Документ взят из кэша поисковой машины. Адрес оригинального документа : http://qi.phys.msu.su/papers/2007-jetpl(e)-85-297.pdf
Дата изменения: Sat Jan 3 14:36:30 2009
Дата индексирования: Mon Oct 1 19:46:59 2012
Кодировка:

ISSN 0021-3640, JETP Letters, 2007, Vol. 85, No. 6, pp. 297301. © Pleiades Publishing, Ltd., 2007. Original Russian Text © S.P. Kulik, S.N. Molotkov, A.P. Makkaveev, 2007, published in Pis'ma v Zhurnal иksperimental'nooe i Teoreticheskooe Fiziki, 2007, Vol. 85, No. 6, pp. 354 359.

Combined PhaseTime Encoding Method in Quantum Cryptography
S. P. Kulika, S. N. Molotkovbd, and A. P. Makkaveevd
b

Faculty of Physics, Moscow State University, Moscow, 119992 Russia Institute of Solid State Physics, Russian Academy of Sciences, Chernogolovka, Moscow region, 142432 Russia c Academy of Cryptography of the Russian Federation, Moscow, 121552 Russia d Faculty of Computational Mathematics and Cybernetics, Moscow State University, Moscow, 119899 Russia
Received February 15, 2007

a

A new combined phasetime encoding method is proposed for fiber optic quantum cryptography systems. Preliminary estimates are given for the probability of the critical error to which cryptographic key distribution is possible. PACS numbers: 03.65.Bz, 03.67.Db DOI: 10.1134/S0021364007060070

Quantum cryptography, i.e., cryptographic quantum key distribution through open communication channels, is based on fundamental quantum mechanical laws. Any measurement in a quantum system generally changes its state. This circumstance allows the detection of an eavesdropping attack in the communication channel. More formally, if the quantum system is in one of two nonorthogonal states, no measurements can allow one to distinguish these states with certainty. Certain indistinguishability between nonorthogonal states is a consequence of the Heisenberg uncertainty principle or, more formally, a consequence of the absence of a common set of eigenvectors of a pair of noncommuting operators. Eavesdropping attacks are detected at the receiver side by a change in the measurement statistics with respect to the statistics on unperturbed states. It is fundamentally impossible to distinguish eavesdropperinduced changes in measurement statistics from statistics changes caused by imperfections in the system (noise in the communication channel, dark counts of photodetectors, etc.). For this reason, all changes in measurement statistics and, correspondingly, errors in primary keys should be referred to the eavesdropper actions. If quantum cryptography made it possible only to detect eavesdropping attacks, this would be insufficient for key distribution. Quantum cryptography allows one not only to detect eavesdropping attacks but also to ensure the security of distributed keys if a change in the statistics (error in primary keys) does not exceed a certain critical value. The larger the admissible critical error to which the key distribution privacy is ensured, the more stable the quantum cryptographic protocol against eavesdropping

and noise. The most studied protocol is the so-called BB84 protocol [1]. The critical error for it is ~11% [2 4]. Moreover, this protocol can be implemented by various methods for quantum cryptography fiber optic systems. Other key distribution protocols, which have a larger critical error than the BB84 protocol, were theoretically proposed [24]. However, such protocols usually use multilevel quantum systems with a state-space dimension lager than two [5]. For this reason, experimental implementation of such protocols for fiber optic systems is very difficult and inconvenient. For example, the implementation of the protocol described in [6] requires the use of a four-arm MachZehnder interferometer at the receiver and transmitter stations for which it is very difficult to ensure long-term optical stability. In this work, a new key distribution protocol is proposed. Our previous estimates indicate that it ensures a larger critical error than that for the existing protocols and is realizable by a small modification of the existing quantum cryptography systems. This protocol is a combined phasetime encoding method for key distribution. In a certain sense, this encoding method is a combination of two quantum cryptographic protocols: BB84 [1] and B92 [7]. Let us first describe the formal protocol and then its fiber optic implementation. The protocol involves eight states, two states in each of four bases, which are denoted as +L, вL, +R, and вR. The states in the +L basis are 1 |0 + L = ------ ( |0 + |1 ) , 2 1 |1 + L = ------ ( |0 |1 ) ; 2 (1)

297

298

KULIK et al.

the states in the вL basis are 1 |0 в L = ------ ( |0 + i |1 ) , 2 1 |0 + R = ------ ( |1 + |2 ) , 2 1 |0 в R = ------ ( |1 + i |2 ) , 2 1 |1 в L = ------ ( |0 i |1 ) ; (2) 2 1 |1 + R = ------ ( |1 |2 ) ; (3) 2 1 |1 в R = ------ ( |1 i |2 ) . (4) 2

exceed the critical value. Finally, the cleaned key is compressed (privacy amplification occurs). Let us preliminarily estimate the critical error of this protocol for simple eavesdropping strategies in comparison with the BB84 protocol [1]. The first simplest strategy is the receptionretransmission with guessing the basis. For the standard BB84 protocol, this strategy reduces to the following. The eavesdropper tries to guess the basis and then performs measurements in this basis. The probability of correctly guessing the basis is equal to 1/2. If the basis is guessed correctly, the states in this basis are identified with certainty owing to their orthogonality. For this reason, for half the transmitted sequence, the eavesdropper knows all the transmitted states. For the second half, where the basis is not guessed, measurements in the incorrect basis provide an error probability of 1/2 for the eavesdropper. The mutual information of the eavesdropper's information on the transmitted sequence after the opening of the bases of the legitimate users is equal to IAE = 1/2 per message. The error appearing at the receiver side for this eavesdropper strategy is equal to Q = 25%, because half the states in half the sequence, where the basis was guessed incorrectly, in the process of the transmission of states from the incorrect basis provides error at the receiver side. For this protocol, the probability of guessing the correct basis is equal to 1/4. The L or R basis is guessed with a probability of 1/2, and the + or в is guessed with a probability of 1/2 for a chosen L or R basis. For this reason, the eavesdropper certainly knows one fourth of the bits in the transmitted sequence after the legitimate users open the bases. For the remaining three fourths of the sequence, the error probability for the eavesdropper is equal to 1/2 according to Eqs. (5)(8). Correspondingly, the mutual information of the eavesdropper is equal to IAE = 1/4 per message for the entire sequence. The argumentation for the probability of error due to the retransmission of states for half the sequence for which the basis L or R is guessed correctly is similar to that for the preceding case of the BB84 protocol. The 11 -error probability on the receiver side is equal to -- -- . For 42 the second half, for which the basis L or R is guessed incorrectly, the retransmission of states leads to an error 11 -probability of -- -- on the receiver side. The total error 22 probability is Q = 37.5% for mutual information IAE = 1/4. Thus, the mutual information for such a strategy is halved, and the error probability is one and a half larger than that for the BB84 protocol. The next receptionretransmission strategy for the standard BB84 protocol reduces to the measurement of states in the so-called symmetric (Briedbart) basis [8] in the two-dimensional state space. In this basis, the angles between the basis vectors and information states
JETP LETTERS Vol. 85 No. 6 2007

the states in the +R basis are

and the states in the вR basis are

Here, |0, |1, and |2 are the orthonormalized basis vectors (they correspond to the time-localized single-photon states pairwise shifted in time by a certain interval). The state space H is formally three-dimensional. The states from one basis are orthogonal to each other as in the BB84 protocol [1], and the states from different bases are pairwise nonorthogonal to each other as in the B92 protocol [7]. The protocol is formally described as follows. (i) Alice at the transmitter side randomly chooses one of eight equiprobable states and transmits it to Bob at the receiver side. (ii) Bob randomly chooses one of four equiprobable bases for measurements; more precisely, Bob randomly uses one of four measurements described by the following decompositions of unity I in H: I = |0 + L 0 + L| + |1 + L 1 + L| + |2 2| for a measurement in the +L basis, I = |0 в L 0 в L| + |1 в L 1 в L| + |2 2| for a measurement in the вL basis, I = |0 0| + |1 + R 1 + R| + |2 + R 2 + R| for a measurement in the +R basis, and I = |0 0| + |1 в R 1 в R| + |2 в R 2 в R| (8) for a measurement in the вR basis. Bob reports only the fact of receiving a state. (iii) After a series of messages and measurements, Alice opens the bases but does not open the states. (iv) Using an open channel, Bob reports the numbers of messages in which the bases do not coincide. These messages are discarded. The measurement results in messages where the bases coincide are treated by Bob as 0 or 1. In the absence of the eavesdropper and noise, measurements with coinciding bases allow unambiguous interpretation of the received states. Further actions are similar to other protocols. The error probability is estimated by opening a part of the received bit sequence (the opened part is then discarded). Then, distributed error correction in the remaining part occurs if the error probability does not (7) (6) (5)

COMBINED PHASETIME ENCODING METHOD

299

1 1 ------ (|0 ± |1) and ------ (|0 ± i|1) are equal to /8 and 2 2 5/8, respectively. In this basis, the probability p of the correct identification of the 0 or 1 bit is equal to (e.g., for the +L and вL bases) p = 0 + L|0 Br = 1 в L|1 Br
2 2

or R (this occurs with a probability of 1/2) and then use the intermediate basis. The basis L or R is correctly guessed only for half the sequence; e.g., L and measurements are then carried out in the intermediate basis, which are described by the unity decomposition I = |0 Br 0 Br| + |1 Br 1 Br| + |2 2| . (15)

= 1 + L|1 Br
2

2

= 0 в L|0 Br

2

(9) 1 1 = cos -- = -- 1 + ------ 85 %. 8 2 2

Correspondingly, the error probability 1 p (probability that 0 is resent to Bob when Alice really sends 1 and vise versa) is 1 p = 0 + L|1 Br = 0 в L|1 Br
2 2

In this case, for half the sequence for which the basis (e.g., L) is correctly guessed, the argumentation similar to the preceding case is valid. The mutual information of the eavesdropper is given by the expression I
AE

1 = -- ( 1 + p log p + ( 1 p ) log ( 1 p ) ) 0.2 . (16) 2

= 1 + L|0 Br
2

2

= 1 в L|0 Br

1 2 1 = 1 cos -- = -- 1 ------ 15 %. 8 2 2

(10)

For the second half of the sequence, for which the basis (e.g., L) is guessed incorrectly, the mutual information of the eavesdropper is equal to zero according to the structure of states (1)(4) and measurement (15). In this case, the eavesdropper-induced error on the receiver side is equal to 15 % 1 1 1 Q = ---------- + -- -- -- 32.5 %. - --422 2 (17)

Here, |0Br and |1Br form an intermediate basis. The mutual information of the eavesdropper on the bit string after the opening of the bases is limited by the capacity of the binary symmetric communication channel with the error probability 1 p: I
AE

= 1 + p log p + ( 1 p ) log ( 1 p ) 0.4 .

(11)

In contrast to the preceding strategy, the eavesdropper's information on each transmitted bit is probable. As is well known, private key distribution is possible [9] if the mutual information on a bit string between Alice and Bob IAB is larger than the mutual information between Alice and the eavesdropper: IAB > IAE. (12) Since the eavesdropper identifies states with error, the error Q appears at the receiver side. The mutual information IAB is determined by the capacity of the symmetric binary communication channel with the error probability Q as I
AB

= 1 + Q log Q + ( 1 Q ) log ( 1 Q ) .

(13)

Condition (12) provides a critical error at the receiver side to which the secure key distribution is possible (for this eavesdropping strategy): I
AB

=I

AE

0.4 ,

Q 15 %.

(14)

Thus, the eavesdropping strategy with measurement in the intermediate symmetric basis is more efficient for the eavesdropper than the strategy with simple guessing the bases. Let us discuss a similar strategy for our protocol. The intermediate symmetric basis that minimizes the error over all the states for the case where M = N + 1 (M is the number of bases; in our case, M = 4 and N = 3 is the dimension of the state space) is absent [10]. For this reason, the eavesdropper should first guess the basis L
JETP LETTERS Vol. 85 No. 6 2007

Thus, preliminary estimates show that the eavesdropper-induced error is larger and the information extracted by the eavesdropper is smaller than the respective quantities in the BB84 protocol. The cause is that the distinguishability of states for the eavesdropper is effectively smaller due not only to the nonorthogonality of the states in the different bases (+L, вL) and (+R, вR) but also to the pairwise nonorthogonality of the states from different bases L and R. The fiber optic implementation of this protocol is illustrated in the figure. The system consists of a laser, two unbalanced MachZehnder interferometers with the time arm difference T, two phase modulators, and two avalanche photodetectors operating in a gated mode. The laser generating short classical pulses used for synchronization (time matching) of single-photon states in each message, as well as an attenuator, is not shown in the figure. Preparation of information states. Alice switches on the laser generating short pulses in each message. One of two states shifted in time by T equal to the difference between the long and short arms of the Mach Zehnder interferometer is randomly generated with equal probability. At this stage, Alice chooses the basis L or R. We denote this pair of states as |0L and |1R. The states |0L and |1R differ from each other only by a time shift of |1R = U(T)|0L, where U(T) is the time translation operator by time T. Then, it is easily to verify that these states after the passage through the Mach Zehnder interferometer are transformed at one of its outputs to the following pair of states: |0 L 1 ------ ( |0 + |1 ) , 2 |1 R 1 ------ ( |1 + |2 ) . (18) 2

300

KULIK et al.

Fiber optic quantum cryptography scheme with phasetime encoding: MZ1 and MZ2 are the unbalanced MachZehnder interferometers, PM1 and PM2 are the phase modulators, L is the laser, D1 and D2 are the avalanche photodetectors, and 03 are the time windows.

Each state in Eqs. (18) is a superposition of the states |0, |1 and |1, |2 localized in the time windows 0, 1, and 2, respectively (see figure). The time windows 0, 1, and 2 spaced from each other by a time interval T are equal to the difference between the long and short arms of the MachZehnder interferometer. Further, when the states specified by Eqs. (18) pass through the phase modulator, Alice applies a voltage to the modulator for a short time. This voltage induces an additional phase difference between the "halves" of the i 1 1 states in the superposition ------ (|0 + e A |1), ------ (|1 + 2 2 e A |2). The application of the voltage to the phase modulator for a time when one of the halves of the state that is a superposition of states localized in the time windows is present in this modulator changes the refractive index of the medium. This change leads to the appearance of an additional phase difference between the halves in the superposition. Such an inclusion of phase modulators was used in [11] (in the previous fiber optic implementations of the BB84 protocol, the phase modulators were included in the long arms of the MachZehnder interferometers at the
Table 1 Bit value 0 1 0 1 Alice phase 0 /2 3/2
A
i

receiver and transmitter sides). Two possible variants of the voltage application are equivalent for the quantum cryptographic protocol, because only the relative phase difference between the halves in the superposition is meaningful. In the first variant, the voltage is applied in the 1 time window (to the front and back halves for the 1 1 states ------ (|0 + |1) and ------ (|1 + |2), respectively [18]). 2 2 In the second variant, the voltage is applied to the modulator in the 1 and 2 time windows if Alice generates 1 1 the states ------ (|0 + |1) and ------ (|1 + |2), respectively. 2 2 For definiteness, we suggest that Alice uses the second variant and randomly chooses the voltage on the modulator, which leads to the relative phase difference presented in Table 1. Then, after attenuation, the states are sent to the communication channel. At the receiver side, Bob randomly chooses voltages on the phase modulator independently from Alice, which lead to the additional relative phase difference B = 0 or /2. The technique of the application of the voltage to the modulator is the same as at the transmitter side. Before the input of the MachZehnder interferometer at the receiver side, the states after the phase modulator have the form 1 ------ ( |0 + e 2 1 ------ ( |1 + e 2
i (A B)

State State Bob phase in basis L in basis R B |0+L |1+L |0вL |1вL |0+R |1+R |0вR |1вR 0 0 /2 /2

|1 ) in the basis L , |2 ) in the basis R .

(19) (20)

i (A B)

Further, the bases are matched through the open communication channel. Alice reports the bases for each
JETP LETTERS Vol. 85 No. 6 2007

COMBINED PHASETIME ENCODING METHOD Table 2 Bit value 0 1 0 1 0 1 0 1 Alice's state |0+L |1+L |0вL |1вL |0+R |1+R |0вR |1вR Bob's state 1 -- (|0 + 2|1 + |2) 8 1 -- (|0 + |2) 8 1 -- (|0 + |2) 8 1 -- (|0 + 2|1 + |2) 8 1 -- (|1 + |3) 8 1 -- (|1 + |3) 8 1 -- (|1 + 2|2 + |3) 8 1 -- (|1 + 2|2 + |3) 8 Bob's detector D1 D2 D1 D2 D1 D2 D1

301

In conclusion, we note that the exact critical error for this protocol is unknown to date. The preliminary estimates for the simplest receptionretransmission eavesdropper strategies provide the hope that the potential critical error of the proposed protocol is larger than that of the standard, most studied BB84 protocol. The proposed protocol allows generalization (enhancement in the sense of the critical error) if states in each of the +L and вL bases (similarly in +R and вR bases) are made pairwise nonorthogonal by appropriately choosing phases. Such a construction leads to the so-called BB84 4 + 2 protocol [12], which is stable against the photon number splitting attack. In our case, this leads to a new protocol more stable than the BB84 4 + 2 protocol, which will be reported elsewhere. S.N.M. acknowledges the support of the Academy of Cryptography of the Russian Federation. This work was supported by the Russian Foundation for Basic Research (project nos. 05-02-08306-ofi-a, 05-0217387, and 06-02-16769). REFERENCES

D2

message that she uses but does not report the bit values. In each basis, there are two bit values that are not opened. Bob retains the measurements only in the messages where the bases coincide. The correspondence of the bases (relative phases in the superposition) of Alice and Bob is shown in Table 1. For undiscarded messages, where the bases coincide, the states presented in Table 2 arrive at the detectors D1 and D2. The measurements are carried out by gating the detectors D1 and D2 in the 1 and 2 time windows, which are chosen randomly. After the stage of basis matching through the open communication channel between Alice and Bob, Bob can certainly identify the transmitted bit values. For example, in the absence of the eavesdropper, if the state |0+L is transmitted, counts for the states in the +L basis occur only in the 1 time window in the detector D1 and never occur in the detector D2. The transformation of states by means of the phase modulator and interferometer at the receiver side and measurement in certain time windows by the detectors D1 and D2 are equivalent to the measurements specified by Eqs. (5)(8) in the sense of the distinguishability between the states.

1. C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computer Systems and Signal Processes (Bangalore, India, 1984), p. 175. 2. D. Mayers and A. Yao, quant-ph/9802025. 3. E. Biham, M. Boyer, P. O. Boykin, et al., quantph/9912053. 4. P. W. Shor and J. Preskill, quant-ph/0003004. 5. H. Bechmann-Pasquinucci and A. Peres, Phys. Rev. Lett. 85, 3313 (2000). 6. H. Bechmann-Pasquinucci and W. Tittel, Phys. Rev. A 61, 062308 (2000). 7. C. H. Bennett, Phys. Rev. Lett. 68, 3121 (1992). 8. C. H. Bennett, F. Bessette, G. Brassard, et al., J. Cryptology 5, 3 (1992). 9. I. CsiszДr and J. KЖrner, IEEE Trans. Inf. Theory 24, 339 (1978). 10. M. Bourennane, A. Karlsson, and G. BjЖrk, Phys. Rev. A 64, 012306-1 (2001); R. Asplund, M. Bourennane, and G. BjЖrk, quant-ph/0011037. 11. Y. Nambu, K. Yoshino, and A. Tomita, quantph/0603041. 12. V. Scarani, A. Acin, G. Ribordy, and N. Gisin, Phys. Rev. Lett. 92, 057901-1 (2004); A. Acin, N. Gisin, and V. Scarani, quant-ph/0302037.

Translated by R. Tyapaev

JETP LETTERS

Vol. 85

No. 6

2007