Application and manipulation of bipartite and multipartite entangled quantum states by Benjamin Fortescue A thesis submitted in conformity with the requirements for the degree of Doctor of Philosophy Graduate Department of Physics University of Toronto Copyright c 2009 by Benjamin Fortescue
187
Embed
Application and manipulation of bipartite and …...Application and manipulation of bipartite and multipartite entangled quantum states by Benjamin Fortescue A thesis submitted in
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Application and manipulation of bipartite and multipartite
entangled quantum states
by
Benjamin Fortescue
A thesis submitted in conformity with the requirementsfor the degree of Doctor of Philosophy
4.6 3-way QKD using 2-party protocols. Alice generates separate keys AB
and AC with Bob and Charlie then encrypts key AB with key AC for
classical communication to Charlie. with key . . . . . . . . . . . . . . . 153
xiv
Chapter 1
Introduction
In this introductory chapter we give a brief summary of some of the major results con-
cerning quantum entanglement most relevant to our work, which we discuss in section
1.5. For a much more comprehensive review see e.g. [2, 3].
1.1 Entanglement
1.1.1 Entanglement in quantum mechanics
Arguably a major reason for why the description of physical processes as given by quan-
tum mechanics is at odds with our intuition is the divide that quantum mechanics gives
between the properties of such systems and what we can discover about them through
measurement. In classical, Newtonian mechanics, we can consistently refer, for example,
to particles with well-defined masses, positions, momenta etc., which both determine
their behaviour over time and can be measured whenever we wish. There is no difficulty
with the intuitively satisfying picture of an independent physical reality whose properties,
all of which are at least in principle measurable, determine its evolution.
In quantum mechanics the picture becomes much less clear-cut. Using, for example,
the Schrodinger picture [4], the underlying entities whose time-evolution we are concerned
1
Chapter 1. Introduction 2
with are not particles but quantum states which describe the particles. Knowing such
states and the rules for their evolution is sufficient to describe the observable physics,
but the states themselves are not observables (there is no “state-meter”). Indeed, there
is no guarantee that a given observable has a definite value when the system is in a given
state, resulting in probabilistic results when measuring such observables even in identical
states. Whether the states represent “reality” or merely a mathematical convenience is
a matter of interpretation, but the connection between observables and the underlying
physics is, in a sense, less direct than in the classical case. Moreover, measurement itself
can no longer be considered as a passive operation with respect to the observed system
but will, in general, actively alter the system’s state.
Of course, one illustration of this behaviour, as alluded to above, is the well-known
“uncertainty principle” describing the limitations on the degree to which certain ob-
servable quantities (e.g. position and momentum) can be simultaneously known for the
same system. But the curious phenomenon of entanglement can also be considered as
arising from this division. Entanglement, broadly speaking, occurs when two or more
distinguishable systems (often conveniently envisioned, as we shall do here, as two sep-
arate particles, though by no means exclusive to this case) can only be fully quantum-
mechanically described in terms of their joint behaviour, with observable properties of
the separate particles being correlated in a way that appears to contradict their having
locally independent behaviour.
Moreover, measurement of such observables of the individual particles (and, in gen-
eral, any operation acting on the individual particles) alters, in general, the overall state
of the system of both particles. The result is that the particles behave as if mysteriously
connected even when not directly interacting with each other - the underlying state
“knows” about the connection even when there is no apparent communication between
the particles and operations on one particle affect the state of the other.
Such phenomena have been known about for decades but have gained a new promi-
Chapter 1. Introduction 3
nence with the rise of the field of quantum information. Such correlations between (po-
tentially) distant particles have obvious relevance to a field concerned, like its classical
counterpart, with the degree to which certain types of communication may be achieved.
A remarkable property of entanglement is that, though there appears to be an underlying
connection between entangled particles, this does not violate the ban imposed by special
relativity on faster-than-light communication, since entanglement alone cannot be used
for communication. This does not prevent it being a useful resource in quantum infor-
mation applications - as discussed in the following sections, entanglement is both useful
as a communication resource when combined with other forms of communication, and as
a resource in its own right in applications such as quantum cryptography. Indeed, the
picture of entanglement specifically as a resource and its description in terms of what can
be achieved using entangled states, is very much key to the description of entanglement
in quantum information theory, and a major element of this thesis.
In the following sections we will discuss some important properties of entanglement
in more formal terms.
Consider a Hilbert space HA with basis vectors |ψi〉, and a second orthogonal
Hilbert space HB with vectors |φj〉. A quantum state in the combined Hilbert space
HA ⊗HB can be generally expressed as
ρ =∑
∀i,i′,j,j′λii′jj′|ψi〉|φj〉〈ψi′ |〈φj′| (1.1)
for some complex coefficients λii′jj′ such that ρ is Hermitian and positive and tr(ρ) = 1.
Certain states ρs may (for some choice of basis vectors i, j) be expressible in the form
ρs =∑
k
pkρk ⊗ σk (1.2)
where ρk =∑
∀i,i′ aii′ |ψi〉〈ψ′i| and σk =
∑
∀j,j′ bjj′|φj〉〈φj′| i.e. states ρk exist entirely
within space HA and state σk within HB (with positive coefficients pk such that∑
k pk =
1). Such a state ρs is described as separable with respect to HA and HB - one can
consider ρ as consisting of a mixture of separate states ρk and σk such that any operator
Chapter 1. Introduction 4
acting on ρ only within HA can be considered as acting only on the state ρk and likewise
for HB and σk. Conversely, a state which is not separable is described as entangled
with respect to HA and HB. A simple and well-known two-party entangled state is the
Einstein-Podolsky-Rosen or EPR pair.
|Φ〉 =1√2(|0〉A|0〉B + |1〉A|1〉B) =
1√2(|00〉 + |11〉)AB (1.3)
(using a simplified notation in the rightmost expression). As discussed in later sections,
this is often used as a fundamental two-party unit of entanglement.
A common example of a bipartite (two-party) entangled state, which highlights the
counterintuitive nature of entanglement, is where HA and HB correspond to states of
physically separate systems, for example two particles A and B. This was the system
considered by Einstein, Podolsky and Rosen [5] in their paper which originally introduced
the concept of entanglement. In this paper the authors consider the case of two physically
separated particles in an entangled state and note that under such circumstances the
state of one particle can be affected by a measurement made on the other particle, even
though the particles are not interacting, described by Einstein as “spooky action at a
distance”. It was later shown by Bell [6] that the correlations in classical measurement
outcomes that quantum mechanics predicts for entangled states cannot be accounted for
by a purely local description of the entangled systems - these predictions have since been
validated in many experiments [7, 8, 9, 10]. Quantum mechanics thus appears to be an
inherently nonlocal theory and entanglement has been regarded by many as a defining
feature of quantum mechanics.
1.1.2 Entanglement as a resource
1.1.3 Quantum information
Quantum information theory is concerned with the informational properties of quantum
states. The quantum analogue of the classical “bit” - a classical variable taking one of
Chapter 1. Introduction 5
two possible values (typically labelled 0 and 1) - is the “qubit”, a quantum state within
a two-dimensional Hilbert space (typically with basis vectors labelled |0〉 and |1〉) e.g.
|ψ〉 = α|0〉 + β|1〉, (|α|2 + |β|2 = 1). (1.4)
Such a state can thus be in either of the two basis states or any superposition thereof.
This makes quantum information qualitatively different from its classical counterpart.
For classical information, one can define, for a given channel, a single classical “chan-
nel capacity” [11] which quantifies how many data or “logical” bits may be accurately
received across the channel per “raw” bit sent, optimised over schemes encoding logical
bits in raw bits. For an input variable X and output variable Y this is known to be the
maximum over X of the classical mutual information.
I(X;Y ) = H(X) +H(Y ) −H(X, Y ) (1.5)
where H is the Shannon entropy, which for a variable X taking values x with probability
px is
H(X) = −∑
x
px log2 px, (∑
x
px = 1). (1.6)
However a simple corollary of the no-cloning theorem [12, 13] shows that the capacity
of a classical channel to send quantum information, i.e. qubits, is zero. Instead, one can
define a “quantum channel” with a capacity in terms of its ability to reliably transmit
qubits, as introduced in [14].1
Quantum information is thus qualitatively distinct from its classical counterpart, and
considering the channel capacity reveals close connections between entanglement and
quantum channels, as discussed in later sections.
1This capacity can be defined with respect to different scenarios, for example whether or not a classicalside channel is available and, if so, whether one or two-way classical communication is permitted. Forthe case of no side channel the quantum channel capacity was shown [15, 16, 17] to be equal to themaximisation of the coherent information, an analogous quantity to the classical mutual information. Acrucial difference in the quantum case, however, is that the quantum channel capacity must be maximisedover multiple uses of the channel, the inputs to which may be entangled. As a result, both determiningthe capacity of a given channel and constructing coding schemes which saturate the capacity is a muchmore challenging problem for quantum channels.
Chapter 1. Introduction 6
1.1.4 Entanglement and information
While Bell inequality experiments show that entangled states exhibit nonlocality and thus
components of an entangled state can apparently instantaneously influence each other
over large distances, it has been proven that this cannot be used to violate causality as
understood in special relativity i.e. one cannot use entangled states to transmit infor-
mation faster than the speed of light. This follows from the result that in the absence
of any classical communication between parties, entanglement alone cannot be used to
transmit any information, classical or quantum. Intuitively this may be understood as a
consequence of quantum randomness - a local measurement on one part of an entangled
system can determine the outcome of a measurement on another party of the system,
but in general the measurement outcomes, while correlated, are nondeterministic. Hence
if Alice makes a computational basis measurement on her half of an EPR pair her result
will tell her what Bob’s measurement outcome on his half will be, but she cannot control
his measurement result, since her measurement result is random 2
Teleportation and dense coding
However, entanglement can be used in conjunction with forms of communication to in-
crease the transmission of classical or quantum information. In quantum teleportation
[18] two parties, Alice and Bob (A and B), who share an entangled EPR pair (also known
as an “ebit”) |Φ〉AB can perform local operations on their halves of the pair along with
locally-created states, combined with the transmission of two bits of classical communi-
cation, to send a single qubit from Alice to Bob or vice versa. The EPR pair is destroyed
in the teleportation process. This leads to the relation, in terms of communication cost
1 ebit + 2 bits ≥ 1 qubit. (1.7)
2Such correlated randomness can be useful as, for example, a cryptographic key - a principle exploitedin quantum key distribution (QKD), as discussed in Chapter 4. It does not, however, in itself constitutea message transferred from Alice to Bob.
Chapter 1. Introduction 7
This also motivates the ebit as a natural unit of entanglement, since any other two-qubit
entangled state can be produced (without any quantum communication) from an ebit by
Alice locally preparing the state and teleporting one of the qubits to Bob.
A dual protocol to quantum teleportation is quantum dense coding [19]. In this
protocol Alice shares an EPR pair with Bob and also transmits to him a qubit. Combined
with local operations (which destroy the EPR pair), this allows Alice to transmit two
classical bits to Bob, versus zero bits using the EPR pair alone or one bit using the qubit
alone (as shown by the Holevo bound [20]). This gives the relation
1 ebit + 1 qubit ≥ 2 bits. (1.8)
A more recent development is the concept of “coherent bits” or cobits [21, 22], an
intermediate resource between classical and quantum bits. A cobit channel is weaker
than a general quantum channel, but does allow controlled entangling operations between
Alice and Bob, of the form.
(α|0〉 + β|1〉)A → (α|00〉 + β|11〉)AB. (1.9)
It can be shown [21] that the above protocols are reversible when the “classical”
communication is performed using a cobit channel, leading to the relation.
2 cobits = 1 qubit + 1 ebit. (1.10)
A much more general picture of quantum information protocols was provided in [23],
which provided a description of the above and other protocols in terms of two general fully
quantum “mother” and “father” resource inequalities (i.e. statements of achievability
using quantum resources), of which the protocols involving classical communication are
simply specific cases. A description of specific protocols allowing the mother and father
inequalities to be saturated was given in [24].
Protocols such as these, in which “consuming” entangled states allows information to
be transmitted, motivates the view of entanglement as a resource which can be exchanged
Chapter 1. Introduction 8
for other informational resources such as quantum and classical information transmission
and used to perform non-classical tasks. Indeed, it was shown in [25] that any bipartite
entangled state can, at a minimum, be used to enhance the ability of some other entangled
state to be used for quantum teleportation i.e. all bipartite entangled states have some
use as a resource.
Treating entanglement this way necessitates quantifying how much entanglement par-
ties possess.
1.2 Entanglement measures
1.2.1 LOCC
Treating entanglement as a resource involves describing what those parties possessing a
certain amount of entanglement can do with it via certain operations. To meaningfully
quantify the amount of entanglement the parties possess, these operations should not
result in an increase in entanglement. We know that two parties can produce entangled
states by performing joint quantum operations - equivalently, they can perform local
quantum operations and exchange quantum information. This motivates the idea of the
distant lab paradigm and the regime of local operations and classical communication or
LOCC.
In the distant lab paradigm we consider physically-separated parties working in sepa-
rate laboratories some distance away, who may share entangled states but are restricted
in the operations they may perform on such states - they may perform operations on
their own portions of the state and exchange information via some channel(s), classical
or quantum. Specifically, under the LOCC regime, we consider separated parties who
may only exchange classical information. Such parties can be considered as researchers
working in separate labs, who may perform any quantum operation they wish in their
own labs and/or have discussions with each other on the phone, but not send each other
Chapter 1. Introduction 9
any quantum-mechanical systems.
Measures of shared entanglement are generally defined such that the expectation of
such measures cannot increase in the LOCC regime - it follows from the above requirement
that states which can be reversibly interconverted under LOCC must have the same
entanglement under a given measure. For example, a frequently used two-qubit basis,
consisting of states of equal entanglement to an EPR pair is the “Bell basis”
|Φ±〉 =1√2(|00〉 ± |11〉)AB (1.11)
|Ψ±〉 =1√2(|01〉 ± |10〉)AB. (1.12)
In addition, “stochastic LOCC” or SLOCC is sometimes used to refer to operations in
the LOCC regime which produce a given result with some finite (non-zero) probability
≤ 1.
1.2.2 Operational entanglement measures
In addition to the above property of being non-increasing under LOCC (monotonicity), a
scale is generally set for entanglement measures by requiring that they vanish for product
states, and, commonly, that they be equal to 1 for EPR pairs. Nonetheless this still
allows for many different measures to exist. Some may be useful primarily in that they
are straightforward to calculate, or to measure experimentally. Others, however, have an
operational interpretation, corresponding to some task, the achievement of which under
LOCC requires a certain quantity of entanglement.
The Von Neumann entropy
The Von Neumann entropy is a quantum-mechanical counterpart to the classical Shannon
entropy. The Shannon entropy is defined as in section 1.1.3 and represents the “uncer-
tainty” or information content of the possible values of a variable. For a quantum state
Chapter 1. Introduction 10
ρ the Von Neumann entropy S(ρ) is defined as
S(ρ) = −trρ log2 ρ. (1.13)
and similarly reflects the uncertainty of a quantum state. For a pure state |psi〉 S(|ψ〉) =
0, and S for a classical mixture of orthogonal states reduces to the Shannon entropy of
the mixture.
The entanglement entropy
For a pure state ψAB, one can define the entanglement entropy Es in terms of S, where
Es(ψ) = S(ρA) (1.14)
and Alice’s reduced density matrix ρA is defined as
ρA = TrBρAB. (1.15)
(Note that by this definition S(ρA) = S(ρB)). Qualitatively, this measures the uncer-
tainty of one party’s state in the absence of the other party, and thus the degree of
entanglement between the parties.
An important feature of the entanglement entropy is its operational interpretation -
it was shown by Bennett, Bernstein, Popescu and Schumacher (BBPS) [26] that, when
performing the LOCC-conversion of N copies of a pure state ψAB to M EPR pairs,
ψ⊗NAB −→ |Φ+〉⊗M (1.16)
the optimal ratio MN
as N → ∞ is equal to Es(ψ). Moreover, in the limit of large
N the above procedure is reversible [26]. The procedure of converting general states
into maximally entangled states (MES’s) is known as entanglement concentration or
entanglement distillation and the reverse procedure as entanglement dilution.
Pure-state bipartite entanglement is thus fungible - reversibly convertible to EPR
pairs as standard units of entanglement, at a rate given by the entanglement entropy. Es
Chapter 1. Introduction 11
is often used as a standard measure for bipartite entanglement as, in the asymptotic case,
it is thus equal to both the operational measures of the entanglement cost (the number
of EPR pairs required to make a state under LOCC in the many-copy limit) and the
distillable entanglement (the number of EPR pairs one can obtain from a state under
LOCC in the many-copy limit) for pure bipartite states. Entanglement entropy is also
an additive measure.
It is known [4] that all bipartite pure states |ψ〉AB can be expressed as a Schmidt
decomposition
|ψ〉AB =k∑
i=1
√pi|i〉A|i〉B (1.17)
where 〈i|j〉 = δij , pi > 0 for all i,∑k
i=1 pi = 1, and the Schmidt number of the state
is defined as k. Thus any pure two-qubit state can be expressed in the form |ψ〉 =
α|00〉 + β|11〉 (|α|2 + |β|2 = 1), and the highest Es for any such state is 1 for the EPR
pair. The EPR pair is thus a maximally entangled state (MES) of two qubits.
1.2.3 Non-operational entanglement measures
We note in passing that not all entanglement measures are operational - measures can
also be defined purely by reference to the state in question. One example, which we use
in Chapter 4, is the relative entropy of entanglement Er, defined in terms of a distance
measure, the relative entropy, as the distance from the nearest separable state.
Er(ρ) = minσsep
S(ρ||σ) (1.18)
where the minimisation is over all separable states σsep and the relative entropy S(σ ‖ ρ)
is defined as:
S(σ ‖ ρ) = trσ log2 σ − σ log2 ρ. (1.19)
One advantage of such a measure compared to, say, the distillable entanglement, is that
it does not rely on a well-defined MES and hence can be applied to multipartite states.
Chapter 1. Introduction 12
1.2.4 Measures for mixed states
For mixed states the situation is less well-understood than for pure states. We immedi-
ately see, for example, that the entanglement entropy can no longer be used as for pure
states. From the definition in section 1.2.2 we see that if Alice and Bob share a mixed
state, then Alice’s reduced density matrix will have non-zero Von Neumann entropy even
in the absence of any entanglement with Bob. Moreover, there is no simple relationship
between the entanglement of a mixture of states and that of its components, since mixed
states do not have a unique decomposition. For example, an equal mixture ρ of the
maximally-entangled states Φ±
ρ =|Φ+〉〈Φ+| + |Φ−〉〈Φ−|
2=
|00〉〈00|+ |11〉〈11|2
(1.20)
thus can be produced from a mixture of product states and has zero entanglement. While
schemes such as [14] exist to “purify” EPR pairs from noisy entangled states, these are
in general not provably efficient. Moreover, unlike in the pure-state case, mixed-state
entanglement is not fungible in general - there exist states with “bound entanglement”
[27] which require a non-zero number of EPR pairs to create but from which no EPR
pairs can be distilled.
However, consideration of the distillation of entanglement from mixed states does
have a close connection to quantum channel capacity, since as demonstrated in [14],
mixed entangled states shared between Alice and Bob can be considered as resulting
from Alice sending halves of EPR pairs down a noisy channel to Bob. If the two parties
can distill EPR pairs from the mixed states, these can be used in combination with
one-way classical communication for quantum teleportation of arbitrary states. It has
been shown [14, 28] that quantum channel capacity with a one-way classical side channel
is equal to that with no side channel, thus the distillable entanglement in this scenario
places a lower bound on the channel capacity.
Chapter 1. Introduction 13
Convex hull
Allowing for the above, a straightforward means of adapting any pure-state entanglement
measure to mixed states is by minimising the expected value of that measure over de-
compositions, the “convex hull”. I.e. for a mixed state ρAB expressible in decompositions
ρ =∑
i pi|ψi〉AB and a pure state entanglement measure E, we can define a mixed-state
measure
E ′(ρ) = minpi,|ψi〉
∑
i
piE(ψi) (1.21)
where the minimisation is over decompositions. It was proven in [29] that the convex
hull for a pure-state monotone is itself an entanglement monotone. However, even if E
is straightforward to calculate E ′ may well not be.
Entanglement of formation
One example of a convex hull measure is the entanglement of formation Ef , which equates
to the convex hull using entanglement entropy Es as a measure. In the many-copy limit
this can be regarded as an “entanglement cost” in the sense that it measures the number
of EPR pairs used to construct a state via the specific procedure of creating pure states
corresponding to the minimal-entropy state decomposition and then combining them in
an ensemble - that is, in the limit of large N , the number of EPR pairs required using this
procedure is NEf (ρ). As this is not the most general LOCC procedure, the entanglement
of formation Ef differs in definition from the entanglement cost Ec.
However it was shown in [30] that in the large N limit NEf (ρ) = EC(ρ⊗N). If Ef
could be shown to be an additive measure (as has been conjectured) i.e. that Ef(ρ⊗N ) =
NEf (ρ), then EC = Ef . However this is now known not to be true in general, as a
counterexample to the additivity of classical capacity of quantum channels, previously
shown by Shor [31] to be equivalent to the additivity of Ef , has been recently shown by
Hastings [32].
Chapter 1. Introduction 14
Entanglement cost and distillable entanglement
The operational measures of entanglement cost and distillable entanglement (shown for
pure states to both be asymptotically equal to the entanglement entropy) are well-defined
operational measures in the mixed-state case also. The entanglement cost Ec represents
the number of EPR pairs needed to make a state, that is for a protocol
|Φ+〉⊗M −→ ρ⊗N (1.22)
Ec(ρ) = limM→∞
maxM
N(1.23)
where the maximisation is over protocols. (It follows that mixed-state Ec is just the
convex hull using the entanglement entropy as a measure). Likewise the definition of
distillable entanglement Ed follows from the reverse process
ρ⊗N −→ |Φ+〉⊗M (1.24)
Ed(ρ) =M
N, N → ∞. (1.25)
In general Ec ≥ Ed (otherwise one could generate EPR pairs through LOCC), but in
some cases this inequality is strict - mixed-state entanglement is not fungible in general.
Concurrence
A well-known pure- and mixed-state entanglement measure for two-qubit states is the
concurrence [33]. For a two-qubit state ρAB, one defines the state ρ, where
ρ = (σAy ⊗ σBy )ρ∗(σAy ⊗ σBy ). (1.26)
where ρ∗ is the complex conjugate of ρ taken in the |0〉, |1〉 basis. The concurrence is
then defined as
C(ρ) = min√
λ1 −√
λ2 −√
λ3 −√
λ4, 0 (1.27)
where λ1 . . . λ4 are the eigenvalues of ρρ in descending order of size. The function
H2(ǫ(C)), where H2 is the binary Shannon entropy
H2(x) = −x log2(x) − (1 − x) log2(1 − x) (1.28)
Chapter 1. Introduction 15
and
ǫ(C(ρ)) =1 +
√1 − C2
2(1.29)
also equates to the convex hull for Es, and is consequently equal to the entanglement
of formation for a two-qubit mixed state, and hence the entanglement entropy for a
two-qubit pure state.
1.3 Multipartite states
As discussed above, for two-party pure states at least, entanglement appears to be a
single kind of resource, which has an intuitive operational interpretation and can be
readily interconverted between different forms (i.e. states of equal entanglement) through
LOCC in the many-copy limit. For multipartite states (those shared between more than
two parties), the situation is much more complex.
There appear to be multiple types of multipartite pure-state entanglement. As dis-
cussed above, an EPR pair is a standard MES for two-qubit states since all two-qubit
states may be produced via LOCC from a single EPR pair through teleportation. For
three qubits (shared between three parties) however, the situation is different. It was
shown in [34] that pure three-qubit entangled states can be divided into two classes, with
the probability of converting a single copy of a state in one class to a state in the other
through LOCC being zero (versus some finite probability for LOCC-conversion within
a class i.e. states are only SLOCC-convertible within their own class). Notable states
belonging to, respectively, the two separate classes are the Greenberger-Horne-Zeilinger
(GHZ) [35] state and the W state:
|GHZ〉 =1√2(|000〉 + |111〉)ABC (1.30)
|W 〉 =1√3(|001〉 + |010〉 + |100〉)ABC. (1.31)
Distinct entanglement classes appear to be the norm for multipartite states, with nine
Chapter 1. Introduction 16
separate classes in the four-qubit case [36]. Indeed, it was shown in [34] that randomly
chosen pure states are typically not interconvertible. Thus, while several results exist
regarding the purification of pure multipartite states from “noisy” mixed versions of the
same states [37, 38, 39, 40, 41], there is no analogous result to the fungibility of pure
bipartite entanglement.
1.3.1 MREGS
The idea of distinct entanglement classes for multipartite entangled states motivates the
idea, in the many-copy limit, of the minimal reversible entanglement generating set, or
MREGS [42]. An M-party MREGS consists of the smallest set of states |ψi〉 from
which any M-party pure state may be reversibly produced through LOCC. Thus the
EPR pair constitutes a two-party MREGS, as would any other pure bipartite entangled
state, since all such states are asymptotically interconvertible. The presence of distinct
entanglement classes with respect to single-copy SLOCC in the multipartite case implies
that there is no single well-defined MES for such states. Thus for multipartite states an
MREGS might require more than one state.
So far, however, no finite reversible entanglement generating set is known for any
multipartite case3, even the simplest - that of three qubits shared between three par-
ties, Alice, Bob and Charlie. It is known that in this case the three possible EPR pairs
(|Φ〉AB, |Φ〉AC , |Φ〉BC) do not constitute an MREGS [43], nor do the EPR pairs com-
bined with GHZ states [44] or the EPR pairs combined with W states [45].
1.4 Quantum key distribution and entanglement
One application of entangled states is in quantum key distribution (QKD). QKD is
a solution to the practical problem of key distribution in cryptography. Suppose two
3Trivially, the set of all states is a reversible entanglement generating set.
Chapter 1. Introduction 17
distant parties (Alice and Bob) wish to be able to communicate securely - that is, they
wish to be able to send messages to each other over an open channel (e.g. phone lines,
the internet etc.) which could potentially be intercepted by an eavesdropper (Eve). They
can do this through cryptography - encoding and decoding (in this context, encrypting
and decrypting) the messages at their respective ends of the channel so that the original
message is hard to obtain from what is passed over the channel. It was shown by Shannon
[46] that this could be done with perfect security (i.e. it is impossible for an eavesdropper
to obtain the original message from the encrypted message) if the participants share a
one-time pad - for each N -bit message, this is a shared random sequence of N bits, to be
used once in encryption and decryption (by applying it to the message using an exclusive-
OR (XOR) operation, equivalent to taking the binary sum of key and message) and then
discarded.
In general, such shared sequences (“keys”) are elements (though for less-than-perfectly-
secure systems, not always with such stringent requirements of randomness and single-
use) of many classical cryptography protocols. However, a need for such keys raises the
key distribution problem - how the distant parties are to obtain them in the first place.
Those methods which exist (an initial meeting of the parties, use of a trusted courier
etc.) all have drawbacks in terms of security, speed and convenience.
An alternative to the need for the parties to possess identical keys lies in public-key
cryptography, first (publically) proposed in [47] (though earlier in [48]), in which different
keys are used for the encryption and decryption stages, the encryption key being made
public. However the security of such schemes is generally related to unproven assumptions
regarding the computational cost of certain mathematical tasks - in particular factoring,
which is conjectured but not proven to not be achievable in polynomial time on a classical
computer, but known to be theoretically achievable in polynomial time on a quantum
computer using Shor’s algorithm [49].
QKD allows for provably-secure key distribution whose security is based on the axioms
Chapter 1. Introduction 18
of quantum mechanics. In particular the security of QKD can be regarded as stemming
from the uncertainty principle and the no-cloning theorem - that one cannot, in general,
ascertain the state of a quantum system through measurement without changing that
system, and that one cannot make copies of an unknown quantum system. In QKD, in
general, Alice and Bob generate their shared key from quantum states sent over an open
channel - while they cannot prevent eavesdropping, any eavesdropping can be detected by
sampling the states for errors potentially introduced by an eavesdropper’s measurements.
The earliest QKD protocol proposed was BB84, by Bennett and Brassard [50] and its
security was later proven in [51].
QKD has close ties to entanglement. It is straightforward to see, from the form of
(1.3), that if Alice and Bob share an EPR pair they can easily share a random bit, simply
by both making a computational basis |0〉, |1〉 measurement.
An EPR-based QKD scheme by Ekert [52] was one of the earliest proposed - this
consisted of the two parties receiving an EPR pair from a third source and verifying
security through Bell inequalities. Another possible QKD scheme, though, would be for
Alice to locally create EPR pairs and send halves of them to Bob. Any eavesdropping by
Eve (or any noise in the channel) would result in the pure EPR pairs degrading to some
mixed state, from which Alice and Bob could then perform a purification protocol to
obtain pure EPR pairs and hence a secure key4. While the purification would, in general,
require some classical communication, if Alice and Bob could perform this efficiently
using some pre-existing secure key, such that fewer secure bits were used than created in
the protocol, the scheme would work as a “key-growing” protocol5.
The usefulness of entanglement distillation for QKD arises not just because computational-
basis measurements on an EPR pair give Alice and Bob random bits correlated with each
4The non-trivial aspect of such protocols is generally in efficiently verifying that the output statesare EPR pairs.
5Strictly speaking all QKDs are key-growing protocols, as they all require some initial secure key, ifonly to authenticate the classical communication (i.e. allow Alice and Bob to prove their identities toeach other.)
Chapter 1. Introduction 19
other (which could also be achieved using, say, the fully mixed product state (1.20)), but
because these are necessarily uncorrelated with any other party, a consequence of the
“monogamy of entanglement” (states fully entangled with each other cannot be entan-
gled with any other state [53] - by contrast Eve could hold the purification of (1.20) and
consequently know Alice and Bob’s qubits). This idea of entanglement distillation as a
means of achieving security has been used in many QKD security proofs.
We note, however, that while there are clear connections between entanglement and
QKD, and it is clear that a supply of EPR pairs is sufficient to perform QKD, it is
known that, surprisingly, distillable entanglement is not necessary for QKD. In [54] the
class of “private states” (from which Alice and Bob can obtain a secure key, assuming in
general that Eve holds the state’s purification) was shown, in general, to be the result of
a “twisting” operation on maximally-entangled states. (Here “twisting” consists of Alice
and Bob applying identical joint unitaries to some ancillary systems of the measured state,
conditioned on the measured state). The general class of private states are necessary
and sufficient for the generation of secure bipartite keys [54] and formalisms have been
developed to distill such states from “noisy” copies thereof [55]. Such private states can
be bound-entangled, even having arbitrarily small distillable entanglement [56]. Thus one
can sometimes obtain secure keys from states from which no EPR pairs can be obtained.
1.5 Our results
As discussed above, then, the description of entanglement in the resource model concerns
the possible conversions of entangled states to other communication resources. Such
conversions can demonstrate important properties of entanglement via abstract examples,
such as the fungibility of pure bipartite entanglement in the many-copy limit, or consider
more practically-achievable protocols with real-world applications, such as in the use of
entangled states to obtain shared secure classical information in QKD.
Chapter 1. Introduction 20
In the former case, while (especially for multipartite states) numerous inequivalent
conversions between arbitrary states could be considered, most interesting are those which
demonstrate general and/or previously unknown characteristics of entangled states, such
as to provide genuine insight into the properties of these states as a resource.
In our work we consider three main topics, all related to the properties of entangled
states in the resource model.
1.5.1 Classical communication cost in entanglement dilution
In Chapter 2 we consider a resource which is often neglected in the resource model of en-
tanglement - the classical communication required for conversion between pure bipartite
states. As discussed above, such conversions are known to be asymptotically efficient in
terms of the entanglement required, but, despite being a cost of the conversion, classi-
cal communication is often not considered in such LOCC protocols. Prior results have
established bounds for the classical communication required for conversion to and from
EPR pairs, but not more general conversions.
Using a quantitative analysis of known conversion protocols we find lower bounds for
the classical communication and inefficiency (the amount of lost entanglement) required
in conversion between general pure bipartite states. This gives a more complete picture
of bipartite entanglement as a resource. This chapter covers work published in [57]6; a
summary of some the earlier results was also given in [58]7.
1.5.2 Random distillation of multipartite entanglement
In Chapter 3 we consider pure-state entanglement conversions for multipartite states.
As discussed in the preceding sections, relatively little is known about such conversions
compared to their bipartite counterparts and with no known equivalent result to the
6Copyright (2005) by the American Physical Society7Copyright IEEE (2005)
Chapter 1. Introduction 21
fungibility of pure bipartite entanglement, it is not clear what target states are of most
interest in a resource model.
However, because of the many results concerning bipartite entanglement as a resource,
a class of conversions which are therefore of obvious interest is that of multipartite states
to bipartite states - if we can establish what bipartite states can be obtained from a
given multipartite state, then we can apply our knowledge of what can be achieved with
bipartite states to a multipartite resource model.
Of course, conversion from multipartite to bipartite states introduces a new degree
of freedom - we have a choice of which two parties will share the final state. Prior work
in this area has focused on protocols in which some pair of parties is chosen beforehand
to receive the final state, with a related measure, the “entanglement of assistance”,
quantifying the amount of entanglement obtainable this way.
We show the surprising new result that one can, in general, achieve qualitatively
different outcomes if the parties are post-selected - that is, by using protocols in which
the parties receiving the final entangled state are randomly determined. This is not
restricted to the case of multipartite→bipartite conversion; in general the additional
degree of freedom applies to any conversion from a multipartite state to one shared
between fewer parties.
We show a variety of results related to such “random distillation”, including protocols,
bounds on what can be achieved, its applicability to the multiple-copy case and the
potential for performing random distillation experimentally in trapped ions. This work
demonstrates that considering multipartite states in the resource model allows for distinct
protocols without bipartite counterparts, allowing for conversions between states not
previously known to be possible.
The original random distillation concept, basic protocol for three-party W states and
upper bounds in terms of the relative entropy of entanglement were originally published
Chapter 1. Introduction 22
in [59]8, while the refined definition of “advantageous” random distillation and its appli-
cation to the GHZ and W classes of three-party states and to the many-copy case were
originally published in [60]9.
1.5.3 Experimental GHZ-based QKD
In Chapter 4 we consider a practical application of multipartite entanglement, a three-
party experimental QKD based on shared GHZ states. Prior work has shown this GHZ-
based protocol to be theoretically feasible in an idealised case, and it can in principle be
implemented experimentally using only two-party entangled states (much as, say, BB84
can be proven secure by reference to two-party entanglement purification but imple-
mented using unentangled states).
In collaboration with an experimental implementation of the GHZ QKD using qubits
encoded as polarisation-entangled photons created through parametric downconversion,
we consider the insecurities in this setup arising from a non-ideal source, namely a down-
conversion source producing pairs and single photons in addition to the photon pairs we
desire, the extra photons being of potential use to an eavesdropper. Given these imper-
fections, which are distinct to the multiparty setup, along with distinct countermeasures
applied to deal with them, we apply existing techniques in two- and three-party QKD and
numerical optimisation to determine what secure key rate can be achieved experimentally.
This work demonstrates that practical applications of multipartite entangled states
can raise both problems and solutions distinct from the bipartite case, but may nonethe-
less be amenable to analysis based on bipartite results.
The work in this chapter is currently unpublished, but various stages have been
presented at conferences [61, 62, 63].
In addition to other collaborators (mentioned in the relevant chapters), all of the
8Copyright (2007) by the American Physical Society9Copyright (2008) by the American Physical Society
Chapter 1. Introduction 23
above work was conducted under the supervision of and in collaboration with Prof. Hoi-
Kwong Lo (PhD advisor).
Chapter 2
Classical communication cost in
entanglement dilution
2.1 Introduction
As discussed in section 1.2.2, partially-entangled pure bipartite states (of the form |ψ〉 =
α|00〉 + β|11〉) may be reversibly converted [26] to EPR pairs in the many-copy limit,
showing pure-state bipartite entanglement to be a fungible resource in the resource model.
In this chapter, we will consider an additional aspect of the resources required for such
conversions - the classical communication cost. We will derive an explicit lower bound
on both the classical communication cost and inefficiency in converting between general
pure bipartite states - the results in this chapter may be found in [57].
In the resource model of entanglement, classical communication is often regarded
as “free” insofar as all that is considered is what can be achieved under LOCC with a
given entangled system, without regard to how much classical communication is required.
There is some motivation for this from a practical point of view - fast and reliable classical
communication channels (telephone lines, computer networks etc.) are commonplace and
easily implemented in comparison with controlled quantum operations and the exchange
24
Chapter 2. Classical communication cost in entanglement dilution 25
of quantum information, both of which are typically much more challenging. Thus as far
as practical implementation is concerned, classical communication is “free” compared to
quantum communication. Moreover, as discussed in Chapter 1, classical communication
is qualitatively less powerful than quantum communication, so not considering the former
still allows for a consistent resource model.
However classical communication is nonetheless a useful resource, whose quantifica-
tion with respect to performing operations is the subject of an extensive body of work
in classical communication theory. In addition the quantum “primitive” of dense coding
is a protocol whose purpose is to maximise classical communication using quantum re-
sources - if creating EPR pairs from partially entangled states required too much classical
communication, then dense coding would not be feasible with such states, it would be
a protocol requiring EPR pairs specifically, rather than simply bipartite entanglement.
Moreover, as with other classical quantities, classical communication can be regarded as
a limiting case of quantum communication - a complete theory should be able to consider
all the types of resource involved. This motivates quantifying the classical communication
involved in entanglement manipulations.
2.1.1 BBPS entanglement concentration and dilution
We will first summarise the principles behind the BBPS protocols of Bennett et al [26].
Crucial to these is the idea of a “typical space” - that is, that while N copies of a D
dimensional system occupy a DN -dimensional Hilbert space, they do not, in general,
do so uniformly, with much of the “weight” of the quantum system occupying a smaller,
“typical” space. Roughly speaking, this is the region of the Hilbert space where the state’s
amplitude is largest; the subspace into which one would with high probability find the
system following a projective measurement into subspaces. This is a basic concept in
both classical [11, 64] and quantum [65, 4] information theory.
The BBPS protocols exploit this property directly - in the case of entanglement
Chapter 2. Classical communication cost in entanglement dilution 26
concentration (converting large numbers of partially-entangled states to smaller numbers
of EPR pairs) one of the two parties (Alice and Bob) performs a projective measurement
on their half of the partially entangled states, projecting the system (with probability
→ 1 in the large N limit) into a space which, as is shown in [26], is maximally entangled
with respect to its dimensions (that is, it occupies a (2 ⊗ 2)⊗M Hilbert space and has
entanglement entropy M) and can be converted via local operations to M EPR pairs.
The local operations required to do this are dictated only by the outcome of this
projective measurement, thus the only classical communication the parties might require
would be for the measuring party to inform the other of the outcome. However, since
the measurement is one which either party can locally perform to determine the state of
the system, this communication can be avoided (as noted in [26]) simply by the second
party making the equivalent local measurement (and receiving the same outcome). Thus
no classical communication is required in two-party pure-state entanglement
concentration to EPR pairs.
However, in [26], classical communication is required for entanglement dilution. This
is because the dilution protocol proceeds by one party locally preparing the typical sub-
space of ψ⊗N where ψ is the desired partially entangled state and using M shared EPR
pairs to teleport their half of the system to the other party. This process is efficient
(i.e. the entanglement lost per EPR pair → 0) in the large N limit because in this
case the error between the typical subspace and the full system is negligible. (This is
a form of “quantum compression” of the state, encoding it using an asymptotically effi-
cient scheme, analogous to classical Shannon coding and derived for the quantum case
by Schumacher [65].) However, as described in [18], quantum teleportation does require
classical communication for the receiving party to apply the appropriate local unitary to
recover the teleported state - two classical bits per qubit. Thus entanglement dilution of
EPR pairs to N copies of a state ψ via the BBPS protocol requires 2N bits of classical
communication.
Chapter 2. Classical communication cost in entanglement dilution 27
2.2 Prior work
We will refer frequently to the work of Lo and Popescu [66]. They considered the case
of diluting partially entangled bipartite states to EPR pairs, and showed that in the
asymptotic limit of large N , a dilution
|Φ〉⊗NE(ψ) → |ψ〉⊗N (2.1)
(where E is the entanglement entropy) could be achieved with O(√N) bits of classical
communication, thus the classical communication cost per copy goes as O(√N)/N and
→ 0 in the many-copy limit. Much of our work here consists of a generalisation of the
methods in this paper.
It was later shown by Harrow and Lo [67] and independently by Hayden and Winter
[68] that there is a lower bound on the classical communication cost of this dilution of
O(√N) bits and a lower bound on the inefficiency of this dilution (i.e. the number of
ebits lost in the dilution) of O(√N) bits also (so the process can still be asymptotically
efficient with inefficiency per ebit → 0). Specifically, it was shown in [67] that, for dilution
from M EPR pairs to N copies of a state ψ in this limit, with probability of success 2−s
using c bits of classical communication:
M ≥ NE(ψ) + αψ√N (2.2)
c+ s ≥ αψ√N (2.3)
where for |ψ〉〈ψ| having eigenvalues pi
α2ψ ≡
∑
i
pi(log2 pi + E(ψ))2 (αψ > 0). (2.4)
These results all apply solely to dilution from EPR pairs to partially entangled states
and do not address the situation of conversion between multiple copies of two different
partially entangled states, e.g. from roughly NE(ψ2)/E(ψ1) copies of an entangled state
ψ1 to N copies of an entangled state ψ2. Some results regarding dilutions of this kind
Chapter 2. Classical communication cost in entanglement dilution 28
follow immediately from the above results - it is clear from [26] that one can perform
such a dilution asymptotically efficiently, by efficient concentration from the initial state
to EPR pairs followed by efficient dilution from EPR pairs to the final state. Likewise
there is an upper limit of O(√N) bits of classical communication required for such a
dilution, since one can always concentrate to EPR pairs (at zero classical communication
cost) and then dilute via the Lo-Popescu protocol at a cost of O(√N) bits.
However it is not immediately clear what, if any, lower bound applies to the ineffi-
ciency and classical communication cost of converting between partially entangled states
- the above results do not forbid there being a cost of e.g. zero or O(log2N) bits, though
intuitively one would expect there to be a non-zero cost in, for example, diluting from a
state very close to an EPR state.
In our work:
1. We construct explicit bounds on the classical communication cost and inefficiency
for conversion between partially entangled states.
2. We give explicit examples of partially entangled states that require O(√N) bits
of classical communications between their inter-conversion and likewise for ineffi-
ciency.
3. To do so, we have also worked out the dependence of the coefficient of the O(√N)
term in the classical communication cost on the error (as measured in trace dis-
tance) in the Lo-Popescu protocol for entanglement dilution.
2.3 Our method
We consider the conversion of many copies of some pure bipartite state ψ1 to another
pure bipartite state ψ2. Since we know that conversion of such states to and from EPR
pairs can proceed asymptotically efficiently, we wish to convert roughly NE(ψ2)/E(ψ1)
Chapter 2. Classical communication cost in entanglement dilution 29
copies of ψ1 to N copies of ψ2.
We are interested in the classical communication cost of doing so and also the inef-
ficiency (which we know to be of subleading order but non-zero in general). Except in
the concluding section, we will focus on the case where ψ1 and ψ2 each have a Schmidt
number of only two. In other words, |ψ1〉 = a1|00〉 + b1|11〉 and ψ2 = a2|00〉 + b2|11〉,
where |ai|2 + |bi|2 = 1.
The method we use was proposed in [67] and its idea is to consider a two-stage
dilution. First, roughly NE(ψ2) EPR pairs are diluted to roughly NE(ψ2)/E(ψ1) copies
of a state ψ1 via the Lo-Popescu protocol, using β√N bits of classical communication for
some β. These are then converted to roughly N copies of a state ψ2 via some unknown
protocol, using m bits of classical communication. This two-stage process is one way
of implementing the dilution from EPR pairs to ψ2 and must therefore obey the lower
bound of Harrow-Lo [67] and Hayden-Winter [68]. The method is illustrated graphically
in Figure 2.1. Thus we have that
β√N +m ≥ αψ2
√N
m ≥ (αψ2 − β)√N. (2.5)
Hence we can derive a lower limit on the classical communication cost of the conversion
from ψ1 to ψ2 if we can calculate the coefficient β. This is not derived in [66] and we do
so here.
2.4 Classical communication cost in Lo-Popescu
In principle, the parameter β may depend on the target state in question, the allowable
error and/or success probability of the Lo-Popescu protocol. However the explicit de-
pendence of β on these parameters is not derived in [66]. In this section we explain the
principles of the Lo-Popescu protocol and work out this dependence in detail.
Chapter 2. Classical communication cost in entanglement dilution 30
m bits CC
|ψ2〉⊗N
Error ≤ ǫ
Error ≤ ǫ2
Error ≤ ǫ1
≥ αψ2
√N bits CC
β√N bits CC
|ψ1〉⊗NE(ψ2)
E(ψ1)
|EPR〉⊗NE(ψ2)
Figure 2.1: Classical communication (CC) costs of entanglement dilution via a two-
stage protocol, Lo-Popescu followed by some unknown protocol for dilution between
partially entangled states. The right-hand side gives the Harrow-Lo bound on classical
communication for the whole process.
The essential idea of [66] is that, qualitatively, a system consisting of NE(ψ) EPR
pairs is quite close to ψ⊗N . Hence, instead of creating ψ⊗N locally and then using EPR
pairs to teleport it, it may be possible to teleport only a quantum state which constitutes
some small difference between the two systems, leaving most of the EPR pairs untouched.
Less teleportation results in less classical communication.
We consider now what a system of, say, d EPR pairs looks like. We see that a state
|Φ〉⊗d =
(1√2(|00〉 + |11〉)
)⊗d
AB
(2.6)
has (when expanded in the computational basis) 2M orthogonal terms of equal amplitude
e.g. |00 . . . 0〉A|00 . . . 0〉B, |00 . . . 10〉A|00 . . . 10〉B etc. Note that the “Alice” parts of each
term are all orthogonal, likewise the “Bob” parts. Hence this expansion is already in
Schmidt form, and we can equivalently express the state as
|Φ〉⊗d =1√2d
2d∑
i=1
|i〉A|i〉B. (2.7)
Chapter 2. Classical communication cost in entanglement dilution 31
Hence any bipartite state with 2d Schmidt terms is equivalent up to local unitaries to
|Φ〉⊗d and parties wishing to obtain such a state from d EPR pairs need perform no
teleportation at all.
Suppose that two parties instead wish to share a state expressible as |Φ〉⊗d ⊗ ∆ for
some general state ∆, then the parties need only teleport the state ∆. This may also
be satisfactory for a desired state |Φ〉⊗d ⊗ ∆ + ǫLP , provided that the error term ǫLP is
sufficiently small.
In [66] it is shown how, by appropriate grouping of the terms of the expansion of
|ψ〉⊗N , one may express such a state as
|ψ〉⊗N = |Φ〉⊗d ⊗ |∆〉 + |ǫLP 〉 (2.8)
where those terms making up u1 ≡ Φd ⊗∆ have high degeneracy of approximately 2d in
their Schmidt coefficients and those in the error term ǫLP have low degeneracy.
The terms in the expansion are divided between u1 and ǫLP in such a way as to ensure
that those in u1 have a large common factor d = NE(ψ) − O(√N) in their degeneracy,
allowing u1 to expressed as Φd⊗∆. This is done largely by assigning most of the typical
terms of the expansion to u1.
In diluting from EPR pairs Φ, all that needs to be teleported is one half of the
residual state ∆ with dimension 2O(√N) and thus only O(
√N) bits are required compared
to the 2N bits that would be needed to teleport the entire state ψ⊗N to perform the
dilution naıvely. The exact amount of classical communication needed can be bounded
by comparing the dimension of u1 with d - we will calculate this in the following sections.
2.4.1 Error size
The size of the coefficient on√N in the classical communication cost depends on the
allowable error ǫLP . We derive this dependency for the general two-term case |ψ〉 =
a|00〉+b|11〉. Thus a term in the expansion |ψ〉⊗N has amplitude akbN−k. The degeneracy
Chapter 2. Classical communication cost in entanglement dilution 32
of coefficients in |ψ〉⊗N containing k a’s is(Nk
), the binomial coefficient defined as
(N
k
)
≡ N !
k!(N − k)!. (2.9)
We define p = |a|2, q = |b|2 = 1 − p, and, disregarding the trivial case of p = q
(corresponding to an EPR pair as the target state, requiring no dilution) assume (without
further loss of generality) that p < q.
As in [66], we define the typical set as those coefficients for which
2NE(ψ)−γ√N ≤
(N
k
)
≤ 2NE(ψ)+γ√N (2.10)
for some coefficient γ. We wish to find what range of k this corresponds to.
Using Stirling’s approximation for N !, we have following well-known lemma:
Lemma 2.1:
ln
(N
k
)
→ −N ln 2 ×H2
(k
N
)
±O(logN) (2.11)
Proof: See Appendix A.1.
We thus have that(N
k
)
= 2NH2(k/N)±O(logN) (2.12)
where H2 is the binary entropy function. Hence, defining Hk ≡ H2(k/N), the typical set
(2.10) corresponds to a range
E(ψ) − γ/√N ±O
(logN
N
)
≤ Hk ≤ E(ψ) + γ/√N ± O
(logN
N
)
. (2.13)
With our assumption p < q we have the following lemma:
Lemma 2.2: The range (2.13) corresponds to the range in k
Np− γ√N
log2(q/p)±O (logN) ≤ k ≤ Np+
γ√N
log2(q/p)± O (logN) . (2.14)
Proof: See Appendix A.2.
Chapter 2. Classical communication cost in entanglement dilution 33
Thus the typical set corresponds to these values of k, with the remaining terms forming
the atypical set. The contribution ǫLP1 of the atypical set to the total weight of the state
〈ψ⊗N |ψ⊗N〉 is
ǫLP1 =∑
katypical
(N
k
)
pkqN−k, (2.15)
a binomial distribution for which in the large N limit we can use the Gaussian approxi-
mation as given in e.g. [69]
(N
k
)
pkqN−k ∼ e−(k−Np)2
2Npq
√2πNpq
. (2.16)
where the symbol ∼ denotes that the ratio of the terms on either side tends to 1 in the
limit N → ∞. Thus we have, approximating the sum to an integral,
ǫLP1 =1√
2πNpq
∫ Np− γ√
Nlog2(q/p)
±O(logN)
−∞e−
(k−Np)2
2Npq dk
+1√
2πNpq
∫ ∞
Np+ γ√
Nlog2(q/p)
±O(logN)
e−(k−Np)2
2Npq dk + δi (2.17)
= 2 × 1√2πNpq
∫ Np− γ√
Nlog2(q/p)
±O(logN)
−∞e−
(k−Np)2
2Npq dk + δi (2.18)
= 2 ×(
1 − 1√2π
∫ γ/α±O“
log N√N
”
−∞e−x
2/2dx
)
± δi (2.19)
where α ≡ √pq log2(q/p) =
√∑
i pi[log2 pi + E(ψ)]2, the same α(ψ) defined in [67]. The
error δi in the approximation of the sum over binomial terms to a Gaussian integral is
given by the Berry-Esseen bound [69] as O(
1√N
)
.
We are not aware of any analytical expression for (2.19), but it may be bounded [69]
as
√
2
π
(1
(γ/α)− 1
(γ/α)3
)
e−12(
γα)
2
± O
(logN√N
)
≤ ǫLP1
≤√
2
π
(1
(γ/α)
)
e−12(
γα)
2
±O
(logN√N
)
. (2.20)
However, the error term ǫLP in (2.8) does not consist only of atypical terms. This is
because, as described in [66], while every term in the typical set has a large degeneracy
Chapter 2. Classical communication cost in entanglement dilution 34
2NE(ψ)−O(√N) there is not necessarily a large common factor to these degeneracies. To
ensure such a factor, the typical-set is “coarse-grained”, with terms with each k grouped
in nk “bins” of size 2NE(ψ)−ω√N where ω > γ, such that, for every k in the typical set,
nk2NE(ψ)−ω
√N ≤
(N
k
)
≤ (nk + 1)2NE(ψ)−ω√N . (2.21)
For each k, only nk2NE(ψ)−ω
√N of the terms are kept in u1 and the remainder are assigned
to the error term. This ensures a large common degeneracy for the terms in u1 of
2NE(ψ)−ω√N .
Theorem 2.1 The contribution ǫLP 2 to 〈ǫLP |ǫLP 〉, due to those typical terms which are
grouped in the error term in Lo-Popescu’s protocol, falls off exponentially with N . Hence
〈ǫLP |ǫLP 〉 = ǫLP1 ±O(c−N) for some positive constant c > 1.
Proof: As noted in [66], the terms with typical k assigned to the error term have
a degeneracy(Nk
)− nk2
NE(ψ)−ω√N ≤ 2NE(ψ)−ω
√N , and thus their contribution ǫLP2 to
〈ǫLP |ǫLP 〉 satisfies
ǫLP2 ≤ 2NE(ψ)−ω√N∑
ktypical
pkqN−k (2.22)
Given the assumption p < q, the function pkqN−k = qN (p/q)k decreases monotonically
with k, hence we have
∑
ktypical
pkqN−k ≤∫ ⌈Np γ
√N
log2(q/p)⌉
⌊Np γ√
Nlog2(q/p)
⌋pkqN−kdk. (2.23)
Hence
ǫLP2 ≤ 2NE(ψ)−ω√NqN
∫ Np+ γ√
Nlog2(q/p)
+1
Np− γ√
Nlog2(q/p)
−1
(p/q)kdk (2.24)
=2−ω
√N
ln(q/p)
[
2γ√N±O(c−N ) − 2−γ
√N±O(c−N )
]
(2.25)
∼ 2−(ω−γ)√N
ln(q/p). (2.26)
Thus we can choose ω = γ + δ for positive δ → 0, so that the above term is ex-
ponentially small. Hence 〈ǫLP |ǫLP 〉 ∼ ǫLP1 and hence we have a common degeneracy
Chapter 2. Classical communication cost in entanglement dilution 35
of 2NE(ψ)−γ√N±O(logN) to the terms in u1, thus u1 can be expressed as Φd ⊗ ∆ where
d = NE(ψ) − γ√N ±O(logN).
Theorem 2.2: The error term ǫLP1 in Lo-Popescu’s protocol is bounded by Eq. (2.20)
whose upper bound may be inverted to give
γ
α≤√
W
(2
πǫ2LP1
)
± O
(logN√N
)
(2.27)
where W () is the Lambert W function [70], defined such that
W (x)eW (x) = x. (2.28)
Proof: It is clear from Eq.(2.19) that for a given ǫLP1 , the largest value of γ/α corresponds
to the inverse of the upper bound. The form of the inverse follows from the definition of
W (x).
2.4.2 Classical communication cost
Sch(u1), the Schmidt number of u1, is simply∑
ktypical
(Nk
). We are not aware of any ana-
lytical expression for this sum, but it may be trivially bounded (as noted more generally
in [71]) by the definition of the typical set in (2.10) and the associated range in k (2.14)
2NE(ψ)+γ√N ≤
∑
ktypical
(N
k
)
≤(
2γ√N
log2(q/p)± O (logN)
)
· 2NE(ψ)+γ√N . (2.29)
Thus we find
Sch(u1) = 2NE(ψ)+γ√N±O(logN). (2.30)
Since u1 = Φd ⊗ ∆ we have that
Sch(∆) = 2NE(ψ)+γ√N−d±O(logN)
= 22γ√N±O(logN). (2.31)
It was shown in [72] that production of a known entangled state via quantum telepor-
tation can be performed with half the classical communication cost of naıve teleportation
Chapter 2. Classical communication cost in entanglement dilution 36
of the state. Hence:
Lemma 2.3: The asymptotic classical communication cost of diluting from EPR pairs to
N copies of a state ψ via Lo-Popescu is 12×2×2γ
√N±O(logN) = 2γ
√N±O(logN) bits.
Proof : As above.
2.5 Relation between protocol errors
As shown above the classical communication cost of the Lo-Popescu protocol is a function
of the allowable error in that protocol ǫLP . We will now relate the error in our-two-stage
protocol to ǫLP .
We first define the trace distance D between states with density matrices σ and ρ as
D(σ, ρ) ≡ Tr|σ − ρ|. (2.32)
In our two-stage protocol, we start with roughly NE(ψ2) EPR pairs with an overall
density matrix σ. We then dilute using Lo-Popescu to a state Λ′ which is close to the
desired state of NE(ψ2)/E(ψ1) copies of ψ1, with density matrix Λ. Finally we dilute Λ′
via some unknown protocol to ρ′′, close to the desired state ρ of N copies of a state ψ2.
ρ′′ differs from ρ due to the errors introduced at both dilution stages - we in addition
define ρ′ as the state which one would acquire from the unknown protocol if Λ was used
as the input state.
We define the upper bounds of the errors in the protocols as follows:
D(Λ,Λ′) ≤ ǫ1 (error in Lo-Popescu) (2.33)
D(ρ′, ρ) ≤ ǫ2 (error in unknown protocol) (2.34)
D(ρ′′, ρ) ≤ ǫ (overall error in two-stage protocol). (2.35)
The above is illustrated in Figure 2.2.
Chapter 2. Classical communication cost in entanglement dilution 37
(3.125) gives a lower bound for R2 for this state of H2(1/4) ≈ 0.81 (where H2 is the
binary Shannon entropy). However, we know from section 3.6.3 that if we perform the W
protocol on this state we will end up with a randomly-shared 3-party W3 state. Suppose
the 4 parties do this and end up with a three-party W shared between A1, A2, B1. They
could perform a further round of random distillation, leaving them with a randomly-
shared EPR pair. However, this would only have a probability of 1/3 of being between
the desired pair of A1B1, a worse yield than the time-sharing approach.
Instead, if the parties use state-merging to obtain EPR pairs shared between A1 and
B1 from the W3 state, they can achieve an asymptotic rate of H2(1/3) ≈ 0.92. Any three
Chapter 3. Random distillation 99
(1)
+
(2)
+ + +
+ ++
A2
B2
A1 A2
B2B1
A1
B1
A1
B1
A1 A2
B2
0.81M1 0.81M2
B1B1
A1 A2
B2
A1 A2
B1
A2
B2B1
A1
B2B1
A2
0.92M3
B2
0.92M2 0.92M4
A1
A2
0.92M1
B2
∑2
i=1Mi = N
∑4
i=1Mi = N
|W4〉⊗N
|W4〉⊗N
|W3〉⊗M1 |W3〉⊗M2 |W3〉⊗M3 |W3〉⊗M4
Figure 3.5: Converting many copies of a state W4 in the intermediate distillation regime:
A naive “time-shifting” protocol (1), separately creating EPR pairs between A1B1 and
A2B2, produces an asymptotic rate R2 ≈ 0.81. Using an intermediate random distillation
to three-party W states (2) gives an improved asymptotic rate R2 ≈ 0.92.
of the parties will contain either A1, B1 or A2, B2 so any of the possible W3 states can
be distilled to obtain EPR pairs at this rate between a desired pair of parties. Hence
we have R2(W4) ≥ H2(1/3) ≈ 0.92, beating the time-sharing lower bound, as illustrated
in Figure 3.5. Thus a mixture of random distillation and distillation to specified parties
improves upon either approach used alone.
However, the upper bound from (3.124) for W4 is H2(1/2) = 1, so this protocol does
not saturate that bound. Moreover, as with the condition Et > Esp, discussed earlier,
there exist states for which one can find trivial improvements on the lower bound e.g.
where the initial state is |Φ〉A1B1⊗|Φ〉A2B2 . Hence more careful definitions may be needed
to identify interesting effects.
Chapter 3. Random distillation 100
3.9 Discussion
There are many ways in which the work on random distillation can be extended in other
contexts to those we have considered above. We discuss several examples below.
3.9.1 Full description of bipartite distillation
The majority of the above work discusses bipartite entanglement obtained from multi-
partite states in terms of quantities Et, Ernd etc. As discussed in the introduction, the
known properties of bipartite entanglement make such descriptions of multipartite states
worthwhile in the resource model. However, even when we are only interested in EPR
pairs as output states, such descriptions are inherently limited in that they map to a sin-
gle number output states in which bipartite entanglement is potentially shared between
many different pairs of parties.
A full description in a resource model of what conversions can be achieved to states
shared between fewer parties would require multiple numbers for a given state. To
give an explicit example, our work shows that a W state can be converted to an EPR
shared between parties AB, BC or AC each with probability 1/3, and hence could for
example be represented as a “vector” 1/3, 1/3, 1/3. A full description of W →EPR
conversions would have to describe the full range of such vectors, rather than simply a
sum or maximisation over pairs of parties as we have been doing so far. In general the
achievable conversions of an M-party state would require a vector with M(M − 1)/2
entries. A narrower question would be to enquire what range of vectors corresponds to
the “optimal” (maximum Et or Ernd) distillation for a given state.
3.9.2 More general multipartite states
Our work has largely concentrated on distillation of bipartite entanglement. As noted
in sections 3.4.3 and 3.6.3, random distillation can also be used to obtain multipartite
Chapter 3. Random distillation 101
states both via intermediate EPR pairs and directly. In the former case, the full bipartite
description combined with existing results on quantum compression and teleportation
would likely be sufficient to classify the achievable conversions via this method.
Direct conversions (multipartite-multipartite states) are more complicated. As shown
in 3.6.3, advantageous random distillation (in the general sense of achievable final states
that cannot be achieved for predetermined parties) can occur in conversions from M-
partite to (N < M)-partite states, and intuition would suggest that this is much more
efficient in general than conversion via EPR pairs 1 Yet another possibility is multipartite-
multipartite conversion via multipartite intermediates, or combinations of these with
EPR pairs. However, the lack of operational measures for multipartite states makes it
difficult to describe these properties in a general way that goes beyond narrow classes.
3.9.3 Generalisation of allowed parties
As discussed in section 3.8, one can also consider the creation of entanglement between
multiple subsets of the parties. While numerous scenarios can be envisaged, with regard
to our discussions in that section, we would in in general like to find an exact formula for
R2. A simpler open question is whether the upper bound (3.124) is ever not saturated
(clearly it is sometimes saturated e.g. trivially where the 4 parties start with EPR pairs
between the desired pairs, or less trivially for the 4-party GHZ state).
3.9.4 Mixed states
In both the bipartite and multipartite cases (with the exception of section 3.7) we have
largely concentrated on pure states. Clearly a full description of state conversion through
LOCC to states held by subsets of the parties would also include mixed states, both as
1For example, creating an M -qubit entangled state via teleportation would require a minimum ofM − 1 EPR pairs, while a LOCC-conversion of an M + 1-qubit state could at most create (M + 1)/2EPR pairs, but as the symmetric Dicke state example shows, direct conversion of M +1-qubit to M -qubitstates can be achieved via random distillation.
Chapter 3. Random distillation 102
the initial and final states. We note that our monotones Esp Et and Ernd are applicable
to mixed states if a suitable mixed-state entanglement measure E is used.
3.9.5 Relation to existing entanglement measures
While many of our defined quantities (Et, Ernd) are LOCC-monotones by definition, we
have not extensively explored the connection between these and existing monotones, and
though we have demonstrated the existence of advantageous random distillation in im-
portant classes of states, this has largely been through explicit examples. A desirable
goal would be to be able to determine a state’s properties with respect to existing mono-
tones which can be explicitly calculated or at least bounded. In the general case this is
of course challenging since relatively few such measures exist in the multiparty case.
The connection to existing monotones is also of interest since advantageous random
distillation (in the broad sense of obtaining final states not obtainable between pre-
determined parties) of an M-party to (M − 1)-party state requires genuine M-party
entanglement i.e. the original state cannot be expressed as a product state with respect
to any of the parties. By contrast, many monotones have positive values for any M
party state that cannot be expressed as an M-party product state (One exception is the
3-tangle [53], which is only non-zero in the case of genuine three-party entanglement).
Hence finding measures related to a state’s random distillation properties is related to
the more general problem of identifying genuine M-party entanglement.
3.9.6 Classical information
Fully classical analogues
As discussed in sections 3.4.2 and 3.6.3, our quantum protocols for distilling entanglement
have some fully-classical analogues for deriving classical correlations among subsets of
parties sharing some classical joint probability distribution. Just as in the quantum case,
Chapter 3. Random distillation 103
the general problem of obtaining correlations among subsets of the parties is unsolved.
As well as the discussed example of distilling secret key between pairs of parties, one
could also consider the distillation of multiple-party classical correlations appropriate for
secret sharing - that is, a distribution which allows some subset of the parties to recover
a classical “secret” only if they all cooperate.
For example, if M parties each holding a binary variable hold a joint distribution
such that the binary sum of all their variables is always a fixed quantity, then the value
of all the parties’ variables can be obtained by any M − 1 parties. E.g. three parties
holding an equal mixture of the three bits 001, 010, 100, 110, 101, 011, whose binary
sum is 1. Any two cooperating parties can therefore determine the bit of the third. We
discuss such protocols further in the next chapter.
Classical key distillation from quantum states
In the quantum case, we have considered the distillation of entangled states, particularly
bipartite EPR pairs, which are sufficient for shared secret classical bits. However, as
discussed in the introduction, EPR pairs are not necessary for secret key distillation.
Thus one could consider separately the problem of obtaining secret classical key bits (or
equivalently private states [54]) from multiparty quantum states, via random distillation.
All the generalisations discussed above for the quantum case could be considered. In
addition, in the adversarial model for QKD one could also consider obtaining secret key
where certain of the parties are collaborating with the eavesdropper. The classical prob-
lem of generating common randomness (not necessarily secret) between two parties with
the help of a third, somewhat analogous to entanglement of assistance, was considered
by Csisar and and Narayan [109] who obtained various rate expressions as functions of
the parties’ shared information source.
Chapter 3. Random distillation 104
3.9.7 Experimental Implementation
Our simple simulation of section 3.7.2 indicates that advantageous random distillation is
demonstrable experimentally. Clearly it would be desirable to confirm this by performing
an actual implementation. The simulation, however, could also be much improved - at
present we roughly simulate measurement errors and restrict our number of allowable
rounds to be small compared to the state lifetime. A better approach would be to fully
simulate the effects of spontaneous emission and thermal noise on the state over the time
required to perform the protocol.
3.10 Conclusion
We have demonstrated (with explicit protocols) a new means (“random distillation”) of
converting multiparty entangled states to those shared between fewer parties, and shown
that one can obtain qualitatively different results than those of prior methods. We have
defined measures for describing the outcome of random distillation and circumstances
under which it can be regarded as “advantageous”. We have found some general ran-
dom distillation properties of classes of states including the GHZ and W 3-qubit classes
and the class of symmetric Dicke states, including finding examples of states where ran-
dom distillation can produce target states which have arbitrarily small probability of
being produced between specified parties. We have derived upper bounds to what can
be achieved in random distillation, and shown that advantageous random distillation
does not occur in the many-copy limit. Finally, we have discussed a promising poten-
tial experimental demonstration of random distillation, with numerical evidence that
demonstrating advantageous random distillation should be feasible.
Chapter 4
Experimental GHZ-based QKD
4.1 Introduction
4.1.1 Multi-party protocols
As discussed in the introduction, an important application of quantum information,
strongly related to entanglement, is two-party quantum key distribution (QKD). As with
many applications in QIT, one can define multipartite analogues to the bipartite case for
QKD and related applications. Examples include
• Conference key agreement: N parties, connected by some quantum channels
and/or sharing certain quantum states, wish to share a single secret key, unknown
to any eavesdropper.
• Quantum sharing of classical secrets (QSCS): N parties have a shared quan-
tum state from which some minimum number of parties M ≤ N can, if they
collaborate, obtain a classical bit string. However, fewer than N parties (or any
eavesdropper) cannot obtain any information about the string.
• Quantum secret sharing (QSS): As above, but the quantity to be reconstructed
is a quantum state rather than a classical string (it follows immediately from the
105
Chapter 4. Experimental GHZ-based QKD 106
no-cloning theorem that we require M > N2).
(In addition to the above, there also exist fully classical (classical sharing of classical
secrets) secret sharing schemes.)
• Third-party quantum cryptography (TQC): This is a form of controlled QKD,
in that the successful performance of two-party QKD depends on the cooperation
of a third party who does not, however, share the final key.
A useful state for many of the above protocols is the three-party GHZ state
|GHZ〉 =1√2(|000〉 + |111〉)ABC. (4.1)
For the purposes of conference key agreement, the GHZ state seems a natural extension
of the EPR pair, in that three parties sharing such a state can straightforwardly obtain
a secret shared random bit via Z-basis (computational basis) measurements - we will
discuss this process further in following sections.
The GHZ state is also a +1 eigenvalue of the following observables:
XXX,ZZI, ZIZ, IZZ,−Y Y X,−Y XY,−XY Y, (4.2)
where X, Y and Z are the Pauli operators and e.g. XXX = XA ⊗XB ⊗XC represents
X measurements by Alice, Bob and Charlie.
GHZ-based schemes for sharing random classical secrets were proposed in [110] and
later in [111], based on the above property. In these schemes all 3 parties make either
X or Y measurements, and publically announce their measurement bases, discarding the
results except where the three chosen bases correspond to one of the observables above.
The secret in question consists of the parties’ three individual measurement results, each
±1, which, given that their product is known, correspond to 23/2 = 4 possibilities, or 2
bits of information initially unknown to an external eavesdropper. Each individual party
knows only their own result and consequently the product of the other parties’ results
but not the other parties’ individual results, representing 1 bit of information. However,
Chapter 4. Experimental GHZ-based QKD 107
if two parties share their measurement results they have sufficient information to know
that of the third party.
It was also shown in [110] that a GHZ state could be used in a form of quantum
secret sharing. In this scheme Alice shares a GHZ state with Bob and Charlie and in
addition possesses a quantum secret in the form of a qubit in some arbitrary pure state.
She entangles her secret and GHZ qubits by making a Bell state measurement upon
them both, initially not revealing the outcome to Bob or Charlie. One of Bob or Charlie
(chosen at random by Alice, we shall suppose it is Bob) then makes an X measurement
upon their GHZ qubit, with Alice informing Charlie of her Bell measurement outcome. It
is shown in [110] that Charlie can then reconstruct Alice’s qubit if and only if Bob informs
him of his X measurement outcome. This is very similar to quantum teleportation [18]
but, as shown in [110] can be made secure against cheating and eavesdropping.
The applicability of the GHZ state to third-party quantum cryptography was noted
in [39]. Suppose for example that Alice, Bob and Charlie share some noisy GHZ states
(which may be partially entangled with an eavesdropper) and Alice makes an X mea-
surement upon her qubits. If Alice does not reveal her measurement result, Bob and
Charlie are left with the fully mixed state
ρmix = (|0〉〈0|+ |1〉〈1|)/2 (4.3)
which is a product state from which no secure key can be extracted. However if Alice
makes her result public then Bob and Charlie will know which of the two Bell states
1√2(|00〉± |11〉) they share noisy versions of, from which they can, in general, distill some
pure Bell states and consequently some secret key.
Some experimental implementation of multipartite quantum information protocols
has been done previously - GHZ-based QSCS and TQC has been demonstrated by by
Chen et al [112] using a four-photon source as a triggered GHZ source and was previously
demonstrated using “pseudo-GHZ” states (using an approach similar to the “prepare and
measure” scheme we adopt here) in [113]. A four-party QSCS was demonstrated in [114].
Chapter 4. Experimental GHZ-based QKD 108
In this chapter, we will discuss the experimental implementation of a multipartite
quantum information protocol, specifically a three-party conference key agreement pro-
tocol based on GHZ states. This is based on a prepare-and-measure protocol originally
proposed in by Chen and Lo [39], which can be implemented using only bipartite entangle-
ment. Our goal is to consider the achievable secure key rate for a particular experimental
realisation of this protocol (implemented by Rob Adamson in the Steinberg group at the
University of Toronto), in which the key is encoded in polarisation states of entangled
photons produced in parametric down-conversion. As we will see, just as occurs in bi-
partite QKD protocols, successful implementation of this protocol (i.e. generating secure
key) is considerably more complex than in the idealised theoretical case.
We take into account the ways in which our setup differs from the idealised case
to determine an achievable experimental key rate. By adapting several existing results
related to both bipartite and multipartite QKD, we find that a positive key rate should
be achievable with our chosen implementation.
In section 4.1.2 we discuss the theoretical basis for a GHZ-based QKD and the
previously-derived key rate in [39]. In section 4.2 we describe our experimental setup
and explain the important ways in which it differs from the idealised case. In sections
4.3 and 4.4 we discuss how previous results in two-party QKD may be adapted to our
experimental implementation to take account of these imperfections. In section 4.7 we
explicitly apply these techniques to our implementation to derive an expression for a
secure key rate. In section 4.8 we describe the estimation of parameters such as channel
transmissivity and error rates for the experimental implementation, and based on such
estimates we derive optimal settings and an expected key rate for the implementation.
This is joint work with Rob Adamson.
Chapter 4. Experimental GHZ-based QKD 109
4.1.2 GHZ-based QKD
As discussed in the introduction, entangled states provide a natural means of generating
secure key between separated parties. Parties sharing a pure EPR pair need only make
computational basis measurements to obtain one bit of secure key. In the tripartite case,
three parties may likewise generate secure key from the GHZ state through computational
basis (Z) measurements. Hence one could consider a QKD involving three parties (Alice,
Bob and Charlie) based on distribution of GHZ states - Alice locally creates GHZ states
then distributes Bob and Charlie’s qubits to them over an open channel, the three parties
distilling pure states from the noisy GHZ states which result, then measuring the final
states in the Z basis. Such a protocol was considered by Chen and Lo in [39], who showed
that it could be performed and reduced to a prepare-and-measure scheme. Thus only
bipartite entangled states are required. We summarise here some of the features of this
protocol.
The protocol is based on noting that the GHZ is an eigenstate of the observables
(4.2). These observables all factorise with respect to the parties. Thus if the three
parties possess an ensemble of many noisy GHZ states, they can estimate the error rates
(i.e. the probability of getting -1 measurement results) by making local measurements
and classically communicating their results for the observables.
Considering the form of the GHZ state, one sees that there are four possible types of
bit and phase error. Each of the three parties’ qubits can have a bit error and there can be
an overall phase error between the two terms in the computational basis. Combinations
of these errors define 24 = 16 states, half of which are redundant, since up to an overall
phase a bit error on N of the three parties is equivalent to a bit error on 3 −N parties.
Thus we have 23 = 8 different error states, which define a three-qubit basis. It is shown in
[39] that the parties can, through random local unitaries, diagonalise any tripartite mixed
state in this basis. Thus we need only consider the probability of the above errors. These
probabilities are simple functions of the error rates (4.2), hence the parties can determine
Chapter 4. Experimental GHZ-based QKD 110
the error probabilities through local measurements and classical communication.
Correcting the bit and phase errors will leave the parties with pure GHZ states. In
[39] it is shown how this may be achieved in principle using a modification of a multi-
party random hashing protocol originally due to Maneva and Smolin [38]. Defining the
phase error rate b0, and bit error rates b1 and b2 for, respectively, the operators XXX,
ZIZ and ZZI, the random hashing protocol can purify GHZ states at a rate at least
1−H2(b0)−H2(b1)−H2(b2), with the error terms representing the amount of hashing that
must occur and hence the number of “raw” states that must be sacrificed to determine
the location of the bit and phase errors and hence correct them.
Chen-Lo GHZ distillation rate (ideal case)
In [39] an improved rate is derived, based on the possibility of correlations between
the various errors. Any such correlations will mean that the information obtained in
correcting one set of errors will be of use in correcting other. This leads to a rate per
received pair (in the case where all 3 parties are using the Z basis):
Having established the error pattern of b1 through H2(b1) rounds of hashing, only the
additional hashing H2(b2|b1) is required to obtain the pattern of b2. However a single
round of hashing to obtain bit-error information gives information on both b1 and b2.
Thus only the maximum of these is required. Correcting phase errors similarly requires
H2(b0) rounds of hashing, but knowing the error pattern of b1 and b2 provides I(b0; b1, b2)
bits of information on this already. The required hashing is consequently reduced.
As shown in [39], this protocol (distribution of GHZ states, followed by error correc-
tion through random hashing using quantum circuits) can be reduced to a prepare-and-
Chapter 4. Experimental GHZ-based QKD 111
Alice’s basis Result Transmitted state
X ±1 1√2(|00〉 ± |11〉)BC
Y ±1 1√2(|00〉 ± i|11〉)BC
Z +1 |00〉BCZ −1 |11〉BC
Table 4.1: Summary of Alice’s transmissions in the ideal Chen-Lo protocol
measure QKD protocol. In this case Alice measures her qubit before distributing the
remaining two to Bob and Charlie. Her measurement can be in the X, Y or Z bases,
resulting in Alice transmitting states as given in Table 4.1.
On receiving their qubits, Bob and Charlie make X, Y or Z measurements on them.
Thus a single round of transmission and measurement involves an effective measurement
of X, Y or Z by each of the three parties. In the QKD protocol, ZZZ measurements give
the three parties their bit values, remaining measurement combinations either correspond
to the elements (4.2) and hence give error rates, or are discarded.
Correction of bit errors can be done classically using forward error correction (i.e.
using some classical error-correcting code, Alice broadcasts encrypted error-correction
bits to Bob and Charlie, who then correct the relevant blocks). As with BB84 and its
security proof, phase errors have no effect on the Z values measured in the final key. Thus
it is not necessary to actually correct these errors - to establish security, it is enough just
to show that they could have been corrected in principle. This can be achieved by privacy
amplification via e.g. classical random hashing.
4.2 Experimental implementation
The above prepare-and-measure protocol is concerned with an idealised case of sending
precisely the states listed in Table 4.1 over some noisy channel and detecting them with
Chapter 4. Experimental GHZ-based QKD 112
perfect efficiency.
In our work, we wish to adapt the protocol of [39] so as to obtain a secure key dis-
tribution within our experimental setup. As described above, the prepare-and-measure
GHZ QKD consists of Alice distributing two-qubit states to Bob and Charlie, some of
which are entangled. In the experiment, the quantum systems used are the polarisa-
tions of photons in free space, with horizontal polarisation corresponding to bit-0 and
vertical to bit-1. Alice generates these pairs using parametric down-conversion (PDC) of
photons from a continuous-wave (CW) pump laser, with the parties selecting their po-
larisation bases (for transmission or measurement) using liquid crystal (LC) waveplates.
The experimental setup is shown in Figure 4.1.
As shown in the figure, coincidence electronics connecting Bob and Charlie’s detectors
(silicon avalanche photodetectors (APDs)) record the timing of photons detected. A
successful detection consists of detecting a photon “pair” which in practice means photons
arriving at both Bob and Charlie’s detectors within the same time window. Ideally
this window is as short as possible (∼10ns in our implementation). The public timing
information presents no additional security concerns since in principle Eve could obtain
it directly and non-destructively from the photons.
We note that we assume in our analysis that all the photodetectors are identical in
performance. If this is not the case than this may be exploitable by Eve - attacks based
on this “detection efficiency mismatch” have been proposed in [115] and experimentally
implemented in [116], with an additional attack proposed and implemented in [117].
4.2.1 General form of the QKD protocol
In section 4.2.2 we will discuss our modifications to the Chen-Lo analysis given the
differences in our experimental situation from the ideal case. However our QKD protocol
is still in the following general form:
1. Alice transmits photon pairs to Bob and Charlie who measure their polarisation.
Chapter 4. Experimental GHZ-based QKD 113
2x2.5mmBBO, Type I
Phasematching
PolarisingBeamsplitter
LC waveplate
LC waveplate
LC waveplate
10 nm spectral filter
LC waveplate
Spatial filter
LC waveplate
405nm CW Pump
Charlie
BobAlice
Coi
ncid
ence
Ele
ctro
nics
Figure 4.1: GHZ QKD experimental setup (based on a diagram by Rob Adamson)
The three parties use the polarisation settings as described in section 4.1.2, or a
subset thereof.
2. The three parties determine error rates in the observables given in (4.2).
3. From the cases of ZZZ measurement settings, the parties obtain classical “raw”
key bits.
4. The parties correct errors in the raw key bits using classical error correction, re-
sulting in an identical shared key of corrected bits.
5. The parties perform classical privacy amplification on the corrected key bits to
obtain a final secure key.
Chapter 4. Experimental GHZ-based QKD 114
4.2.2 Non-ideal properties of Alice’s output in the experimental
situation
Ideally, a given transmission by Alice (that is, those photons she sends into the channel
in between changes of her basis and bit settings) consists of exactly one photon pair,
randomly chosen from the states in Table 4.1. In practice this is not the case. The
output from Alice’s down-conversion crystal consists of multiple spatial, frequency and
polarisation modes. As shown in Figure 4.1, we obtain the desired modes in the appropri-
ate polarisation states by spatial and wavelength filtering within Alice’s lab, along with
additional use of waveplates to adjust polarisation. This process is imperfect, in that
the photon pairs leaving Alice’s lab are, in general, not precisely in the states of Table
4.1. In the case of a single photon pair, such imperfection is taken into account by the
measured error rates in Bob and Charlie’s received states, and has no further security
implications.
Multiple pairs
The analysis of [39] is sufficient in the case where Alice transmits either a single photon
pair or vacuum (since the latter is equivalent to Eve simply blocking a single photon
pair, as she is always free to do). However, in our case there is a non-zero probability for
the down-conversion crystal to output two or more photon pairs, each of which may pass
the spatial and wavelength filters, resulting in multiple pairs in the channel. Clearly this
presents a security problem - in our implementation Alice has no way of knowing if this
has occurred, and, if it does, Eve has a “spare” copy of the transmitted state which she
can measure, allowing an unaltered copy to proceed to Bob and Charlie and thus not
affecting the parties’ error rates. Such transmissions are completely insecure.
Chapter 4. Experimental GHZ-based QKD 115
Unpaired photons
A second, more subtle problem arises from our means of generating photon pairs using
filtered down-conversion. While a small number of photon pairs produced in PDC leave
Alice’s lab and are sent into the channel, the majority are filtered out by the spatial and
wavelength filters within Alice’s lab. However, since these filters operate independently on
those photons intended for Bob and and for Charlie, another possibility is that only one of
the two photons in the pair enters the channel, with the other staying in Alice’s lab. This
turns out to be considerably more likely than both photons entering the channel, with
the result that every pair Alice transmits is, on average, accompanied by many unpaired
photons arising from the same polarisation settings. Can Eve gain useful information
from these unpaired photons? We see immediately that the answer is yes. Referring to
Table 4.1, if Alice is transmitting pairs in the X or Y bases, unpaired photons will be
in the fully mixed state whereas in the Z basis unpaired photons will either all be in
state |0〉 or in state |1〉 depending on the transmitted state. Therefore, not only do the
unpaired photons give Eve information about Alice’s basis, but in the case of the Z basis
(in which all the key bits are transmitted), they tell Eve what the bit value is. Clearly
this presents a security problem.
4.2.3 Summary of solutions to security problems
Multiple pairs - reduced intensity
We deal with the problem of multiple pairs simply by using a low intensity of pump
laser for the PDC, resulting in a low mean number of pairs leaving Alice’s lab and a
correspondingly low probability of multiple pairs.
Chapter 4. Experimental GHZ-based QKD 116
Unpaired photons - added noise
To reduce Eve’s information from the unpaired photons, we add additional unpaired
photons to the channel, such that the distribution of unpaired photons in the channel is
close to being the same state irrespective of the state of the photon pairs. This can be
achieved in one of two ways - either through adding large numbers of photons in state
ρmix at all times (drowning out the information with uncorrelated “white noise”), or, in
a more sophisticated approach, adding photons in state |1〉 when all the PDC-derived
photons are in state |0〉 and vice versa. While this “anticorrelated noise” should allow
for a higher key rate, it requires more waveplates than we have available, thus in our
implementation of the QKD we add uncorrelated noise. This is achieved by Alice
using separate horizontally and vertically polarised LED sources of equal intensity. Since
these undergo the same spatial and wavelength filtering as the PDC photons (and both
sources are effectively phase-randomised, since down-conversions occur at a rate much
lower than the coherence time of the pump source), they should be indistinguishable from
the PDC photons.
In the following sections we integrate these security problems and solutions into the
derivation of the secure key rate for our experiment.
4.3 Multiple pairs and the PNS attack
The issue of Alice inadvertently sending multiple photons pairs into the channel has
a straightforward analogue in Alice sending multiple photons into the channel when
performing a two-party QKD with Bob only. This is a well-known issue in the two-party
case, since implementing a true single-photon source is very challenging and arguably the
most common photon source is a laser emitting a Poissonian mixture of Fock states. A
security analysis of this general situation was done in the 2-way case by Gottesman, Lo,
Lutkenhaus and Preskill (GLLP) [118], and is readily employed here, as discussed below.
Chapter 4. Experimental GHZ-based QKD 117
In a worst-case scenario, we can assume that every time more than one pair is trans-
mitted the transmitted state is completely insecure and known to Eve. Naıvely, one
might then think that one can simply upper bound the secure key rate by deducting the
fraction of insecure (multiple-pair) states transmitted, and using privacy amplification
to achieve the necessary rate. However, what matters is what fraction of received states
are insecure, and this can be manipulated by Eve. In particular, Eve can, in principle,
without causing any polarisation errors, make a photon number count to see if a state is
secure or not, then block secure states and increase the chance of transmission of insecure
states such that the insecure fraction is very high. This is known as the photon number
splitting (PNS) attack.
Methods such as the use of decoy states [119, 120, 121, 122] exist to counteract PNS
attacks, but our experiment will not employ them1, hence we simply wish to find an
upper bound to the potential insecurity caused by the multiple-pair states. Following
the analysis of [118] (and simply considering single pairs rather than single photons), we
note that we wish to find the minimum number of pairs received by Bob that are secure,
as follows:
Suppose Alice transmits NA sets of pairs, NAi of which are insecure (i.e. they contain
more than one pair), and Bob and Charlie receive NBC pairs (if only one of Bob and
Charlie receives a photon from a pair, the pair does not count as received). In the
worst-case scenario, every insecure pair gets transmitted. Thus a minimum NBC−NAi of
received pairs are from transmissions containing zero or one pairs. We will describe such
transmissions as “potentially secure” (PS)- that is, they are, at least, not insecure
due to multiple pairs, though not necessarily secure either.
1Implementation of decoy-state protocols requires the photon number distribution of transmissionsto vary between transmissions, which in our case would mean imposing very rapidly-varying attenuationof the pump laser for our PDC, for which we are not equipped.
Chapter 4. Experimental GHZ-based QKD 118
Considering the insecure fraction of transmitted pairs
Θ =NAi
NA(4.6)
and the transmissivity of the channel
Q =NBC
NA(4.7)
that means a fraction
Ω =NBC −NAi
NBC= 1 − Θ
Q(4.8)
of the received pairs are from PS transmissions.
4.3.1 Multiple pairs and key rate
Thus the raw key obtained by the parties in step 3 of section 4.2.1 will, in general, contain
some bits derived from insecure transmissions, and can be considered as a combination of
insecure and PS bits. However, in our case, the parties do not know which transmissions
these are. This means, for example, that they have to correct bit errors on all the key bits,
and thus must still sacrifice the usual fraction of the raw bits to do so. (In other words,
they must make the pessimistic assumption that all bit errors occur on the PS bits).
We note here that the loss LFEC in the key rate due to bit error correction follows from
a classical argument unrelated to the remainder of the security proof - it is simply the
classical bits sufficient for Alice to correct the bit errors via classical FEC. We can assume
that Alice transmits these bits using a one-time pad, thus they are unavailable to Eve.
However, considered in the context of a prepare-and-measure protocol, the expression
maxH2(b1), H2(b2|b1) in the GHZ distillation rate of [39] (4.4) implicitly assumes that
all the information (i.e. which bits they fall on) on Bob’s bit errors (with rate b1) is
made public and hence can be used by Charlie, and while intuition suggests it to be the
case, we have not proven that this raises no security issues in the prepare-and-measure
protocol.
Chapter 4. Experimental GHZ-based QKD 119
Hence we use the (in general) slightly larger loss maxH2(b1), H2(b2) - if Alice uses
this proportion of check bits in her FEC, this will be sufficient to correct both Bob and
Charlie’s bit errors, without the location of anyone’s errors being publically revealed
(except in the negligible fraction of raw bits made public to establish error rates).
Hence we use the expression
LFEC = maxH2(b1), H2(b2). (4.9)
As noted in GLLP, however, privacy amplification by random hashing on a mixture
of insecure and secure bits is equivalent to applying an XOR operation between secure
and insecure key strings, resulting in a secure final key of the same length as the secure
key string. We do not need to know which are the insecure bits to obtain a secure final
key through privacy amplification (indeed, we would not need privacy amplification if we
did, we could simply discard all insecure bits).
This has an intuitive parallel in the entanglement distillation picture: as also noted
in [118], in principle the parties could know which the insecure states are, by performing
the same non-destructive photon-number measurement we allow Eve to perform. For
phase error correction (privacy amplification in the prepare-and-measure protocol), we
do not need to perform such error correction, we only need to perform sufficient privacy
amplification to give us the key size we would have if we were correcting these errors.
Hence we can assume that when doing phase error correction we do know which the
insecure bits are.
However, in our case, the raw corrected key is merely a mixture of insecure and
potentially secure bits, with the security for the latter unproven. Suppose, though, that
we could prove security for the PS bit string hashed down to some fraction RPS of its
original length and separately perform this hashing on the PS bits. Then hashing together
the resultant bits with the insecure bits from multiple pairs would, as per the analysis
above, result in a secure key, a fraction ΩRPS − LFEC of the uncorrected raw key.
But, as argued above, for linear hashing there is no need to separate the secure and
Chapter 4. Experimental GHZ-based QKD 120
insecure bit strings and the above operation is equivalent to simply hashing the corrected
key to the appropriate length. Thus, we can achieve a key rate
R ≥ ΩRPS − LFEC (4.10)
This argument is straightforward in the case of individual attacks, where we restrict
Eve to only attacking a single transmission at a time. Under such circumstances the most
she can possibly achieve is to have to complete knowledge of a given transmission, which
we already allow for the multiple-pair states in the above analysis. The situation is less
clear for general attacks, in which Eve can, for example, induce correlations between the
transmissions containing multiple pairs and those which do not. The analysis in [118]
allows for such attacks, but assumes that sender and receiver’s systems are qubits. We
can potentially deal with this by use of a “squashing model”, as discussed further in
section 4.10.3.
In the following section we discuss the unpaired single photons and a security analysis
to derive RPS.
Side note on error correlations
We note in passing that, comparing (4.10) to (4.4), the latter contains no mutual in-
formation term reflecting bit/phase error correlations. This is, in general, because the
“phase error” description is specific to an entanglement-distillation based picture, which
we are not necessarily using in deriving RPS. In addition, however, even if one uses this
description there may be overlap between the information on phase errors supplied by
the bit errors and information we have implied by our assumptions.
Suppose there were no unpaired photons. In this case we could combine the EDP
analysis of section 4.1.2 with our GLLP analysis above, considering now the phase errors
on the PS states as follows:
We assume the worst-case scenario of all phase errors on PS bits. Hence the phase
error rate on these bits is b0Ω
, affecting a fraction Ω of the bits, so ΩH2
(b0Ω
)bits are lost
Chapter 4. Experimental GHZ-based QKD 121
in error correction. Since we start with a secure proportion of the bits Ω, this leads to a
key rate of Ω − maxH2(b1), H2(b2) − ΩH2
(b0Ω
).
However we cannot simply add I(b0; b1, b2) to the above rate. This is because we
are already implicitly assuming some knowledge about the phase errors which aids us in
their correction - that they all occur on insecure states whose location we can in principle
know. This reduces the bits lost in phase error correction to ΩH2
(b0Ω
)rather than H2(b0).
While, in general, the bit error correction does also give us some information about phase
errors, in the worst-case scenario this overlaps maximally with the above information.
Thus the key rate for this hypothetical scenario (additional pairs, no unpaired photons,
as distinct from our experimental scenario) according to this analysis is
RGHZ ≥ max
[
Ω − maxH2(b1), H2(b2) − ΩH2
( p
Ω
)
,
Ω − maxH2(b1), H2(b2) −H2(p) + I(p; b1, b2), 0
]
(4.11)
4.4 Security of potentially secure (PS) states
As discussed above, we can effectively divide the corrected raw key bits into those arising
from insecure states and those from PS states, and determine a separate key rate for the
PS states, whose insecurity derives partially from unpaired single photons. As mentioned
in section 4.2.2, we attempt to counteract this by having Alice add many additional
photons in the state ρmix to every transmission. Thus the PS states consist of zero or
one photon pairs, accompanied by unpaired single photons with, in general, polarisation
states with some degree of correlation to the photon pairs. (Of course, the insecure
states are also accompanied by unpaired single photons, but we already assume Eve has
complete information about such states.)
We thus require a security analysis for the PS states that takes into account the
unpaired photons, which essentially constitute a side channel giving partial information
Chapter 4. Experimental GHZ-based QKD 122
Alice
Bob
Charlie
?
?CC
CC
0100111011001...
Bob−Charlieρ
Figure 4.2: Eve’s view of the QKD - Alice transmits quantum states ρ (as well as
broadcasting encrypted classical communications (CC)) to a joint entity Bob-Charlie in
order to establish a common secret classical key. Eve wants to know the key, but only
has access to ρ and CC.
about the signal states (the pairs).
We could quantify the classical information about the signal states provided by the
side channel, but this would ignore the possibility of Eve making some joint quantum-
mechanical attack on unpaired and pair states together. Instead, we require an analysis
that considers, quantum-mechanically, the complete state in the channel. Fortunately,
our protocol has a property which makes this analysis more straightforward in light of
earlier work, namely that, as depicted in Figure 4.2, from Eve’s point of view, the
QKD is essentially a two-party protocol.
What do we mean by this? Simply that, since we intend for Bob and Charlie to have
the same key bits, one could regard the QKD as Alice sending quantum-mechanical states
Chapter 4. Experimental GHZ-based QKD 123
to a single receiver (Bob+Charlie), followed by broadcasting some encrypted classical
information to allow error correction and privacy amplification to be performed. As a
result a single key is generated between Alice and Bob-Charlie. Now, of course, Bob
and Charlie are separated and cannot perform joint quantum operations, which limits
the operations they can perform to verify the error rates of the states and perform
error correction and privacy amplification. But if they can nonetheless perform such
operations, then from Eve’s point of view the protocol is just of Alice sending quantum-
mechanical states to Bob-Charlie, which she wishes to exploit along with any public
classical information to obtain the key.
Hence we can potentially use a two-party security analysis in this case, which we shall
do in the following section.
4.4.1 Lo-Preskill security analysis
A suitable analysis (by Lo and Preskill) is found in [1]. We recall that the potential
insecurity of the states Alice transmits arises from their “leaking” information to Eve
(via the unpaired photons) regarding the basis in which Alice is transmitting, information
which Eve can exploit to gain information about the final key. As usual the parties can, in
principle, take this into account to reduce Eve’s information about the final key through
privacy amplification. The work of [1] applies a general analysis based on the work of
Koashi [123] to quantify the privacy amplification required for a given amount of leaked
basis information. The analysis is for a two-party protocol (Alice and Bob) in which
Alice transmits in one of two bases, and is based on the complementarity principle. We
will outline it briefly below.
The authors of [1] consider a situation where Alice holds a qubit, from which she
obtains her key bit via measurement in one of two bases, which we shall take here to be
X and Z 2. Depending on her basis, she sends some state over a quantum channel to
2In [1] the corresponding bases are Y and X , the change does not affect the analysis.
Chapter 4. Experimental GHZ-based QKD 124
Bob, who performs an X or Z-basis measurement upon his received state to obtain his
key bit. (Strictly speaking Bob performs a POVM MX or MZ , since we cannot assume
his received state is a qubit).
Since it makes no difference to Bob’s measurement result or those of a hypothetical
Eve, we can assume that Alice does not make her measurement until Bob receives his
state, and denote Alice and Bob’s joint state prior to measurement as σX or σZ (not to
be confused with the Pauli operators), depending on the basis used.
We consider first the subset of cases where Alice and Bob both measure in the Z
basis. They can, as usual, publically announce a subset of their bits to determine an
error rate δZZ (where the superscript denotes the parties’ measurement basis and the
subscript denotes their shared state, in this case σZ). Alice and Bob correct these errors
via classical error correction by sacrificing a fraction H2(δZZ ) of secure bits, leaving them
with shared bits but, of course, no guarantee that these are secure.
However, since Eve’s knowledge of the key is unaffected by whether or not Alice’s
measurement is performed before or after Bob’s we can assume that Bob measures first,
leaving Alice with some qubit state on which she makes Z measurements to obtain key
bits. The underlying principle of security in [1] and [123] is that if Alice’s qubits,
conditioned on Bob’s measurement outcome, are left as X eigenstates, then if
she subsequently performs Z measurements upon them the resulting classical
bits are guaranteed, via the uncertainty principle, to be completely unknown
to Eve.
To quantify how close Alice’s qubits are to X eigenstates under such circumstances,
we consider Alice and Bob’s joint state (prior to measurements) σZ , and consider what
would happen if, rather than Z measurements, Alice and Bob made X measurements on
this state.
As shown in [1], if Alice and Bob could obtain an error rate δXZ when making X
measurements on σZ , then, when Alice and Bob make their usual Z measurements on
Chapter 4. Experimental GHZ-based QKD 125
σZ Alice can first project her N qubits to N(1 − H2(δXZ )) states exponentially close to
X eigenstates. This is equivalent to Alice and Bob performing privacy amplification via
random hashing to the “raw” key bits. The net effect is that Alice and Bob can extract
key at a rate
RLP = 1 −H2(δZZ ) −H2(δ
XZ ). (4.12)
However, the quantity δXZ is not measured directly in the protocol, corresponding as
it does to Alice and Bob making X measurements but sharing the state σZ . Instead,
during the protocol, they make X measurements on a state σX to obtain an error rate
δXX . These three types of measurement are illustrated in Figure 4.3.
Of course, if σX = σZ (i.e. the shared state is basis-independent, such as in an ideal
BB84 protocol) we can take δXX = δXZ , but in general there will be some basis-dependence
and we need to obtain a relationship between δXX and δXZ .
Two means of deriving such a relationship are given in [1], and described below.
The “quantum coin” argument
The quantum coin argument assumes that, prior to transmitting, Alice holds a pure
joint state of her qubit and the states to be transmitted, either ψX or ψZ depending
on the basis, and further that Alice holds an additional “quantum coin” (QC) qubit, a
measurement on which determines her basis, for a joint state (prior to transmission) of
|ψ〉 = (|0〉QC ⊗ |ψX〉 + |1〉QC ⊗ |ψZ〉)/√
2. (4.13)
In the above state, if ψX = ψZ (basis-independence3), the quantum coin qubit is in a +1
eigenstate of X. In general, an X measurement on the coin produces a −1 result with
probability ∆, where
〈ψX |ψZ〉 = 1 − 2∆. (4.14)
3Note of course that Eve can do anything in the channel, so these need not be Alice and Bob’s jointstates after transmission, but the basis-independence will nonetheless hold since Eve cannot increase thestates’ distinguishability.
Chapter 4. Experimental GHZ-based QKD 126
mode
Eve
qubit
Bobmeasures MZ
measures ZAlice
Filter
ρZ
Eve
qubit
Bobmeasures MX
measures XAlice
Filter
ρX
mode
mode
Eve
qubit
Bobmeasures MX
measures XAlice
Filter
ρZ
(1)
(2)
(3)
Error rate δZZ
Error rate δXX
Error rate δXZ
Figure 4.3: Types of measurement in the two-party Lo-Preskill protocol. Alice holds
a joint state ρX/Z of her qubit and the transmitted state. After the transmission they
hold joint states σX/Z and make measurements, with Bob filtering out any inconclusive
outcomes. In scenario (1) they perform Z measurements on state σZ for an error rate
δZZ . In the other experimental scenario (2) they perform X measurements on σX for an
error rate δXX . In scenario (3), which does not occur in the experiment, they perform X
measurements on σZ for an error rate δXZ . The achievable key rate can be expressed in
terms of this error rate. (Adapted from diagrams in [1], Copyright Rinton Press (2007).)
Chapter 4. Experimental GHZ-based QKD 127
Thus a larger ∆ corresponds to more leaked basis information. As in the PNS attack,
Eve can increase this effect via selective blocking if there is any loss in the channel. For
a fraction QLP of transmitted PS states being received, this results (in the worst-case
scenario) in an “effective ∆”, ∆′, where, analogously to (4.8)
∆′ =∆
QLP. (4.15)
The authors of [1] derive a relationship between δXX and δXZ in terms of ∆′, showing
that
δXZ ≤ δXX + 4∆′(1 − ∆′)(1 − 2δXX ) + 4(1 − 2∆′)√
∆′(1 − ∆′)δXX ))(1 − δXX ) + ǫ (4.16)
for any ǫ > 0.
The fidelity argument
It is further shown in [1] that a similar relation to (4.16) may be obtained without
reference to a quantum coin or a pure joint state of Alice’s qubit and transmitted state,
as follows:
We consider Alice and Bob’s joint states after transmission (but before measurement)
σX and σZ . We recall that we are relating the error rates of both parties performing X
measurements on these two states, and denote this joint measurement as a three outcome
POVM Ea, where the three outcomes correspond to Alice and Bob’s outcomes agreeing,
disagreeing, or Bob’s measurement being inconclusive (i.e. he does not receive a signal).
We assume that the probability of a conclusive measurement is basis-independent, and
is therefore simply equal to QPS.
Recalling the general inequality for POVMs operating on density matrices
F (σX , σZ) ≤∑
a
√
tr(σXEa)tr(σZEa) (4.17)
where F is the fidelity
F (σ, ρ) = Tr
√
ρ12σρ
12 . (4.18)
Chapter 4. Experimental GHZ-based QKD 128
we have
F (σX , σZ) ≤ (1 −QLP ) +QLP
(√
δXXδXZ +
√
(1 − δXX )(1 − δXZ )
)
. (4.19)
Note that we do not know the states σX and σZ which, in general, depend on Eve’s actions
in the channel. However, since Eve’s actions cannot increase the distinguishability of the
states, we have, for the pre-transmission joint states (of Alice’s qubit and the states to
be transmitted) ρX and ρZ .
F (ρX , ρZ) ≤ (1 −QLP ) +QLP
(√
δXXδXZ +
√
(1 − δXX )(1 − δXZ )
)
. (4.20)
from which we obtain the inequality
δXZ ≤ δXX + 4∆′F (1 − ∆′
F )(1 − 2δXX ) + 4(1 − 2∆′F )√
∆′F (1 − ∆′
F )δXX (1 − δXX ) + ǫ. (4.21)
where ∆′F = ∆F/QLP and
F (ρX , ρZ) = 1 − 2∆F . (4.22)
Note, however, that, unlike the quantum coin argument (which provides unconditional
security), the above relation concerns attacks by Eve on individual transmissions and
thus a key rate derived from the fidelity argument is only valid for such “individual”
attacks.
4.4.2 Modified fidelity argument
We note that a small modification of the fidelity argument in [1] is possible. In section
4.4.1 we referred to the POVM Ea operating on the states ρX and ρZ as a description
of the measurement outcomes of Alice and Bob’s X measurements on their respective
portions of the states.
Suppose we consider a different POVM E ′a, identical to Ea except that we are
now considering a (hypothetical) X measurement made by Alice before transmitting the
state to Bob (we do not need to assume that this is what she actually does). Clearly,
Chapter 4. Experimental GHZ-based QKD 129
whether she does such a measurement before or after the transmission makes no difference
to the parties’ joint measurement outcomes. Furthermore, the same joint measurement
outcomes will of course be produced if the X measurement we consider is one of many
made by Alice (in other words, if she keeps measuring her qubit in the X basis she will
keep getting the same outcome). Hence let us consider the states ρ′X , ρ′Z , the joint states
of Alice’s qubit and the transmission state after an X measurement by Alice but before
transmission. By the reasoning above (in other words, that the joint outcomes of X
measurements are unchanged if the initial states are ρ′X , ρ′Z rather than the undashed
states), we have that
δXZ = δXX + 4∆X ′F (1 − ∆X ′
F )(1 − 2δXX ) + 4(1 − 2∆X ′F )√
∆X ′F (1 − ∆X ′
F )δXX ))(1 − δXX ) + ǫ
(4.23)
where ∆X ′F = ∆X
F/QLP and
F (ρ′X , ρ′Z) = 1 − 2∆X
F . (4.24)
Note that δXZ and δXX here are thus the same quantities as in the previous section, since
as discussed above the error rates will be the same on a state where Alice pre-measures
X.
In other words, using this argument, we can replace ∆′F in (4.21) with ∆X ′
F to get
(4.23). Since F (ρ′X , ρ′Z) ≥ F (ρX , ρZ) this gives us, in general, a higher key rate, which
will prove useful later.
Thus we will use the modified version of the fidelity argument in preference to the
original version. Note that we cannot further improve the fidelity bound by also applying
Bob’s measurement to the states, since this measurement must occur after transmission
and any action by Eve. We cannot assume that Eve’s action follow by Bob’s measurement
will produce a higher fidelity than Bob’s measurement alone.
All the above still applies in our three-party protocol with Bob-Charlie as the receiver.
As with the fidelity argument, however, this works only for individual attacks.
Chapter 4. Experimental GHZ-based QKD 130
4.4.3 Applying Lo-Preskill to the GHZ experiment
We note that we can reduce the GHZ protocol to a two-basis protocol (as required to
apply the above analysis) by only using the Z and X measurements for all 3 parties (in
the EDP picture, Z and X measurements are sufficient to establish bit and phase error
rates, Y measurements allow us to determine any correlations between these rates and
hence, while they improve the key rate in general, are not necessary).
As discussed above, we can apply the two-party analysis to our three-party experiment
by considering Bob and Charlie as a single party. Here we note where the experiment
differs from this assumption, and how we can deal with this.
• Bob and Charlie cannot perform joint quantum operations. In particular, this
means they cannot obtain key bits from the X transmissions (though they can
obtain error rates from these transmissions by publically announcing their mea-
surement results). Thus, all the key bits come from the Z transmissions. This does
not affect security, however.
• All unpaired photons in the channel are directed towards either Bob or Charlie.
Thus there is an additional bit of information carried by each photon (equivalently,
a classical side-channel) compared to a genuine two-party case. However, this
information has no correlation with the photon polarisation (in which all the key
information is encoded) and thus does not affect security.
• In the case of Z transmissions, the parties measure individual error rates b1 and b2
between Alice-Bob and Alice-Charlie. As discussed in the introduction these can be
corrected (in the large-key limit) using maxH2(b1), H2(b2) bits of communication
by Alice (note that this is approximately H2(b1) bits if the two error rates b1 and
b2 are roughly equal). We implicitly assume (by deducting these bits from the final
key) that the communication for error correction is encrypted and inaccessible to
Eve. Thus there are no further security implications.
Chapter 4. Experimental GHZ-based QKD 131
• We note that while the above analysis allows us to quantify the insecurity due to
the unpaired photons, we still have the “completely insecure” incidents of Alice
transmitting multiple pairs, which we treat separately as described in section 4.3.1.
For our use of Lo-Preskill we will consider only the “potentially secure”
(PS) states - those where Alice transmits either 0 or 1 pairs.
4.5 Overall key rate
The above arguments allow us, by defining joint states of Alice’s qubit and her transmit-
ted state ψX/Z or ρX/Z , to obtain a secure key rate RPS = RLP , where RPS is as defined
in (4.10) and RLP as in (4.12). We use RLP as defined for the PS states in terms of the
parameter δXZ , as obtained using (4.16) or (4.23).
We substitute this RPS into (4.10), but note that, as discussed in section 4.3.1, RPS
as used in (4.10) is the secure key rate for PS states in the corrected raw key, for which
we have no bit errors. Hence we substitute δZZ = 0 into (4.4), giving an obtainable overall
rate (as a fraction of the raw key)
R ≥ Ω(1 −H2(δXZ )) − maxH2(b1), H2(b2). (4.25)
In the following sections we will discuss how to obtain the parameters in the above
expression (particularly δXZ ) in terms of the known properties of the experimental state.
4.6 The experimental state
In this section we will obtain a quantitative description of Alice’s experimental transmis-
sions for given basis and bit values.
Chapter 4. Experimental GHZ-based QKD 132
4.6.1 The transmitted state
Notes on the Poisson distribution
Two important facts which will be used several times.
1. The sum of two independent Poisson distributions
Pλ(N) ∼ λNe−λ
x!(4.26)
of means λ1 and λ2 is a Poisson distribution with mean λ1 + λ2
2. Given a Poisson distribution of events with mean λ, each event being subsequently
and independently assigned into group A with probability pA and group B with
probability pB, groups A and B will follow independent Poisson distributions with
means λpA and λpB respectively.
Alice’s down-conversion crystal produces a Poissonian mixture of photon pairs - that
is, she transmits, at random, a certain number of photon pairs between changes of the
polarisation setting, the number of pairs transmitted being governed by a Poisson dis-
tribution. (We will henceforth denote such a distribution of mean λ by P (λ).) There is
a certain probability for each photon to make it through the Alice’s spatial and wave-
length filters, so that sometimes one or both photons is stopped. The net effect (from
the above) is that Alice transmits a Poisson distribution of pairs with mean µ and an
independent Poisson distribution of “unwanted” unpaired photons with mean cpµ where
cp is a constant. To counteract the leakage of basis information to Eve from these un-
wanted unpaired photons, Alice also adds noise to the channel, in the form of a Poisson
distribution of unpaired photons in state ρmix = (|00〉〈00|+ |11〉〈11|)/2.
Chapter 4. Experimental GHZ-based QKD 133
4.6.2 The pairs
We assume Alice transmits pairs in either the X or Z basis, with two mutually orthogonal
states in each basis. The four possible transmitted pair states are thus
X : (|00〉 ± |11〉)/√
2 (4.27)
Z : |00〉, |11〉. (4.28)
Alice randomly chooses (with equal probability) a basis and a state and transmits a
certain number of photon pairs in the state, the number following a distribution P (µ).
(We assume that if she transmits 2 or more pairs then the transmission is insecure. We
deal with these states separately using the GLLP method.) Hence PS transmissions
contain either zero or one pairs, in one of the above states, with probabilities (as a
fraction of PS states)
pPS(0) =e−µ
e−µ + µe−µ(4.29)
pPS(1) = 1 − pPS(0) =µe−µ
e−µ + µe−µ. (4.30)
4.6.3 Unpaired photons
There are two sources of unpaired photons in Alice’s transmission. “Unwanted” unpaired
photons arise from PDC-produced pairs in which exactly one of the pair is blocked by
Alice’s filters, as discussed in section 4.2.2. Unpaired photons are also added to the
channel by Alice in the form of uncorrelated noise.
As with the photon pairs, each unpaired photon is directed towards either Bob or
Charlie, but there is no correlation between this spatial information and photon polari-
sation (hence the spatial information does not affect security), thus we shall only consider
the latter in the following analysis. Hence references below to the unpaired photon
states refer to the state of all unpaired photons, whether in Bob or Charlie’s
channel. All such states are uniformly randomly distributed between the two
Chapter 4. Experimental GHZ-based QKD 134
channels.
The unwanted unpaired photons
If Alice is transmitting in either X state the unpaired photons will be in the state ρmix.
But if she is transmitting in Z then the unpaired photons will be in state |0〉 when the
pairs are in state |00〉 and |1〉 when the pairs are in state |11〉, revealing information about
the pair basis and polarisation to Eve. As discussed above, though the means of the pair
and unwanted unpaired photons are related (since both are proportional to the number
of PDC pairs produced in Alice’s lab) the total number of unwanted unpaired photons
transmitted follows a Poisson distribution independent of the number of transmitted
pairs and of their polarisation state.
We denote the mean total number of unwanted unpaired photons transmitted by
2δ. It follows that |00〉 and |11〉 pair polarisations correspond to a distribution P (2δ)
of unwanted unpaired photons in states |0〉 and |1〉 respectively, while X-basis transmis-
sions have P (2δ) unwanted unpaired photons in state ρmix or, equivalently (following the
Poisson distribution properties in section 4.6.1), P (δ) photons in each of states |0〉 and
|1〉.
Added uncorrelated noise
Alice’s added noise consists of a Poisson distribution of unpaired photons in the state
ρmix. We denote the mean of this distribution by 2(α− δ). Thus Alice equivalently adds
distributions P (α− δ). of photons in each of states state |0〉 and |1〉.
4.6.4 Summary of PS transmissions
Thus the overall state of PS transmissions consists of independent pair and unpaired
photon distributions, where the unpaired photon states are the sum of the unwanted and
noise distributions. These will thus follow Poisson distributions with means equal to the
Chapter 4. Experimental GHZ-based QKD 135
Alice’s basis Alice’s bit Transmitted pair Mean of |0〉 Mean of |1〉
(if any) distribution distribution
X 0 1√2(|00〉 + |11〉) α α
X 1 1√2(|00〉 − |11〉) α α
Z 0 |00〉 α + δ α− δ
Z 1 |11〉 α− δ α + δ
Table 4.2: Summary of Alice’s transmissions when adding uncorrelated noise.
sum of the means of the unwanted and noise distributions, hence the overall transmitted
PS states are as given in Table 4.2.
4.7 Joint state description for PS states
In this section we will use the above description to construct explicit valid joint states of
Alice’s qubit and transmitted PS states (as required for the arguments in section 4.4.1),
for both the quantum coin and modified fidelity arguments. The inner product (for pure
joint states, using the quantum coin argument) or fidelity (for mixed joint states, using
the modified fidelity argument), determine the parameter ∆ or ∆XF , giving an upper
bound for the key rate parameter δXZ in terms of the measured error rate δXX .
4.7.1 Definition of a valid joint state
By “valid” joint states, we do not necessarily mean the state that Alice actually holds
prior to transmission. For example, as discussed in section 4.1.2, in our prepare-and-
measure scheme Alice does not in fact possess a qubit entangled with her transmission
state, she simply transmits states correlated with her classical bit values in such a way
that her possible measurement outcomes (and those of Bob, Charlie and Eve) are the
same as those that would be obtained if she did have such an entangled qubit. Similarly,
Chapter 4. Experimental GHZ-based QKD 136
by a “valid” joint state, we mean a joint state compatible with the possible mea-
surement outcomes of Alice, Bob and Charlie from which Eve could always
obtain the experimentally transmitted state.
This condition follows from our merely trying to obtain a lower bound on the achiev-
able secure key rate for our protocol. RPS is a secure key rate for the corrected PS bits
and, if Eve had no knowledge about these bits, we would have RPS = 1. Since to prove
security we must find an upper bound to Eve’s knowledge of the key, if a given RPS can
be obtained for a state from which the experimental state can always be obtained by
Eve, then the same rate can also be obtained for the experimental state.
For example, while, as described in the previous section, Alice’s transmitted PS states
are mixed states of different photon numbers and polarisations, we are free to describe
them as pure states as long as Eve could always obtain the mixed states via e.g. a
non-destructive photon number measurement. We will make use of this argument in the
following section.
4.7.2 Pure state (quantum coin argument)
To use the quantum coin argument from section 4.4.1, we need to construct valid joint
pure states ψX and ψZ for Alice’s transmissions. In this section we construct such states
- note though that these are not provably optimal in terms of the corresponding key rate.
We can without loss of generality describe the joint pure state of Alice’s qubit and
the transmitted states for the two bases as
|ψX〉 = (|+〉 ⊗ |X0〉 + eiθ1 |−〉|X1〉)/√
2 (4.31)
|ψZ〉 = (|0〉 ⊗ |Z0〉 + eiθ2|1〉 ⊗ |Z1〉)/√
2 (4.32)
(where |±〉 = (|0〉±|1〉)/√
2)). In the above, |X0〉 and |X1〉 are Alice’s transmitted states
for the two possible bits, and likewise for the Z basis. The phases θ1 and θ2 are arbitrary.
Since, as discussed in section 4.6, the number distributions of unpaired photons and
Chapter 4. Experimental GHZ-based QKD 137
photon pairs are independent, we can write the pure states as e.g. |X1〉 = |Xp1 〉|Xs
1〉
where the superscripts denote the photon pair (p) and unpaired photon (s) states. We
further note that the X0 and X1 unpaired photon distributions are independent of the
pair polarisation and symmetric between |0〉 and |1〉 states. The Z0 and Z1 unpaired
photon distributions are related by the transformation Z0 ↔ Z1, |0〉 ↔ |1〉, thus we can
choose purifications such that
|Xs1〉 = |Xs
0〉 ≡ |Xs〉 (4.33)
〈Xs|Zs0〉 = 〈Xs|Zs
1〉 ≡ 〈XsZs〉 . (4.34)
For the pair states, the probabilities of transmitting either 0 pairs or 1 pair are
independent of pair basis and polarisation. In terms of the probabilities in (4.29) and