Embed Size (px)
DESCRIPTION
Quantum Cryptography. Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) www.icfo.es. Paraty, Quantum Information School, August 2007. Quantum Information Theory. - PowerPoint PPT Presentation
Citation preview
Paraty, Quantum Information School, August 2007
Antonio AcínICFO-Institut de Ciències Fotòniques (Barcelona)
www.icfo.es
Quantum Cryptography
• Quantum Information Theory (QIT) studies how information can be transmitted and processed when encoded on quantum states.
• New information applications are possible because of quantum features: communication complexity and computational speed-up, secure information transmission and quantum teleportation.
• The key resource for all these applications is quantum correlations, or entanglement.
• A pure state is entangled whenever it cannot be written in a product form:
• A mixed state is entangled whenever it cannot be obtained by mixing product states:
Quantum Information Theory
baAB
iiiii
iAB bbaap
Quantum Information Theory
Quantum Information Theory makes my life, as a physicist, much easier!
1. Quantum Mechanics goes often against our classical intuition.
2. Standard probability theory does not apply.
3. The more quantum, the better!!
Quantum Superpositions
50%
50%
T
R
100%
0%
A photon is sent into a mirror of transmission coefficient 1/2. The photon is detected in each of the two detectors half of the times.
The experiment is slightly modified and two the two paths are now combined into a second mirror with the same transmission. One can adjust the difference between the two paths in such a way that only one of the detectors click!
Entanglement and Bell’s inequalities
Entanglement is the most intrinsic quantum feature and Bell’s inequality violation its most striking consequence.
Game: two players meet and decide about which colour to wear for their shirt and trouser. This colour can be red or green. Then, they are separated into two distant locations where they cannot communicate. A referee asks them about the colour of the shirt or trouser. Their correlated strategy has to be such that if both are asked about the trouser, their colour should be different, otherwise they should agree.
S S
T T
S S
T T
S or T? S or T?
SS
Entanglement and Bell’s inequalities
Example: they both wear everything in red. They succeed in ¾ of the events.
3 BABABABA TTpSTpTSpSSp This is just a rewriting of the CHSH Bell’s inequality
S S
T T
S S
T T
S or T? S or T?
S S
If the parties share a correlated quantum state when they meet, they can succeed with a probability ! 85.04/22
Quantum correlations are more powerful than classical correlations.
Quantum Cryptography: a new form of security
• Standard Classical Cryptography schemes are based on computational security.
• Assumption: eavesdropper computational power is limited.
• Even with this assumption, the security is unproven. E.g.: factoring is believed to be a hard problem.
• Quantum computers sheds doubts on the long-term applicability of these schemes, e.g. Shor’s algorithm for efficient factorization.
Quantum Cryptography: a new form of security
• Quantum Cryptography protocols are based on physical security.
• Assumption: Quantum Mechanics offers a correct physical description of the devices.
• No assumption is required on the eavesdropper’s power, provided it does not contradict any quantum law.
• Using this (these) assumption(s), the security of the schemes can be proven.
Quantum Key Distribution (QKD)
0101110010100011
1000100011110101 1000100011110101
1101010001010110
Sent: sum mod 2Contains NO info!
0101110010100011
• Private-key cryptography
•This scheme is information-theoretically secure!
•How is the key distributed? Quantum states.
Alice Bob
The classical bit can take twovalues, the so-called logical 0 and 1. Examples of realizations of a bit are:
0
1All these realizations encodethe same amount of information:one bit.
The classical bit
0
1
The quantum bit or qubit can be represented by a point onthe so-called Bloch sphere. The poles are associated tothe states and . Any superposition of these two statesgenerates a unique point on this sphere. Therefore, anyquantum bit can be specified by means of two angles, that is, two real numbers.
0 1
The Quantum Bit10
ie
2sin
2cos
Heisenberg Uncertainty Relation
M
If the state of a system is equal to one of the poles of the Bloch sphere and one measures in the same direction, only one result is possibleand the measurement process does not change the state of the system.
MIf the state of the system is on the equator of the Bloch sphere, the two possible results appear with equal probability and the initial state “collapses” to the state associated to the obtained result.
The measurement process can modify the quantum state of the measured system.
C
C
It is possible to designa quantum operation thatperfectly clones the twopoles of the Bloch sphere.
CThe same machine producesnoisy copies, with errorsof states lying on theequator of the Bloch sphere.
The no-cloning theorem
There is no quantum operation that makes a perfect copy of any quantum state.
The no-cloning theoremAssume there is a machine duplicating the state of a two-dimensional system:
aaCL
0000 aaCL
When cloning a superposition of these two orthogonal states
1010 102110
211100
21
102110
21
aaa
aCLaCLaCL
1111 aaCL
Basics of Quantum CryptographyThe security of Quantum Key Distribution is based on:
Heisenberg’s uncertainty relation:
A system is perturbed when it is measured.
No-cloning theorem:
Quantum states cannot be perfectly copied.
These weird quantum properties can be used to send private information!
BB84 (Bennett & Brassard)
Alice Bob
Alice sends states from the x and z bases with random probability. Bob measures in the same basis. The choices of bases are local and independent.
11
21
11
21
110
001
xx
zz
Alice Bob
z
0
z
0
x 1
21
p
21
p
BB84 (Bennett & Brassard)Basis reconciliation: Alice and Bob announce their choices of bases. They keep only those symbols where the bases were equal → they get a list of perfectly correlated random bits. This list will provide the secret key.
Intercept-Resend attack: Eve intercepts the quantum state, measures it and prepares a new state for Bob, according to her measurement result.
Alice
z
0 Bob
z
Evez
0
0
0ERRORS!
BB84 (Bennett & Brassard)Cloning attack: Eve perfectly clones the states in the z basis.
EBB
EBB
E
E
111
000
110021
BE
Ex
1001
21
BEEB tr
Bob’s state is mixed, that is noisy! ERRORS!
Eve’s intervention causes errors. Alice and Bob can detect her attack by comparing some of the accepted symbols → they abort the protocol.
The amount of errors is related to Eve’s attack.
QBER: Quantum Bit Error Rate
zxi j
ii jbjaQBER, 1,0
1,Pr
Other protocolsSix-state protocol: all the three maximally conjugated bases are employed.
jizyxjibbb ji ,,,1,0212
Compared to BB84, the use of more states puts extra constraints on Eve’s attack. The protocol is more robust against noise.
Alice uses three bases, x, y and z, for information encoding. Bob measures in the same bases. The bases, in principle, agree with probability 1/3.
Alice and Bob do not have to choose the basis with the same probability. They can use the same basis almost always, and from time to time change to a different basis. This does not compromise the security and increase the rate.
Other protocols
B92: Two non-orthogonal states are enough for a QKD protocol.
Two non-orthogonal states cannot be perfectly cloned/estimated.
Vaidman: Two orthogonal states may also be enough.
z11100211100
21
Alice
Bobz1
0 1
Other protocols Generalization to higher dimensional systems: The alphabets are larger, dits instead of bits. They employ nb maximally conjugated bases, where 2 ≤ nb ≤ d+1, and
0 1 2 0010 0101 1002
1,,1,012 db
dbb ji
111310 *1
311 *1
312
32exp i
Coherent-state protocol: They employ coherent states of light and homodyne measurements. Interesting alternative to finite-dimensional schemes.
1. A QKD protocol is interesting when its implementation is simple.
2. All these schemes are prepare and measure protocols.
Ekert protocolAlice and Bob share a maximally entangled state of two qubits. Their measurement outcomes are fully random and perfectly correlated.
110021
AB
0
1
0 1
21
21
0
0
Alice Bob
If Alice and Bob know to share a maximally entangled state, they can safely measure in a given basis, say z, and obtain a perfect key.
Ekert protocolAlice
x=0
x=1
x=0
x=1x=2 Bob
y=1
y=0
• The measurements x=2 and y=0 are in the same direction. The corresponding outcomes coincide → these are used for the secret key.
• Measurements x,y=0,1 give the maximal violation of the CHSH Bell’s inequality for the maximally entangled state. They are used to check that the distributed state is indeed a maximally entangled state of two qubits.
222101100 Qbbabba
The security of the protocol seems to be related to Bell’s inequality violation.
Entanglement vs Prepare & Measure
After measuring one qubit of a maximally entangled state of two qubits and getting result b, we are projecting the other qubit into the same state.
Alice Bob
Alice Bob
Perfect correlations in the x and z bases also suffice to detect a maximally entangled state of two qubits.
Entanglement vs Prepare & Measure
• The detection of the maximally entangled state can be done using measurements that do not violate any Bell’s inequality. Non-local correlations are not necessary for security.
• After moving the source into one of the parties, the entanglement-based scheme is transformed in a completely equivalent prepare & measure protocol. No entanglement is needed.
• This construction, however, introduces a nice correspondence between entanglement based and prepare & measure protocols. This correspondence is largely exploited in security proofs.
Entanglement and non-locality will strike back!
