Download Document

Quantum Cryptography
Antonio Acín
ICFO-Institut de Ciències Fotòniques (Barcelona)
www.icfo.es
Paraty, Quantum Information School, August 2007
Entanglement vs Prepare &
Measure
After measuring one qubit of a maximally entangled state of two qubits and
getting result b, we are projecting the other qubit into the same state.
Alice
Bob

Alice
Bob

Perfect correlations in the x and z bases also suffice
to detect a maximally entangled state of two qubits.
Security proofs
QKD: Any intervention by Eve introduces errors in the channel that can be
detected by the honest parties and abort the insecure transmission.
Should Alice and Bob abort the protocol whenever they see errors?!
They should learn how to deal with noise. In particular, from the amount of
observed errors they should be able to:
1. Estimate their correlations.
2. Bound Eve’s information.
3. Conclude whether a secret key can be established.
4. Design a key distillation protocol to establish the key.
Example: whenever the observed QBER<11%, BB84 is secure.
Entanglement and QKD
Any entanglement based protocol can be mapped into an equivalent
prepare and measure scheme (BBM92).
Entanglement is the key resource for quantum information applications, it
represents the most intrinsic quantum property, bla, bla, bla…
How come that entanglement
does not play any role in QKD?
Entanglement and QKD
Entanglement is a monogamous resource. It can be used to estimate the
way Eve is at most correlated to a state shared by Alice and Bob.
Alice
 AB
Bob
Schmidt decomposition:
 AB   i i i
 ABE
AB
i

ABE
  i i
AB
 ei
E
i
Eve

ABE
Any other purification of Alice and Bob’s state is such that:
,  AB  trE  
ABE

ABE
 1AB  U E  
ABE
All purifications are unitarily equivalent!
Prepare and Measure schemes
Bob
Alice
Quantum channel B
i
i
 Ei
i
BE
 U BE  i
 B  trE i i
E
B
Eve
BE
By repeating this process, Alice and Bob estimate the quality of their
connecting quantum channel. They accumulate statistical data of the form:
Prb j  k  i 
Probability that Bob gets the result k when applying the measurement j conditioned on the
fact that Alice sent the state i.
Entanglement picture
Bob
Alice

Quantum channel B
i
 Ei
Eve
1. Alice prepares a maximally entangled
state of two qubits and sends half of it
through the channel
2. After interaction with Eve, the parties
share the states:

ABE
 1A  U BE   
 AB  trE  
3. Alice and Bob estimate their state by local
measurements.
ABE
In the equivalent prepare and
measure protocol, Alice and
Bob are virtually estimating the
state  AB . Using this
information, the honest parties
should conclude whether key
distillation is possible.
Key distillation from quantum
states
 AB
Sequence of state preparations
and measurements
Classical-classical-quantum
(CCQ) correlations
 pa, b a

ABE
a  b b  eab eab
a ,b
Is key distillation
possible?
P A, B   E
A
0
1
B
0
1
1
2
0
0
1
2
Classical key distillation
Consider a tripartite probability distribution describing three correlated random
variables, P(A,B,E). Can Alice and Bob extract a secret key out of it?
One-way communication:
Alice
0
1
0
0
1
1
0
1
0
1
K   I A : B  I A : E 
Csiszár- Körner
 H A E   H A B 
011=0
Final secret and
error-free list of bits
1111110101
0111110001
1111110001
Eve
0
1
1
0
0
1
1
0
0
1
0
1
Bob
Privacy amplification against
quantum adversaries
Consider now classical-classical-quantum correlations, resulting from Alice and
Bob measuring a tripartite quantum state. Can Alice and Bob extract a secret
key out of it?

ABE
  ABE   pa, b  a a  b b  eab eab
a ,b
One-way communication:
K   I  A : B    A : E 
Devetak-Winter
Renner-König
Holevo quantity: classical information encoded on quantum states
When Alice obtains outcome a , which happens with probability pa , Eve has:
 Ea 
1
pa, b  eab eab

pa  b
 E   pa, b  eab eab
a ,b
  A : E   S  E    pa S  Ea 
a
   i i i  S     i log i
i
i
De Finetti Theorem
In the previous analysis, there was a very important hidden assumption:
the attack of Eve is the same for each realization of the protocol.
Quantum De Finetti theorem: Given a symmetric system, almost all
of its parts are virtually identical and independent of each other. This
result generalises de Finetti's classical representation theorem for
Renner
infinitely exchangeable sequences of random variables.
The previous assumption can be made without loss
of generality. Then it is possible to use the previous
bounds to compute the secret-key rate.
Structure of security proofs
General security proofs of QKD system:
1. Alice and Bob apply random permutations to their systems.
2. De Finetti argument follows.
3. After sequences of state preparations and measurements, they
obtain information about their connecting quantum channel, or
equivalently, about the virtual bipartite state  AB .
4. The worst state compatible with the observed measurement
outcomes is computed.
5. This provides a bound on the way Eve can be correlated.
6. Known bounds on the distillable secret key are finally applied.
Key distillation
Alice
Bob
Quantum channel
(losses)
Raw key
Public channel
Sifted key
Key
Key
Example: BB84
Alice sends states from the x and z bases.
Alice measures in the x or z bases half of a
maximally entangled state of two qubits.

By comparing some of the symbols, Alice and Bob estimate the elements:
 x  x  AB  x  x
 x  z  AB  x  z
 z  x  AB  z  x
 z  z  AB  z  z
Example: BB84
Consider the natural situation in which the error
is the same in the two bases.
 z  z  AB  z  z   z  z  AB
1 
z z 
2
 z  z  AB  z  z   z  z  AB  z  z 
 z  x  AB  z  x 
1
4
K   min  AB I  A : B    A : E 
I  A : B  1  H  

2
 1 
 m00,00
 2
m01
01,,00
00

 AB  
m10,,00
00
 10
m11, 00
 m
11, 00

Prai  bi   
m
m00
00,,01
01
m01
01,,01
01
m
m10
10,,01
01
m11,01
m
11, 01

m
m

m00
m00
00,,10
10
00,,11
11 

m01
m01,11 
01,,10
10
m10
m10,11 
10,,10
10

1


m11,10 m11,11 
m

11,10
2 
Phase covariant cloning machine:
In the optimal attack Eve clones in
an optimal way the x and z bases.
BB84 rates
If the QBER Alice and
Bob observe is smaller
than 11%, key
distillations is possible.
Otherwise, they may
decide to abort the
protocol.
11% represents a very
reasonable amount of
errors.
Shor & Preskill
Pre-processing
Is this the ultimate bound for key distillation? NO.
There are several options to improve the secret-key rate.
1-p
0
0
Pre-processing: Alice introduces some local noise.
p
1
This deteriorates the information between Alice
and Bob, but also between Alice and Eve.
    1  p  1    p  
1-p
1
I  A : B    A : E   I  A : B    A : E 
Example: BB84, the critical QBER changes, 11% → 12.4%.
Given some ccq correlations, described by a state

1
K
 ABE   max AT U I T : B U    T : E U 
 ABE
K

 lim N 

N
K1  ABE
N

Example: Six-state
Consider the natural situation in which the error
is the same in the two bases.
 z  z  AB  z  z   z  z  AB
1 
z z 
2
 z  z  AB  z  z   z  z  AB  z  z 
 z  x  AB  z  x 
1
4

2
 1 
 m00,00
 2
m01
, 00

 AB   01,00
m10,,00
00
 10
m11, 00
 m
11, 00

Prai  bi   
m
m00
00,,01
01
m01
01,,01
01
m
m10
10,,01
01
m11,01
m
11, 01

m
m

m00
m00
00,,10
10
00,,11
11 

m01
m01,11 
01,,10
10

m10
m
10,11
10,,10
10

m11,10 1m11,11 
m

11,10
2 
The state is fully defined by the observed statisics in the x, y and z bases.
K   I  A : B    A : E 
Universal cloning machine:
QBER: 11.0% → 12.7%
In the optimal attack Eve clones in
an optimal way all the bases (states).
12.4% → 14.1%
The six-state protocol is more robust than BB84.
Two-way communication
One can also consider key distillation protocols involving communication
in two directions, from Alice to Bob and from Bob to Alice.
Advantage Distillation
Alice
0
1
0
1
0
0
1
1
0
1
0
1
0
1
0
0
1
1
1
0
1
Maurer
0= 
0=NO
1= 
0= 
YES
0=
0= 
=0
=0
=0
=0
=0
=0
=1
=1
=1
0
1
1
0
1
1
0=  1
YES 0
0=
0=  1
0
101

000
=
=
=
Eve
101
0
Bob
0
0
This information is
also useful for Eve!
Two-way communication
The error between Alice and Bob in the new list after AD reads:
 
L
 L  1   L
  


1  
L
The error tends to zero with
the size of the blocks, L.
Eve’s error also tends to zero with L. However, in some cases, the error
between the honest parties tends to zero exponentially faster.
P A, B, E 
I A : B  I A : E   0
AD
P A, B, E 
I  A : B   I  A : E   0
Initially, one-way key
distillation fails.
KEY
Two-way communication
 ABE
AD
I A : B   A : E   0
 ABE
I  A : B     A : E   0
Initially, one-way key
distillation fails.
KEY
For each protocol, there is a critical value of the error rate εc such that if
ε< εc the previous protocol with blocks of finite size L gives a secret key.
Critical QBER
BB84:
20%
6-state: 27.6%
These values are tight, for the specific protocol.
Entanglement is necessary
Recall: Alice and Bob by a sequence of state preparations and
measurements acquire information about their connecting channel  , or
equivalently about the state  AB  1  .
If the observed statistics is compatible with a separable state → no secret
key can be generated by any method.
This is equivalent to say that the channel is entanglement breaking, that
is, it does not allow to distribute any entanglement.
Therefore, even if Alice and Bob never use entanglement for the key
distribution, their goal is to estimate the entanglement properties of their
connecting channel and conclude whether key distillation is possible.
Is entanglement sufficient?
Positive key
Separability
?
BB84
6-state
20%
27.6%
25%
33.3%
QBER
Pre-processing by one of the parties does not modify these values.
Is entanglement sufficient for the security
of prepare and measure schemes?
Conclusions
• The correspondence between
entanglement based and prepare measure
protocols is a very useful tool in the
derivation of security proofs.
• Entanglement does play a (crucial) role in
the security of QKD protocols.
• And what about non-locality?