Документ взят из кэша поисковой машины. Адрес оригинального документа : http://qilab.phys.msu.ru/papers/Quantum%20Electronics%2035(1)%2080.pdf
Дата изменения: Mon Feb 4 18:39:32 2008
Дата индексирования: Mon Oct 1 20:05:18 2012
Кодировка:

Quantum Electronics 35 (1) 80 К 84 (2005)

709/786 К KAI К 17/iii-05 К SVERKA К 5 рянят

ъ2005 Kvantovaya Elektronika and Turpion Ltd PACS numbers: 03.67.Dd; 03.67.Pp DOI: 10.1070/QE2005v035n01ABEH002886

мяор. Е 3

Analysis of limiting i nformation characteristics of quantum-cryptography protocols
D.V. Sych, B.A. Grishanin, V.N. Zadkov

Abstract. The problem of increasing the critical error rate of quantum-cryptography protocols by varying a set of letters in a quantum alphabet for space of a Иxed dimensionality is studied. Quantum alphabets forming regular polyhedra on the Bloch sphere and the continual alphabet equally including all the quantum states are considered. It is shown that, in the absence of basis reconciliation, a protocol with the tetrahedral alphabet has the highest critical error rate among the protocols considered, while after the basis reconciliation, a protocol with the continual alphabet possesses the highest critical error rate.
Keywords: optical quantum-information processing, quantum cryptography.

1. Introduction
Since the advent of the idea of quantum cryptography (QC) [1] up to now, several protocols have been proposed for its realisation [2К 5]. All these protocols are based on the principle excluding copying of arbitrary quantum states [6], which excludes exact copying of an arbitrary message transmitted through a quantum channel if the message is coded by letters representing the mutually nonorthogonal states of a quantum data carrier, for example, a photon. Moreover, any attempt to eavesdrop the message will inevitably produce errors in it, and by analysing these errors, one can not only uncover the eavesdropping itself but also calculate the maximum eavesdropped information volume possible for the given message. Recall the main steps of standard QC protocols by using the commonly accepted terminology: Alice is a data transmitter, Bob is a data receiver, and Eve is an eavesdropper. Different QC protocols have similar operating algorithms and differ in fact only in their alphabets, i.e., sets of quantum states playing the role of letters from which a message is constructed. The Иrst step is a choice of the alphabet, i.e., the coding of classical information, which
D.V. Sych, B.A. Grishanin, V.N. Zadkov Department of Physics, M.V. Lomonosov Moscow State University; International Teaching and Research Laser Center, M.V. Lomonosov Moscow State University, Vorob'evy gory, 119992 Moscow, Russia; e-mail: sych@comsim1.phys.msu.ru, grishan@comsim1.phys.msu.ru, zadkov@comsim1.phys.msu.ru Received 22 September 2004 Kvantovaya Elektronika 35 (1) 80 К 84 (2005) Translated by M.N. Sapozhnikov

Alice wants to communicate to Bob, by quantum states, when a set of several mutually nonorthogonal to each other but internally orthogonal pairs of states is related to a logic pair of bits `0' and `1'. For example, the alphabet of the Иrst QC protocol, referred to as BB84 by the names of its 1 creators [1], consists of four states: fj0i; p (j0i j1i); 2 1 j1i; p2 (j0iю j1i)g. Here, the Иrst two states correspond to `0', and the second two to `1'. To code a speciИc bit, a speciИc state is selected randomly from this set. For 1 1 example, the sequence j0i; p (j0i j1i); j0i; p (j0iюj1i), 2 2 1 p (j0iюj1i); j1i can correspond to the line 0, 0, 1, 1, 1. 2 Alice sends to Bob the bit sequence coded in this way. To extract classical information, Bob measures the received state in the basis randomly selected from the alphabet common with Alice and recovers from the measurement the transmitted classical bit. If he has guessed a `correct' basis, i.e., measured the state in the same basis in which it was encoded, he should correctly recover the classical bit. If he has failed to guess a correct basis, the probability of a correct recovery of the classical bit is 1/2 (for the BB84 protocol). Thus, at the Bob side the so-called `raw key' К a sequence of classical bits is formed, which inevitably contains errors. Then, the basis reconciliation is performed: by communicating through an open classical channel in what basis the measurement has been made (but not reporting its result), Alice and Bob will select only a part of messages for which Bob `has guessed' the basis correctly. In a `sifted' key obtained in this way, the data at the Alice and Bob sides should coincide because the presence of mutually nonorthogonal states guarantees the impossibility of an imperceptible eavesdropping. However, in reality there always exist additional errors caused by the natural noise in communication channels, the imperfection of the equipment, etc. For this reason, after obtaining the sifted key, Alice and Bob perform additional classical procedures to correct errors and improve the security [7]. A common feature of all the QC protocols is the presence of a critical error rate above which the protocol cannot guarantee the possibility of sharing a secret message. The existence of this critical error rate restricts the range of secret data transmission due to the natural noise in the communication channel. At present the maximum distance of secret data transmission in the open air is approximately 100 km [7]. One of the aims of the development of new QC protocols is increasing the critical error rate to make the protocol more stable against the eavesdropper attacks and natural noises in the experimental setup and information channel,

Analysis of limiting information characteristics

81

which allows the transmission of secret data over longer distances. The critical error rate can be increased by varying the alphabet and the dimensionality of the space of states. It is widely accepted (although is not proved) that in the twodimensional case the protocol with the alphabet consisting of three mutually unbiased bases, the six-state protocol, has the maximum critical error rate [4, 8, 9]. It is assumed, as a rule, that the critical error rate can be further increased only by increasing the dimensionality of the space of states [10 К 12]. In this paper, we consider the possibility of increasing the critical error rate above that of the six-state protocol by varying the alphabet in the two-dimensional space. Noting that a set of six letters of the six-state protocol forms an octahedron on the Bloch sphere (which is also called the Poincare sphere in some papers [13]), we consider alphabets whose letters form regular polyhedra: tetrahedron, cube, icosahedron, and dodecahedron having 4, 8,12, and 20 vertices, respectively, and as a limiting case of a polyhedron with an inИnite number of vertices, the continual alphabet, which equally includes all the quantum states. Protocols, which use such alphabets, repeat all the main steps of standard QC protocols, for example, the BB84 protocol [1] (the raw key formation, basis reconciliation, security improving, etc.). Some speciИc features are inherent only in a protocol with the continual alphabet (section 2) and in a protocol with the tetrahedral alphabet (section 3). In other respects, these protocols can be analysed using a standard scheme based on the calculation of the mutual information in bipartite subsystems of the tripartite Alice К Eve К Bob system [14].

Bloch sphere. We assume for simplicity that the regions into which the Bloch sphere is divided are circular with the radius R and that 2N 2 circles with the radius p=2N can certainly cover the entire Bloch sphere (with the unit radius). Then, we obtain the dependence of the amount of information in a qubit on the number of regions presented in Table 1.
Table 1. Dependence of the amount of information per qubit on the number of regions in the case of approximately reconciled bases. Number of 2 8 18 32 50 72 98 regions Amount of information (bit) 0.469 0.801 0.906 0.946 0.965 0.976 0.982

2. Peculiarities of a protocol with the continual alphabet
From the practical point of view, a protocol with the continual alphabet differs from protocols with the discrete alphabet in the basis-reconciliation procedure. For discrete alphabets, an exact reconciliation of bases is fulИlled, i.e., Alice and Bob select only the part of messages that were transmitted and received by using the same basis. For the continual alphabet, the bases cannot be reconciled exactly because the amount of information about a point of a continuum is inИnite. Therefore, we propose to reconcile the bases for the continual alphabet approximately. For this purpose, we divide the entire space of states into several regions with approximately identical states and will reconcile the bases by transmitting information on the number of the region to which the basis belongs. The two bases found in the same region are considered coincident. It is clear that such a procedure will produce additional errors caused by the nonzero projection of the state vector n coding the message `0' in the basis fjni; j~ig to the state ~ vector coding the message `1' in another basis fjmi; jmig, even if these bases fell into the same region. Let us calculate the amount of information I in one qubit in the case of approximately reconciled bases: F I 1 jhmjnij2 log2 jhmjnij2 dVn dVm jhmjnij2 dVn dVm ; (1) where integration is performed over the selected basisreconciliation region into which the states jni and jmi fall; and dVn , and dVm are the differentials of the volume on the

As the number of regions increases and, hence, the size of each region decreases, information contained in one qubit increases approximately from 0.47 bit for two regions to 1 bit in the limit of an inИnite number of regions. Note that the increase in the number of regions results in the proportional increase in the amount of additional information about the region number in the basis reconciliation and also in a proportional decrease in the number of messages selected after the basis reconciliation. Another speciИc feature of the protocol with the continual alphabet is the quantitative estimate of the measure of eavesdropper interference. One of the most widespread characteristics is the quantum bit error rate (QBER): Q 1 ю N=Nmax , where N is the number of correctly transmitted letters and Nmax is the total number of transmitted letters. The use of the QBER as the measure of eavesdropper interference assumes implicitly that QBER is zero in the absence of the eavesdropping. Indeed, a message transmitted through a perfect quantum channel with exactly reconciled bases contains no errors. However, in the protocol with the continual alphabet it is impossible to reconcile bases exactly, and the QBER is nonzero even in the absence of eavesdropping, so that it obviously does not characterise the real measure of eavesdropper interference. To solve this contradiction, we propose to estimate the data transmission accuracy by the relative amount of correctly transmitted information rather than by number of correctly transmitted letters. Then, the error rate can be ~ deИned as Q 1 ю I=Imax , where I is the amount of information per qubit in the presence of eavesdropping, and Imax is the maximum amount of information in the absence of eavesdropping. Similarly to the QBER, this quantity can be called the mutual information error rate (MIER). One can see that the MIER correctly characterises the level of eavesdropper interference even for the protocol with the continual alphabet with the approximately reconciled bases. Below, it is convenient to use both these characteristics, the QBER and MIER, assuming on default that when the QBER is used, the limiting case of exactly reconciled bases takes place.

3. The intercept К resend strategy
The simplest eavesdropping strategy is the measurement by Eve of the transmitted qubit in some basis and the subsequent transmission of the result of the measurement to Bob К the so-called intercept К resend strategy. It is clear that in this case, Eve exactly knows what Bob receives, and no secret communication between Alice and Bob can be

82

D.V. Sych, B.A. Grishanin, V.N. Zadkov

achieved. Therefore, the maximum error rate, at which the secret communication is possible, does not exceed the error rate caused by the intercept К resend strategy, i.e., the calculation of these errors gives the upper bound of the efИciency of the QC protocols. Let us assume that Alice sent a state jai to Bob, while Eve eavesdropped this state by using the basis fjci; jcc ig. Then, Eve obtained the result jci with the probability jhcjaij2 or the result jcc i with the probability jhcc jaij2 and sent the obtained result to Bob. After measuring the transmitted states jci and jcc i in the basis fjai; jac ig, Bob will obtain a correct result К the state jai with the probabilities jhcjaij2 and jhcc jaij2 and an incorrect result К the state jac i with the probabilities jhcjac ij2 and jhcc jac ij2 . The total probability for obtaining a correct result by Bob is jhcjaij4 jhcc jaij4 , and the error appearing probability is correspondingly Qac 1ю jhcjaij4 юjhcc jaij4 . To calculate the QBER, it is necessary to average Qac over all the Alice bases fag and to minimise the result of averaging over the Eve bases fcg: Q
fag fcg

formation UBE with the state jbiB transmitted from Alice to Bob and with the probe Eve state j0iE connected to the information channel (if the transformation performed by Eve is nonunitary, it corresponds to some unitary transformation in an extended system with the subsequent averaging over a part of variables, which adds no new information to her and presents no additional problems for Alice and Bob). This unitary transformation acts on the basis elements as j0iB j0iE ю3 j0iB jF00 iE j1iB jF01 iE ; (4) j1iB j0iE ю3 j0iB jF10 iE j1iB jF11 iE : The unitarity assumes the existence of restrictions following from the conditions of the orthogonality preservation hF00 jF10 ihF01 jF11 i 0 and the normalisation jF00 j2 jF01 j2 jF10 j2 jF11 j2 1. Taking these restrictions into account, the set of all the states jFij i can be represented as a superposition of only two basis states H IH I g00 g01 jF00 i f jF01 i g f g10 g11 g j0iE f gf g (5) d jF10 i e d g11 g10 e j1i ; E g01 g00 jF11 i where all the coefИcients of transformation (5) are expressed in terms of two parameters (y and j) controlled by Eve: gmn ( ю 1)mn cos (y ю mp=2) cos (j ю np=2). ^EB The initial density matrix r1 a j0iE h0jE jaiB hajB of the Bob К Eve system is transformed to the Иnal matrix ^EB r2 (a), which is used to obtain the joined tripartite probability distribution: ^EB PABE a; b; e TrBE jeiE hejE jbiB hbjB r2 adVE dVB : (6) The natural characteristic for the calculation of the amount of information is the standard information Shannon functional I
XY UBE UBE

Qac =Na Nc ;

where Na and Nc are the numbers of bases in the Alice and Eve alphabets. For the protocol with the continual alphabet, the corresponding integration is performed instead of summation. The results of calculations are presented in Table 2. The maximum possible error rate equal to 1/3 is provided by protocols with alphabets containing 6 and 8 letters and by the protocol with the continual alphabet. Protocols with 12 and 20 letters have a somewhat lower error rate equal to 74=225 9 0:329. Note a speciИc feature of the four-letter protocol with the tetrahedral alphabet, which is absent in Table 2. Because tetrahedron has no central symmetry, the letters in such an alphabet do not form the sets of orthogonal bases, and the basis-reconciliation procedure in the standard form is not performed for this protocol.
Table 2. QBER caused by the intercept К resend strategy. Number of alphabet letters QBER 6 0.333 8 0.333 12 0.329 20 0.329 I 0.333

PXY SPX SPY ю SP

XY

,

(7)

4. Optimal eavesdropping strategy
It was proved [15] that a safe connection between Alice and Bob is possible if Bob receives from Alice more information than Eve from Alice or Bob, i.e., ю IAB > max IAE ; IBE : (1) Consider the optimal extracts the maximum dropped message at the ducing the corresponding I
AE;BE

eavesdropping strategy, when Eve of information from the eavesgiven level of interference proerror rate, which can be written as : (2)

max I
I
AB

const

AE;BE

Note that this strategy can differ from optimal cloning [16]. Without loss of generality we can assume that in the case of optimal eavesdropping, Eve performs the unitary trans-

where S[P] is the classical Shannon entropy [17] deИned on the joined (P PXY ) and partial (P PX , PY ) probability distributions. By averaging (6) over the third system, we obtain bipartite probability distributions and, by using (7), the corresponding dependences of the information IAB , IAE , and IBE on the parameters y and j in the Alice К Bob, Alice К Eve, and Bob К Eve systems. A comparison of these dependences shows that the condition IAE 5 IBE is fulИlled for any values of the parameters y and j. Therefore, there is no need to consider below the dependence of the information IBE , and the safety condition (2) is transformed to the relation IAB > IAE . Analysis of the optimal eavesdropping condition (3) shows that this condition is fulИlled in the region of values of parameters y p=4. Taking into account that the dependences of IAE and IAB are symmetric with respect to y j, Fig. 1 shows only one-parametric dependences IAB (y) when the optimal eavesdropping condition (3) is fulИlled.

Analysis of limiting information characteristics I bit ~ Table 4. Critical error rate Q0 in the case of the basis reconciliation. Number of alphabet letters MIER 6 0.806 8 0.805 12 0.804 20 0.805 I 0.811

83

AB

0.3

4 6 8 12 20 I

0.2

0.1

0

p= 8

y

p= 4

Figure 1. Dependence of the amount of information IAB in the Alice К Bob system on the parameter y for protocols using 4, 6, 8, 12, and 20 letters and the protocol with the continual alphabet (inИnite number of letters).

reconciliation for the protocol with the continual alphabet is assumed). The security condition IAB > IAE is now fulИlled up to the other values of y0 (compared to the case of the absence of the basis reconciliation), which depend on the speciИc protocol. In this case, the critical error rate also increases (see Table 4). After the basis reconciliation, the protocol with the continual alphabet has the highest error rate, which is valid in the limiting case of an exact basis reconciliation. For the tetrahedral alphabet, the basis-reconciliation procedure is not performed in a standard form, so that Table 4 does not contain the corresponding result.

5. Experimental realisation
Because of the symmetry IAB (y, j) IAE (j, y) and the optimality condition y p=4 ю j, the security condition IAB > IAE is fulИlled up to the critical value y0 p=8 at which the information eavesdropped by Eve is equal to the ~ information received by Bob. The critical error rates Q0 for protocols under study are presented in Table 3, from which it follows that, when the bases are not reconciled, the protocol with the tetrahedral alphabet has the highest critical error rate.
~ Table 3. Critical error rate Q0 in the absence of the basis reconciliation. Number of alphabet letters MIER 4 6 8 12 20 I

Figure 2 shows the experimental scheme for realisation of the QC protocols considered above, where the letters are coded by polarisation of photons.
Alice 3 Bob

5

1

2

2

2

2

4

5

0.650 0.630 0.607 0.597 0.589 0.600

Figure 2. Experimental scheme for realising QC protocols: ( 1 ) source of single photons; ( 2 ) Pockels cell; ( 3 ) quantum channel; ( 4 ) polarisation beamsplitter; ( 5 ) photon counter.

Note that the direct calculation of the amount of information is not connected with its coding. Most often binary coding is used, when `0' is assigned to one of the states from the orthogonal pair and `1' is assigned to another state, which is related to the basis-reconciliation procedure. Coding in the continual alphabet is similar to standard QC protocols because for any letter from the continual alphabet the orthogonal letter exists. The method of dividing the Bloch sphere into orthogonal pairs is arbitrary, only the division into regions should be taken into account by reconciling approximately the bases. It can be divided, for example, into the upper part of the Bloch sphere coding `0' and the lower part coding `1'. Because the letters of the tetrahedral alphabet do not form orthogonal pairs, another coding should be used for them, where `0' is assigned to two arbitrary letters and `1' is assigned to the two remaining letters. Consider now the role of the basis reconciliation. We assume that Alice and Bob perform security reconciliation of the bases, i.e., Eve does not affect the selection of data, does not introduce any false messages into the open communication channel and does not perform additional transformations with her probe state after the basis reconciliation, i.e., her information does not increase after basis reconciliation. The information IAB that Bob receives from Alice after the basis reconciliation proportionally increases compared to the case without the basis reconciliation and achieves a maximum value of 1 bit per message (an exact basis

On the Alice side, photons are generated with an arbitrary quantum polarisation state. This can be realised using source ( 1 ) of single photons with Иxed polarisation, for example, a laser emitting single photons. A set of letters forming the alphabet of the protocol being realised is speciИed by a set of point at the Bloch sphere and is determined by a set of the angles of rotation of the polarisation basis, for example, with the help of two Pockels cells ( 2 ), where the Иrst cell rotates the vertical component of polarisation, while the second cell rotates the horizontal component. Instead of Pockels cells, quarter-wave polarisation plates can be also used by rotating them through the angles corresponding to the selected alphabet. To the alphabets with a Иnite discrete set of letters, a Иnite discrete set of the angles of rotation of polarisation will correspond, while to the continual alphabet К a continuous set of the angles of rotation of polarisation. The received photon with an arbitrary polarisation state is then transmitted to Bob through polarisation-preserving quantum channel ( 3 ), for example, in the open space. On the Bob side, the polarisation of each photon is transformed according to the selected alphabet, as has been done on the Alice side, but in the reverse order, so that a photon after the transformation would be in the Иxed polarisation basis, in which it is measured with the help of polarisation beamsplitter ( 4 ) and photon counter ( 5 ). The above scheme for the transmission of quantum letters should be supplemented with a classical unclassiИed communication channel, which Alice and Bob use for

84

D.V. Sych, B.A. Grishanin, V.N. Zadkov

communicating the unclassiИed information to realise the open stages of the transmission of the quantum key, for example, to calculate the error rate, basis reconciliation, testing the security condition, etc.

6. Conclusions
Our analysis has shown that even when the two-dimensional space of quantum states is used, the critical error rate of the six-state protocol can be exceeded by varying the alphabet used. In the absence of the basis reconciliation, the protocol with the tetrahedral alphabet has a higher critical error rate than the six-state protocol, while in the case of the reconciled bases, the protocol with the continual alphabet has the highest critical error rate. Acknowledgements. This work was partially supported by the Russian Foundation for Basic Research (Grant Nos 0203-32200 and 04-02-17554) and the INTAS Grant INFO 00-479.

References
1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. Bennett Ch.H., Brassard G., in Proc. IEEE Intern. Conf. on Computer, System Signal Processing (New York: IEEE, 1984) p. 175. Ekert A.K. Phys. Rev. A, 67, 661 (1991). Bennett Ch.H. Phys. Rev. Lett., 68, 3121 (1992). Bruss D. Phys. Rev. Lett., 81, 3018 (1998). Grosshans F., Grangier P. Phys. Rev. Lett., 88, 057902 (2002). Wootters W.K., Zurek W.H. Nature (London), 299, 802 (1982). Stucki D., Gisin N., Guinnard O., Ribordy G., Zbinden H. New J. Phys., 4, 41.1 (2002). Bechmann-Pasquinucci H., Gisin N. Phys. Rev. A, 59, 4238 (1999). Gottesman D., Lo H.-K. IEEE Trans. Inf. Theory, 49, 457 (2003). Bechmann-Pasquinucci H., Tittel W. Phys. Rev. A, 61, 062308 (2000). Bourennane M., Karlsson A., Bjork G. Phys. Rev. A, 64, 012306 (2001). Cerf N.J., Bourennane M., Karlsson A., Gisin N. Phys. Rev. Lett., 88, 127902 (2002). Born M., Wolf E. Principles of Optics, 4th ed. (Oxford: Pergamon Press, 1969; Moscow: Nauka, 1973) p. 50. Gisin N., Ribordy G., et al. Rev. Mod. Phys., 74, 145 (2002). Bennett C.H., Brassard G., Robert J.M. SIAM J. Comput., 17, 210 (1988). Fuchs C.A., Gisin N., Griffiths R.B., Niu C.-S., Peres A. Phys. Rev. A, 56, 1163 (1997). Gallagher R.G. Information Theory Reliable Communication (New York: John Wiley and Sons, 1968).