VOLUME 77, NUMBER 13 P H Y S I C A L R E V I E W L E T T E R S 23 SEPTEMBER1996

eyt

2818

Quantum Privacy Amplification and the Security of Quantum Cryptographyover Noisy Channels

David Deutsch,1 Artur Ekert,1 Richard Jozsa,2 Chiara Macchiavello,1 Sandu Popescu,3 and Anna Sanpera1

1Clarendon Laboratory, Department of Physics, University of Oxford,Parks Road, Oxford OX1 3PU, United Kingdom

2School of Mathematics and Statistics, University of Plymouth,Plymouth, Devon PL4 8AA, United Kingdom

3Department of Electrical, Computer and Systems Engineering, Boston University,Boston, Massachusetts 02215

(Received 26 April 1996)

Existing quantum cryptographic schemes are not, as they stand, operable in the presence of noison the quantum communication channel. Although they become operable if they are supplemented bclassical privacy-amplification techniques, the resulting schemes are difficult to analyze and have nobeen proved secure. We introduce the concept of quantum privacy amplification and a cryptographicscheme incorporating it which is provably secure over a noisy channel. The scheme uses an“entanglement purification” procedure which, because it requires only a few quantum controlled-not and single-qubit operations, could be implemented using technology that is currently beingdeveloped. [S0031-9007(96)01288-4]

PACS numbers: 89.70.+c, 02.50.–r, 03.65.Bz, 89.80.+h

a-ureocaonin

ns

vene

teursineglehale-ennot.lyyhteesn

peroicthtoosh

tionrea-eney

ighyety ofm-y doomeuan-ingt isnge

ureusesh are.a

andrilyof

ven(see

edlo-

tionde-

tumrs,

Quantum cryptography [1–3] allows two parties (trditionally known as Alice and Bob) to establish a secrandom cryptographic key if, first, they have access tquantum communication channel, and second, theyexchange classical public messages which can be mtored but not altered by an eavesdropper (Eve). Ussuch a key, a secure message of equal length catransmitted over the classical channel. However, thecurity of quantum cryptography has so far been proonly for the idealized case where the quantum chanin the absence of eavesdropping, isnoiseless. That isbecause, under existing protocols, Alice and Bob deeavesdropping by performing certain quantum measments on transmitted batches of qubits and then ustatistical tests to determine, with any desired degreconfidence, that the transmitted qubits are not entanwith any third system such as Eve. The problem is tthere is in principle no way of distinguishing entangment with an eavesdropper (caused by her measuremfrom entanglement with the environment caused by incentnoise, some of which is presumably always presen

This implies that all existing protocols are, strictspeaking, inoperable in the presence of noise, since thequire the transmission of messages to be suspended wever an eavesdropper (or, therefore, noise) is detecConversely, if we want a protocol that is secure in the prence of noise, we must find one that allows secure tramission to continue even in the presence of eavesdropTo this end, one might consider modifying the existing ptocols by reducing the statistical confidence level at whAlice and Bob accept a batch of qubits. Instead ofastronomically high level envisaged in the idealized procol, they would set the level so that they would accept mbatches that had encountered a given level of noise. T

0031-9007y96y77(13)y2818(4)$10.00

ani-

gbee-dl,

cte-g

ofdt

ts)-

re-en-d.-

s-rs.-he-t

ey

would then have to assume that some of the informain the batch was known to an eavesdropper. It seemssonable that classical privacy amplification [4] could thbe used to distill, from large numbers of such qubits, a kin whose security one could have an astronomically hlevel of confidence [5]. However, no such scheme hasbeen proved to be secure. Existing proofs of the securitclassical privacy amplification apply only to classical comunication channels and classical eavesdroppers. Thenot cover the new eavesdropping strategies that becpossible in the quantum case: for instance, causing a qtum ancilla to interact with the encrypted message, storthe ancilla and later performing a measurement on it thachosen according to the data that Alice and Bob exchapublicly.

In this paper we present a protocol that is secin the presence of noise and an eavesdropper. Itentanglement-based quantum cryptography [2], but witnew element, an “entanglement purification” proceduThis allows Alice and Bob to generate a pair of qubits instate that is close to a pure, maximally entangled state,whose entanglement with any outside system is arbitralow. They can generate this from any supply of pairsqubits in mixed states with nonzero entanglement, eif an eavesdropper has had access to those qubitsalso [6,7]).

Our procedure—aquantum privacy amplificationalgo-rithm—(abbreviated as QPA algorithm) can be performby Alice and Bob at distant locations by a sequence ofcal operations which are agreed upon by communicaover a public channel. It is related to the procedurescribed in [8], but is more efficient.

In the idealized theory of entanglement-based quancryptography, Alice and Bob have a supply of qubit pai

© 1996 The American Physical Society

VOLUME 77, NUMBER 13 P H Y S I C A L R E V I E W L E T T E R S 23 SEPTEMBER1996

ta

olir

na

rei

Othit

a

h

v

otu

ci

rsuit

rs

-

p

he

d

nal’orxt

not

cial

ity

s.

tthesity

fnt

a-isof

-

u-

oly

each pair being in the pure, maximally entangled sjf1l, where

jf6l ­1

p2

sj00l 6 j11ld ,

jc6l ­1

p2

sj01l 6 j10ld .(1)

These are the so-called “Bell states” which form a cvenient basis for the state space of a qubit pair. Aand Bob each have one qubit from each pair. In the pence of noise, each pair would in general have becometangled with other pairs and with the environment, awould be described by a density operator on the spspanned by (1).

Note that any two qubits that are jointly in a pustate cannot be entangled with any third physical objTherefore any algorithm that delivers qubit pairspure states must also have eliminated the entanglembetween any of those pairs and any other system.scheme is based on an iterative quantum algoriwhich, if performed with perfect accuracy, starting wa collection of qubit pairs in mixed states, would discasome of them and leave the remaining ones in stconverging tojf1l kf1j.

Our first departure from existing quantum cryptograpschemes is to assume that Evedoesinteract with all thequbits that are transmitted or received by either AliceBob. Indeed we analyze the scenario that is most faable for eavesdropping, namely where Eve herself islowed to prepare all the qubit pairs that Alice and Bwill subsequently use for cryptography. Any realistic siation would also involve environmental noise that is nunder Eve’s control, but this may be treated as a specase in which Eve is not using the full information avaable to her.

Suppose, then, that Eve has prepared two qubit paisome manner of her own choosing and sends one qfrom each pair to both Alice and Bob. Let the densoperators of the two pairs ber andr0, respectively. Aliceperforms a unitary operation

j0l !1

p2

sj0l 2 ij1ld , (2)

j1l !1

p2

sj1l 2 ij0ld (3)

on each of her two qubits; Bob performs the inveoperation

j0l !1

p2

sj0l 1 ij1ld , (4)

j1l !1

p2

sj1l 1 ij0ld (5)

on his. If the qubits are spin-12 particles and the compu

tation basis is that of the eigenstates of thez componentsof their spins, then the two operations correspond, restively, to rotations bypy2 and2py2 about thex axis.

te

n-cees-en-dce

ect.nenturm

hrdtes

ic

oror-al-b-

otial

l-

inbit

y

e

ec-

Then Alice and Bob each perform two instances of tquantum controlled-not operation

controljal

target

jbl !controljal

target

ja © bl sa, bd [ h0, 1j , (6)

where one pairsrd comprises the two control qubits anthe other onesr0d the two target qubits [9]. Alice andBob then measure the target qubits in the computatiobasis (e.g., they measure thez components of the targetsspins). If the outcomes coincide (e.g., both spins upboth spins down) they keep the control pair for the neround and discard the target pair. If the outcomes docoincide, both pairs are discarded.

To see the effect of this procedure, consider the specase in which each pair is in stater and the joint stateof the two pairs is the simple productr ≠ r. This casewill suffice for our applications. We express the densoperatorr in the Bell basishjf1l, jc2l, jc1l, jf2lj anddenote byhA, B, C, Dj the diagonal elements in that basiNote that the first diagonal elementA ­ kf1jrjf1l,which we call the “fidelity,” is the probability that thequbit would pass a test for being in the statejf1l. Thuswe wish to drive the fidelity to 1 (which implies thathe other three diagonal elements go to 0). Now, incase where the control qubits are retained, their denoperator r˜ will have diagonal elementshA, B, C, Djwhich depend on averageonly on the diagonal elements or (the average is taken over the two different coincideoutcomes, e.g., both spins up and both spins out):

A ­A21B2

N ,

B ­2CD

N ,

C ­C21D2

N ,(7)

D ­2ABN ,

whereN ­ sA 1 Bd2 1 sC 1 Dd2 is the probability thatAlice and Bob obtain coinciding outcomes in the mesurements on the target pair. That is, if the procedurecarried out many times on an ensemble of such pairspairs, thenA, B, C, andD give the average diagonal entries of the surviving pairs. Note that if the averageA isdriven to 1 then each of the surviving pairs must individally approach the pure statejf1l kf1j.

In passing, we note that if the two input pairs havedif-ferentstatesr andr0 with diagonal elementshA, B, C, DjandhA0, B0, C0, D0j, respectively, then the retained contrpairs will, on average, have diagonal elements given b

A ­AA01BB0

N ,

B ­C0D1CD0

N ,

C ­CC01DD0

N ,(8)

D ­AB01A0B

N ,

where N ­ sA 1 Bd sA0 1 B0d 1 sC 1 Dd sC0 1 D0d,which generalizes (7).

2819

VOLUME 77, NUMBER 13 P H Y S I C A L R E V I E W L E T T E R S 23 SEPTEMBER1996

u

taatgw

if

h

ien

io

a

s

l

in

Ilita

eit

1y

E9

y

there

wse

nstyalem.an

reayeis

isted

st

heinenirsove

oftheTheer

dse.

a

wurentbe

Suppose that Eve has providedL pairs of qubits, withdensity operatorsr1, r2, . . . , rL. This is not to say thattheir overall density operator is necessarily of the prodform

r1 ≠ r2 ≠ · · · ≠ rL (9)

for Eve may have prepared them in an entangled sHowever, let us consider first the case in which the pare not entangled with each other, i.e., the overall sis of the form (9) above. Alice and Bob know nothinabout the state preparation, they are simply presentedan ensemble ofL pairs of qubits from which they can (they wish) estimate the average density operatorrave:

rave ­ 1L sr1 1 r2 1 · · · 1 rLd , (10)

which characterizes the ensemble of pairs.Alice and Bob now select pairs at random from t

ensemble of provided pairs and apply the QPA procedto pairs of these selected pairs. Thus we may setr ­rave in (7) and we are in effect studying the propertiesthe map 0BBB@

ABCD

1CCCA !

0BBB@ABCD

1CCCA ­1N

0BBB@A2 1 B2

2CDC2 1 D2

2AB

1CCCA . (11)

hA, B, C, Dj in (11) gives the average diagonal entrfor the states of the surviving pairs, i.e., the diagoentries of the average density operator of the ensemof surviving pairs. Therefore the repeated applicatof the QPA procedure—generating successive ensemof surviving pairs—corresponds to iteration of the min (11).

Several interesting properties of this map can be eaverified. For example, if at any stage the fidelityAexceeds1

2 , then after one more iteration, it still exceeds12 .

Although A does not necessarily increase monotonicaour target point,A ­ 1, B ­ C ­ D ­ 0, is a fixed pointof the map and is the only fixed point in the regionA .

12 .

It is a local attractor. We have been unable to obtaproof that it is also a global attractor in the regionA .

12 ,

but we have verified this by computer simulation.other words, if we begin with pairs whose average fideexceeds1

2 , but which are otherwise in an arbitrary sta(unentangled with each other), then the states of psurviving after successive iterations always convergethe unit-fidelity pure statejf1l. Since this is a pure statnone of the surviving pairs is, in the limit, entangled wany other system.

To illustrate the behavior of the iteration in Fig.we plot the fidelity as a function of the initial fidelitand the number of iterations, in cases whereA .

12 and

B ­ C ­ D initially.The above analysis applies to the case in which

does not entangle the pairs with each other [c.f. Eq. (

2820

ct

te.irsate

ith

eure

of

salblen

blesp

ily

ly,

a

ntyeirsto

,h

ve)].

FIG. 1. Average fidelity as a function of the initial fidelitand the number of iterations.

However, if Eve provides pairs whichare entangledwith each other, then Eq. (11) no longer holds, andQPA iterations may or may not converge to the pustate jf1l kf1j. Nevertheless it isnever of advantageto Eve to entangle pairs with each other: Eve knothat Alice and Bob will apply the QPA procedure to thdistributed pairs. In the course of the QPA iteratioAlice and Bob will periodically check the average fideliof the surviving pairs, which is achieved by purely locoperations and classical communication between thThus they determine whether they have achievedacceptably high fidelity. If Eve provides pairs which aentangle with each other then the QPA procedure mnot converge. In this case the protocol will force Alicand Bob to discard the entire transmission, and Evemerely in effect blocking the quantum channel. (Thwould also be the case if, for example, she distribupairs unentangled with each other, but havingA ,

12 .)

On the other hand, if Eve provides pairs whichdoconverge tojf1l kf1j (at an acceptable rate, i.e., at leathe rate corresponding to the starting values ofA, B,C, and D, which can be measured before starting tQPA procedure), then the QPA procedure is effectiveexcluding Eve despite the initial entanglement betwethe pairs. Thus Eve never benefits from providing pawhich are entangled with each other, and hence the abanalysis suffices to prove the security of the protocol.

The QPA procedure is rather wasteful in termsdiscarded particles—at least on half of the particles (ones used as targets) are lost at every iteration.efficiency of the procedure (i.e., the ratio of the numbof surviving pairs to the number of initial pairs) depenon the final fidelity required and on the initial statAs an example, in Fig. 2(a) we plot the efficiency asfunction of the initial fidelityA (taking B ­ C ­ D), forpurification to fidelity 0.99, and in Fig. 2(b) we shothe number of iterations used. The efficiency of oscheme compares very favorably with the entanglempurification scheme as described in [8], and it can

VOLUME 77, NUMBER 13 P H Y S I C A L R E V I E W L E T T E R S 23 SEPTEMBER1996

oe

ri

b

n1b

lr

iethta

aty

eion

rp

o

iza-thenttalPA

iley.

areon-. isRe-

bez-

ms

J.d,ry

t-r,

s

s

her,

ys.

nt-nt-

s.

s.

nd

FIG. 2. States withB ­ C ­ D are purified up to a fidelityof 0.99. (a) The efficiency of the purification as a functionthe initial fidelity A. (b) The number of iterations used in thQPA procedure as a function of the initial fidelity.

directly applied to purify states which are not necessaof the Werner form [10].

Even though the efficiency of our procedure maylow in many cases, it nevertheless establishes that thexist unconditionally secure quantum key distributioprotocols. This is in contrast to recent claims [1that quantum bit commitment protocols can neverunconditionally secure.

The QPA procedure is capable of purifying a collectioof pairs in any stater of the product form (9), whoseaverage fidelity with respect to at least one maximaentangled state (i.e., a Bell state or a state obtained fa Bell state via local unitary operations) is greater than1

2(because any state of that type can be transformedjf1l via local unitary operations [12]). If we denotby B a class of pure, maximally entangled states (generalized Bell states) then the condition that the sr can be purified using the QPA procedure is

maxf[B

kfjrjfl .12 . (12)

Note that this condition is not equivalent to the Horodeccondition [13] characterizing mixed states which cviolate a generalized Bell inequality (CHSH inequali[14]). Indeed there exist mixed states which satisfybothour condition (12)and the CHSH inequalities. Thus thQPA algorithm reveals a more complete characterizatof nonlocality than that given by Bell’s theorem (c.f. als[6,7,15–17]). We hope to elaborate this in a forthcomipaper.

The practical implementation of the QPA proceduwould require efficient quantum controlled-not gates oerating directly on information carriers. Perhaps the mpromising implementation of gates of this type (in thQPA context) is the one proposed by Turchetteet al. [18].

f

ly

eere

]e

n

lyom

nto

ete

kin

on

g

e-

ste

It operates on polarized photons and allows the polartion of the target photon to be rotated depending onpolarization of the control photon. Although the curreefficiency of the device is quite low, recent experimenprogress in this field raises hopes for a successful Qexperiment in the not too distant future.

This research was supported in part by Elsag-BaPLC. We would like to thank A. Barenco and W. KWootters for stimulating discussions. A. E. and R. J.sponsored by The Royal Society, London. C. M. is spsored by the European Union HCM Programme. A. Ssponsored by U.K. Engineering and Physical Sciencessearch Council. A. E., R. J., and S. P. acknowledge Razana Grignolino d’Asti.

[1] C. H. Bennett and G. Brassard, inProceedings of theIEEE International Conference on Computers, Systeand Signal Processing, Bangalore, India, 1984(IEEE,New York, 1984), p. 175.

[2] A. K. Ekert, Phys. Rev. Lett.67, 661 (1991).[3] C. H. Bennett, Phys. Rev. Lett.68, 3121 (1992).[4] C. H. Bennett, G. Brassard, and J.-M. Robert, SIAM

Comput. 17, 210 (1988); C. H. Bennett, G. BrassarC. Crépeau, and U. M. Maurer, IEEE Trans. Inf. Theo41, 1915 (1995).

[5] H. K. Lo and H. F. Chau, Los Alamos Report No. quanph/9511025; D. Mayers,Lecture Notes in ComputeScience (Springer-Verlag, Berlin, 1995), Vol. 963pp. 124–135.

[6] M. Horodecki, P. Horodecki, and R. Horodecki, LoAlamos Report No. quant-ph/9605038.

[7] M. Horodecki, P. Horodecki, and R. Horodecki, LoAlamos Report No. quant-ph/9607009.

[8] C. H. Bennett, G. Brassard, S. Popescu, B. SchumacJ. Smolin, and W. K. Wootters, Phys. Rev. Lett.76, 722(1996).

[9] A. Barenco, D. Deutsch, A. Ekert, and R. Jozsa, PhRev. Lett.74, 4083 (1995).

[10] R. F. Werner, Phys. Rev. A40, 4277 (1989).[11] H. K. Lo and H. F. Chau, Los Alamos Report No. qua

ph/9603004; D. Mayers, Los Alamos Report No. quaph/9603015.

[12] C. H. Bennett and S. J. Wiesner, Phys. Rev. Lett.69, 2881(1992).

[13] R. Horodecki, P. Horodecki, and M. Horodecki, PhyLett. A 200, 340 (1995).

[14] J. Clauser, M. Horne, A. Shimony, and R. Holt, PhyRev. Lett.23, 880 (1969).

[15] S. Popescu, Phys. Rev. Lett.72, 797 (1994).[16] S. Popescu, Phys. Rev. Lett.74, 2619 (1995).[17] N. Gisin, Phys. Lett. A210, 151 (1996).[18] Q. A. Turchette, C. J. Hood, W. Lange, H. Mabuchi, a

H. J. Kimble, Phys. Rev. Lett.75, 4710 (1995).

2821