Quantum Cryptography Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) www.icfo.es Paraty, Quantum Information School, August 2007
Entanglement vs Prepare & Measure After measuring one qubit of a maximally entangled state of two qubits and getting result b, we are projecting the other qubit into the same state. Alice Bob Alice Bob Perfect correlations in the x and z bases also suffice to detect a maximally entangled state of two qubits.
Security proofs QKD: Any intervention by Eve introduces errors in the channel that can be detected by the honest parties and abort the insecure transmission. Should Alice and Bob abort the protocol whenever they see errors?! They should learn how to deal with noise. In particular, from the amount of observed errors they should be able to: Estimate their correlations. Bound Eve’s information. Conclude whether a secret key can be established. Design a key distillation protocol to establish the key. Example: whenever the observed QBER<11%, BB84 is secure.
How come that entanglement does not play any role in QKD? Entanglement and QKD Any entanglement based protocol can be mapped into an equivalent prepare and measure scheme (BBM92). Entanglement is the key resource for quantum information applications, it represents the most intrinsic quantum property, bla, bla, bla… How come that entanglement does not play any role in QKD?
Entanglement and QKD Alice Bob Eve Entanglement is a monogamous resource. It can be used to estimate the way Eve is at most correlated to a state shared by Alice and Bob. Alice Bob Schmidt decomposition: Eve Any other purification of Alice and Bob’s state is such that: All purifications are unitarily equivalent!
Prepare and Measure schemes Alice Bob Quantum channel Eve By repeating this process, Alice and Bob estimate the quality of their connecting quantum channel. They accumulate statistical data of the form: Probability that Bob gets the result k when applying the measurement j conditioned on the fact that Alice sent the state i.
Entanglement picture Alice Bob Eve Quantum channel Alice prepares a maximally entangled state of two qubits and sends half of it through the channel After interaction with Eve, the parties share the states: Alice and Bob estimate their state by local measurements. Eve In the equivalent prepare and measure protocol, Alice and Bob are virtually estimating the state . Using this information, the honest parties should conclude whether key distillation is possible.
Key distillation from quantum states Sequence of state preparations and measurements Classical-classical-quantum (CCQ) correlations Is key distillation possible?
Classical key distillation Consider a tripartite probability distribution describing three correlated random variables, P(A,B,E). Can Alice and Bob extract a secret key out of it? One-way communication: Csiszár- Körner 0100110101 0110110001 0100110001 0100110101 011=0 Final secret and error-free list of bits Alice Bob 1111110001 1111110101 0111110001 Eve
Privacy amplification against quantum adversaries Consider now classical-classical-quantum correlations, resulting from Alice and Bob measuring a tripartite quantum state. Can Alice and Bob extract a secret key out of it? Devetak-Winter Renner-König One-way communication: Holevo quantity: classical information encoded on quantum states When Alice obtains outcome , which happens with probability , Eve has:
De Finetti Theorem In the previous analysis, there was a very important hidden assumption: the attack of Eve is the same for each realization of the protocol. Quantum De Finetti theorem: Given a symmetric system, almost all of its parts are virtually identical and independent of each other. This result generalises de Finetti's classical representation theorem for infinitely exchangeable sequences of random variables. Renner The previous assumption can be made without loss of generality. Then it is possible to use the previous bounds to compute the secret-key rate.
Structure of security proofs General security proofs of QKD system: Alice and Bob apply random permutations to their systems. De Finetti argument follows. After sequences of state preparations and measurements, they obtain information about their connecting quantum channel, or equivalently, about the virtual bipartite state . The worst state compatible with the observed measurement outcomes is computed. This provides a bound on the way Eve can be correlated. Known bounds on the distillable secret key are finally applied.
Key distillation Alice Bob Quantum channel (losses) Public channel Transmission Qubits Alice Bob Quantum channel (losses) Raw key Public channel Reconciliation Basis Sifted key QBER estimate correction Error amplification Privacy Key Key
Example: BB84 Alice sends states from the x and z bases. Alice measures in the x or z bases half of a maximally entangled state of two qubits. By comparing some of the symbols, Alice and Bob estimate the elements:
Example: BB84 Consider the natural situation in which the error is the same in the two bases. Phase covariant cloning machine: In the optimal attack Eve clones in an optimal way the x and z bases.
BB84 rates If the QBER Alice and Bob observe is smaller than 11%, key distillations is possible. Otherwise, they may decide to abort the protocol. 11% represents a very reasonable amount of errors. Shor & Preskill
Pre-processing Is this the ultimate bound for key distillation? NO. There are several options to improve the secret-key rate. 1-p Pre-processing: Alice introduces some local noise. p 1 1 This deteriorates the information between Alice and Bob, but also between Alice and Eve. 1-p Example: BB84, the critical QBER changes, 11% → 12.4%. Given some ccq correlations, described by a state
Example: Six-state Consider the natural situation in which the error is the same in the two bases. The state is fully defined by the observed statisics in the x, y and z bases. Universal cloning machine: In the optimal attack Eve clones in an optimal way all the bases (states). QBER: 11.0% → 12.7% 12.4% → 14.1% The six-state protocol is more robust than BB84.
Two-way communication One can also consider key distillation protocols involving communication in two directions, from Alice to Bob and from Bob to Alice. Advantage Distillation Maurer 0100110101 010 =0=0=0 0=0=1= 0110111010 NO 011 =0=0=0 0=0=0= Alice YES Bob 101 =1=1=1 0=0=0= YES 1 1 0 1 0 0 0 This information is also useful for Eve! = = = Eve 1 0 1
Two-way communication The error between Alice and Bob in the new list after AD reads: The error tends to zero with the size of the blocks, L. Eve’s error also tends to zero with L. However, in some cases, the error between the honest parties tends to zero exponentially faster. AD Initially, one-way key distillation fails. KEY
Two-way communication AD Initially, one-way key distillation fails. KEY For each protocol, there is a critical value of the error rate εc such that if ε< εc the previous protocol with blocks of finite size L gives a secret key. Critical QBER BB84: 20% 6-state: 27.6% These values are tight, for the specific protocol.
Entanglement is necessary Recall: Alice and Bob by a sequence of state preparations and measurements acquire information about their connecting channel , or equivalently about the state . If the observed statistics is compatible with a separable state → no secret key can be generated by any method. This is equivalent to say that the channel is entanglement breaking, that is, it does not allow to distribute any entanglement. Therefore, even if Alice and Bob never use entanglement for the key distribution, their goal is to estimate the entanglement properties of their connecting channel and conclude whether key distillation is possible.
Is entanglement sufficient? Positive key Separability ? BB84 6-state QBER 27.6% 20% 25% 33.3% Pre-processing by one of the parties does not modify these values. Is entanglement sufficient for the security of prepare and measure schemes?
Conclusions The correspondence between entanglement based and prepare measure protocols is a very useful tool in the derivation of security proofs. Entanglement does play a (crucial) role in the security of QKD protocols. And what about non-locality?
Thanks for your attention!