Introduction to Quantum Cryptography

2.1. Entanglement state

The counterintuitive predictions of quantum mechanics about correlated systems were first discussed by Albert Einstein in 1935, in a joint paper with Boris Podolsky and Nathan Rosen [10]. They demonstrated a thought experiment that attempted to show that quantum mechanical theory was impossible.

But flowing the EPR paper, Erwin Schrodinger wrote letter (in German) to Einstein in which he used the word Verschrankung (translated by himself as entanglement) “to describe the correlations between two particles that interact and then separate, as in the EPR experiment” [11]. He shortly thereafter published a seminal paper defining and discussing the notion, and terming it “entanglement”.

Entanglement is usually created by direct interactions between subatomic particles. These interactions can take numerous forms. One of the most commonly used methods is spontaneous parametric down-conversion to generate a pair of photons entangled in polarization [12]. Other methods include the use of a fiber coupler to confine and mix photons, the use of quantum dots to trap electrons until decay occurs, the use of the Hong-Ou-Mandel effect, etc. In the earliest tests of Bell’s theorem, the entangled particles were generated using atomic cascades. It is also possible to create entanglement between quantum systems that never directly interacted, through the use of entanglement swapping.

Consider two noninteracting systems A and B, with respective Hilbert spaces HA and HB. The Hilbert space of the composite system is the tensor product HA⊗HB. If the first system is in state |ψ⟩A and the second in state |ψ⟩B, the state of the composite system is |ψ⟩A⊗|ψ⟩B. States of the composite system which can be represented in this form are called separable states, or product states. Not all states are separable states. Fix a basis {|i⟩A} for HA and a basis {|j⟩B} for HB. The most general state in HA⊗HB is the form of

This state is separable if cij=ciAcjB yielding |ψ⟩A=∑iciA|i⟩A and |ϕ⟩B=∑jcjB|j⟩B. It is inseparable if cij≠ciAcjB If a state is inseparable, it is called an entangled state. For example, given two basis vectors {|0⟩A,|1⟩A} of HAand two basis vectors {|0⟩B,|1⟩B} of HB, the following is an entangled state:

If the composite system is in this state, it is impossible to attribute to either system A or system B a definite pure state. Another way to say this is that while the von Neumann entropy of the whole state is zero, the entropy of the subsystems is greater than zero. In this sense, the systems are “entangled”. This has specific empirical ramifications for interferometry [13]. It is worthwhile to note that the above example is one of four Bell states, which are maximally entangled pure states.

2.2. One-time-pad and key distribution problem

In conventional cryptography, an unbreakable code does exist. It is called the one-time-pad and was invented by Gilbert Vernam in 1918 [14]. In the one-time-pad method, a message (traditionally called the plain text) is first converted by Alice into a binary form (a string consisting of “0”s and “1”s) by a publicly known method. A key is a binary string of the same length as the message. By combining each bit of the message with the respective bit of the key using XOR (i.e. addition modulo two), Alice converts the plain text into an encrypted form (called the cipher text). i.e. for each bit

Alice then transmits the cipher text to Bob via a broadcast channel. Anyone including an eavesdropper can get a copy of the cipher text. However, without the knowledge of the key, the cipher text is totally random and gives no information whatsoever about the plain text. For decryption, Bob, who shares the same key with Alice, can perform another XOR (i.e. addition modulo two) between each bit of the cipher text with the respective bit of the key to recover the plain text. This is because

The one-time-pad method is unbreakable, but it has a serious drawback: it supposes that Alice and Bob initially share a random string of secret that is as long as the message. Therefore, the one-time-pad simply shifts the problem of secure communication to the problem of key distribution. This is the key distribution problem. The one of possible solution to the key distribution problem is public key cryptography.

Quantum mechanics can provide a solution to the key distribution problem. In quantum key distribution, an encryption key is generated randomly between Alice and Bob by using non orthogonal quantum states. In quantum mechanics there is a quantum no-cloning theorem, which states that it is fundamentally impossible for anyone including an eavesdropper to make an additional copy of an unknown quantum state. Therefore, any attempt by an eavesdropper to learn information about a key in a QKD process will lead to disturbance, which can be detected by Alice and Bob who can, for example, check the bit error rate of a random sample of the raw transmission data.

2.3. Quantum no-cloning theorem

The quantum no-cloning theorem was stated by Wootters, Zurek, and Dieks in 1982, and has profound implications in quantum computing and related fields.

Theorem (Quantum no-cloning theorem) An arbitrary quantum state cannot be duplicated perfectly.

Proof: Suppose the state of a quantum system A, which we wish to copy, is |ψ⟩A. In order to make a copy, we take a system B with the same state space and initial state |e⟩B. The initial, or blank, state must be independent of |ψ⟩A, of which we have no prior knowledge. The composite system is then described by the tensor product, and its state is |ψ⟩A|e⟩B.

There are only two ways to manipulate the composite system. We could perform an observation, which irreversibly collapses the system into some eigenstate of the observable, corrupting the information contained in the qubit. This is obviously not what we want. Alternatively, we could control the Hamiltonian of the system, and thus the time evolution operator U (for a time independent Hamiltonian, U(t)=e−iHt/ℏ, where −H/ℏ is called the generator of translations in time) up to some fixed time interval, which yields a unitary operator. Then U acts as a copier provided that

for all possible states |ϕ⟩ in the state space (including |ψ⟩). Since U is unitary, it preserves the inner product:

and since quantum mechanical states are assumed to be normalized, it follows that ⟨ϕ|ψ⟩=⟨ϕ|ψ⟩2.

This implies that either ϕ=ψ (in which case ⟨ϕ|ψ⟩=1) or ϕ is orthogonal to ψ (in which case ⟨ϕ|ψ⟩=0 ). However, this is not the case for two arbitrary states. While orthogonal states in a specifically chosen basis {|0⟩,|1⟩}, for example, |ϕ⟩=12(|0⟩+|1⟩) and |ψ⟩=12(|0⟩−|1⟩)fit the requirement that⟨ϕ|ψ⟩=⟨ϕ|ψ⟩2, this result does not hold for more general quantum states. Apparently U cannot clone a general quantum state.

Quantum no-cloning theorem is a direct result of the linearity of quantum physics. It is closely related to another important theorem in quantum mechanics, which states: if a measurement allows one to gain information about the state of a quantum system, then in general the state of this quantum system will be disturbed, unless we know in advance that the possible states of the original quantum system are orthogonal to each other.

At first sight, the impossibility of making perfect copies of unknown quantum states seems to be a shortcoming. Surprisingly, it can also be an advantage. It turned out that by using this impossibility smartly, unconditionally secure key distribution could be achieved: any attempts by the eavesdropper to learn the information encoded quantum mechanically will disturb the quantum state and expose her existence. Specially, we can get the following characteristics about quantum no-cloning theorem:

• The no-cloning theorem prevents us from using classical error correction techniques on quantum states. For example, we cannot create backup copies of a state in the middle of a quantum computation, and use them to correct subsequent errors. Error correction is vital for practical quantum computing, and for some time this was thought to be a fatal limitation. In 1995, Shor and Steane revived the prospects of quantum computing by independently devising the first quantum error correcting codes, which circumvent the no-cloning theorem.

• Similarly, cloning would violate the no teleportation theorem, which says classical teleportation (not to be confused with entanglement-assisted teleportation) is impossible. In other words, quantum states cannot be measured reliably.

• The no-cloning theorem does not prevent superluminal communication via quantum entanglement, as cloning is a sufficient condition for such communication, but not a necessary one. Nevertheless, consider the EPR thought experiment, and suppose quantum states could be cloned. Assume parts of a maximally entangled Bell state are distributed to Alice and Bob. Alice could send bits to Bob in the following way: If Alice wishes to transmit a “0”, she measures the spin of her electron in the z direction, collapsing Bob’s state to either |z+⟩B or |z−⟩B. To transmit “1”, Alice does nothing to her qubit. Bob creates many copies of his electron’s state, and measures the spin of each copy in the z direction. Bob will know that Alice has transmitted a “0” if all his measurements will produce the same result; otherwise, his measurements will have outcomes +1/2 and −1/2 with equal probability. This would allow Alice and Bob to communicate across space-like separations.

• The no-cloning theorem prevents us from viewing the holographic principle for black holes as meaning we have two copies of information lying at the event horizon and the black hole interior simultaneously. This leads us to more radical interpretations like black hole complementarity.

2.4. Heisenberg uncertainty principle

Heisenberg’s Uncertainty Principle (abbreviated HUP) is one of the fundamental concepts of quantum physics, and is the basis for the initial realization of fundamental uncertainties in the ability of an experimenter to measure more than one quantum variable at a time. Attempting to measure an elementary particle’s position to the highest degree of accuracy, for example, leads to an increasing uncertainty in being able to measure the particle’s momentum to an equally high degree of accuracy.

Suppose A and B are two Hermitian operators, and |ψ⟩ is a quantum state. Suppose ⟨ψ|AB|ψ⟩=x+iy, where x and y are real. Note that ⟨ψ|[A,B]|ψ⟩=2iy and ⟨ψ|{A,B}|ψ⟩=2x. This implies that

By the Cauchy-Schwarz inequality |⟨ψ|AB|ψ⟩|2≤⟨ψ|A2|ψ⟩⟨ψ|B2|ψ⟩, which combined with the equation (1) and dropping a non-negative term gives

Suppose C and D are two observables. Substituting A=C−<C> and B=D−<D> into the last equation, where the average value of the observable C is often written <C> = ⟨ψ|C|ψ⟩ and similar to D, we obtain Heisenberg’s uncertainty principle as it is usually stated

Quantum communication the sending of encoded messages that are un-hackable by any computer. This i allows s possible because the messages are carried by tiny particles of light called photons. If an eavesdropper attempts to read out the message in transit, they will be discovered by the disturbance their measurement causes to the particles as an inevitable consequence of the HUP. In the regime of quantum experiments, by contrast, we are uncertain about the results of experiments because the particle itself is uncertain. It has no position or speed until we measure it. We can design some protocol of quantum cryptography by using the property of quantum from HUP.

3.1. The BB84 QKD protocol

The best-known protocol for QKD is the Bennett and Brassard protocol (BB84). The procedure of BB84 is as follows (also shown in Table 1).

1. Quantum communication phase

1. In BB84, Alice sends Bob a sequence of photons through an insecure quantum channel, each independently chosen from one of the four polarizations-vertical, horizontal, 45-degrees and 135-degrees.

2. For each photon, Bob randomly chooses one of the two measurement bases (rectilinear and diagonal) to perform a measurement.

3. Bob records his measurement bases and results. Bob publicly acknowledge his receipt of signals.

1. Public discussion phase

1. Alice broadcasts her bases of measurements. Bob broadcasts his bases of measurements.

2. Alice and Bob discard all events where they use different bases for a signal.

3. To test for tampering, Alice randomly chooses a fraction, p, of all remaining events as test events. For those test events, she publicly broadcasts their positions and polarizations.

4. Bob broadcasts the polarizations of the test events.

5. Alice and Bob compute the error rate of the test events (i.e., the fraction of data for which their value disagree). If the computed error rate is larger than some prescribed threshold value, say 11%, they abort. Otherwise, they proceed to the next step.

6. Alice and Bob each convert the polarization data of all remaining data into a binary string called a raw key (by, for example, mapping a vertical of 45-degrees photon to “0” and a horizontal or 135-degrees photon to “1”). The can perform classical postprocessing such as error correction and privacy amplification to generate a final key.

The basic idea of the BB84 QKD protocol is beautiful and its security can be intuitively understood from the quantum no-cloning theorem. On the other hand, to apply QKD in practice, Alice and Bob need to find the upper bound of Eve’s information quantitatively, given the observed quantum bit error rate (abbreviated QBER) and other system parameters. This is the primary goal of various QKD security proofs and it had turned out to be extremely difficult. One major challenge comes from the fact that Eve could launch attacks way beyond today’s technologies and our imaginations. Nevertheless, QKD was proved to be unconditionally secure. This is most significant achievements in quantum information.

3.2. QKD based on EPR

An essentially equivalent protocol that utilizes Einstein-Podolsky-Rosen (EPR) correlations has been worked on by Artur Ekert [19] and Bennett, Brassard, and Mermin [20]. To take advantage of EPR correlations, particles are prepared in such a way that they are “entangled”. This means that although they may be separated by large distances in space, they are not independent of each other. Suppose the entangled particles are photons. If one of the particles is measured according to the rectilinear basis and found to have a vertical polarization, then the other particle will also be found to have a vertical polarization if it is measured according to the rectilinear basis. If however, the second particle is measured according to the circular basis, it may be found to have either left-circular or right-circular polarization.

In his 1991 paper, Ekert [19] suggested basing the security of this two-qubit protocol on Bell’s inequality, an inequality which demonstrates that some correlations predicted by quantum mechanics cannot be reproduced by the local theory. To do this, Alice and Bob can use a third basis. In this way the probability that they might happen to choose the same basis is reduced from 12 to 29, but at the same time as they establish a key, they collect enough data to test Bell’s inequality. They can thus check that the source really emits the entangled state and not merely product states. The following year Bennett, Brassard, and Mermin [20] criticized Ekert’s letter, arguing that the violation of Bell’s inequality is not necessary for the security of quantum cryptography and emphasizing the close connection between the Ekert and the BB84 schemes. This criticism quantum cryptography might be missing an important point. Although the exact relation between security and Bell’s inequality is not yet fully known, there are clear results establishing fascinating connections.

The steps of the protocol for developing a secret key using EPR correlations of entangled photons are explained below.

1. Alice creates EPR pairs of polarized photons, keeping one particle for herself and sending the other particle of each pair to Bob.

2. Alice randomly measures the polarization of each particle she kept according to the rectilinear or circular basis. She records each measurement type and the polarization measured.

3. Bob randomly measures each particle he received according to the rectilinear or circular basis. He records each measurement type and the polarization measured.

4. Alice and Bob tell each other which measurement types were used, and they keep the data from all particle pairs where they both chose the same measurement type.

5. They convert the remaining data to a string of bits using a convention such as: left-circular = 0, right-circular = 1, horizontal = 0, vertical = 1.

One important difference between the BB84 and the EPR methods is that with BB84, the key created by Alice and Bob must be stored classically until it is used. Therefore, although the key was completely secure when it was created, its continued security over time is only as great as the security of its storage. Using the EPR method, Alice and Bob could potentially store the prepared entangled particles and then measure them and create the key just before they were going to use it, eliminating the problem of insecure storage.

So the idea consists in replacing the quantum channel carrying two qubits from Alice to Bob by a channel carrying two qubits from a common source, one qubit to Alice and one to Bob. A first possibility would be that the source always emits the two qubits in the same state chosen randomly among the four states of the BB84 protocol. Alice and Bob would then both measure their qubit in one of the two bases, again chosen independently and randomly. The source then announces the bases, and Alice and Bob keep the data only when they happen to have made their measurements in the compatible basis. If the source is reliable, this protocol is equivalent to that of BB84: It is as if the qubit propagates backwards in time from Alice to the source, and then forward to Bob. But better than trusting the source, which could be in Eve’s hand the Ekert protocol assumes that the two qubits are emitted in a maximally entangled state like |ϕ+⟩=12(|00⟩+|11⟩).

Then, when Alice and Bob happen to use the same basis, either the x basis or the y basis, i.e., in about half of the cases, their results are identical, providing them with a common key.

3.3. Continuous variable QKD

In the BB84 QKD protocol, Alice’s random bits are encoded in a two dimensional space like the polarization state of a single photon. More recently, QKD protocols working with continuous variables have been proposed. Among them, the Gaussian modulated coherent state (GMCS) QKD protocol has drawn special attention [21].

The protocol runs as follows. First, Alice draws two random numbers xA and pA from a gaussian distribution of mean zero and variance VAN0, where N0 denotes the shot-noise variance. Then, she sends the coherent state |xA+ipA⟩ to Bob, who randomly chooses to measure either quadrature x or p. Later, using a public authenticated channel, he informs Alice about which quadrature he measured, so she may discard the irrelevant data. After many similar exchanges, Alice and Bob (and possibly the eavesdropper Eve) share a set of correlated gaussian variables, which we call ‘key elements’.

The basic scheme of the GMCS QKD protocol can be shown in Figure 2.

Alice modulates both the amplitude quadrature and phase quadrature of a coherent state with Gaussian distributed random numbers. In classical electromagnetism, these two quadratures correspond to the in-phase and out-of-phase components of electric field, which can be conveniently modulated with optical phase and amplitude modulators. Alice sends the modulated coherent state together with a strong local oscillator (a strong laser pulse which serves as a phase reference) to Bob. Bob randomly measures one of the two quadratures with a phase modulator and a homodyne detector. After performing his measurements, Bob informs Alice which quadrature he actually measures for each pulse and Alice drops the irrelevant data. At this stage, they share a set of correlated Gaussian variables which are called the ― raw key. Given the variances of the measurement results below certain thresholds, they can further work out perfectly correlated secure key by performing reconciliation and privacy amplification. Classical data processing is then necessary for Alice and Bob to obtain a fully secret binary key.

The security of the GMCS QKD can be comprehended from the uncertainty principle. In quantum optics, the amplitude quadrature and phase quadrature of a coherent state form a pair of conjugate variables, which cannot be simultaneously determined with arbitrarily high accuracies due to Heisenberg uncertainty principle. From the observed variance in one quadrature, Alice and Bob can upper bound Eve‘s information about the other quadrature. This provides a way to verify the security of the generated key. Recently, an unconditional security proof of the GMCS QKD appeared [23].

Different from the BB84 QKD, in GMCS QKD, homodyne detectors are employed to measure electric fields rather than photon energy. By using a strong local oscillator, high efficiency and fast photo diodes can be used to construct the homodyne detector which could result in a high secure key generation rate. However, the performance of the GMCS QKD is strongly dependent on the channel loss. Recall that in the BB84 QKD system, the channel loss plays a simple role: it reduces the communication efficiency but it will not introduce QBER. A photon is either lost in the channel, in which case Bob will not register anything, or it will reach Bob‘s detector intact. On the other hand, in the GMCS QKD, the channel loss will introduce vacuum noise and reduce the correlation between Alice and Bob’s data. As the channel loss increases, the vacuum noise will become so high that it is impossible for Alice and Bob to resolve a small excess noise (which is used to upper bound Eve‘s information) on the top of a huge vacuum noise.

Comparing with the BB84 QKD, the GMCS QKD could yield a high secure key rate over short distances [24] [25].

3.4. Decoy state QKD

The security of QKD has been rigorously proven in a number of recent papers. There has been tremendous interest in experimental QKD [26] [27]. Unfortunately, all those exciting recent experiments are, in principle, insecure due to real-life imperfections. More concretely, highly attenuated lasers are often used as sources. But, these sources sometimes produce signals that contain more than one photon. Those multi-photon signals open the door to powerful new eavesdropping attacks including photon splitting attack. For example, Eve can, in principle, measure the photon number of each signal emitted by Alice and selectively suppress single photon signals. She splits multi-photon signals, keeping one copy for herself and sending one copy to Bob. Now, since Eve has an identical copy of what Bob possesses, the unconditional security of QKD is completely compromised.

In summary, in standard BB84 protocol, only signals originated from single photon pulses emitted by Alice are guaranteed to be secure. Consequently, paraphrasing GLLP (Gottesman, Lo, Lutkenhaus, Preskill [28]), the secure key generation rate (per signal state emitted by Alice) can be shown to be given by:

where Qμ and Eμ are respectively the gain and quantum bit error rate (QBER) of the signal state (Here, the gain means the ratio of the number of Bob’s detection events (where Bob chooses the same basis as Alice) to Alice’s number of emitted signals. QBER means the error rate of Bob’s detection events for the case that Alice and Bob use the same basis), Ω and e1 are respectively the fraction and QBER of detection events by Bob that have originated from single-photon signals emitted by Alice and H2 is the binary Shannon entropy. It is a prior very hard to obtain a good lower bound on Ω and a good upper bound on e1. Therefore, prior art methods (as in GLLP [28], under (semi-) realistic assumptions, if imperfections are sufficiently small, then BB84 is unconditionally secure.) make the most pessimistic assumption that all multi-photon signals emitted by Alice will be received by Bob. For this reason, until now, it has been widely believed that the demand for unconditional security will severely reduce the performance of QKD systems.

In [29], they present a simple method that will provide very good bounds to Ω and e1. The method is based on the decoy state idea first proposed by Hwang [12]. While the idea of Hwang was highly innovative, his security analysis was heuristic. Consequently, H.K. Lo etc’s method for the first time makes most of the long distance QKD experiments reported in the literature unconditionally secure. And their method has the advantage that it can be implemented with essentially the current hardware. So, unlike prior art solutions based on single-photon sources, their method does not require daunting experimental developments. The key point of the decoy state idea is that Alice prepares a set of additional states — decoy states, in addition to standard BB84 states. Those decoy states are used for the purpose of detecting eavesdropping attacks only, whereas the standard BB84 states are used for key generation only. The only difference between the decoy state and the standard BB84 states is their intensities (i.e., their photon number distributions). By measuring the yields and QBER of decoy states, Alice and Bob can obtain reliable bounds to Ω and e1, thus allowing them to surpass all prior art results substantially [30].

At first, we recall the original decoy state QKD by Hwang [12] in detail.

Define Yn= yield = conditional probability that a signal will be detected by Bob, given that it is emitted by Alice as an n-photon state.

To design a method to test experimentally the yield (i.e. transmittance) of multi-photons, we can use two-photon states as decoys and test their yield. For example, Alice and Bob estimate the yield Y2=x/N if Alice sends N two-photon signals to Bob and Bob detects x signals. If Eve selectively sends multi-photons, Y2 will be abnormally large. So Eve will be caught.

The two kinds of states are as follows for the decoy state QKD (Toy Model).

1. Signal state: Poisson photon number distribution μ (at Alice).

2. Decoy state: two-photon signals.

The procedure of decoy state QKD (Toy Model) is as following.

1. Alice randomly sends either a signal state or decoy state to Bob.

2. Bob acknowledges receipt of signals.

3. Alice publicly announces which are signal states and which are decoy states.

4. Alice and Bob compute the transmission probability for the signal states and for the decoy states respectively.

If Eve selectively transmits two-photons, an abnormally high fraction of the decoy state B) will be received by Bob. Eve will be caught. But the practical problem with toy model is making perfect two-photon state is hard. So the solution of Hwang’s decoy state QKD is to make another mixture of good and bad photons with a different weight.

There is two kinds of states for Hwang’s decoy state QKD.

1. Signal state: Poisson photon number distribution: α (at Alice) with mixture 1.

2. Decoy state: Poisson photon number distribution: μ∼2 (at Alice) with mixture 2.

If Eve lets an abnormally high fraction of multi-photons go to Bob, then decoy states (which has high weight of multi-photons) will have an abnormally high transmission. Therefore, Alice and Bob can catch Eve.

But there are some drawbacks of Hwang’s original idea:

1. Hwang’s security analysis was heuristic, rather than rigorous.

2. “Dark counts”–an important effect–are not considered.

3. Final results (distance and key generation rate) are unclear.

Suppose that a decoy state and a signal state have the same characteristics (wavelength, timing information, etc) by H.K. Lo etc’s methods [29]. Therefore, Eve cannot distinguish a decoy state from a signal state and the only piece of information available to Eve is the number of photons in a signal. Therefore, the yield, Yn (yield of an n-photon signal), and QBER, en (quantum bit error rate of an n-photon signal), can depend on only the photon number,n, but not which distribution (decoy or signal) the state is from. If Eve cannot treat the decoy state any differently from signal state, then

Yn(signal)=Yn(decoy)=Ynen(signal)=en(decoy)=en.

Let us imagine that Alice varies over all non-negative values of μ randomly and independently for each signal, Alice and Bob can experimentally measure the yield Qμ and the QBER Eμ.

Since the relations between the variables Qμ’s and Yn’s and between Eμ’s and en’s are linear, given the set of variables Qμ’s and Eμ’s measured from their experiments, Alice and Bob can deduce mathematically with high confidence the variables Yn’s and en’s. This means that Alice and Bob can constrain simultaneously the yields, Yn and QBER en simultaneously for all n. Suppose Alice and Bob know their channel property well. Then, they know what range of values of Yn’s and en’s is acceptable. Any attack by Eve that will change the value of any one of the Yn’s and en’s substantially will, in principle, be caught with high probability by decoy state method. Therefore, in order to avoid being detected, the eavesdropper, Eve, has very limited options in her eavesdropping attack. In summary, the ability for Alice and Bob to verify experimentally the values of Yn and en’s in the decoy state method greatly strengthens their power in detecting eavesdropping, thus leading to a dramatic improvement in the performance of their QKD system. The decoy state method allows Alice and Bob to detect deviations from the normal behavior due to eavesdropping attacks.

In [29], they also give for the first time a rigorous analysis of the security of decoy state QKD. Moreover, they show that the decoy state idea can be combined with the prior art GLLP analysis. And we can get the comparison results with and without decoy state as the following Figure3.

4.1. Eavesdropping attacks

In order to simplify the problem, several eavesdropping strategies of limited generality have been defined ([31-33]) and analyzed. Of particular interest is the assumption that Eve attaches independent probes to each qubit and measures her probes one after the other. They can be classified as follows:

Individual attacks: In an individual attack, Eve performs an attack on each signal independently. The intercept-resend attack is an example of an individual attack. let us consider the simple example of an intercept-resend attack by an eavesdropper Eve, who measures each photon in a randomly chosen basis and then resends the resulting state to Bob. For instance, if Eve performs a rectilinear measurement, photons prepared by Alice in the diagonal bases will be disturbed by Eve’s measurement and give random answers. When Eve resends rectilinear photons to Bob, if Bob performs a diagonal measurement, then he will get random answers. Since the two bases are chosen randomly by each party, such an intercept-resend attack will give a bit error rate of 0.5×0.5+0.5×0 = 25%, which is readily detectable by Alice and Bob. Sophisticated attacks against QKD do exist. Fortunately, the security of QKD has now been proven.

Collective attacks: A more general class of attacks is collective attack where for each signal, Eve independently couples it with an ancillary quantum system, commonly called an ancilla, and evolves the combined signal/ancilla unitarily. She can send the resulting signals to Bob, but keep all ancillas herself. Unlike the case of individual attacks, Eve postpones her choice of measurement. Only after hearing the public discussion between Alice and Bob, does Eve decide on what measurement to perform on her ancilla to extract information about the final key.

Joint attacks: The most general class of attacks is joint attack. In a joint attack, instead of interacting with each signal independently, Eve treats all the signals as a single quantum system. She then couples the signal system with her ancilla and evolves the combined signal and ancilla system unitarily. She hears the public discussion between Alice and Bob before deciding on which measurement to perform on her ancilla.

For joint and collective attacks, the usual assumption is that Eve measures her probe only after Alice and Bob have completed all public discussion about basis reconciliation, error correction, and privacy amplification. For the more realistic individual attacks, one assumes that Eve waits only until the basis reconciliation phase of the public discussion. With today’s technology, it might even be fair to assume that in individual attacks Eve must measure her probe before the basis reconciliation [34]. The motivation for this assumption is that one hardly sees what Eve could gain by waiting until after the public discussion on error correction and privacy amplification before measuring her probes, since she is going to measure them independently anyway. About practical QKD, they summary some assumptions about security of QKD in [18]. We describe them in the next subsection 4.2.

4.2. Some assumptions about security of QKD

Quantum key distribution is often described by its proponents as “unconditionally secure” to emphasize its difference with computationally secure classical cryptographic protocols. While there are still conditions that need to be satisfied for quantum key distribution to be secure, the phrase “unconditionally secure” is justified because, not only are the conditions reduced, they are in some sense minimal necessary conditions. Any secure key agreement protocol must make a few minimal assumptions, for security cannot come from nothing: we must be able to identify and authenticate the communicating parties, we must be able to have some private location to perform local operations, and all parties must operate within the laws of physics.

The following statement describes the security of quantum key distribution, and there are many formal mathematical arguments for the security of QKD.

Theorem 1 (Security statement for quantum key distribution) If 1) quantum mechanics is correct, and 2) authentication is secure, and 3) our devices are reasonably secure, then with high probability the key established by quantum key distribution is a random secret key independent (up to a negligible difference) of input values.

Assumption 1: Quantum mechanics is correct. This assumption requires that any eavesdropper be bounded by the laws of quantum mechanics, although within this realm there are no further restrictions beyond the eavesdropper’s inability to access the devices. In particular, we allow the eavesdropper to have arbitrarily large quantum computing technology, far more powerful than the current state of the art. Quantum mechanics has been tested experimentally for nearly a century, to very high precision. But even if quantum mechanics is superseded by a new physical theory, it is not necessarily true that quantum key distribution would be insecure: for example, secure key distribution can be achieved in a manner similar to QKD solely based on the assumption that no faster-than-light communication is possible [35].

Assumption 2: Authentication is secure. This assumption is one of the main concerns of those evaluating quantum key distributions. In order to be protected against man-in-the-middle attack, much of the classical communication in QKD must be authenticated. Authentication can be achieved with unconditional security using short shared keys, or with computational security using public key cryptography.

Assumption 3: Our devices are secure. Constructing a QKD implementation that is verifiably secure is a substantial engineering challenge that researchers are still working on. Although the first prototype QKD system leaked key information over a side channel (it made different noises depending on the photon polarization, and thus the “prototype was unconditionally secure against any eavesdropper who happened to be deaf” [36] ), experimental cryptanalysis leads to better theoretical and practical security. More sophisticated side-channel attacks continue to be proposed against particular implementations of existing systems (e.g., [37]), but so too are better theoretical methods being proposed, such as the decoy state method [38]. Device-independent security proofs [39, 40] aim to minimize the security assumptions on physical devices. It seems reasonable to expect that further theoretical and engineering advances will eventually bring us devices which have strong arguments and few assumptions for their security.

4.3. Security proofs for QKD

Proving the security of QKD against the most general attack was a very hard problem. It took more than 10 years, but the unconditional security of QKD was finally established in several papers in the 1990s. One approach by Mayers [16] was to prove the security of the BB84 directly. A simpler approach by Lo and Chau [17], mad use of the idea of entanglement distillation by Bennett, DiVincenzo, Smolin and Wootters (BDSW) [41] and quantum privacy amplification by Deutsch et al. [42] to solve the security of an entanglement-based QKD protocol. The two approaches have been unified by the work of Shor and Preskill [43], who provided a simple proof of security of BB84 using entanglement distillation idea. Other early security proofs of QKD include Biham, Boyer, Boykin, Mor, and Roychowdhury [44], and Ben-Or [45].

There are several approaches to security proof as following. [5]

5.1. QSS based on entanglement states

Quantum entanglement is an indispensable physical resource in QSS. Many application fields of QSS such as this entanglement feature, so the study of entanglement is the core issue of quantum information theory.

Let’s see the QSS based on entanglement. The entanglement states are all generated by the sender, and the order of two or more photons sent to the same agent is randomly changed. After the photons send to the receiver, for the detection mode, the order of the two photons is announced, so that the two parties detected the security of the quantum channel, for the information mode, the two receivers respectively does Bell measurement on the two photons they owned, and then communicate through classical channel to share the secret key with the sender. This protocol ensures the validity and security of the shared information.

We can see an example of QSS based on entanglement state GHZ [55].

Let us suppose that Alice, Bob, and Charlie each have one particle from a GHZ triplet that is in the state |ψ⟩=12(|000⟩+|111⟩). They each choose at random whether to measure their particle in the x or y direction. They then announce publicly in which direction they have made a measurement, but not the results of their measurements. Half the time, Bob and Charlie, by combining the results of their measurements, can determine what the result of Alice’s measurement was. This allows Alice to establish a joint key with Bob and Charlie, which she can then use to send her message. Let us see how this works in more detail. Define the x and y eigenstates

We can see the effects of measurements by Alice and Bob on the state of Charlie’s particle if we express the GHZ state in different ways. Noting that

we can write

This decomposition of |ψ⟩ tells us what happens if both Alice and Bob make measurements in the x direction. If they both get the same result, then Charlie will have the state 12(|0⟩c+|1⟩c); if they get different results, he will have the state 12(|0⟩c−|1⟩c). He can determine which of these states he has by performing a measurement along the x direction. The following table summarizes the effects of Alice’s and Bob’s measurements on Charlie’s state:

Alice’s measurements are given in the columns and Bob’s are given in the rows. Charlie’s state, up to normalization, appears in the boxes. From the table it is clear that if Charlie knows what measurements Alice and Bob made (that is, x or y), he can determine whether their results are the same or opposite and also that he will gain no knowledge of what their results actually are. Similarly, Bob will not be able to determine what Alice’s result is without Charlie’s assistance because he does not know if his result is the same as Alice’s or the opposite of hers.

To improve the efficiency of QSS, a protocol share the message directly among the users was proposed. The scheme made full use of entanglement swapping of Bell states and local operations. For detection of eavesdropping, the EPR pairs were divided into two parts: the checking parts and the encoding parts. After insuring the security of the quantum channel by measuring the checking particles in conjugate bases, the sender encoded her bits via the local unitary operations on the encoding parts. And the protocol is secure, and two Bell states can be used to share two bits message. And there is a scheme for multiparty quantum secret sharing which is based on EPR entangled state. In the scheme, the secret messages are imposed on the auxiliary particles, and the transmitted particles of EPR pairs do not carry any secret messages during the whole process of transmission. After both of the communicators reliably share the EPR entangled states, all the participants can securely share the secret messages of the sender. Because there is no particles that carrying the secret message being transmitted on the quantum channel during the process of transmission, the scheme can efficiently resist the eavesdropper’s attack on secret message.

So, entanglement makes an important role in quantum secret sharing and many application fields of quantum information theory such as quantum teleportation, QKD, quantum computing need to use this entanglement feature. But the quantification of the entanglement receives a better solution only for bipartite quantum system, and the quantification of multipartite entanglement is still open even for a pure multipartite state. Until now, a variety of different entanglement measures have been proposed for multipartite setting, such as the robustness of entanglement, the relative entropy of entanglement, and the geometric measure.

However, all these methods involve variable complexity problem, which make the quantification of multipartite entanglement very difficult. Fortunately, it is hopeful to obtain the exact value of the multipartite entanglement of graph states, which are very useful multipartite quantum states in quantum information processing. Graph states are the specific algorithm resources for one-way quantum computing model, and they are subsets of stabilizer states which are widely used in quantum error correction.

5.2. QSS with qudit graph states

The quantification of entanglement has attracted wide attention in recent years, but the quantification of the entanglement receives a better solution only for bipartite quantum system. And the quantification of multipartite entanglement is still open even for a pure multipartite state. Until now, a variety of different entanglement measures have been proposed for multipartite setting, such as the robustness of entanglement, the relative entropy of entanglement, and the quantification of multipartite entanglement is still open even for a pure multipartite state. Fortunately, it is hopeful to obtain the exact value of the multipartite entanglement of graph states, which are useful multipartite quantum states in quantum information processing.

The entanglement quantification of graph state is relatively simple, for it can be described by graph language. So far, the study of graph state entanglement has just started, the latest research results is determining the upper and lower bounds of graph state entanglement by using local operation and classical communication, which can only confirm the entanglement of graph states that have equal bounds. But for graph states which have unequal bounds, it can only give a range of entanglement but not the exact value.

In quantum computing, a graph state is a special type of multi-qubit state that can be represented by a graph. Each qubit is represented by a vertex of the graph, and there is an edge between every interacting pair of qubits. In particular, they are a convenient way of representing certain types of entangled states.

Given a graph G=(V, E)with the set of vertices V and the set of edges E, the corresponding graph

where the operator U{a,b} is the controlled-Z interaction between the two vertices (qubits) a, b, U{a,b}=[100001000010000−1].

And |+⟩=12(|0⟩+|1⟩). With each graph G=(V, E), we associate a graph state. A graph state is a certain pure quantum state on a Hilbert space HV=(C2)⊗V.

An alternative and equivalent definition is the following. Hence each vertex labels a two-level quantum system or qubit — a notion that can be extended to quantum systems of finite dimension d. To every vertex a∈V of the graph G=(V, E) is attached a Hermitian operator

In terms of the adjacency matrix, this can be expressed as

As usual, the matrices σx(a),σy(a),σz(a) are the Pauli matrices, where the upper index specifies the Hilbert space on which the operator acts KG(a) is an observable of the qubits associated with the vertex a and all of its neighbors b∈Na. The graph state |G⟩ is then defined as the simultaneous eigenstate of the N=|V| operators {KG(a)}a∈V with eigenvalue 1:

Here they consider three specific varieties of such schemes previously demonstrated in graph states. They note that all existing forms of secret sharing that have been proposed fall into one of these categories. [60]

1. CC scheme: The secret is classical, the dealer is connected to the player via private quantum channels and all players are connected by private classical channels.

2. CQ scheme: The secret is classical, the dealer shares public quantum channels with each player and the players are connected to each by private classical channels.

3. QQ scheme: The secret is quantum, the dealer shares either private or public quantum channels with each player and the players are connected to each other by private quantum or classical channels.

Now let’s see an example of QSS with graph states. It is the third scenario presented in the previous QQ scheme. This QQ scheme proposed is readily generalisable to qudits. In this scheme, the secret to be shared is a quantum state |s⟩ in a d-dimensional Hilbert space now, initially possessed by the dealer, who distributes it to the other parties via a joint operation on the secret state and parties’ shared graph state, in a manner analogous to quantum teleportation. We describe the general protocol explicitly below.

Denoting the dealer’s secret qudit as

The dealer prepares the state |s⟩D|G⟩D,V. Corresponding to some graph state G for the dealer’s qudit D and all the players’ qudits V. The dealer distributes the player’s qudits to them. The dealer then measures her two qudits in the generalized Bell basis {|ψ⟩mn}, where

If the dealer’s measurement result is (m,n), corresponding to the state |ψ⟩mn, then it follows from the rules for projective measurement that the resultant state for all parties is

where |gz⟩ is the encoded reduced graph state on the players 1,⋯,n with labels z.

If the dealer informs the players of their measurement result (m,n), then a set of players ∈V can apply a correction operator

to obtain the state

The access properties of this final state depend on the graph state used. Qualitatively, for certain initial graph states, the state |sg⟩V can be regarded as a superposition of orthogonal labelled graph states whose labels have the same access structure as CC protocols. Thus, the ability to recover the quantum secret corresponds to the ability to recover these classical labels, providing a natural extension of the classical protocols to the quantum case.

Acknowledgments