Документ взят из кэша поисковой машины. Адрес оригинального документа : http://qilab.phys.msu.ru/papers/Laser-Physics-14(10)-2004.pdf
Дата изменения: Mon Feb 4 18:39:27 2008
Дата индексирования: Mon Oct 1 20:03:15 2012
Кодировка:

Laser Physics, Vol. 14, No. 10, 2004, pp. 1314 1321.
Original Text Copyright © 2004 by Astro, Ltd. Copyright © 2004 by MAIK "Nauka / Interperiodica" (Russia).

NONLINEAR AND QUANTUM OPTICS

Quantum Key Distribution with a Continuous Alphabet
D. Sych, B. Grishanin, and V. Zadkov
International Laser Center and Faculty of Physics, Lomonosov Moscow State University, Moscow, 119899 Russia
e-mail: sych@comsim1.phys.msu.su Received January 15, 2004

Abstract--A novel quantum key distribution protocol (QKD) based on all unselected states of a quantum system that set the alphabet with a continuous set of letters is proposed. Employing all states of the Hilbert space leads to a maximum quantum uncertainty of transmitted states, and, therefore, an eavesdropper receives the minimum amount of information. For the case of a two-dimensional Hilbert space, our protocol allows secure transmission at an error rate better than that for the BB84-protocol and is comparable with the characteristics of the best known QKD protocols. However, with increasing the dimensionality of the Hilbert space, the critical error rate for our protocol increases and, in the limit of infinite-dimensional space, the protocol becomes nonthreshold.

1. INTRODUCTION Quantum cryptography could well be the first practical application of the rapidly developing field of quantum information [1]. Since the 1970s, when the idea of quantum cryptography was first proposed [2, 3], a number of different quantum key distribution (QKD) protocols for implementing it have been proposed [36]. Despite their diversity, all of them are based on the beautiful idea of employing a basic no-cloning principle of quantum mechanics--the impossibility of copying arbitrary quantum states [7]. Thanks to this, an eavesdropper cannot intercept the quantum communication channel without disturbing the transmitting message if it contains a set of incompatible, i.e., essentially quantum, states not governed by the rules of classical logic. Moreover, any attempt to obtain information about this set of states inevitably disturbs the transmitted message. Keeping this advantage of quantum physics for cryptography in mind, any QKD protocol uses messages entirely composed of an incompatible set of quantum states or a so-called quantum alphabet consisting of incompatible "letters." Various QKD protocols are distinguished in essence only by their different alphabets, which ensure secure message transmission up to the level of error determining the protocol efficiency. By analyzing distortions in received messages, one can reveal an eavesdropping attack, but, in order to establish a secure connection, one must also be capable of stemming such attacks. All QKD protocols discussed in the literature have relatively a low critical quantum bit error rate (QBER) [1, 8] above which they do not ensure secure transmission. It is eventually assumed that all perturbations in the transmitted information are caused by an eavesdropper. However, in reality, imperfections of the apparatus used for realizing the QKD schemes and external sources of noise in the quantum channel (in addition to the eavesdropper) also perturb the information and, therefore, set

a limit on the maximum length of secure quantum channels used in the QKD schemes [1]. These limitations significantly hinder applications of quantum cryptography to make secure transmission impossible over an arbitrary distance, and, in order to overcome this obstacle, one has to develop more efficient QKD protocols. For the optimum efficiency analysis of various protocols, different efficiency criteria are used in the literature [9], which is inconvenient for objective comparison of the protocols. In this paper, we use the most appropriate, in our view, criterion, based on estimating classical Shannon information transmitted through a secure channel of the QKD scheme [10]. A typical QKD scheme includes three basic players, Alice, Bob, and Eve (the conventional names for the sender, receiver, and eavesdropper, respectively), which communicate via a quantum channel. Despite the communication channel between Alice, Bob, and Eve being quantum, in the final analysis they exchange classical information. Therefore, the classical Shannon information can serve as a valid measure for the quantitative analysis of QKD protocols. It corresponds to the joint probability distribution of the measurement results (which are classical) in the quantum system AliceEveBob. Any QKD alphabet is formed by selecting a set of quantum states at the input and output of the quantum channel. The selection rules determine the different QKD protocols. For example, the QKD protocol proposed in 1992 by Bennett--hence the name B92 [4]-- uses only two quantum states, which is the minimum limit of incompatible letters composing the alphabet. The first QKD protocol proposed in 1984 by Bennett and Brassard (BB84) [3] is another example of a protocol, in which four incompatible quantum states are used. In the other limiting case, when selection of quantum states is not performed and, therefore, the alphabet consists of all states of the Hilbert space, we have a new

1314

QUANTUM KEY DISTRIBUTION WITH A CONTINUOUS ALPHABET

1315

QKD protocol, which we analyze in this paper. We will show that this protocol has essential advantages over the other known QKD protocols. Specifically, its critical QBER exceeds that for the BB84 protocol and generalization of our protocol to the case of multidimensional Hilbert space further significantly increases the critical QBER. In the limit of infinite-dimensional Hilbert space, the protocol has no error threshold and the critical QBER approaches its maximum possible value. This means that our QKD protocol can basically work at any level of external errors or eavesdropping attacks (except for brutal interceptresend attacks), which is a novel feature for QKD protocols. 2. COMPATIBLE INFORMATION AS A QUANTUM INFORMATION MEASURE FOR QKD In quantum cryptography, Alice (A), Bob (B), and Eve (E) are different, kinematically independent quantum systems. Thus, the quantum events related to these systems represented by different Hilbert spaces are mutually compatible. Due to this property, any pair of quantum events at the input and output of the quantum channel can be considered classically. Quantum specificity of the channel is revealed then only in the form of intrinsic quantum uncertainty of events at the input and output of the channel. We will call information related to the mutually compatible events in two quantum systems compatible quantum information [11, 12]. A natural quantitative measure of compatible information is the standard mutual Shannon information functional of the classical inputoutput (AliceBob) joint probability distribution PAB: I AB [ P AB ] = S A [ P A ] + S B [ P B ] S AB [ P AB ] , (1) where S[P] is the classical Shannon entropy functional for the joint, P = PAB, and marginal, P = PA, PB, probability measures [10]. In quantum information theory, like in the classical theory of information, one has to clarify which quantum events are used for the information exchange between quantum systems and define the set of elementary events of which any message is composed. Elementary events for a quantum system are given by the wave functions representing the state vectors of the system. Mathematically, a choice of basis events or the information basis can be given by defining a set of pos^ itive operators E representing a nonorthogonal expansion of the unit operator [13] or the positive operator valued measure (POVM) [14]: ^ 1=

are defined by the two limiting cases of the unit operator expansion: the two-component orthogonal POVM [15] ^ ~~ 1 = |µ µ| + |µ µ| and the continuous nonorthogonal POVM [12] ^ 1= (3)

| | dV ,

(4)

~ where |µ and | µ are an arbitrary pair of orthogonal wave functions and dV = sin dd/(2) with the standard angular parameters on the Bloch sphere. The completely selected information determines information exchange between two quantum systems A ^ and B with the joint density matrix AB through the selected set of orthogonal quantum events. The orthogonal basis determined by the unitary two-parametric transformations UA() and UB() in the quantum systems A and B, respectively, can be chosen differently and the selected information also depends on the choice made: I AB ( , ) =

k, l

P AB ( k, l ) P AB ( k, l ) log 2--------------------------- , PA (k ) PB (l)

(5)

where parameters = (1, 1) and = (2, 2) are given by the standard Bloch sphere angles. The joint distribution
^ ^ ^ P AB ( k, l ) = Tr AB ( E A ( k ) E B ( l ) ) AB ,

^ where E

A, B

(k) = |k

A, B

k|

A, B

, is defined on the basis

states |k A and |l B of the input (Alice) and output (Bob) of the channel, which are the orthogonal basis states of the Hilbert spaces HA and HB, respectively. For the nonselected information, the information exchange equally includes all states participating in the exchange. Therefore, the information basis states of the information channel are all wave functions of the Hilbert spaces of a pair of quantum systems participating in the exchange. The respected nonselected information is then given as I
AB

=

P AB ( d, d ) P AB ( d, d ) log 2----------------------------------- , P A ( d ) P B ( d )
AB

(6) , and

^ ^ ^ where PAB(d, d) = TrAB( E A (d) E B (d)) ^ E A (d) = |A |AdV.

^ E .

(2)

For simplicity, in the following, we consider twodimensional spaces when not otherwise defined. The two limiting cases of the compatible information, completely selected and nonselected information,
LASER PHYSICS Vol. 14 No. 10 2004

Note that the nonselected information is equal to the selected information averaged over all orientations of the orthogonal bases: I
AB

=

dV dV I AB ( d, d ) ------------------ , 2 V

V=

dV = 2. (7)

1316

SYCH et al.

3. QKD PROTOCOL EMPLOYING ALL STATES OF THE HILBERT SPACE In quantum cryptography, the purpose of Alice and Bob is to establish a secure connection, which prevents copying of useful transmitted information by Eve. It has been proved that such a secure connection is possible if the amount of information Bob receives from Alice exceeds the information Eve receives either from Alice or Bob [16]. This condition can be written as I
AB

> max ( I AE, I BE ) .

(8)

If condition (8) is fulfilled, it is possible, with the help of special methods of privacy amplification, to reduce up to zero the amount of useful information Eve can gain through eavesdropping on the quantum channel. Even if condition (8) is not fulfilled, Alice and Bob can establish a secure connection using the advantage distillation protocols [1]. We do not consider this option here but keep in mind that using it can improve the security criterion for our QKD protocol. Eve, in turn, also tries to use optimum strategies of eavesdropping; i.e., Eve tries to gain maximum information about the transmitted message at a given error rate by performing any physically allowed transformations and minimizing the level of error she causes: I
AE, BE

When the transmission of the entire message, consisting of an essential number of elementary QKD steps, is completed, Alice and Bob should perform classical posttransmission procedures with the transmitted raw key. First, they determine the mutual probability distribution PAB(, ) and calculate the average amount of information IAB per transmission. For this, Alice and Bob disclose and then discard the random part of the measurement results by transmitting them over an insecure classical channel. The information transmitted from Alice to Bob, IAB, can be calculated with the help of Eq. (7), whereas the information transmitted between Eve and Alice and Bob, IAE and IBE, can be calculated using the theoretical model of eavesdropping, which we will discuss in the following subsection. Second, they need to check the security condition (8). If it is fulfilled, Alice and Bob decide that the secret key transfer is completed and perform then classical error correction and privacy amplification algorithms with the raw key. Otherwise, the transmitted key is not used. 3.1. Information Analysis of the Protocol For the information analysis of our protocol, let us first calculate the amount of information Bob received from Alice, IAB, and Eve received from Alice and Bob, IAE, BE, under the condition (9) of optimal eavesdropping. The initial state of the quantum system AliceEve ^ (1) ^ (1) Bob ABE = AB |0E0|E , which is described by the tensor product of the entangled antisymmetric pair ^ (1) AliceBob AB = ||AB ||AB and Eve's initial state |0E, is transferred after eavesdropping by Eve into the final state, which is an entangled state of Alice, Bob, U ^ (2) ^ (1) ^ (2) and Eve, ABE : ABE BE ABE . Let us assume that Alice's state | is totally entangled with the transmitting state | and is, for example, the antisymmetric ~ ~ Bell state || = (|| | |)/ 2 , which means that Alice knows the transmitting state | perfectly, because the maximum value of mutual selected information is equal to unity for the entangled states. We can assume (without reducing the generality of our consideration) that the unitary transformation UBE performed by Eve has the form |0 B |0 |1 B |0
U E U E
BE BE

=
I

max I
AB

= const

AE, BE

.

(9)

All known QKD protocols using finite-dimensional spaces of states are built on alphabets with a finite discrete set of incompatible quantum "letters," which can be realized as pure states of a quantum system. In this paper, we suggest a qualitatively new QKD protocol, which is based on the alphabet including all states of the Hilbert space. In other words, this alphabet consists of an infinite number of quantum letters formed by arbitrary superpositions of the orthogonal basis states of the Hilbert space HA. Let us first consider the case of two-dimensional space (the multidimensional case is considered in Section 4). The elementary step of the QKD protocol, i.e., the transmission of a single letter or state from Alice to Bob, can be outlined as follows: (i) Alice generates and transmits a randomly chosen state | via a quantum channel to Bob. (ii) Eve eavesdrops on the channel by performing a unitary bipartite transformation UBE with her initial probe state |0E and with the state |B transmitted by Alice to Bob and measures her final probe state. Though Eve does not measure the state transmitted from Alice to Bob directly, she disturbs it through the transformation UBE. (iii) Bob reads the perturbed state using an arbitrary projector for the measurement because he has no a priori information about the received message other than the dimension of the Hilbert space HA.

|0 B | 00 E + |1 B | 01 E , |0 B | 10 E + |1 B | 11 E .

(10)

The unitarity imposes the following restrictions, which are due to the orthogonality and normalization conditions: 00| 10 + 01| 11 = 0 ,
2 00

+

2 01

=

2 10

+

2 11

(11) = 1.

LASER PHYSICS

Vol. 14

No. 10

2004

QUANTUM KEY DISTRIBUTION WITH A CONTINUOUS ALPHABET

1317

It was suggested in [9] based on numerical estimations and then proved in [17] that, in the QKD protocols BB84 and B92, Eve's state at optimal eavesdropping lies in the two-dimensional Hilbert space. This is also true (and can be proved by analogy with [9]) for our QKD protocol. Therefore, the states |ij can be written, taking into account conditions (11), as a superposition of the two basis states: | = | 00 | 01 = | 10 | 11
00 10 11 01

01 11 10 00

|0 E , |1 E

solid line at = /4 shown in Fig. 2. From analyzing this figure, one can see that, at = 0, the level of eavesdropping attacks and the respected losses of information are equal to zero. At = /4, Eve's intervention is at a maximum and she acts similar to Bob in gaining the maximum possible information. The security condition (8) is fulfilled up to a cer(1) tain critical value 0 = /8, which is the intersection point (1) of the curves for IAB and IAE in Fig. 2. If Eve performs the unitary transformation (10) with < 0 , then Alice and Bob can establish a secure connection; otherwise, it is not established. 3.3. Definitions of the Error Rate in the QKD Protocols In order to estimate the error rate in the different QKD protocols and, therefore, their efficiency, different quantitative characteristics can be introduced. One of the characteristics most accepted in the literature, the quantum bit error rate (QBER), was suggested to characterize the error rate in the sifted key. It is defined as the ratio of wrong bits in the transmitted message to the total number of received bits. Obviously, the QBER for an ideal quantum channel without noise is equal to zero and one can use the QBER to estimate Eve's interference. Generally, any QKD protocol works up to a certain critical rate of error defined as the critical QBER. The larger the critical QBER, the more stable the protocol to errors caused by Eve. However, if the QKD scheme without external noise does not show the QBER to be equal to zero, then we cannot use the QBER characteristic for estimating the efficacy of the QKD protocol or for comparing it with other QKD protocols. In this case, the QBER, as it has been defined previously, simply does not reflect the real level of Eve's interference. Keeping in mind that Eve performs unitary transformation (10), we can define the QBER, which we designate as q, as the probability that Eve flips the transmitted bit of information to Bob: q = 01| 01 = 10| 10 = sin .
2 (1)

(12)

where the transformation parameters
mn

mn = ( 1 ) cos m -- cos n -- 2 2

(13)

are determined via the two angles and controlled by Eve. The resulting bipartite density matrices that Alice Bob, AliceEve, and BobEve obtained by averaging the three-partite density matrix over the third system enable us to calculate the respective mutual information: ^ ^
(2) AB

^ = Tr E

(2) ABE

I AB , I AE , I BE . (14)

(2) AE

^ = Tr B

(2) ABE (2) ABE

^

(2) BE

^ = Tr A

In our QKD protocol, Alice sends Bob any pure state with equal probability and neither Bob nor Eve has an a priori chosen basis for the measurement; thus, both Eve and Bob use an arbitrary chosen basis each. After averaging over a large number of measurements, due to Eq. (7), we find that the nonselected information is precisely the information measure for our QKD protocol. 3.2. Calculation Results Results for the mutual AliceBob, AliceEve, and BobEve nonselected information (IAB, IAE, and IBE, respectively) calculated with the help of Eqs. (6), (10), (12), and (14) are shown in Fig. 1 versus the parameters and controlled by Eve (see Eq. (13)). One can clearly see from the figure that, for all values of , , we have IAE IBE; thus, we will focus only on IAE in what follows. The optimal eavesdropping condition (9) requires that we look for the maximum IAE = IAE(, ) at a given value of IAB = IAB(, ). A detailed analysis of the data in Fig. 1 reveals that optimal eavesdropping can be realized at = /4 , which corresponds to the solid line in Fig. 1d. For most purposes, it is enough to consider only the case of optimal eavesdropping that corresponds to the
LASER PHYSICS Vol. 14 No. 10 2004

This definition essentially relies on the structure of the transformation (10) performed by Eve. It is worth also to note that, as was shown in [9], the QBER is not always an adequate characteristic of the degree of Eve's eavesdropping attacks, for instance, in the B92 protocol. Therefore, we suggest using another characteristic, which we call the compatible information error rate (CIER) and designate as Q. This characteristic naturally represents the degree of Eve's interference in the transmission of information in terms of the compatible information: I AB Q = 1 -------- [ 0, 1 ] . max I AB (15)

1318 (a)

SYCH et al. IAB, bit 0.28 (b) IAE, bit 0.28

0.14

0.14

/4 /8 0 0 (c) /8 0 /4

/4 /8 0 /4 0 (d) /8 0 /4

IAB, bit 0.10

0.05

/8

/4 /8 0 0 /8 0 /4 0 0

/8

/4

Fig. 1. (a) AliceBob, (b) AliceEve, and (c) BobEve mutual Shannon information versus Eve's eavesdropping parameters and . (d) Results of (a) for the AliceBob mutual Shannon information (IAB) as a contour plot; the solid line corresponds to the case of optimal eavesdropping.

Here, IAB is the AliceBob compatible information with the presence of eavesdropping and I is its maximum possible value without attacks by Eve. Qualitatively, the CIER is the error rate of the secret key that can be distilled from the correlations per transmission. By contrast with the QBER (q), the CIER (Q) is, in our view, the most adequate parameter for the information properties of QKD protocols, even in the presence of internal noise caused by the protocol itself. Without eavesdropping attacks by Eve, both parameters q and Q are equal to zero, which means that there are no transmission errors. At the maximum level of interference from Eve with the transmitted information, we have Q = 1 and q = 0.5, which correspond to the maximum possible level of errors caused by Eve. At the (1) critical point 0 , where the amount of information gained by Eve is equal to the amount of information (1) (1) received by Bob, Q 0 0.6 and q 0 0.15.
max AB

At an error level exceeding critical, i.e., at Q > Q 0 , the protocol does not ensure security of the transmitted data and Alice and Bob decide that the transmission is not complete. Note that the described scheme does not require bases reconciliation between Alice and Bob, i.e., selection of only that part of the message for which Alice and Bob used the same information basis, via an additional information exchange over the classical channel. However, one can significantly improve the stability of the protocol for a noisy quantum channel using the bases reconciliation considered in the next section. 3.4. Basis Reconciliation After transmission of an entire message through a noisy quantum channel, Alice and Bob can select only those transmitted data for which they used approximately similar orthogonal bases. In our case, the set of
LASER PHYSICS Vol. 14 No. 10 2004

(1)

QUANTUM KEY DISTRIBUTION WITH A CONTINUOUS ALPHABET I, bit 1.00 Information per transmission, bit 1.0

1319

0.75

0.9

0.8 0.50 0.7 0.25 (1) (2) 0.6

0

/8

/4

0.5 0

50

100

150 200 Number of areas

Fig. 2. AliceBob (dotted and dashed lines for the reconciliated and nonreconciliated basis states of Alice and Bob, respectively) and AliceEve (solid line) mutual Shannon information under the condition of optimal eavesdropping.

Fig. 3. Maximum amount of information per transmission versus the number of areas the Hilbert space is split into.

basis states is continuous; thus, it is necessary to split it into several approximately equal areas and count the bases that are similar, if they are in the same area on the Bloch sphere. Depending on the number of such areas, the mutual information in the AliceBob system per single transmission increases from 0.28 to 1 bit. This can be clearly understood because, for an initial state of the AliceBob system in the form of an antisymmetric Bell state, the mutual selected information is equal to unity when one uses similar bases from Alice and Bob. If the bases from Alice and Bob are different, the amount of information in a single transmission will be less than unity. The calculated dependency of the maximum amount of information per single transmission versus the number of areas in which we split the Hilbert space is shown in Fig. 3. We restrict the actions of Eve by the measurement of the probe state immediately after the unitary transformation (10). Therefore, one can suppose that Eve does not affect the data selection with the reconciling bases and does not use additional transformations after the bases have been reconciled. Then, she gains no additional information. The information that Bob receives from Alice per complete message transmission after the bases reconciliation is shown in Fig. 2 (dashed line). The new critical value is larger than , and, therefore, the critical error rates Q0 and q0 are significantly higher: Q
(2) 0 (2) 0 (1) 0

Note that the bases reconciliation procedure significantly increases the required number of messages transmitted over an insecure classical channel, because we have to transmit information about the area in which the randomly chosen basis lies. Accordingly, the number of filtered messages transmitted through a quantum channel is also decreased. It is not necessary, however, to infinitely increase the accuracy. As a rule, errors during data transmission have a typical finite level for the specific experimental QKD setup. Therefore, for the bases reconciliation, it is sufficient to increase the accuracy according to the external noise conditions up to a level that ensures an error rate less than the critical rate at which the QKD protocol guarantees secure transmission of data in accordance with the security condition (8). 4. MULTIDIMENSIONAL CASE We can fundamentally improve the properties of our QKD protocol using multidimensional spaces for Bob and Alice (D > 2). In the multidimensional case, the maximum possible amount of mutual selected informaD tion is equal to I max = log 2D and grows infinitely at D . The maximum possible amount of nonselected information is equal to the amount of accessible information [18]: I
D accesible

1 = log 2D ------ln 2

k=2

D

1 -- , k

0.81, and, for the QBER, we have q
Vol. 14 No. 10

(2) 0

0.254.

which, in the limit D of I 0.61 bit.

, is restricted by the value

LASER PHYSICS

2004

1320 Q0 1.00

SYCH et al.

0.96

0.92

0.88

0.84

one can select the required dimensionality of the Alice Bob space in order to meet this value of the CIER (Fig. 4). The question regarding Eve's transformation structure for performing optimal eavesdropping in the multidimensional case is essentially more difficult, but the result outlined above is qualitatively correct, despite the specific structure of Eve's transformation. The above-described advantage of our QKD protocol can be clarified as follows. When Alice sends a message, neither Eve nor Bob does not know a priori in which basis it is transferred. Therefore, both Eve and Bob are perplexed in the multidimensional space; they retrieve less information from the transmitted message as the dimensionality of the Hilbert space increases. After a partial bases reconciliation, which is described in Subsection 3.4, Bob significantly increases the amount of information per transmission by filtering only strongly correlated transmissions, i.e., the transmissions for which Alice and Bob used approximately equal bases. Eve, for her part, cannot filter the transmissions, and the amount of information she can retrieve remains the same. Therefore, the larger the dimension of the Hilbert space, the less equally Eve and Bob receive the information.
4 8 12 16 20 24 28 32 D

0.80 0

5. EXPERIMENTAL SETUP FOR A QKD PROTOCOL WITH CONTINUOUS ALPHABET An experimental setup for our QKD protocol with a continuous alphabet whose letters are coded with photon polarizations of the points is shown in Fig. 5. In the notation given, a random letter in the alphabet corresponds to an arbitrary photon polarization. At the Alice side of the QKD setup, random letters from the continuous alphabet are generated. The laser at this side generates single photons with determined polarization, which is rotated by a polarization plate at a random angle for each photon. Alice knows these random angles for each photon. Generated photons are transmitted then to Bob via a quantum channel (for instance, a fiber optical link preserving the polarizations of the photons). For the measurement in an arbitrary basis, Bob first rotates the polarization of the incident photon through the polarization plate to a random angle value and then performs measurement in the fixed basis. Alice and Bob reconcile their bases states by exchanging nonsecure public information over a classical channel, for instance, a telephone line. In the described QKD setup, the case of multidimensional Hilbert space for the quantum channel input and output can be, in principle, realized by transmitting information with the help of several entangled qubits (photons). It is, however, experimentally difficult to generate, operate, and measure arbitrary states in multidimensional spaces; i.e., it is difficult to generate and operate multiple entangled photons.
LASER PHYSICS Vol. 14 No. 10 2004

Fig. 4. Critical CIER Q0 versus the dimensionality D of the Hilbert space.

After bases reconciliation for Alice and Bob, the amount of information in the AliceBob system is given by the maximum possible selected information, whereas, in the AliceEve system, it is given by the maximum possible nonselected information, independently of the specific type of unitary transformation performed by Eve in the multidimensional case. Then, the critical CIER in the limit of D is equal to unity: Q = 1
0

= lim Q
D

D 0

D I accessible lim ----------------D ID max

0.61 1 lim ------------- = 1. D log 2 D

(16)

This means that, by increasing the dimensionality of the AliceBob system, one can reach a critical error rate (QBER or CIER) that exceeds any given value (below unity). The dependency of the critical CIER versus the dimensionality of the Hilbert space is shown in Fig. 4. The essential qualitative novelty of our QKD -protocol, which employs all states of the Hilbert space, is that it can work, in principle, with any imperfections or noise in the quantum channel (either internal or external) and has no any critical CIER value above which the protocol becomes insecure. For any given CIER value,

QUANTUM KEY DISTRIBUTION WITH A CONTINUOUS ALPHABET Alice 3 Bob 5

1321

16311, 02-03-32200) and INTAS (grant no. INFO 00479).
5

1

2

2

4

REFERENCES
1. N. Gisin, "Quantum Cryptography," Rev. Mod. Phys. 74, 145 (2002). 2. S. Wiesner, "Conjugate Coding," SIGAT News 15, 78 (1983). 3. Ch. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computer, System, and Signal Processing, Bangalore, India (IEEE, New York, 1984), p. 175. 4. Ch. H. Bennett, "Quantum Cryptography Using any Two Nonorthogonal States," Phys. Rev. Lett. 68, 3121 (1992). 5. D. Bruss, "Optimal Eavesdropping in Quantum Cryptography with Six States," Phys. Rev. Lett. 81, 3018 (1998). 6. F. Grosshans and P. Grangier, "Continuous Variable Quantum Cryptography Using Coherent States," Phys. Rev. Lett. 88, 057 902 (2002). 7. W. K. Wootters and W. H. Zurek, "A Single Quantum Cannot Be Cloned," Nature 299, 802 (1982). 8. D. Gottesman and Hoi-Kwong Lo, "Proof of Security of QKD with Two-Way Classical Communication," quantph/0105121 (2001). 9. C. A. Fuchs and A. Peres, "Quantum State Disturbance versus Information Gain: Uncertainty Relations for Quantum Information," Phys. Rev. A 53, 2038 (1996). 10. R. G. Gallagher, Information Theory and Reliable Communication (Wiley, New York, 1968; Sovetskoe Radio, Moscow, 1974). 11. B. A. Grishanin, Probl. Peredachi Inf. 38, 31 (2002). 12. B. A. Grishanin and V. N. Zadkov, "Measurement and Physical Content of Quantum Information," J. Commun. Technol. Electron. 47, 933 (2002). 13. B. A. Grishanin, Izv. Akad. Nauk SSSR, Tekh. Kibern. 11, 27 (1973). 14. J. Preskill, "Lecture Notes on Quantum Information," http://www.theory.caltech.edu/people/preskill/ph229/. 15. J. von Neumann, Mathematical Foundations of Quantum Mechanics (Princeton Univ. Press, Princeton, N.J., 1955; Nauka, Moscow, 1964). 16. C. H. Bennett, G. Brassard, and J. M. Robert, "Privacy Amplification by Public Discussion," SIAM J. Comput. 17, 210 (1988). 17. C. A. Fuchs, N. Gisin, R. B. Griffiths, et al., "Optimal Eavesdropping in Quantum Cryptography. I. Information Bound and Optimal Strategy," Phys. Rev. A 56, 1163 (1997). 18. C. M. Caves and C. A. Fuchs, Preprint (1996), quantph/9601025.

Fig. 5. Experimental setup for the QKD protocol with a continuous alphabet. At the Alice side, the laser (1) generates single photons whose polarization is rotated by the polarizator (2) at a random angle. These photons are transmitted to Bob via the quantum channel (3). The measurement part of the QKD setup at the Bob side includes the polarization plate (2) that rotates polarization of the incident photon, the beamsplitter (4), and the photon counting detectors (5). The supplementary classical channel over which Alice and Bob reconcile their bases states by exchanging nonsecure public information is not shown in the figure.

6. CONCLUSIONS In conclusion, a new QKD protocol based on a quantum alphabet with an infinite number of "letters" (i.e., employing all quantum states of the AliceBob quantum system) is proposed. It has a number of advantages over the other known QKD protocols. In the two-dimensional case, the critical QBER for our protocol exceeds 25% and can be increased further with the help of special classical methods of advantage distillation. The essential qualitative novelty of our QKD protocol in the multidimensional case is that it can work, in principle, for any imperfections or noise in the quantum channel (either internal or external) and does not have a critical bit error rate above which the protocol becomes insecure. For estimating Eve's intervention in data transmission through a quantum channel, we use a new classical, mutual Shannon informationbased criterion, which adequately reflects the information aspect of the eavesdropping and can be effectively used for both constructing and analyzing QKD protocols. The only restriction on Eve's strategy of eavesdropping is that she measures her probe state before the bases reconciliation. This restriction does not contradict the experimental realizations of the QKD-protocols; Alice and Bob need simply to reconcile their bases after the finite decoherence time in the quantum system. Obviously, such an experimental trick does not give a 100% guarantee of secure transmission, but, in real QKD schemes, it seems reasonable. ACKNOWLEDGMENTS This work was partially supported by the Russian Foundation for Basic Research (project nos. 01-02-

LASER PHYSICS

Vol. 14

No. 10

2004