Experimental Bit String Generation Serge Massar Université Libre de Bruxelles

Plan Recall earlier work on quantum coin tossing Theory of quantum bit string generation (joint work with Jonathan Barrett, PRA69(2004) and quant- ph ) Experimental implementation of bit string generation (L.-Ph. Lamoureux, E. Brainis, D. Amans, J. Barrett, S. M., quant- ph/ )

Coin Tossing (Blum) Two parties dont trust each other.They need to choose a random bit: –« Alice (in the USA) and Bob (in the EU) are divorcing, they need to decide who keeps the children. They decide to toss a coin. » Bit String Generation: Tossing many coins

Applications of coin tossing Divorce cases Cryptographic primitive Are there any good applications? –??Classically certified bit committement secure against polynomial quantum attack (Kent03)??

How to toss a coin? Trusted third party: YES Classical communication alone: NO Classical communication plus relativity: OK. (But each party needs to be in multiple locations) Quantum Communication: yes, to some extent.

Weak coin tossing: –Alice knows the outcome Bob wants –Bob knows the outcome Alice wants Strong coin tossing: –Alice and Bob do not know the outcome the other party wants. We will be concerned with Strong coin tossing

Bit commitment implies Coin Tossing Alice chooses a=0,1 at random Alice commits a to Bob Bob chooses b=0,1 at random Bob tells Alice the value of b Alice reveals the commitment Coin c=a+b mod 2

Quantum protocol based on imperfect bit commitment Alice chooses a=0,1 at random Commitment: –Alice sends |ψ a > to Bob – =cosθ Bob chooses b=0,1 at random. Bob tells Alice the value of b Alice reveals a Bob checks: –measures in basis |ψ a >, space orthogonal to |ψ a > –If outcome is |ψ a >, coin c=a+b mod 2 –If outcome orthogonal to |ψ a >, Bob aborts

Wining means getting the outcome you want. The protocol may abort. If the protocol aborts, everybody looses Classical communication: either Є A or Є B = ½ There exists a quantum protocol with Є A = Є B = ¼ (Ambainis) For all quantum protocols, Є> 1/√2 – ½ (Kitaev)

Alice cheats Alice does not choose a Commitment: –Alice sends |ψ>=N(|ψ 0 > + |ψ 1 >) to Bob – =cosθ Bob chooses b=0,1 at random. Bob tells Alice the value of b Alice reveals a chosen so that b+a has the desired value Bob checks: –measures in basis |ψ a >, space orthogonal to |ψ a > –Alice hopes outcome is |ψ a >, then: coin c=a+b mod 2 Alice wins –If outcome orthogonal to |ψ a >, Bob aborts It is easy for Alice to cheat if =cosθ is SMALL

Bob cheats Alice chooses a=0,1 at random Commitment: –Alice sends |ψ a > to Bob – =cosθ Bob tries to learn whether a=0 or a=1: –He measures the state –He chooses b so that if his measurement outcome was correct, he wins: b+a has the desired value Bob tells Alice the value of b Alice reveals a Hopefully Bob has won (if his measurement outcome gave the correct value of a) It is easy for Bob to cheat if cosθ is LARGE

One can choose an optimal value of =cosθ=1/√2 so that neither Alice nor Bob can cheat too much. Then

Bit String Generation Alice and Bob want to generate a string of n bits c1, c2, …, cn –A. Kent (2003) noted that this should be easier than tossing a single coin. Proposed a protocol based on the parties sharing many singlets. No security analysis.

Present work Bit string generation based on n repetitions of above protocol for coin tossing. Detailed security analysis.

1) Classical Protocol for bit string generation Best classical protocol we have found (optimal for some security criteria) –Alice chooses the value of half the bits –Bob chooses the value of the other half Thus if Alice is dishonest, Bob honest, half the bits are random, half are fixed.

For i=1 to n Alice chooses a i =0,1 at random Commitment: –Alice sends |ψ ai > to Bob – =cosθ Bob chooses b i =0,1 at random. Bob tells Alice the value of b i. Alice reveals the value of a i to Bob Bob checks: –measures in basis |ψ ai >, space orthogonal to |ψ ai > –If outcome orthogonal to |ψ a >, Bob aborts Next i If Bob has not aborted, c i =a i + b i mod 2 2) Quantum Protocol

Cheating 1 Cheating Bob: –He must measure the states received from Alice immediately → Same security analysis than when tossing a single coin. Cheating Alice: –She can send an entangled state, measure her state, then decide on the value of ai depending on the measurement outcome. –She can correlate/entangle her strategy between rounds

Cheating 2 For fixed =cosθ it is more and more difficult for Alice to cheat when n increases (since Bob carries out n measurements) → One can decrease θ as n increases This makes it more and more difficult for Bob to cheat Optimal rate of decrease θ=n - α for some α →Good security both with respect to Alice and Bob

Security Criteria: Average Bias

Security Criteria: Entropy

Security criteria: Min Entropy

Summary Open Questions: Improve quantum results. (Can entanglement help?) Obtain Kitaev type bounds for the different security criteria. Prove classical conjecture.

Experimental Bit String Generation Easier than tossing a single coin because some experimental imperfections (detector efficiency, detector dark counts) can be subtracted. –Experiment reported by Zeilinger et al (quant- ph/ ) but incomplete security analysis. –Our experiment: we did our best to prove security against ALL attacks by a dishonest party.

Experimental imperfections: –Alice’s state preparation may be noisy –The communication line may be noisy –Bob’s measurement apparatus may be imperfect A dishonest party can controle everything outside the other party’s lab. Thus in the presence of imperfections, the guaranteed bounds on randomness will be worse Alice’s Lab Bob’s Lab Communication line

For i=1 to n Alice chooses a i =0,1 at random Commitment: –Alice sends |ψ ai > to Bob – =cosθ Bob chooses b i =0,1 at random. Bob tells Alice the value of b i. Alice reveals the value of a i to Bob Bob checks: –estimates fidelity of states sent by Alice: measures in basis |ψ ai >, space orthogonal to |ψ ai > Next i If fidelity too small, Bob aborts If fidelity sufficiently large, Bob does not abort and c i =a i + b i mod 2 Quantum Protocol with imperfections

Important parameters: –Scalar product =cosθ between states prepared by Alice –Fidelity f of states as estimated by Bob. Bounds on ε B, H B depend on θ only. Bounds on ε A, H A depend on f and θ, for instance: Thus choose good compromise between =cosθ and fidelity f Security Analysis

Implementation |ψ 0 >=|+α>, |ψ 1 >=|-α> are two coherent states (by changing the intensity |α| 2, one changes the overlap =exp[-2|α| 2 ]) Bob’s measurement: – displaces the states by D ±α –Uses a single photon detector to check that the state is the vacuum. –If the detector clicks, then Alice could be cheating Notes: Displacement is simply realised by an interferometer No need to restrict Hilbert space to single photon subspace x p |α>|α> |-α> x p |α>|α> |0>=D -α |α>

Experimental setup All fiber optics Telecommunication wavelenghts Based on « plug an play » system for quantum key distribution (N. Gisin) →suitable for long distance communication (our realisation: table top)

Security Complication: – Light pulses produced by Bob, then go to Alice, then reflected back to Bob Remark: upon attenuation, any state tends towards a mixture of coherent states Typically A=10 4 Attenuation A Gaussian Noise 1/A Arbitrary state Mixture of coherent states (positive P function)

Security Solution: first measure intensity, then attenuate: this produces a mixture of coherent states of known intensity A Classical Detector Mixture of coherent states of known intensity Intensity known

Experimental Results Different choices of |α|, hence of =exp[-2|α| 2 ] Curves assume a visibility v=97% (but it is sometimes worse) Number of coins tossed n=10 4 All classical protocols have ε A + ε B ≥0.5 All classical protocols have (H A + H B )/n ≤1 (conjecture)

Summary Using quantum communication it is possible to generate very random strings of bits in the absence of noise. In the presence of imperfections the randomness goes down. Nevertheless experimental demonstration of bit strings generation using quantum communication (bits are more random than can be achieved using classical communication, at least according to the average bias criterion).

Outlook improve theoretical bounds, Improve experiment: –toss a single coin more random than possible using classical communication; –long distance bit string generation

Collaborators: –Jonathan Barrett –Louis-Philippe Lamoureux –Edouard Brainis –David Amans Funding and Support: –Université Libre de Bruxelles (ULB) –Fonds National de la Recherche Scientifique (FNRS) –Communauté Française de Belgique (ARC) –Gouvernement Fédéral Belge (PAI) –European Community (project RESQ)