Lo-Chau Quantum Key Distribution

1. Alice creates 2n EPR pairs in state each in state |00>, and picks a random 2n bitstring b,

2. Alice randomly selects n EPR pairs T for checking Eve’s interference,

3. Alice performs H on the second qubit of each pair i such that bi=1, she sends the second qubit of each pair to Bob,

4. Bob receives them and announces it,5. Alice announces b and T,6. Bob applies H on the qubits where bi=1,7. Alice and Bob measure their qubits in T in the Z basis,

publicly share the result. If more than t errors occurred they abort,

8. Alice and Bob consider the remaining qubits as being in superposition over all [n,m]-CSS(u,v) codes correcting any t errors. Alice measures u,v, sends result to Bob, both correct the errors and get m nearly perfect EPR pairs,

9. Alice and Bob measure the m EPR pairs in the standard computational basis to get a shared secret-key.

Family of CSS codes

Remember that CSS codewords are defined as:

€

x ∈ C1 ⇒ x +C2 =1

C2

x + yy∈C2

∑

Equivalently, we can define CSSu,v as follows:

€

x ∈ C1 ⇒ ξ x,u,v =1

C2

(−1)u⋅y x + y + vy∈C2

∑

CSSu,v codes all work the same way than CSS codes.

CSSxz(C1,C2) is a basis

We have seen that:

€

2−n / 2 ww∈ 0,1{ }

n

∑ ⊗ w = 2−n / 2 ξ vk ,x,z

vk

∑x,z

∑ ⊗ ξ vk ,x,z

•C1 is a [n,k1,t]-linear code,•C2 is a [n,k2]-linear code such that the dual of C2 corrects t errors.

•When A measures H1 she gets sx randomly in {0,1}n-k1,•When A measures H2 she gets sz randomly in {0,1}k2.After error-correction and decoding they get:

€

2k1 −k2

2 ξ vk ,sx ,sz⊗ ξ vk ,sx ,sz

vk∈ 0,1{ }

k1−k2

∑ decoding ⏐ → ⏐ ⏐ 2k1 −k2

2 k ⊗ kk∈ 0,1{ }

k1−k2

∑

Assume H1 is the parity check for C1 and H2 is the parity check for C2

*.

Error-Rate Estimation

Estimating the number of bit and phase flips:

€

∏bf = β 01 β 01 + β11 β11 ⇒ B = ( β 00 β 00 + β10 β10 ) − ( β 01 β 01 + β11 β11 ) ,

∏ pf = β10 β10 + β11 β11 ⇒ P = ( β 00 β 00 + β 01 β 01 ) − ( β10 β10 + β11 β11 ),

Remark that this allows for detecting bit and phase flips since :

β 01 = I⊗ X( ) β 00 , β10 = I⊗Z( ) β 00 , and β11 = I⊗Y( ) β 00 .

Since :

BP = PB⇒ Bit flips and phase flips can be observed unambiguously(hand- in #1).

Bit and phase flips can be extracted from observables P and B.

Thm: If n out of 2n 2-qubit states are tested that way and less than t bit and phase flips were found then the number t’ of phase and bit flips for the untested positions is such that:

€

Pr(t'>t+δn) <e−cδ2n,c >0.

A non-local testSince Alice and Bob are physically separated, the previoustest cannot be performed. However,

•Notice that the same statistics as before would be obtained if for each position either bit flip or phase flip would be tested but not both.

•Observe also that:

which means that bit flips and phase flips can be detected by applying both the Z or the X measurements and comparing the results.

Notice that Alice and Bob by doing this make the detection of both bit-flip and phase-flip impossible on a single qubit.

€

B = Z ⊗Z and P = X ⊗X,

Bit-Flips and Phase-Flips

Notice that using H on the second qubit of each pair at random randomizes the distribution of the errors:

€

Z β 00 = H−1XH β 00

X β 00 = H−1ZH β 00

It follows that the number of phase-flips and bit flips are distributed identically since H is applied randomly and Eve cannot find any information about when H is applied.

Only measuring for bit-flips gives a bound on both the number phase-flips and bit-flips. Thm: If n out of 2n 2-qubit states(in Lo-Chau) are tested for bit flips and t’ are detected then the number tx and tz for phase and bit flips in the untested positions is such that:

€

Pr(tx > t'+δn) < e−cδ 2n / 4,c > 0.

€

Pr(tz > t'+δn) < e−cδ 2n / 4,c > 0.

High Fidelity Implies Low Entropy

Lemma 12.9: If <00(n)

||00(n)

> > 1-2-s, then S) < (2n+s+1/ln2)2-s+O(2-2s).

Proof:

€

β00(n) ρ β00

(n) = λi β00(n) ei ei β00

(n)

i

∑ >1−2−s ⇒ ∃i( ) λi ≥1−2−s[ ].

It follows that S) <= Smax) where

€

ρmax=

1−2−s 0 K 0

02−s

22n −1L 0

M 0 O M

0 0 L2−s

22n −1

⎛

⎝

⎜ ⎜ ⎜ ⎜

⎞

⎠

⎟ ⎟ ⎟ ⎟

⇒ S(ρmax) =−(1−2−s)log(1−2−s)−2−s log(2−s

22n −1).

Application to Lo-Chau Protocol

•This is a secure Quantum Key distribution protocol!

•If the estimate for the number of errors is accurate and is such that the QECC allows to fix them then Alice and Bob share m perfect EPR pairs,

•Since the estimate is mistaken only with negligible probability 2-n then the state shared by Alice and Bob is such that <00

(n) ||00

(n) > > 1-2-n,

•By the Corollary to the Holevo bound, the amount of Shannon information available to the Eavesdropper, about the outcome of Alice’s and Bob’s measurements determining the key, is negligible,

1. Alice creates 2n EPR pairs each in state |00>, and picks a random 2n bitstring b,

2. Alice randomly selects n EPR pairs T for checking Eve’s interference,

3. Alice performs H on the qubit to be sent for each i such that bi=1, she sends the qubits to Bob,

4. Bob receives them and announces it,5. Alice announces b and T,6. Bob applies H on the qubits where bi=1,7. Alice and Bob measure their qubits in T in the Z basis, publicly

share the result. If more than t-n errors occurred they abort,8. Alice and Bob measure their remaining qubits according a check

matrix for a predetermined [n,m]-CSS code correcting t errors. They share the results, correct and get m nearly perfect EPR pairs,

9. Alice and Bob measure the m EPR pairs in the Z basis to get a shared secret-key.

Alice creates n random check bits, and n EPR pairs in state |00>. She encodes n qubits in state |0> or |1> according the check bits and picks a random 2n-bit string b,Alice randomly picks n positions T to put the check qubits among n EPR pairs,

Bob measures the check qubits in Z basis, publicly shares the resultwith Alice, if more than t-n errors occurred then they abort.

Modified* Lo-Chau Protocol

1. Alice creates n random check bits, and n EPR pairs in state |00>. She also encodes n qubits in state |0> or |1> according the check bits and picks a random 2n-bit string b,

2. Alice randomly picks n positions T to put the check qubits among n EPR pairs,

3. Alice performs H on the qubit to be sent for each i such that bi=1, she sends the qubits to Bob,

4. Bob receives them and announces it,5. Alice announces b and T,6. Bob applies H on the qubits where bi=1,7. Bob measures the check qubits in {|0>,|1>} basis, publicly shares the

result with Alice, if more than t-n errors occurred then they abort.8. Alice and Bob measure their remaining qubits according the check

matrix for a CSSx,z(C1,C2) where x and z are random. They share the results, correct the errors, decode and gets m perfect EPR pairs.

9. Alice and Bob measure the m EPR pairs in the Z basis to get a shared secret-key.The random CSS code is

randomly selected by Alicewhen she measures.

She could havedone this here !!

The key is random anddetermined by Alice here

Removing the Need for EPR Pairs

• At step 8, Alice gets x and z randomly and uniformly, since (but see note below):

• At step 9, Alice obtains a random m-bit sting k encoded in CSSxz(C1,C2) code: €

2−n / 2 ww∈ 0,1{ }

n

∑ ⊗ w = 2−n / 2 ξ vk ,x,z

vk

∑x,z

∑ ⊗ ξ vk ,x,z

€

2k1 −k2

2 ξ vk ,sx ,sz⊗ ξ vk ,sx ,sz

vk∈ 0,1{ }

k1−k2

∑ decoding ⏐ → ⏐ ⏐ 2k1 −k2

2 k ⊗ kvk∈ 0,1{ }

k1−k2

∑

All measurements could as well occur at the very beginning!Note that measurement of x,z actually return random cosets (of C1 and C2 dual). But Alice could announce random members of the cosetsand then x and z are indeed uniform.

m=k1-k2

1. Alice creates n random check bits, and n EPR pairs in state |00>. She also encodes n qubits in state |0> or |1> according the check bits and picks a random 2n-bit string b,

2. Alice randomly picks n positions T to put the check qubits among n EPR pairs,

3. Alice performs H on the qubit to be sent for each i such that bi=1, she sends the qubits to Bob,

4. Bob receives them and announces it,5. Alice announces b and T,6. Bob applies H on the qubits where bi=1,7. Bob measures the check qubits in Z basis, publicly shares the result

with Alice, if more than t-n errors occurred then they abort.8. Alice and Bob measure their remaining qubits according the check

matrix for a CSSx,z(C1,C2) where x and z are random. They share the results, correct the errors, decode and gets m perfect EPR pairs.

9. Alice and Bob measure the m EPR pairs in the Z basis to get a shared secret-key.

Alice creates n random check bits, a random m bit key k, random x and z. She encodes |k> in CSSxz(C1,C2). She also encodes n qubits in state |0> or |1> according the check bits and picks a random 2n-bit string b.Alice randomly chooses T and put the check qubits among the encoded |k>,

Alice announces x,z, b and T to Bob,

Bob corrects and decodes the remaining qubits according the CSSxz(C1,C2)code,Bob measures the decoded qubits in basis Z and gets key k.

CSS codes protocol

Still needs quantumComputer!!!

Bob needs storing!

Removing the need for Quantum Computer

Alice sends the encoding:

€

k a1

C2

(−1)wz

w∈C2

∑ vk ⊕ w⊕ x =ξvk,z,x ,

Bob receives:

€

1

C2

(−1)wz⊕(vk ⊕w⊕x)e2

w∈C2

∑ vk ⊕ w⊕ x ⊕e1 ,

Bob decodes for bitflips:

€

1

C2

(−1)wz⊕(vk ⊕w⊕x)e2

w∈C2

∑ vk ⊕ w⊕ x ,

Bob can recover k by measuring and identifying the coset:

€

vk ⊕ w a k ∈C1/C2.

x is removed usingAlice’s announcement

z and correcting e2

are now useless!

• Alice creates n random check bits, a random m bit key k, random x and z. She encodes |k> in CSSxz(C1,C2). She also encodes n qubits in state |0> or |1> according the check bits and picks a random 2n-bit string b.

• Alice randomly chooses T and put the check qubits among the encoded |k>,

• Alice performs H on the qubit to be sent for each i such that bi=1, she sends the qubits to Bob,

• Bob receives them and announces it,• Alice announces x,z, b and T to Bob,• Bob applies H on the qubits where bi=1,• Bob measures the check qubits in {|0>,|1>} basis, publicly shares the

result with Alice, if more than t-n errors occurred then they abort.• Bob corrects and decodes the remaining qubits according the

CSSxz(C1,C2) code,• Bob measures the decoded qubits in basis Z and gets key k.

CSS codes protocol

Bob measures the remaining qubits to get vk+w+x+e1 and subtracts x before correcting e1 to get vk+w,Bob computes the coset vk+w+C2=vk+C2 in order to get k.

Alice announces x, b and T to Bob,

Bob doesn’t need todo quantum

error-correction!

But Alice does!

€

=1

C2

vk ⊕ w⊕ xw∈C 2

∑ vk ⊕ w⊕ x.

Removing Alice’s encoding

Since Alice does not need to announce z, she sends a mixture:

€

ρvk,x =12n ξvk,z,x ξvk,z,x

z

∑

€

=1

2n C2

(−1)z(w1⊕w2 ) vk ⊕ w1 ⊕ x vk ⊕ w2 ⊕ xw1 ,w2∈C2

∑z

∑

When w1+w2<>0 then half thez will produce -1 and half +1

This state is simpler to create than a CSS encoding:

Alice classically chooses w in C2 at random, constructs|vk+w+x> as before using random x and k.

• Alice creates n random check bits, a random m bit key k, random x and z. She encodes |k> in CSSxz(C1,C2). She also encodes n qubits in state |0> or |1> according the check bits and picks a random 2n-bit string b.

• Alice randomly chooses T and put the check qubits among the encoded |k>,

• Alice performs H on the qubit to be sent for each i such that bi=1, she sends the qubits to Bob,

• Bob receives them and announces it,• Alice announces x, b and T to Bob,• Bob applies H on the qubits where bi=1,• Bob measures the check qubits in {|0>,|1>} basis, publicly shares the

result with Alice, if more than t-n errors occurred then they abort.• Bob measures the remaining qubits to get vk+w+x+e1 and subtracts x

before correcting e1 to get vk+w,

• Bob computes the coset vk+w+C2=vk+C2 in order to get k.

Alice creates n random check bits, a random x, a random vk in C1/C2, and a random w in C2. She encodes n qubits in state |0> or |1> according vk+w+x. She also encodes n qubits in state |0> or |1> according the check bits and picks a random 2n-bit string b.

No more quantumcomputer needed

Alice randomly chooses T to put as check qubits among the encoded |vk+w+x>,

Further Simplifications

Alice sends:

€

vk ⊕ w⊕ x

in C2

in {0,1}nin C1/C2

€

vk ⊕ w⊕ x⊕ eBob gets :

Alice announces:

Bob subtracts :

€

vk ⊕ w⊕ e

If Alice chooses vk in C1 then w becomes useless!!

€

vk ⊕ x

€

vk ⊕ x⊕ e

€

vk ⊕ e

€

x

Further Simplifications

€

x ⊕vk

€

vk ⊕ x

€

vk ⊕ x⊕ e

€

vk ⊕ e

€

x

€

xAlice sends:

Bob gets :

Alice announces:

Bob subtracts :

Notice that vk+x is completely random, so Alice could choosex at random and send |x> with no change for the rest of the world.

in {0,1}nin C1

ex +

€

vk ⊕ e

• Alice creates n random check bits, a random x, a random vk in C1/C2, and a random w in C2. She encodes n qubits in state |0> or |1> according vk+w+x. She also encodes n qubits in state |0> or |1> according the check bits and picks a random 2n-bit string b.

• Alice randomly chooses T and put the check qubits among the encoded |k>,

• Alice performs H on the qubit to be sent for each i such that bi=1, she sends the qubits to Bob,

• Bob receives them and announces it,• Alice announces x, b and T to Bob,• Bob applies H on the qubits where bi=1,• Bob measures the check qubits T in {|0>,|1>} basis, publicly shares

the result with Alice, if more than t-n errors occurred then they abort.• Bob measures the remaining qubits to get vk+w+x+e1 and subtracts x

before correcting e1 to get vk+w,

• Bob computes the coset vk+w+C2=vk+C2 in order to get k.

Alice chooses random vk in C1 and creates 2n qubits in states |0> and |1> according to 2n random bits. She also picks a random b in {0,1}2n,

Alice randomly chooses n check positions T while the others are |x>,

Alice announces b, x-vk, and T to Bob,

Bob measures the remaining qubits to get x+e, subtracts x-vk to get vk+ e, and

corrects e according C1 to finally get vk,Alice and Bob compute the coset vk+C2 in order to get k.

Almost BB84

Only quantum memory remains to be removed

Alice could preparethe qubits already

in bases b!

Almost done

• Alice could pick (4+)n random bits, for each she creates a qubit in basis |0>,|1> or |+>,|-> according b.

• Upon reception, Bob could measure randomly in the X or Z basis.

• When Alice announces b, they keep only the matching positions.

• Only then, Alice chooses the check qubits.

Secure BB84• Alice creates (4+n random bits,• For each bit, she creates a qubit in the Z or X basis according a random b,• Alice sends the resulting qubits to Bob,• Alice chooses a random vk in C1,• Bob receives and publicly announces it. He measures each qubit in random Z or X basis,• Alice announces b,• Alice and Bob only keep the qubits measured and sent in the same basis. Alice randomly picks 2n of the remaining positions and picks n for testing,• Alice and Bob publicly compared their check bits. If too many errors occurred then they abort. Alice is left with |x> and Bob with |x+e>.• Alice announces x-vk. Bob subtracts this from his result and corrects according C1 to obtain vk,• Alice and Bob compute the coset vk+C2 in C1 to obtain k.

Tolerable noise level for secure QKD

€

kn

=1−2H(2tn

)

Randomizing the positionsof errors allows for correctingt errors with a code of minimumdistance about t (with good prob).

QKD for Sale!

Link Encryptors are hardware Quantum Cryptography appliances for point-to-point wire-speed link

encrpytion. Quantum Key Distribution and AES encryption engines are

combined in a stand-alone unit. Vectis is a layer 2 encryption device that securely

bridges two Fast Ethernet fiber optic networks.

Plug-and-play Quantum Key Distribution system that was designed for research

and development applications. It is the ideal tool for researchers interested to

contribute to the field of Quantum Cryptography.