Application and manipulation of bipartite and …...Application and manipulation of bipartite and multipartite entangled quantum states by Benjamin Fortescue A thesis submitted in

Application and manipulation of bipartite and multipartite

entangled quantum states

by

Benjamin Fortescue

A thesis submitted in conformity with the requirementsfor the degree of Doctor of Philosophy

Graduate Department of Physics

University of Toronto

Copyright c© 2009 by Benjamin Fortescue

Abstract

Application and manipulation of bipartite and multipartite entangled quantum states

Benjamin Fortescue

Doctor of Philosophy

Graduate Department of Physics

University of Toronto

2009

The phenomenon of quantum entanglement is a fundamental feature of quantum me-

chanics which, as a counterintuitive and inherently ”quantum” phenomenon (with no

classical analogue) has been the subject of much study, especially in quantum informa-

tion theory. One fruitful approach to the description of entanglement has been in its

operational description - that is, in the consideration of what can be achieved using

entangled states under certain restrictions, typically the regime of local operations and

classical communications.

We present results here related to the operational characterisation of entanglement

in the resource model, in both bipartite and multipartite cases. First, we consider the

conversion between pure bipartite entangled states in terms of an often-ignored resource

- the classical communication cost. Using prior results for more specific conversions, we

derive lower bounds on this cost (and the related quantity of the conversion inefficiency)

for general bipartite pure states.

We also consider pure-state conversions of multipartite entanglement, in particular

the class of protocols in which multipartite states are converted to states shared between

fewer parties. We have found a previously-unconsidered variety of such conversions, in

which the target state of the conversion is a state shared between a random subset of

the parties. We find that when such post-selection of parties in the protocol is permitted

allows for a wider variety of achievable target states; certain states which can not be

ii

reliably obtained between predetermined parties (even some where the probability of

doing so is arbitrarily small) can be obtained between random parties. We consider a

variety of states in which this phenomenon occurs, as well as bounds on such protocols

can achieve.

Finally we consider a practical use of entanglement as a resource, in an experimental

implementation of a multipartite QKD protocol. This is based on the tripartite GHZ

entangled state, but can be implemented using only bipartite entanglement. We adapt

existing QKD results for both the bipartite and multipartite case to derive a secure key

rate for this implementation, taking into account the ways in which it differs from the

idealised theoretical case.

iii

Dedication

To my parents.

iv

Acknowledgements

Firstly, my sincere thanks to my supervisor, Professor Hoi-Kwong Lo, to whom I am

greatly indebted for his tireless and invaluable guidance and help throughout the whole

of my Master’s and PhD research.

I was privileged to work alongside many excellent colleagues and friends in our re-

search group, including Xiongfeng Ma, Fred Fung, Bing Qi, Yi Zhao, Kai Chen, Kiyoshi

Tamaki, Marcos Curty and J.C. Boileau.

I gratefully acknowledge many fruitful discussions with other colleagues and collabora-

tors, including Daniel Gottesman, Martin Plenio, Andreas Winter, Hartmut Haffner, Rob

Adamson, Jonathan Oppenheim, Matthias Christandl, Debbie Leung, Andrew House

and Geir Ove Myhr. Particular thanks to members of my PhD committee: Daniel Lidar,

Daniel James, Aephraim Steinberg and my external examiner John Watrous.

Thanks to the University of Toronto for financial support during my Master’s and

PhD.

My sincere gratitude to the Master and Fellows of Massey College, both for finan-

cial support and for providing a wonderful social, residential and academic environment

which enhanced my time in Toronto enormously. And of course to all the friends from

Massey and elsewhere whom I’ve had the pleasure of knowing during my time in graduate

school: far too many to list, but special mention should be made of Ela Beres, Kevin

Blagrave, Dan Giang, Andrew House, Jennifer Konieczny, George Kovacs, Kari Maaren,

Ester Macedo, Michael Neff, Janna Rosales, Sapna Sharma, Beth Tsai, Angela Varma,

Katherine Verhagen and Simon Watson.

Finally my heartfelt thanks to my family, for all their support.

v

Contents

1 Introduction 1

1.1 Entanglement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1.1 Entanglement in quantum mechanics . . . . . . . . . . . . . . . . 1

1.1.2 Entanglement as a resource . . . . . . . . . . . . . . . . . . . . . 4

1.1.3 Quantum information . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.1.4 Entanglement and information . . . . . . . . . . . . . . . . . . . . 6

1.2 Entanglement measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.2.1 LOCC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

1.2.2 Operational entanglement measures . . . . . . . . . . . . . . . . . 9

1.2.3 Non-operational entanglement measures . . . . . . . . . . . . . . 11

1.2.4 Measures for mixed states . . . . . . . . . . . . . . . . . . . . . . 12

1.3 Multipartite states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

1.3.1 MREGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

1.4 Quantum key distribution and entanglement . . . . . . . . . . . . . . . . 16

1.5 Our results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

1.5.1 Classical communication cost in entanglement dilution . . . . . . 20

1.5.2 Random distillation of multipartite entanglement . . . . . . . . . 20

1.5.3 Experimental GHZ-based QKD . . . . . . . . . . . . . . . . . . . 22

2 Classical communication cost in entanglement dilution 24

vi

2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.1.1 BBPS entanglement concentration and dilution . . . . . . . . . . 25

2.2 Prior work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2.3 Our method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2.4 Classical communication cost in Lo-Popescu . . . . . . . . . . . . . . . . 29

2.4.1 Error size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

2.4.2 Classical communication cost . . . . . . . . . . . . . . . . . . . . 35

2.5 Relation between protocol errors . . . . . . . . . . . . . . . . . . . . . . . 36

2.6 The inefficiency bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

2.6.1 Inefficiency in Lo-Popescu . . . . . . . . . . . . . . . . . . . . . . 40

2.7 Discussion of bounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

2.8 The general pure state case . . . . . . . . . . . . . . . . . . . . . . . . . 43

2.8.1 Inefficiency and classical communication bounds for the general

pure state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

2.9 Summary of results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

2.9.1 General pure states . . . . . . . . . . . . . . . . . . . . . . . . . . 48

2.10 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

3 Random distillation 52

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

3.2 Entanglement of assistance . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.2.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

3.3 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

3.3.1 ΩIJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

3.3.2 Esp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

3.3.3 Ernd(ψ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

3.3.4 A hypothetical example . . . . . . . . . . . . . . . . . . . . . . . 59

3.3.5 Regularisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

vii

3.3.6 Et . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

3.3.7 Main result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

3.3.8 Important inequalities . . . . . . . . . . . . . . . . . . . . . . . . 64

3.4 The W state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

3.4.1 Bounds for chosen parties . . . . . . . . . . . . . . . . . . . . . . 65

3.4.2 The W protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

3.4.3 Multipartite distillation from W states . . . . . . . . . . . . . . . 70

3.5 Upper bounds on random distillation . . . . . . . . . . . . . . . . . . . . 71

3.5.1 E∞t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

3.5.2 E∞rnd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

3.6 More general states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

3.6.1 W-class states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

3.6.2 GHZ-class states . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

3.6.3 Symmetric Dicke states . . . . . . . . . . . . . . . . . . . . . . . . 86

3.7 Feasibility study of experimental implementation of random distillation . 89

3.7.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

3.7.2 Proposed experimental W protocol . . . . . . . . . . . . . . . . . 91

3.7.3 Feasibility of random distillation . . . . . . . . . . . . . . . . . . . 92

3.7.4 Upper bound to qsp . . . . . . . . . . . . . . . . . . . . . . . . . . 93

3.7.5 Numerical simulation of random distillation . . . . . . . . . . . . 94

3.8 Generalisation of allowed parties in random distillation . . . . . . . . . . 96

3.8.1 Upper bound on R2 (entropy) . . . . . . . . . . . . . . . . . . . . 97

3.8.2 Lower bound on R2 (time-sharing) . . . . . . . . . . . . . . . . . 98

3.8.3 Random distillation can improve on the lower bound . . . . . . . 98

3.9 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

3.9.1 Full description of bipartite distillation . . . . . . . . . . . . . . . 100

3.9.2 More general multipartite states . . . . . . . . . . . . . . . . . . . 100

viii

3.9.3 Generalisation of allowed parties . . . . . . . . . . . . . . . . . . . 101

3.9.4 Mixed states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

3.9.5 Relation to existing entanglement measures . . . . . . . . . . . . 102

3.9.6 Classical information . . . . . . . . . . . . . . . . . . . . . . . . . 102

3.9.7 Experimental Implementation . . . . . . . . . . . . . . . . . . . . 104

3.10 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

4 Experimental GHZ-based QKD 105

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

4.1.1 Multi-party protocols . . . . . . . . . . . . . . . . . . . . . . . . . 105

4.1.2 GHZ-based QKD . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

4.2 Experimental implementation . . . . . . . . . . . . . . . . . . . . . . . . 111

4.2.1 General form of the QKD protocol . . . . . . . . . . . . . . . . . 112

4.2.2 Non-ideal properties of Alice’s output in the experimental situation 114

4.2.3 Summary of solutions to security problems . . . . . . . . . . . . . 115

4.3 Multiple pairs and the PNS attack . . . . . . . . . . . . . . . . . . . . . 116

4.3.1 Multiple pairs and key rate . . . . . . . . . . . . . . . . . . . . . 118

4.4 Security of potentially secure (PS) states . . . . . . . . . . . . . . . . . . 121

4.4.1 Lo-Preskill security analysis . . . . . . . . . . . . . . . . . . . . . 123

4.4.2 Modified fidelity argument . . . . . . . . . . . . . . . . . . . . . . 128

4.4.3 Applying Lo-Preskill to the GHZ experiment . . . . . . . . . . . . 130

4.5 Overall key rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

4.6 The experimental state . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

4.6.1 The transmitted state . . . . . . . . . . . . . . . . . . . . . . . . 132

4.6.2 The pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

4.6.3 Unpaired photons . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

4.6.4 Summary of PS transmissions . . . . . . . . . . . . . . . . . . . . 134

4.7 Joint state description for PS states . . . . . . . . . . . . . . . . . . . . . 135

ix

4.7.1 Definition of a valid joint state . . . . . . . . . . . . . . . . . . . . 135

4.7.2 Pure state (quantum coin argument) . . . . . . . . . . . . . . . . 136

4.7.3 Mixed state (modified fidelity argument) . . . . . . . . . . . . . . 138

4.8 Key rate in terms of experimental quantities . . . . . . . . . . . . . . . . 141

4.9 Optimisation of experimental settings . . . . . . . . . . . . . . . . . . . . 143

4.9.1 Coincidences caused by unpaired photons . . . . . . . . . . . . . . 144

4.9.2 The transmissivity Q of the channel . . . . . . . . . . . . . . . . . 145

4.9.3 Bit and phase errors . . . . . . . . . . . . . . . . . . . . . . . . . 145

4.9.4 Key generation frequency . . . . . . . . . . . . . . . . . . . . . . 145

4.9.5 Optimisation results . . . . . . . . . . . . . . . . . . . . . . . . . 146

4.10 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

4.10.1 Anticorrelated noise . . . . . . . . . . . . . . . . . . . . . . . . . 150

4.10.2 No unpaired photons . . . . . . . . . . . . . . . . . . . . . . . . . 151

4.10.3 Potential improvements in security proof . . . . . . . . . . . . . . 151

4.11 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

5 Conclusions 156

A Proofs of Lemmas, Chapter 2 161

A.1 Proof of Lemma 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

A.2 Proof of Lemma 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

B The Innsbruck ion trap state ρIW 163

Bibliography 164

x

List of Tables

3.1 Outcomes for performing our hypothetical protocol separately on two

copies of ρ. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

3.2 Upper bounds on the obtainable concurrence for distillation of the Inns-

bruck ion trap state ρIW to specified parties. Unitary size is the dimension

of the unitary matrix applied to the eigenstate decomposition of ρIW to

obtain the minimal decomposition found by Zyczkowski’s algorithm . . . 95

4.1 Summary of Alice’s transmissions in the ideal Chen-Lo protocol . . . . . 111

4.2 Summary of Alice’s transmissions when adding uncorrelated noise. . . . . 135

4.3 Experimental parameters used in calculating the optimal key rate. . . . . 143

4.4 Individual parameters for the optimal key rate of ≈ 4.5× 10−4 secure bits

per measurement setting. . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

xi

List of Figures

2.1 Classical communication (CC) costs of entanglement dilution via a two-

stage protocol, Lo-Popescu followed by some unknown protocol for dilution

between partially entangled states. The right-hand side gives the Harrow-

Lo bound on classical communication for the whole process. . . . . . . . 30

2.2 Errors for different stages of the two-stage dilution . . . . . . . . . . . . . 37

2.3 Plots of 2ζ(ǫ2) as a function of ǫ2 . . . . . . . . . . . . . . . . . . . . . . 42

2.4 Regions of non-zero classical communication cost (below the curves), as a

function of initial and final state parameters p1 and p2 and protocol error ǫ2. 44

3.1 Various conversions of a tripartite state ψ to bipartite entanglement: (1)

Ω measures the entanglement obtainable between a specific pair of parties

(in this case AB): (2) Et is the sum of the jointly-obtainable entanglement

between all pairs of parties, (3) Ernd measures the maximum entanglement

obtainable between post-selected parties. . . . . . . . . . . . . . . . . . . 63

3.2 Illustration of multipartite state distillation from W states using random

distillation. N copies of the W states are distilled to EPR pairs shared

evenly between the parties, who prepare local copies of some 3-qubit state

ψ3q. Each party then uses half of the EPR pairs they share with each

of the other parties to teleport qubits from ψ3q to the other two parties,

resulting in N/2 shared copies of ψ3q in the large N limit. . . . . . . . . . 71

xii

3.3 Illustration of the procedure for performing the W protocol in trapped

40Ca+ ions. Ions are originally in a W state in the S,D subspace, changed

(2) to the D′, D subspace, then the unitary (3) and projection (4) are

applied using state |S〉 as an additional state |2〉 . . . . . . . . . . . . . . 92

3.4 An intermediate random distillation regime for conversion of many copies

of a 4-party state ψ to EPR pairs. We wish to create entanglement between

either the pairs A1B1 or B1B2, but no other combinations, for a total rate

R2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

3.5 Converting many copies of a state W4 in the intermediate distillation

regime: A naive “time-shifting” protocol (1), separately creating EPR

pairs between A1B1 and A2B2, produces an asymptotic rate R2 ≈ 0.81.

Using an intermediate random distillation to three-partyW states (2) gives

an improved asymptotic rate R2 ≈ 0.92. . . . . . . . . . . . . . . . . . . 99

4.1 GHZ QKD experimental setup (based on a diagram by Rob Adamson) . 113

4.2 Eve’s view of the QKD - Alice transmits quantum states ρ (as well as

broadcasting encrypted classical communications (CC)) to a joint entity

Bob-Charlie in order to establish a common secret classical key. Eve wants

to know the key, but only has access to ρ and CC. . . . . . . . . . . . 122

xiii

4.3 Types of measurement in the two-party Lo-Preskill protocol. Alice holds

a joint state ρX/Z of her qubit and the transmitted state. After the trans-

mission they hold joint states σX/Z and make measurements, with Bob

filtering out any inconclusive outcomes. In scenario (1) they perform Z

measurements on state σZ for an error rate δZZ . In the other experimental

scenario (2) they perform X measurements on σX for an error rate δXX .

In scenario (3), which does not occur in the experiment, they perform X

measurements on σZ for an error rate δXZ . The achievable key rate can

be expressed in terms of this error rate. (Adapted from diagrams in [1],

Copyright Rinton Press (2007).) . . . . . . . . . . . . . . . . . . . . . . . 126

4.4 Key generation frequency Rt as a function of added noise Sn, for µ = 0.02.

Optimising over both Sn and µ we find the optimal rate at µ ≈ 0.02,

Sn ≈ 50. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

4.5 Key generation frequency Rt as a function of mean pairs µ and added

noise Sn. The apparently lower peak compared to Figure 4.4 is due to the

limited resolution of the plot . . . . . . . . . . . . . . . . . . . . . . . . . 148

4.6 3-way QKD using 2-party protocols. Alice generates separate keys AB

and AC with Bob and Charlie then encrypts key AB with key AC for

classical communication to Charlie. with key . . . . . . . . . . . . . . . 153

xiv

Chapter 1

Introduction

In this introductory chapter we give a brief summary of some of the major results con-

cerning quantum entanglement most relevant to our work, which we discuss in section

1.5. For a much more comprehensive review see e.g. [2, 3].

1.1 Entanglement

1.1.1 Entanglement in quantum mechanics

Arguably a major reason for why the description of physical processes as given by quan-

tum mechanics is at odds with our intuition is the divide that quantum mechanics gives

between the properties of such systems and what we can discover about them through

measurement. In classical, Newtonian mechanics, we can consistently refer, for example,

to particles with well-defined masses, positions, momenta etc., which both determine

their behaviour over time and can be measured whenever we wish. There is no difficulty

with the intuitively satisfying picture of an independent physical reality whose properties,

all of which are at least in principle measurable, determine its evolution.

In quantum mechanics the picture becomes much less clear-cut. Using, for example,

the Schrodinger picture [4], the underlying entities whose time-evolution we are concerned

1

Chapter 1. Introduction 2

with are not particles but quantum states which describe the particles. Knowing such

states and the rules for their evolution is sufficient to describe the observable physics,

but the states themselves are not observables (there is no “state-meter”). Indeed, there

is no guarantee that a given observable has a definite value when the system is in a given

state, resulting in probabilistic results when measuring such observables even in identical

states. Whether the states represent “reality” or merely a mathematical convenience is

a matter of interpretation, but the connection between observables and the underlying

physics is, in a sense, less direct than in the classical case. Moreover, measurement itself

can no longer be considered as a passive operation with respect to the observed system

but will, in general, actively alter the system’s state.

Of course, one illustration of this behaviour, as alluded to above, is the well-known

“uncertainty principle” describing the limitations on the degree to which certain ob-

servable quantities (e.g. position and momentum) can be simultaneously known for the

same system. But the curious phenomenon of entanglement can also be considered as

arising from this division. Entanglement, broadly speaking, occurs when two or more

distinguishable systems (often conveniently envisioned, as we shall do here, as two sep-

arate particles, though by no means exclusive to this case) can only be fully quantum-

mechanically described in terms of their joint behaviour, with observable properties of

the separate particles being correlated in a way that appears to contradict their having

locally independent behaviour.

Moreover, measurement of such observables of the individual particles (and, in gen-

eral, any operation acting on the individual particles) alters, in general, the overall state

of the system of both particles. The result is that the particles behave as if mysteriously

connected even when not directly interacting with each other - the underlying state

“knows” about the connection even when there is no apparent communication between

the particles and operations on one particle affect the state of the other.

Such phenomena have been known about for decades but have gained a new promi-


nence with the rise of the field of quantum information. Such correlations between (po-

tentially) distant particles have obvious relevance to a field concerned, like its classical

counterpart, with the degree to which certain types of communication may be achieved.

A remarkable property of entanglement is that, though there appears to be an underlying

connection between entangled particles, this does not violate the ban imposed by special

relativity on faster-than-light communication, since entanglement alone cannot be used

for communication. This does not prevent it being a useful resource in quantum infor-

mation applications - as discussed in the following sections, entanglement is both useful

as a communication resource when combined with other forms of communication, and as

a resource in its own right in applications such as quantum cryptography. Indeed, the

picture of entanglement specifically as a resource and its description in terms of what can

be achieved using entangled states, is very much key to the description of entanglement

in quantum information theory, and a major element of this thesis.

In the following sections we will discuss some important properties of entanglement

in more formal terms.

Consider a Hilbert space HA with basis vectors |ψi〉, and a second orthogonal

Hilbert space HB with vectors |φj〉. A quantum state in the combined Hilbert space

HA ⊗HB can be generally expressed as

ρ =∑

∀i,i′,j,j′λii′jj′|ψi〉|φj〉〈ψi′ |〈φj′| (1.1)

for some complex coefficients λii′jj′ such that ρ is Hermitian and positive and tr(ρ) = 1.

Certain states ρs may (for some choice of basis vectors i, j) be expressible in the form

ρs =∑

k

pkρk ⊗ σk (1.2)

where ρk =∑

∀i,i′ aii′ |ψi〉〈ψ′i| and σk =

∑

∀j,j′ bjj′|φj〉〈φj′| i.e. states ρk exist entirely

within space HA and state σk within HB (with positive coefficients pk such that∑

k pk =

1). Such a state ρs is described as separable with respect to HA and HB - one can

consider ρ as consisting of a mixture of separate states ρk and σk such that any operator


acting on ρ only within HA can be considered as acting only on the state ρk and likewise

for HB and σk. Conversely, a state which is not separable is described as entangled

with respect to HA and HB. A simple and well-known two-party entangled state is the

Einstein-Podolsky-Rosen or EPR pair.

|Φ〉 =1√2(|0〉A|0〉B + |1〉A|1〉B) =

1√2(|00〉 + |11〉)AB (1.3)

(using a simplified notation in the rightmost expression). As discussed in later sections,

this is often used as a fundamental two-party unit of entanglement.

A common example of a bipartite (two-party) entangled state, which highlights the

counterintuitive nature of entanglement, is where HA and HB correspond to states of

physically separate systems, for example two particles A and B. This was the system

considered by Einstein, Podolsky and Rosen [5] in their paper which originally introduced

the concept of entanglement. In this paper the authors consider the case of two physically

separated particles in an entangled state and note that under such circumstances the

state of one particle can be affected by a measurement made on the other particle, even

though the particles are not interacting, described by Einstein as “spooky action at a

distance”. It was later shown by Bell [6] that the correlations in classical measurement

outcomes that quantum mechanics predicts for entangled states cannot be accounted for

by a purely local description of the entangled systems - these predictions have since been

validated in many experiments [7, 8, 9, 10]. Quantum mechanics thus appears to be an

inherently nonlocal theory and entanglement has been regarded by many as a defining

feature of quantum mechanics.

1.1.2 Entanglement as a resource

1.1.3 Quantum information

Quantum information theory is concerned with the informational properties of quantum

states. The quantum analogue of the classical “bit” - a classical variable taking one of


two possible values (typically labelled 0 and 1) - is the “qubit”, a quantum state within

a two-dimensional Hilbert space (typically with basis vectors labelled |0〉 and |1〉) e.g.

|ψ〉 = α|0〉 + β|1〉, (|α|2 + |β|2 = 1). (1.4)

Such a state can thus be in either of the two basis states or any superposition thereof.

This makes quantum information qualitatively different from its classical counterpart.

For classical information, one can define, for a given channel, a single classical “chan-

nel capacity” [11] which quantifies how many data or “logical” bits may be accurately

received across the channel per “raw” bit sent, optimised over schemes encoding logical

bits in raw bits. For an input variable X and output variable Y this is known to be the

maximum over X of the classical mutual information.

I(X;Y ) = H(X) +H(Y ) −H(X, Y ) (1.5)

where H is the Shannon entropy, which for a variable X taking values x with probability

px is

H(X) = −∑

x

px log2 px, (∑

x

px = 1). (1.6)

However a simple corollary of the no-cloning theorem [12, 13] shows that the capacity

of a classical channel to send quantum information, i.e. qubits, is zero. Instead, one can

define a “quantum channel” with a capacity in terms of its ability to reliably transmit

qubits, as introduced in [14].1

Quantum information is thus qualitatively distinct from its classical counterpart, and

considering the channel capacity reveals close connections between entanglement and

quantum channels, as discussed in later sections.

1This capacity can be defined with respect to different scenarios, for example whether or not a classicalside channel is available and, if so, whether one or two-way classical communication is permitted. Forthe case of no side channel the quantum channel capacity was shown [15, 16, 17] to be equal to themaximisation of the coherent information, an analogous quantity to the classical mutual information. Acrucial difference in the quantum case, however, is that the quantum channel capacity must be maximisedover multiple uses of the channel, the inputs to which may be entangled. As a result, both determiningthe capacity of a given channel and constructing coding schemes which saturate the capacity is a muchmore challenging problem for quantum channels.


1.1.4 Entanglement and information

While Bell inequality experiments show that entangled states exhibit nonlocality and thus

components of an entangled state can apparently instantaneously influence each other

over large distances, it has been proven that this cannot be used to violate causality as

understood in special relativity i.e. one cannot use entangled states to transmit infor-

mation faster than the speed of light. This follows from the result that in the absence

of any classical communication between parties, entanglement alone cannot be used to

transmit any information, classical or quantum. Intuitively this may be understood as a

consequence of quantum randomness - a local measurement on one part of an entangled

system can determine the outcome of a measurement on another party of the system,

but in general the measurement outcomes, while correlated, are nondeterministic. Hence

if Alice makes a computational basis measurement on her half of an EPR pair her result

will tell her what Bob’s measurement outcome on his half will be, but she cannot control

his measurement result, since her measurement result is random 2

Teleportation and dense coding

However, entanglement can be used in conjunction with forms of communication to in-

crease the transmission of classical or quantum information. In quantum teleportation

[18] two parties, Alice and Bob (A and B), who share an entangled EPR pair (also known

as an “ebit”) |Φ〉AB can perform local operations on their halves of the pair along with

locally-created states, combined with the transmission of two bits of classical communi-

cation, to send a single qubit from Alice to Bob or vice versa. The EPR pair is destroyed

in the teleportation process. This leads to the relation, in terms of communication cost

1 ebit + 2 bits ≥ 1 qubit. (1.7)

2Such correlated randomness can be useful as, for example, a cryptographic key - a principle exploitedin quantum key distribution (QKD), as discussed in Chapter 4. It does not, however, in itself constitutea message transferred from Alice to Bob.


This also motivates the ebit as a natural unit of entanglement, since any other two-qubit

entangled state can be produced (without any quantum communication) from an ebit by

Alice locally preparing the state and teleporting one of the qubits to Bob.

A dual protocol to quantum teleportation is quantum dense coding [19]. In this

protocol Alice shares an EPR pair with Bob and also transmits to him a qubit. Combined

with local operations (which destroy the EPR pair), this allows Alice to transmit two

classical bits to Bob, versus zero bits using the EPR pair alone or one bit using the qubit

alone (as shown by the Holevo bound [20]). This gives the relation

1 ebit + 1 qubit ≥ 2 bits. (1.8)

A more recent development is the concept of “coherent bits” or cobits [21, 22], an

intermediate resource between classical and quantum bits. A cobit channel is weaker

than a general quantum channel, but does allow controlled entangling operations between

Alice and Bob, of the form.

(α|0〉 + β|1〉)A → (α|00〉 + β|11〉)AB. (1.9)

It can be shown [21] that the above protocols are reversible when the “classical”

communication is performed using a cobit channel, leading to the relation.

2 cobits = 1 qubit + 1 ebit. (1.10)

A much more general picture of quantum information protocols was provided in [23],

which provided a description of the above and other protocols in terms of two general fully

quantum “mother” and “father” resource inequalities (i.e. statements of achievability

using quantum resources), of which the protocols involving classical communication are

simply specific cases. A description of specific protocols allowing the mother and father

inequalities to be saturated was given in [24].

Protocols such as these, in which “consuming” entangled states allows information to

be transmitted, motivates the view of entanglement as a resource which can be exchanged


for other informational resources such as quantum and classical information transmission

and used to perform non-classical tasks. Indeed, it was shown in [25] that any bipartite

entangled state can, at a minimum, be used to enhance the ability of some other entangled

state to be used for quantum teleportation i.e. all bipartite entangled states have some

use as a resource.

Treating entanglement this way necessitates quantifying how much entanglement par-

ties possess.

1.2 Entanglement measures

1.2.1 LOCC

Treating entanglement as a resource involves describing what those parties possessing a

certain amount of entanglement can do with it via certain operations. To meaningfully

quantify the amount of entanglement the parties possess, these operations should not

result in an increase in entanglement. We know that two parties can produce entangled

states by performing joint quantum operations - equivalently, they can perform local

quantum operations and exchange quantum information. This motivates the idea of the

distant lab paradigm and the regime of local operations and classical communication or

LOCC.

In the distant lab paradigm we consider physically-separated parties working in sepa-

rate laboratories some distance away, who may share entangled states but are restricted

in the operations they may perform on such states - they may perform operations on

their own portions of the state and exchange information via some channel(s), classical

or quantum. Specifically, under the LOCC regime, we consider separated parties who

may only exchange classical information. Such parties can be considered as researchers

working in separate labs, who may perform any quantum operation they wish in their

own labs and/or have discussions with each other on the phone, but not send each other


any quantum-mechanical systems.

Measures of shared entanglement are generally defined such that the expectation of

such measures cannot increase in the LOCC regime - it follows from the above requirement

that states which can be reversibly interconverted under LOCC must have the same

entanglement under a given measure. For example, a frequently used two-qubit basis,

consisting of states of equal entanglement to an EPR pair is the “Bell basis”

|Φ±〉 =1√2(|00〉 ± |11〉)AB (1.11)

|Ψ±〉 =1√2(|01〉 ± |10〉)AB. (1.12)

In addition, “stochastic LOCC” or SLOCC is sometimes used to refer to operations in

the LOCC regime which produce a given result with some finite (non-zero) probability

≤ 1.

1.2.2 Operational entanglement measures

In addition to the above property of being non-increasing under LOCC (monotonicity), a

scale is generally set for entanglement measures by requiring that they vanish for product

states, and, commonly, that they be equal to 1 for EPR pairs. Nonetheless this still

allows for many different measures to exist. Some may be useful primarily in that they

are straightforward to calculate, or to measure experimentally. Others, however, have an

operational interpretation, corresponding to some task, the achievement of which under

LOCC requires a certain quantity of entanglement.

The Von Neumann entropy

The Von Neumann entropy is a quantum-mechanical counterpart to the classical Shannon

entropy. The Shannon entropy is defined as in section 1.1.3 and represents the “uncer-

tainty” or information content of the possible values of a variable. For a quantum state


ρ the Von Neumann entropy S(ρ) is defined as

S(ρ) = −trρ log2 ρ. (1.13)

and similarly reflects the uncertainty of a quantum state. For a pure state |psi〉 S(|ψ〉) =

0, and S for a classical mixture of orthogonal states reduces to the Shannon entropy of

the mixture.

The entanglement entropy

For a pure state ψAB, one can define the entanglement entropy Es in terms of S, where

Es(ψ) = S(ρA) (1.14)

and Alice’s reduced density matrix ρA is defined as

ρA = TrBρAB. (1.15)

(Note that by this definition S(ρA) = S(ρB)). Qualitatively, this measures the uncer-

tainty of one party’s state in the absence of the other party, and thus the degree of

entanglement between the parties.

An important feature of the entanglement entropy is its operational interpretation -

it was shown by Bennett, Bernstein, Popescu and Schumacher (BBPS) [26] that, when

performing the LOCC-conversion of N copies of a pure state ψAB to M EPR pairs,

ψ⊗NAB −→ |Φ+〉⊗M (1.16)

the optimal ratio MN

as N → ∞ is equal to Es(ψ). Moreover, in the limit of large

N the above procedure is reversible [26]. The procedure of converting general states

into maximally entangled states (MES’s) is known as entanglement concentration or

entanglement distillation and the reverse procedure as entanglement dilution.

Pure-state bipartite entanglement is thus fungible - reversibly convertible to EPR

pairs as standard units of entanglement, at a rate given by the entanglement entropy. Es


is often used as a standard measure for bipartite entanglement as, in the asymptotic case,

it is thus equal to both the operational measures of the entanglement cost (the number

of EPR pairs required to make a state under LOCC in the many-copy limit) and the

distillable entanglement (the number of EPR pairs one can obtain from a state under

LOCC in the many-copy limit) for pure bipartite states. Entanglement entropy is also

an additive measure.

It is known [4] that all bipartite pure states |ψ〉AB can be expressed as a Schmidt

decomposition

|ψ〉AB =k∑

i=1

√pi|i〉A|i〉B (1.17)

where 〈i|j〉 = δij , pi > 0 for all i,∑k

i=1 pi = 1, and the Schmidt number of the state

is defined as k. Thus any pure two-qubit state can be expressed in the form |ψ〉 =

α|00〉 + β|11〉 (|α|2 + |β|2 = 1), and the highest Es for any such state is 1 for the EPR

pair. The EPR pair is thus a maximally entangled state (MES) of two qubits.

1.2.3 Non-operational entanglement measures

We note in passing that not all entanglement measures are operational - measures can

also be defined purely by reference to the state in question. One example, which we use

in Chapter 4, is the relative entropy of entanglement Er, defined in terms of a distance

measure, the relative entropy, as the distance from the nearest separable state.

Er(ρ) = minσsep

S(ρ||σ) (1.18)

where the minimisation is over all separable states σsep and the relative entropy S(σ ‖ ρ)

is defined as:

S(σ ‖ ρ) = trσ log2 σ − σ log2 ρ. (1.19)

One advantage of such a measure compared to, say, the distillable entanglement, is that

it does not rely on a well-defined MES and hence can be applied to multipartite states.


1.2.4 Measures for mixed states

For mixed states the situation is less well-understood than for pure states. We immedi-

ately see, for example, that the entanglement entropy can no longer be used as for pure

states. From the definition in section 1.2.2 we see that if Alice and Bob share a mixed

state, then Alice’s reduced density matrix will have non-zero Von Neumann entropy even

in the absence of any entanglement with Bob. Moreover, there is no simple relationship

between the entanglement of a mixture of states and that of its components, since mixed

states do not have a unique decomposition. For example, an equal mixture ρ of the

maximally-entangled states Φ±

ρ =|Φ+〉〈Φ+| + |Φ−〉〈Φ−|

2=

|00〉〈00|+ |11〉〈11|2

(1.20)

thus can be produced from a mixture of product states and has zero entanglement. While

schemes such as [14] exist to “purify” EPR pairs from noisy entangled states, these are

in general not provably efficient. Moreover, unlike in the pure-state case, mixed-state

entanglement is not fungible in general - there exist states with “bound entanglement”

[27] which require a non-zero number of EPR pairs to create but from which no EPR

pairs can be distilled.

However, consideration of the distillation of entanglement from mixed states does

have a close connection to quantum channel capacity, since as demonstrated in [14],

mixed entangled states shared between Alice and Bob can be considered as resulting

from Alice sending halves of EPR pairs down a noisy channel to Bob. If the two parties

can distill EPR pairs from the mixed states, these can be used in combination with

one-way classical communication for quantum teleportation of arbitrary states. It has

been shown [14, 28] that quantum channel capacity with a one-way classical side channel

is equal to that with no side channel, thus the distillable entanglement in this scenario

places a lower bound on the channel capacity.


Convex hull

Allowing for the above, a straightforward means of adapting any pure-state entanglement

measure to mixed states is by minimising the expected value of that measure over de-

compositions, the “convex hull”. I.e. for a mixed state ρAB expressible in decompositions

ρ =∑

i pi|ψi〉AB and a pure state entanglement measure E, we can define a mixed-state

measure

E ′(ρ) = minpi,|ψi〉

∑

i

piE(ψi) (1.21)

where the minimisation is over decompositions. It was proven in [29] that the convex

hull for a pure-state monotone is itself an entanglement monotone. However, even if E

is straightforward to calculate E ′ may well not be.

Entanglement of formation

One example of a convex hull measure is the entanglement of formation Ef , which equates

to the convex hull using entanglement entropy Es as a measure. In the many-copy limit

this can be regarded as an “entanglement cost” in the sense that it measures the number

of EPR pairs used to construct a state via the specific procedure of creating pure states

corresponding to the minimal-entropy state decomposition and then combining them in

an ensemble - that is, in the limit of large N , the number of EPR pairs required using this

procedure is NEf (ρ). As this is not the most general LOCC procedure, the entanglement

of formation Ef differs in definition from the entanglement cost Ec.

However it was shown in [30] that in the large N limit NEf (ρ) = EC(ρ⊗N). If Ef

could be shown to be an additive measure (as has been conjectured) i.e. that Ef(ρ⊗N ) =

NEf (ρ), then EC = Ef . However this is now known not to be true in general, as a

counterexample to the additivity of classical capacity of quantum channels, previously

shown by Shor [31] to be equivalent to the additivity of Ef , has been recently shown by

Hastings [32].


Entanglement cost and distillable entanglement

The operational measures of entanglement cost and distillable entanglement (shown for

pure states to both be asymptotically equal to the entanglement entropy) are well-defined

operational measures in the mixed-state case also. The entanglement cost Ec represents

the number of EPR pairs needed to make a state, that is for a protocol

|Φ+〉⊗M −→ ρ⊗N (1.22)

Ec(ρ) = limM→∞

maxM

N(1.23)

where the maximisation is over protocols. (It follows that mixed-state Ec is just the

convex hull using the entanglement entropy as a measure). Likewise the definition of

distillable entanglement Ed follows from the reverse process

ρ⊗N −→ |Φ+〉⊗M (1.24)

Ed(ρ) =M

N, N → ∞. (1.25)

In general Ec ≥ Ed (otherwise one could generate EPR pairs through LOCC), but in

some cases this inequality is strict - mixed-state entanglement is not fungible in general.

Concurrence

A well-known pure- and mixed-state entanglement measure for two-qubit states is the

concurrence [33]. For a two-qubit state ρAB, one defines the state ρ, where

ρ = (σAy ⊗ σBy )ρ∗(σAy ⊗ σBy ). (1.26)

where ρ∗ is the complex conjugate of ρ taken in the |0〉, |1〉 basis. The concurrence is

then defined as

C(ρ) = min√

λ1 −√

λ2 −√

λ3 −√

λ4, 0 (1.27)

where λ1 . . . λ4 are the eigenvalues of ρρ in descending order of size. The function

H2(ǫ(C)), where H2 is the binary Shannon entropy

H2(x) = −x log2(x) − (1 − x) log2(1 − x) (1.28)


and

ǫ(C(ρ)) =1 +

√1 − C2

2(1.29)

also equates to the convex hull for Es, and is consequently equal to the entanglement

of formation for a two-qubit mixed state, and hence the entanglement entropy for a

two-qubit pure state.

1.3 Multipartite states

As discussed above, for two-party pure states at least, entanglement appears to be a

single kind of resource, which has an intuitive operational interpretation and can be

readily interconverted between different forms (i.e. states of equal entanglement) through

LOCC in the many-copy limit. For multipartite states (those shared between more than

two parties), the situation is much more complex.

There appear to be multiple types of multipartite pure-state entanglement. As dis-

cussed above, an EPR pair is a standard MES for two-qubit states since all two-qubit

states may be produced via LOCC from a single EPR pair through teleportation. For

three qubits (shared between three parties) however, the situation is different. It was

shown in [34] that pure three-qubit entangled states can be divided into two classes, with

the probability of converting a single copy of a state in one class to a state in the other

through LOCC being zero (versus some finite probability for LOCC-conversion within

a class i.e. states are only SLOCC-convertible within their own class). Notable states

belonging to, respectively, the two separate classes are the Greenberger-Horne-Zeilinger

(GHZ) [35] state and the W state:

|GHZ〉 =1√2(|000〉 + |111〉)ABC (1.30)

|W 〉 =1√3(|001〉 + |010〉 + |100〉)ABC. (1.31)

Distinct entanglement classes appear to be the norm for multipartite states, with nine


separate classes in the four-qubit case [36]. Indeed, it was shown in [34] that randomly

chosen pure states are typically not interconvertible. Thus, while several results exist

regarding the purification of pure multipartite states from “noisy” mixed versions of the

same states [37, 38, 39, 40, 41], there is no analogous result to the fungibility of pure

bipartite entanglement.

1.3.1 MREGS

The idea of distinct entanglement classes for multipartite entangled states motivates the

idea, in the many-copy limit, of the minimal reversible entanglement generating set, or

MREGS [42]. An M-party MREGS consists of the smallest set of states |ψi〉 from

which any M-party pure state may be reversibly produced through LOCC. Thus the

EPR pair constitutes a two-party MREGS, as would any other pure bipartite entangled

state, since all such states are asymptotically interconvertible. The presence of distinct

entanglement classes with respect to single-copy SLOCC in the multipartite case implies

that there is no single well-defined MES for such states. Thus for multipartite states an

MREGS might require more than one state.

So far, however, no finite reversible entanglement generating set is known for any

multipartite case3, even the simplest - that of three qubits shared between three par-

ties, Alice, Bob and Charlie. It is known that in this case the three possible EPR pairs

(|Φ〉AB, |Φ〉AC , |Φ〉BC) do not constitute an MREGS [43], nor do the EPR pairs com-

bined with GHZ states [44] or the EPR pairs combined with W states [45].

1.4 Quantum key distribution and entanglement

One application of entangled states is in quantum key distribution (QKD). QKD is

a solution to the practical problem of key distribution in cryptography. Suppose two

3Trivially, the set of all states is a reversible entanglement generating set.


distant parties (Alice and Bob) wish to be able to communicate securely - that is, they

wish to be able to send messages to each other over an open channel (e.g. phone lines,

the internet etc.) which could potentially be intercepted by an eavesdropper (Eve). They

can do this through cryptography - encoding and decoding (in this context, encrypting

and decrypting) the messages at their respective ends of the channel so that the original

message is hard to obtain from what is passed over the channel. It was shown by Shannon

[46] that this could be done with perfect security (i.e. it is impossible for an eavesdropper

to obtain the original message from the encrypted message) if the participants share a

one-time pad - for each N -bit message, this is a shared random sequence of N bits, to be

used once in encryption and decryption (by applying it to the message using an exclusive-

OR (XOR) operation, equivalent to taking the binary sum of key and message) and then

discarded.

In general, such shared sequences (“keys”) are elements (though for less-than-perfectly-

secure systems, not always with such stringent requirements of randomness and single-

use) of many classical cryptography protocols. However, a need for such keys raises the

key distribution problem - how the distant parties are to obtain them in the first place.

Those methods which exist (an initial meeting of the parties, use of a trusted courier

etc.) all have drawbacks in terms of security, speed and convenience.

An alternative to the need for the parties to possess identical keys lies in public-key

cryptography, first (publically) proposed in [47] (though earlier in [48]), in which different

keys are used for the encryption and decryption stages, the encryption key being made

public. However the security of such schemes is generally related to unproven assumptions

regarding the computational cost of certain mathematical tasks - in particular factoring,

which is conjectured but not proven to not be achievable in polynomial time on a classical

computer, but known to be theoretically achievable in polynomial time on a quantum

computer using Shor’s algorithm [49].

QKD allows for provably-secure key distribution whose security is based on the axioms


of quantum mechanics. In particular the security of QKD can be regarded as stemming

from the uncertainty principle and the no-cloning theorem - that one cannot, in general,

ascertain the state of a quantum system through measurement without changing that

system, and that one cannot make copies of an unknown quantum system. In QKD, in

general, Alice and Bob generate their shared key from quantum states sent over an open

channel - while they cannot prevent eavesdropping, any eavesdropping can be detected by

sampling the states for errors potentially introduced by an eavesdropper’s measurements.

The earliest QKD protocol proposed was BB84, by Bennett and Brassard [50] and its

security was later proven in [51].

QKD has close ties to entanglement. It is straightforward to see, from the form of

(1.3), that if Alice and Bob share an EPR pair they can easily share a random bit, simply

by both making a computational basis |0〉, |1〉 measurement.

An EPR-based QKD scheme by Ekert [52] was one of the earliest proposed - this

consisted of the two parties receiving an EPR pair from a third source and verifying

security through Bell inequalities. Another possible QKD scheme, though, would be for

Alice to locally create EPR pairs and send halves of them to Bob. Any eavesdropping by

Eve (or any noise in the channel) would result in the pure EPR pairs degrading to some

mixed state, from which Alice and Bob could then perform a purification protocol to

obtain pure EPR pairs and hence a secure key4. While the purification would, in general,

require some classical communication, if Alice and Bob could perform this efficiently

using some pre-existing secure key, such that fewer secure bits were used than created in

the protocol, the scheme would work as a “key-growing” protocol5.

The usefulness of entanglement distillation for QKD arises not just because computational-

basis measurements on an EPR pair give Alice and Bob random bits correlated with each

4The non-trivial aspect of such protocols is generally in efficiently verifying that the output statesare EPR pairs.

5Strictly speaking all QKDs are key-growing protocols, as they all require some initial secure key, ifonly to authenticate the classical communication (i.e. allow Alice and Bob to prove their identities toeach other.)


other (which could also be achieved using, say, the fully mixed product state (1.20)), but

because these are necessarily uncorrelated with any other party, a consequence of the

“monogamy of entanglement” (states fully entangled with each other cannot be entan-

gled with any other state [53] - by contrast Eve could hold the purification of (1.20) and

consequently know Alice and Bob’s qubits). This idea of entanglement distillation as a

means of achieving security has been used in many QKD security proofs.

We note, however, that while there are clear connections between entanglement and

QKD, and it is clear that a supply of EPR pairs is sufficient to perform QKD, it is

known that, surprisingly, distillable entanglement is not necessary for QKD. In [54] the

class of “private states” (from which Alice and Bob can obtain a secure key, assuming in

general that Eve holds the state’s purification) was shown, in general, to be the result of

a “twisting” operation on maximally-entangled states. (Here “twisting” consists of Alice

and Bob applying identical joint unitaries to some ancillary systems of the measured state,

conditioned on the measured state). The general class of private states are necessary

and sufficient for the generation of secure bipartite keys [54] and formalisms have been

developed to distill such states from “noisy” copies thereof [55]. Such private states can

be bound-entangled, even having arbitrarily small distillable entanglement [56]. Thus one

can sometimes obtain secure keys from states from which no EPR pairs can be obtained.

1.5 Our results

As discussed above, then, the description of entanglement in the resource model concerns

the possible conversions of entangled states to other communication resources. Such

conversions can demonstrate important properties of entanglement via abstract examples,

such as the fungibility of pure bipartite entanglement in the many-copy limit, or consider

more practically-achievable protocols with real-world applications, such as in the use of

entangled states to obtain shared secure classical information in QKD.


In the former case, while (especially for multipartite states) numerous inequivalent

conversions between arbitrary states could be considered, most interesting are those which

demonstrate general and/or previously unknown characteristics of entangled states, such

as to provide genuine insight into the properties of these states as a resource.

In our work we consider three main topics, all related to the properties of entangled

states in the resource model.

1.5.1 Classical communication cost in entanglement dilution

In Chapter 2 we consider a resource which is often neglected in the resource model of en-

tanglement - the classical communication required for conversion between pure bipartite

states. As discussed above, such conversions are known to be asymptotically efficient in

terms of the entanglement required, but, despite being a cost of the conversion, classi-

cal communication is often not considered in such LOCC protocols. Prior results have

established bounds for the classical communication required for conversion to and from

EPR pairs, but not more general conversions.

Using a quantitative analysis of known conversion protocols we find lower bounds for

the classical communication and inefficiency (the amount of lost entanglement) required

in conversion between general pure bipartite states. This gives a more complete picture

of bipartite entanglement as a resource. This chapter covers work published in [57]6; a

summary of some the earlier results was also given in [58]7.

1.5.2 Random distillation of multipartite entanglement

In Chapter 3 we consider pure-state entanglement conversions for multipartite states.

As discussed in the preceding sections, relatively little is known about such conversions

compared to their bipartite counterparts and with no known equivalent result to the

6Copyright (2005) by the American Physical Society7Copyright IEEE (2005)


fungibility of pure bipartite entanglement, it is not clear what target states are of most

interest in a resource model.

However, because of the many results concerning bipartite entanglement as a resource,

a class of conversions which are therefore of obvious interest is that of multipartite states

to bipartite states - if we can establish what bipartite states can be obtained from a

given multipartite state, then we can apply our knowledge of what can be achieved with

bipartite states to a multipartite resource model.

Of course, conversion from multipartite to bipartite states introduces a new degree

of freedom - we have a choice of which two parties will share the final state. Prior work

in this area has focused on protocols in which some pair of parties is chosen beforehand

to receive the final state, with a related measure, the “entanglement of assistance”,

quantifying the amount of entanglement obtainable this way.

We show the surprising new result that one can, in general, achieve qualitatively

different outcomes if the parties are post-selected - that is, by using protocols in which

the parties receiving the final entangled state are randomly determined. This is not

restricted to the case of multipartite→bipartite conversion; in general the additional

degree of freedom applies to any conversion from a multipartite state to one shared

between fewer parties.

We show a variety of results related to such “random distillation”, including protocols,

bounds on what can be achieved, its applicability to the multiple-copy case and the

potential for performing random distillation experimentally in trapped ions. This work

demonstrates that considering multipartite states in the resource model allows for distinct

protocols without bipartite counterparts, allowing for conversions between states not

previously known to be possible.

The original random distillation concept, basic protocol for three-party W states and

upper bounds in terms of the relative entropy of entanglement were originally published


in [59]8, while the refined definition of “advantageous” random distillation and its appli-

cation to the GHZ and W classes of three-party states and to the many-copy case were

originally published in [60]9.

1.5.3 Experimental GHZ-based QKD

In Chapter 4 we consider a practical application of multipartite entanglement, a three-

party experimental QKD based on shared GHZ states. Prior work has shown this GHZ-

based protocol to be theoretically feasible in an idealised case, and it can in principle be

implemented experimentally using only two-party entangled states (much as, say, BB84

can be proven secure by reference to two-party entanglement purification but imple-

mented using unentangled states).

In collaboration with an experimental implementation of the GHZ QKD using qubits

encoded as polarisation-entangled photons created through parametric downconversion,

we consider the insecurities in this setup arising from a non-ideal source, namely a down-

conversion source producing pairs and single photons in addition to the photon pairs we

desire, the extra photons being of potential use to an eavesdropper. Given these imper-

fections, which are distinct to the multiparty setup, along with distinct countermeasures

applied to deal with them, we apply existing techniques in two- and three-party QKD and

numerical optimisation to determine what secure key rate can be achieved experimentally.

This work demonstrates that practical applications of multipartite entangled states

can raise both problems and solutions distinct from the bipartite case, but may nonethe-

less be amenable to analysis based on bipartite results.

The work in this chapter is currently unpublished, but various stages have been

presented at conferences [61, 62, 63].

In addition to other collaborators (mentioned in the relevant chapters), all of the

8Copyright (2007) by the American Physical Society9Copyright (2008) by the American Physical Society


above work was conducted under the supervision of and in collaboration with Prof. Hoi-

Kwong Lo (PhD advisor).

Chapter 2

Classical communication cost in

entanglement dilution

2.1 Introduction

As discussed in section 1.2.2, partially-entangled pure bipartite states (of the form |ψ〉 =

α|00〉 + β|11〉) may be reversibly converted [26] to EPR pairs in the many-copy limit,

showing pure-state bipartite entanglement to be a fungible resource in the resource model.

In this chapter, we will consider an additional aspect of the resources required for such

conversions - the classical communication cost. We will derive an explicit lower bound

on both the classical communication cost and inefficiency in converting between general

pure bipartite states - the results in this chapter may be found in [57].

In the resource model of entanglement, classical communication is often regarded

as “free” insofar as all that is considered is what can be achieved under LOCC with a

given entangled system, without regard to how much classical communication is required.

There is some motivation for this from a practical point of view - fast and reliable classical

communication channels (telephone lines, computer networks etc.) are commonplace and

easily implemented in comparison with controlled quantum operations and the exchange

24

Chapter 2. Classical communication cost in entanglement dilution 25

of quantum information, both of which are typically much more challenging. Thus as far

as practical implementation is concerned, classical communication is “free” compared to

quantum communication. Moreover, as discussed in Chapter 1, classical communication

is qualitatively less powerful than quantum communication, so not considering the former

still allows for a consistent resource model.

However classical communication is nonetheless a useful resource, whose quantifica-

tion with respect to performing operations is the subject of an extensive body of work

in classical communication theory. In addition the quantum “primitive” of dense coding

is a protocol whose purpose is to maximise classical communication using quantum re-

sources - if creating EPR pairs from partially entangled states required too much classical

communication, then dense coding would not be feasible with such states, it would be

a protocol requiring EPR pairs specifically, rather than simply bipartite entanglement.

Moreover, as with other classical quantities, classical communication can be regarded as

a limiting case of quantum communication - a complete theory should be able to consider

all the types of resource involved. This motivates quantifying the classical communication

involved in entanglement manipulations.

2.1.1 BBPS entanglement concentration and dilution

We will first summarise the principles behind the BBPS protocols of Bennett et al [26].

Crucial to these is the idea of a “typical space” - that is, that while N copies of a D

dimensional system occupy a DN -dimensional Hilbert space, they do not, in general,

do so uniformly, with much of the “weight” of the quantum system occupying a smaller,

“typical” space. Roughly speaking, this is the region of the Hilbert space where the state’s

amplitude is largest; the subspace into which one would with high probability find the

system following a projective measurement into subspaces. This is a basic concept in

both classical [11, 64] and quantum [65, 4] information theory.

The BBPS protocols exploit this property directly - in the case of entanglement


concentration (converting large numbers of partially-entangled states to smaller numbers

of EPR pairs) one of the two parties (Alice and Bob) performs a projective measurement

on their half of the partially entangled states, projecting the system (with probability

→ 1 in the large N limit) into a space which, as is shown in [26], is maximally entangled

with respect to its dimensions (that is, it occupies a (2 ⊗ 2)⊗M Hilbert space and has

entanglement entropy M) and can be converted via local operations to M EPR pairs.

The local operations required to do this are dictated only by the outcome of this

projective measurement, thus the only classical communication the parties might require

would be for the measuring party to inform the other of the outcome. However, since

the measurement is one which either party can locally perform to determine the state of

the system, this communication can be avoided (as noted in [26]) simply by the second

party making the equivalent local measurement (and receiving the same outcome). Thus

no classical communication is required in two-party pure-state entanglement

concentration to EPR pairs.

However, in [26], classical communication is required for entanglement dilution. This

is because the dilution protocol proceeds by one party locally preparing the typical sub-

space of ψ⊗N where ψ is the desired partially entangled state and using M shared EPR

pairs to teleport their half of the system to the other party. This process is efficient

(i.e. the entanglement lost per EPR pair → 0) in the large N limit because in this

case the error between the typical subspace and the full system is negligible. (This is

a form of “quantum compression” of the state, encoding it using an asymptotically effi-

cient scheme, analogous to classical Shannon coding and derived for the quantum case

by Schumacher [65].) However, as described in [18], quantum teleportation does require

classical communication for the receiving party to apply the appropriate local unitary to

recover the teleported state - two classical bits per qubit. Thus entanglement dilution of

EPR pairs to N copies of a state ψ via the BBPS protocol requires 2N bits of classical

communication.


2.2 Prior work

We will refer frequently to the work of Lo and Popescu [66]. They considered the case

of diluting partially entangled bipartite states to EPR pairs, and showed that in the

asymptotic limit of large N , a dilution

|Φ〉⊗NE(ψ) → |ψ〉⊗N (2.1)

(where E is the entanglement entropy) could be achieved with O(√N) bits of classical

communication, thus the classical communication cost per copy goes as O(√N)/N and

→ 0 in the many-copy limit. Much of our work here consists of a generalisation of the

methods in this paper.

It was later shown by Harrow and Lo [67] and independently by Hayden and Winter

[68] that there is a lower bound on the classical communication cost of this dilution of

O(√N) bits and a lower bound on the inefficiency of this dilution (i.e. the number of

ebits lost in the dilution) of O(√N) bits also (so the process can still be asymptotically

efficient with inefficiency per ebit → 0). Specifically, it was shown in [67] that, for dilution

from M EPR pairs to N copies of a state ψ in this limit, with probability of success 2−s

using c bits of classical communication:

M ≥ NE(ψ) + αψ√N (2.2)

c+ s ≥ αψ√N (2.3)

where for |ψ〉〈ψ| having eigenvalues pi

α2ψ ≡

∑

i

pi(log2 pi + E(ψ))2 (αψ > 0). (2.4)

These results all apply solely to dilution from EPR pairs to partially entangled states

and do not address the situation of conversion between multiple copies of two different

partially entangled states, e.g. from roughly NE(ψ2)/E(ψ1) copies of an entangled state

ψ1 to N copies of an entangled state ψ2. Some results regarding dilutions of this kind


follow immediately from the above results - it is clear from [26] that one can perform

such a dilution asymptotically efficiently, by efficient concentration from the initial state

to EPR pairs followed by efficient dilution from EPR pairs to the final state. Likewise

there is an upper limit of O(√N) bits of classical communication required for such a

dilution, since one can always concentrate to EPR pairs (at zero classical communication

cost) and then dilute via the Lo-Popescu protocol at a cost of O(√N) bits.

However it is not immediately clear what, if any, lower bound applies to the ineffi-

ciency and classical communication cost of converting between partially entangled states

- the above results do not forbid there being a cost of e.g. zero or O(log2N) bits, though

intuitively one would expect there to be a non-zero cost in, for example, diluting from a

state very close to an EPR state.

In our work:

1. We construct explicit bounds on the classical communication cost and inefficiency

for conversion between partially entangled states.

2. We give explicit examples of partially entangled states that require O(√N) bits

of classical communications between their inter-conversion and likewise for ineffi-

ciency.

3. To do so, we have also worked out the dependence of the coefficient of the O(√N)

term in the classical communication cost on the error (as measured in trace dis-

tance) in the Lo-Popescu protocol for entanglement dilution.

2.3 Our method

We consider the conversion of many copies of some pure bipartite state ψ1 to another

pure bipartite state ψ2. Since we know that conversion of such states to and from EPR

pairs can proceed asymptotically efficiently, we wish to convert roughly NE(ψ2)/E(ψ1)


copies of ψ1 to N copies of ψ2.

We are interested in the classical communication cost of doing so and also the inef-

ficiency (which we know to be of subleading order but non-zero in general). Except in

the concluding section, we will focus on the case where ψ1 and ψ2 each have a Schmidt

number of only two. In other words, |ψ1〉 = a1|00〉 + b1|11〉 and ψ2 = a2|00〉 + b2|11〉,

where |ai|2 + |bi|2 = 1.

The method we use was proposed in [67] and its idea is to consider a two-stage

dilution. First, roughly NE(ψ2) EPR pairs are diluted to roughly NE(ψ2)/E(ψ1) copies

of a state ψ1 via the Lo-Popescu protocol, using β√N bits of classical communication for

some β. These are then converted to roughly N copies of a state ψ2 via some unknown

protocol, using m bits of classical communication. This two-stage process is one way

of implementing the dilution from EPR pairs to ψ2 and must therefore obey the lower

bound of Harrow-Lo [67] and Hayden-Winter [68]. The method is illustrated graphically

in Figure 2.1. Thus we have that

β√N +m ≥ αψ2

√N

m ≥ (αψ2 − β)√N. (2.5)

Hence we can derive a lower limit on the classical communication cost of the conversion

from ψ1 to ψ2 if we can calculate the coefficient β. This is not derived in [66] and we do

so here.

2.4 Classical communication cost in Lo-Popescu

In principle, the parameter β may depend on the target state in question, the allowable

error and/or success probability of the Lo-Popescu protocol. However the explicit de-

pendence of β on these parameters is not derived in [66]. In this section we explain the

principles of the Lo-Popescu protocol and work out this dependence in detail.


m bits CC

|ψ2〉⊗N

Error ≤ ǫ

Error ≤ ǫ2

Error ≤ ǫ1

≥ αψ2

√N bits CC

β√N bits CC

|ψ1〉⊗NE(ψ2)

E(ψ1)

|EPR〉⊗NE(ψ2)

Figure 2.1: Classical communication (CC) costs of entanglement dilution via a two-

stage protocol, Lo-Popescu followed by some unknown protocol for dilution between

partially entangled states. The right-hand side gives the Harrow-Lo bound on classical

communication for the whole process.

The essential idea of [66] is that, qualitatively, a system consisting of NE(ψ) EPR

pairs is quite close to ψ⊗N . Hence, instead of creating ψ⊗N locally and then using EPR

pairs to teleport it, it may be possible to teleport only a quantum state which constitutes

some small difference between the two systems, leaving most of the EPR pairs untouched.

Less teleportation results in less classical communication.

We consider now what a system of, say, d EPR pairs looks like. We see that a state

|Φ〉⊗d =

(1√2(|00〉 + |11〉)

)⊗d

AB

(2.6)

has (when expanded in the computational basis) 2M orthogonal terms of equal amplitude

e.g. |00 . . . 0〉A|00 . . . 0〉B, |00 . . . 10〉A|00 . . . 10〉B etc. Note that the “Alice” parts of each

term are all orthogonal, likewise the “Bob” parts. Hence this expansion is already in

Schmidt form, and we can equivalently express the state as

|Φ〉⊗d =1√2d

2d∑

i=1

|i〉A|i〉B. (2.7)


Hence any bipartite state with 2d Schmidt terms is equivalent up to local unitaries to

|Φ〉⊗d and parties wishing to obtain such a state from d EPR pairs need perform no

teleportation at all.

Suppose that two parties instead wish to share a state expressible as |Φ〉⊗d ⊗ ∆ for

some general state ∆, then the parties need only teleport the state ∆. This may also

be satisfactory for a desired state |Φ〉⊗d ⊗ ∆ + ǫLP , provided that the error term ǫLP is

sufficiently small.

In [66] it is shown how, by appropriate grouping of the terms of the expansion of

|ψ〉⊗N , one may express such a state as

|ψ〉⊗N = |Φ〉⊗d ⊗ |∆〉 + |ǫLP 〉 (2.8)

where those terms making up u1 ≡ Φd ⊗∆ have high degeneracy of approximately 2d in

their Schmidt coefficients and those in the error term ǫLP have low degeneracy.

The terms in the expansion are divided between u1 and ǫLP in such a way as to ensure

that those in u1 have a large common factor d = NE(ψ) − O(√N) in their degeneracy,

allowing u1 to expressed as Φd⊗∆. This is done largely by assigning most of the typical

terms of the expansion to u1.

In diluting from EPR pairs Φ, all that needs to be teleported is one half of the

residual state ∆ with dimension 2O(√N) and thus only O(

√N) bits are required compared

to the 2N bits that would be needed to teleport the entire state ψ⊗N to perform the

dilution naıvely. The exact amount of classical communication needed can be bounded

by comparing the dimension of u1 with d - we will calculate this in the following sections.

2.4.1 Error size

The size of the coefficient on√N in the classical communication cost depends on the

allowable error ǫLP . We derive this dependency for the general two-term case |ψ〉 =

a|00〉+b|11〉. Thus a term in the expansion |ψ〉⊗N has amplitude akbN−k. The degeneracy


of coefficients in |ψ〉⊗N containing k a’s is(Nk

), the binomial coefficient defined as

(N

k

)

≡ N !

k!(N − k)!. (2.9)

We define p = |a|2, q = |b|2 = 1 − p, and, disregarding the trivial case of p = q

(corresponding to an EPR pair as the target state, requiring no dilution) assume (without

further loss of generality) that p < q.

As in [66], we define the typical set as those coefficients for which

2NE(ψ)−γ√N ≤

(N

k

)

≤ 2NE(ψ)+γ√N (2.10)

for some coefficient γ. We wish to find what range of k this corresponds to.

Using Stirling’s approximation for N !, we have following well-known lemma:

Lemma 2.1:

ln

(N

k

)

→ −N ln 2 ×H2

(k

N

)

±O(logN) (2.11)

Proof: See Appendix A.1.

We thus have that(N

k

)

= 2NH2(k/N)±O(logN) (2.12)

where H2 is the binary entropy function. Hence, defining Hk ≡ H2(k/N), the typical set

(2.10) corresponds to a range

E(ψ) − γ/√N ±O

(logN

N

)

≤ Hk ≤ E(ψ) + γ/√N ± O

(logN

N

)

. (2.13)

With our assumption p < q we have the following lemma:

Lemma 2.2: The range (2.13) corresponds to the range in k

Np− γ√N

log2(q/p)±O (logN) ≤ k ≤ Np+

γ√N

log2(q/p)± O (logN) . (2.14)

Proof: See Appendix A.2.


Thus the typical set corresponds to these values of k, with the remaining terms forming

the atypical set. The contribution ǫLP1 of the atypical set to the total weight of the state

〈ψ⊗N |ψ⊗N〉 is

ǫLP1 =∑

katypical

(N

k

)

pkqN−k, (2.15)

a binomial distribution for which in the large N limit we can use the Gaussian approxi-

mation as given in e.g. [69]

(N

k

)

pkqN−k ∼ e−(k−Np)2

2Npq

√2πNpq

. (2.16)

where the symbol ∼ denotes that the ratio of the terms on either side tends to 1 in the

limit N → ∞. Thus we have, approximating the sum to an integral,

ǫLP1 =1√

2πNpq

∫ Np− γ√

Nlog2(q/p)

±O(logN)

−∞e−

(k−Np)2

2Npq dk

+1√

2πNpq

∫ ∞

Np+ γ√

Nlog2(q/p)

±O(logN)

e−(k−Np)2

2Npq dk + δi (2.17)

= 2 × 1√2πNpq

∫ Np− γ√

Nlog2(q/p)

±O(logN)

−∞e−

(k−Np)2

2Npq dk + δi (2.18)

= 2 ×(

1 − 1√2π

∫ γ/α±O“

log N√N

”

−∞e−x

2/2dx

)

± δi (2.19)

where α ≡ √pq log2(q/p) =

√∑

i pi[log2 pi + E(ψ)]2, the same α(ψ) defined in [67]. The

error δi in the approximation of the sum over binomial terms to a Gaussian integral is

given by the Berry-Esseen bound [69] as O(

1√N

)

.

We are not aware of any analytical expression for (2.19), but it may be bounded [69]

as

√

2

π

(1

(γ/α)− 1

(γ/α)3

)

e−12(

γα)

2

± O

(logN√N

)

≤ ǫLP1

≤√

2

π

(1

(γ/α)

)

e−12(

γα)

2

±O

(logN√N

)

. (2.20)

However, the error term ǫLP in (2.8) does not consist only of atypical terms. This is

because, as described in [66], while every term in the typical set has a large degeneracy


2NE(ψ)−O(√N) there is not necessarily a large common factor to these degeneracies. To

ensure such a factor, the typical-set is “coarse-grained”, with terms with each k grouped

in nk “bins” of size 2NE(ψ)−ω√N where ω > γ, such that, for every k in the typical set,

nk2NE(ψ)−ω

√N ≤

(N

k

)

≤ (nk + 1)2NE(ψ)−ω√N . (2.21)

For each k, only nk2NE(ψ)−ω

√N of the terms are kept in u1 and the remainder are assigned

to the error term. This ensures a large common degeneracy for the terms in u1 of

2NE(ψ)−ω√N .

Theorem 2.1 The contribution ǫLP 2 to 〈ǫLP |ǫLP 〉, due to those typical terms which are

grouped in the error term in Lo-Popescu’s protocol, falls off exponentially with N . Hence

〈ǫLP |ǫLP 〉 = ǫLP1 ±O(c−N) for some positive constant c > 1.

Proof: As noted in [66], the terms with typical k assigned to the error term have

a degeneracy(Nk

)− nk2

NE(ψ)−ω√N ≤ 2NE(ψ)−ω

√N , and thus their contribution ǫLP2 to

〈ǫLP |ǫLP 〉 satisfies

ǫLP2 ≤ 2NE(ψ)−ω√N∑

ktypical

pkqN−k (2.22)

Given the assumption p < q, the function pkqN−k = qN (p/q)k decreases monotonically

with k, hence we have

∑

ktypical

pkqN−k ≤∫ ⌈Np γ

√N

log2(q/p)⌉

⌊Np γ√

Nlog2(q/p)

⌋pkqN−kdk. (2.23)

Hence

ǫLP2 ≤ 2NE(ψ)−ω√NqN

∫ Np+ γ√

Nlog2(q/p)

+1

Np− γ√

Nlog2(q/p)

−1

(p/q)kdk (2.24)

=2−ω

√N

ln(q/p)

[

2γ√N±O(c−N ) − 2−γ

√N±O(c−N )

]

(2.25)

∼ 2−(ω−γ)√N

ln(q/p). (2.26)

Thus we can choose ω = γ + δ for positive δ → 0, so that the above term is ex-

ponentially small. Hence 〈ǫLP |ǫLP 〉 ∼ ǫLP1 and hence we have a common degeneracy


of 2NE(ψ)−γ√N±O(logN) to the terms in u1, thus u1 can be expressed as Φd ⊗ ∆ where

d = NE(ψ) − γ√N ±O(logN).

Theorem 2.2: The error term ǫLP1 in Lo-Popescu’s protocol is bounded by Eq. (2.20)

whose upper bound may be inverted to give

γ

α≤√

W

(2

πǫ2LP1

)

± O

(logN√N

)

(2.27)

where W () is the Lambert W function [70], defined such that

W (x)eW (x) = x. (2.28)

Proof: It is clear from Eq.(2.19) that for a given ǫLP1 , the largest value of γ/α corresponds

to the inverse of the upper bound. The form of the inverse follows from the definition of

W (x).

2.4.2 Classical communication cost

Sch(u1), the Schmidt number of u1, is simply∑

ktypical

(Nk

). We are not aware of any ana-

lytical expression for this sum, but it may be trivially bounded (as noted more generally

in [71]) by the definition of the typical set in (2.10) and the associated range in k (2.14)

2NE(ψ)+γ√N ≤

∑

ktypical

(N

k

)

≤(

2γ√N

log2(q/p)± O (logN)

)

· 2NE(ψ)+γ√N . (2.29)

Thus we find

Sch(u1) = 2NE(ψ)+γ√N±O(logN). (2.30)

Since u1 = Φd ⊗ ∆ we have that

Sch(∆) = 2NE(ψ)+γ√N−d±O(logN)

= 22γ√N±O(logN). (2.31)

It was shown in [72] that production of a known entangled state via quantum telepor-

tation can be performed with half the classical communication cost of naıve teleportation


of the state. Hence:

Lemma 2.3: The asymptotic classical communication cost of diluting from EPR pairs to

N copies of a state ψ via Lo-Popescu is 12×2×2γ

√N±O(logN) = 2γ

√N±O(logN) bits.

Proof : As above.

2.5 Relation between protocol errors

As shown above the classical communication cost of the Lo-Popescu protocol is a function

of the allowable error in that protocol ǫLP . We will now relate the error in our-two-stage

protocol to ǫLP .

We first define the trace distance D between states with density matrices σ and ρ as

D(σ, ρ) ≡ Tr|σ − ρ|. (2.32)

In our two-stage protocol, we start with roughly NE(ψ2) EPR pairs with an overall

density matrix σ. We then dilute using Lo-Popescu to a state Λ′ which is close to the

desired state of NE(ψ2)/E(ψ1) copies of ψ1, with density matrix Λ. Finally we dilute Λ′

via some unknown protocol to ρ′′, close to the desired state ρ of N copies of a state ψ2.

ρ′′ differs from ρ due to the errors introduced at both dilution stages - we in addition

define ρ′ as the state which one would acquire from the unknown protocol if Λ was used

as the input state.

We define the upper bounds of the errors in the protocols as follows:

D(Λ,Λ′) ≤ ǫ1 (error in Lo-Popescu) (2.33)

D(ρ′, ρ) ≤ ǫ2 (error in unknown protocol) (2.34)

D(ρ′′, ρ) ≤ ǫ (overall error in two-stage protocol). (2.35)

The above is illustrated in Figure 2.2.


S2

S1

Error ≤ ǫ2

Unknown protocol

Error ≤ ǫ1

Lo-Popescu

S2 Error ≤ ǫ2

Unknown protocol

ρ′ ≡ |ψN2 〉〈ψN2 | + errorρ′′ ≡ |ψN2 〉〈ψN2 | + error + error

ρ ≡ |ΦNE(ψ2)〉〈ΦNE(ψ2)|

Λ′ ≡ |ψNE(ψ2)E(ψ1)

1 〉〈ψNE(ψ2)E(ψ1)

1 | + error Λ ≡ |ψNE(ψ2)E(ψ1)

1 〉〈ψNE(ψ2)E(ψ1)

1 |

Figure 2.2: Errors for different stages of the two-stage dilution

Since our final bounds will depend only on ǫ2 we are free to choose our allowable

error ǫ1 in the Lo-Popescu dilution as long as it is consistent with the requirement of the

Harrow-Lo bound (under “Definition of error” in Theorem 1 of [67]) that

D(ρ, ρ′′) ≤ 0.01. (2.36)

We can describe the Lo-Popescu dilution as a trace-preserving operation S1, likewise

the unknown protocol as a trace-preserving operation S2, so that

Λ′ = S1σ

ρ′′ = S2Λ′ = S2S1σ

ρ′ = S2Λ.


From the triangle inequality (see for example [4]), we have that:

ǫ2 = D(ρ′′, ρ) = D(S2S1σ, ρ)

≤ D(S2S1σ, S2Λ) +D(S2Λ, ρ)

≤ D(S1σ,Λ) +D(Λ, ρ)

= D(S1σ,Λ) + ǫ2

since trace-preserving quantum operations are contractive (applying S2 cannot increase

the trace distance). We have

D(S1σ,Λ) + ǫ2 = D(Λ,Λ′) + ǫ2

= ǫ1 + ǫ2

hence

D(ρ, ρ′′) ≤ ǫ1 + ǫ2. (2.37)

In performing a two-stage dilution, we are free to choose the ǫ1 for our Lo-Popescu

protocol. However in order to derive inefficiency and classical communication bounds

for the second stage we must be able to apply the Harrow-Lo bound and hence must

satisfy (2.36). But given this restriction, we would like ǫ1 to be as large as possible so

that γ/αψ1 is small and hence the inefficiency and classical communication bounds are

restrictive. E.g. taking ǫ1 → 0 would give γ/α → ∞ and hence no meaningful bound

(since the Lo-Popescu classical communication cost and inefficiency would then be very

large for almost all ψ1 and hence satisfy the Harrow-Lo bound without the need for any

classical communication or inefficiency from the second stage of the dilution). -Thus for

given ǫ2 < 0.01, from (2.37) we satisfy (2.36) by setting

ǫ1 = 0.01 − ǫ2. (2.38)

In Lo-Popescu the (normalized) state obtained is |Φd ⊗ ∆ + ǫLP 〉〈Φd ⊗ ∆ + ǫLP | and


the (normalized) desired state is |Φd⊗∆〉〈Φd⊗∆|1−ǫLP1

. Thus we find, from Claim 1:

Tr|Λ′ − Λ| = Tr

∣∣∣∣∣

|Φd ⊗ ∆〉〈Φd ⊗ ∆|1 − ǫLP1

− |Φd ⊗ ∆ + ǫLP 〉〈Φd ⊗ ∆ + ǫLP |∣∣∣∣∣

(2.39)

= Tr

∣∣∣∣∣

ǫLP1|Φd ⊗ ∆〉〈Φd ⊗ ∆|1 − ǫLP1

− |Φd ⊗ ∆〉〈ǫLP | − |ǫLP1〉〈Φd ⊗ ∆| − |ǫLP 〉〈ǫLP |∣∣∣∣∣

= Tr

∣∣∣∣

ǫLP1 |Φd ⊗ ∆〉〈Φd ⊗ ∆|1 − ǫLP1

− |ǫLP 〉〈ǫLP |∣∣∣∣

= |ǫLP1 | + | − ǫLP1 | ±O(c−N) = 2ǫLP1 ± + ≤ ǫ1 (2.40)

since 〈ǫLP |ǫLP 〉 = ǫLP1 ± O(c−N). Thus for a chosen allowable error ǫ1, ǫLP1 ≤ ǫ12±

O(c−N). Hence from Claim 2:

γ/α ≤√

W

(8

π(0.01 − ǫ2)2

)

± O

(logN√N

)

(2.41)

and so for a given stage 2 error ǫ2 ≤ 0.01, from Lemma 2.3, we can begin our two-stage

dilution with a Lo-Popescu dilution with a classical communication cost no greater than

2

√

W

(8

π(0.01 − ǫ2)2

)

αψ1

√

NE(ψ2)

E(ψ1)± O(logN) bits. (2.42)

Applying the bound in [67] and using Eq. (2.5) and Eq. (2.42)

m ≥(

αψ2 − 2

√

W

(8

π(0.01 − ǫ2)2

)

αψ1

√

E(ψ2)

E(ψ1)

)

√N ± O(logN) bits. (2.43)

As one would expect, this bound is strictest for a dilution protocol with ǫ2 = 0, for

which we have

m ≥(

αψ2 − 5.68αψ1

√

E(ψ2)

E(ψ1)

)√N ± O(logN) bits. (2.44)

where the figure 5.68 is to two decimal places.

2.6 The inefficiency bound

We can do an analogous calculation of the inefficiency in dilution between partially

entangled states by considering the same two-stage dilution as before and the ebits lost


at each stage, since we know that (ebits lost in Lo-Popescu dilution from EPR pairs to

ψ1)+(ebits lost in dilution from ψ1 to ψ2) ≥ the lower bound on inefficiency given in [67]

= αψ2

√N ebits.

2.6.1 Inefficiency in Lo-Popescu

In the Lo-Popescu protocol the only state that needs to be teleported is ∆ and the

inefficiency arises in this teleportation, which requires log2(Sch(∆)) ebits to teleport but

which only provides E(∆) ebits of shared entanglement.

The entanglement entropy (i.e. the Von Neumann entropy of the reduced state) of

those terms in ǫLP2, denoted E(ǫLP2 is bounded

E(ǫLP2) ≤ −2NE(ψ)−ω√N∑

ktypical

pkqN−k log2(2NE(ψ)−ω

√NpkqN−k). (2.45)

Since the sum in the above expression is at most polynomial in N , the entanglement

entropy of u1 is close to that of the typical set.

E(u1) = −∑

ktypical

(N

k

)

pkqN−k log2(pkqN−k) ±O(c−N) (2.46)

=−1√

2πNpq(N log2 q)

∫ Np+ γ√

Nlog2(q/p)

Np− γ√

Nlog2(q/p)

e−(k−Np)2/2Npqdk + δi2

=−1√2π

[

N log2 q

∫ γ/α

−γ/αe−x

2/2dx+Np log2(p/q)

∫ γ/α

−γ/αe−x

2/2dx

+√Npq

∫ γ/α

−γ/αxe−x

2/2dx

]

+ δi2

=NE(ψ)√

2π

∫ γ/α

−γ/αe−x

2/2dx+ δi2

= NE(ψ)[1 − ǫLP1 ] + δi2 (2.47)

where δi2 is O(

1√N

)

. However we recall that u1 is unnormalised, and the entanglement


entropy S ′u of normalised u1 satisfies

S ′u = E

(u1

1 − ǫLP1

)

(2.48)

=1

1 − ǫLP1

(E(u1) + log2(1 − ǫLP1)) (2.49)

= NE(ψ) + log2(1 − ǫLP1) ±O

(1√N

)

. (2.50)

We recall u1 = Φd ⊗ ∆, thus the entanglement of ∆ is NE(Ψ) − d = γ√N ± O

(1√N

)

.

So from equation (2.31) the asymptotic inefficiency (the number of ebits lost) in diluting

from EPR pairs to N copies of ψ via Lo-Popescu is

log2(Sch(∆))−E(∆) = 2γ√N±O(logN)−γ

√N±O

(1√N

)

= γ√N±O(logN) ebits.

(2.51)

For the two-stage dilution, as described in section 2.5, we can always choose our error

in Lo-Popescu such that γ/α ≤√

W(

8π(0.01−ǫ2)2

)

±O(

logN√N

)

and so from the Harrow-Lo

inefficiency bound we have that, for a loss of k ebits from the unknown protocol

√

W

(8

π(0.01 − ǫ2)2

)

αψ1

√

NE(ψ2)

E(ψ1)+ k ≥ αψ2

√N ± O(logN) (2.52)

k ≥(

αψ2 −√

W

(8

π(0.01 − ǫ2)2

)

αψ1

√

E(ψ2)

E(ψ1)

)√N ± O(logN) ebits. (2.53)

with the strictest bound again for an error ǫ2 = 0, with a minimum inefficiency of

2.84αψ2

√N (to two decimal places) ebits, half of the bits in the classical communication

cost bound.

2.7 Discussion of bounds

The forms of the classical communication and inefficiency bounds in (2.42) and (2.53)

are not very intuitively clear. In this section we discuss their behaviour as a function of

the initial and final states and the protocol error.


Figure 2.3: Plots of 2ζ(ǫ2) as a function of ǫ2

As discussed in [67], we could impose an absolute ordering on entangled states in

terms of their classical communication cost if the cost was non-zero for converting from

state ψ1 to ψ2 iff E(ψ1)α(ψ1)

> E(ψ2)α(ψ2)

. Instead our bound (which we do not claim to be tight)

provides a partial ordering, such that the cost is non-zero if

E(ψ1)

αψ1

≥ 2ζ(ǫ2)E(ψ2)

αψ2

. (2.54)

where we define the function

ζ(ǫ2) ≡√

W

(8

π(0.01 − ǫ2)2

)

. (2.55)

Similarly non-zero inefficiency occurs for

E(ψ1)

αψ1

≥ ζ(ǫ2)E(ψ2)

αψ2

. (2.56)

A plot of 2ζ(ǫ2) against ǫ2 is given in Figure 2.3.

As noted earlier, 2ζ has a minimum value of approximately 5.68 and, as seen in Figure

2.3, grows rapidly with larger values of ǫ2 - this limits the range of conversions for which


we have non-zero bounds. The regions satisfying (2.55) for given protocol errors ǫ2 are

shown as the areas below the curves in Figure 2.4, as a function of the parameters p1 and

p2 (where |ψ1〉 =√p1|00〉 +

√1 − p1|11〉 and likewise for |ψ2〉 and p2).

As seen, these regions vary relatively little over much of the range of ǫ2, given its

allowable range of 0 ≤ ǫ2 ≤ 0.01. While it is not obvious from the figure, note that the

plotted curves do not intercept the x axis i.e. every initial state has some target state

for which our bound on the classical communication cost is non-zero, although in many

cases this target state is very close to a product state.

2.8 The general pure state case

For the general pure state

|ψ〉 =

m∑

i=1

√pi|ii〉 (2.57)

we can perform an analogous analysis to the single-qubit case, bounding the degeneracy

of terms with amplitudes∏

i piki2 in ψN

NE(ψ) − γ√N ≤ log2

(N

k1 . . . kb

)

≤ NE(ψ) + γ√N. (2.58)

In the two-term case, we only had one independent variable k. Now we have m − 1

such variables. Moreover the independent variables are not the ki - the covariances σkikj

for the multinomial distribution are non-zero. We require a new set of variables which

diagonalises the covariance matrix. We use the substitution (from [73]1) of

yi =ki − (N − ki − . . .− ki−1)piπ

−1i−1

√

Npiπiπ−1i−1

, πi = 1 − p1 − . . . pi (2.59)

giving the asymptotic approximation

(N

k1 . . . km

)

pk11 . . . pkmm ∼ e−(y21+...+y2m−1)/2

(√

2πN)m−1√p1p2 . . . pm. (2.60)

1Note that this source has a typo, quoting π−1i

instead of π−1i−1 in the numerator.


Figure 2.4: Regions of non-zero classical communication cost (below the curves), as a

function of initial and final state parameters p1 and p2 and protocol error ǫ2.


Thus

(N

k1 . . . km

)

∼ e−(y21+...+y2m−1)/2p−k11 . . . p−kmm

(√

2πN)m−1√p1p2 . . . pm

(2.61)

log2

(N

k1 . . . km

)

∼m∑

i=1

(y2i

2 ln 2− ki log2 p1

)

+ constants. (2.62)

We wish to expand the above expression in the variables yi about the point log2

(N

k1...km

)=

NE(ψ) ±O(logN), yi = 0 ± O(

logN√N

)

∀ yi and, making use of the inverse of (2.59)

kj =√

Npj

(

−j−1∑

i=1

yi

√pipjπi−1πi

+ yi

√πjπj−1

+Npj

)

(2.63)

we find

∂kj∂yi

=√

Npi

[

δi<j

√pipjπi−1πi

δij

√πiπi−1

]

(2.64)

thus

∂ log2

(N

k1...km

)

∂yi

∣∣∣∣∣yi=0±O

“

log N√N

”

=

m∑

j=1

(log2 pj)∂ky∂yi

(2.65)

=√N

(

−√

piπi−1πi

m∑

j=i+1

pj log2 pj +

√πipiπi−1

log2 pi

)

(2.66)

= −√N

√pi

πiπi−1

m∑

j=i+1

pj log2(pj/pi). (2.67)

We find then that for the typical set

∣∣∣∣∣

m−1∑

i=1

Ωiyi

∣∣∣∣∣≤ γ ± O

(logN√N

)

(2.68)

where

Ωi =

√pi

πiπi−1

m∑

j=i+1

pj log2(pj/pi). (2.69)

We are unaware of any expression for the integral of the probability distribution (2.60)

over the range (2.69). Instead we choose a value Ωt such that Ωt ≥ |Ωi| ∀ i < m and


integrate (2.60) outside the range ±γ/Ωt for all yi to obtain an upper bound on ǫLP1 .

Doing so we find (bounding as in (2.20)

ǫLP1 ≤ 2

(

1√2π

∫ γΩt

±O“

log N√N

”

−∞e−y

2/2dy

)m−1

±O

(1√N

)

(2.70)

≤ 2

[√

2π(γ/Ωt)]m−1e−(m−1)

“

γΩt

”2/2 ± O

(logN√N

)

(2.71)

which inverts to

γ

Ωt

≤

√√√√W

(

1

2π(ǫLP1/2)2

m−1

)

± O

(logN√N

)

. (2.72)

2.8.1 Inefficiency and classical communication bounds for the

general pure state

The remainder of the analysis follows as for the single-qubit case - in particular we find

that Claims 1 and 2 still apply (with (2.72) substituted into Claim 2) and our final results

are, that for an m-bit classical communication cost and k-ebit inefficiency diluting from

ψ1 to ψ2, where ψ1 has Schmidt number m:

m ≥

αψ2 − 2

√√√√W

(

1

2π(0.01−ǫ24

)2

m−1

)

Ωtψ1

√

E(ψ2)

E(ψ1)

√N ± O(logN) (2.73)

k ≥

αψ2 −

√√√√W

(

1

2π(0.01−ǫ24

)2

m−1

)

Ωtψ1

√

E(ψ2)

E(ψ1)

√N ± O (logN) . (2.74)

2.9 Summary of results

We have derived lower bounds for the classical communication cost and inefficiency of

converting between pure bipartite entangled states expressible in two terms. Specifically,

we have proven the following results:


Theorem 2.3: For any protocol which converts via LOCC NE(ψ2)/E(ψ1) copies of a

state ψ1 into N copies of state ψ2 with at most error ǫ2 < 0.01, in the limit of large N

and where ψ1, ψ2 are bipartite pure entangled states and ψ1 is expressible in two terms,

the classical communication cost is at least

(

αψ2 − 2

√

W

(8

π(0.01 − ǫ2)2

)

αψ1

√

E(ψ2)

E(ψ1)

)√N ± O(logN) bits. (2.75)

Theorem 2.4: For the protocol described in Theorem 2.3, the inefficiency is at least

(

αψ2 −√

W

(8

π(0.01 − ǫ2)2

)

αψ1

√

E(ψ2)

E(ψ1)

)√N ±O (logN) ebits. (2.76)

Proof: As shown in Sections 2.4, 2.5 and 2.6.

These bounds are meaningful in that they give non-zero classical communication

costs for conversions between possible states, however they only give a partial ordering

on entangled states due to the asymmetry of the coefficients involved. As mentioned

earlier, nonzero classical communication is required for entanglement conversion from ψ1

to ψ2 when

αψ2

E(ψ2)≥ 2

√

W

(8

π(0.01 − ǫ2)2

)αψ1

E(ψ1)(2.77)

and nonzero inefficiency when

αψ2

E(ψ2)≥√

W

(8

π(0.01 − ǫ2)2

)αψ1

E(ψ1). (2.78)

So, for example, for a protocol with essentially zero error, there will be a non-zero classical

communication cost in diluting e.g. states |ψ1〉 =√

0.43|00〉+√

0.57|11〉 to states |ψ2〉 =√

0.14|00〉 +√

0.86|11〉, and a non-zero inefficiency in diluting the same ψ1 to states

|ψ2〉 =√

0.3|00〉 +√

0.7|11〉. I.e. these bounds do give useable limits on allowable

dilutions.


We have also derived explicit expressions for various details of the Lo-Popescu proto-

col, in particular the dependence of the coefficient in the O(√N) classical communication

cost on the allowable error.

There is however no reason to believe that these bounds cannot be improved - their

derivation is dependent on considering one particular entanglement dilution protocol

(Lo-Popescu) and a tighter bound could potentially be derived by considering a different

protocol with lower inefficiency and classical communication costs.

Moreover, our current approach is dependent on explicitly using the upper-bound on

error (0.01) introduced somewhat arbitrarily (as a proof-of-concept) in [67]. This is a

reasonable error value that allows us to consider errors up to 0.01 for our more general

dilution. However, it is likely that use of this arbitrary value gives a weaker bound than

could otherwise be obtained - as suggested by Figure 2.4.

It is pointed out in [67] that more general error bounds ǫ can be used for the dilution

from EPR pairs, with a modified classical communication cost of2 Ω(α√

N log(1/ǫ)).

Hence to most tightly bound the costs in our protocol (the second stage, we recall, of

a hypothetical two-stage dilution) as a function of its allowable error ǫ2, an improved

approach would be to optimise the expression for these costs over both errors ǫ1 in the

Lo-Popescu dilution and ǫ in the Harrow-Lo bound.

2.9.1 General pure states

For dilution of general pure states, we have found:

Theorem 2.5: For any protocol which converts via LOCC NE(ψ2)/E(ψ1) copies of a

state ψ1 into N copies of state ψ2 with at most error ǫ2 < 0.01, in the limit of large N

and where ψ1, ψ2 are bipartite pure entangled states and ψ1 is of Schmidt number b, the

2Using Ω here in the Bachmann-Landau notation, not to be confused with our earlier coefficientassociated with the general pure-state case


classical communication cost is at least

αψ2 − 2

√√√√W

(

1

2π(0.01−ǫ24

)2

b−1

)

Ωtψ1

√

E(ψ2)

E(ψ1)

√N ± O(logN) bits. (2.79)

for an Ωtψ1≥ |Ωiψ1

| ∀ i < b.

Theorem 2.6: For the protocol described in Theorem 2.5, the inefficiency is at least

αψ2 −

√√√√W

(

1

2π(0.01−ǫ24

)2

b−1

)

Ωtψ1

√

E(ψ2)

E(ψ1)

√N ±O (logN) ebits. (2.80)

Choosing Ωt

Still undefined is how one chooses Ωt. Ideally one would would take Ωt equal to the

largest Ωi, but it can be seen from (2.69) that the values of Ωi are dependent on the

arbitrary ordering of the coefficients pi. Thus the tightest bound this analysis provides

is for Ωt equal to the maximum Ωi for the ordering in which this maximum is smallest.

For a given state this is certainly a well-defined quantity, but we do not have a general

formula for it in terms of the pi’s.

An alternative prescription for Ωt is to order p1 ≤ p2 ≤ . . . ≤ pb and use

Ωt =

√pb−1

πb−1πb−2

b∑

i=2

pi log(pi/p1) (2.81)

which is simply expressed, but depending on the state may provide a much looser bound

than that using the above prescription. Whatever the chosen Ωt, using a single bound

for all the yi clearly makes the overall bound looser than in the two-Schmidt term case.

However even the general Ωt in (2.81) can give specific bounds on classical communi-

cation and inefficiency. E.g. we find that for an error-free protocol diluting from many

copies of√

0.3|11〉 +√

0.3|22〉 +√

0.4|33〉 to√

0.1|11〉 +√

0.1|22〉 +√

0.8|33〉 at least

0.29√N bits of classical communication are required and at least 0.87

√N ebits are lost.

It may well be feasible to obtain much tighter bounds in specific cases.


2.10 Conclusion

We have shown that the O(√N) lower bounds on classical communication and inefficiency

costs for dilution from EPR pairs apply to many general bipartite state conversions, and

found specific bounds which can be usefully applied (i.e. they give a finite bound) in

many cases. As in [67], the relevant bound is proportional to the quantity α, a measure

which, for a state with coefficients√pi in its Schmidt decomposition, corresponds to the

variance of log2(pi), just as the Von Neumann entropy corresponds to the negative of

its mean. Less “uniform” states in this sense are less well approximated by their typical

subspaces, and hence have higher-dimensional “supplemental” terms ∆.

We note that, as was already clear from prior results, the classical communication

and inefficiency costs per copy of a target state is O(1/√N), and thus negligible in

the large N limit. Hence even with classical communication taken into account, pure

bipartite states are asymptotically fungible, as noted in [66]. However our result, as

well as clarifying the form of the dependence for general states in the asymptotic case,

also consequently provides a lower bound for the average inefficiency and communication

costs in the finite-copy case, where such costs may not be negligible.

Aside from the improvements in the approximations used, as discussed in the previous

section, a natural area for further work might seem to be in bounding the costs in the

mixed-state case. This is arguably of less interest than the pure-state case since, as

demonstrated by the existence of bound-entangled states, mixed-state entanglement is

known not to be fungible, besides which general efficient protocols for concentration (for

those states which are distillable) and dilution are not known.

An equivalence of the entanglement cost and entanglement of formation for mixed

states would suggest an optimal protocol in terms of efficiency for dilution to such states

- one would simply dilute EPR pairs to those pure states comprising the minimum-entropy

decomposition, as discussed in section 1.2.4. Though these quantities are now known not

to be equal in general, we note that it has been shown that EC = Ef for certain classes


of mixed states [74, 75]. However, whether such a protocol would be optimal in terms of

classical communication cost is not clear.

Chapter 3

Random distillation

3.1 Introduction

As discussed in Chapter 1, the numerous different classes of multipartite states and lack of

any proven operational equivalence analogous to the fungibility of pure bipartite states

make it unclear which LOCC-conversions of such states are of most interest, since no

given target state is “maximally entangled” in the same operational sense as an EPR

pair. However an area of clear interest is in the conversion of multipartite entangled

states to those shared between subsets of the parties.

This is because, in general, more is known about entanglement held between fewer

parties. Thus, knowing what states can be produced between subsets of the parties

provides a straightforward “lower bound” on what can be achieved with the original

state. This is most obvious in the case of bipartite entanglement - the two-party quantum

teleportation protocol allows an EPR pair (combined with classical communication) to

communicate one qubit of information between parties. Hence a group of parties sharing

some set of EPR pairs between them can share multipartite states through teleportation,

if parties create such states locally and then teleport parts of them to the other parties.

Thus the ability to create EPR pairs from multipartite states provides a lower bound on

52

Chapter 3. Random distillation 53

the ability to create other multipartite states.

More generally, then, considering such protocols allows one to determine multipartite

state properties inductively - if one knows the rate of EPR creation from a 3-party state

and the rate of its creation from a 4-party state etc., then ”lower bounds” can be found

for the properties of states shared between many parties.

The relation between multipartite entanglement and that of subsets of parties illus-

trates a curious feature of multipartite entanglement. Consider 3 parties, Alice, Bob

and Charlie (ABC). Clearly there is no “true” tripartite entanglement in an EPR pair

shared between Alice and Bob, since they are unentangled with Charlie. Likewise for an

Alice-Charlie EPR pair. But if the parties have both these states then Alice can locally

create a 3-qubit entangled state and teleport qubits to Bob and Charlie, creating tripar-

tite entanglement. Hence multipartite entanglement for some given number of parties M

is super-additive - states with zero M-partite entanglement can be combined to create

non-zero M-partite entanglement.

Another interesting connection between multipartite states and their subsets was

demonstrated in [76], which showed that almost every multipartite pure state (if the

Hilbert spaces of its parties are of the same dimension) could be fully specified by speci-

fying the reduced states of some fraction of the parties, this fraction being less than 2/3

in the many-party limit.

In this chapter we consider the relation between multipartite states and their subsets

in the resource model, for the specific protocol of multiple cooperating parties converting

shared multipartite states, through LOCC, into entangled states shared between fewer

parties. As discussed below, a form of this procedure (converting multipartite states to

bipartite states, often mentioned with respect to the quantity “Entanglement of assis-

tance”) has been previously considered, but only in the case where the parties receiving

the final state are pre-determined e.g. where Alice, Bob and Charlie wish to convert their

tripartite state to one shared between Alice and Bob only.


Here we shall consider, in contrast, cases where the parties receiving the final state are

post-selected, specifically where the parties wish to maximise the amount of entanglement

received by some subset of the parties, but do not predetermine of which parties that

subset consists. In other words, we consider protocols where the parties receiving the

final desired entangled state are determined randomly in the course of the protocol.

We find that, perhaps surprisingly, such protocols can allow entangled states to be

obtained which it would be impossible to obtain between predetermined parties. The

majority of the results discussed in this chapter can be found in [59] and [60].

3.2 Entanglement of assistance

3.2.1 Background

We consider here a form of entanglement conversion not previously discussed in this

thesis - the conversion of multiparty entangled states to bipartite entangled states.

Entanglement of assistance EA is a quantity first proposed in [77], for tripartite pure

states ψABC shared between Alice, Bob and Charlie. The proposed protocol is for Charlie

(say) to make a projective measurement on his subsystem, and communicate the result

to Alice and Bob. This leaves Alice and Bob with some known pure state with some

entanglement E. Charlie’s measurement will have multiple possible outcomes, so the

entanglement of Alice and Bob’s final state will be an average 〈E〉 over all these out-

comes. The entanglement of assistance is defined as the maximum 〈E〉 over all possible

measurements by Charlie.

Considering Alice and Bob’s reduced state ρAB, since it is known by the Hughston-

Jozsa-Wootters theorem [78] that any decomposition of ρAB into pure states may be

produced as an ensemble by Charlie’s measurement, the entanglement of assistance may

be expressed simply in terms of ρAB - the maximisation of E over decompositions ρAB =


∑

i pi|ψ〉AB i.e.

EA(|ψ〉ABC) = max∑

i

piE(|ψ〉AB) (3.1)

In this sense the entanglement of assistance is dual to the mixed-state entanglement of

formation, which minimises E over decompositions.

In [77] the chosen entanglement measure E was the distillable entanglement, for

which the authors give upper bounds for EA. An explicit expression for the concurrence

of assistance (EA using concurrence as the entanglement measure) was found for the case

of two qubits in [79]. Further work on the concurrence of assistance was done by Gour

[80], who found bounds on concurrence of assistance for mixed states.

It should be noted, as in [81], that while the entanglement of assistance can be defined

wholly with respect to Alice and Bob’s (mixed) reduced state, it is not a property of that

state, in that it depends on Charlie holding the state’s purification and participating

in the protocol. Moreover, the entanglement of assistance as defined above is also not a

three-party monotone, since the protocol is restricted to a specific form rather than being

general LOCC - in some cases [81] one can improve on the entanglement obtained by

allowing general LOCC. General-LOCC quantities analogous to EA have been proposed

in [81] and [80].

However, as shown in [82], using distillable entanglement in the regularised many-copy

limit, - that is, when we consider the protocol

|ψ〉⊗NABC −→︸︷︷︸

LOCC

⊗

ij

|Φ〉⊗NABAB . (3.2)

and the number of Alice-Bob EPR pairs NAB obtainable per copy from N copies of ψABC

as N → ∞ - the entanglement of assistance is equal to that obtainable through general

LOCC. An explicit expression for this asymptotic entanglement of assistance E∞a was

found in [82] for the case of three or four parties.

An explicit expression for the M-party case - that is, where M collaborating parties

wish to convert many copies of a state ψA1...AMto EPR pairs shared between chosen


parties AI , AJ - was derived by Horodecki, Oppenheim and Winter [83, 84]. This was

a corollary to their result on multiparty “state-merging” - they found that an optimal

distillation rate

E∞aIJ

= minT

S(ρAIT ), S(ρAJT) (3.3)

where the minimisation is over the division of parties other than AI and AJ into two

groups T and T (i.e. over bipartite “cuts” separating all parties into two groups, one

containing AI and one containing AJ ) and

ρAIT = trAj /∈I,T(|ψ〉〈ψ|), (3.4)

the reduced state of |ψ〉〈ψ|, traced over all Aj /∈I,T.

The rate is clearly optimal (since otherwise one could increase the entanglement across

the cut) and can be achieved by successive state merging with AI and AJ by the parties

on either side of the cut.

3.3 Definitions

As discussed above, prior results for the conversion of multipartite to bipartite entangled

states have considered the case where the two parties receiving the final state are cho-

sen, then all parties collaborate in some LOCC protocol to maximise the entanglement

received by these chosen parties.

For our results, we will consider the case where we wish to obtain bipartite entan-

glement from multipartite states but do not specify the parties receiving the bipartite

entanglement beforehand. We will show that by doing this one can, by certain measures,

obtain more final entanglement than is obtainable by specifying the parties. To do so,

we will make use of the following definitions:

Consider (1) the LOCC-conversion (via a protocol P ) of an initial state ρ to multi-


partite states ρf with probabilities pf

ρP−→︸︷︷︸

LOCC

ρf , pf (3.5)

and (2) the subsequent LOCC conversion (via a protocol Q) of multiparty states ρf to

two-party states ρgIJwith probabilities pg

ρfQ−→︸︷︷︸

LOCC

ρgIJ⊗ σg, pg. (3.6)

(Note that we do not, in general, require that the states ρf and ρg be pure, but we do

require that the parties know which states f and g they receive as a result of the protocols

P and Q.).

We define, for the above operations and some bipartite entanglement measure E

ΩIJ(ρ) ≡ supP,Q

∑

g

pgE(ρgIJ) (3.7)

Esp(ρ) ≡ maxIJ

ΩIJ(ρ) (3.8)

Ernd(ρ) ≡ supP

∑

f

pfEsp(ρf) (3.9)

E∞rnd(ρ) ≡ lim

N→∞

Ernd(ρ⊗N)

N, (3.10)

E∞sp (ρ) ≡ lim

N→∞

Esp(ρ⊗N )

N, (3.11)

where the suprema in the above expressions are over all possible LOCC protocols P and

Q.

We discuss these definitions in further detail below, by considering the example of

protocols on some tripartite state ρABC

3.3.1 ΩIJ

The quantity ΩIJ is similar to the entanglement of assistance, but defined for general

states and LOCC protocols. Suppose Alice, Bob and Charlie share the state ρABC and

wish to create entanglement between two pre-chosen parties - Alice and Bob, say. They all


perform some given LOCC protocol (we can subsume stage (1) above into this protocol),

the final result of which is that Alice and Bob end up with some distribution of known

states (we can assume without loss of generality that Charlie discards his system at

the end) ρg with probabilities pg. Thus, as a result of the LOCC-protocol, Alice and

Bob share some expected entanglement 〈E〉 =∑

g pgE(ρgAB). The quantity ΩAB is the

supremum of this 〈E〉 over LOCC protocols, the highest expected entanglement that

Alice and Bob can achieve with Charlie’s assistance. In general, then, ΩIJ(ρ) is the

maximum expected entanglement that multiple cooperating parties sharing a state ρ can

obtain through LOCC between pre-chosen parties I and J .

3.3.2 Esp

Having defined the quantity ΩIJ(ρ), the quantity Esp is simply the maximisation of this

quantity over pairs of parties IJ , the highest expected entanglement that cooperating

parties can obtain through LOCC between any pair of pre-chosen parties. Hence Esp(ρ)

is a property of the state ρ only and not of given parties. We define this quantity in

order to demonstrate in later sections that obtaining greater entanglement through post-

selection of parties is due to using a nondeterministic protocol and not simply due to

an asymmetry of the initial state. For example, if we can obtain a higher expected

entanglement between post-selected parties than between Alice and Bob, it could simply

be because Bob and Charlie, say, have higher initial entanglement than Alice and Bob.

3.3.3 Ernd(ψ)

Ernd(ρ) is the maximum expected entanglement shared between post-selected parties.

Consider Alice, Bob and Charlie performing some LOCC protocol P on ρABC , obtaining

some state ρf with probability pf . For each such state there is some pair of parties IJf

for which a further LOCC protocol Qf will produce the highest expected entanglement

Esp(ρf), and the three parties now choose these parties and perform protocol Qf , re-


ceiving this expected entanglement between two parties IJf . Hence the expected final

entanglement between the chosen parties is∑

f pfEsp(ρf ) and Ernd(ψ) is defined as the

supremum of this expected entanglement over protocols P .

Thus, for a given “one-off” implementation of this protocol in which state ρf is re-

ceived the parties are only finally concerned with the entanglement between one particular

pair of parties IJf . However, in general, the “optimal” parties IJf vary with the state

ρf . Thus the expected entanglement∑

f pfEsp(ρf) is taken, in general, over different

pairs of parties. This is because, as described above, the parties are post-selected after

performing protocol P .

3.3.4 A hypothetical example

Consider a three-party state ρABC . Suppose that the parties wish to create entanglement

between Alice and Bob and the optimal LOCC protocol for doing so gives an expected

entanglement (according to some bipartite measure) of 0.3, the corresponding values for

Bob-Charlie and Alice-Charlie being 0.2 and 0.5. Then ΩAB = 0.3, ΩBC = 0.2, ΩAC = 0.5

and Esp(ψ) = max(0.3, 0.2, 0.5) = 0.5.

Suppose, however, that there exists a protocol that produces one of either entangle-

ment between Alice and Bob of 0.5, Bob-Charlie of 0.4 or Alice-Charlie of 0.9, such that

in each case there is no entanglement between any of the other parties and the probabil-

ity of each case is 1/3. Note that this is not in contradiction to the above results, since

the expected entanglement for e.g. Alice and Bob after performing this protocol is 0.5/3

which is less than its declared maximum of 0.3, and likewise for the other pairs.

However if the parties with the largest final entanglement are post-selected, then the

expected entanglement between the post-selected parties (which are not always the same

parties) is (0.5 + 0.4 + 0.9)/3 = 0.6 > 0.5 = Esp(ρ). Since we only know that this value

can be achieved with some protocol (and not that no protocol can do better) we can say

that Ernd(ρ) ≥ 0.6 > Esp(ρ), Ernd(ρ) being equal to the supremum of this expectation


over all LOCC protocols.

3.3.5 Regularisation

The quantities E∞sp and E∞

rnd are defined in the usual manner for regularisation - for a

state ρ = ρ′⊗N , E∞sp (ρ

′) = 1NEsp(ρ) in the limit as N → ∞, and likewise for E∞

rnd(ρ′).

The former case is reasonably straightforward - for example, Alice, Bob and Charlie

share many copies of ρ′ which they wish to convert to as much expected entanglement

as possible between Alice and Bob. Each pair (Alice-Bob, Alice-Charlie, Bob-Charlie)

has some value for this maximum obtainable expected entanglement and E∞sp (ρ

′) is the

maximum of these values over the pairs, divided by N .

For E∞rnd(ρ

′), we have the same situation as in section 3.3.3 - the parties convert their

many copies of ρ′ to a state ρ′f and post-select whichever pair of parties their ρ′f will pro-

vide the optimum expected entanglement for, then performing the protocol that obtains

this expected entanglement. It is thus implicit in this definition that, for a given one-off

implementation of the protocol, every copy of ρ′ is being converted to entanglement be-

tween the same (post-selected) pair of parties. But since the parties are post-selected,

it follows that we cannot assume that E∞rnd(ρ

′) ≥ Ernd(ρ′), as is usually the case for

regularised distillable entanglement. Such a property typically follows from one’s ability

to perform a protocol on multiple copies of the state consisting of the optimal single-

copy protocol performed on each single copy. In such a case the maximum entanglement

obtainable is at least N times that of the single-copy entanglement.

In our case, though, performing the optimal protocol on a single copy of ρ′ will

produce a state with some value of bipartite entanglement, and the expectation of this

value (hence its average over many copies) will be equal to Ernd(ρ′). But for post-selected

parties, in general, the parties for which the relevant final entanglement is obtained will

be different for different copies of ρ′. Thus, when performing such a protocol on many

copies of ψ, any given pair of parties (even if post-selected) will have a lower entanglement


First copy outcome Second copy outcome Max. post-selected entanglement

Alice-Bob 0.5 Alice-Bob 0.5 1 (Alice-Bob)

Alice-Bob 0.5 Bob-Charlie 0.4 0.5 (Alice-Bob)

Alice-Bob 0.5 Alice-Charlie 0.9 0.9 (Alice-Charlie)

Bob-Charlie 0.4 Alice-Bob 0.5 0.5 (Alice-Bob)

Bob-Charlie 0.4 Bob-Charlie 0.4 0.8 (Bob-Charlie)

Bob-Charlie 0.4 Alice-Charlie 0.9 0.9 (Alice-Charlie)

Alice-Charlie 0.9 Alice-Bob 0.5 0.9 (Alice-Charlie)

Alice-Charlie 0.9 Bob-Charlie 0.4 0.9 (Alice-Charlie)

Alice-Charlie 0.9 Alice-Charlie 0.9 1.8 (Alice-Charlie)

Mean: 0.91 (2 d.p.)

Table 3.1: Outcomes for performing our hypothetical protocol separately on two copies

of ρ.

than N · Ernd(ψ).

Referring to our hypothetical example above, the parties can, with a certain protocol,

obtain an expected entanglement of 0.6 between some post-selected pair of parties. How-

ever, if they perform this protocol separately on two copies of the state, they will receive

one of 32 = 9 outcomes, each with probability 1/9. We detail these in Table 3.1, recalling

that in our example protocol only one of the three possible pairs of parties receives any

entanglement from a single copy of the state.

The expected post-selected output entanglement for two copies of ρ′ is thus 0.91 (2

d.p.), giving an entanglement per copy of 0.46 (2 d.p.) < 0.6. This, as seen in the

table, is simply due to the maximum output entanglement generally going to different

pairs in each copy. Thus we cannot trivially achieve an expected post-selected output

entanglement on multiple copies of ρ′ equal to Ernd(ρ′), and hence cannot assume in

general that E∞rnd(ρ

′) ≥ Ernd(ρ′).


However, this is all that the above example shows - conversely there is also no reason

to assume that the trivial multi-copy protocol (performing the single-copy protocol mul-

tiple times) is optimal for multiple copies. In general one might well find more efficient

protocols that operate directly on multiple copies, as in the BBPS protocols for bipartite

distillation. Hence there is no inequality relation between Ernd and E∞rnd that follows

immediately from their definitions.

3.3.6 Et

So far, as discussed above, we have considered the entanglement obtainable between some

particular pair of parties, when pre-selected or post-selected. A separate quantity we can

consider is the entanglement simultaneously obtainable between multiple pairs of parties.

To do this, we define a quantity Et, by considering a LOCC-conversion to EPR pairs Φ:

ρ −→︸︷︷︸

LOCC

⊗

I,J

|Φ〉⊗NfIJ

IJ , pf. (3.12)

We define

Et(ρ) ≡ supP

∑

f

pf∑

IJ

NfIJ , (3.13)

E∞t (ρ) ≡ lim

N→∞supP

Et(ρ⊗N )

N. (3.14)

Et is thus the maximum expectation of the total number of EPR pairs obtainable through

LOCC, irrespective of which parties share them. It differs from Ernd in that Ernd is the

expectation of the entanglement shared by a single pair of parties (post-selected according

to which pair of parties has the most entanglement), while Et sums the final entanglement

(measured specifically by the number of EPR pairs produced) over all pairs of parties.

It is worth noting that, if we use pure-state entanglement entropy as our measure E, we


, ,

(1)

(2)

(3)

C

A

B

A

B B B

A

C C

C

A

BC

A

B

C

A

CB C

A

B

A

ΩAB

Et

Ernd

|ψ〉

|ψ〉

|ψ〉

Figure 3.1: Various conversions of a tripartite state ψ to bipartite entanglement: (1) Ω

measures the entanglement obtainable between a specific pair of parties (in this case AB):

(2) Et is the sum of the jointly-obtainable entanglement between all pairs of parties, (3)

Ernd measures the maximum entanglement obtainable between post-selected parties.

can equivalently interpret E∞t in terms of a deterministic protocol

ψ⊗N P−→︸︷︷︸

LOCC

⊗

I,J

|Φ〉⊗NIJIJ , (3.15)

E∞t (ψ) ≡ lim

N→∞supP

∑

IJ NIJ

N. (3.16)

We illustrate our definitions in Figure 3.1.


3.3.7 Main result

In this chapter, we will show that for certain pure states ψ the following condition is

satisfied:

Ernd(ψ) > Esp(ψ) (3.17)

- that is, one can obtain more final-state bipartite entanglement by not choosing parties

beforehand, but instead exploiting a degree of indeterminacy in which parties receive the

highest entanglement in the final state. We will refer to this general process as “random

distillation”.

Many of the above quantities are dependent on some choice of entanglement measure

E. Henceforth, unless explicitly stated otherwise, we will consider the case

of pure output states ρf = |ψf〉〈ψf | and ρg = |ψg〉〈ψg| and take E to be the

entanglement entropy (the Von Neumann entropy of the reduced state).

3.3.8 Important inequalities

To establish the property (3.17) we will make use of the various quantities defined above.

Here we note briefly various inequalities between them. For any state ρ, pure or mixed,

and entanglement measure E we have the following:

E∞sp (ρ) ≥ Esp(ρ), (3.18)

Ernd(ρ) ≥ Esp(ρ), (3.19)

E∞rnd(ρ) ≥ E∞

sp (ρ). (3.20)

The inequality (3.18) arises since, for preselected parties, the single-copy distillation rate

is a lower bound for the multiple copy rate. The inequalities (3.19) and (3.20) arise

since allowing for post-selection always increases the yield in entanglement distillation.

It follows from the above that (3.17) is satisfied if we can show Ernd(ρ) > E∞sp (ρ), which

is what we will do in several cases.


If we additionally adopt our standard requirement of pure output states and the

entanglement entropy as the measure, we have that

E∞t (ρ) ≥ E∞

rnd(ρ), (3.21)

E∞t (ρ) ≥ Ernd(ρ), (3.22)

E∞t (ρ) ≥ E∞

sp (ρ), (3.23)

since for pure states the entanglement entropy is a measure of asymptotic distillability of

EPR pairs, the total distillability of which among all parties is quantified by E∞t (ρ). It

follows that if (3.17) is satisfied then E∞t (ψ) > E∞

sp (ψ). However the converse does not

follow - we note for example that for the state |Φ〉AB|Φ〉BC we trivially have Et = 2 >

Esp = 1, but no true advantageous random distillation is taking place. However, E∞t is

useful in providing an upper bound on what can be achieved via random distillation.

In the following section, we will discuss our random distillation protocol and the

underlying principle of the phenomenon of advantageous random distillation with respect

to a tripartite entangled state - the W state.

3.4 The W state

The W state is a symmetric (in the computational basis) three-party pure state

|W 〉 =1√3(|001〉+ |010〉 + |100〉)ABC. (3.24)

We find that for this state Ernd(W ) > Esp(W ). Specifically we find that one can

obtain, from a W , through LOCC with probability arbitrarily close to 1, an EPR pair

shared between random parties, but not shared between pre-chosen parties.

3.4.1 Bounds for chosen parties

Using (3.3) we find

E∞sp (W ) = H2(1/3) ≈ 0.92. (3.25)


For the single-copy case we do not have an expression for Esp as defined above using the

entanglement entropy as a measure. However we can use the result of [80], which de-

fines the “generalised concurrence of assistance” (GCoA) - an entanglement of assistance

measure using “generalised concurrence” [85] as the underlying measure. This measure

coincides with the Wootters concurrence for 2-qubit systems and [80] shows that the

GCoA is equal to the concurrence obtained through general LOCC for pure states. It

follows that for a 3-qubit pure state such as the W , the concurrence of assistance qA (the

expected Wootters concurrence obtainable through a single measurement by Charlie) is

equal to the expected Wootters concurrence obtainable through a general LOCC.

In [79] the explicit expression for the 2-qubit concurrence of assistance (for a reduced

state ρAB of a pure state ψABC) is shown to be

qA = F (ρAB, ρAB) (3.26)

where the tilde is as defined in section 1.2.4 and F is the fidelity

F (σ, ρ) = Tr

√

ρ12σρ

12 . (3.27)

This gives qA(W ) = 2/3, (which can be achieved simply by Charlie making a compu-

tational basis measurement, which gives Bob and Charlie an EPR pair 2/3 of the time).

Hence, in terms of EPR distillation rates, for pre-chosen parties, a single W may be

converted to an EPR with a maximum probability of 2/3, while many W states may be

converted to EPR pairs at a rate up to ≈ 0.92. We will now demonstrate that these rates

can be beaten for post-selected parties.

3.4.2 The W protocol

Three parties sharing a W state can reliably convert it to an EPR pair using the following

protocol (devised in collaboration with Daniel Gottesman), which we will refer to as the

W protocol.


Alice, Bob and Charlie each apply the unitary rotation

|1〉 −→ |1〉, |0〉 −→√

1 − ǫ2|0〉 + ǫ|2〉, (3.28)

then

|W 〉ABC −→ (1−ǫ2)|W 〉+ ǫ√3

(|021〉+|201〉+|012〉+|210〉+|102〉+|120〉

)+O(ǫ2) (3.29)

If all 3 parties then make a measurement on their qubit using the projectors

F = |0〉〈0|+ |1〉〈1|, G = |2〉〈2| (3.30)

then either:

1. All 3 parties get outcome “F”, with probability (1 − ǫ2)2, and hence share a W

again, the rotations and projective measurements are then repeated.

2. One of the three parties gets outcome “G” (i.e. their qubit is in state |2〉), with

probability (2/3)ǫ2(1− ǫ2) per party. Say this is Alice, then following the measure-

ment the state is |2〉A⊗ 1√2(|01〉+ |10〉)BC i.e. Bob and Charlie share an EPR pair,

and the protocol terminates successfully. By symmetry, if the party with a |2〉 is

Bob, then Alice and Charlie will share an EPR pair and so on, for a total success

probability (where “success” is defined as some pair of parties obtaining an EPR

pair) of 2ǫ2(1 − ǫ2)

3. Two or more parties get outcome “G”, resulting in a product state, with total

probability ǫ4.

Thus, if exactly one party gets outcome “G” (which is equally likely for all 3 parties) the

remaining two have an EPR pair. In general, the parties will perform repeated rounds

of distillation until either an EPR is obtained (the protocol succeeds) or a product state

is obtained (the protocol fails). We choose ǫ so as to maximise the probability of the

protocol succeeding. We will find that in the limit of many rounds, ǫ → 0, the protocol


always succeeds, but will demonstrate this by considering the general case where the

parties are only willing to perform up to a finite number of rounds (this is always an

upper limit, as the protocol will always terminate in the event of success (EPR pair) or

failure (product state)).

Since the parties start every new round with a W state, the only thing determining

ǫD, their choice of ǫ, is the number of remaining rounds (including the current one) D.

Performing the above protocol, their expected entanglement yield (the probability of

eventually getting an EPR) ED is

ED = (1 − ǫ2D)2ED−1 + 2ǫ2D(1 − ǫ2D), (3.31)

hence

dEDd(ǫ2D)

= −2(1 − ǫ2D)ED−1 + 2(1 − ǫ2D) − 2ǫ2D. (3.32)

Setting dED

d(ǫ2D)= 0 to maximise ED we find

(ǫ2D)max =1 − ED−1

2 − ED−1(3.33)

EmaxD = 1 − (ǫ2D)max =

1

2 − ED−1

(3.34)

(where (ǫ2D)max is the (ǫ2D) that maximises ED). Thus, if for some D′, ED′−1 = D′−1D′ , then

EmaxD′ = D′

D′+1. Since E0 = 0 (satisfying the condition for D′ = 1) we have, by induction

EmaxD =

D

D + 1, and (3.35)

(ǫ2D)max =1

D + 1. (3.36)

Hence as D → ∞, EmaxD → 1 - the parties will reliably obtain an EPR shared between

random parties in the limit of many rounds. Furthermore, relatively few rounds are

required to beat even the asymptotic bounds for preselected parties - the parties receive

an EPR with probability > 2/3 for D ≥ 3 and with probability > 0.92 for D ≥ 12.


A classical analogue for random distillation

We note that the W protocol and other similar states which we have used in this chapter

have a reasonably straightforward classical analogue.

Consider three parties with three classical bits (two in state 0 and one in state 1)

uniformly randomly distributed between them (so each party receives one bit), who wish

for any two of their number to share a secret random bit of information. If one of the

parties with a 0 (Alice, say) announces their bit value, then Bob and Charlie will have

a 0 and a 1 and will know (by considering the public information and consulting their

own bits) who has which. An eavesdropper (Eve) will know that Bob and Charlie have

a 0 and a 1 but not who has which. Since there are two possibilities for who has which,

Bob and Charlie share one secret bit. (We require of course that only one of the parties

holding a 0 makes an announcement, otherwise Eve knows all the bits).

This procedure only works if Alice’s announcement provides no information to Eve

about which of Bob and Charlie is more likely to have the 0. However, the parties need

some protocol to decide which of the parties receiving a 0 makes the announcement, given

that they do not initially know each other’s bit values. Any deterministic protocol (e.g.

if Alice has a 0 she announces it immediately, if there is no announcement from Alice

within 10 seconds Bob announces his 0) could leak information to Eve (e.g. in the timed

example above, an announcement by Bob tells Eve that Alice must have the 1, and hence

Charlie has the 0).

To avoid this, we make the announcements entirely independent of the bit values of

the other parties (thus, every party should perform the same actions upon receiving a 0,

without relying on what any other party does). For the protocol to work, the actions of

an individual party should not always result in their making an announcement (otherwise

both parties with 0s will always announce and the protocol fails), but it must sometimes

do so (otherwise the protocol fails). In other words, a party with a 0 must make an

announcement with some finite probability, the same for all parties.


The classical protocol then just consists of the following: the two parties receiving a

0 make a private random determination (e.g. roll a die), each announcing their bit with

some finite probability (e.g. when getting a particular number). If no party makes an

announcement, the rounds of dice-rolling are repeated until an announcement is made.

The protocol will thus always succeed unless both parties with 0s announce at the same

time, but in the limit of small announcement probability (and hence many rounds) this

outcome becomes negligibly likely. Thus in this limit two random parties will eventually

share a private secure bit.

(From the point of view of Eve, nothing occurs until one random party (each being

equally likely) makes an announcement. Her only information is that the announcing

party has a 0 and how long it took for an announcement to be made, both of these are

uncorrelated with which of the two remaining bits the remaining parties have).

3.4.3 Multipartite distillation from W states

We note that the above result, though concerned with distillation of EPR pairs, provides

us with a lower bound on the distillation rate for any shared three-qubit state ψ3q from

W states, by considering EPR distillation followed by teleportation, as follows:

• In the limit of large N , Alice, Bob and Charlie can distill N W states to N/3 EPR

pairs for each of the pairs of parties AB, BC, AC.

• Alice, say, locally creates N/6 copies of ψ3q, and uses half of the EPR pairs she

shares with Bob to teleport his qubits from ψ⊗N

63q to him. She does the same with

Charlie.

• Bob and Charlie do the same as Alice (e.g. the remaining half of Alice and Bob’s

N/3 EPR pairs are used by Bob to teleport qubits from his locally prepared copies

of ψ3q to Alice, and so on), resulting in a total of 3 ×N/6 = N/2 shared copies of

ψ3q.


Randomdistillation Teleportation

C

A

BC

A

B C

A

B

|Φ〉⊗N3|Φ〉⊗N

3

|Φ〉⊗N3|ψ3q〉⊗

N6 |ψ3q〉⊗

N6

|ψ3q〉⊗N6

|ψ3q〉⊗N2|W 〉⊗N

Figure 3.2: Illustration of multipartite state distillation from W states using random

distillation. N copies of the W states are distilled to EPR pairs shared evenly between

the parties, who prepare local copies of some 3-qubit state ψ3q. Each party then uses

half of the EPR pairs they share with each of the other parties to teleport qubits from

ψ3q to the other two parties, resulting in N/2 shared copies of ψ3q in the large N limit.

Hence, as illustrated in Figure 3.2, any three-qubit state can be distilled from W states

at an asymptotic rate ≥ 1/2 (and, in general, a higher rate can be achieved through

Schumacher compression). While even with compression this procedure is in general not

optimal (trivially for distilling W states, but also for distilling GHZ states for which

a rate ≈ 0.64 was demonstrated in [82]) it does demonstrate the applicability of these

results to multipartite distillation. Finally we note that such bounds do not follow from

the values either of Et or Ernd, since neither quantity describes the distribution between

parties of the final entangled states, which is essential to multipartite distillation rates.

3.5 Upper bounds on random distillation

We see that for the W state we can achieve Ernd ≥ 1 and Et ≥ 1 vs. Esp = 1/3 and

E∞sp ≈ 0.92. Could we have achieved a higher yield of EPR pairs? For the case of a single

W we can see that the answer is no, we have

Ernd(W ) = Et(W ) = 1. (3.37)


This is because any protocol giving Ernd(W ) > 1 or Et(W ) > 1 would require, respec-

tively, a finite probability to obtain a two-party pure state with entanglement entropy

> 1 or a finite probability to obtain > 1 EPR pairs from a W state, which in both cases

would increase the Schmidt number across some bipartite cut, shown to be forbidden for

LOCC operations on pure states in [86].

This is clear for the case of Ernd(W ) > 1 (which would require the relevant pure-state

entanglement to be between two parties); for the Et(W ) > 1 case (which would not e.g.

we could have EPR pairs shared between both Alice-Bob and Bob-Charlie) we note that

at least one party (Bob in the above example) must possess half of both EPR pairs, with

a forbidden Schmidt number increase thus required across a bipartite cut between that

party and the other two. This reasoning in fact applies to any 3-qubit state ψ3q, so for

such states we have

Ernd(ψ3q) ≤ 1 (3.38)

Et(ψ3q) ≤ 1 (3.39)

In the many-copy case the same analysis can be used to show E∞rnd(ψ3q) ≤ 1. It is not

as obvious, however, whether or not we can have E∞t (W ) > 1. Here we will demonstrate

general upper bounds on both quantities.

3.5.1 E∞t

Our tightest upper bound for E∞t for three-party states is as follows:

Theorem 3.1: For a pure tripartite state σABC

E∞t (σABC) ≤ minS(σBC) + E∞

r (σBC), S(σAC) + E∞r (σAC), S(σAB) + E∞

r (σAB)

(3.40)

where the asymptotic relative entropy of entanglement E∞r (ρ) = limN→∞Er(ρ

⊗N)/N


and for an M-party state, the relative entropy of entanglement Er satisfies

Er(ρA1...AM) = min

σsepA1...AM

S(ρA1...AM||σA1...AM

), (3.41)

where the minimisation is over all separable states σsep and

S(σ ‖ ρ) = trσ log2 σ − σ log2 ρ. (3.42)

Proof: (Our proof is a simple application of the result in [43]). It was shown in [43] that

for any three-party LOCC protocol starting from a pure initial state ρABC

〈Er(ρBC)〉final − Er(ρBC)initial ≤ S(ρA)initial − 〈S(ρA)〉final (3.43)

For a distillation (3.12) of a pure state σABC to EPR pairs we have, assuming asymptotic

continuity (demonstrated for the relative entropy in [87]),

S(ρA)initial =S(σ⊗NA ) = NS(σA), (3.44)

〈S(ρA)〉final =NAB +NAC , (3.45)

〈Er(ρBC)〉final =NBC , and (3.46)

Er(ρBC)initial =Er(σ⊗NBC ) (3.47)

thus

NAB +NBC +NAC ≤NS(σA) + Er(σ⊗NBC ) = NS(σBC) + Er(σ

⊗NBC ) (3.48)

Since we are free to permute parties A,B,C, dividing through byN and taking limN→∞

leads to (3.40).

We also find a more general bound for any number of parties:

Theorem 3.2: For an M-party pure state σA1...AM,

E∞t (σ) ≤ E∞

r (σ). (3.49)


(We thank Martin Plenio for pointing out this bound to us in the tripartite case, which

follows from Theorem 3.1 above and Theorem 1 of [88]).

Proof: Plenio and Vedral [88] derive a bound on the relative entropy of tripartite systems

from [89], noting that this readily generalises to the multiparty case. We show the

generalisation here, following the same reasoning as [89] and [88] for the tripartite case:

From Theorem 4 of [89], we have that for any non-distillable bipartite state ρAB and any

bipartite state σAB

S(σAB ‖ ρAB) − S(σA ‖ ρA) ≥ S(σA) − S(σAB). (3.50)

If σAB is a pure state then the final term is zero.

We can replace the bipartite states in the above with multipartite states shared be-

tween parties A1 . . . AM with a bipartite division between party M and the others. Thus,

for a pure σA1...AM

S(σ ‖ ρ) − S(σA1...AM−1‖ ρA1...AM−1

) ≥ S(σA1...AM−1) (3.51)

where, for brevity, states without subscripts are the non-reduced states e.g. σ = σA1...AM.

Let us consider a particular ρ∗, the closest (as measured by the relative entropy S(σ ‖ ρ))

M-party separable state to σ. Then S(σ ‖ ρ∗) = Er(σ) and

Er(σ) ≥ S(σA1...AM−1‖ ρ∗A1...AM−1

) + S(σA1...AM−1). (3.52)

Since ρ∗A1...AM−1is separable, S(σA1...AM−1

‖ ρ∗A1...AM−1) ≥ Er(σA1...AM−1

), so

Er(σ) ≥ Er(σA1...AM−1) + S(σA1...AM−1

). (3.53)

By permuting the parties we get the general multiparty bound in the asymptotic case

Er(σA1...AM) ≥maxS(σA1...AM−1

) + Er(σA1...AM−1), . . . (3.54)

where the maximum is over all permutations of the parties A1 to AM . For the three-party

case, the quantity which the RHS of (3.54) maximises over parties as a lower limit on


E∞r is that which the RHS of (3.40) minimises over parties as an upper bound on E∞

t .

Thus the theorem is proven in the 3-party case.

Considering the final state in (3.16) ρfA1...AM=⊗

ij |Φ〉⊗NAIAJAIAJ

, we have:

S(ρfA1...AM−1) =

∑

i

NAiAM(3.55)

thus

E∞r (σA1...AM

) ≥∑

i

NAiAM+ E∞

r (σA1...AM−1). (3.56)

From (3.56) if E∞r (σA1...AM−1

) ≥ ∑

i,j 6=M NAiAjthen E∞

r (σA1...AM) ≥ E∞

t (ψ) and the

bound is proven in the M-party case. However, the above condition is satisfied as shown

above for M = 3, thus, by induction, the bound is satisfied generally .

We note that the 3-party bound in Theorem 3.1 is tighter in general than the above

bound.

Consequences of bounds on E∞t

In general, there is no known prescription for calculating Er for a given state, which

means neither of the above bounds can always be easily obtained for a specific state.

However, we can do so in the case of the W state, for which it is known [88] that

Er(W ) = 2 log2 3 − 2 ≈ 1.17. Since Er ≥ E∞r ≥ E∞

t this provides an upper bound to

E∞t , using (3.49). Since, as noted in [88], the W state also saturates the bound (3.54), it

follows from the symmetry of the state that this is also the upper bound to (3.40). Hence

our tightest bound is that we can get at most ≈ 1.17 EPR pairs per W from W states in

the many-copy limit. We conjecture that our lower bound is tight (i.e. that E∞t (W ) = 1)

but do not have proof of this. We note that while E∞r (W ) is not known, it has been

shown in [45] that E∞r (W ) ≥ log2 3 − 5/9 ≈ 1.03, thus knowing E∞

t (W ) ≤ E∞r (W )

cannot be sufficient to prove our conjecture.

An interesting consequence of this bound occurs for GHZ-like states |GHZ ′〉 =

α|000〉 + β|111〉, for which we have from [88] that E∞t (GHZ ′) = H2(|α|2). We see


that this is also Esp(GHZ′) (since this entanglement entropy may be achieved between

e.g. Alice and Bob by Charlie making a measurement in the basis |±〉 = 1√2(|00〉±|11〉)),

thus E∞t (GHZ ′) = Ernd(GHZ

′) = Esp(GHZ′) - there is no advantage to random distil-

lation for such states. This raises the question of whether there is any consistent pattern

to the random distillation properties of the GHZ and W classes identified by [34], which

we will consider in section 3.6.

3.5.2 E∞rnd

When considering Ernd, theorem 3.3 below shows advantageous random distillation as

defined by Ernd > Esp to be essentially a “finite-copy” phenomenon, unlike many entan-

glement properties which also occur in the asymptotic limit. We find:

Theorem 3.3:

Ernd(ψ⊗N) −→ Esp(ψ

⊗N), N → ∞. (3.57)

In other words, as defined in (3.10) and (3.11),

E∞rnd(ψ) = E∞

sp (ψ). (3.58)

Proof:

This is shown by the result of [66], that for a LOCC protocol distilling EPR pairs from

N copies of a two-party pure state σAB,

|σ〉⊗NAB −→︸︷︷︸

LOCC

|Φ〉N ′AB (3.59)

the probability of gettingN ′ > NS(ρA) tends to 0 asN → ∞. Specifically the probability

shrinks as O(c−N) for some positive constant c > 1. Note that this is stronger than the

well-known result that optimally 〈N ′〉 = NS(ρA), since it disallows improving on the

optimum expected yield even some of the time.


Consider a process (3.5), where ρ = |φ⊗NA1...Am

〉〈φ⊗NA1...Am

|, for some pure state φ. The

optimum distillation to specified parties will be to some pair of parties AI , AJ . where

(from (3.3)) the distillation rate is Sφ(AITφIJ) where Sφ denotes the Von Neumann entropy

of the bracketed parties’ reduced state of φ, TIJ in general represents some group of parties

not containing AI or AJ and T φij is the group that minimises Sφ(AiTij), i.e. for any fixed

but arbitrary pair of parties Ai, Aj .

Sφ(AiTφij) ≤ Sφ(AiTij) ∀ Tij . (3.60)

Thus, as N → ∞

Esp(ψ) −→ NSφ(AITφIJ) (3.61)

and

Sφ(AITφIJ) ≥ Sφ(AiT

φij) ∀ ij (3.62)

For Ernd(ψ) > Esp(ψ), by the definition in (3.9) we require at least one possible

output state ψf to have Esp(ψf ) > Esp(ψ). Let us consider one such ψf , denoted by

ψ′f , and occurring with some fixed probability p′f . Suppose optimal distillation of ψ′

f (to

specified parties) is to parties AX and AY with the corresponding bipartite cut being

between AXTfXY on one side (using, here and below, f to denote quantities defined for

reduced states of ψ′f , analogously to φ above) and its complementary set on the other

side. Similar to Eqs. (3.60) and (3.62), we have for each fixed but arbitrary pair i, j that

Sf(AiTfij) ≤ Sf(AiTij) for all Tij and Sf(AXT

fXY ) ≥ Sf (AiT

fij) for all i, j. Then, in the

many-copy limit

Esp(ψ′f) = Sf(AXT

fXY ) > Esp(ψ) = NSφ(AIT

φIJ). (3.63)

However, from (3.60), (3.62) and (3.63) we have that

Sf (AXTφXY ) ≥ Sf(AXT

fXY ) > NSφ(AIT

φIJ) ≥ NSφ(AXT

φXY ). (3.64)

Consider now a bipartite division of ψ between the group AXTφXY acting as a single

party (i.e. we allow joint quantum operations within this group) denoted by A and the


group of all other parties acting as a single party B. A and B perform the above LOCC

protocol independently on M copies of ψ. Then with probability (pf ′)M , they obtain M

copies of ψ′f . In the limit of large M , the parties A and B can, through LOCC, distill

these copies to MSf (A) > MNSφ(A) EPR pairs.

Thus A and B would be distilling more than MNSφ(A) EPR pairs from MN copies

of φ, and from [66] their success probability must be O(c−MN), hence p′f is O(C−N).

But for Ernd(ψ) > Esp(ψ) under these circumstances would require Sf (AXTfXY ) to be

O(cN), which would require a forbidden increase in Schmidt number across a bipartite

split between group AXTfXY and all other parties.

Hence in the limit of large N , we cannot have advantageous random distillation of N

copies of a pure state. .

3.6 More general states

So far we have seen that advantageous random distillation Ernd > Esp occurs for W

states and does not occur for certain GHZ-like states |GHZ ′〉 (not to be confused with

the more general GHZ-class states of [34]) or many copies of any state. We will now

consider more general classes of state, starting with the W and GHZ classes of [34],

discussed in Chapter 1.

3.6.1 W-class states

Theorem 3.4:

For any W-class pure entangled three-qubit state ψW

Ernd(ψW ) > Esp(ψW ). (3.65)

Proof:

We make use of the following simple lemma:


Lemma 1: For a general normalised two-qubit pure state

ψ = (c00|00〉 + c01|01〉 + c10|10〉 + c11|11〉)AB (3.66)

the entanglement measure S(ρA) increases monotonically with the concurrence [33]

q(ψ) = 2|c01c10 − c00c11| (3.67)

and S(ρA) is a convex function of q(ψ) in the range 0 ≤ q ≤ 1 , corresponding to

0 ≤ S ≤ 1.

Proof: Explicit calculation shows

S(ρA) = f(q) = H2

(

1 −√

1 − q(ψ)2

2

)

(3.68)

and that

d2f

dq2≥ 0, 0 ≤ S ≤ 1. (3.69)

The monotonicity is clear from the form of (3.68) and (3.69) is sufficient to satisfy con-

vexity.

We define qsp, qrnd etc. as analogous quantities to Esp, Ernd etc., with q as the entan-

glement measure. The quantity q is a useful measure in this case since it is second-order

in the state’s coefficients. Thus, for repeated rounds of unitaries and measurements,

probabilities and normalisation factors cancel out when calculating 〈q〉, as shown be-

low. Since the Ex (i.e. Ernd, Esp etc.) are expectation values for S, it follows from the

convexity result that

Ex(ψ) ≥ f(qx(ψ)). (3.70)

Note then that by this definition qx(ψ) 6= f−1(Ex(ψ)), in general.

We now consider applying the W protocol to a general three-qubit pure state shared

between Alice, Bob and Charlie:

|ψ1〉ABC = |0〉A(

k000 |00〉 + k010 |01〉 + k100 |10〉 + k110 |11〉)

BC+ |1〉A(. . .) (3.71)


where the (. . .) represent some additional terms whose amplitudes we are not concerned

with. We define K000≡ |k000

|2 etc.

After every party has performed the unitary (3.28) the state becomes

|ψ1〉ABC = (1 − ǫ2)12 |0〉A

[

(1 − ǫ2)k000|00〉 + (1 − ǫ2)12 [k010|01〉 + k100|10〉] + k110 |11〉

]

BC

+ ǫ|2〉A[

(1 − ǫ2)k000 |00〉 + (1 − ǫ2)12 [k010 |01〉 + k100 |10〉] + k110|11〉

]

BC+ |1〉A(. . .)BC .

(3.72)

If all the parties then perform the projection (3.30) and all get outcome F the resultant

state will differ from the initial state. Likewise if these unitaries and projections repeat

until Alice, say, eventually gets outcome G the state then shared by Bob and Charlie will

depend on the number of rounds performed up to that point.

In general after R rounds of unitaries and projections in which all parties get F , the

shared state will be

|ψR〉ABC = |0〉A(

k00R|00〉 + k01R

|01〉 + k10R|10〉 + k11R

|11〉)

BC+ |1〉A(. . .)BC (3.73)

where

k00R=

(1 − ǫ2)3R2 k000

√PFR

. . . PF1

(3.74)

k01R=

(1 − ǫ2)Rk010√PFR

. . . PF1

(3.75)

k10R=

(1 − ǫ2)Rk100√PFR

. . . PF1

(3.76)

k11R=

(1 − ǫ2)R2 k110

√PFR

. . . PF1

(3.77)

and PFNis the probability of all parties getting F in the Nth round of the protocol after

having done so in all previous rounds i.e.

PFN= (1 − ǫ2)

(

(1 − ǫ2)2K00N−1+ (1 − ǫ2)[K01N−1

+K10N−1] +K11N−1

)

(3.78)


If the parties perform one further round of unitaries, the state will be

|ψR+1〉ABC =(1 − ǫ2)12 |0〉A

[

(1 − ǫ2)k00R|00〉 + (1 − ǫ2)

12 [k01R

|01〉 + k10R|10〉] + k11R

|11〉]

BC

+ ǫ|2〉A[

(1 − ǫ2)k00R|00〉 + (1 − ǫ2)

12 [k01R

|01〉 + k10R|10〉] + k11R

|11〉]

BC

+ |1〉A(. . .)BC (3.79)

If the parties then project and Alice alone gets outcome G, with probability

PGR+1= ǫ2

(

(1 − ǫ2)2K00R+ (1 − ǫ2)[K01R

+K10R] +K11R

)

(3.80)

the resultant state will be

1√PGR+1

ǫ|2〉A(

(1 − ǫ2)k00R|00〉 + (1 − ǫ2)

12 [k01R

|01〉 + k10R|10〉] + k11R

|11〉)

BC(3.81)

and Bob and Charlie will share a state with entanglement (measured by the concurrence

q (3.67))

qBCR+1 =1

PGR+1

ǫ2(1 − ǫ2) × 2|k01Rk10R

− k00Rk11R

| (3.82)

=2

PGR+1PFR

. . . PF1

ǫ2(1 − ǫ2)2R+1 × |k010k100 − k000k110 |. (3.83)

Thus if we consider applying the W protocol to an arbitrary three-qubit state we have

that for the final expected concurrence⟨qBCf

⟩(3.67):

⟨qBCf

⟩≥ lim

ǫ→0

∞∑

R=0

qBCR+1PGR+1

R∏

N=1

PFN(3.84)

= 2|k010k100 − k000k110| × limǫ→0

∞∑

R=0

ǫ2(1 − ǫ2)2R+1 (3.85)

= 2|k010k100 − k000k110| × limǫ→0

ǫ2(1 − ǫ2)

1 − (1 − ǫ2)2(3.86)

= |k010k100

− k000k110

|. (3.87)

The above bound concerns only Bob and Charlie’s entanglement as a result of Alice

eventually getting outcome G (and the other parties outcome F ). However other possible


outcomes are where instead Bob or Charlie getsG and the other parties F resulting in zero

Bob-Charlie entanglement, but some entanglement between Alice-Bob or Alice-Charlie.

How much entanglement depends on the form of the original state, but since the W

protocol is symmetric (i.e. invariant with respect to permutation of parties), we see that

in the special case of a symmetric state (in the computational basis) ψsymmABC , the expected

entanglement due to such outcomes must also be |k010k100 − k000k110 | = |k2010

− k000k110|

(since k010 = k100 for symmetric ψABC), for each of Alice-Bob and Alice-Charlie.

Thus, considering only these outcomes where two parties share some entanglement

and are unentangled with the third party, it follows that

Ernd(ψsymmABC ) ≥ 3|k2

010− k000k110 |. (3.88)

In [34] it was shown that a general W -class state could be expressed as

(α|100〉+ β|010〉 + γ|001〉 + δ|000〉)ABC (3.89)

where α, β, γ, δ ∈ R and α, β, γ > 0, δ ≥ 0. We will without loss of generality take

γ ≥ β ≥ α.

We find for the state (3.89) that

S(ρA) = H2(λ), where (3.90)

λ2 − λ+ α2(β2 + γ2) = 0 (3.91)

Using (3.68), we find the corresponding concurrences

q(ρA) = 2α√

β2 + γ2 (3.92)

q(ρB) = 2β√

α2 + γ2 (3.93)

q(ρC) = 2γ√

α2 + β2. (3.94)

It is straightforward to see that q(ρC) ≥ q(ρB) ≥ q(ρA) and thus

E∞sp (ψW ) = S(ρB) = f(q(ρB)). (3.95)


A random distillation for W-class states

We will see that a higher entanglement than the above may be obtained for a W -class

state by first symmetrising it and then performing random distillation via theW protocol.

Starting with the state (3.89) Alice applies the unitary

|0〉 −→ α

γ|0〉 +

√

1 −(α

γ

)2

|2〉, |1〉 −→ |1〉 (3.96)

producing the state

(

α|100〉 +βα

γ|010〉 + α|001〉 +

δα

γ|000〉

)

ABC

+

√

1 −(α

γ

)2

|2〉A (β|10〉 + γ|01〉 + δ|00〉)BC(3.97)

Alice then projects using (3.30). If she receives outcome G (with probability 1 − PAF )

the protocol terminates, otherwise Bob then applies the unitary

|0〉 −→ β

γ|0〉 +

√

1 −(β

γ

)2

|2〉, |1〉 −→ |1〉 (3.98)

producing the state

1√PAF

[(αβ

γ(|100〉+ |010〉 + |001〉) +

δαβ

γ2|000〉

)

ABC

+

√

1 −(β

γ

)2

|2〉B(

α|10〉+ α|01〉 +δα

γ|00〉

)

AC

]

. (3.99)

Bob likewise then projects using (3.30), the protocol terminating if he gets outcome G.

If he gets outcome F (conditional probability PBF ), the state obtained is

1√PAFPBF

αβ

γ

(

|100〉+ |010〉+ |001〉 +δ

γ|000〉

)

ABC

(3.100)

which is a symmetric state on which the three parties perform the W protocol.


Thus for the overall protocol

qrnd(ψW ) ≥(1 − PAF ) × 2

(

1 −(αγ

)2)

βγ

1 − PAF+ PAF (1 − PBF ) × 2

(

1 −(αβ

)2)

α2

PAF (1 − PBF )

+ PAFPBF × 3

(αβγ

)2

PAFPBF

= 2

(

1 − α2

γ2

)

βγ + 2α2 +α2β2

γ2. (3.101)

We use the Lemma:

Lemma 2:

qrnd(ψW ) =2

(

1 − α2

γ2

)

βγ + 2α2 +α2β2

γ2

>q(ρB) = 2β√

α2 + γ2. (3.102)

Proof:

q2rnd − q(ρB)2 =4

(

1 − 2α2

γ2+α4

γ4

)

β2γ2 + 4α4 +α4β4

γ4+ 8α2βγ

(

1 − α2

γ2

)

+ 4α4β2

γ2

+ 4α2β3

γ

(

1 − α2

γ2

)

− 4β2(α2 + γ2) (3.103)

=α2

[

−12β2 + 8α2β2

γ2+ 4α2 +

α2β4

γ4+ 8βγ

(

1 − α2

γ2

)

+ 4β3

γ

(

1 − α2

γ2

)]

(3.104)

=α2

[

β2

(

8γ

β+ 4

β

γ− 12

)

+ α2

(

8β2

γ2+ 4 +

β4

γ4− 8

β

γ− 4

β3

γ3

)]

(3.105)

=α2

[

4β2

(γ

β− 1

)(

2 − β

γ

)

+ α2

((β2

γ2− 2β

γ

)2

+ 4

(

1 − β

γ

)2)]

.

(3.106)

There are thus 3 terms in the above. We recall that 0 < α ≤ β ≤ γ. The first term is

clearly ≥ 0 since γ ≥ β, and the other two terms are clearly ≥ 0 since they are squared.

The first and third terms are both equal to 0 iff β = γ, but in that case the second term

is > 0. Thus the overall expression is strictly > 0 and

qrnd > q(ρB). (3.107)


Hence from (3.70)

Ernd(ψW ) ≥ f(qrnd(ψW )) > f(q(ρB)) = Esp(ψW ). (3.108)

3.6.2 GHZ-class states

As noted above, the inequality (Ernd(ψ) > Esp(ψ)) is not generally true for GHZ class

states, with the GHZ state itself and more generally states of the form |GHZ ′〉 = α|000〉+

β|111〉 (for which Esp = Ernd) providing a counterexample. One might wonder whether

random distillation gives no advantage for any state in the GHZ class. Here, we answer

this question in the negative. More specifically, we find an explicit example of a GHZ class

state for which random distillation gives an advantage over distillation to predetermined

parties.

Our example state is

|ψG〉 = α(|100〉+ |010〉 + |001〉) + ǫ|111〉, ǫ =√

1 − 3α2. (3.109)

for 0 < α, β, γ, δ, ǫ ∈ R. The 3-tangle τABC [53] for this state is equal to 16ǫα3, and

being non-zero the state is thus [34] GHZ-class.

By symmetry of ψG, we have Esp(ψG) = H2(α2 + ǫ2), and

f−1(Esp(ψG)) =√

8α2(1 − 2α2) (3.110)

From its symmetry and the analysis of section 3.6.1, ψG can be randomly distilled to

obtain

qrnd ≥ 3α2. (3.111)

It follows that qrnd(ψG) > f−1(Esp(ψG)) and hence Ernd(ψG) > Esp(ψG) for α2 > 8/25.

I.e. there exist GHZ class states for which random distillation is advantageous and others

for which it is not.


3.6.3 Symmetric Dicke states

While we do not have a general treatment of random distillation applied to pure states

shared between > 3 parties, it is clear that there are such states from which final states

shared between fewer parties can be reliably obtained iff those parties are not predeter-

mined.

We consider a more general class of states whose entanglement properties are of some

interest [90, 91, 92] - the M-party symmetric Dicke states [93, 94]. These are of the form

|ψ(M,N)〉 =1√MCN

∑

|1〉⊗N |0〉⊗M (3.112)

where MCN are the binomial coefficients

MCN ≡ M !

N !(M −N)!(3.113)

and the sum is over all permutations of the individual qubits. E.g.

|ψ(4, 2)〉 =1√6(|0011〉+ |0110〉 + |1100〉 + |1001〉+ |0101〉 + |1010〉) (3.114)

and the 3-party W state can also be expressed as ψ(3, 1).

We can express a state |ψ(M,N)〉 with respect to some party P as

|ψ(M,N)〉 =1√MCN

[

|0〉P ⊗∑

|1〉⊗N |0〉⊗(M−1) + |1〉P ⊗∑

|1〉⊗(N−1)|0〉⊗M]

(3.115)

where the sums are again over qubit permutations, consisting of M−1CN terms in the first

sum and M−1CN−1 in the second.

Considering then the Von Neumann entropy of party P we have

S(σM,NP ) = H2

(M−1CNMCN

)

(3.116)

= H2

(N

M

)

(3.117)

(where σM,NP is party P ’s reduced state of ψ(M,N)).

Since we are largely concerned with the entanglement of these states rather than their

(arbitrary) labels, let us assume N ≤M/2 (if this is not the case it can straightforwardly


be achieved via each party applying the local “bit-flip” unitary |0〉 ↔ |1〉, corresponding

to the Pauli matrix X), then any LOCC distillation ψ(M,N) −→ ψ(M ′, N ′) (assuming

likewise that N ′ ≤M ′/2) cannot be reliably performed for predetermined final parties if

M ′

N ′ >MN

.

However, we see that if we apply the W protocol to a state ψ(M,N) we can reliably

obtain either a randomly-shared ψ(M − 1, N) (applying the usual protocol) or ψ(M −

1, N − 1) (applying the W protocol but with |0〉 and |1〉 states reversed). Essentially the

parties can reliably ”drop” either a |0〉 or |1〉 from the terms of the state to produce a

state randomly shared between one fewer party.

Let us assume, as above, that N ≤M/2. It follows that for the two states ψ(M−1, N)

and ψ(M −1, N −1) that can be created in the above operation, by dropping a |0〉 or |1〉

respectively, that N − 1 ≤ (M − 1)/2 (always) and N ≤ (M − 1)/2 unless N = M . In

the latter case, we assume that the parties subsequently all perform the X operation, for

a final state ψ(M − 1, N). Given this, if the parties perform multiple rounds of “qubit

drops”, we can, by induction, assume that the final state ψ(M ′, N ′) satisfies N ′ ≤M ′/2.

(It can be seen that, with regard to the final states that can be created through

LOCC, our “bit-flipping” assumption is without loss of generality, since an all-party bit

flip followed by several rounds of qubit dropping is equivalent to the same number of

rounds of dropping the orthogonal qubit followed by an all-party bit flip. Hence we can

consider any bit flips as occurring after any qubit drops, and the final states obtainable

under our assumption are equivalent up to local unitaries to those obtainable without

the assumption. The assumption simply makes the notation more straightforward).

Given the above, we find that via random distillation the parties can reliably perform

|ψ(M,N)〉 −→ |ψ(M ′, N ′)〉, if (3.118)

M ′ ≤M and

N − (M −M ′) ≤ N ′ ≤ min(N,M ′/2),


many of which conversions cannot be performed between predetermined parties.

Lower bound on Ernd for arbitrarily small Esp

Considering now the conversion of symmetric Dicke states to bipartite states, of particular

interest for this class of states is that the above conditions are always satisfied (except

for trivial product states) for M ′ = 2, N ′ = 1, which corresponds (up to local unitaries)

to an EPR pair. In other words any symmetric Dicke state can be converted via random

distillation to a randomly-shared EPR pair. Thus

Ernd(ψ(M,N)) ≥ 1 (3.119)

We see from the symmetry of the state and (3.3) and (3.117), that since the local

entropy of a bipartite cut between one party and all others provides an upper bound for

Esp, that

Esp(ψ(M,N)) ≤ H2

(N

M

)

. (3.120)

Thus by an appropriate choice of M and N we can have arbitrarily small Esp for a

symmetric Dicke state, yet Ernd has the lower bound of 1. I.e. there exist states for

which the probability of getting an EPR between pre-determined parties is vanishingly

small, yet one can always obtain an EPR between some pair of parties.

A classical analogue can again be applied here, particularly in the case of a ψ(M, 1) →

ψ(2, 1) conversion, analogous to an unbiased classical lottery, with M participants, and

a single “winner” (holding bit 1, while the other players have bit 0). In the limit of large

M , any pre-selected pair of parties are very unlikely to either of them have the winning

bit, but some party must. A protocol that allows losing parties to be eliminated with-

out revealing information about those remaining will eventually result in two remaining

parties, each with an even chance of holding bit 1. As with the example in section 3.4.2

this constitutes their sharing a secure bit.


3.7 Feasibility study of experimental implementation

of random distillation

As noted in section 3.4.2, we can implement the W protocol on a single copy of the W ,

and achieve a higher expected entanglement than that between predetermined parties

even with relatively few rounds of the protocol. This raises the possibility of performing

such a protocol experimentally. In this section we will briefly discuss the feasibility of

experimentally implementing a random distillation of W →EPR in the Innsbruck ion

trap. This work has been done in collaboration with Hartmut Haffner of the Department

of Physics, University of Innsbruck.

3.7.1 Background

Controlled quantum operations in ion traps

As discussed in e.g. [4, 95, 96] ion traps, in general, consist of configurations of elec-

tromagnetic fields (both static and time-dependent) in free space so as to isolate ions in

particular spatial positions. Quantum information can be encoded in the electron en-

ergy states of the ions, and manipulated by the ions’ interaction with an electromagnetic

(EM) field. In practice this requires high vacuum and low temperatures (of order 1K),

both to confine the ions and to ensure that there is little or no thermal noise to disrupt

coherent electron states. Decoherence due to spontaneous emission can be minimised by

the use of long-lived states such as hyperfine or Zeeman levels of the ground state or

metastable excited states. If a trap contains multiple ions then, in addition to coupling

to any externally applied EM field, ions are also strongly coupled to each other through

the Coulomb interaction, resulting in quantised vibrational modes (phonons) within the

multi-ion system.

The above properties make the ion trap system very appealing for use in quantum


information processing, satisfying many of the the well-known DiVincenzo criteria for

quantum computation [97], as discussed in [96]:

1. A scalable physical system with well-characterised qubits: the qubits are imple-

mented as electronic energy states as discussed above. Scalability can potentially

be implemented using multiple traps and either moving ions between them or trans-

ferring ion states between traps using photons.

2. Ability to initialise the state of the qubits to a simple fiducial state: Ions can be

initialised in well-known electronic states through optical pumping, and in motional

ground states through cooling.

3. Long decoherence times relative to the gate-operation time: As discussed above,

the electronic states used for qubits are very long-lived (can be of the order of

seconds or minutes) compared to gate times of the order of µs.

4. A universal set of quantum gates: The combination of single-qubit unitaries and the

controlled-not (CNOT) gate comprise a universal set [4, 98, 99, 100]. Single qubit

unitaries can be implemented using standard optical techniques on a single ion and,

as discussed above, the coupling of ions through the Coulomb interaction allows for

two-qubit gates. A scheme for implementation of a controlled-NOT (CNOT) gate

in trapped ions was originally proposed in [101] and another universal two-qubit

gate in [102]. The former proposal has been implemented as described in [103].

5. A qubit-specific measurement capability: This can be implemented through optical

pumping at a transition between some qubit energy level and an additional level,

with any emitted photons indicating the the qubit is in the level in question.

Current limitations in ion trap quantum computing include decoherence arising from

the ion-ion interactions and the difficulty of scaling to multiple traps, as well as the more

general challenges of maintaining the high vacuum and low temperatures required.


W states in the Innsbruck ion trap

The ion trap at the University of Innsbruck is a linear Paul trap containing 40Ca+ ions.

This trap has been successfully used to create three-qubit entangled states in the trapped

ions, as described in [104], with high fidelities for both the GHZ and W states. Com-

putational basis states in this case are implemented as the S1/2 and D5/2 states of the

ions.

The approximate W state ρIW created in the Innsbruck trap is given in [104], and

reproduced in Appendix B. Fidelity (as defined in (3.27)) with the pure W state is 91%.

Existing ion trap techniques should be sufficient to successfully implement theW protocol

in a trapped ion state, as described below.

3.7.2 Proposed experimental W protocol

The following procedure (as illustrated in Figure 3.3) is applied to all three ions in the

trap:

1. The ion trap qubits are encoded in an approximate W state ρIW in the states |S〉

and |D〉 of the calcium ion energy levels, where the |S〉 level represents state |0〉

and the |D〉 level represents state |1〉.

2. A π pulse is applied to excite ions in the |S〉 levels to some additional Zeeman

level D′, such that state |D′〉 now represents state |0〉 in the W state, which is now

encoded in the D and D′ levels.

3. A weak ǫ pulse is applied at the frequency separating the S and D′ levels, applying

the standard unitary operation of the W protocol, where |S〉 now represents the

state |2〉 in this protocol.

4. To perform the projective part of the W protocol, radiation is applied at the fre-

quency separating the S and P levels. Any fluorescence detected corresponds to


(4)

(3)(2)

42P3/2

42P1/2

32D5/2

32D3/2

|D′〉|D〉

|S〉42S1/2

Figure 3.3: Illustration of the procedure for performing the W protocol in trapped 40Ca+

ions. Ions are originally in a W state in the S,D subspace, changed (2) to the D′, D

subspace, then the unitary (3) and projection (4) are applied using state |S〉 as an

additional state |2〉

measuring an ion in the state S, projecting that ion into state |2〉 (and terminating

the protocol), otherwise the ion is projected into the |0〉, |1〉 subspace of D and D′

levels and steps 3 and 4 can be repeated.

3.7.3 Feasibility of random distillation

We wish to demonstrate, through simulation, whether advantageous random distillation

can be performed in the ion trap W state. That is, we would like to show that we can

perform a protocol using this state which will create expected entanglement between

post-selected parties higher than any we could achieve between preselected parties. We

have, of course, already shown this in the theoretical case for the pure W . Experimental


imperfections means it is not feasible to prepare trapped ions in precisely the state |W 〉,

thus we used the mixed state ρIW .

Thus we wish to show Ernd(ρIW ) > Esp(ρIW ) using the definitions from section 3.3

for some bipartite entanglement measure E. However we cannot use the entanglement

entropy in this case since the states in question are mixed. We choose instead the

concurrence q, and thus seek to show that qrnd(ρIW ) > qsp(ρIW ).

3.7.4 Upper bound to qsp

To find an upper bound qsp we need to find an upper bound on the concurrence q that

can be created between preselected parties for the state ρIW . Note that here we are not

simulating any particular protocol but providing an upper bound to what can be done

using any LOCC protocol. To do this, we make use of several results by Gour, discussed

in [80] and below:

For a tripartite mixed state, the generalised concurrence of assistance (GCOA) Ga

for pure states is defined in [80] as in (3.1), using q as the entanglement measure. I.e.

this is just the concurrence of assistance for pure states, which, in the case of a 3-qubit

state, we can calculate explicitly as discussed in section 3.4.1.

For mixed states, Ga is defined in terms of the convex hull, i.e. for a mixed state

ρABC =∑

i pi|ψi〉〈ψi|ABC ,

Ga(ρABC) = min∑

i

piGa(|ψi〉ABC) (3.121)

where the minimisation is over possible decompositions pi, |ψi〉ABC. Note however that

for mixed states we no longer have the operational interpretation -Ga does not, in general,

represent the maximum concurrence obtainable between Alice and Bob from ρABC .

However [80] showed that mixed-state Ga is an upper bound on the entanglement

obtainable between Alice and Bob from a general LOCC. Thus an upper bound on Ga

for the three possible pairs of parties AB,AC,BC provides us with an upper bound on


qsp(ρABC). Since Ga for mixed states is a minimum over decompositions, we can find an

upper bound for it by simply calculating (3.121) for any decomposition, though of course

we would like as tight a bound as possible.

Hence the maximum Ga (over pairs of parties) for pure states is a function we can

calculate explicitly and we want to minimise this function (separately for the three pairs

of parties) over pure-state decompositions of the ion trap state ρIW .

To do this (minimisation of a state function over pure-state decompositions) we make

use of the numerical algorithm of Zyczkowski [105], originally devised for calculating

entanglement of formation. It is known [106, 107] that for an N ×N density matrix we

need a maximum of N2 states in the decomposition to minimise a function - we can thus

perform the minimisation by exploring the space of unitary matrices of up to N2 × N2

size acting on some decomposition of ρ (the eigenvector decomposition being a natural

starting point). The algorithm is fully-described in [105] - in summary it consists of a

simple random walk in the space of unitary matrices, calculating the relevant function at

various random nearby points and “moving” to whichever gives the smallest value, then

repeating the process with smaller “steps” until some lower limit on step size is reached.

This procedure is repeated for unitaries of size N ×N up to N2 ×N2 and the minimum

Ga found.

An upper bound to qsp - results

We find upper bounds on Ga as given in Table 3.2. Thus we have qsp ≤ 0.587 for the

state ρIW .

3.7.5 Numerical simulation of random distillation

To find a lower bound to qrnd, we perform a simple simulation of the application of the

W protocol to the state ρIW , via the procedure discussed in section 3.7.2. We will take

into account the following ways in which this differs from the idealised case, based on a


Parties Upper bound on Ga Unitary size

AB 0.537 8 × 8

BC 0.587 8 × 8

AC 0.543 8 × 8

Table 3.2: Upper bounds on the obtainable concurrence for distillation of the Innsbruck

ion trap state ρIW to specified parties. Unitary size is the dimension of the unitary matrix

applied to the eigenstate decomposition of ρIW to obtain the minimal decomposition

found by Zyczkowski’s algorithm

description in [108].

• We are using the mixed state ρIW rather than the pure state W as our initial state

in all simulations.

• The lifetime of the state ρIW in the trap is approximately 400 ms, 1/3 that of

the metastable D5/2 state. Estimated time to perform a round of distillation is

approximately 0.25 ms. We shall therefore impose an upper limit of 16 rounds of

distillation (∼ 1% of the state lifetime) and neglect any spontaneous emission from

the state.

• We estimate a certain rate of misinterpreted measurements - that is, an ion is

thought to be in state |2〉 when it is actually in the |0〉, |1〉 subspace and vice versa.

The latter case is of less concern - an ion in state |2〉 but not measured as such will

remain in that state and very likely be measured as such in the following round.

The former is more of a problem since it can lead to a premature termination of the

protocol. It is estimated [108] that the measurement can be biased such that an ion

in state |2〉 is incorrectly measured with probability ≈ 0.05/3, with a corresponding

incorrect measurement probability of ≈ 0.005/3 for an ion in the |0〉, |1〉 subspace.


We simulate the W protocol performed on state ρIW subject to the above constraints

(we set the unitary parameter ǫD equal to 1√D+1

when D rounds remain, as would be

optimal for a pure W ) and record the value of the two-party concurrence q obtained. The

protocol terminates if one or more parties record state |2〉 or if 16 rounds are performed,

whichever occurs first. If the protocol terminates successfully (a single party is found in

state |2〉) the q for the other two parties is recorded. If 16 rounds are reached with no

parties in state |2〉, the q between Bob and Charlie is recorded.

The restrictions and errors we discuss above are those we explicitly impose. In ad-

dition, of course, since the state ρIW is not a pure W , it will degrade in the sense

of changing over multiple unsuccessful distillation rounds, as discussed for the general

three-qubit pure state in section 3.6.1 i.e. the parties’ shared state after the first round

is no longer ρIW .

Simulation results

Based on 104 simulated distillations we find an expected concurrence for the post-selected

parties 〈q〉 = 0.67 > qsp. Hence advantageous random distillation ought to be demon-

strable via the method described above.

3.8 Generalisation of allowed parties in random dis-

tillation

We have so far, in general, contrasted two different cases of obtaining entanglement

between subsets of parties - where a single subset is wholly predetermined (entanglement

of assistance and associated quantities) and where we allow any subset (Ernd and Et).

However, one can of course consider an intermediate regime between these two extremes.

Suppose that some set of parties A1 . . . AM wish to create shared EPR pairs. We could,

for example, consider the case where only pairs between A1A2 and A2A6 were desirable,


A2

N2

B2

A1

B1

R2

A1 A2

B2

N1

B1

|ψ〉⊗N

Figure 3.4: An intermediate random distillation regime for conversion of many copies of

a 4-party state ψ to EPR pairs. We wish to create entanglement between either the pairs

A1B1 or B1B2, but no other combinations, for a total rate R2.

or where every pair was desirable except between A1A2, and try to quantify how much

entanglement could be obtained under these circumstances. While our existing results

provide some bounds in such cases, in general we have not considered this intermediate

regime. However we will very briefly discuss one result of interest, obtained in discussions

with Jonathan Oppenheim.

Suppose we have 4 parties A1, A2, B1, B2. sharing many copies of some state ψ. They

wish to convert these states into EPR pairs shared between either A1B1 or A2B2 but not

any other states. That is, we have a LOCC procedure

|ψ〉⊗N → |Φ〉⊗N1A1B1

|Φ〉⊗N2A2B2

(3.122)

and we would like to obtain an expression for R2 ≡ limN→∞ sup N1+N2

N, maximised over

LOCC protocols, as illustrated in Figure 3.4.

3.8.1 Upper bound on R2 (entropy)

An upper bound on NR2 is just given by the local entropy of the joint state of parties A1

and A2, which starts as NS(ρA1A2) (where ρ is a reduced state of ψ), finishes as N1 +N2

and cannot increase through LOCC. Thus

R2 ≤ S(ρA1A2). (3.123)


If there are only 4 parties then S(ρA1A2) = S(ρB1B2), otherwise we have the (generally

tighter) bound

R2 ≤ minS(ρA1A2T ), S(ρB1B2T). (3.124)

3.8.2 Lower bound on R2 (time-sharing)

A lower bound on R2 is provided by considering doing state-merging (i.e. the optimal

many-copy protocol for obtaining entanglement between pre-selected parties) to create

EPR pairs between the pairs A1B1 and A2B2 separately and time-sharing. Or the parties

can just do state-merging on to whichever of the two pairs gives a better yield, thus:

R2 ≥ maxE∞aA1B1

, E∞aA2B2

. (3.125)

We then ask if either of these bounds is tight.

3.8.3 Random distillation can improve on the lower bound

We find that in some cases the W protocol for random distillation can improve on the

lower bound. Consider the 4-party W state shared between A1, A2, B1, B2:

|W4〉 =1

2(|0001〉+ |0010〉 + |0100〉 + |1000〉)A1A2B1B2. (3.126)

(3.125) gives a lower bound for R2 for this state of H2(1/4) ≈ 0.81 (where H2 is the

binary Shannon entropy). However, we know from section 3.6.3 that if we perform the W

protocol on this state we will end up with a randomly-shared 3-party W3 state. Suppose

the 4 parties do this and end up with a three-party W shared between A1, A2, B1. They

could perform a further round of random distillation, leaving them with a randomly-

shared EPR pair. However, this would only have a probability of 1/3 of being between

the desired pair of A1B1, a worse yield than the time-sharing approach.

Instead, if the parties use state-merging to obtain EPR pairs shared between A1 and

B1 from the W3 state, they can achieve an asymptotic rate of H2(1/3) ≈ 0.92. Any three


(1)

+

(2)

+ + +

+ ++

A2

B2

A1 A2

B2B1

A1

B1

A1

B1

A1 A2

B2

0.81M1 0.81M2

B1B1

A1 A2

B2

A1 A2

B1

A2

B2B1

A1

B2B1

A2

0.92M3

B2

0.92M2 0.92M4

A1

A2

0.92M1

B2

∑2

i=1Mi = N

∑4

i=1Mi = N

|W4〉⊗N

|W4〉⊗N

|W3〉⊗M1 |W3〉⊗M2 |W3〉⊗M3 |W3〉⊗M4

Figure 3.5: Converting many copies of a state W4 in the intermediate distillation regime:

A naive “time-shifting” protocol (1), separately creating EPR pairs between A1B1 and

A2B2, produces an asymptotic rate R2 ≈ 0.81. Using an intermediate random distillation

to three-party W states (2) gives an improved asymptotic rate R2 ≈ 0.92.

of the parties will contain either A1, B1 or A2, B2 so any of the possible W3 states can

be distilled to obtain EPR pairs at this rate between a desired pair of parties. Hence

we have R2(W4) ≥ H2(1/3) ≈ 0.92, beating the time-sharing lower bound, as illustrated

in Figure 3.5. Thus a mixture of random distillation and distillation to specified parties

improves upon either approach used alone.

However, the upper bound from (3.124) for W4 is H2(1/2) = 1, so this protocol does

not saturate that bound. Moreover, as with the condition Et > Esp, discussed earlier,

there exist states for which one can find trivial improvements on the lower bound e.g.

where the initial state is |Φ〉A1B1⊗|Φ〉A2B2 . Hence more careful definitions may be needed

to identify interesting effects.


3.9 Discussion

There are many ways in which the work on random distillation can be extended in other

contexts to those we have considered above. We discuss several examples below.

3.9.1 Full description of bipartite distillation

The majority of the above work discusses bipartite entanglement obtained from multi-

partite states in terms of quantities Et, Ernd etc. As discussed in the introduction, the

known properties of bipartite entanglement make such descriptions of multipartite states

worthwhile in the resource model. However, even when we are only interested in EPR

pairs as output states, such descriptions are inherently limited in that they map to a sin-

gle number output states in which bipartite entanglement is potentially shared between

many different pairs of parties.

A full description in a resource model of what conversions can be achieved to states

shared between fewer parties would require multiple numbers for a given state. To

give an explicit example, our work shows that a W state can be converted to an EPR

shared between parties AB, BC or AC each with probability 1/3, and hence could for

example be represented as a “vector” 1/3, 1/3, 1/3. A full description of W →EPR

conversions would have to describe the full range of such vectors, rather than simply a

sum or maximisation over pairs of parties as we have been doing so far. In general the

achievable conversions of an M-party state would require a vector with M(M − 1)/2

entries. A narrower question would be to enquire what range of vectors corresponds to

the “optimal” (maximum Et or Ernd) distillation for a given state.

3.9.2 More general multipartite states

Our work has largely concentrated on distillation of bipartite entanglement. As noted

in sections 3.4.3 and 3.6.3, random distillation can also be used to obtain multipartite


states both via intermediate EPR pairs and directly. In the former case, the full bipartite

description combined with existing results on quantum compression and teleportation

would likely be sufficient to classify the achievable conversions via this method.

Direct conversions (multipartite-multipartite states) are more complicated. As shown

in 3.6.3, advantageous random distillation (in the general sense of achievable final states

that cannot be achieved for predetermined parties) can occur in conversions from M-

partite to (N < M)-partite states, and intuition would suggest that this is much more

efficient in general than conversion via EPR pairs 1 Yet another possibility is multipartite-

multipartite conversion via multipartite intermediates, or combinations of these with

EPR pairs. However, the lack of operational measures for multipartite states makes it

difficult to describe these properties in a general way that goes beyond narrow classes.

3.9.3 Generalisation of allowed parties

As discussed in section 3.8, one can also consider the creation of entanglement between

multiple subsets of the parties. While numerous scenarios can be envisaged, with regard

to our discussions in that section, we would in in general like to find an exact formula for

R2. A simpler open question is whether the upper bound (3.124) is ever not saturated

(clearly it is sometimes saturated e.g. trivially where the 4 parties start with EPR pairs

between the desired pairs, or less trivially for the 4-party GHZ state).

3.9.4 Mixed states

In both the bipartite and multipartite cases (with the exception of section 3.7) we have

largely concentrated on pure states. Clearly a full description of state conversion through

LOCC to states held by subsets of the parties would also include mixed states, both as

1For example, creating an M -qubit entangled state via teleportation would require a minimum ofM − 1 EPR pairs, while a LOCC-conversion of an M + 1-qubit state could at most create (M + 1)/2EPR pairs, but as the symmetric Dicke state example shows, direct conversion of M +1-qubit to M -qubitstates can be achieved via random distillation.


the initial and final states. We note that our monotones Esp Et and Ernd are applicable

to mixed states if a suitable mixed-state entanglement measure E is used.

3.9.5 Relation to existing entanglement measures

While many of our defined quantities (Et, Ernd) are LOCC-monotones by definition, we

have not extensively explored the connection between these and existing monotones, and

though we have demonstrated the existence of advantageous random distillation in im-

portant classes of states, this has largely been through explicit examples. A desirable

goal would be to be able to determine a state’s properties with respect to existing mono-

tones which can be explicitly calculated or at least bounded. In the general case this is

of course challenging since relatively few such measures exist in the multiparty case.

The connection to existing monotones is also of interest since advantageous random

distillation (in the broad sense of obtaining final states not obtainable between pre-

determined parties) of an M-party to (M − 1)-party state requires genuine M-party

entanglement i.e. the original state cannot be expressed as a product state with respect

to any of the parties. By contrast, many monotones have positive values for any M

party state that cannot be expressed as an M-party product state (One exception is the

3-tangle [53], which is only non-zero in the case of genuine three-party entanglement).

Hence finding measures related to a state’s random distillation properties is related to

the more general problem of identifying genuine M-party entanglement.

3.9.6 Classical information

Fully classical analogues

As discussed in sections 3.4.2 and 3.6.3, our quantum protocols for distilling entanglement

have some fully-classical analogues for deriving classical correlations among subsets of

parties sharing some classical joint probability distribution. Just as in the quantum case,


the general problem of obtaining correlations among subsets of the parties is unsolved.

As well as the discussed example of distilling secret key between pairs of parties, one

could also consider the distillation of multiple-party classical correlations appropriate for

secret sharing - that is, a distribution which allows some subset of the parties to recover

a classical “secret” only if they all cooperate.

For example, if M parties each holding a binary variable hold a joint distribution

such that the binary sum of all their variables is always a fixed quantity, then the value

of all the parties’ variables can be obtained by any M − 1 parties. E.g. three parties

holding an equal mixture of the three bits 001, 010, 100, 110, 101, 011, whose binary

sum is 1. Any two cooperating parties can therefore determine the bit of the third. We

discuss such protocols further in the next chapter.

Classical key distillation from quantum states

In the quantum case, we have considered the distillation of entangled states, particularly

bipartite EPR pairs, which are sufficient for shared secret classical bits. However, as

discussed in the introduction, EPR pairs are not necessary for secret key distillation.

Thus one could consider separately the problem of obtaining secret classical key bits (or

equivalently private states [54]) from multiparty quantum states, via random distillation.

All the generalisations discussed above for the quantum case could be considered. In

addition, in the adversarial model for QKD one could also consider obtaining secret key

where certain of the parties are collaborating with the eavesdropper. The classical prob-

lem of generating common randomness (not necessarily secret) between two parties with

the help of a third, somewhat analogous to entanglement of assistance, was considered

by Csisar and and Narayan [109] who obtained various rate expressions as functions of

the parties’ shared information source.


3.9.7 Experimental Implementation

Our simple simulation of section 3.7.2 indicates that advantageous random distillation is

demonstrable experimentally. Clearly it would be desirable to confirm this by performing

an actual implementation. The simulation, however, could also be much improved - at

present we roughly simulate measurement errors and restrict our number of allowable

rounds to be small compared to the state lifetime. A better approach would be to fully

simulate the effects of spontaneous emission and thermal noise on the state over the time

required to perform the protocol.

3.10 Conclusion

We have demonstrated (with explicit protocols) a new means (“random distillation”) of

converting multiparty entangled states to those shared between fewer parties, and shown

that one can obtain qualitatively different results than those of prior methods. We have

defined measures for describing the outcome of random distillation and circumstances

under which it can be regarded as “advantageous”. We have found some general ran-

dom distillation properties of classes of states including the GHZ and W 3-qubit classes

and the class of symmetric Dicke states, including finding examples of states where ran-

dom distillation can produce target states which have arbitrarily small probability of

being produced between specified parties. We have derived upper bounds to what can

be achieved in random distillation, and shown that advantageous random distillation

does not occur in the many-copy limit. Finally, we have discussed a promising poten-

tial experimental demonstration of random distillation, with numerical evidence that

demonstrating advantageous random distillation should be feasible.

Chapter 4

Experimental GHZ-based QKD

4.1 Introduction

4.1.1 Multi-party protocols

As discussed in the introduction, an important application of quantum information,

strongly related to entanglement, is two-party quantum key distribution (QKD). As with

many applications in QIT, one can define multipartite analogues to the bipartite case for

QKD and related applications. Examples include

• Conference key agreement: N parties, connected by some quantum channels

and/or sharing certain quantum states, wish to share a single secret key, unknown

to any eavesdropper.

• Quantum sharing of classical secrets (QSCS): N parties have a shared quan-

tum state from which some minimum number of parties M ≤ N can, if they

collaborate, obtain a classical bit string. However, fewer than N parties (or any

eavesdropper) cannot obtain any information about the string.

• Quantum secret sharing (QSS): As above, but the quantity to be reconstructed

is a quantum state rather than a classical string (it follows immediately from the

105

Chapter 4. Experimental GHZ-based QKD 106

no-cloning theorem that we require M > N2).

(In addition to the above, there also exist fully classical (classical sharing of classical

secrets) secret sharing schemes.)

• Third-party quantum cryptography (TQC): This is a form of controlled QKD,

in that the successful performance of two-party QKD depends on the cooperation

of a third party who does not, however, share the final key.

A useful state for many of the above protocols is the three-party GHZ state

|GHZ〉 =1√2(|000〉 + |111〉)ABC. (4.1)

For the purposes of conference key agreement, the GHZ state seems a natural extension

of the EPR pair, in that three parties sharing such a state can straightforwardly obtain

a secret shared random bit via Z-basis (computational basis) measurements - we will

discuss this process further in following sections.

The GHZ state is also a +1 eigenvalue of the following observables:

XXX,ZZI, ZIZ, IZZ,−Y Y X,−Y XY,−XY Y, (4.2)

where X, Y and Z are the Pauli operators and e.g. XXX = XA ⊗XB ⊗XC represents

X measurements by Alice, Bob and Charlie.

GHZ-based schemes for sharing random classical secrets were proposed in [110] and

later in [111], based on the above property. In these schemes all 3 parties make either

X or Y measurements, and publically announce their measurement bases, discarding the

results except where the three chosen bases correspond to one of the observables above.

The secret in question consists of the parties’ three individual measurement results, each

±1, which, given that their product is known, correspond to 23/2 = 4 possibilities, or 2

bits of information initially unknown to an external eavesdropper. Each individual party

knows only their own result and consequently the product of the other parties’ results

but not the other parties’ individual results, representing 1 bit of information. However,


if two parties share their measurement results they have sufficient information to know

that of the third party.

It was also shown in [110] that a GHZ state could be used in a form of quantum

secret sharing. In this scheme Alice shares a GHZ state with Bob and Charlie and in

addition possesses a quantum secret in the form of a qubit in some arbitrary pure state.

She entangles her secret and GHZ qubits by making a Bell state measurement upon

them both, initially not revealing the outcome to Bob or Charlie. One of Bob or Charlie

(chosen at random by Alice, we shall suppose it is Bob) then makes an X measurement

upon their GHZ qubit, with Alice informing Charlie of her Bell measurement outcome. It

is shown in [110] that Charlie can then reconstruct Alice’s qubit if and only if Bob informs

him of his X measurement outcome. This is very similar to quantum teleportation [18]

but, as shown in [110] can be made secure against cheating and eavesdropping.

The applicability of the GHZ state to third-party quantum cryptography was noted

in [39]. Suppose for example that Alice, Bob and Charlie share some noisy GHZ states

(which may be partially entangled with an eavesdropper) and Alice makes an X mea-

surement upon her qubits. If Alice does not reveal her measurement result, Bob and

Charlie are left with the fully mixed state

ρmix = (|0〉〈0|+ |1〉〈1|)/2 (4.3)

which is a product state from which no secure key can be extracted. However if Alice

makes her result public then Bob and Charlie will know which of the two Bell states

1√2(|00〉± |11〉) they share noisy versions of, from which they can, in general, distill some

pure Bell states and consequently some secret key.

Some experimental implementation of multipartite quantum information protocols

has been done previously - GHZ-based QSCS and TQC has been demonstrated by by

Chen et al [112] using a four-photon source as a triggered GHZ source and was previously

demonstrated using “pseudo-GHZ” states (using an approach similar to the “prepare and

measure” scheme we adopt here) in [113]. A four-party QSCS was demonstrated in [114].


In this chapter, we will discuss the experimental implementation of a multipartite

quantum information protocol, specifically a three-party conference key agreement pro-

tocol based on GHZ states. This is based on a prepare-and-measure protocol originally

proposed in by Chen and Lo [39], which can be implemented using only bipartite entangle-

ment. Our goal is to consider the achievable secure key rate for a particular experimental

realisation of this protocol (implemented by Rob Adamson in the Steinberg group at the

University of Toronto), in which the key is encoded in polarisation states of entangled

photons produced in parametric down-conversion. As we will see, just as occurs in bi-

partite QKD protocols, successful implementation of this protocol (i.e. generating secure

key) is considerably more complex than in the idealised theoretical case.

We take into account the ways in which our setup differs from the idealised case

to determine an achievable experimental key rate. By adapting several existing results

related to both bipartite and multipartite QKD, we find that a positive key rate should

be achievable with our chosen implementation.

In section 4.1.2 we discuss the theoretical basis for a GHZ-based QKD and the

previously-derived key rate in [39]. In section 4.2 we describe our experimental setup

and explain the important ways in which it differs from the idealised case. In sections

4.3 and 4.4 we discuss how previous results in two-party QKD may be adapted to our

experimental implementation to take account of these imperfections. In section 4.7 we

explicitly apply these techniques to our implementation to derive an expression for a

secure key rate. In section 4.8 we describe the estimation of parameters such as channel

transmissivity and error rates for the experimental implementation, and based on such

estimates we derive optimal settings and an expected key rate for the implementation.

This is joint work with Rob Adamson.


4.1.2 GHZ-based QKD

As discussed in the introduction, entangled states provide a natural means of generating

secure key between separated parties. Parties sharing a pure EPR pair need only make

computational basis measurements to obtain one bit of secure key. In the tripartite case,

three parties may likewise generate secure key from the GHZ state through computational

basis (Z) measurements. Hence one could consider a QKD involving three parties (Alice,

Bob and Charlie) based on distribution of GHZ states - Alice locally creates GHZ states

then distributes Bob and Charlie’s qubits to them over an open channel, the three parties

distilling pure states from the noisy GHZ states which result, then measuring the final

states in the Z basis. Such a protocol was considered by Chen and Lo in [39], who showed

that it could be performed and reduced to a prepare-and-measure scheme. Thus only

bipartite entangled states are required. We summarise here some of the features of this

protocol.

The protocol is based on noting that the GHZ is an eigenstate of the observables

(4.2). These observables all factorise with respect to the parties. Thus if the three

parties possess an ensemble of many noisy GHZ states, they can estimate the error rates

(i.e. the probability of getting -1 measurement results) by making local measurements

and classically communicating their results for the observables.

Considering the form of the GHZ state, one sees that there are four possible types of

bit and phase error. Each of the three parties’ qubits can have a bit error and there can be

an overall phase error between the two terms in the computational basis. Combinations

of these errors define 24 = 16 states, half of which are redundant, since up to an overall

phase a bit error on N of the three parties is equivalent to a bit error on 3 −N parties.

Thus we have 23 = 8 different error states, which define a three-qubit basis. It is shown in

[39] that the parties can, through random local unitaries, diagonalise any tripartite mixed

state in this basis. Thus we need only consider the probability of the above errors. These

probabilities are simple functions of the error rates (4.2), hence the parties can determine


the error probabilities through local measurements and classical communication.

Correcting the bit and phase errors will leave the parties with pure GHZ states. In

[39] it is shown how this may be achieved in principle using a modification of a multi-

party random hashing protocol originally due to Maneva and Smolin [38]. Defining the

phase error rate b0, and bit error rates b1 and b2 for, respectively, the operators XXX,

ZIZ and ZZI, the random hashing protocol can purify GHZ states at a rate at least

1−H2(b0)−H2(b1)−H2(b2), with the error terms representing the amount of hashing that

must occur and hence the number of “raw” states that must be sacrificed to determine

the location of the bit and phase errors and hence correct them.

Chen-Lo GHZ distillation rate (ideal case)

In [39] an improved rate is derived, based on the possibility of correlations between

the various errors. Any such correlations will mean that the information obtained in

correcting one set of errors will be of use in correcting other. This leads to a rate per

received pair (in the case where all 3 parties are using the Z basis):

RCL = 1 − maxH2(b1), H2(b2|b1) −H2(b0) + I(b0; b1, b2) (4.4)

where I is the classical mutual information [64]

I(X;Y ) = H(X) −H(X|Y ). (4.5)

Having established the error pattern of b1 through H2(b1) rounds of hashing, only the

additional hashing H2(b2|b1) is required to obtain the pattern of b2. However a single

round of hashing to obtain bit-error information gives information on both b1 and b2.

Thus only the maximum of these is required. Correcting phase errors similarly requires

H2(b0) rounds of hashing, but knowing the error pattern of b1 and b2 provides I(b0; b1, b2)

bits of information on this already. The required hashing is consequently reduced.

As shown in [39], this protocol (distribution of GHZ states, followed by error correc-

tion through random hashing using quantum circuits) can be reduced to a prepare-and-


Alice’s basis Result Transmitted state

X ±1 1√2(|00〉 ± |11〉)BC

Y ±1 1√2(|00〉 ± i|11〉)BC

Z +1 |00〉BCZ −1 |11〉BC

Table 4.1: Summary of Alice’s transmissions in the ideal Chen-Lo protocol

measure QKD protocol. In this case Alice measures her qubit before distributing the

remaining two to Bob and Charlie. Her measurement can be in the X, Y or Z bases,

resulting in Alice transmitting states as given in Table 4.1.

On receiving their qubits, Bob and Charlie make X, Y or Z measurements on them.

Thus a single round of transmission and measurement involves an effective measurement

of X, Y or Z by each of the three parties. In the QKD protocol, ZZZ measurements give

the three parties their bit values, remaining measurement combinations either correspond

to the elements (4.2) and hence give error rates, or are discarded.

Correction of bit errors can be done classically using forward error correction (i.e.

using some classical error-correcting code, Alice broadcasts encrypted error-correction

bits to Bob and Charlie, who then correct the relevant blocks). As with BB84 and its

security proof, phase errors have no effect on the Z values measured in the final key. Thus

it is not necessary to actually correct these errors - to establish security, it is enough just

to show that they could have been corrected in principle. This can be achieved by privacy

amplification via e.g. classical random hashing.

4.2 Experimental implementation

The above prepare-and-measure protocol is concerned with an idealised case of sending

precisely the states listed in Table 4.1 over some noisy channel and detecting them with


perfect efficiency.

In our work, we wish to adapt the protocol of [39] so as to obtain a secure key dis-

tribution within our experimental setup. As described above, the prepare-and-measure

GHZ QKD consists of Alice distributing two-qubit states to Bob and Charlie, some of

which are entangled. In the experiment, the quantum systems used are the polarisa-

tions of photons in free space, with horizontal polarisation corresponding to bit-0 and

vertical to bit-1. Alice generates these pairs using parametric down-conversion (PDC) of

photons from a continuous-wave (CW) pump laser, with the parties selecting their po-

larisation bases (for transmission or measurement) using liquid crystal (LC) waveplates.

The experimental setup is shown in Figure 4.1.

As shown in the figure, coincidence electronics connecting Bob and Charlie’s detectors

(silicon avalanche photodetectors (APDs)) record the timing of photons detected. A

successful detection consists of detecting a photon “pair” which in practice means photons

arriving at both Bob and Charlie’s detectors within the same time window. Ideally

this window is as short as possible (∼10ns in our implementation). The public timing

information presents no additional security concerns since in principle Eve could obtain

it directly and non-destructively from the photons.

We note that we assume in our analysis that all the photodetectors are identical in

performance. If this is not the case than this may be exploitable by Eve - attacks based

on this “detection efficiency mismatch” have been proposed in [115] and experimentally

implemented in [116], with an additional attack proposed and implemented in [117].

4.2.1 General form of the QKD protocol

In section 4.2.2 we will discuss our modifications to the Chen-Lo analysis given the

differences in our experimental situation from the ideal case. However our QKD protocol

is still in the following general form:

1. Alice transmits photon pairs to Bob and Charlie who measure their polarisation.


2x2.5mmBBO, Type I

Phasematching

PolarisingBeamsplitter

LC waveplate

LC waveplate

LC waveplate

10 nm spectral filter

LC waveplate

Spatial filter

LC waveplate

405nm CW Pump

Charlie

BobAlice

Coi

ncid

ence

Ele

ctro

nics

Figure 4.1: GHZ QKD experimental setup (based on a diagram by Rob Adamson)

The three parties use the polarisation settings as described in section 4.1.2, or a

subset thereof.

2. The three parties determine error rates in the observables given in (4.2).

3. From the cases of ZZZ measurement settings, the parties obtain classical “raw”

key bits.

4. The parties correct errors in the raw key bits using classical error correction, re-

sulting in an identical shared key of corrected bits.

5. The parties perform classical privacy amplification on the corrected key bits to

obtain a final secure key.


4.2.2 Non-ideal properties of Alice’s output in the experimental

situation

Ideally, a given transmission by Alice (that is, those photons she sends into the channel

in between changes of her basis and bit settings) consists of exactly one photon pair,

randomly chosen from the states in Table 4.1. In practice this is not the case. The

output from Alice’s down-conversion crystal consists of multiple spatial, frequency and

polarisation modes. As shown in Figure 4.1, we obtain the desired modes in the appropri-

ate polarisation states by spatial and wavelength filtering within Alice’s lab, along with

additional use of waveplates to adjust polarisation. This process is imperfect, in that

the photon pairs leaving Alice’s lab are, in general, not precisely in the states of Table

4.1. In the case of a single photon pair, such imperfection is taken into account by the

measured error rates in Bob and Charlie’s received states, and has no further security

implications.

Multiple pairs

The analysis of [39] is sufficient in the case where Alice transmits either a single photon

pair or vacuum (since the latter is equivalent to Eve simply blocking a single photon

pair, as she is always free to do). However, in our case there is a non-zero probability for

the down-conversion crystal to output two or more photon pairs, each of which may pass

the spatial and wavelength filters, resulting in multiple pairs in the channel. Clearly this

presents a security problem - in our implementation Alice has no way of knowing if this

has occurred, and, if it does, Eve has a “spare” copy of the transmitted state which she

can measure, allowing an unaltered copy to proceed to Bob and Charlie and thus not

affecting the parties’ error rates. Such transmissions are completely insecure.


Unpaired photons

A second, more subtle problem arises from our means of generating photon pairs using

filtered down-conversion. While a small number of photon pairs produced in PDC leave

Alice’s lab and are sent into the channel, the majority are filtered out by the spatial and

wavelength filters within Alice’s lab. However, since these filters operate independently on

those photons intended for Bob and and for Charlie, another possibility is that only one of

the two photons in the pair enters the channel, with the other staying in Alice’s lab. This

turns out to be considerably more likely than both photons entering the channel, with

the result that every pair Alice transmits is, on average, accompanied by many unpaired

photons arising from the same polarisation settings. Can Eve gain useful information

from these unpaired photons? We see immediately that the answer is yes. Referring to

Table 4.1, if Alice is transmitting pairs in the X or Y bases, unpaired photons will be

in the fully mixed state whereas in the Z basis unpaired photons will either all be in

state |0〉 or in state |1〉 depending on the transmitted state. Therefore, not only do the

unpaired photons give Eve information about Alice’s basis, but in the case of the Z basis

(in which all the key bits are transmitted), they tell Eve what the bit value is. Clearly

this presents a security problem.

4.2.3 Summary of solutions to security problems

Multiple pairs - reduced intensity

We deal with the problem of multiple pairs simply by using a low intensity of pump

laser for the PDC, resulting in a low mean number of pairs leaving Alice’s lab and a

correspondingly low probability of multiple pairs.


Unpaired photons - added noise

To reduce Eve’s information from the unpaired photons, we add additional unpaired

photons to the channel, such that the distribution of unpaired photons in the channel is

close to being the same state irrespective of the state of the photon pairs. This can be

achieved in one of two ways - either through adding large numbers of photons in state

ρmix at all times (drowning out the information with uncorrelated “white noise”), or, in

a more sophisticated approach, adding photons in state |1〉 when all the PDC-derived

photons are in state |0〉 and vice versa. While this “anticorrelated noise” should allow

for a higher key rate, it requires more waveplates than we have available, thus in our

implementation of the QKD we add uncorrelated noise. This is achieved by Alice

using separate horizontally and vertically polarised LED sources of equal intensity. Since

these undergo the same spatial and wavelength filtering as the PDC photons (and both

sources are effectively phase-randomised, since down-conversions occur at a rate much

lower than the coherence time of the pump source), they should be indistinguishable from

the PDC photons.

In the following sections we integrate these security problems and solutions into the

derivation of the secure key rate for our experiment.

4.3 Multiple pairs and the PNS attack

The issue of Alice inadvertently sending multiple photons pairs into the channel has

a straightforward analogue in Alice sending multiple photons into the channel when

performing a two-party QKD with Bob only. This is a well-known issue in the two-party

case, since implementing a true single-photon source is very challenging and arguably the

most common photon source is a laser emitting a Poissonian mixture of Fock states. A

security analysis of this general situation was done in the 2-way case by Gottesman, Lo,

Lutkenhaus and Preskill (GLLP) [118], and is readily employed here, as discussed below.


In a worst-case scenario, we can assume that every time more than one pair is trans-

mitted the transmitted state is completely insecure and known to Eve. Naıvely, one

might then think that one can simply upper bound the secure key rate by deducting the

fraction of insecure (multiple-pair) states transmitted, and using privacy amplification

to achieve the necessary rate. However, what matters is what fraction of received states

are insecure, and this can be manipulated by Eve. In particular, Eve can, in principle,

without causing any polarisation errors, make a photon number count to see if a state is

secure or not, then block secure states and increase the chance of transmission of insecure

states such that the insecure fraction is very high. This is known as the photon number

splitting (PNS) attack.

Methods such as the use of decoy states [119, 120, 121, 122] exist to counteract PNS

attacks, but our experiment will not employ them1, hence we simply wish to find an

upper bound to the potential insecurity caused by the multiple-pair states. Following

the analysis of [118] (and simply considering single pairs rather than single photons), we

note that we wish to find the minimum number of pairs received by Bob that are secure,

as follows:

Suppose Alice transmits NA sets of pairs, NAi of which are insecure (i.e. they contain

more than one pair), and Bob and Charlie receive NBC pairs (if only one of Bob and

Charlie receives a photon from a pair, the pair does not count as received). In the

worst-case scenario, every insecure pair gets transmitted. Thus a minimum NBC−NAi of

received pairs are from transmissions containing zero or one pairs. We will describe such

transmissions as “potentially secure” (PS)- that is, they are, at least, not insecure

due to multiple pairs, though not necessarily secure either.

1Implementation of decoy-state protocols requires the photon number distribution of transmissionsto vary between transmissions, which in our case would mean imposing very rapidly-varying attenuationof the pump laser for our PDC, for which we are not equipped.


Considering the insecure fraction of transmitted pairs

Θ =NAi

NA(4.6)

and the transmissivity of the channel

Q =NBC

NA(4.7)

that means a fraction

Ω =NBC −NAi

NBC= 1 − Θ

Q(4.8)

of the received pairs are from PS transmissions.

4.3.1 Multiple pairs and key rate

Thus the raw key obtained by the parties in step 3 of section 4.2.1 will, in general, contain

some bits derived from insecure transmissions, and can be considered as a combination of

insecure and PS bits. However, in our case, the parties do not know which transmissions

these are. This means, for example, that they have to correct bit errors on all the key bits,

and thus must still sacrifice the usual fraction of the raw bits to do so. (In other words,

they must make the pessimistic assumption that all bit errors occur on the PS bits).

We note here that the loss LFEC in the key rate due to bit error correction follows from

a classical argument unrelated to the remainder of the security proof - it is simply the

classical bits sufficient for Alice to correct the bit errors via classical FEC. We can assume

that Alice transmits these bits using a one-time pad, thus they are unavailable to Eve.

However, considered in the context of a prepare-and-measure protocol, the expression

maxH2(b1), H2(b2|b1) in the GHZ distillation rate of [39] (4.4) implicitly assumes that

all the information (i.e. which bits they fall on) on Bob’s bit errors (with rate b1) is

made public and hence can be used by Charlie, and while intuition suggests it to be the

case, we have not proven that this raises no security issues in the prepare-and-measure

protocol.


Hence we use the (in general) slightly larger loss maxH2(b1), H2(b2) - if Alice uses

this proportion of check bits in her FEC, this will be sufficient to correct both Bob and

Charlie’s bit errors, without the location of anyone’s errors being publically revealed

(except in the negligible fraction of raw bits made public to establish error rates).

Hence we use the expression

LFEC = maxH2(b1), H2(b2). (4.9)

As noted in GLLP, however, privacy amplification by random hashing on a mixture

of insecure and secure bits is equivalent to applying an XOR operation between secure

and insecure key strings, resulting in a secure final key of the same length as the secure

key string. We do not need to know which are the insecure bits to obtain a secure final

key through privacy amplification (indeed, we would not need privacy amplification if we

did, we could simply discard all insecure bits).

This has an intuitive parallel in the entanglement distillation picture: as also noted

in [118], in principle the parties could know which the insecure states are, by performing

the same non-destructive photon-number measurement we allow Eve to perform. For

phase error correction (privacy amplification in the prepare-and-measure protocol), we

do not need to perform such error correction, we only need to perform sufficient privacy

amplification to give us the key size we would have if we were correcting these errors.

Hence we can assume that when doing phase error correction we do know which the

insecure bits are.

However, in our case, the raw corrected key is merely a mixture of insecure and

potentially secure bits, with the security for the latter unproven. Suppose, though, that

we could prove security for the PS bit string hashed down to some fraction RPS of its

original length and separately perform this hashing on the PS bits. Then hashing together

the resultant bits with the insecure bits from multiple pairs would, as per the analysis

above, result in a secure key, a fraction ΩRPS − LFEC of the uncorrected raw key.

But, as argued above, for linear hashing there is no need to separate the secure and


insecure bit strings and the above operation is equivalent to simply hashing the corrected

key to the appropriate length. Thus, we can achieve a key rate

R ≥ ΩRPS − LFEC (4.10)

This argument is straightforward in the case of individual attacks, where we restrict

Eve to only attacking a single transmission at a time. Under such circumstances the most

she can possibly achieve is to have to complete knowledge of a given transmission, which

we already allow for the multiple-pair states in the above analysis. The situation is less

clear for general attacks, in which Eve can, for example, induce correlations between the

transmissions containing multiple pairs and those which do not. The analysis in [118]

allows for such attacks, but assumes that sender and receiver’s systems are qubits. We

can potentially deal with this by use of a “squashing model”, as discussed further in

section 4.10.3.

In the following section we discuss the unpaired single photons and a security analysis

to derive RPS.

Side note on error correlations

We note in passing that, comparing (4.10) to (4.4), the latter contains no mutual in-

formation term reflecting bit/phase error correlations. This is, in general, because the

“phase error” description is specific to an entanglement-distillation based picture, which

we are not necessarily using in deriving RPS. In addition, however, even if one uses this

description there may be overlap between the information on phase errors supplied by

the bit errors and information we have implied by our assumptions.

Suppose there were no unpaired photons. In this case we could combine the EDP

analysis of section 4.1.2 with our GLLP analysis above, considering now the phase errors

on the PS states as follows:

We assume the worst-case scenario of all phase errors on PS bits. Hence the phase

error rate on these bits is b0Ω

, affecting a fraction Ω of the bits, so ΩH2

(b0Ω

)bits are lost


in error correction. Since we start with a secure proportion of the bits Ω, this leads to a

key rate of Ω − maxH2(b1), H2(b2) − ΩH2

(b0Ω

).

However we cannot simply add I(b0; b1, b2) to the above rate. This is because we

are already implicitly assuming some knowledge about the phase errors which aids us in

their correction - that they all occur on insecure states whose location we can in principle

know. This reduces the bits lost in phase error correction to ΩH2

(b0Ω

)rather than H2(b0).

While, in general, the bit error correction does also give us some information about phase

errors, in the worst-case scenario this overlaps maximally with the above information.

Thus the key rate for this hypothetical scenario (additional pairs, no unpaired photons,

as distinct from our experimental scenario) according to this analysis is

RGHZ ≥ max

[

Ω − maxH2(b1), H2(b2) − ΩH2

( p

Ω

)

,

Ω − maxH2(b1), H2(b2) −H2(p) + I(p; b1, b2), 0

]

(4.11)

4.4 Security of potentially secure (PS) states

As discussed above, we can effectively divide the corrected raw key bits into those arising

from insecure states and those from PS states, and determine a separate key rate for the

PS states, whose insecurity derives partially from unpaired single photons. As mentioned

in section 4.2.2, we attempt to counteract this by having Alice add many additional

photons in the state ρmix to every transmission. Thus the PS states consist of zero or

one photon pairs, accompanied by unpaired single photons with, in general, polarisation

states with some degree of correlation to the photon pairs. (Of course, the insecure

states are also accompanied by unpaired single photons, but we already assume Eve has

complete information about such states.)

We thus require a security analysis for the PS states that takes into account the

unpaired photons, which essentially constitute a side channel giving partial information


Alice

Bob

Charlie

?

?CC

CC

0100111011001...

Bob−Charlieρ

Figure 4.2: Eve’s view of the QKD - Alice transmits quantum states ρ (as well as

broadcasting encrypted classical communications (CC)) to a joint entity Bob-Charlie in

order to establish a common secret classical key. Eve wants to know the key, but only

has access to ρ and CC.

about the signal states (the pairs).

We could quantify the classical information about the signal states provided by the

side channel, but this would ignore the possibility of Eve making some joint quantum-

mechanical attack on unpaired and pair states together. Instead, we require an analysis

that considers, quantum-mechanically, the complete state in the channel. Fortunately,

our protocol has a property which makes this analysis more straightforward in light of

earlier work, namely that, as depicted in Figure 4.2, from Eve’s point of view, the

QKD is essentially a two-party protocol.

What do we mean by this? Simply that, since we intend for Bob and Charlie to have

the same key bits, one could regard the QKD as Alice sending quantum-mechanical states


to a single receiver (Bob+Charlie), followed by broadcasting some encrypted classical

information to allow error correction and privacy amplification to be performed. As a

result a single key is generated between Alice and Bob-Charlie. Now, of course, Bob

and Charlie are separated and cannot perform joint quantum operations, which limits

the operations they can perform to verify the error rates of the states and perform

error correction and privacy amplification. But if they can nonetheless perform such

operations, then from Eve’s point of view the protocol is just of Alice sending quantum-

mechanical states to Bob-Charlie, which she wishes to exploit along with any public

classical information to obtain the key.

Hence we can potentially use a two-party security analysis in this case, which we shall

do in the following section.

4.4.1 Lo-Preskill security analysis

A suitable analysis (by Lo and Preskill) is found in [1]. We recall that the potential

insecurity of the states Alice transmits arises from their “leaking” information to Eve

(via the unpaired photons) regarding the basis in which Alice is transmitting, information

which Eve can exploit to gain information about the final key. As usual the parties can, in

principle, take this into account to reduce Eve’s information about the final key through

privacy amplification. The work of [1] applies a general analysis based on the work of

Koashi [123] to quantify the privacy amplification required for a given amount of leaked

basis information. The analysis is for a two-party protocol (Alice and Bob) in which

Alice transmits in one of two bases, and is based on the complementarity principle. We

will outline it briefly below.

The authors of [1] consider a situation where Alice holds a qubit, from which she

obtains her key bit via measurement in one of two bases, which we shall take here to be

X and Z 2. Depending on her basis, she sends some state over a quantum channel to

2In [1] the corresponding bases are Y and X , the change does not affect the analysis.


Bob, who performs an X or Z-basis measurement upon his received state to obtain his

key bit. (Strictly speaking Bob performs a POVM MX or MZ , since we cannot assume

his received state is a qubit).

Since it makes no difference to Bob’s measurement result or those of a hypothetical

Eve, we can assume that Alice does not make her measurement until Bob receives his

state, and denote Alice and Bob’s joint state prior to measurement as σX or σZ (not to

be confused with the Pauli operators), depending on the basis used.

We consider first the subset of cases where Alice and Bob both measure in the Z

basis. They can, as usual, publically announce a subset of their bits to determine an

error rate δZZ (where the superscript denotes the parties’ measurement basis and the

subscript denotes their shared state, in this case σZ). Alice and Bob correct these errors

via classical error correction by sacrificing a fraction H2(δZZ ) of secure bits, leaving them

with shared bits but, of course, no guarantee that these are secure.

However, since Eve’s knowledge of the key is unaffected by whether or not Alice’s

measurement is performed before or after Bob’s we can assume that Bob measures first,

leaving Alice with some qubit state on which she makes Z measurements to obtain key

bits. The underlying principle of security in [1] and [123] is that if Alice’s qubits,

conditioned on Bob’s measurement outcome, are left as X eigenstates, then if

she subsequently performs Z measurements upon them the resulting classical

bits are guaranteed, via the uncertainty principle, to be completely unknown

to Eve.

To quantify how close Alice’s qubits are to X eigenstates under such circumstances,

we consider Alice and Bob’s joint state (prior to measurements) σZ , and consider what

would happen if, rather than Z measurements, Alice and Bob made X measurements on

this state.

As shown in [1], if Alice and Bob could obtain an error rate δXZ when making X

measurements on σZ , then, when Alice and Bob make their usual Z measurements on


σZ Alice can first project her N qubits to N(1 − H2(δXZ )) states exponentially close to

X eigenstates. This is equivalent to Alice and Bob performing privacy amplification via

random hashing to the “raw” key bits. The net effect is that Alice and Bob can extract

key at a rate

RLP = 1 −H2(δZZ ) −H2(δ

XZ ). (4.12)

However, the quantity δXZ is not measured directly in the protocol, corresponding as

it does to Alice and Bob making X measurements but sharing the state σZ . Instead,

during the protocol, they make X measurements on a state σX to obtain an error rate

δXX . These three types of measurement are illustrated in Figure 4.3.

Of course, if σX = σZ (i.e. the shared state is basis-independent, such as in an ideal

BB84 protocol) we can take δXX = δXZ , but in general there will be some basis-dependence

and we need to obtain a relationship between δXX and δXZ .

Two means of deriving such a relationship are given in [1], and described below.

The “quantum coin” argument

The quantum coin argument assumes that, prior to transmitting, Alice holds a pure

joint state of her qubit and the states to be transmitted, either ψX or ψZ depending

on the basis, and further that Alice holds an additional “quantum coin” (QC) qubit, a

measurement on which determines her basis, for a joint state (prior to transmission) of

|ψ〉 = (|0〉QC ⊗ |ψX〉 + |1〉QC ⊗ |ψZ〉)/√

2. (4.13)

In the above state, if ψX = ψZ (basis-independence3), the quantum coin qubit is in a +1

eigenstate of X. In general, an X measurement on the coin produces a −1 result with

probability ∆, where

〈ψX |ψZ〉 = 1 − 2∆. (4.14)

3Note of course that Eve can do anything in the channel, so these need not be Alice and Bob’s jointstates after transmission, but the basis-independence will nonetheless hold since Eve cannot increase thestates’ distinguishability.


mode

Eve

qubit

Bobmeasures MZ

measures ZAlice

Filter

ρZ

Eve

qubit

Bobmeasures MX

measures XAlice

Filter

ρX

mode

mode

Eve

qubit

Bobmeasures MX

measures XAlice

Filter

ρZ

(1)

(2)

(3)

Error rate δZZ

Error rate δXX

Error rate δXZ

Figure 4.3: Types of measurement in the two-party Lo-Preskill protocol. Alice holds

a joint state ρX/Z of her qubit and the transmitted state. After the transmission they

hold joint states σX/Z and make measurements, with Bob filtering out any inconclusive

outcomes. In scenario (1) they perform Z measurements on state σZ for an error rate

δZZ . In the other experimental scenario (2) they perform X measurements on σX for an

error rate δXX . In scenario (3), which does not occur in the experiment, they perform X

measurements on σZ for an error rate δXZ . The achievable key rate can be expressed in

terms of this error rate. (Adapted from diagrams in [1], Copyright Rinton Press (2007).)


Thus a larger ∆ corresponds to more leaked basis information. As in the PNS attack,

Eve can increase this effect via selective blocking if there is any loss in the channel. For

a fraction QLP of transmitted PS states being received, this results (in the worst-case

scenario) in an “effective ∆”, ∆′, where, analogously to (4.8)

∆′ =∆

QLP. (4.15)

The authors of [1] derive a relationship between δXX and δXZ in terms of ∆′, showing

that

δXZ ≤ δXX + 4∆′(1 − ∆′)(1 − 2δXX ) + 4(1 − 2∆′)√

∆′(1 − ∆′)δXX ))(1 − δXX ) + ǫ (4.16)

for any ǫ > 0.

The fidelity argument

It is further shown in [1] that a similar relation to (4.16) may be obtained without

reference to a quantum coin or a pure joint state of Alice’s qubit and transmitted state,

as follows:

We consider Alice and Bob’s joint states after transmission (but before measurement)

σX and σZ . We recall that we are relating the error rates of both parties performing X

measurements on these two states, and denote this joint measurement as a three outcome

POVM Ea, where the three outcomes correspond to Alice and Bob’s outcomes agreeing,

disagreeing, or Bob’s measurement being inconclusive (i.e. he does not receive a signal).

We assume that the probability of a conclusive measurement is basis-independent, and

is therefore simply equal to QPS.

Recalling the general inequality for POVMs operating on density matrices

F (σX , σZ) ≤∑

a

√

tr(σXEa)tr(σZEa) (4.17)

where F is the fidelity

F (σ, ρ) = Tr

√

ρ12σρ

12 . (4.18)


we have

F (σX , σZ) ≤ (1 −QLP ) +QLP

(√

δXXδXZ +

√

(1 − δXX )(1 − δXZ )

)

. (4.19)

Note that we do not know the states σX and σZ which, in general, depend on Eve’s actions

in the channel. However, since Eve’s actions cannot increase the distinguishability of the

states, we have, for the pre-transmission joint states (of Alice’s qubit and the states to

be transmitted) ρX and ρZ .

F (ρX , ρZ) ≤ (1 −QLP ) +QLP

(√

δXXδXZ +

√

(1 − δXX )(1 − δXZ )

)

. (4.20)

from which we obtain the inequality

δXZ ≤ δXX + 4∆′F (1 − ∆′

F )(1 − 2δXX ) + 4(1 − 2∆′F )√

∆′F (1 − ∆′

F )δXX (1 − δXX ) + ǫ. (4.21)

where ∆′F = ∆F/QLP and

F (ρX , ρZ) = 1 − 2∆F . (4.22)

Note, however, that, unlike the quantum coin argument (which provides unconditional

security), the above relation concerns attacks by Eve on individual transmissions and

thus a key rate derived from the fidelity argument is only valid for such “individual”

attacks.

4.4.2 Modified fidelity argument

We note that a small modification of the fidelity argument in [1] is possible. In section

4.4.1 we referred to the POVM Ea operating on the states ρX and ρZ as a description

of the measurement outcomes of Alice and Bob’s X measurements on their respective

portions of the states.

Suppose we consider a different POVM E ′a, identical to Ea except that we are

now considering a (hypothetical) X measurement made by Alice before transmitting the

state to Bob (we do not need to assume that this is what she actually does). Clearly,


whether she does such a measurement before or after the transmission makes no difference

to the parties’ joint measurement outcomes. Furthermore, the same joint measurement

outcomes will of course be produced if the X measurement we consider is one of many

made by Alice (in other words, if she keeps measuring her qubit in the X basis she will

keep getting the same outcome). Hence let us consider the states ρ′X , ρ′Z , the joint states

of Alice’s qubit and the transmission state after an X measurement by Alice but before

transmission. By the reasoning above (in other words, that the joint outcomes of X

measurements are unchanged if the initial states are ρ′X , ρ′Z rather than the undashed

states), we have that

δXZ = δXX + 4∆X ′F (1 − ∆X ′

F )(1 − 2δXX ) + 4(1 − 2∆X ′F )√

∆X ′F (1 − ∆X ′

F )δXX ))(1 − δXX ) + ǫ

(4.23)

where ∆X ′F = ∆X

F/QLP and

F (ρ′X , ρ′Z) = 1 − 2∆X

F . (4.24)

Note that δXZ and δXX here are thus the same quantities as in the previous section, since

as discussed above the error rates will be the same on a state where Alice pre-measures

X.

In other words, using this argument, we can replace ∆′F in (4.21) with ∆X ′

F to get

(4.23). Since F (ρ′X , ρ′Z) ≥ F (ρX , ρZ) this gives us, in general, a higher key rate, which

will prove useful later.

Thus we will use the modified version of the fidelity argument in preference to the

original version. Note that we cannot further improve the fidelity bound by also applying

Bob’s measurement to the states, since this measurement must occur after transmission

and any action by Eve. We cannot assume that Eve’s action follow by Bob’s measurement

will produce a higher fidelity than Bob’s measurement alone.

All the above still applies in our three-party protocol with Bob-Charlie as the receiver.

As with the fidelity argument, however, this works only for individual attacks.


4.4.3 Applying Lo-Preskill to the GHZ experiment

We note that we can reduce the GHZ protocol to a two-basis protocol (as required to

apply the above analysis) by only using the Z and X measurements for all 3 parties (in

the EDP picture, Z and X measurements are sufficient to establish bit and phase error

rates, Y measurements allow us to determine any correlations between these rates and

hence, while they improve the key rate in general, are not necessary).

As discussed above, we can apply the two-party analysis to our three-party experiment

by considering Bob and Charlie as a single party. Here we note where the experiment

differs from this assumption, and how we can deal with this.

• Bob and Charlie cannot perform joint quantum operations. In particular, this

means they cannot obtain key bits from the X transmissions (though they can

obtain error rates from these transmissions by publically announcing their mea-

surement results). Thus, all the key bits come from the Z transmissions. This does

not affect security, however.

• All unpaired photons in the channel are directed towards either Bob or Charlie.

Thus there is an additional bit of information carried by each photon (equivalently,

a classical side-channel) compared to a genuine two-party case. However, this

information has no correlation with the photon polarisation (in which all the key

information is encoded) and thus does not affect security.

• In the case of Z transmissions, the parties measure individual error rates b1 and b2

between Alice-Bob and Alice-Charlie. As discussed in the introduction these can be

corrected (in the large-key limit) using maxH2(b1), H2(b2) bits of communication

by Alice (note that this is approximately H2(b1) bits if the two error rates b1 and

b2 are roughly equal). We implicitly assume (by deducting these bits from the final

key) that the communication for error correction is encrypted and inaccessible to

Eve. Thus there are no further security implications.


• We note that while the above analysis allows us to quantify the insecurity due to

the unpaired photons, we still have the “completely insecure” incidents of Alice

transmitting multiple pairs, which we treat separately as described in section 4.3.1.

For our use of Lo-Preskill we will consider only the “potentially secure”

(PS) states - those where Alice transmits either 0 or 1 pairs.

4.5 Overall key rate

The above arguments allow us, by defining joint states of Alice’s qubit and her transmit-

ted state ψX/Z or ρX/Z , to obtain a secure key rate RPS = RLP , where RPS is as defined

in (4.10) and RLP as in (4.12). We use RLP as defined for the PS states in terms of the

parameter δXZ , as obtained using (4.16) or (4.23).

We substitute this RPS into (4.10), but note that, as discussed in section 4.3.1, RPS

as used in (4.10) is the secure key rate for PS states in the corrected raw key, for which

we have no bit errors. Hence we substitute δZZ = 0 into (4.4), giving an obtainable overall

rate (as a fraction of the raw key)

R ≥ Ω(1 −H2(δXZ )) − maxH2(b1), H2(b2). (4.25)

In the following sections we will discuss how to obtain the parameters in the above

expression (particularly δXZ ) in terms of the known properties of the experimental state.

4.6 The experimental state

In this section we will obtain a quantitative description of Alice’s experimental transmis-

sions for given basis and bit values.


4.6.1 The transmitted state

Notes on the Poisson distribution

Two important facts which will be used several times.

1. The sum of two independent Poisson distributions

Pλ(N) ∼ λNe−λ

x!(4.26)

of means λ1 and λ2 is a Poisson distribution with mean λ1 + λ2

2. Given a Poisson distribution of events with mean λ, each event being subsequently

and independently assigned into group A with probability pA and group B with

probability pB, groups A and B will follow independent Poisson distributions with

means λpA and λpB respectively.

Alice’s down-conversion crystal produces a Poissonian mixture of photon pairs - that

is, she transmits, at random, a certain number of photon pairs between changes of the

polarisation setting, the number of pairs transmitted being governed by a Poisson dis-

tribution. (We will henceforth denote such a distribution of mean λ by P (λ).) There is

a certain probability for each photon to make it through the Alice’s spatial and wave-

length filters, so that sometimes one or both photons is stopped. The net effect (from

the above) is that Alice transmits a Poisson distribution of pairs with mean µ and an

independent Poisson distribution of “unwanted” unpaired photons with mean cpµ where

cp is a constant. To counteract the leakage of basis information to Eve from these un-

wanted unpaired photons, Alice also adds noise to the channel, in the form of a Poisson

distribution of unpaired photons in state ρmix = (|00〉〈00|+ |11〉〈11|)/2.


4.6.2 The pairs

We assume Alice transmits pairs in either the X or Z basis, with two mutually orthogonal

states in each basis. The four possible transmitted pair states are thus

X : (|00〉 ± |11〉)/√

2 (4.27)

Z : |00〉, |11〉. (4.28)

Alice randomly chooses (with equal probability) a basis and a state and transmits a

certain number of photon pairs in the state, the number following a distribution P (µ).

(We assume that if she transmits 2 or more pairs then the transmission is insecure. We

deal with these states separately using the GLLP method.) Hence PS transmissions

contain either zero or one pairs, in one of the above states, with probabilities (as a

fraction of PS states)

pPS(0) =e−µ

e−µ + µe−µ(4.29)

pPS(1) = 1 − pPS(0) =µe−µ

e−µ + µe−µ. (4.30)

4.6.3 Unpaired photons

There are two sources of unpaired photons in Alice’s transmission. “Unwanted” unpaired

photons arise from PDC-produced pairs in which exactly one of the pair is blocked by

Alice’s filters, as discussed in section 4.2.2. Unpaired photons are also added to the

channel by Alice in the form of uncorrelated noise.

As with the photon pairs, each unpaired photon is directed towards either Bob or

Charlie, but there is no correlation between this spatial information and photon polari-

sation (hence the spatial information does not affect security), thus we shall only consider

the latter in the following analysis. Hence references below to the unpaired photon

states refer to the state of all unpaired photons, whether in Bob or Charlie’s

channel. All such states are uniformly randomly distributed between the two


channels.

The unwanted unpaired photons

If Alice is transmitting in either X state the unpaired photons will be in the state ρmix.

But if she is transmitting in Z then the unpaired photons will be in state |0〉 when the

pairs are in state |00〉 and |1〉 when the pairs are in state |11〉, revealing information about

the pair basis and polarisation to Eve. As discussed above, though the means of the pair

and unwanted unpaired photons are related (since both are proportional to the number

of PDC pairs produced in Alice’s lab) the total number of unwanted unpaired photons

transmitted follows a Poisson distribution independent of the number of transmitted

pairs and of their polarisation state.

We denote the mean total number of unwanted unpaired photons transmitted by

2δ. It follows that |00〉 and |11〉 pair polarisations correspond to a distribution P (2δ)

of unwanted unpaired photons in states |0〉 and |1〉 respectively, while X-basis transmis-

sions have P (2δ) unwanted unpaired photons in state ρmix or, equivalently (following the

Poisson distribution properties in section 4.6.1), P (δ) photons in each of states |0〉 and

|1〉.

Added uncorrelated noise

Alice’s added noise consists of a Poisson distribution of unpaired photons in the state

ρmix. We denote the mean of this distribution by 2(α− δ). Thus Alice equivalently adds

distributions P (α− δ). of photons in each of states state |0〉 and |1〉.

4.6.4 Summary of PS transmissions

Thus the overall state of PS transmissions consists of independent pair and unpaired

photon distributions, where the unpaired photon states are the sum of the unwanted and

noise distributions. These will thus follow Poisson distributions with means equal to the


Alice’s basis Alice’s bit Transmitted pair Mean of |0〉 Mean of |1〉

(if any) distribution distribution

X 0 1√2(|00〉 + |11〉) α α

X 1 1√2(|00〉 − |11〉) α α

Z 0 |00〉 α + δ α− δ

Z 1 |11〉 α− δ α + δ

Table 4.2: Summary of Alice’s transmissions when adding uncorrelated noise.

sum of the means of the unwanted and noise distributions, hence the overall transmitted

PS states are as given in Table 4.2.

4.7 Joint state description for PS states

In this section we will use the above description to construct explicit valid joint states of

Alice’s qubit and transmitted PS states (as required for the arguments in section 4.4.1),

for both the quantum coin and modified fidelity arguments. The inner product (for pure

joint states, using the quantum coin argument) or fidelity (for mixed joint states, using

the modified fidelity argument), determine the parameter ∆ or ∆XF , giving an upper

bound for the key rate parameter δXZ in terms of the measured error rate δXX .

4.7.1 Definition of a valid joint state

By “valid” joint states, we do not necessarily mean the state that Alice actually holds

prior to transmission. For example, as discussed in section 4.1.2, in our prepare-and-

measure scheme Alice does not in fact possess a qubit entangled with her transmission

state, she simply transmits states correlated with her classical bit values in such a way

that her possible measurement outcomes (and those of Bob, Charlie and Eve) are the

same as those that would be obtained if she did have such an entangled qubit. Similarly,


by a “valid” joint state, we mean a joint state compatible with the possible mea-

surement outcomes of Alice, Bob and Charlie from which Eve could always

obtain the experimentally transmitted state.

This condition follows from our merely trying to obtain a lower bound on the achiev-

able secure key rate for our protocol. RPS is a secure key rate for the corrected PS bits

and, if Eve had no knowledge about these bits, we would have RPS = 1. Since to prove

security we must find an upper bound to Eve’s knowledge of the key, if a given RPS can

be obtained for a state from which the experimental state can always be obtained by

Eve, then the same rate can also be obtained for the experimental state.

For example, while, as described in the previous section, Alice’s transmitted PS states

are mixed states of different photon numbers and polarisations, we are free to describe

them as pure states as long as Eve could always obtain the mixed states via e.g. a

non-destructive photon number measurement. We will make use of this argument in the

following section.

4.7.2 Pure state (quantum coin argument)

To use the quantum coin argument from section 4.4.1, we need to construct valid joint

pure states ψX and ψZ for Alice’s transmissions. In this section we construct such states

- note though that these are not provably optimal in terms of the corresponding key rate.

We can without loss of generality describe the joint pure state of Alice’s qubit and

the transmitted states for the two bases as

|ψX〉 = (|+〉 ⊗ |X0〉 + eiθ1 |−〉|X1〉)/√

2 (4.31)

|ψZ〉 = (|0〉 ⊗ |Z0〉 + eiθ2|1〉 ⊗ |Z1〉)/√

2 (4.32)

(where |±〉 = (|0〉±|1〉)/√

2)). In the above, |X0〉 and |X1〉 are Alice’s transmitted states

for the two possible bits, and likewise for the Z basis. The phases θ1 and θ2 are arbitrary.

Since, as discussed in section 4.6, the number distributions of unpaired photons and


photon pairs are independent, we can write the pure states as e.g. |X1〉 = |Xp1 〉|Xs

1〉

where the superscripts denote the photon pair (p) and unpaired photon (s) states. We

further note that the X0 and X1 unpaired photon distributions are independent of the

pair polarisation and symmetric between |0〉 and |1〉 states. The Z0 and Z1 unpaired

photon distributions are related by the transformation Z0 ↔ Z1, |0〉 ↔ |1〉, thus we can

choose purifications such that

|Xs1〉 = |Xs

0〉 ≡ |Xs〉 (4.33)

〈Xs|Zs0〉 = 〈Xs|Zs

1〉 ≡ 〈XsZs〉 . (4.34)

For the pair states, the probabilities of transmitting either 0 pairs or 1 pair are

independent of pair basis and polarisation. In terms of the probabilities in (4.29) and

(4.30) we can express the states as

|Zp0〉 =

√

pPS(0)|00〉 + eiφ1√

1 − pPS(0)|vac〉 (4.35)

|Zp1〉 =

√

pPS(0)|11〉 + eiφ2√

1 − pPS(0)|vac〉 (4.36)

|Xp0 〉 =

√

pPS(0)|+2〉 + eiφ3√

1 − pPS(0)|vac〉 (4.37)

|Xp1 〉 =

√

pPS(0)|−2〉 + eiφ4√

1 − pPS(0)|vac〉 (4.38)

(where |±2〉 = (|00〉 ± |11〉)/√

2).

From (4.31, 4.32), (4.33, 4.34) and (4.35-4.38):

〈ψX |ψZ〉 =1

2√

2

[

p√2(1 + e−iθ1)(1 + eiθ2)

+ (1 − p)(ei(φ3−φ1) + ei(φ4−φ1−θ1) + ei(φ3−φ2+θ2) − ei(φ4−φ2+θ2−θ1))

]

〈XsZs〉 .

(4.39)

Choosing the phases θ1, θ2, φ1, φ3 = 0, and φ4, φ2 = π4

we get

〈ψX |ψZ〉 = 〈XsZs〉 . (4.40)


Purification of the unpaired photon states

We now consider the unpaired photon states |Xs〉 and |Zs0/1〉. Since the transmitted

unpaired photon states are Poissonian mixtures diagonal in polarisation and number

states, we can take the purifications to be coherent superpositions of these states with

all phases equal to 0. That is

|Xs〉 =∞∑

i=0

√

e−2ααM+N

M !N !|0M〉|1N〉 (4.41)

|Zs0〉 =

∞∑

i=0

√

e−2α(α + δ)M(α− δ)N

M !N !|0M〉|1N〉 (4.42)

where e.g. |0M〉 denotes a state with M unpaired photons in state |0〉. This gives us

〈ψX |ψZ〉 = 〈XsZs〉 = 〈Xs|Zs0〉 = e−2α

∞∑

M=0

(α(α + δ))M/2

M !

∞∑

N=0

(α(α− δ))N/2

N !(4.43)

= exp[−2α + (α(α+ δ))1/2 + (α(α− δ))1/2]. (4.44)

We note that the mixed states transmitted by Alice can be obtained from the pure

states given above by Eve making non-destructive photon number measurements on the

pair states, and non-destructive photon-number and polarisation measurements on the

unpaired states. This will not affect Alice, Bob and Charlie’s measurement outcomes.

Thus the pure states are valid joint states according to our earlier definition and we can

use our expression for 〈ψX |ψZ〉 above in the quantum coin argument.

4.7.3 Mixed state (modified fidelity argument)

To establish a key rate using, instead of the quantum coin argument, the fidelity argument

from sections 4.4.1 and 4.4.2, we need to establish, in general, mixed joint states of Alice’s

qubit and transmitted state.

We can of course still use the pure states above, in which case the fidelity between

the states ρX , ρZ is just the inner product 〈ψX |ψZ〉 and one obtains the same key rate as


using the quantum coin argument. However, we may be able to improve upon this rate,

given that the states involved are no longer required to be pure.

Using the fidelity argument as given in sections 4.4.1 and 4.4.2 we consider the states

ρX and ρZ . Given that the transmitted state consists of either one or zero photon pairs,

we will consider these two (orthogonal) subspaces separately, where

ρ′X = pPS(0)ρ′X(1) + (1 − pPS(0))ρ′X(0) (4.45)

ρ′Z = pPS(0)ρ′Z(1) + (1 − pPS(0))ρ′X(0). (4.46)

Note that as with the quantum-coin argument, we are free to consider states which

are experimentally in an incoherent mixture as being in a coherent superposition, as long

as Eve could obtain the incoherent mixture without affecting Alice and Bob-Charlie’s

measurement results.

Zero pairs

In the case of zero pairs, the transmitted states consist solely of unpaired photons. We

shall denote the unpaired photon states as ρZ0s and ρZ1s (for unpaired states correspond-

ing to Alice’s qubit states in the Z basis) and ρXs

(for unpaired states in the X basis,

which are independent of Alice’s qubit). Thus we have zero-pair states

ρX(0) = (|+〉〈+|+ |−〉〈−|)A ⊗ ρXs

/2 (4.47)

ρZ(0) = (|0〉〈0|A ⊗ ρZ0s + |1〉〈1|A ⊗ ρZ1s)/2. (4.48)

However we can also adopt the method of section 4.4.2, considering a pre-measurement

in the X basis by Alice. In this case ρ′X(0) = ρX(0) but

ρZ(0) = [(|+〉〈+| + |−〉〈−| + |+〉〈−| + |−〉〈+|)A ⊗ ρZ0s

+ [(|+〉〈+| + |−〉〈−| − |+〉〈−| − |−〉〈+|)A ⊗ ρZ1s ]/4

= [(|+〉〈+| + |−〉〈−|)A ⊗ (ρZ0s + ρZ1s) + (|+〉〈−| + |−〉〈+|) ⊗ (ρZ0s − ρZ1s)]/4

(4.49)


thus

ρ′Z(0) =(|+〉〈+| + |−〉〈−|)A

2⊗ (ρZ0s + ρZ1s)

2(4.50)

and

F (ρ′Z(0), ρ′X(0)) = F (ρXs

, [ρZ0s + ρZ1s ]/2). (4.51)

The above expression is larger than that for F (ρX(0), ρZ(0)), indicating that it is advan-

tageous to consider Alice’s pre-measurement.

As discussed in section 4.6.4, the unpaired states are just diagonal Poissonian mixtures

in the basis of |0〉 and |1〉 Fock states. For the unpaired photon states, the probabilities

of transmitting M photons in state |0〉 and N in state |1〉 are as follows:

PX(M,N) =αMe−α

M !

αNe−α

N !(4.52)

PZ0(M,N) =(α + δ)Me−α

M !

(α− δ)Ne−α

N !(4.53)

PZ1(M,N) =(α− δ)Me−α

M !

(α+ δ)Ne−α

N !(4.54)

thus we have

F (ρ′Z(0), ρ′X(0)) =∞∑

M=0

∞∑

N=0

√

PX(M,N)[PZ0(M,N) + PZ1(M,N)]

2(4.55)

=e−2α

√2

∞∑

M=0

∞∑

N=0

αM+N

2

M !N ![(α− δ)M(α + δ)N + (α + δ)M(α− δ)N ]

12 .

(4.56)

This needs to be evaluated numerically; by summing the terms in (4.56) up to some finite

limit (e.g. M,N ≤ 2α) we obtain a lower bound on F and hence on the key rate.

One pair

We choose the one pair states to simply be the one-pair portions of the pure states

used in section 4.7.2, appropriately normalised, that is ρZ(1) = |ψZ(1)〉〈ψZ(1)|, ρX(1) =


|ψX(1)〉〈ψX(1)| where

|ψX(1)〉 = [|+〉A|+2〉 + |−〉A|−2〉] ⊗ |Xs〉/√

2 (4.57)

|ψZ(1)〉 = [|0〉A|00〉 ⊗ |Zs0〉 + |1〉A|11〉 ⊗ |Zs

1〉]/√

2 (4.58)

(using the pure unpaired photon states from section 4.7.2) from which we find

F (ρ′Z(1), ρ′X(1)) = 〈ψX(1)|ψZ(1)〉 = 〈XsZs〉 . (4.59)

Thus overall, for our chosen states, we have that

F (ρ′Z , ρ′X) =pPS(0) × e−2α

√2

∞∑

M=0

∞∑

N=0

αM+N

2

M !N ![(α− δ)M(α + δ)N + (α + δ)M(α− δ)N ]

12

+ (1 − pPS(0)) × exp(−2α + (α(α + δ))1/2 + (α(α− δ))1/2). (4.60)

We can use the above relations to derive explicit lower bounds for the key rate R, as

discussed below. Note that, as with the pure states in section 4.7.2, we have not proven

that these are the optimum valid states to use.

4.8 Key rate in terms of experimental quantities

In this section we describe how to determine the achievable key rate in terms of measured

experimental quantities.

Combining (4.16), (4.40) and (4.44) (quantum coin argument) or (4.23) and (4.60)

(modified fidelity argument) gives us the relation between δXX and δXZ for the PS states,

in terms of unpaired photon parameters α and δ and pair parameter µ, all measurable

in Alice’s lab.

From the experimental data, we measure directly the bit error rates b1 and b2 from

ZZI and ZIZ measurements by Alice, Bob and Charlie (that is, where Alice-Bob and/or

Alice-Charlie are both measuring in Z). We also measure the error rate b0 of errors in

XXX measurements and the channel transmissivity Q (the fraction of transmissions


which result in a pair being detected). Finally of course we obtain raw key bits from

ZZZ measurements.

We denote the mean number of down-conversion pairs transmitted by Alice as µ.

Then, the fraction of multiple-pair transmissions is

Θ = 1 − e−µ − µe−µ (4.61)

with a fraction 1 − Θ of the transmissions being PS.

A fraction Q of transmissions result in a pair detection. We pessimistically assume

all multiple-pair transmissions are detected. Thus detected PS states comprise a fraction

Q′ of all transmissions, Ω of all detections, and QPS of all PS transmissions, where

Q′ = Q− Θ (4.62)

Ω =Q′

Q= 1 − Θ

Q(4.63)

QPS =Q′

1 − Θ=

ΘΩ

(1 − Θ)(1 − Ω)(4.64)

We pessimistically assume all errors occur on these transmissions. Thus we must

sacrifice maxH2(b1), H2(b2) key bits to correct the bit errors, and the PS transmissions

have an error rate of

δXX =b0Ω. (4.65)

Using the arguments of sections 4.4.1 and 4.4.2, we calculate the parameter ∆′ or

∆X ′F for our transmitted PS states, depending on whether we use the quantum coin or

modified fidelity arguments. Using this parameter we obtain an value for δXZ .

It follows from the argument of [1] that a fraction H2(δXZ ) (where δXZ satisfies (4.16)

or (4.23) depending on the argument used) of the key bits received from PS states must

be sacrificed in privacy amplification.

Hence the overall key rate is as given in (4.25) and can be expressed, using the

expressions of the previous sections, in terms of the experimental quantities b0, b1, b2,

Q, µ, α and δ (representing the measured error rates, channel transmissivity, pair and


Quantity Symbol Value/Notes

Mean number of pairs per transmission µ Set by us

Number of unwanted unpaired photons per channel Su ≈ 18µ

(proportional to mean pairs µ)

Noise added per channel Sn Set by us

Detection probability for a pair T ≈ 0.2

Detection probability for an unpaired photon√T ≈

√0.2

Coincidence windows per transmission period NW ≈ 2 × 107

Dark count photons detected per channel (Bob or Charlie) Sd ×√T ≈ 28

per transmission

Phase error rate without adding noise praw ≈ 0.1

Bit error rate per channel without adding noise braw ≈ 0.016

Table 4.3: Experimental parameters used in calculating the optimal key rate.

unpaired photon intensities respectively). Rewriting R solely in terms of these quantities

results in a very cumbersome expression so we do not do so here.

4.9 Optimisation of experimental settings

In the above description, the two variables we are free to alter are the mean number of

pairs we produce µ and the amount of noise 2(α − δ) we add. We would therefore like

to optimise the key rate over different values of these and hence need to estimate the

resultant channel transmissivities, error rates etc. These depend on various experimental

parameters, as given in table 4.3.

Note that, in terms of our parameters α and δ for the unpaired photon distributions


given in section 4.6.4, we have

Su = δ (4.66)

Sn = α− δ (4.67)

We have two settings that can be independently controlled in the experiment - the

mean number of pairs µ in Alice’s transmission and the mean number of unpaired photons

2(α − δ) in the noise she deliberately adds. Higher µ increases Bob and Charlie’s rate

of receiving pairs, but also increases the fraction of multiple-pair transmissions. More

noise decreases the information Eve can get from looking at the unpaired photons, but

increases the bit and phase error rates in the pairs (as described below). We want to

find the global maximum in these two variables and use that for our settings. Note

that since the actual quantities we are simulating will be measured in the

course of the experiment, our goal is not to find pessimistic bounds for these

quantities, just accurate estimates.

4.9.1 Coincidences caused by unpaired photons

If Bob and Charlie’s channels contain, respectively, NB and NC unpaired photons, each

of which has an independent and equal probability of arriving at the detector within any

of the NW coincidence “windows”, the probability of a coincidence detection pc satisfies

pc ≈NBNC

NW. (4.68)

The total unpaired photons in each channel is approximately Su + Sn + Sd. Thus the

fraction of detected pairs due to false coincidences (i.e. coincidences caused by unpaired

photons) is

pfc ≈(Su + Sn + Sd)

2/NW

(Su + Sn + Sd)2/NW + µ(4.69)

and the probability per transmission of a “dark count” (a detection not caused by trans-

mitted pairs) is

pd ≈T (Su + Sn + Sd)

2

NW. (4.70)


4.9.2 The transmissivity Q of the channel

Q is defined as the fraction of transmission events which result in a pair detection. A

reasonable detector model gives each pair an independent detection probability T . Hence

the probability of getting at least one detection from N pairs is

DN = (1 − (1 − T )N) + pd − pd(1 − (1 − T )N) (4.71)

for an overall pair detection rate

Q =

∞∑

N=0

DNµNe−µ

N != 1 − (1 − pd)e

−µ∞∑

N=0

(µ(1 − T ))N

N != 1 − (1 − pd)e

−µT , (4.72)

thus

Ω = 1 − 1 − e−µ − µe−µ

1 − (1 − pd)e−µT. (4.73)

4.9.3 Bit and phase errors

We will assume transmitted pairs which are degraded by the channel have bit and phase

error rates of braw and praw respectively. However, pairs produced by false coincidences

will be in the state ρmix and hence have bit and phase error rates of 50%. Hence, for the

overall bit and phase error rates of detected pairs, we have

b1 ≈ b2 ≈ (1 − pfc)braw + 0.5pfc (4.74)

b0 ≈ (1 − pfc)praw + 0.5pfc. (4.75)

4.9.4 Key generation frequency

Our key rate expression R, as given in (4.25), is the secure key rate as a fraction of the

raw key bits. However, in optimising our key generation for practical purposes, we would

like to optimise the secure key rate per unit time, which is simply equal to QR.

Note that since Q is a function of µ this is not equivalent to optimising R - while the

rate of Alice’s transmission events is limited by how rapidly she can change her trans-

mission basis (in practical terms, the speed at which the setting of the LCD waveplates


can be changed) and no more than one raw key bit can be received per transmission, the

likelihood of receiving such a bit depends on µ.

Thus the rate we wish to optimise (as a fraction of ZZZ transmission events) is

Rt = max[Q(Ω(1 −H2(δXZ )) −H2(b1)), 0] (4.76)

(we assume Bob and Charlie’s channels have roughly identical bit error rates, hence the

simplified error correction term). Using the expressions in the above sections for Q, Ω,

δXZ and b1 we express the above rate in terms of NW , Su, Sn, Sd, T , µ, praw and braw,

then optimise with respect to µ and Sn.

4.9.5 Optimisation results

As shown in Figures 4.4 and 4.5 we find that the optimal simulated key rate, given our

parameters in Table 4.4, corresponds to Rexp ≈ 4.5 × 10−4 secure bits per transmission,

at µ ≈ 0.02, Sn ≈ 50, using the “modified fidelity” argument. We have not been able to

obtain positive key rate using the quantum coin or fidelity arguments (note that we have

not proven that this cannot be done by a suitable choice of purification).

Due to unexpected delays in the data-readout electronics, the experimental setup

can achieve approximately 1 transmission per second, while roughly 1 transmission every

10ms ought to be possible. Even assuming the faster figure, and assuming all 3 parties

use the Z basis 100% of the time (this is not the case in practice, but the fraction of

X basis events can be made arbitrarily small in the limit of many transmissions), this

gives a secure key rate of roughly 4.5 × 10−2 bits per second. We also note that our

assumptions of efficient error estimation and correction are only exact in the limit of a

large key and the key rate will consequently be reduced for keys of finite length.

The experimental settings and derived quantities for this key rate are given in Table

4.4.


Figure 4.4: Key generation frequency Rt as a function of added noise Sn, for µ = 0.02.

Optimising over both Sn and µ we find the optimal rate at µ ≈ 0.02, Sn ≈ 50.


Figure 4.5: Key generation frequency Rt as a function of mean pairs µ and added noise

Sn. The apparently lower peak compared to Figure 4.4 is due to the limited resolution

of the plot


Quantity Description Value

µ Mean number of pairs/transmission 0.02

Sn Added noise per channel (photons/transmission) 50

Ω Fraction of detections which are PS 0.95

∆X ′F Measure of leaked basis information 0.018

δXX ”Phase error rate” for PS detections 0.18

b1 Bit error rate on detections 0.031

pfc Fraction of detections due to false coincidences 0.031

H2(δXX ) PS key bits lost in privacy amplification 0.68

H2(b1) Key bits lost in error correction 0.20

Table 4.4: Individual parameters for the optimal key rate of ≈ 4.5× 10−4 secure bits per

measurement setting.

4.10 Discussion

While the dependence of the key rate on the various experimental factors is not always

straightforward, we can discuss the cause of this low rate in a semi-quantitative fashion.

Because of the very low µ the probability of multiple pairs is very low and 95%

of our transmitted states are PS. Given this low transmission rate, the largest single

further cause of the low key rate is the large praw - the error rate on XXX measurements,

exacerbated by the low detection efficiency for pairs. Both of these are directly related

to the use of entangled states for key distribution - it is difficult to get precisely the

desired states from the filtered down-conversion source, and requiring coincident photon

pairs as our detection events means our efficiency scales as the square of the individual

photodetector efficiencies. This inefficiency (as well as directly linearly decreasing our

overall key rate) increases the assumed fraction of insecure states as we need to allow for

Eve performing number-splitting attacks, and hence the privacy amplification required

increases. More restrictive filtering of the down-conversion source could reduce the phase


error rate but at the cost of increasing the relative number of unwanted unpaired photons

and thus the leaked basis information.

The effect of the leaked basis information is quantified by the quantity δXZ , as defined

in this case by (4.23). When we are close to basis-independence (small ∆XF ), we have

δXZ ≈ δXX + 4∆X ′F + 4

√

∆X ′F δ

XX . Thus we have a phase error rate of ≈ 10% and a small

∆X ′F ≈ 2% giving an effective phase error rate ≈ 10% + 4 × 2% = 18% which results in

68% of the PS key bits being lost in privacy amplification, with roughly 20/0.95 = 21%

being lost in bit error correction. Hence the final key is only around 10% of the raw key

bits. We note that despite the fidelity of our transmitted ρ′X and ρ′Z being greater than

99%, the leaked basis information still equates to a significantly larger effective phase

error rate than the raw rate.

While overall our expression for F (ρ′Z , ρ′X) needs to be evaluated numerically, its

contribution from one-pair states scales approximately as 1 − δ2

2α. Thus the one-pair

states’ contribution of leaked basis information to the effective phase error rate scales

roughly as the square of the unwanted photon number over the added noise. However,

the increase in false coincidence probability pfc and hence in the bit and effective phase

error rates scales roughly as the square of of the added noise. Hence the optimum error

reduction by adding uncorrelated noise is achieved at relatively low values of µ and Sn,

in which regime the dark count contribution to false coincidences is significant relative

to that of the added noise. The dark count contribution likewise prevents a positive key

rate being obtained in the limit of small µ.

4.10.1 Anticorrelated noise

We can readily adapt our analysis to the case of anticorrelated noise. In this case we do

not reduce Eve’s information by adding as much noise as possible, but by matching the

noise intensity to that of the unwanted unpaired photons so the overall unpaired photon

distribution does not change with our basis or bit value.


As before we will define α as the mean number of |0〉 and |1〉 unpaired photons (so

a mean of 2α in total) transmitted in the X basis. In the Z basis we assume as before

when Alice is transmitting |00〉 that she sends a mean of α + δ photons in state |0〉 and

α − δ in state |1〉, vice versa for |11〉 transmissions. It follows that, for anticorrelated

photons,

Su = (α− δ)/2 (4.77)

Su(1 + ǫ) = (α + δ)/2 = Sn. (4.78)

where ǫ is our fractional error in matching the mean of the unwanted photons with

anticorrelated noise.

We find that, for example, ǫ = 0.1 corresponds to an optimum key rate of ≈ 1.2×10−3

secure bits per transmission at an optimal µ ≈ 0.05.

4.10.2 No unpaired photons

In the event that we did not have the issue of unwanted unpaired photons (so we would

not be adding noise, merely reducing our source intensity to allow for PNS attacks), we

find an optimum simulated key rate of ≈ 4.2 × 10−3 secure bits per transmission, at an

optimal µ ≈ 0.12.

4.10.3 Potential improvements in security proof

We note that, at present, our calculated achievable key rate is only secure against

individual attacks. This is because we have only obtained positive key rate for the

given parameters when using the fidelity argument, which has only been proven secure

against such attacks, and likewise for our use of the GLLP model in section 4.3.1 given

that our system does not consist of qubits. However, as noted in [1], a possible solution for

the limitations of the fidelity argument would be to use the quantum de Finetti theorem

[124, 125, 126] to show that the full space of transmissions (which Eve can entangle with


each other) can be approximated by product states, for which a security proof against

individual attacks is sufficient. Lo and Preskill also note the difficulty with this, in that

such an approximation is only valid in the case of finite-dimensional states, which those

in our implementation are not.

However, recent work by Beaudry, Moroder and Lutkenhaus [127] has shown that a

“squashing model”, in which a party applying a POVM to a received infinite-dimensional

state in a transmission can be equivalently represented by the transmitted state being

“squashed” down to a qubit by an operation of Eve’s, can be applied to optical implemen-

tations of BB84 and many similar protocols. This reduces the parties’ joint state before

measurement to a finite-dimensional system and would allow the quantum de Finetti

theorem to be applied. We conjecture that such a model could be applied in our case,

which would in addition allow us to use the GLLP argument in the case of collective

attacks.

We also note that, as our purifications in section 4.7.2 have not be proven optimal, it

may be possible to find purifications to give a non-zero key rate using the quantum coin

argument, which also proves security against collective attacks. In any case, a desirable

development would be to find optimal pure and mixed states for the quantum coin and

fidelity arguments.

In general, of course, many different security proofs can be considered for a given

physical implementation and there is no reason to assume that our approach here is

optimal.

4.11 Conclusions

We have described the implementation of a three-party GHZ-based QKD protocol using

parametric down-conversion and linear optics components and derived a security proof

and secure key rate expression for this implementation, taking into account the ways in


Alice

Bob

Charlie

QKD, Key AB

QKD, Key AC

Classical, AB⊕BC

Figure 4.6: 3-way QKD using 2-party protocols. Alice generates separate keys AB and

AC with Bob and Charlie then encrypts key AB with key AC for classical communication

to Charlie. with key

which it differs from an idealised case.

We note that a simpler way of performing such a three-way QKD would be as shown

in Figure 4.6, where Alice performs separate QKD protocols with Bob and Charlie to

generate separate shared keys AB and AC. She then e.g. classically communicates

the key AB to Charlie by encrypting it with the key AC as a one-time-pad, leaving all

three parties with the shared secure key AB. (In fact, such a protocol would be more

symmetric than the above description implies - having generated AB and AC, Alice

simply broadcasts AB ⊕ AC, allowing both Bob and Charlie to obtain both keys AB

and AC, one of which (the choice is arbitrary, though only one can be used) can then be

used as a shared secure key).

The key generation rate for such protocol would thus then simply be the lower of the

two two-way QKD protocols, which can be achieved at much higher rates over much larger

distances than our protocol. For example BB84 using decoy states has been implemented

over a 144km free-space link at a rate of 12.8 bits/s [128] and over a 97km fibre at 0.82

kbits/s [129].

It is possible that the use of entangled states in key distribution provides some ad-

vantage in multi-party QKD protocols in the case of e.g. some subset of the parties being

untrusted, but our work does not investigate or show any such advantage. Thus as a


practical means of achieving three-party secure key distribution our GHZ-based QKD

seems significantly outperformed by existing methods.

We note that our implementation is more a demonstration of the concept than an

attempt to achieve high speeds, and that GHZ-based QKD may be achievable at rates

comparable to those of two-way entanglement-based schemes. By the latter, we mean, in

general, two-party schemes which employ an untrusted source of entangled photon pairs,

distributing them to Alice and Bob who extract secure key using measurement, error

correction and privacy amplification. In general this can be done with any EDP-based

QKD scheme such as BB84 or B92 - use of an additional source simply omits the com-

mon prepare-and-measure element in which Alice is assumed to measure her photon then

transmit its partner to Bob, resulting in no need for entanglement in experimental im-

plementation. Entanglement-based QKD has, for example, recently been demonstrated

at 0.57 bps over a 100km fibre link (50km from the source to each of the two receivers)

[130].

The main practical difference between a 3-party prepare-and-measure GHZ-based

QKD and the above schemes is the need for the distributing party (Alice) to adjust

the polarisation of the distributed photons, which imposes an additional limit on the

transmission rate, since in a two-party EDP the parties’ selection of measurement basis

can be done passively without any need for such switching. However, higher polarisation-

switching rates than ours could, for example, be achieved using Pockels cells rather than

liquid crystal waveplates.

Depending on the implementation, the issue of additional pairs and/or unpaired pho-

tons could still arise, but these could be more efficiently dealt with than in our imple-

mentation by using anticorrelated noise and decoy states.

Nonetheless approaches of this kind are still more challenging to implement than

multiple bipartite links, so it is not clear whether there is any advantage to performing

conference key agreement using multipartite entanglement rather than multiple bipartite


communications. Arguably, one might expect there to be an advantage in the use of

multipartite entanglement for multipartite QKD, since it is in a sense more parsimonious

(e.g. a GHZ state has a lower relative entropy than two EPR pairs), but we have not

demonstrated that this equates to a practical improvement.

We have, however, demonstrated both theoretical and practical means of dealing

with the security issues raised by key distribution via entangled states, in particular the

leaking of basis information via unwanted additional pairs and unpaired photons. We

have shown that direct countermeasures in the form of added noise can be implemented to

successfully obtain a positive key rate, and that proving the security of such a setup can

be achieved by adapting existing results for the two-party case. Notably, the Lo-Preskill

analysis was originally applied to QKD via coherent states for which phase randomisation

could not be assumed, we have adapted it to the basis information leakage caused by our

unpaired photons which effectively equates to a classical side channel of basis information,

which one can envision arising in many other experimental situations involving imperfect

equipment.

Chapter 5

Conclusions

We have demonstrated various results related to quantum entanglement in the resource

model, both in terms of the theoretical description of entangled states and the practical

application of such states to quantum key distribution. With regard to the former, our

lower bound for the classical communication cost of bipartite pure-state entanglement

dilution provides a fuller picture of the already well-understood conversions between pure

bipartite states, demonstrating that, while (as previously shown) the classical communi-

cation cost of such conversions is negligible when amortised in the many-copy limit, it is

nonetheless non-zero and should be considered in the full resource model picture.

Our results concerning “random distillation” demonstrate a qualitatively new phe-

nomenon which occurs when considering entanglement manipulation in the multiparty

case. The result is that the entanglement (and, more generally, the states) obtainable

through LOCC between subsets of parties sharing a given quantum state depends not

only on the parties chosen (trivially clear in the case of asymmetric states) but on whether

those parties are pre- or post-selected. This clearly has no bipartite analogue, since only

in the multiparty case can we consider entanglement between subsets of parties. We see

that, to some degree, concepts in the resource model of bipartite entanglement can be

usefully applied to multipartite states (as had already been demonstrated in the “entan-

156

Chapter 5. Conclusions 157

glement of assistance”). Certainly considering such measures gives a useful operational

interpretation of multipartite states - we can find “lower bounds” to their use in bipartite

applications such as teleportation or QKD, and the concept of random distillation shows

that one should be careful about definitions when doing so.

However, while the ability to perform random distillation is of interest in the quantum-

mechanical resource model, a telling part of the random distillation work is the distinction

between Et and Ernd in terms of defining “true” random distillation. That is, multipartite

measures based on summing bipartite entanglement do not distinguish between a true

multiparty entangled state and a collection of separate bipartite entanglements between

different parties (hence Et > Esp can be trivially satisfied), while a qualitative difference

can be defined by the condition Ernd > Esp. And, as noted in Chapter 3, Ernd gives a

limited operational description of multipartite states, even in terms of bipartite measures,

a full description of which would require a space of “vectors” of mutually achievable

entanglements between given pairs of parties. This highlights qualitative differences

between bipartite and multipartite entanglement and the limitations of a reductionist

approach - we note that characterising multipartite entanglement is a well-known hard

problem in quantum information theory, and hope that our work in random distillation

has shed some light on this important subject.

Our GHZ-based QKD work is an example of an application of an “effective” mul-

tipartite entangled state (assumed in the security proof for the idealised case if not

actually required in the prepare-and-measure implementation), and demonstrates the

much-increased difficulty in trying to implement practical protocols using such states as

opposed to their bipartite counterparts. As noted in Chapter 4, performing a QKD using

multiple entangled receivers both introduced problems (information leakage via unpaired

photons) and allowed for solutions (added noise) which would not occur in the bipartite

case. We also demonstrated that such protocols were amenable to security analysis using

existing two-party results, since multiple receivers could be regarded as a single receiver


with a limited class of operations.

All these topics have potential for further work, as noted in their respective chapters.

In the case of classical communication cost a desirable goal would be to find a provably

optimal (in terms of both efficiency and classical communication cost) protocol for general

bipartite conversions. A simpler goal would be to improve our bound in the general

pure-state case. There is some potential for extending the work to mixed states - as

previously noted, an equivalence of entanglement of formation and entanglement cost for

certain mixed states would imply an efficient (in terms of entanglement lost) protocol

for dilution to those states, and the communication cost of such a protocol could be

bounded using pure-state results. Another possible extension of the work would be its

generalisation to the more general description of entanglement dilution in terms of the

“coherent communication” resource model of quantum operations introduced by Harrow

[21, 22] and discussed briefly in section 1.1.4, if one were to take into account sublinear

resources in such a model.

The classical communication cost of entanglement conversions in the multiparty case

could also be considered. While the usual caveats apply (entanglement as a less well-

defined quantity in the multiparty case, few provably-efficient protocols), certainly the

simplest protocols for creating multiparty states (multiple parties teleporting portions

of the state using EPR pairs) do require classical communication, so lower-bounding

the communication costs of such conversions is an interesting and largely open problem.

Additionally, of course, quantifying the communication involved involves specifying the

parties between which it occurs.

For random distillation, there are many ways in which the work can be generalised -

considering mixed states, relating the random distillation properties to other monotones,

considering more general subsets of parties, deriving analogous results for the distillation

of secure classical correlations (from either classical or quantum states) and considering a

more complete “vector” description of the entanglement obtainable between the various


parties sharing a multipartite state. For the latter, focusing on bipartite output states

seems to have the most potential given how much better-understood entanglement is in

the bipartite case - relating the results to existing monotones seems the most promising

way to be able to bound what can be achieved for broad classes of states as opposed to

individual examples.

While we have demonstrated that the advantage gained from post-selecting parties

in terms of the bipartite entanglement obtained (characterised by Ernd) vanishes in the

many-copy limit, we have not shown any analogous result for the bipartite entanglement

summed over all pairs of parties Et. As noted earlier, Et was not always an appropri-

ate measure for the phenomena we wished to demonstrate (given that Et > Esp could

be trivially demonstrated), but it is interesting that our conjecture E∞t (W ) = 1 does

not appear simple to prove, despite being trivially clear in the single-copy case, and it

would be worth attempting further to prove this. Et is clearly related to measures of

entanglement for the overall state (as opposed to bipartite subsets) such as the relative

entropy, so finding a method to prove the conjecture might lead to a useful new measure.

Conversely, proving the conjecture false would demonstrate a surprising result for the

properties of multipartite states in the many-copy case.

Finally, it is worth considering the classical communication resources required for the

W protocol, in which, despite the initial and final states only involving a small number

of qubits, the number of rounds and hence the amount of classical communication used

in performing the protocol become very large as the probability of success tends to 1.

This raises the question of whether such communication resources are strictly necessary

or whether a more efficient version of the protocol can be found.

For the GHZ experiment, the first priority is of course to obtain data for our experi-

ment, which will hopefully confirm the estimated quantities in our analysis and thus that

we can obtain secure key from our particular setup. An obvious extension of the existing

theoretical work is to demonstrate the conjectured compatibility of our protocol with a


squashing model, and consequently to extend our security proof to cover collective attacks

by Eve. As discussed earlier, two practical changes which could substantially increase

the key rate for our experiment would be the use of decoy states and of anticorrelated as

opposed to uncorrelated added noise. The experimental setup could also be potentially

used for other GHZ-based protocols such as quantum sharing of classical secrets.

More generally, as noted earlier, many different implementations of entanglement-

based QKD exist, and could be potentially be adapted to conference-key agreement

implementations, potentially achieving improved key rates to which much of our existing

analysis could be applicable.

Overall then, we have, we believe, added to the understanding of the properties of

entangled states, in both abstract and more practically-focused cases, with particular

consideration of the less well-understood multipartite case. Given the importance of

entanglement to many aspects of quantum information, achieving a fuller understanding

of its properties will likely continue to be an important element of the study of quantum-

mechanical systems and their applications.

Appendix A

Proofs of Lemmas, Chapter 2

A.1 Proof of Lemma 1

ln

(N

k

)

= ln(N !) − ln((N − k)!) − ln(k!) (A.1)

= N lnN −N − (N − k) ln(N − k) − (N − k) − k ln k − k ± O(logN) (A.2)

= N

(

lnN − N − k

Nln(N − k) − k

Nln k

)

± O(logN) (A.3)

= −N ln 2 ×(

−N − k

Nlog2

(N − k

N

)

− k

Nlog2

(k

N

))

±O(logN) (A.4)

= −N ln 2 ×H2

(k

N

)

±O(logN) (A.5)

A.2 Proof of Lemma 2

We note the derivative

dH2(x)

dx= − log2 x+ log2(1 − x), hence

dx

dH2(x)=

1

− log2 x+ log2(1 − x)

161

Appendix A. Proofs of Lemmas, Chapter 2 162

and defining Hk ≡ H2(k/N) we find

d(k/N)

dHk=

1

N

dk

dHk(A.6)

=1

log2

(N−kk

) (A.7)

Hence near the point Hk = E(ψ), k = Np we have, Taylor-expanding in Hk about this

point,

dk

dHk

|k=Np = N log2

(p

q

)

(A.8)

k = Np +N log2

(p

q

)

(Hk −E(ψ)) +O(Hk − E(ψ))2 (A.9)

Since Hk − E(ψ) is O(

1√N

)

for the range

E(ψ) − γ/√N ± O

(logN

N

)

≤ Hk ≤ E(ψ) + γ/√N ± O

(logN

N

)

. (A.10)

we have, for this range

Np− γ√N

log2(q/p)± O (logN) ≤ k ≤ Np+

γ√N

log2(q/p)± O (logN) . (A.11)

Appendix B

The Innsbruck ion trap state ρIW

In computational basis notation, state “DDD” represents state |000〉, state “DDS” rep-

resents state |001〉 etc.

(Table reproduced from “Control and Measurement of Three-Qubit Entangled States”,

C. F. Roos, M. Riebe, H. Haffner, W. Hansel, J. Banhelm, G. P. T. Lancaster, C. Becher,

F. Schmidt-Kaler and R. Blatt. Science Vol. 304 no. 5676 pp 1478-1480 (2004), Online

supplementary material. Reproduced with permission from AAAS [104]).

DDD DDS DSD DSS SDD SDS SSD SSS

DDD 0.03 -0.03-0.01i -0.01 0.02-0.02i -0.01-0.01i 0.01-0.01i 0.01 0

DDS -0.03+0.01i 0.33 0.29+0.07i -0.02+0.02i 0.27+0.03i -0.01-0.01i -0.01+0.01i -0.01-0.03i

DSD -0.01 0.29-0.07i 0.31 0.01i 0.25-0.05i 0.01i -0.03-0.01i -0.02i

DSS 0.02+0.02i -0.02-0.02i -0.01i 0.03 -0.02i 0.01+0.01i 0 0

SDD -0.01+0.01i 0.27-0.03i 0.25+0.05i 0.02i 0.23 -0.01 -0.01 -0.01-0.02i

SDS 0.01+0.01i -0.01+0.01i -0.01i 0.01-0.01i -0.01 0.02 -0.01+0.01i 0.01-0.01i

SSD 0.01 -0.01-0.01i -0.03+0.01i 0 -0.01 -0.01-0.01i 0.03 -0.02

SSS 0 -0.01+0.03i 0.02i 0 -0.01+0.02i 0.01+0.01i -0.02 0.02

163

Bibliography

[1] H.-K. Lo and J. Preskill, Quant. Inf. Comput. 8, 431 (2007).

[2] M. Plenio and S. Virmani, Quant. Inf. Comput. 7, 1 (2007).

[3] R. Horodecki, P. Horodecki, M. Horodecki, and K. Horodecki, arXiv:quant-

ph/0702225 (2007).

[4] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information

(Cambridge University Press, Cambridge, 2000).

[5] A. Einstein, B. Podolsky, and N. Rosen, Phys. Rev. 47, 777 (1935).

[6] J. S. Bell, Physics 1, 777 (1935).

[7] S. J. Freedman and J. F. Clauser, Phys. Rev. Lett. 28, 938 (1972).

[8] A. Aspect, P. Grangier, and G. Roger, Phys. Rev. Lett. 47, 460 (1981).

[9] W. Tittel, J. Brendel, B. Gisin, T. Herzog, H. Zbinden, and N. Gisin, Phys. Rev.

A 57, 3229 (1998).

[10] G. Weihs, T. Jennewein, C. Simon, H. Weinfurter, and A. Zeilinger, Phys. Rev.

Lett. 81, 5039 (1998).

[11] C. Shannon, Bell Sys. Tech. J. 27, 379, 623 (1948).

[12] W. K. Wootters and W. H. Zurek, Nature 299, 802 (1982).

164

Bibliography 165

[13] D. Dieks, Phys. Lett. A 92, 271 (1982).

[14] C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and W. K. Wootters, Phys. Rev.

A 54, 3824 (1996).

[15] S. Lloyd, Phys. Rev. A 55, 1613 (1997).

[16] P. W. Shor, The quantum channel capacity and coherent information, Lecture

notes, MSRI workshop on quantum computation, 2002.

[17] I. Devetak, IEEE Trans. Inf. Th. 51, 44 (2005).

[18] C. H. Bennett, G. Brassard, C. Crepeau, R. Jozsa, A. Peres, and W. K. Wootters,

Phys. Rev. Lett. 70, 1895 (1993).

[19] C. H. Bennett and S. J. Wiesner, Phys. Rev. Lett. 69, 2881 (1992).

[20] A. Holevo, Information Theory, IEEE Transactions on 44, 269 (1998).

[21] A. Harrow, Phys. Rev. Lett. 92, 097902 (2004).

[22] A. W. Harrow, Ph.D. thesis, Massachusetts Institute of Technology, 2005.

[23] I. Devetak, A. W. Harrow, and A. Winter, Phys. Rev. Lett. 93, 230504 (2004).

[24] A. Abeyesinghe, I. Devetak, P. Hayden, and A. Winter, arXiv:quant-ph/0606225

(2006).

[25] L. Masanes, Physical Review Letters 96, 150501 (2006).

[26] C. H. Bennett, H. J. Bernstein, S. Popescu, and B. Schumacher, Phys. Rev. A 53,

2046 (1996).

[27] M. Horodecki, P. Horodecki, and R. Horodecki, Phys. Rev. Lett. 80, 5239 (1998).

[28] H. Barnum, E. Knill, and M. Nielsen, IEEE Trans. Inf. Th. 46, 1317 (2000).

Bibliography 166

[29] G. Vidal, J. Mod. Opt. 47, 355 (2000).

[30] P. M. Hayden, M. Horodecki, and B. M. Terhal, J. Phys. A 34, 6891 (2001).

[31] P. W. Shor, Commun. Math. Phys 246, 453 (2004).

[32] M. B. Hastings, arXiv:0809.3972v3 (2008).

[33] W. K. Wootters, Phys. Rev. Lett. 80, 2245 (1998).

[34] W. Dur, G. Vidal, and J. I. Cirac, Phys. Rev. A 62, 062314 (2000).

[35] D. M. Greenberger, M. Horne, and A. Zeilinger, in Bell’s Theorem, Quantum The-

ory and Conceptions of the Universe, edited by M. Kafatos (Kluwer Academic,

Dordrecht, 1989).

[36] F. Verstraete, J. Dehaene, B. De Moor, and H. Verschelde, Phys. Rev. A 65, 052112

(2002).

[37] M. Murao, M. B. Plenio, S. Popescu, V. Vedral, and P. L. Knight, Phys. Rev. A

57, R4075 (1998).

[38] E. N. Maneva and J. A. Smolin, in Quantum Computation and Quantum Infor-

mation Science, Vol. 305 of AMS Contemporary Mathematics, edited by S. J.

Lomonaco and H. E. Brandt (American Mathematical Society, Providence, RI,

2002), pp. 203–212.

[39] K. Chen and H.-K. Lo, in Proceedings of the 2005 IEEE International Symposium

on Information Theory, Adelaide, Australia (IEEE, New Jersey, 2005), pp. 1607–

1611.

[40] C. Kruszynska, A. Miyake, H. J. Briegel, and W. Dur, Phys. Rev. A 74, (2006).

[41] A. Miyake and H. J. Briegel, Phys. Rev. Lett. 95, (2005).

Bibliography 167

[42] C. H. Bennett, S. Popescu, D. Rohrlich, J. A. Smolin, and A. V. Thapliyal, Phys.

Rev. A 63, 012307 (2000).

[43] N. Linden, S. Popescu, B. Schumacher, and M. Westmoreland, Quant. Inf. Proc.

4, 241 (2005).

[44] A. Acin, G. Vidal, and J. I. Cirac, Quant. Inf. Comp. 3, 55 (2003).

[45] S. Ishizaka and M. B. Plenio, Phys. Rev. A 72, 042325 (2005).

[46] C. E. Shannon, Bell Sys. Tech. J. 28, 656 (1949).

[47] W. Diffie and M. Hellman, IEEE Trans. Inf. Th. 22, 644 (1976).

[48] C. C. Cocks, Technical report, CESG, UK (unpublished).

[49] P. W. Shor, Foundations of Computer Science, 1994 Proceedings., 35th Annual

Symposium on 124 (1994).

[50] C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Confer-

ence on Computers, Systems, and Signal Processing, Bangalore, India (IEEE, New

Jersey, 1984), pp. 175–179.

[51] P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 (2000).

[52] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).

[53] V. Coffman, J. Kundu, and W. K. Wootters, Phys. Rev. A 61, 052306 (2000).

[54] K. Horodecki, M. Horodecki, P. Horodecki, and J. Oppenheim, Phys. Rev. Lett.

94, 160502 (2005).

[55] K. Horodecki, D. Leung, H.-K. Lo, and J. Oppenheim, Phys. Rev. Lett. 96, 070501

(2006).

Bibliography 168

[56] K. Horodecki, M. Horodecki, P. Horodecki, and J. Oppenheim, arXiv:quant-

ph/0506189 (2005).

[57] B. Fortescue and H.-K. Lo, Phys. Rev. A 72, 032336 (2005).

[58] B. Fortescue and H.-K. Lo, in Proceedings of the 2005 IEEE International Sympo-

sium on Information Theory, Adelaide, Australia (IEEE, New Jersey, 2005), pp.

889–892.

[59] B. Fortescue and H.-K. Lo, Phys. Rev. Lett. 98, 260501 (2007).

[60] B. Fortescue and H.-K. Lo, Phys. Rev. A 78, 012348 (2008).

[61] R. B. A. Adamson, B. Fortescue, H.-K. Lo, and A. M. Steinberg, (presentation:

Canadian Institute for Photonic Innovations, Annual Meeting, Hamilton, Ontario,

Canada, 2005) (unpublished).

[62] R. B. A. Adamson, B. Fortescue, H.-K. Lo, and A. M. Steinberg, (presentation:

Conference on Lasers and Electro-Optics/Quantum Electronics and Laser Science,

Long Beach, California, USA, 2006) (unpublished).

[63] R. B. A. Adamson, B. Fortescue, H.-K. Lo, and A. M. Steinberg, (presentation: 4th

Canadian Quantum Information Student Conference, Waterloo, Ontario, Canada,

2007) (unpublished).

[64] T. M. Cover and J. A. Thomas, Elements of Information Theory (John Wiley &

Sons, New York, 1991).

[65] B. Schumacher, Phys. Rev. A 51, 2738 (1995).

[66] H.-K. Lo and S. Popescu, Phys. Rev. A 63, 022301 (2001).

[67] A. Harrow and H.-K. Lo, IEEE Trans. Inf. Th. 50, 319 (2004).

Bibliography 169

[68] P. Hayden and A. Winter, Phys. Rev. A 67, 012326 (2003).

[69] W. Feller, An Introduction to Probability Theory and Its Applications (John Wiley

& Sons, New York, 1957).

[70] R. M. Corless, G. H. Gonnet, D. E. G. Hare, D. J. Jeffrey, and D. E. Knuth, Adv.

Comput. Math. 5, 329 (1996).

[71] T. Worsch, Technical report, Universitat Karsruhe, Germany (unpublished).

[72] H.-K. Lo, Phys. Rev. A 62, 012313 (2000).

[73] N. K. Arenbaev, Theor. Probab. Appl. 21, 805 (1977).

[74] G. Vidal, W. Dur, and J. I. Cirac, Phys. Rev. Lett. 89, 027901 (2002).

[75] K. Matsumoto and F. Yura, J. Phys. A 37, L167 (2004).

[76] N. Linden and W. K. Wootters, Phys. Rev. Lett. 89, 277906 (2002).

[77] D. P. DiVincenzo, C. A. Fuchs, H. Mabuchi, J. A. Smolin, A. V. Thapliyal, and A.

Uhlmann, in QCQC ’98: Selected papers from the First NASA International Con-

ference on Quantum Computing and Quantum Communications (Springer-Verlag,

London, UK, 1998), pp. 247–257.

[78] L. P. Hughston, R. Jozsa, and W. K. Wootters, Phys. Lett. A 183, 14 (1993).

[79] T. Laustsen, F. Verstraete, and S. J. V. Enk, Quant. Inf. Comp. 3, 64 (2003).

[80] G. Gour, Phys. Rev. A 72, 042318 (2005).

[81] G. Gour and R. W. Spekkens, Phys. Rev. A 73, 062331 (2006).

[82] J. A. Smolin, F. Verstraete, and A. Winter, Phys. Rev. A 72, 052317 (2005).

[83] M. Horodecki, J. Oppenheim, and A. Winter, Nature (London) 436, 673 (2005).

Bibliography 170

[84] M. Horodecki, J. Oppenheim, and A. Winter, arXiv:quant-ph/0512247v1 (2005).

[85] G. Gour, Phys. Rev. A 71, 012318 (2005).

[86] B. M. Terhal and P. Horodecki, Phys. Rev. A 61, 040301 (2000).

[87] M. J. Donald and M. Horodecki, Phys. Lett. A 264, 257 (1999).

[88] M. Plenio and V. Vedral, J. Phys. A 34, 6997 (2001).

[89] M. Plenio, S. Virmani, and P. Papadopoulos, J. Phys. A 33, L193 (2000).

[90] N. Kiesel, C. Schmid, G. Toth, E. Solano, and H. Weinfurter, Phys. Rev. Lett. 98,

063604 (2007).

[91] G. Toth, J. Opt. Soc. Am. B 24, 275 (2007).

[92] J. K. Stockton, J. M. Geremia, A. C. Doherty, and H. Mabuchi, Phys. Rev. A 67,

022112 (2003).

[93] R. H. Dicke, Phys. Rev. 93, 99 (1954).

[94] L. Mandel and E. Wolf, Optical Coherence and Quantum Optics (Cambridge Uni-

versity Press, Cambridge, 1997).

[95] A. M. Steane and D. M. Lucas, in Scalable Quantum Computers (Wiley-VCH,

Berlin, 2001), pp. 69–88.

[96] Technical report, ARDA, USA (unpublished).

[97] D. P. Divincenzo, Fortschr. Phys. 48, 771 (2000).

[98] D. P. DiVincenzo, Phys. Rev. A 51, 1015 (1995).

[99] S. Lloyd, Phys. Rev. Lett. 75, 346 (1995).

Bibliography 171

[100] A. Barenco, C. H. Bennett, R. Cleve, D. P. DiVincenzo, N. Margolus, P. Shor, T.

Sleator, J. A. Smolin, and H. Weinfurter, Phys. Rev. A 52, 3457 (1995).

[101] J. I. Cirac and P. Zoller, Phys. Rev. Lett. 74, 4091 (1995).

[102] J. I. Cirac and P. Zoller, Nature (London) 404, 579 (2000).

[103] F. Schmidt-Kaler, H. Haffner, M. Riebe, S. Gulde, G. P. T. Lancaster, T. Deuschle,

C. Becher, C. F. Roos, J. Eschner, and R. Blatt, Nature (London) 422, 408 (2003).

[104] C. F. Roos, M. Riebe, H. Haffner, W. Hansel, J. Benhelm, G. P. T. Lancaster, C.

Becher, F. Schmidt-Kaler, and R. Blatt, Science 304, 1478 (2004).

[105] K. Zyczkowski, Phys. Rev. A 60, 3496 (1999).

[106] A. Uhlmann, arXiv:quant-ph/9704017 (1997).

[107] P. Horodecki, Phys. Lett. A 232, 333 (1997).

[108] H. Haffner, (private communication).

[109] I. Csiszar and P. Narayan, IEEE Trans. Inf. Th. 46, 344 (2000).

[110] M. Hillery, V. Buzek, and A. Berthiaume, Phys. Rev. A 59, 1829 (1999).

[111] V. Scarani and N. Gisin, Phys. Rev. Lett. 87, 117901 (2001).

[112] Y.-A. Chen, A.-N. Zhang, Z. Zhao, X.-Q. Zhou, C.-Y. Lu, C.-Z. Peng, T. Yang,

and J.-W. Pan, Phys. Rev. Lett. 95, 200502 (2005).

[113] W. Tittel, H. Zbinden, and N. Gisin, Phys. Rev. A 63, 042301 (2001).

[114] S. Gaertner, C. Kurtsiefer, M. Bourennane, and H. Weinfurter, Phys. Rev. Lett.

98, 020503 (2007).

[115] V. Makarov, A. Anisimov, and J. Skaar, Phys. Rev. A 74, 022313 (2006).

Bibliography 172

[116] V. Makarov and J. Skaar, Quant. Inf. Comp. 8, 622 (2008).

[117] Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253 (2007).

[118] D. Gottesman, H.-K. Lo, N. Lutkenhaus, and J. Preskill, Quant. Inf. Comput. 4,

325 (2004).

[119] H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 230504 (2005).

[120] Y. Zhao, B. Qi, X. Ma, H.-K. Lo, and L. Qian, Phys. Rev. Lett. 96, 070502 (2006).

[121] D. Rosenberg, J. W. Harrington, P. R. Rice, P. A. Hiskett, C. G. Peterson, R. J.

Hughes, A. E. Lita, S. W. Nam, and J. E. Nordholt, Phys. Rev. Lett. 98, 010503

(2007).

[122] Z. L. Yuan, A. W. Sharpe, and A. J. Shields, Appl. Phys. Lett. 90, 011118 (2007).

[123] M. Koashi, arXiv:quant-ph/0505108 (2005).

[124] R. Konig and R. Renner, J. of Math. Phys. 46, 122108 (2005).

[125] M. Christandl, R. Konig, G. Mitchison, and R. Renner, Commun. Math. Phys.

273, (2007).

[126] R. Renner, Nature Phys. 3, 645 (2007).

[127] N. J. Beaudry, T. Moroder, and N. Lutkenhaus, arXiv:quant-ph/0804.3082 (2008).

[128] T. Schmitt-Manderbach, H. Weier, M. Furst, R. Ursin, F. Tiefenbacher, T. Scheidl,

J. Perdigues, Z. Sodnik, C. Kurtsiefer, J. G. Rarity, A. Zeilinger, and H. Weinfurter,

Phys. Rev. Lett. 98, 010504 (2007).

[129] A. Tanaka, M. Fujiwara, S. W. Nam, Y. Nambu, S. Takahashi, W. Maeda, K.

Yoshino, S. Miki, B. Baek, Z. Wang, A. Tajima, M. Sasaki, and A. Tomita,

arXiV:0805.2193 (2008).

Bibliography 173

[130] T. Honjo, S. W. Nam, H. Takesue, Q. Zhang, H. Kamada, Y. Nishida, O. Tadanaga,

M. Asobe, B. Baek, R. Hadfield, S. Miki, M. Fujiwara, M. Sasaki, Z. Wang,

K. Inoue, and Y. Yamamoto, (presentation: Conference on Lasers and Electro-

Optics/Quantum Electronics and Laser Science, San Jose, California, USA) (un-

published).

Application and manipulation of bipartite and …...Application and manipulation of bipartite and multipartite entangled quantum states by Benjamin Fortescue A thesis submitted in

Documents