Table Of ContentUnconditionally Secure Key Distribution Based on Two Nonorthogonal States
Kiyoshi Tamaki, Masato Koashi, and Nobuyuki Imoto
CREST Research Team for Interacting Carrier Electronics, School of Advanced Sciences,
The Graduate University for Advanced Studies (SOKENDAI), Hayama, Kanagawa, 240-0193, Japan
We prove the unconditional security of the Bennett 1992 protocol, by using a reduction to an
entanglementdistillationprotocolinitiatedbyalocalfilteringprocess. Thebiterrorsandthephase
errors are correlated after the filtering, and we can bound the amount of phase errors from the
observed bit errors by an estimation method involving nonorthogonal measurements. The angle
between the two states shows a trade-off between accuracy of the estimation and robustness to
noises.
PACSnumbers: 03.67.Dd03.67.-a
3
0
Quantum key distribution (QKD) provides a way to security proofs of BB84 rely on the symmetry of the
0
share a secret key between two parties (Alice and Bob) protocol which is not shared in B92, it is not a trivial
2
with very small leak of information to an eavesdropper task to modify it for B92, except for the limiting case of
n (Eve). One of the simplest of such protocols is called ϕ ϕ 2 =1/2 [9].
a |h 0| 1i|
J B92 [1], which is based on the transmission of only two In this Letter, we give a proof of the unconditional
8 nonorthogonal states. For a qubit channel between Al- securityoftheB92protocolforqubitchannels,applicable
ice and Bob, this protocol proceeds as follows. Alice to any amount of nonorthogonality α. We show that
2 randomly chooses a bit value j, and prepare a qubit in the B92 protocol is related to an EDP initiated by a
v state ϕj β 0x +( 1)jα1x , where 0 < α < 1/√2, localfiltering[10]. Wealsodevelopamethodtoestimate
62 β ≡ √| 1i−≡α2,|anid {|−0xi,|1x|i}iis a basis (X-basis) of an error rate by measuring randomly chosen samples on
1 the qubit. She sends the qubit through the channel to a different basis, which plays an important role in the
2 Bob,whoperformsameasurement B92 withthreeout- proof.
M
1 comes j′ = 0,1,“null”. The measurement is de-
B92 We first introduce a protocol involving EDP, which is
2 fined by the POVM F = ϕ ϕ /2, F =Mϕ ϕ /2,
0 andF =1 F F 0,whe|re1ihϕ 1| α01 |( 01i)hjβ0|1 then shown to be reduced to the B92 protocol. We as-
/ null − 0− 1 | ji≡ | xi− − | xi sume that Alice initially prepares a pair of qubits AB in
h is the state orthogonal to ϕj . When the outcome is the state Ψ =(0 ϕ + 1 ϕ )/√2, which
p j′ =null, Bob announces th|atito Alice and they discard | iAB | ziA| 0iB | ziA| 1iB
is nonmaximally entangled. Here Z-basis 0 , 1
t- the event. Otherwise, they take notes of their bit values of a qubit is related to the X-basis by j {=| z[i0| zi+}
an j andj′,whichshouldcoincide inthe absenceofchannel ( 1)j 1x ]/√2. Alice sends Bob the qubi|tzBi thro|uxgih a
noises and Eve’s intervention. Repeating this procedure − | i
u quantum channel. Suppose that Bob performs a “local
q many times, each of Alice and Bob obtains a sequence filtering operation” on qubit B, described by the Her-
: of bits. Then they converts the sequences into a shared
v mitian operator Ffil α0x B 0x +β 1x B 1x . When
i secret key through public discussions. the state of AB was≡ρ, |thei qhubi|t B |pasisehs th|e filter-
X
Although the QKD protocols themselves are simple, ing with probability p = Tr[ρ(1A Ffil)2], resulting
ar proving the unconditional security is quite hard, since in the filtered state [(1A Ffil)ρ(1A⊗ Ffil)]/p. When
⊗ ⊗
Eve may make a very complicated attack such as inter- the channel is noiseless and Eve does nothing, this pro-
actingallofthetransmittedqubitsjointlytoabigprobe cess is just the Procrustean method mentioned in [11]:
system. Thistaskhasbeenaccomplished[2]fortheBB84 the filtered state should be the maximally entangled
protocol [6], which involves four states forming two con- state (EPRstate) Φ+ =(0x A 0x B+ 1x A 1x B)/√2,
| i | i | i | i | i
jugate bases. Subsequent proofs [3, 4, 5] have provided since the initial state is also written as Ψ AB =
| i
us more than a basic claim of security, including a beau- β 0x A 0x B + α1x A 1x B. When noises are present,
| i | i | i | i
tiful interplay [4, 5] between QKD and other important the filtered state may include a bit error,representedby
protocols in quantum information, such as the entangle- the subspace spanned by 0z A 1z B, 1z A 0z B , and
{| i | i | i | i }
mentdistillationprotocol(EDP)[7]andtheCalderbank- a phase error, represented by the subspace spanned by
Shor-Steane (CSS) quantum error correcting codes [8]. 0x A 1x B, 1x A 0x B . In parallel to the protocols for
{| i | i | i | i }
It is natural to ask about the unconditional security of BB84 [4, 5], we can consider the following protocol that
the B92 protocol, which is conceptually the simplest of will work under the presence of noises.
the QKD protocols. In contrast to BB84, it involves a Protocol 1: (1) Alice creates 2N pairs in the state
freeparameterαrepresentingthenonorthogonality. The Ψ ⊗2N, and she sends the second half of each pair to
| iAB
analyses of the B92 protocol is hence expected to give Bob over a quantum channel. (2) By public discussion,
us an idea about how the nonorthogonality is related AliceandBobrandomlypermutethepositionof2N pairs
to the ability to convey secret information. Since the of qubits. (3) For the first N pairs (check pairs), Alice
2
measures her halves on Z-basis, and Bob performs mea- pairs. Then, from a classical probability estimate, we
surement onhishalves. Bypublicdiscussion,they may assume
B92
M
determinethenumbern oferrorsinwhichAlicefound
err
n n Nǫ . (2)
0 and Bob’s outcome was 1, or Alice found 1 with bit err 1
z z | − |≤
| i | i
Bob’soutcome0. (4)ForthesecondN pairs(datapairs),
ForanystrategybyEve,the probabilityofviolatingthis
Bob performs the filtering F on each of his qubits, and
fil inequality is asymptotically less than exp( Nǫ2).
announces the total number nfil and the positions of the The estimation of the phase errorsis far−mor1e compli-
qubits that have passed the filtering. (5) From n and
err cated. To do this, we derive several inequalities by as-
n , they estimate an upper bound for the number of bit
fil suming gedankenmeasurements that are not reallydone
errorsn , andanupper bound forthe number ofphase
bit in the Protocol 1. The number of phase errors n could
errorsn ,inthen pairs. Iftheseboundsaretoolarge, ph
ph fil be determined if Alice and Bob measure the n pairs in
they abort the protocol. (6) They run an EDP that can fil
X-basis just after step (4). Since the filtering operator
produce n nearly perfect EPR pairs if the estimation
key F isalsodiagonalinX-basis,n andn couldalsobe
is correct. (7) Alice and Bob each measures the EPR fil fil ph
determined by another measurement scheme, in which
pairs in Z-basis to obtain a shared secret key.
Alice and Bob perform X-basis measurements first, and
For the same reason as in the proofs of BB84 [4, 5], if
thenBobappliesthefilteringF . Notethatthisfiltering
fil
the estimation in step (5) is correct except for a proba-
can be done classically by Bernoulli trials since the out-
bility that becomes exponentially small as N increases,
comes of the X-basis measurements are available. This
the finalsharedkey is essentially secure. Intuitively, this
new scheme also produces the numbers n (i,j =0,1)of
ij
comesfromthefactthatEvehasnoclueontheoutcomes
pairs found in state i j . Since n and n (n )
x A x B ij fil ph
of a measurement performed on an EPR pair, since it is | i | i
are related by Bernoulli trials, we have
in a pure state by definition. We will soon show how to
estimate the upperbounds forthe errorsinstep(5). Be- α2(n +n )+β2(n +n ) n Nǫ (3)
00 10 01 11 fil 2
forethat, wewillshowthatProtocol 1 canbe reducedto | α2n +β2n −n |≤Nǫ , (4)
10 01 ph 3
the B92 protocol. | − |≤
AccordingtothediscussionbyShorandPreskill[5],we which are violated with probability asymptotically less
can use a one-way EDP based on CSS codes in step (6). than exp( 2Nǫ2) and exp( 2Nǫ2), respectively.
− 2 − 3
Then,theyhavefurthershownthatthewholeextraction Next,recallthefactthatneitherthenoisychannelnor
process of the nkey-bit final secret key from the noisy EvecantouchthequbitsheldbyAlice. Thisimpliesthat
nfil pairs in steps (6) and (7) can be equivalently accom- the marginalstate ofAlice’s data qubits before the mea-
plished by Z-basis measurements directly performed on surements should be ρ⊗N, where ρ Tr (Ψ Ψ)=
A A ≡ B | iABh |
Alice’s and Bob’s qubits of the nfil noisy pairs, followed β2 0x A 0x +α2 1x A 1x . We canthus regardn10+n11
| i h | | i h |
by a public discussion. Hence, without affecting the se- as a result of a Bernoulli trial, obtaining
curity, we can assume that Alice performs Z-basis mea-
surements immediately after she has prepared the state α2N (n10+n11) Nǫ4 (5)
| − |≤
Ψ ,andthatBobperformsZ-basismeasurementsim-
AB
|meidiatelyafterhehasperformedthefiltering. Protocol 1 with probability of violation asymptotically less than
exp( 2Nǫ2).
isthusreducedtoaprepare-and-measureprotocol. Now, − 4
Let us switch to the measurement on the check pairs
note the following relation for j′ = 0,1, which is easily
(thefirstN pairs). TheelementofPOVMcorresponding
confirmed:
to the error in step (3) is given by Π = (Γ Γ +
err 11 11
| ih |
Γ Γ )/2, where Γ α0 0 β 1 1
Ffil|jz′iBhjz′|Ffil =Fj′. (1) |an0d1ihΓ 01| β 0 1| 11i ≡α1| xiA0| xi.BT−his|ixsirAe|adxiilBy
01 x A x B x A x B
| i ≡ | i | i − | i | i
derivedfromtherelation j ϕ = Γ ( 1)j Γ .
This implies that the filtering followed by the Z-basis | ziA| jiB | 11i− − | 01i
Let us add two more states, Γ β 0 0 +
measurement is, as a whole, equivalent to the measure- | 00i ≡ | xiA| xiB
α1 1 and Γ α0 1 +β 1 0 , to
ment B92. Hence in the reduced protocolAlice simply | xiA| xiB | 10i ≡ | xiA| xiB | xiA| xiB
M form a basis. While n is determined from local mea-
sends ϕ and ϕ randomly, and Bob performs err
0 1 B92
| i | i M surementsinstep3,thesameoutcomecouldbeobtained
on all of the receivedqubits, which completes the reduc-
byperforminggloballythecompletemeasurementonba-
tion to B92.
sis Γ , followed by a Bernoulli trial with probability
Theestimationinstep(5)canbedoneasfollows. The {| iji}
1/2. Letm bethenumberofpairsfoundin Γ . Then
numberofbiterrorsnbitcouldbedeterminedifAliceand we have ij | iji
Bobexchangetheir measurementresultsin Z-basis. But
thisisthe sameprocessastheoneperformedonthe first
(m +m )/2 n Nǫ , (6)
11 01 err 5
N pairs to obtain n , due to the relation (1). Thanks | − |≤
err
to the random permutation in step (2), the check pairs which is violated with probability asymptotically less
are regarded as a classical random sample from the 2N than exp( 2Nǫ2).
− 5
3
Since Γ , Γ and 0 1 , 1 0 span Then, χρχ (p /dV) χP χ . Substituting the
{| 01i | 10i} {| xiA| xiB | xiA| xiB} h | | i ≤ k k k h | k| i
thesamesubspace,wecanrelatem +m andn +n form of (9) to P , we have
10 01 10 01 k
P
by the classical probability estimate as in Eq. (2):
dU
χρχ max k χS k,n 2 (10)
(m10+m01) (n10+n01) Nǫ6, (7) h | | i≤ k,n M! |h | p| i|
| − |≤ p
X
which is violated with probability asymptotically less
Recall that χ takes the form of χ = ν ⊗nν,
than exp( Nǫ2). We would like further to relate | i | i ν| i
− 6 where ν represents the double index (b,j). Then,
m01/(m01 + m10) to n01/(n01 + n10), but we can no χSp k,n 2 becomes the product of (SννN′)sνν′ and
longer apply classical arguments here, since |Γ01i and (|hTν|)tν|,wheir|eSνν′ ν ν′ Ψ 2 andTν ν n 2. The
0 1 are nonorthogonal. We will thus extend the ≡|h |h || i| ≡|h | i|
| xiA| xiB numbers sνν′ and tν depend on the permutation p. Let
classicalprobability estimate to the quantum casein the
µ( sνν′ , tν ) be the number of different permutations
following. { } { }
that give the same values of sνν′ , tν . Explicitly, this
The problem to be considered is as follows. M = { } { }
degeneracy factor is given by
M +M qubits arepreparedinastate,andthe position
0 1
of qubits are then randomly permuted. Then, each of
k! (M 2k)!
sthise fi0rs,t0M, 00,1qub,itasndis tmheearseusrtedofonManquobrtihtsogaornealmbeaa-- µ= ν nν!! ν,ν′sνν′! −νtν! (11)
{| i | i} 1 Y
sured on another basis 1,0 , 1,1 . What we ask is Q Q
{| i | i} Using this factor, the summation over p can be replaced
the bound for the probabilityp(δ ,δ ), with which M δ
0 1 0 0 by the summation over sνν′ , tν , which take at most
tqoubbitesianre1fo,u1n.dtLoebteρinb|e0,t1hieanstdatMe1aδf1teqrubthitesapreermfouutnad- poly(M)values. Since dUk{ =M} {−2}k+1 is also poly(M),
| i we obtain
tion, and |χi ≡ b,j|b,ji⊗nb,j, where nb,1 = Mbδb and µ
nb,0 =Mb(1−δbN). Then, the probability is given by hχ|ρ|χi≤poly(M)k,n,{msννa′x},{tν}M!ν,ν′(Sνν′)sνν′ ν (Tν)tν
M ! Y Y
p(δ ,δ )= χρχ b (8) (12)
0 1
h | | i nb,0!nb,1! Combining the Eqs. (8), (11), and (12), and
b=0,1
Y
replacing the factorials by the entropy function
The technique used [12] for problems involving i.i.d. H(p ) p logp using the formula poly(N)−1
i ≡ − i i i ≤
quantumsourcesis alsousefulhere,althoughinourcase exp[ NH(p )]N!/ (Np )! 1, we can cast the upper
i i
− P ≤
the state ρ may be highly correlated. The Hilbert space boundintotheformp(δ ,δ ) poly(M)exp[ MminR],
0 1
for the M qubits, ⊗M, can be decomposed as ⊗M = where the exponenQt R is give≤n by −
H H ∼
such that any operator of form U⊗M with
UL∈λUSλU⊗(2V)λisdecomposedasU⊗M ∼= λπλ(U)⊗1,and R = H(Mb/M)+(k/M)[D(sνν′/k|Sνν′/4)−2]
apn∈y uSnMitairsydoepceormaptoorseSdpacsorSrpesp∼=ondiLλng1t⊗oπ˜pλe(rpm).utaHtieorne +(1−2k/M)[D(tν/(M −2k)|Tν/2)−1], (13)
tShUe(2m)aapnsdπSλMa,ndresπ˜pλecatriveeliyrr.edTuhceibLilnedreexpλresreunntsatoivoenrsaolfl whieprieloDg2(ispit/hqei).relatTivheeenemtrpopiryicadlefipnreodbabbyiliDty(pip|bqji) ≡=
Young diagrams with two rows and M boxes, namely, tν/(M 2k) appearing here can be regarded as a joint
P −
λ = (M k,k) with k = 0,1,..., M/2 . We will thus probability over the two variables b and j, and we can
− ⌊ ⌋
use k instead of λ below. For later use, we derive a consider its marginal probability pj p0j +p1j and the
≡
cuosnpvaernaiemnetteforrizme tohfethpeurperosjteactteisonofPakqounbtoitUaks⊗nV,ku.sLinegt cnoontadtitioionnsafloprrootbhaebrilijtoyintpbp|jro≡babpbilji/tipejs. qbWb′jej′use ssiνmν′i/lakr,
the unit vector n in the Bloch sphere. Define a| sitate on αbj Tν/2, and βbb′jj′ Sνν′/4. We further≡introduce
≡ ≡
⊗M as k,n Ψ ⊗k n ⊗M−2k,where Ψ isthesinglet a variable a, which takes three values 1,2,3 , define a
sHtate (0|1 i≡1|0i)/√|2iof two qubits.|Thie state k,n probability ξa by ξ1 = 1 2k/M and{ξ2 = ξ}3 = k/M,
| i| i−| i| i | i −
is contained in subspace k k. Consider the operator and define a joint probability γab over a and b, defined
U ⊗V
with unit trace by γ1b =ξ1pb, γ2b =ξ2qb, and γ3b′ =ξ3qb′. Then, it is a
bit tedious but straightforwardto rewrite Eq. (13) as
1
dnS k,n k,nS†. (9)
4πM! p Z p| ih | p R=(k/M)[D(qbb′ qbqb′)+ qbb′D(qjj′|bb′ βjj′|bb′)]
X | |
bb′
X
Since it commutes with any S and any U SU(2), it
should be equal to (dUdV)−1Pp, where dU ∈dim and +(1−2k/M) pbD(pj|b|αj|b)+D(γab|γaγb) (14)
k k k k ≡ Uk b
dV dim . X
k ≡ Vk
Since ρ commutes with any Sp, it can be decomposed where we have used γb = Mb/M, αb = 1/2 and βbb′ =
asρ∼= k(pk/dVk)ρk⊗1,where pk =1 andTrρk =1. 1/4. Since all terms are nonnegative, R is zero only
L P
4
1 1/2 [note that positions of errors are randomized in step
0.5
p=0.03
0.8 (2)]. Here h(p) H(p,1 p). Inorderto showa quanti-
00..43 | j 0|j 1 |2 0.6 tative example o≡f the sec−urity, we assume that the chan-
0.2 0.4 nel is the depolarizing channel where the state ρ evolves
as ρ (1 p)ρ+p/3 σ ρσ , where σ is the
0.1 G 0.2 → − a=x,y,z a a a
Pauli operator of a component. In Fig. 1(a), we plot
0.01 0.02 0.03 0.04 0.2 0.4 0.6 0.8 1 P
p | j |j |2 the key generation rate G = nkey/N optimized over the
(a) (b) 0 1 nonorthogonality ϕ0 ϕ1 2. It is seen that our proto-
|h | i|
col is secure up to p 0.034, which is smaller than in
∼
BB84 with one-way EDP (p 0.165) [5]. In Fig. 1(b),
FIG. 1: (a) The optimum value of |hϕ0|ϕ1i|2 and the key it canbe seenthat when ϕ ∼ϕ 2 becomes smaller,the
0 1
generation rate G in the depolarizing channel. (b) The error |h | i|
estimation of the phase errors becomes poorer. On the
rates (normalized by nfil) in the data qubits for the depolar- other hand, larger values of ϕ ϕ 2 make the signal
izing channel with p=0.03. The estimated upper bound for 0 1
|h | i|
phaseerrors(dot-dashed),theactualphaseerrors(solid),and more vulnerable to the noises, resulting in larger errors.
thebit errors (dotted). Thistrade-offisincontrasttoBB84,inwhichagoodes-
timation and small errors are achieved at the same time
by adding two more states in the protocol.
if each pair of probabilities in D are identical. This
In summary, the B92 protocol can be regarded as an
implies p = b,j n 2(M /M), q = (1/2)(M /M),
bj |h | i| b bj b EDP witha filtering process,andthe filtering makesthe
and qb′j′ = (1/2)(Mb′/M). From the relation nb,j = phaseandbit errorsrelatedto eachother,whichenables
M(ξ1pbj +ξ2qbj +ξ3qb′j′|b′=b,j′=j) we conclude that, for us to estimate the phase errors from the amount of the
minR to be zero, it is necessary that
bit errors. The estimation scheme involving nonorthog-
δ =ξ b,1n 2+(1 ξ )/2 (15) onal measurements developed here will also be useful in
b 1 1
|h | i| − practical QKD schemes having lower symmetries due to
for a choice of n and 0 ξ 1, or equivalently, imperfections in the apparatus.
1
| i ≤ ≤
δ = b,1σ b,1 forastateσofasinglequbit. Otherwise, We thank Hoi-Kwong Lo, John Preskill, and Takashi
b
h | | i
p(δ ,δ ) is as exponentially small as exp[ MminR]. Yamamoto for helpful discussions.
0 1
−
Note that in the limit of M , the result is consis-
→ ∞
tent with what is expected from the quantum de Finetti
theorem [13].
Now applying this general result to our case, we have
[1] C. H.Bennett, Phys. Rev.Lett, 68, 3121 (1992).
sin2(θ θ) ǫ sin2φ sin2(θ +θ)+ǫ (16) [2] D. Mayers, Lecture Notes in Computer Science, 1109,
l 7 l l 8
− − ≤ ≤ Springer–Verlag, 1996, pp.343–357.
[3] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and
forl=0,1,wherealltheanglesaredefinedin[0,π/2]by
therelationsn /(n +n )=sin2θ ,n /(n +n )= V. Roychowdhury, quant-ph/9912053; H. Inamori,
11 11 00 0 01 01 10 N. Lu¨tkenhaus, and D. Mayers, quant-ph/0107017;
sin2θ , m /(m +m )=sin2φ , m /(m +m )=
1 11 11 00 0 01 01 10 M. Koashi and J. Preskill, quant-ph/0208155.
sin2φ1, and α2 = sin2θ. Together with Eqs. (3)–(7), an [4] H. -K.Lo and H.F. Chau, Science 283, 2050 (1999).
exponentially-reliable upper bound of nph can be found. [5] P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441
In the following, we calculate the final key length in (2000).
the limit of large N, by setting all ǫ to be zero. From [6] C. H. Bennett and G. Brassard, in Proceeding of the
j
IEEE International Conference on Computers, Systems,
Eq. (2), n is found to be equal to n . Eqs. (3)–(7)
bit err
and Signal Processing, Bangalore, India (IEEE, New
are now linear equations, and together with the relation
York, 1984), pp.175-179 (1984).
n = m = N, they can be used to eliminate n
ij ij ij [7] C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and
and mij. Then, the inequalities (16) for l = 0,1 are W. K. Wootters, Phys.Rev.A 54, 3824 (1996).
P P
combined to give [8] A.R.CalderbankandP.W.Shor,Phys.Rev.A54,1098
(1996),A.M.Steane,Proc.R.Soc.LondonA452,2551
nfil 2nerr Nαβf(x), (17) (1996).
| − |≤ [9] Z. Quan and T. Chaojing, Phys. Rev. A 65, 062301
where f(x) √x2 ∆2 + (1 x)2 (β2 α2 ∆)2 (2002).
with∆ (n≡/N 2−α2β2)/(β2 −α2)a−ndx −2n −/N [10] N. Gisin, Phys. Lett.A 210, 151 (1996) ;M. Horodecki,
fil ph
(β2 α2≡)∆. Thep−ositivityopfn−requirestha≡t ∆ x− P. Horodecki, and R. Horodecki, Phys. Rev. Lett. 78,
ij
1 −β2 α2 ∆. SolvingEq.(17)givesanupp|er|b≤oun≤d 574 (1997).
−| − − | [11] C.H.Bennett,H.J.Bernstein,S.Popescu,andB. Schu-
n of the number of phase errors n , as a function of
ph ph macher, Phys.Rev.A 53, 2046 (1996).
the observed values nerr and nfil. [12] M. Keyl and R. F. Werner, Phys. Rev. A 64, 052311
Theachievablelengthofthefinalkeyisgiven[8,14]by (2001); M. Hayashi and K. Matsumoto, Phys. Rev. A
nkey =nfil[1 h(nbit/nfil) h(nph/nfil)],whennph/nfil 66, 022311 (2002).
− − ≤
5
[13] C.M.Caves,C.A.Fuchs,R.Schack,quant-ph/0104088. quant-ph/0212066.
[14] D.Gottesman,H.-K.Lo,N.Lu¨tkenhaus,andJ.Preskill,