Fakulteta za matematiko in fiziko Univerza v Ljubljani Seminar II Quantum Communication Avtor: Matjaž Gregorič Mentor: prof. N.S. Mankoč Borštnik Ljubljana, januar 2008
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Fakulteta za matematiko in fizikoUniverza v Ljubljani
Seminar II
Quantum Communication
Avtor:Matjaž Gregorič
Mentor:prof. N.S. Mankoč Borštnik
Ljubljana, januar 2008
Contents1 Introduction 2
1.1 Qubit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.2 Quantum register . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.3 Quantum gates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3.1 Hadamard gate . . . . . . . . . . . . . . . . . . . . . . . . 31.3.2 Phase gate . . . . . . . . . . . . . . . . . . . . . . . . . . 31.3.3 CNOT gate . . . . . . . . . . . . . . . . . . . . . . . . . . 41.3.4 Pauli matrices . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Holevo’s theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . 51.5 No-cloning theorem . . . . . . . . . . . . . . . . . . . . . . . . . . 51.6 Quantum entanglement . . . . . . . . . . . . . . . . . . . . . . . 5
2 Superdense coding 6
3 Quantum teleportation 8
4 Quantum cryptography 104.1 Classical cryptography . . . . . . . . . . . . . . . . . . . . . . . . 11
4.1.1 Secret key cryptography . . . . . . . . . . . . . . . . . . . 114.1.2 Public key cryptography . . . . . . . . . . . . . . . . . . . 11
4.2 Quantum key distribution . . . . . . . . . . . . . . . . . . . . . . 134.3 The BB84 protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 144.4 The E91 protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 154.5 Possible attack strategies . . . . . . . . . . . . . . . . . . . . . . 164.6 Practical implementations . . . . . . . . . . . . . . . . . . . . . . 16
5 Conclusion 18
1
Abstract
Quantum communication is a subfield of quantum information process-ing which is concerned with the exchange of information between distantparties. In this paper I discuss some of the most interesting applicationsof quantum mechanics to communication problems. After reviewing thebasic ideas of quantum computation and quantum information processing,the seminar looks into the topics of superdense coding, quantum telepor-tation, and quantum cryptography.
1 IntroductionIn my previous seminar I discussed quantum computers and quantum compu-tation. Today I will discuss a closely related field of quantum communication.Quantum communication is concerned with application of quantum mechanicsto communication problems and borrows many ideas from quantum computa-tion. Several applications of quantum mechanics to communication problemshave been proposed, ranging from more efficient ways of sending classical in-formation (superdense coding) to novel ways to achieve secret communication(quantum cryptography). First let us review some basic principles of quantumcomputation and quantum comunication.
1.1 QubitA classical bit is the base of computer information. Regardless of its physicalrepresentation, it is always read as either a 0 or a 1. A quantum bit or qubithas some similarities to a classical bit, but is overall very different. Like a bit,a qubit can have two possible states – |0〉 or |1〉. The difference is that whereasa bit must be either 0 or 1, a qubit can be in |0〉, |1〉, or in a superposition ofboth states
|ψ〉 = α|0〉+ β|1〉, |α|2 + |β|2 = 1, (1)
where α, β ∈ C. The state of the qubit is represented by two complex numbers.The state of a classical bit (0 or 1) can always be determined by measure-
ment. The same is not true for a qubit, one cannot determine the exact valueof probability amplitudes α and β. When one measures a qubit in the standardbasis, the probability of outcome |0〉 is |α|2 and the probability of outcome |1〉is |β|2. After we perform the measurement, the state of the qubit collapses intoone of the basis states and therefore the information about the state of the qubitbefore the measurement is lost.
A qubit can be physically implemented in a number of different ways. Anytwo-level system can be used to represent a qubit: two orthogonal polarizationstates of a photon, spin of an electron in a magnetic field, ground and excitedstates of an electron in an atom. . .
1.2 Quantum registerA quantum register is a collection of n qubits and is the quantum mechanicalanalogue of a classical processor register. A classical register of two bits canbe in one of the four states: 00, 01, 10, 11. A quantum register of two qubits
2
on the other hand has four basis states: |00〉, |01〉, |10〉, |11〉, and can be in asuperposition of the four basis states
|ψ〉 = α00|00〉+ α01|01〉+ α10|10〉+ α11|11〉. (2)
A general n-qubit quantum register is represented by 2n−1 complex ampli-tudes. For large values of n the information needed to describe the register’sstate is enormous and one might expect that qubits can be used to store muchmore information than classical bits. Such expectations were proven false byAlexander Holevo in 1973 (see section 1.4).
1.3 Quantum gatesActions on qubits are performed via the use of quantum gates. Quantum gatesare unitary operators which act on one or more qubits. They can be representedby unitary matrices.
The most important quantum gates are the phase gate and the Hadamardgate which both operate on one qubit, and the controlled not (or CNOT) gate,which operates on two qubits. Phase, Hadamard and CNOT gates form auniversal set of quantum gates. That means that any possible unitary operationcan be constructed using only these three types gates [1].
1.3.1 Hadamard gate
Figure 1: Graphical representation of the Hadamard gate.
The Hadamard gate operates on one qubit. In the basis (|0〉, |1〉) it is repre-sented by the unitary matrix
Ha =1√2
(1 11 −1
)a
, (3)
where a is the index of the qubit we want to apply the gate on. The Hadamardgate transforms the basis states into:
Ha|0〉a =1√2
(|0〉a + |1〉a) , (4)
Ha|1〉a =1√2
(|0〉a − |1〉a) . (5)
1.3.2 Phase gate
The phase gate also operates on one qubit. It is represented by the matrix
Ra,φ =(
1 00 eiφ
)a
. (6)
3
Figure 2: Graphical representation of the phase gate.
The phase gate transforms the basis states into:
Ra,φ|0〉a = |0〉a (7)Ra,φ|1〉a = eiφ|1〉a (8)
1.3.3 CNOT gate
Figure 3: Graphical representation of the CNOT gate.
The CNOT gate operates on two qubits. It is represented by a 4x4 unitarymatrix
CNOTa,b =
1 0 0 00 1 0 00 0 0 10 0 1 0
a,b
. (9)
The CNOT gate flips the b-th (target) qubit if the a-th (control) qubit is in thestate |1〉, otherwise it keeps the target qubit unchanged:
CNOTa,b|0〉a|0〉b = |0〉a|0〉b, (10)CNOTa,b|0〉a|1〉b = |0〉a|1〉b, (11)CNOTa,b|1〉a|0〉b = |1〉a|1〉b, (12)CNOTa,b|1〉a|1〉b = |1〉a|0〉b. (13)
1.3.4 Pauli matrices
In quantum computing and especially in quantum communication some of themost useful one-qubit gates are those represented by the Pauli matrices. Theycan be constructed from the Hadamard and phase gates as follows.
σx =(
0 11 0
)= HRπH (14)
σy =(
0 −ii 0
)= iRπHRπH (15)
σz =(
1 00 −1
)= Rπ (16)
4
1.4 Holevo’s theoremHolevo’s theorem [3] is an important limitative theorem in quantum informationscience. It states that n qubits cannot be used to encode more than n classicalbits of information. The origin of this limitation stems from the fact that anymeasurement performed on the quantum register disturbs its state and ‘corrupts’some of the information stored in it.
1.5 No-cloning theoremAnother important limitation of quantum information processing which wasstated by Wootters, Zurek, and Dieks in 1982 [4] is the no-cloning theorem.The no-cloning theorem forbids the creation of identical copies of an arbitraryunknown quantum state.
A simple proof goes as follows. Suppose the state of a quantum system A,which we wish to copy, is |ψ〉A. In order to make a copy, we take a system Bwith the same state space and initial state |s〉B . The initial or blank state mustbe independent of |ψ〉A, of which we have no prior knowledge. The compositesystem is then described by the tensor product, and its state is
|ψ〉A|s〉B . (17)
Suppose there exits some unitary operator U which acts as a copier and cancopy the first state into the second as
U |ψ〉A|s〉B = |ψ〉A|ψ〉B . (18)
If operator U is a true copier, it must be able to copy arbitrary states. So wecan also write
U |ϕ〉A|s〉B = |ϕ〉A|ϕ〉B . (19)
Now by definition of unitary operator, U preserves the inner product:
〈s|B〈ϕ|AU†U |ψ〉A|s〉B = 〈ϕ|B〈ϕ|A|ψ〉A|ψ〉B (20)
or〈ϕ|ψ〉 = 〈ϕ|ψ〉2. (21)
This implies that either |ψ〉 = |ϕ〉 or |ϕ〉 is orthogonal to |ψ〉 which is not truein general. Therefore U cannot clone a general quantum state. A similar, butsomewhat more complicated proof also exits in case U is not unitary [4].
1.6 Quantum entanglementQuantum entanglement is a quantum mechanical phenomenon in which thequantum states of two or more objects have to be described with reference toeach other, even though the individual objects may be spatially separated. En-tanglement is one of the properties of quantum mechanics which caused Einsteinand others to dislike the theory. In 1935, Einstein, Podolsky, and Rosen formu-lated the famous EPR paradox, a quantum-mechanical thought experiment witha highly counterintuitive and apparently nonlocal outcome. Einstein famouslydescribed entanglement as “spooky action at a distance”.
5
Entangled states of two or more qubits are those states that cannot be writ-ten as a product of one-qubit states. The state
α|00〉+ β|01〉 = |0〉 ⊗ (α|0〉+ β|1〉) (22)
is not entangled, while the state
α|00〉+ β|11〉 6= |ψ〉1 ⊗ |ψ〉2 (23)
is entangled.Entanglement has many applications in quantum information theory. Mixed
state entanglement can be viewed as a resource for quantum communication.With the aid of entanglement, otherwise impossible tasks may be achieved.Among the best known such applications of entanglement are superdense codingand quantum state teleportation, both of which we will look into in the followingsections.
The four Bell states represent the simplest possible examples of entangle-ment and are defined as maximally entangled states of two qubits. The fourorthonormal Bell states are:
|Φ+〉 =1√2
(|00〉+ |11〉) , (24)
|Φ−〉 =1√2
(|00〉 − |11〉) , (25)
|Ψ+〉 =1√2
(|01〉+ |10〉) , (26)
|Ψ−〉 =1√2
(|01〉 − |10〉) . (27)
Bell states can be constructed from the computational basis states using asimple circuit consisting of a single Hadamard and a single CNOT gate (Figure4).
Figure 4: Quantum circuit used to generate Bell states. If we feed the cir-cuit |00〉, |01〉, |10〉 or |11〉, we get |Φ+〉, |Ψ+〉, |Φ−〉 or |Ψ−〉 on the output,respectively.
2 Superdense codingSuperdense coding is the simplest yet surprising application of quantum entan-glement to communication. It combines in a concrete, non-trivial way all thebasic ideas of elementary quantum mechanics and is therefore and ideal example
6
of the information processing tasks that can be accomplished using quantum me-chanics. Superdense coding involves two parties, conventionally known as Aliceand Bob, who are a long way away from one another. Their goal is to transmitsome classical information from Alice to Bob. Suppose Alice is in possession oftwo classical bits of information which she wishes to send to Bob, but is onlyallowed to send a single qubit to Bob. Can she achieve that?
She can achieve her goal by the means of superdense coding. Suppose Aliceand Bob initially share a pair of qubits in the entangled state
|Φ+〉 =|00〉+ |11〉√
2. (28)
Alice is initially in possession of the first qubit, while Bob has possession of thesecond qubit. By sending the single qubit in her possession to Bob, it turns outthat Alice can communicate two bits of classical information to Bob. Here isthe procedure she uses: If she wishes to send the bit string ‘00’ to Bob then shedoes nothing at all to her qubit. If she wishes to send ‘01’ then she applies thequantum gate σz If she wishes to send ‘10’ then she applies the σx quantumgate. If she wishes to send ‘11’ then she applies the iσy gate to her qubit. Thefour resulting states are easily seen to be:
00 : |Φ+〉 −→ |00〉+ |11〉2
= |Φ+〉 (29)
01 : |Φ+〉 −→ |00〉 − |11〉2
= |Φ−〉 (30)
10 : |Φ+〉 −→ |10〉+ |01〉2
= |Ψ+〉 (31)
11 : |Φ+〉 −→ |01〉 − |10〉2
= |Ψ−〉 (32)
These are the four Bell basis states or EPR pairs. Since the pairs form anorthonormal basis, they can therefore be distinguished by an appropriate quan-tum measurement. If Alice sends her qubit to Bob, giving Bob possession ofboth qubits, then by doing a measurement in the Bell basis Bob can determinewhich of the four possible bit strings Alice sent. Note that if Bob doesn’t havethe technical ability1 to perform the measurement in the Bell state directly, hecan always first transform the Bell states into states of the computational basisand then perform the measurement in the computational basis. He can do thatusing the inverse circuit of the circuit in Figure 4. Since Hadamard and CNOTgates are both self-inverse, the appropriate circuit is simply
(CNOT1,2H1)−1 = H1 CNOT1,2. (33)
Alice, interacting only with a single qubit is able to transmit two bits ofinformation to Bob. Of course, two qubits are involved in the protocol, butAlice never need interact with the second entangled qubit. Classically, thetask Alice accomplishes would have been impossible had she only transmitteda single classical bit [1], hence the name ‘superdense coding’. Furthermore, thisinteresting superdense coding protocol has received verification in the laboratory[5].
1Like quantum computers, quantum communication devices are required to be able toperform measurements in the computational basis, but are not required to be able to performmeasurements in any other bases directly.
7
Figure 5: A schematic picture of the superdense coding protocol. The doublelines denote two classical bits and the single line a quantum bit. S is the sourceof entangled qubits.
Figure 6: A quantum circuit implementing the dense coding protocol. The Ugate represents I, σx, iσy or σz gate, depending on which string of bits Alicewants to send.
3 Quantum teleportationQuantum teleportation allows for the transmission of quantum information to anarbitrarily distant location using a distributed entangled state and the transmis-sion of some classical information. This possibility could be of practical interestfor quantum computation, for example in the transfer of quantum informationbetween different units of a quantum computer. Let us consider the simplestexample of teleportation: Alice owns a two level system in some unknown state
|ψ〉 = α|0〉+ β|1〉, (34)
and she wishes to send this qubit to Bob using only a classical communicationchannel: she can send only classical bits, not quantum bits. At first sight, thetask seems desperate since a measurement of the system would uncontrollablyperturb its state and from this measurement Alice can obtain only a singlebit of information. Quantum teleportation successfully solves this problem,provided that Alice and Bob share an entangled pair of qubits. The procedurefor quantum teleportation is outlined in the following (Figure 7):
1. First we create the Bell state (an EPR pair)
|Ψ+〉 =1√2
(|01〉+ |10〉) (35)
8
and send the first half of the EPR pair to Alice and the second half toBob2. Alice now owns two qubits (the state |ψ〉 which she wants to teleportand the first half of the EPR pair), while Bob owns a single qubit (thesecond half of the EPR pair). Alice and Bob can be very far apart. Thethree-qubit state of the system at this point is given as
|ψ〉 ⊗ |Ψ+〉 = (α|0〉+ β|1〉)⊗ 1√2
(|01〉+ |10〉)
=α√2
(|001〉+ |010〉) +β√2
(|101〉+ |110〉) . (36)
2. Alice allows the qubit |ψ〉 to interact with her half of the EPR pair. Sheperforms the unitary transformation H1 CNOT1,2 which leads to the fol-lowing global state for the three qubits:
12|01〉 (α|0〉+ β|1〉) +
12|11〉 (α|0〉 − β|1〉)
+12|00〉 (α|1〉+ β|0〉) +
12|01〉 (α|1〉 − β|0〉) . (37)
3. Alice measures the two qubits in her possession in the computational basis.The four possible outcomes (|00〉, |01〉, |10〉, |11〉) give two bits of classicalinformation (00, 01, 10 or 11, respectively).
4. Alice sends these two classical bits to Bob.
5. Bob receives these two bits of classical information, telling him which ofthe four possible outcomes of her measurement Alice obtained. Dependingon this classical message, Bob performs one out of four possible unitaryoperations U on his qubit to recover the state |ψ〉. From the equation37 we can see that if Alice obtained |01〉, Bob’s particle already is in thedesired state |ψ〉 = α|0〉 + β|1〉, so U = I. If Alice obtained |00〉, |10〉 or|11〉, Bob performs U = σx, U = iσy or U = σz, respectively.
At first glance quantum teleportation allows one to transmit quantum statesfaster than the speed of light. But that is not the case, because to successfullycomplete the teleportation, Alice must transmit her measurement result to Bobover a classical channel. Without the classical communication, teleportationdoes not convey any information at all [1]. The classical channel is limited by thespeed of light, so it follows that quantum teleportation cannot be accomplishedfaster than the speed of light, resolving the apparent paradox.
Another puzzling thing about teleportation is that it appears to create a copyof the quantum state being teleported which is an apparent violation of the no-cloning theorem. This violation is only illusory since after the teleportationprocess only the target qubit is left in the state |ψ〉, and the original data qubitends up in one of the computational basis states |0〉 or |1〉, depending uponthe measurement result on the first qubit. Therefore the state of the particle is‘moved’ rather than ‘copied’.
Quantum teleportation has been experimentally realized with photons [7, 8]and with ions [9]. The current distance record is 600 m [8].
2Usually photons are used as EPR qubits, since they are relatively easy to transportthrough optical fibers without corrupting the entanglement.
9
Figure 7: A quantum circuit for teleportation. The upper line represents thequbit |ψ〉 to be teleported, the middle line is the half of the EPR pair possesedby Alice, and the lower line represents the other half of the EPR possesed byBob. After performing a unitary transformation, Alice measures the states ofher two qubits and sends the two classical bits to Bob, who performs the unitaryoperation U depending on the received classical bits. By the end of the circuit,Bob’s qubit is in the desired state |ψ〉.
It is interesting to note that superdense coding and quantum teleportationcan be obtained by the same quantum circuit “cut” in the different positions(see Figure 8).
Figure 8: Diagrams representing superdense coding (left) and teleportation(right). Double lines represent two classical bits, single lines a quantum bit,S the EPR source, M the measurement process, U the unitary transformationdriven by the two classical bits, ‘in’ and ‘out’ the intput and output of thecircuits.
4 Quantum cryptographyQuantum cryptography is so far the most remarkable application of quantumcommunication. Today’s most popular methods for secure communication usepublic key cryptography. It is well known that once quantum computers withlarge enough registers can be successfully built, they will be able to relativelyquickly break today’s cryptograpy methods. Fortunately, however, what quan-tum mechanics takes away with one hand, it gives back with the other: a pro-
10
cedure known as quantum cryptography or quantum key distribution exploitsthe principles of quantum mechanics to enable provably secure distribution ofprivate information. Let us first look at the basics of classical cryptography.
4.1 Classical cryptography4.1.1 Secret key cryptography
Until the invention of public key cryptography in the 1970s, all cryptosystemsoperated on a different principle, now known as secret key cryptography (some-times called private key cryptography). In a secret key cryptosystem, if Alicewishes to send messages to Bob, then Alice must have an encoding key, whichallows her to encrypt her message, and Bob must have a matching decodingkey, which allows Bob to decrypt the encrypted message. A simple, yet highlyeffective secret key cryptosystem is the Vernam cipher, sometimes known as aone time pad (OTP). Alice and Bob begin with n-bit secret key strings, whichare identical. Alice encodes her n-bit message by adding the message and keytogether, and Bob decodes by substracting to invert the encoding, as illustratedin Figure 9.
Figure 9: The Vernam cipher. Alice encrypts by adding the random key bits tothe original message. Bob decrypts by substracting the key bits to recover themessage.
The code is unbreakable, provided that the key is completly random, since inthis case the encrypted message is completely random, too. It gives no furtherinformation whatsoever about the original message. But the key must be usedonly once (that is why it is also called the one time pad). If reused more thanonce the code might be broken by means of statistical analysis.
The major difficulty of secret key cryptosystems is secure distribution of thekey. In particular, the Vernam cipher is secure only as long as the number of keybits is at least as large as the size of the original message, the key is completelyrandom (a non-trivial task in itself) and key bits cannot be reused. Thus, thelarge amount of key bits needed makes such schemes impractical for general use.
4.1.2 Public key cryptography
Owing to the difficulty of supplying new random keys for every message, theVernam cipher is nowadays used mainly for important diplomatic communica-
11
tions. For less delicate business, it is substituted by public key cryptographicsystems, whose principles were discovered in 1970.
The fundamental difference between the traditional secret key cryptosystemand the recent public key cryptosystem is the following:
• In the secret key cryptosystem, Alice encrypts her message by means of asecret key. She sends the encrypted message to Bob, who owns the samesecret key and can therefore decrypt the message. The security of themessage depends on the secrecy of the key. Since the secret key must beat some time distributed between Alice and Bob, there is always a riskthat the key is intercepted.
• In the public key cryptosystem, Alice and Bob do not exchange any secretkey. Bob publishes a key which can be seen by anyone (the public key).Alice uses this public to encrypt the message. However, the messagecannot be decrypted by this key, but only by another key (the privatekey), which is possessed by Bob alone. Therefore, the key-distribution isavoided. The public-key cryptosystem works as if Bob had constructed asafe into which he inserted a message. The safe has two keys, one publicto lock it and another private to open it. Anyone may place a messagein the safe, but only one person (Bob) can open the safe and take themessage out.
In contrast to the secret key cryptosystem, which if used properly (usingthe Vernam cipher with completely random, never reused keys) is proven to beunbreakable, the security of public key cryptography relies on unproven mathe-matical assumptions about the difficulty of solving certain problems like factor-ing (with classical computers!), even though it is more convenient and widelyused in most ecommerce applications.
The RSA protocol is one of the most widely used public-key encryptionprotocols used today. It was devised in 1977 and works as follows:
1. Bob chooses two large enough prime numbers p an q, and computes pq =N .
2. Bob chooses at random a number e that is coprime to (p− 1)(q− 1), thatis, e and (p− 1)(q − 1) share no factors other than 1.
3. Bob computes d, the inverse modulo (p− 1)(q − 1) of e
de = 1 mod (p− 1)(q − 1). (38)
Note that from now on we can forget about p and q.
4. Bob publishes the pair (e,N). This is the public key, which anybody canuse to send messages to Bob.
5. The pair (d,N) is the private decryption key, possessed by Bob alone.Therefore, only Bob can decrypt the messages that were encrypted usingthe public key.
12
6. Alice divides her message into blocks and each block can be written as anumber m with m < N . Alice encrypts each block as follows:
c = me mod N. (39)
7. Bob decrypts the message by computing
m = cd mod N. (40)
Note the advantages with respect to the Vernam cipher:
• There is no need to distribute a secret key over a supposedly secure chan-nel: the public key can be used by anybody who wishes to communicatewith Bob while the secret key is possessed by Bob alone.
• The public key can be reused as many times as desired.
The RSA code can be broken if one discovers the prime factors p and qof N . After this, the private key d can be easily computed since e is known.Therefore the reliability of this method is based on the fact that there exist noknown efficient (polynomial time) classical algorithms to find the factors of aninteger N . For a number with 250 digits it would take about 10 million yearsto compute the prime factors using a modern classical computer and the mostefficient known classical algorithm, called the number field sieve[10]. This meansthat the problem is in practice impossible to solve with current technology.However, when powerful enough quantum computers can be build, the code willbecome breakable since due to Shor’s factoring algorithm. Shor’s algorithm isan efficient quantum algorithm to factor large numbers. The task that takesclassical computers millions of years to complete, could be accomplished in amanner of days on large enough quantum computers. This is a clear warningthat the security of public-key cryptosystems is not a sufficient guarantee formessages that must be kept secret for indefinitely long times.
4.2 Quantum key distributionQuantum key distribution (QKD) is a protocol by which secret key bits can becreated between two parties over a public channel and is provably secure. Thekey bits can then be used to implement a classical secret key cryptosystem likethe Vernam cipher, to enable the parties to communicate securely. The onlyrequirement for the QKD protocol is that qubits can be communicated over apublic channel with an error rate lower than a certain threshold. The securityof the resulting key is guaranteed by the properties of quantum information,and thus is conditioned only on fundamental laws of physics being correct.
In classical physics it is impossible to know with certainty if some eaves-dropper is monitoring a message. The reason is that classical information canbe copied without changing the original message. Indeed, information must beencoded in some physical system (a piece of paper, radio signals, etc.), whoseproperties can be measured passively. In contrast, in quantum mechanics themeasurement process in general disturbs the system for fundamental reasons.The basic idea behind QKD is this: the eavesdropper cannot gain any infor-mation from the qubits transmitted from Alice to Bob without disturbing their
13
state. First of all, by the no-cloning theorem, the eavesdropper cannot clone Al-ice’s qubit. Second, in any attempt to distinguish between two non-orthogonalquantum states, information gain is only possible at the expense of introducingdisturbance to the signal.
Quantum key distribution protocol makes use of this idea by transmittingnon-orthogonal qubit states between Alice and Bob. By checking for disturbancein their transmitted states they can detect possible eavesdropping. If the levelof eavesdropping is below a certain threshold a key can be produced which isguaranteed as secure (i.e. the eavesdropper has no information about), otherwiseno secure key is possible and communication is aborted.
Two types of quantum key distribution protocols were invented. The firstuses the polarization of photons to encode the bits of information while theother one uses entangled photons to achieve the same.
4.3 The BB84 protocolThe BB84 protocol was discovered by Bennett and Brassard in 1984. Thesecurity of the protocol comes from encoding the information in non-orthogonalqubit states. BB84 uses two pairs of states, with each pair conjugate to theother pair, and the two states within a pair orthogonal to each other. Whenusing the polarization of photons as qubits, the usual polarization state pairsused are the rectilinear basis (+) states and the diagonal basis (×) states. Thedescription of the protocol follows:
1. Alice generates a random sequence of 0’s and 1’s.
2. Alice randomly selects one of the two bases (rectilinear or diagonal) andthen prepares a photon polarization state, depending both on the bit valueand the chosen basis. She encodes 0 as either ↑ or ↗ and 1 as either →or ↘.
3. Alice sends the resulting series of qubits (photons) to Bob.
4. For each qubit, Bob decides at random what axis (+ or ×) to use formeasurement. Approximately half of the time, Bob chooses the sameaxis as Alice. When they choose the same axis, Bob measures the samevalue Alice encoded. In contrast, if Bob chooses an axis different fromAlice, the bit resulting from his measurement agrees with the bit sent byAlice only half of the time. For instance, if Bob receives a photon in the→ polarization state, and performs a measurement in the × basis, theoutcomes 0 and 1 have equal probability. From now on Alice and Bobexchange only classical information over a public channel.
5. Bob communicates to Alice over a classical public channel which bases heused for each of the measurements. Of course, he does not communicatethe results of his measurements.
6. Alice communicates to Bob over a classical public channel which bases sheused to encode each of the transmitted qubits.
7. Alice and Bob delete all bits corresponding to the cases in which they useddifferent bases. After this thay share the so-called raw key. This key is
14
Alice’s random data bits 1 0 0 0 1 1 0 1 0 1Alice’s random sending basis × + × + × × × + + ×Photon polarization Alice sends ↘ ↑ ↗ ↑ ↘ ↘ ↗ → ↑ ↘Bob’s random measuring basis × + × × + × + × + +Photon polarization Bob measures ↘ ↑ ↗ ↗ ↑ ↘ ↑ ↗ ↑ ↓Bob’s data bits 1 0 0 0 0 1 0 0 0 1Shared raw key 1 0 0 1 0
Table 1: An example of the BB84 protocol.
the same for Alice and Bob, insofar as there were no disturbances causedby noise or eavesdropping.
8. Over a public channel, Alice and Bob announce and compare a part oftheir raw key. From this comparison they can estimate the error rate Rdue to eavsdroppers or noise effects. If this rate is to high, they restartthe protocol from the beginning. If not, they perform information rec-onciliation and privacy amplification on the remaining bits of their rawkey.
9. Information reconciliation is simply classical error correction over a publicchannel. We won’t go into the detail of classical error correction here, itis described in [1]. After the information reconciliation, with high proba-bility, Alice and Bob share the same string of bits.
10. The final step, privacy amplification, reduces the eavesdroppers informa-tion about the final secret key to arbitrarily small values. Let us illustratea simple privacy amplification protocol. Alice and Bob estimate from theerror rate R obtained previously the maximum number of bits k knownby the eavesdropper. Let s be a security parameter. Then Alice and Bobchoose at random n−k−s subsets of their key, where n denotes the num-ber of bits in the key. The parities of these subsets become the final secretkey. This key is more secure than the previous one, since the eavesdroppermust know something about each bit of a subset in order to obtain infor-mation about its parity. It can be shown that the eavesdropper’s residualinformation is aribtrarily small [1].
4.4 The E91 protocolAnother protocol was proposed by Artur Ekert in 1991. His scheme uses en-tangled qubit states. In its simplest version, Alice and Bob share a set of nentangled pairs of qubits in the state
|Φ+〉 =1√2
(|00〉+ |11〉) . (41)
Alice could prepare these states and send half of each to Bob, or vice versa.Alternatively, a third party could prepare the pairs and send halves to Aliceand Bob. Or they could have met a long time ago and shared them, storingthem until present.
15
Alice and Bob now perform measurements on their half of the EPR pair,randomly deciding to measure either in the rectilinear base (+) or the diagonalbase (×), each choice occuring with probability 1
2 . After the measurementprocess, Alice and Bob announce over a public channel which observable theymeasured for each EPR pair. In the cases in which their measurement axesagree, the outcomes are perfectly correlated, provided no noise or eavesdroppingoccured. Alice and Bob discard the other bits, thus remaining with a shared rawkey. After this, they proceed as in the BB84 protocol, first estimating the errorrate, then continuing with information reconciliation and privacy amplification.
It is interesting to note that the secret key is not generated by either Aliceor Bob. The key is undetermined until Alice and Bob measure their halves ofthe shared EPR pairs. Then the secret key arises from a fundamentally randomprocess, the quantum measurement. The key is truly random. In fact thesame applies to the BB84 protocol, since it can be reduced to an instance of ageneralized version of the E91 protocol [1].
Note that the E91 protocol is potentially interesting for key storage. Theproblem is the following: once the secret key has been established, Alice andBob must store it in their safes, until they need it. However, the key is astring of classical bits and, in principle, can be copied. It may be difficult tocrack open the safe, but always possible, no fundamental reasons exclude thispossibility. However, if Alice and Bob were able to store the EPR pairs, theycould wait to establish the secret key until needed. Of course many technicaldifficulties of implementing such key storage arise from the fact that one shouldbe able to protect the EPR pairs from noise effects, due to interactions withtheir environment, for long times. This possibility is beyond the reach of presenttechnology.
4.5 Possible attack strategiesIn quantum cryptography, traditional man-in-the-middle attacks are impossi-ble since any attempt to intercept the stream of photons will inevitably alterthem. The eavesdropper cannot re-emit the photons to Bob correctly, sincehis measurement has destroyed information about the photon’s full state andcorrelations.
Because usually a dedicated fiber optic line is required between the twopoints linked by quantum cryptography, a denial of service attack can be per-formed by simply cutting the line. Such an attack only prevents Alice andBob from communication, though, and doesn’t reveal any information to theeavesdropper.
Quantum cryptography is still vulnerable to a type of man-in-the-middleattacks where the eavesdropper establishes himself as “Alice” to Bob, and as“Bob” to Alice. Then, the eavesdropper simply has to perform QC negotiationson both sides simultaneously, obtaining two different keys. Alice-side key is usedto decrypt the incoming message, which is reencrypted using the Bob-side key.This attack fails if both sides can somehow verify each other’s identity.
4.6 Practical implementationsThe field in quantum information science that has best been practically demon-strated is quantum cryptography. In fact three companies are already offering
16
commercial quantum cryptography systems, based on the plug-and-play prin-ciple: id Quantique (Geneva) [14], MagiQ Technologies (New York) [15] andSmartQuantum (France) [16]. Several other companies also have active researchprogrammes, including Toshiba, HP, IBM, Mitsubishi and NEC.
So far the longest distance over which quantum key distribution has beendemonstrated using optic fibre is 148.7 km, achieved by Los Alamos/NIST usingthe BB84 protocol [11].
Besides optic fiber QKD, a lot of research is going into free space QKD, asit avoids the need to have an optical fibre set up between the communicatingparties. The current distance record for free space QKD is 144km between twoof the Canary Islands, achieved by a European collaboration using entangledphotons (the E91 protocol) in 2006 [12], and using a modified version of theBB84 protocol in 2007 [13]. The experiments suggests transmission to satellitesis possible, due to the lower atmospheric density at higher altitudes, which wouldbe of a big practical importance.
DARPA (Defense Advanced Research Projects Agency) has been runningand actively developing a 10-node quantum network which includes a 25 kmwireless link since 2004 in Massachusetts, USA.
In 2004, the world’s first bank transfer using quantum cryptography wascarried in Vienna by the group of Professor Anton Zeilinger from Vienna Uni-versity. In this practical demonstration, a cheque was transmitted from theVienna City Hall to a Bank Austria Creditanstalt office [17].
In 2004, European Union decided to invest 11 million EUR in a projectknown as SECOQC (Secure Communication based on Quantum Cryptogra-phy). The project SECOQC aims at evolving quantum cryptography into aninstrument that can be operated in an economic environment.
Quantum encryption technology provided by the Swiss company Id Quan-tique was used in the Swiss canton of Geneva to transmit ballot results to thecapitol in the national election occurring on October 21, 2007 [18].
Figure 10: A commercial stand-alone plug-and-play type unit combining quan-tum key distribution and secure encryption engines for point-to-point link en-cryption. The unit continuosly generates and exchanges 256-bit secure keys atregular intevals, up to 100 times per second. It works over distances of up to100 km. [14]
17
5 ConclusionQuantum communication offers some remarkable new possibilities, not availableby the means of classical communication. Perhaps the simplest application ofquantum mechanics to communication is superdense coding, which allows one tosend two bits of information by sending only one qubit. It is based on quantumentanglement, and is closely related to another interesting idea of quantumcommunication: teleportation.
Quantum teleportation is one well-known quantum information processingoperation which reliably transfers an unknown quantum state from one pointto another distant point, destroying the original state in the process. Thispossibility is of interest in quantum communication, as it allows transportationof quantum information from one unit of quantum computer to another.
Both superdense coding and quantum teleportation have been successfullyexperimentaly demonstrated, but so far the technology is at a very early stage ofdevelopment and is not yet practically useful, but intensive research continues.
Quantum cryptography is a remarkable and most advanced application ofquantum information science. It enables two parties to produce a shared randombit string known only to them, which can be used as a secret key to encryptand decrypt messages in a provably secure way.
Compared to superdense coding and teleportation, quantum cryptography ismuch more advanced. Some companies offer commecrial quantum cryptographybased systems. However, the current commercial systems are aimed mainly atgovernments and corporations with high security requirements. Factors prevent-ing wide adoption of quantum cryptography outside high security areas includethe cost of equipment, and the lack of a demonstrated threat to existing keyexchange protocols. However, with optic fibre networks already present in manycountries the infrastructure is in place for a more widespread use and researchcontinues at a rapid pace.
18
References[1] M. Nielsen, I. Chuang, Quantum Computation and Quantum Information,
Cambridge (2000)
[2] G. Benenti, G. Casati, G. Strini, Principles of Quantum Computation andInformation, World Science Publishing (2004)
[3] A.S. Holevo, Some estimates for the amount of information transmittableby a quantum communications channel, Problemy Peredači Informacii 9(3),3–11 (1973)
[4] W.K. Wootters, W.H. Zurek, A Single Quantum Cannot be Cloned, Nature299 802–803 (1982)
[5] K. Mattle, H. Weinfurter, P.G. Kwiat, A. Zeilinger, Dense Coding in Ex-perimental Quantum Communication , Phys. Rev. Lett. 76, 4656 (1996)
[6] C.H. Bennett, G. Brassard, C. Crepeau, R. Jozsa, A. Peres, W.K. Wootters,Teleporting an Unknown Quantum State via Dual Classical and Einstein-Podolsky-Rosen Channels, Phys. Rev. Lett. 70 1895–1899 (1993)
[7] D. Bouwmeester, J.W. Pan, K. Mattle, M. Eibl, H. Weinfurter, A. Zeilinger,Experimental Quantum Teleportation, Nature 390, 575-579 (1997)
[8] R. Ursin et.al., Quantum Teleportation Link across the Danube, Nature430, 849 (2004)
[9] M.D. Barrett et. al., Deterministic Quantum Teleportation of AtomicQubits, Nature 429, 737 (2004)
[10] C. Pomerance, A Tale of Two Sieves, Notices of the AMS 43 (12), 1473-1485 (1996)
[11] P.A. Hiskett, D. Rosenberg, C.G. Peterson, R.J. Hughes, S. Nam, A.E.Lita, A.J. Miller, J.E. Nordholt, Long-distance quantum key distribution inoptical fibre, New J. Phys. 8, 193 (2006)
[12] R. Ursin, et al, Free-Space distribution of entanglement and single photonsover 144 km, Nature Physics 3, 481–486 (2007), arXiv:quant-ph/0607182v2
[13] T. Schmitt-Manderbach, et al, Experimental demonstration of free-spacedecoy-state quantum key distribution over 144 km, Physical Review Let-ters 98.1 010504 (2007), http://www.quantum.at/uploads/media/PRL_98__010504__2007_.pdf
[14] http://idquantique.com/ [accessed February 5, 2008]
[15] http://magiqtech.com/ [accessed February 5, 2008]
[16] http://www.smartquantum.com/ [accessed February 5, 2008]
[17] http://www.secoqc.net/downloads/pressrelease/Banktransfer_english.pdf [accessed February 6, 2008]
[18] http://www.idquantique.com/news/files/com_swissquantum_ang.pdf [accessed February 6, 2008]
19
Related Documents
