 3 (1992)]. Here we show that, even in the case of zero bit error rate (BER) in BB84 [C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing, (IEEE Press, New York, 1984), p. 175-179], a generalized version of beamsplitter attack can break BB84 completely provided that the loss due to the quantum channel between Alice and Bob is suciently large. For ease of discussion, we consider a generalized beamsplitter attack, which has been brought to our attention by N. Lutkenhaus. Eve measures the photon number observable N of each pulse. If N is less than two, she keeps the signal herself and Bob receives nothing. If N is two or larger, she uses an ideal beamsplitter to take one photon out. She then resends the remaining photons to Bob via a superior channel so as to ensure that Bob still gets the same bit rate. [This is possible provided that the loss of the quantum channel between Alice and Bob is large enough.] Eve stores her photons and waits for the announcement of the polarization bases. As far as polarization is concerned, Eve has an exact copy of Bob's signals. Therefore, by measuring her own photons along the correct bases in BB84, she learns the polarizations of Bob's received photons and hence the key. 2

II. TWO LEMMAS Lemma 1: (High delity implies low entropy) If hr singletsjjr singletsi > 1, where 1, then the von Neumann entropy S() <,(1, ) log 2 (1, ), log 2. (2 2R,1) Proof: If hr singletsjjr singletsi > 1,, then the largest eigenvalue of the density matrix must be larger than 1,, the entropy of is, therefore, bounded above by that of 0 = diag f1, ; ; ; ; g. That is, (2 2R,1) (2 2R,1) (2 2R,1) 0 is diagonal with a large entry 1, and with the remaining probability equally distributed between the remaining 2 2R, 1 possibilities. Q.E.D. Lemma 2: (Entropy is a bound to mutual information.) Given any pure state AB of a system consisting of two subsystems A and B, and any generalized measurements X and Y on A and B respectively, the entropy of each subsystem S( A ) (where A =Tr B j AB ih AB j) is an upper bound to the amount ofmutual information between X and Y. Proof: This is a corollary to Holevo's theorem [see A. S. Holevo, Probl. Inf. Transm. (U.S.S.R.) 9, 117 (1973)] Q.E.D. III. EFFICIENT SCHEMES FOR QUANTUM ERROR CORRECTION EXIST For instance, one can simply choose a block code of length k (say k = 7) that can correct a single error to encode a single qubit repeatedly. In the rst level of this concatenated coding scheme, the qubit is mapped into k qubits. In the second level of the coding, each of the k qubits is individually encoded into k qubits, resulting in k 2 qubits altogether, so on 3

and so forth. Let us assume that the errors for various elementary gates are independent and of order. After the rst level of encoding, all single errors can be corrected. Therefore, the eective error rate is of the order 2. More generally, the eective error rate of the (L + 1)-th level is related to that of the L-th level by (L+1) ( (L) ) 2. Consequently, one expects that (L) 0 ( 0 )2L where 0 is some threshold value of the error rate. [See Eq. (36) of J. Preskill, in Introduction to Quantum Computation and Information, H.-K. Lo, S. Popescu, T. Spiller, Eds. (World Scientic, Singapore, 1998), p. 213-269].Therefore, the error rate becomes exponentially suppressed whenever a level is added. IV. EVE MUST NOT KNOW THE RANDOM SUBSETS BEFOREHAND On the contrary, if Eve were to know the subsets beforehand, then similar to our discussion on classical random hashing, Eve could alway cheat successfully: In the above example, suppose Eve is told beforehand the subsets s 1 and s 2 and that Alice and Bob will generate their key by measuring their pair along z-axis. Then, Eve can cheat by nding out which cheating nal state will pass the verication test and then following its evolution backwards in time to work out the initial state: Suppose Eve would like the value of the key to be \0". She observes that the nal state j~1~0~1~1ij" z # z i = 1 p2 j ~1~0~1~1i(j~1~1i + j~0~1i) will achieve her goal. Evolving it backwards in time, Eve nds that she needs to prepare the initial state 1 p2 j ~1~1~1~1i(j~1~1i,j~0~1i). 4

V. SUBTLETIES The key point to note is that, starting with an N-singlet state j~1~1 ~1i, the parity computation will simply evolve it into another N-Bell state, up to a phase [17].Notice that the N pairs in such a nal state are not entangled with one another. Therefore, if we consider the untested N,m pairs, they should be in a pure state. In fact, they will be in an (N,m)- Bell state, described by the density matrix, Tr tested U s 1;s2;;smj~1~1 ~1ih~1~1 ~1jU y. s1;s2;;sm Recall that, for any eective eavesdropping strategy (that is, one that passes the verication test with a probability 2,r ), the delity of the initial state as N-singlets is very close to 1. By unitarity, the delity of the nal state as U s 1;s2;;smj~1~1 ~1i is also close to 1. Since delity does not decrease under tracing [for this property, see R. Jozsa, J. Mod. Opt. 41, 2315 (1994)], the delity of the subsystem of the untested pairs as Tr tested U s 1;s2;;smj~1~1 ~1ih~1~1 ~1jU y s1;s2;;sm is very close to 1. As Tr tested U s 1;s2;;smj~1~1 ~1ih~1~1 ~1jU y s1;s2;;sm is a pure state, we can apply the argument in note [28] to prove that the von Neumann entropy of those N, m untested pairs is very close to 0 and, hence, that the mutual information between those N, m pairs and the external universe (Eve plus tested pairs plus anything else) is exponentially small. Since the tested pairs are just part of the external universe, measurements on them do not really help. VI. EXAMPLES OF QUANTUM TO CLASSICAL REDUCTION RESULT Here we give the key arguments for the reduction result in the two examples rigorously, but leave out the irrelevant detailed calculations based on classical statistical theory. In the 5

rst example, consider N pairs of qubits shared between Alice and Bob. Those pairs can be entangled with each other and also with the external universe, for example, an ancilla prepared by Eve. Suppose Alice and Bob would like to estimate the number of singlets. i.e., the expected number of \yes" answers if a singlet-or-not measurement were performed on each pair individually. This number can, in principle, be determined by Bell measurements if they bring the two halves together. However, Alice and Bob would like to perform local measurements and classical communication only. We argue that they can, nonetheless, estimate it accurately by the following method. They randomly pick m pairs and measure the two members of each pair along an axis chosen randomly from x, y and z axes. Then they publicly announce their outcomes. Claim: If k of the outcomes are anti-parallel, then the estimated fraction of singlets in the N pairs is (3k, m)=2m. Furthermore, condence levels can be deduced from classical statistical theory. Proof: Consider, for each pair, the projection operators P i and P i k anti,k for the two coarsegrained outcomes (parallel and antiparallel) of the measurement performed on the ith pair. It is straight-forward to express these projection operators as linear combinations of projection operators along a single basis, namely, N-Bell basis. Let us consider the operator M B which represents the action of a measurement along N-Bell basis. Since M B, P i k and P i anti,k all refer to a single basis (N-Bell basis), they clearly commute with each other. Thus, a premeasurement M B by Eve along N-Bell basis will in no way change the outcome for P i k and P i k. Therefore, we mayaswell consider the case when such a pre-measurement is performed and the problem is classical to begin with. Random sampling is a powerful technique in classical statistical theory. The Central 6

Limit Theorem shows that the asymptotic or large-sample distribution of the mean of a random sample from any nite population with nite variance is normal. [see, for example, B. W. Lindgren, Statistical Theory (Collier Macmillan, London, ed. 3, 1976)]. Therefore, for a suciently large m, we can simply use a normal distribution to estimate the original mean and establish the condence level. There is a minor subtlety. For each pair, only one of three random measurements is performed. Since everything is now classical and is unrelated to the key points of this paper, we shall skip the details here and refer the readers to, for example, W. G. Cochran, Sampling Techniques (Wiley, New York, ed. 3, 1977), chap. 5. Q.E.D. This result is profound because it allows one to apply classical sampling theory and central limit theorem to a quantum problem at hand. For the second example, one can establish a rigorous probabilistic bound on the eavesdropper's mutual information I Eve on the nal key by random sampling (i.e., by sampling a random subset of photons, computing the error rates in the two bases and then applying classical probability theory to estimate the real error rates, etc). We assume that the signal carriers in BB84 are perfect single photons. Notice that Alice could use EPR pairs to prepare photons in BB84. Let us consider a pre-measurement M B along N-Bell basis by Eve and the coarse-grained projectors P i and P i k anti,k. As before, they refer to a single basis and, thus, commute with each other. Therefore, a pre-measurement M B will in no way change those coarse-grained outcomes. Alice and Bob pick m photons randomly from those that are both transmitted and received along the same basis and publicly compare their polarizations. Alice and Bob can then work out the \typical subspace" that is likely to give such error rates and compute its 7

dimensions. The logarithm of the number of dimensions of the typical subspace will be a very good probabilistic bound on the eavesdropper's information. [The probability amplitude on the \atypical subspace" will also contribute to the entropy, but this contribution can be made to be negligible in comparison. In more detail, Suppose there are N EPR pairs and the squared amplitude on the atypical subspace is at most. Then the atypical space's contribution S a to the entropy is no more than S a =, log 2 2 2N 2N. By making sure that is much less than 1, S a is much less than N. Since the contribution of the typical space to the entropy is supposed to be linear in N in a noisy channel, clearly S a is negligible in comparison.] 8

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback