Paraty, Quantum Information School, August 2007 Antonio Acín ICFO-Institut de Ciències Fotòniques (Barcelona) Quantum Cryptography

Quantum Information Theory (QIT) studies how information can be transmitted and processed when encoded on quantum states. New information applications are possible because of quantum features: communication complexity and computational speed-up, secure information transmission and quantum teleportation. The key resource for all these applications is quantum correlations, or entanglement. A pure state is entangled whenever it cannot be written in a product form: A mixed state is entangled whenever it cannot be obtained by mixing product states: Quantum Information Theory

Quantum Information Theory makes my life, as a physicist, much easier! 1.Quantum Mechanics goes often against our classical intuition. 2.Standard probability theory does not apply. 3.The more quantum, the better!!

Quantum Superpositions A photon is sent into a mirror of transmission coefficient 1/2. The photon is detected in each of the two detectors half of the times. The experiment is slightly modified and two the two paths are now combined into a second mirror with the same transmission. One can adjust the difference between the two paths in such a way that only one of the detectors click!

Entanglement and Bell’s inequalities Entanglement is the most intrinsic quantum feature and Bell’s inequality violation its most striking consequence. Game: two players meet and decide about which colour to wear for their shirt and trouser. This colour can be red or green. Then, they are separated into two distant locations where they cannot communicate. A referee asks them about the colour of the shirt or trouser. Their correlated strategy has to be such that if both are asked about the trouser, their colour should be different, otherwise they should agree. S T S T S or T? S S

Entanglement and Bell’s inequalities Example: they both wear everything in red. They succeed in ¾ of the events. This is just a rewriting of the CHSH Bell’s inequality S T S T S or T? SS If the parties share a correlated quantum state when they meet, they can succeed with a probability ! Quantum correlations are more powerful than classical correlations.

Quantum Cryptography: a new form of security Standard Classical Cryptography schemes are based on computational security. Assumption: eavesdropper computational power is limited. Even with this assumption, the security is unproven. E.g.: factoring is believed to be a hard problem. Quantum computers sheds doubts on the long- term applicability of these schemes, e.g. Shor’s algorithm for efficient factorization.

Quantum Cryptography: a new form of security Quantum Cryptography protocols are based on physical security. Assumption: Quantum Mechanics offers a correct physical description of the devices. No assumption is required on the eavesdropper’s power, provided it does not contradict any quantum law. Using this (these) assumption(s), the security of the schemes can be proven.

Quantum Key Distribution (QKD) Sent: sum mod 2 Contains NO info! Private-key cryptography This scheme is information-theoretically secure! How is the key distributed? Quantum states. Alice Bob

The Quantum Bit

Heisenberg Uncertainty Relation The measurement process can modify the quantum state of the measured system.

The no-cloning theorem There is no quantum operation that makes a perfect copy of any quantum state.

The no-cloning theorem Assume there is a machine duplicating the state of a two-dimensional system: When cloning a superposition of these two orthogonal states

Basics of Quantum Cryptography The security of Quantum Key Distribution is based on:  Heisenberg’s uncertainty relation: A system is perturbed when it is measured.  No-cloning theorem: Quantum states cannot be perfectly copied. These weird quantum properties can be used to send private information!

BB84 (Bennett & Brassard) Alice Bob Alice sends states from the x and z bases with random probability. Bob measures in the same basis. The choices of bases are local and independent. Alice Bob 0 z 0 x 1

BB84 (Bennett & Brassard) Basis reconciliation: Alice and Bob announce their choices of bases. They keep only those symbols where the bases were equal → they get a list of perfectly correlated random bits. This list will provide the secret key. Intercept-Resend attack: Eve intercepts the quantum state, measures it and prepares a new state for Bob, according to her measurement result. Alice 0 Bob z Eve z ERRORS!

BB84 (Bennett & Brassard) Cloning attack: Eve perfectly clones the states in the z basis. Bob’s state is mixed, that is noisy! ERRORS! Eve’s intervention causes errors. Alice and Bob can detect her attack by comparing some of the accepted symbols → they abort the protocol. The amount of errors is related to Eve’s attack. QBER: Quantum Bit Error Rate

Other protocols  Six-state protocol: all the three maximally conjugated bases are employed. Compared to BB84, the use of more states puts extra constraints on Eve’s attack. The protocol is more robust against noise. Alice uses three bases, x, y and z, for information encoding. Bob measures in the same bases. The bases, in principle, agree with probability 1/3. Alice and Bob do not have to choose the basis with the same probability. They can use the same basis almost always, and from time to time change to a different basis. This does not compromise the security and increase the rate.

Other protocols  B92: Two non-orthogonal states are enough for a QKD protocol. Two non-orthogonal states cannot be perfectly cloned/estimated.  Vaidman: Two orthogonal states may also be enough. Alice Bob 01

Other protocols  Generalization to higher dimensional systems: The alphabets are larger, dits instead of bits. They employ nb maximally conjugated bases, where 2 ≤ nb ≤ d+1, and 012  Coherent-state protocol: They employ coherent states of light and homodyne measurements. Interesting alternative to finite-dimensional schemes. 1.A QKD protocol is interesting when its implementation is simple. 2.All these schemes are prepare and measure protocols.

Ekert protocol Alice and Bob share a maximally entangled state of two qubits. Their measurement outcomes are fully random and perfectly correlated. Alice Bob If Alice and Bob know to share a maximally entangled state, they can safely measure in a given basis, say z, and obtain a perfect key.

Ekert protocol Alice Bob The measurements x=2 and y=0 are in the same direction. The corresponding outcomes coincide → these are used for the secret key. Measurements x,y=0,1 give the maximal violation of the CHSH Bell’s inequality for the maximally entangled state. They are used to check that the distributed state is indeed a maximally entangled state of two qubits. The security of the protocol seems to be related to Bell’s inequality violation.

Entanglement vs Prepare & Measure After measuring one qubit of a maximally entangled state of two qubits and getting result b, we are projecting the other qubit into the same state. AliceBob AliceBob Perfect correlations in the x and z bases also suffice to detect a maximally entangled state of two qubits.

Entanglement vs Prepare & Measure The detection of the maximally entangled state can be done using measurements that do not violate any Bell’s inequality. Non-local correlations are not necessary for security. After moving the source into one of the parties, the entanglement-based scheme is transformed in a completely equivalent prepare & measure protocol. No entanglement is needed. This construction, however, introduces a nice correspondence between entanglement based and prepare & measure protocols. This correspondence is largely exploited in security proofs. Entanglement and non-locality will strike back!