Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Quantum Information Stephen M. Barnett University of Strathclyde [email protected] The Wolfson Foundation 1. Probability and Information 2. Elements of Quantum Theory 3. Quantum Cryptography 4. Generalized Measurements 3.1 3.2 3.3 3.4 5. Entanglement 6. Quantum Information Processing 7. Quantum Computation 8. Quantum Information Theory Information security Quantum communications Optical polarization Quantum key distribution 3.1 Information security A T M Honest John’s 1234 5678 Bank 9012 3456 I M A SUCKER PIN: 3141 Cash machine fraud netts thieves £100 million pounds each year in the UK. THE TIMES Wednesday February 16 2000 PRESIDENT Clinton an astonishing to Internet pest putshad words in Clinton’sconfession mouth FROM DAMIANhe WHITWORTH IN WASHINGTON make. “Personally” said, “I would like to see more PRESIDENT Clinton had an astonishing confession to make. “Personally” he said, “I would like to see porn on the Internet”. more porn on the Internet”. That his own sexual predilections were revealed to the world by a cyber-gossip and then chronicled in an explicit report first revealed on the Web only made his comment all the more intriguing. Then the truth emerged: a prankster had managed to circumvent filtering software to speak as if he were the President in an Internet interview. Mr Clinton had given his first live online interview to CNN, which was confident that it had the technology to stop interference with its website for the duration. Instead, pranksters had a field day, posting ribald remarks that were attributed to Mr Clinton and asking impertinent questions. One, in a reference to Mr Clinton’s attempts to blur the truth about whether there was, or “is”, a sexual relationship with Monica Lewinsky, asked the question no professional interviewer has dared: “Can you define ‘is’ for us yet?” Mr Clinton had given his first live online interview to CNN, which was confident that it had the technology to stop interference with its website for the duration. Instead, pranksters had a field day, posting ribald remarks that were attributed to Mr Clinton and asking impertinent questions. Caeserean or transposition cipher Shift the letters by a fixed (and secret) number of places in the alphabet, e.g: A B, B C, , Y Z, Z A The weakness of this cipher is that it has only 25 possible shifts so we can try them all: YBTXOB QEB FABP LC JXOZE ZCUYPC RFC GBCQ MD KYPAF ADVZQD SGD HCDR NE LZQBG BEWARE THE IDES OF MARCH CFXBSF UIF JEFT PG NBSDI Codes and ciphers: A code is produced by a substitution of the symbols in a message by another symbol e.g. ASCII or Morse code. A cipher is a message specifically modified to protect its meaning. Single Key Cryptography Alice the key must be kept secret sender & recipient must have same key scrambling done by series of complex permutations Is it secure? Bob Classical Cryptography crypto-key (secret) crypto-key (secret) Alice mathematical transformation Bob Protected Data inverse mathematical transformation Hostile Network unprotected data unprotected data Eavesdropping Tampering The message or plaintext P is protected by a key K used to produce a ciphertext C: C = C(P,K) P = P(C,K) In a substitution cipher, each letter is replaced by another one. Here the number of possible ciphers is 26! 4 10 26 Clearly an extensive key search is impractical, but we can use the known letter frequencies: A 8.2% B 1.5% G 2.0% H 6.1% M 2.4% N 6.7% S 6.3% T 9.0% Y 2.0% Z 0.1% C 2.8% I 7.0% O 7.5% U 2.8% D 4.2% J 0.1% P 1.9% V 1.0% E 12.7% K 0.8% Q 0.1% W 2.4% F 2.2% L 4.0% R 6.0% X 0.1% Perfect secrecy? Let {pi} be the set of possible plaintexts and {cj} the set of possible ciphertexts. The cipher is perfectly secure if we can learn nothing by reading it: P( pi | c j ) P( pi ) i, j Equivalently: P(c j | pi ) P(c j ) i, j Were this not the case then Eve could associate a given ciphertext with a restricted group of messages and thereby learn something. The number of possible keys required is at least as great as the number of possible plaintexts or messages. The Vernam Cipher or One-Time Pad message 010111001001001 010111 . . . . . . cryptogram message 100010111101010 101100 . . . . . . 010111001001001 010111 . . . . . . M M K = C C K = M 110101110100011 111011 . . . . . . 110101110100011 111011 . . . . . . key key M = Identity binary addition (logical XOR) 0 1 0 1 0 1 1 0 Secrecy of the Vernam cipher: The key is a random string of N bits and so it can take any one of 2N values, each with probability 2-N. It follows that any chosen plaintext will be mapped to any of 2N possible ciphertexts and these are all equally likely: P(c j | pi ) 2 - N P(c j ) i, j An eavesdropper, having access only to the ciphertext has no information about the plaintext: P(c j , pi ) P(c j | pi ) P( pi ) P(c j ) P( pi ) Hence the mutual information between the ciphertext and the plaintext is zero: H(P:C) = 0 The noisy channel coding theorem tells us that no information about P is carried by C alone. Practical Secret-Key Cryptography EVE (eavesdropper) ALICE Cryptogram BOB Algorithm : public standard e.g. DES Key : short random bit sequence (DES key = 56 bits) Yes we want the EU Constitution Alice Bob Yes we want the EU Constitution Protocol Failure Alice locks case M K A C1 Bob locks case C1 K B M K A K B C2 Alice unlocks case C2 K A M K B C3 Bob unlocks case C3 K B M C1 C 2 C 3 Eve ? ( M K A ) (M K A K B ) (M K B ) M The failure was due to the simplicity of the protocol, but more complicated protocols have problems of their own. Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the first letter: Alice Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ XBJIFWMLQTAZUODECSNKHPGRVY Bob Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ FPOAZWIRJXTCUVEKYGBHMNDLSLQ The failure was due to the simplicity of the protocol, but more complicated protocols have problems of their own. Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the first letter: Alice Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ XBJIFWMLQTAZUODECSNKHPGRVY Bob Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ FPOAZWIRJXTCUVEKYGBHMNDLSLQ The failure was due to the simplicity of the protocol, but more complicated protocols have problems of their own. Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the first letter: Alice Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ XBJIFWMLQTAZUODECSNKHPGRVY Bob Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ FPOAZWIRJXTCUVEKYGBHMNDLSLQ 3.2 Quantum communications A quantum communications channel is one in which the message is carried by a quantum system Eavesdropping Information source Alice Receiver Transmitter Signal Received signal ˆ i , P(ai ) Bob Choice of what to measure Noise source Destination As usual, A denotes the events in Alice’s domain: She selects a message from the set {ai} with probabilities P(ai). She prepares the associated state from the corresponding set {i}. We shall assume that the states and their probabilities of occurrence are known to Bob (and Eve). Bob can describe the state of the quantum signal, before his measurement, by the a priori density operator: ˆ P(a ) ˆ i i i Bob’s task is to determine which of the states was prepared and so recover the message. ˆ i ˆ j 0, i j If the signal states are all orthogonal, then Bob need only measure an observable with these density operators as non-degenerate eigenstates. If the signal states are not all mutually orthogonal then there is no certain way for Bob to distinguish between them. Consider, for example, just two pure and non-orthogonal signal states: 1 2 1 1 1 1 0, 0 1 Bob might try measuring the observable: Aˆ 1 1 - 1 1 2 1 1 1 1 0, 0 For Bob it is the other conditional probabilities that are important! P(1 | 1 ) 1 P( 1 | 1) good? P(1 | 2 ) 2 P(-1 | 2 ) 2 P( 1 ) 2 P( 1 ) P( 2 ) 2 1- 2 P( 2 | 1) P( 2 ) 2 P( 1 ) P( 2 ) P( 2 | -1) 1 The no-cloning theorem - accurate copying of a quantum state is impossible. Wootters, Zurek and Dieks If cloning were possible then it would mean copying a qubit state onto an second ‘blank’ qubit whilst leaving the state of the original unchanged. B This would have to hold for all possible qubit states |>. We can show that this would violate the linearity of quantum theory by means of a simple example: Suppose that the copying device works perfectly for the states |0> and |1>: 0 B 0 0 1 B 1 1 The superposition principle then tells us that: 0 1 B 0 B 1 B 0 0 1 1 But this is NOT two copies of the original state: 0 1 0 1 2 0 0 0 1 1 0 2 1 1 FLASH - First Light Amplification Superluminal Hookup Herbert (1982) The entangled state - 1 2 0 1 -1 0 is the zero-angular momentum state of two spin-half particles. It follows that the two ‘spins’ must be oppositely aligned so that ˆ x ˆ x - - ˆ y ˆ y - - ˆ z ˆ z - - If we measure on component of the spin and find the value +1(-1), then the other particle is immediately projected into the -1(+1) eigenstate of the same observable. FLASH - First Light Amplification Superluminal Hookup Alice measures x or z. singlet source Such superluminal signalling would clearly be in conflict with relativity. In fact, no signalling is possible in this way and this is a consequence of the powerful ‘no-signalling’ theorem. Herbert (1982) Cloning machine Bob determines the state from multiple copies: 0 1 0 -1 2 0 ,1, 1 2 1 , and hence whether Alice measured x or z. 3.3 Optical polarisation Maxwell’s equations in an isotropic dielectric medium take the form: E 0 E, B and k are mutually orthogonal B 0 B E t E B 2 c t E S k B For plane waves (and lab. beams that are not too tightly focussed) this means that the E and B fields are constrained to lie in the plane perpendicular to the direction of propagation. -1 0 E B Consider a plane EM wave of the form E E 0 exp i (kz - t ) B B 0 exp i (kz - t ) If E0 and B0 are constant and real then the wave is said to be linearly polarised. B Polarisation is defined by an axis rather than by a direction: B E E If the electric field for the plane wave can be written in the form E E0 (i ij) exp i(kz - t ) Then the wave is said to be circularly polarised. For right-circular polarisation, an observer would see the fields rotating clockwise as the light approached. B E Spin and polarisation Qubits Poincaré and Bloch Spheres Two state quantum system Bloch Sphere Electron spin Poincaré Sphere Optical polarization We can realise a qubit as the state of single-photon polarisation Horizontal 0 Vertical 1 Diagonal up 1 2 Diagonal down 1 2 Left circular 1 2 Right circular 1 2 0 1 0 -1 0 i 1 0 -i 1 3.4 Quantum key distribution Recall that perfect secrecy is possible using a one-time pad. message 010111001001001 010111 . . . . . . cryptogram message 100010111101010 101100 . . . . . . 010111001001001 010111 . . . . . . M K = C C K = 110101110100011 111011 . . . . . . 110101110100011 111011 . . . . . . key key M But this leaves, of course, the problem of communicating the key. Quantum key distribution is designed to tackle this problem. 1960’s Wiesner’s quantum money £1,000,000 ZQ23165F Bennett-Brassard protocol: BB84 Alice is going to send a random bit stream to Bob 0 1 1 0 1 0 0 1 1 0 0 0 1 0 1 1 1 0 . . . . She takes a single photon and prepares it in one of the four polarisation states chosen at random OR OR OR 1 0 0 1 0 1 1 0 1 0 Eavesdropping (Intercept & resend) Alice Eve Bob ‘1’ ‘0’ 50% probability 50% probability Eve generates substantial bit-error rate ~ 25% and gets incomplete information 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 0 0 0 1 1 0 0 1 1 X 1 X 0 0 X 0 1 1 0 1 1 1 0 0 0 0 1 X 0 0 0 1 Alice transmits random sequence of bits using random coding scheme 0 1 0 0 1 Bob receives photon and makes random choice of measurement basis Alice and Bob compare bases and discard events where no photon was received and different bases were used 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1 0 0 0 1 1 0 0 1 1 0 0 1 0 1 0 1 1 1 0 1 0 0 0 0 0 E D D 0 0 0 X X 1 1 1 D E D D 1 1 ALICE EVE X 1 1 0 1 BOB D E Bit positions 1,3,4,9,10 and 13 are discarded Bit positions 2,8 and 14 lead to an error caused by Eve Bit position 13 is an extra ‘null’ event caused by Eve Eavesdropping strategy I Suppose that Eve measures either the linear or circular polarisation of each photon and prepares a new photon in the measured state for retransmission to Bob. Bob Eve Alice ‘1’ 1/2 1/4 1 ‘1’ ‘1’ 1/4 ‘0’ 1/4 1/4 1/4 1/4 P(correct) = 3/4 P(error) = 1/4 ‘1’ 1/2 ‘0’ 1/4 ‘1’ 1/4 Eavesdropping strategy II 1 2 Measure an intermediate basis 0 -i 1 ‘1’ P(correct) = 0.85 P(error) = 1/4 ‘0’ 1 If Alice and Bob test N bits then the probability that Eve has used these strategies and produced no errors is (3/4)N. 0 ‘1’ 1 2 0 i 1 ‘0’ Bennett two-state protocol: B92 Alice uses just two different but non-orthogonal polarisation states Alice is going to send a random bit stream to Bob 0 1 1 0 1 0 0 1 1 0 0 0 1 0 1 1 1 0 . . . . 1 0 0 1 1 0 1 0 Bob measures either the horizontal/vertical polarisation or the diagonal polarisation Bob Discard Alice ‘0’ Discard MUST correspond to zero: keep Bob measures either the horizontal/vertical polarisation or the diagonal polarisation Bob Discard Alice ‘1’ Discard MUST correspond to one: keep Care needs to be taken as Eve can do the same as Bob! Into the single photon regime - weak pulses Attenuate laser pulses to an average of ~ 0.1 photons per pulse. Single photons? P(1 photon) = 0.1 P(0 photons) = 0.9 P(>1 photons) ~ 0.01 Into the single photon regime - down conversion A pump laser photon can be split to create two daughter photons p s i k p k s ki Energy conservation Momentum conservation Photon pairs arrive at the same time on opposite sides of the cone of down-converted light. Use one photon as a herald for its twin. Into the single photon regime - single emitters Laser excitation Spontaneous emission Emitting a photon leaves the single emitter in its ground state and unable to emit a second photon. First experiment: Bennett et al 1992 Transmission distance 30cm. Rate 10 bits/sec 1993 onwards - fibre systems using polarisation or phase coding Transmission distances up to 50km. Rates ~ 10 kbits/sec Multi-User Quantum Key Distribution at Gigahertz Clock Rates • Up to 3.3GHz clock rates • Bit rates approaching 1Mbits-1 at distances < 1km Bit Rate versus Fibre Distance at 3GHz Clock Frequency 10,000,000 Raw Bit Rate Bit Rate (%) 1,000,000 100,000 10,000 Net Bit Rate 1,000 0 2 4 6 8 10 Distance (km) 12 14 16 Bit commitment: quantum promises? (Lo & Chau 97) Alice Bob Bob cannot read without Alice’s help Alice cannot change her mind Use polarisation basis =1 =0 Bob cannot determine basis used by measurement and so cannot determine Alice’s choice of bit Alice can cheat using entanglement! Alice Bob Alice prepares the entangled state 1 2 R A R B L A L B 12 H A H B -V A and can fix the basis later by measuring her particle. V B Summary Quantum cryptography was designed to solve the problem of secure key distribution. It relies on the fact that measuring, copying or interfering with a quantum system will usually change its state. Quantum key distribution requires us to design a ‘protocol’ whereby Alice and Bob can be certain that they will be able to detect any activity by Eve. Proving security against all possible attacks is a challenging problem. The failure was due to the simplicity of the protocol, but more complicated protocols have problems of their own. Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the first letter: Alice Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ XBJIFWMLQTAZUODECSNKHPGRVY Bob Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ FPOAZWIRJXTCUVEKYGBHMNDLSLQ The failure was due to the simplicity of the protocol, but more complicated protocols have problems of their own. Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the first letter: Alice Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ XBJIFWMLQTAZUODECSNKHPGRVY Bob Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ FPOAZWIRJXTCUVEKYGBHMNDLSLQ The failure was due to the simplicity of the protocol, but more complicated protocols have problems of their own. Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the first letter: Alice Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ XBJIFWMLQTAZUODECSNKHPGRVY Bob Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ FPOAZWIRJXTCUVEKYGBHMNDLSLQ The failure was due to the simplicity of the protocol, but more complicated protocols have problems of their own. Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the first letter: Alice Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ XBJIFWMLQTAZUODECSNKHPGRVY Bob Plaintext Substitution ABCDEFGHIJKLMNOPQRSTUVWXYZ FPOAZWIRJXTCUVEKYGBHMNDLSLQ Diffie-Hellman One way function: a function that is easy to calculate but with an inverse that is easy to evaluate. We need a large prime number p and another g that is a primitive root modulo p, which means that for any A less than p-1 there exists an a such that A = ga mod p. Finding A from a is easy, finding a from A is difficult. Alice generates the numbers A and a, Bob generates the numbers B and b: B = gb modp. Alice sends A to Bob and Bob sends B to Alice. B a mod p g ab mod p Ab mod p g ab mod p This is the required shared key: K = gab mod p. Public-Key Cryptography Bob’s public key (not secret) Bob’s private key (secret) public directory Alice mathematical transformation Protected Data Bob inverse mathematical transformation Hostile Network unprotected data unprotected data Public Key Cryptography RSA scheme : inputs - data x, two large primes p,q Calculate m = pq (easy) Choose e and d such that de = 1 mod (m) (easy if you know p and q) ( m) ( p - 1)( q - 1) (m,e) = public key (m,d) = private key x e mod m (x e ) d encryption mod m x mod m decryption Public Key Cryptography • public key cryptography works in a different way to secret key schemes • algorithms - RSA, Diffie-Hellman etc • public key for RSA = (m, e) with m = pq (product of two large primes) and d easily found with p (or q) • difficulty of breaking RSA is thought to be equal to the difficulty of factoring (no proof) - getting p & q from m numbers of about 1090 can be factored in a day such numbers for public keys are clearly inadequate for good security Current Applications of Cryptography • public key cryptography relatively slow, secret key cryptography very fast • public key cryptography generally used for key management and digital signatures secret key protected with public key message secret key message protected with secret key Digital Signatures Bob’s public key (not secret) public directory A inverse mathematical transformation signature check 8 or 4 Bob’s private key (secret) Signed + Message Data B mathematical transformation Hostile Network unsigned data Over long distances losses contribute to the noise; an absorbed quantum cannot be measured by Bob! Long distance communications overcome this with: Repeaters - measure and regenerate the signal Amplifiers - amplify the signal intensity. In quantum communications these processes add excess noise which tends to destroy the quantum information. If Alice prepares qubits in just the states |0> and |1> then the task is easy: Measure z and if the result is +1(-1) then make as many qubits as you please in the state |0>(|1>. Problems arise when Alice selects from a non-orthogonal set of states. Measurements will, in general, change the state: Consider a simple model of a general qubit measurement in which our qubit in a general state |> is made to interact with an ancilla, prepared in the state |A>. The interaction is associated with a unitary transformation, the general form of which is Uˆ Î Aˆ0 ˆ x Aˆ x ˆ y Aˆ y ˆ z Aˆ z This unitary operator transforms the original state into A Aˆ 0 A ˆ x Aˆ x A ˆ y Aˆ y A ˆ z Aˆ z A The qubit state |> is unchanged, but the change in the ancilla is independent of |> so this cannot describe a measurement! The state of the qubit will be unchanged only if it is an eigenstate of U, but there are no common eigenstates of the three Pauli spin components and our signal states are non-orthogonal so ... Optimal (symmetric) cloning - Hillery & Buzek We can’t clone perfectly but what is the best we can do? 0 B Q 2 1 0 1 1 0 q 0 0 q 3 6 1 B Q 2 1 0 1 1 0 q 1 1 q 3 6 state of copying machine Both the original qubit and the clone are left in the correct state with probability 5/6 ˆ 5 1 6 6 At least one of the qubits is in the correct state. Interestingly, the ‘cloning machine’ achieves something closer to a quantum NOT operation: Let q 1, B Q q - 0 2 3 1 6 The third qubit is in the orthogonal state to the original with probability 2/3: ˆ 2 1 3 3 The Jones representation We can write the x and y components of the complex electric field amplitude in the form of a column vector: i E0 x E0 x e x E i y 0 y E0 y e The size of the total field tells us nothing about the polarisation so we can conveniently normalise the vector: Horizontal polarisation Vertical polarisation 1 0 0 1 Left circular polarisation 1 2 1 i Right circular polarisation 1 2 1 - i One advantage of this method is that it allows us to describe the effects of optical elements by matrix multiplication: Linear polariser (oriented to horizontal): Quarter-wave plate (fast axis to horizontal): 1 0 0 0 1 1 1 0 , 90 , 45 0 0 0 1 2 1 1 1 0 1 0 0 i 0 , 0 - i 90 , 1 i 45 i 1 1 0 0 -1 Half-wave plate (fast axis horizontal or vertical): The effect of a sequence of n such elements is: 1 2 A an B c n bn a1 d n c1 b1 A d1 B We refer to two polarisations as orthogonal if E*2 E1 0 This has a simple and suggestive form when expressed in terms of the Jones vectors: A1 A2 B is orthogonal to B if 1 2 A2* A1 B2* B1 0 A * 2 A2 B2 B2* A1 B 0 1 † A1 B 0 1 There is a clear and simple mathematical analogy between the Jones vectors and our description of a qubit.