
Security of Quantum Key Distribution with Entangled Photons Against Individual Attacks

Edo Waks, Assaf Zeevi, Yoshihisa Yamamoto*

Quantum Entanglement Project, ICORP, JST, E.L. Ginzton Laboratory, Stanford University, Stanford, CA 94305

(February 1, 2008)

Security of the Ekert protocol is proven against individual attacks where an eavesdropper is allowed to share any density matrix with the two communicating parties. The density matrix spans all of the photon number states of both receivers, as well as a probe state of arbitrary dimensionality belonging to the eavesdropper. Using this general eavesdropping strategy, we show that the Shannon information on the final key, after error correction and privacy amplification, can be made exponentially small. This is done by finding a bound on the eavesdropper’s average collision probability. We find that the average collision probability for the Ekert protocol is the same as that of the BB84 protocol for single photons, indicating that there is no analog in the Ekert protocol to photon splitting attacks. We then compare the communication rate of both protocols as a function of distance, and show that the Ekert protocol has potential for much longer communication distances, up to 170km, in the presence of realistic detector dark counts and channel loss. Finally, we propose a slightly more complicated scheme based on entanglement swapping that can lead to even longer distances of communication. The limiting factor in this new scheme is the fiber loss, which imposes very slow communication rates at longer distances.

arXiv:quant-ph/0012078v1 16 Dec 2000

I. INTRODUCTION

The field of quantum information theory has brought the potential to accomplish feats considered impossible by purely classical methods. One of these is the ability to transmit an unconditionally secure message between two parties, known as quantum cryptography. The first full protocol for quantum cryptography was proposed by Bennett and Brassard using four different states of a quantum system [2], and has since been known as BB84. Following the discovery of BB84, other protocols such as the two-state and six-state schemes have been proposed [1,21]. The security of all of these protocols relies on the impossibility of an eavesdropper to measure the wavefunction of a quantum system without imposing a backaction on the state. This backaction will usually result in a measurable increase in errors across the communication channel.

In 1991 it was proposed by Ekert that quantum key distribution could also be implemented using non-local correlations between quantum systems [16]. Ekert pointed out that two correlated quantum systems cannot lead to violations of Bell’s inequality if they are also correlated to a local variable which an eavesdropper can observe in order to gain knowledge of the measurement results. A test of Bell’s inequality could then provide a statement of security against eavesdropping. It was later discovered that Bell’s inequality is not necessary for security of Ekert’s protocol [4]. An eavesdropper cannot obtain knowledge from a correlated quantum state without inducing errors, just as in the other protocols.

The experimental effort to perform quantum key distribution began soon after the theory was established. Several groups have reported implementations of BB84 and other single photon schemes [12,38,28,33,8]. Long distance violations of Bell’s inequality have been demonstrated in [36], and recently several proof-of-principle experiments using entangled photons have also been performed [22,37,31].

For experimental quantum cryptography it is insufficient to show that tampering with the quantum channel will always result in some error. Practical systems have a baseline error rate which cannot be distinguished from tampering. These errors can be handled by public discussion through two additional steps, error correction and privacy amplification. The error correction step serves the dual purpose of correcting all erroneously received bits and giving an estimate of the error rate. Privacy amplification is then used to distill a shorter key which can be made as secure as desired. The length of this key depends on the amount of information which may have been leaked, and this should ideally be determined from the measured error rate and the laws of quantum mechanics.

* Also at NTT Basic Research Laboratories, Atsugi, Kanagawa, Japan.

The security of quantum key distribution against any attack allowed by the laws of quantum mechanics is a complex subject. Earlier work showed security for several restricted types of attacks [17,20]. Later security was proved for the most general individual attacks in BB84 [18,35,26], and these proofs were extended to practical photon sources in [27]. In an individual attack the eavesdropper is restricted to measuring each quantum transmission independently, but is allowed to use any measurement which is not forbidden by quantum mechanics. A more general attack allows collective measurements which make use of the correlations introduced during error correction and privacy amplification by exchange of block parities. This information can be used to refine an eavesdropper’s quantum measurement. Security against these more general attacks has been shown in [7]. The most general type of attack is known as a joint attack where the eavesdropper treats the entire quantum transmission as one system which she entangles with a probe of very large dimensionality. There are currently several proofs of security against this most general scenario [29,24,6,34].

Security against collective and joint attacks is an important milestone in quantum information theory; however, the current proofs of security are difficult to apply to realistic systems. Furthermore, it seems practically impossible to implement such attacks using currently available technology. On the other hand practical systems can be rendered completely insecure even by very simple measurements [9]. Thus, restricting Eve to only individual attacks is usually deemed reasonable for practical purposes.

The security of the Ekert protocol has not been studied as closely as that of BB84. Unlike BB84, in the Ekert protocol the photon source is located somewhere between the sender and receiver and provides both with photons. Since the two communicating parties no longer have control over the source, the eavesdropper is not restricted to making measurements. She can take on the more aggressive strategy of blocking out the source and providing the two parties with her own photons. For example, she can provide each receiver with a photon in a known quantum state. This is the two-photon analog to the "intercept and re-send" attack in BB84, and will always result in a 25% error rate. A more general eavesdropping attack allows Eve to send one photon to each receiver, while maintaining a probe system that can be measured later on. This model was used in [4] to show that if the eavesdropper insisted on not causing any errors, then she could not obtain any information about the measurements at the two receivers. However, as previously mentioned, this is not sufficient for practical quantum key distribution. We need to know the explicit relationship between the error rate and amount of information leaked, which has yet to be given. Furthermore, an eavesdropper could send more than one photon to either receiver, and a proof of security must take this into account.

In this paper we prove the security of the Ekert protocol against the most general types of individual attacks. In such an attack the eavesdropper is allowed to share any density matrix $\rho_{abe}$ with the two receivers. This density matrix describes the state of the signal sent to each receiver, and a probe state of arbitrary dimensions which the eavesdropper will use to infer information. Security is proved by upper bounding Eve’s mutual information on the final key, as well as explicitly deriving an equation for the length of this key after privacy amplification. We make no idealized assumptions about the source, such as that it emits only one pair of photons per clock cycle. Thus, our results can be directly applied to practical key distribution schemes.

One interesting aspect of our result is that the relationship between error rate and leaked information for the Ekert protocol with any source is the same as that of BB84 with an ideal single photon device. This indicates that, at least against individual attacks, there is no analog in the Ekert protocol to the powerful photon splitting attacks which severely jeopardize the security of BB84. Using the derived expression for the length of the final key, we calculate the communication rate for the Ekert protocol with ideal entangled photon sources, as well as realistic sources based on parametric down-conversion. We compare these rates with the communication rate for BB84 using poissonian, sub-poissonian, and ideal photon sources. It should be stated that some of the derivations in this paper are involved, but the results themselves are extremely easy to use, involving simple functions of experimentally measurable quantities. A concise review of the important equations is given in Section V.

In Section II we review the general theory behind quantum key distribution. We restate some important information theoretic results on error correction and privacy amplification. We then derive a method for handling the side information leaked during error correction. This method allows us to account for the effect of error correction on the length of the final key. We also re-derive rates for BB84 using both poissonian and sub-poissonian light sources. These rates will later be used to make a comparison to the Ekert protocol. In Section III we derive a proof of security for the Ekert protocol, and use it to calculate expected communication rates under practical experimental conditions. Finally, in Section IV we investigate an experimental configuration based on entanglement swapping which is less sensitive to channel loss and detector dark counts. With some technological improvement this configuration may be useful for long distance quantum key distribution.

II. PRELIMINARIES

In this section we provide a concise review of important concepts in quantum key distribution (QKD). We also derive some preliminary results which we will use in the upcoming sections. The standard participants in QKD are Alice, Bob, and Eve. Alice would like to exchange a secret key with Bob, which can later be used to encode the actual message. To do this she uses both a quantum channel and a public channel. The enemy, Eve, can listen in on the public channel, but is assumed incapable of altering the messages being exchanged. Eve is also allowed to make any measurements she can on the quantum channel. The secret key is formed in three steps. The first is the raw quantum transmission, which uses both the quantum and public channel simultaneously. The next two steps, error correction and privacy amplification, make use of only the public channel. After privacy amplification Alice and Bob each possess a copy of the secret key, about which Eve knows only a negligibly small amount of information.

A. Quantum transmission

FIG. 1. Schematic of experimental setup for BB84. [Figure not reproduced; labels: Photon Source, Pol. Mod., Channel, Eve (POVM), α/(1−α) beamsplitter with loss mode c, 50/50 beamsplitter on mode a, H/V and 45/−45.]

In the BB84 protocol Alice sends Bob a sequence of individual quantum bits (qubits) which randomly encode binary 0 or 1. The qubits are assumed to be photons with the information encoded in the polarization, but other physical implementations can usually be treated in an analogous way. Alice uses two different non-orthogonal bases to encode her information. For example, half of the time she may encode her information along the x-y axes, and the other half she uses the 45° rotated axes which we will refer to as u-v. Bob randomly chooses one of the two bases and makes a projective measurement. After all of the quantum bits have been exchanged, Alice and Bob will publicly disclose the bases they used, but not the measurement results. They agree to keep only the bits in which both parties used the same basis. These bits form the sifted key.

Figure 1 shows a schematic of the BB84 protocol. Bob is looking for photons in a spatial mode which we will label as mode a. The photons in this mode are randomly partitioned by a 50/50 beamsplitter and sent to one of the two polarizing beamsplitters. This technique, known as passive modulation, is an easy way to randomly modulate Bob’s measurement basis. Passive modulation was chosen because it is easier to implement in practical systems, and also because it simplifies the proof of security [26]. In order to model the loss in the quantum channel, detectors, and optics, we introduce an additional beamsplitter with transmission α and a loss mode c. We can set the value of α to the total loss of the system and assume that the channel, detectors, and optics are lossless. The advantage of this approach is that it allows us to easily treat the effect of losses on the quantum state of the incoming photon. All we need to do is apply a beamsplitter transformation onto the photon and trace out over mode c to get its final state. This is not as important in the BB84 protocol since the effect of the losses is rather obvious. Either a photon is detected or it is not. However, when we analyze the Ekert protocol this model will prove to be extremely helpful.

Figure 1 also shows the role of Eve. Eve tries to measure the state of each transmission that has been sent into the quantum channel. The most general type of individual measurement Eve can perform is a Positive Operator Value Measurement (POVM) [19]. In this type of measurement Eve entangles a quantum mechanical probe with each photon through a unitary evolution. The probe is stored coherently until all information from public discussion is revealed. Eve then uses all publicly disclosed information to make the best measurement on her probe. Her only restriction is that she measures each probe independently in compliance with the assumption of individual attacks. Any POVM can be characterized by a complete set of positive maps $A_k$ which satisfy the condition

$$\sum_k A_k A_k^\dagger = I. \tag{2.1}$$

If Alice sends the signal in a quantum state described by the density matrix $\rho$, the measurement backaction on the state is described by

$$\tilde{\rho} = \sum_k A_k \rho A_k^\dagger, \tag{2.2}$$

where $\tilde{\rho}$ is the quantum state after the measurement. A pure state can evolve into a mixed state through this type of intervention. The probability that Eve will measure her probe in the state k is given by

$$p(k) = \mathrm{Tr}\left(A_k \rho A_k^\dagger\right), \tag{2.3}$$

while the probability that Bob measures outcome $\psi$ is

$$p(\psi, k) = \mathrm{Tr}\left(A_k \rho A_k^\dagger E_\psi\right), \tag{2.4}$$

where $E_\psi$ denotes the projection operator onto the state $|\psi\rangle$. Unlike BB84, in the Ekert protocol both Alice and Bob are recipients of a signal. The source of this signal is presumed to be somewhere in between both parties. In the ideal case each party receives one of a pair of photons in a quantum mechanically entangled state. For example, the two photons may be in the state

$$|\psi\rangle = \frac{1}{\sqrt{2}}\left(|xx\rangle + |yy\rangle\right), \tag{2.5}$$

which implies that if both receivers measure their photon in the x-y basis, their measurement results will be completely correlated. However, one can rewrite the above state in the completely equivalent form

$$|\psi\rangle = \frac{1}{\sqrt{2}}\left(|uu\rangle + |vv\rangle\right). \tag{2.6}$$

Thus, if both receivers choose to measure in the u-v instead of the x-y basis their measurement results will remain correlated. This suggests the following protocol for quantum cryptography. Each receiver measures their respective photon randomly in either the x-y or u-v basis. Later they agree to keep only the instances in which the measurement bases were the same, forming the sifted key. Figure 2 shows a schematic of a key distribution experiment based on the Ekert protocol. In this experiment Alice is assumed to monitor mode a, and Bob mode b. Both parties use passive modulation to switch their basis. As before, we insert an additional beamsplitter into each arm to account for the losses and presume that the channel, optics, and detectors are all lossless.

FIG. 2. Schematic of experimental setup for Ekert protocol. [Figure not reproduced; labels: EPR Pair, Eve, $\rho_{abe}$, Channel (two arms), α/(1−α) beamsplitters with loss modes c and d, 50/50 beamsplitters on modes a and b, H/V and 45/−45.]

In the Ekert protocol, the role of Eve is also modified. Since she now has complete control over the source, Eve is not restricted to making measurements on the photons. In fact, she can completely block out the source and provide the two receivers with any signal she chooses, as shown in Figure 2. For example, Eve can send both receivers a photon polarized along the x axis. If Alice and Bob measure in the x-y basis then she will know their measurement result. But if they choose the u-v basis, then their measurements are completely random, resulting in a 50% error rate. This is the equivalent version of the intercept and re-send strategy in BB84. A more general attack strategy is to generate a pure state consisting of one photon for Alice, one for Bob, and some probe which Eve can later use to infer the measurement results. The most general pure state of this type that Eve can generate is

$$|\psi_{abe}\rangle = |xx\rangle|P_{xx}\rangle + |yy\rangle|P_{yy}\rangle + |xy\rangle|P_{xy}\rangle + |yx\rangle|P_{yx}\rangle, \tag{2.7}$$

where $|P_{xx}\rangle$, $|P_{yy}\rangle$, $|P_{xy}\rangle$, and $|P_{yx}\rangle$ are the states of her probe and are not assumed to be orthogonal or normalized. As with BB84, she can store her probe until all public information is revealed, and use this to refine her measurement. But even this is not completely general, because Eve could send a mixed state instead of a pure state. Furthermore, she may decide to send more than one photon to either Alice or Bob if this is advantageous. The most general state that Eve can generate is a density matrix $\rho_{abe}$, which spans the entire Hilbert space of Eve’s probe, as well as the entire photon number manifold of Alice and Bob. Once again it should be emphasized that we are restricting Eve to individual attacks, which means that she measures her probes independently, and that $\rho_{abe}$ is independently generated for each clock cycle.

It is important to point out one additional subtlety regarding security of the Ekert protocol. In the above model we assume that Eve is in fact sending photons, and not some other particle. This assumption may seem silly, but appears unavoidable, at least if one insists on using passive modulation. The reason for this is that both receivers take for granted that the optics they are using perform the measurement which they intended. They rely on the polarizing beamsplitters to make projective measurements in the polarization basis, and the 50/50 beamsplitter to randomly partition the photons. Suppose that Eve has access to a mysterious particle which is also capable of triggering a detection event in the photon counters. However, assume that this particle has a spin angular momentum of 3/2. Furthermore, the particle interacts in such a way that the 50/50 beamsplitter reflects the 3/2 and 1/2 spin states, but transmits −3/2 and −1/2. The polarizing beamsplitters instead reflect 3/2 and −3/2, but transmit 1/2 and −1/2. If Eve sends this strange unnamed particle instead of a photon she has complete control over the detection events at both receivers. Although it is highly unlikely that such a particle exists, it is a very difficult claim to prove. It has been recently shown that this loophole can be circumvented if Alice and Bob rapidly switch their measurement basis [30]. However, this method requires very low loss, which is extremely difficult to achieve with practical systems.

B. Error correction

In any realistic communication system errors are bound to occur, and some form of error correction is required. In quantum cryptography the errors typically arise from technological imperfections in the optics and detectors, but can also come from eavesdropping. In order to achieve noise free communication these errors must be corrected, and this can be done through public discussion. Following the raw quantum transmission Alice, Bob, and Eve each possess the strings X, Y, and Z respectively. In order to correct the errors, Alice and Bob exchange an additional message U such that knowledge of string Y and U leave very little uncertainty about string X. One way to mathematically express this is to use the Shannon entropy function [15]

$$H(X) = -\sum_x p(x) \log_2 p(x). \tag{2.8}$$

The conditional entropy function $H(X|Z=z)$ is defined as above using the conditional probability distribution $p(x|Z=z)$. The average conditional entropy $H(X|Z)$ is simply defined as

$$H(X|Z) = \sum_z p(z) H(X|Z=z). \tag{2.9}$$

The message U should provide Bob with enough information so that $H(X|YU) \approx 0$. Since string U is publicly disclosed Eve may learn additional information as well, but a good error correction algorithm will reduce this information leakage to a minimum. Unfortunately, given the error rate e, a lower bound exists on the minimum number of bits in U. This limit, which is a variant of the Shannon noiseless coding theorem, can be stated as

$$\lim_{n\to\infty} \frac{\kappa}{n} \ge h(e), \tag{2.10}$$

where n is the length of the string, κ is the number of bits in message U, and $h(e)$ is the conditional entropy of a single bit over a binary symmetric channel which is given by

$$h(e) = -e \log e - (1-e) \log(1-e). \tag{2.11}$$

An error correction algorithm should ideally operate very close to this limit. At the same time the algorithm should be computationally efficient or the execution time may become prohibitively long. Error correction algorithms can usually be divided into two classes, unidirectional and bidirectional algorithms. In a unidirectional algorithm information flows only from Alice to Bob. Alice provides Bob with an additional string U which he then uses to try to find his errors. Unidirectional algorithms that are both computationally efficient and operate near the Shannon limit are difficult to find [26,10]. In a bidirectional algorithm information can flow both ways, and Alice can use the feedback from Bob to determine what additional information she should provide him. This makes it easier to construct efficient algorithms. These two classes can be further subdivided into two subclasses, one for algorithms which discard errors and one for those which correct them. Discarding errors is usually done in order to prevent additional side information from leaking to Eve. Algorithms which correct errors allow for this additional flow of side information and account for it during privacy amplification. Since privacy amplification is typically a very efficient process, algorithms which correct the errors tend to perform better.

The communication rate in QKD strongly depends on the type of error correction algorithm used. In order to get an estimate of this rate we must at least decide on which of the four subclasses the algorithm belongs to. Since we are interested in practical systems, and because efficiency is very important in quantum key distribution, we will assume that the algorithm is bidirectional and corrects the errors. An example of such an algorithm can be found in [10].

C. Privacy amplification

After error correction, Alice and Bob share an error free string X. Eve has also potentially obtained at least partial information about this string from attacks on the raw quantum transmission and side information leaked during error correction. In [18] it is shown that even with a measured error rate of 1%-5% a non-negligible amount of information on string X could have been revealed. Thus X cannot by itself be used as a key. However, through the method of generalized privacy amplification [3], the string X can be compressed to a shorter string K over which any eavesdropper has only a negligible amount of information. The amount of compression needed depends on how much information may have been compromised during the previous phases of the transmission. To do privacy amplification Alice picks a function g out of a universal class of functions G which map all n bit strings to r bit strings where r < n (see [3] for more details). Once g has been picked and publicly announced both parties calculate the string K = g(X), which serves as the final key. This key is considered secure if Eve’s mutual information on K, defined as [15]

$$I_E(K; GV) = H(K) - H(K|GV), \tag{2.12}$$

is negligibly small, where G is the random variable corresponding to the choice of function g and V is all the information available to Eve. An important quantity in the analysis of privacy amplification is the collision probability defined as

$$P_c(X) = \sum_x p^2(x). \tag{2.13}$$

One can show that the conditional entropy $H(K|G)$ is bounded by [3, Thm. 3]

$$H(K|G) \ge r - \frac{2^r P_c(X)}{\ln 2}. \tag{2.14}$$

This theorem can be applied to conditional distributions as well, which leads to

$$H(K|G, Z=z) \ge r - \frac{2^r P_c(X|Z=z)}{\ln 2}, \tag{2.15}$$

where $P_c(X|Z=z)$ is just the collision probability of the distribution $p(x|Z=z)$. By averaging both sides of the above equation we get

$$H(K|GZ) \ge r - \frac{2^r \langle P_c(X|Z=z)\rangle_z}{\ln 2}, \tag{2.16}$$

where

$$\langle P_c(X|Z=z)\rangle_z = \sum_z p(z) P_c(X|Z=z) \tag{2.17}$$

is the average collision probability. This is a quantity of central importance in privacy amplification. In the case of individual attacks, the i’th bit in Z depends only on the i’th bit in X. Under these circumstances the average collision probability factors into the product of the average collision probability of each bit. Thus,

$$\langle P_c(X|Z=z)\rangle_z = (p_c)^n, \tag{2.18}$$

where n is the number of bits in string X and

$$p_c = \sum_{\alpha=0,1} \sum_{\beta=1}^{k} \frac{p^2(\alpha, \beta)}{p(\beta)}. \tag{2.19}$$

In the above expression α sums over the possible values of a single bit in Alice’s string and β sums over the possible measurement outcomes of the probe, which are enumerated from 1 to k. Suppose that we are able to come up with a bound of the form $-\log_2 \langle P_c(X|Z=z)\rangle_z \ge c$. If we set $r = c - s$, where s is a security parameter chosen by Alice and Bob, then (2.16) leads to

$$I_E(X; Z) \le \frac{2^{-s}}{\ln 2}. \tag{2.20}$$

Thus, a bound on the average collision probability tells how short we should make string K.

Before concluding this review of the main concepts in privacy amplification we would like to make a few comments on the notion of security in QKD. As stated above we consider the key secure if the mutual information is very small. One might raise concerns about this definition of security. The mutual information can be interpreted as the average number of bits Eve will obtain on the final key. In any given experiment it is possible that Eve can obtain significantly more bits than the average, but this happens with small probability. Perhaps a more satisfactory notion of security would be a statement of the form, with probability no greater than ε Eve obtains no more than δ bits of information on the final key. The mutual information is an important quantity because it allows us to make such a statement. A simple method for doing this is to use the Markov bound

$$P(I \ge \delta) \le \frac{I_E(K; GUZ)}{\delta}, \tag{2.21}$$

where I is the actual number of bits of information Eve has obtained. Setting δ = 1 gives us a bound on the probability that Eve obtains more than one bit of information on the final string. This may serve as a more convincing statement of security than statements about the average. Plugging (2.20) into the above expression shows that the probability that Eve obtains more than one bit on the final key is exponentially small in the security parameter s.
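The compression step K = g(X) described in this section, as an added example that is not code from the paper: g is drawn from the family of binary Toeplitz matrices, which is an assumed choice of universal class (the paper defers to [3] and names none). All function names and the sample strings are constructed for illustration.

```python
import itertools
import secrets


def toeplitz_hash(x_bits, r, seed_bits):
    """Compress the n-bit string X to the r-bit key K = g(X) over GF(2).

    g is the r x n Toeplitz matrix T with T[i][j] = seed_bits[i - j + n - 1],
    so the public description of g is only n + r - 1 bits.
    """
    n = len(x_bits)
    if not 0 < r < n:
        raise ValueError("privacy amplification needs 0 < r < n")
    if len(seed_bits) != n + r - 1:
        raise ValueError("seed must contain n + r - 1 bits")
    key = []
    for i in range(r):
        bit = 0
        for j in range(n):
            bit ^= seed_bits[i - j + n - 1] & x_bits[j]
        key.append(bit)
    return key


def random_bits(count):
    """Uniform bits from the OS CSPRNG (stands in for Alice's random choice)."""
    return [secrets.randbits(1) for _ in range(count)]


def collision_fraction(n, r, x_bits, y_bits):
    """Fraction of all 2^(n+r-1) functions g with g(x) == g(y).

    Exhaustive over every seed, so only usable for tiny n and r.
    A universal class requires this to be at most 2^-r whenever x != y.
    """
    hits = 0
    total = 0
    for seed in itertools.product((0, 1), repeat=n + r - 1):
        total += 1
        if toeplitz_hash(x_bits, r, seed) == toeplitz_hash(y_bits, r, seed):
            hits += 1
    return hits / total


def demo(n=64, r=24):
    """Alice and Bob hash the same error-corrected string with the same public g."""
    x = random_bits(n)             # constructed stand-in for the corrected string X
    seed = random_bits(n + r - 1)  # Alice announces this over the public channel
    k_alice = toeplitz_hash(x, r, seed)
    k_bob = toeplitz_hash(list(x), r, seed)
    return k_alice, k_bob


if __name__ == "__main__":
    ka, kb = demo()
    print("keys agree:", ka == kb, "key length:", len(ka))
    # Universality check on a toy size: n = 4, r = 2, two distinct inputs.
    print("collision fraction:", collision_fraction(4, 2, [1, 0, 1, 1], [0, 0, 1, 0]))
```

The seed may be public because the guarantee in (2.14) is an average over the choice of g; what must stay unpredictable to Eve before the quantum transmission ends is which g will be chosen.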

D. Handling side information from error correction

If the only information available to Eve comes from string Z, which is obtained from attacks on the quantum transmission, then the discussion in the previous section is sufficient. But in the case of bi-directional error correction Eve will also learn an additional string U which gives her more information about Alice’s key. This side information must also be included in the calculation. We can apply the bound in (2.14) to the conditional distribution $p(x|U=u, Z=z)$, which leads to

$$H(K|G, U=u, Z=z) \ge r - \frac{2^r P_c(X|U=u, Z=z)}{\ln 2}. \tag{2.22}$$

We can then try to average both sides of the above expression but doing this introduces additional complications. The random variable U introduces correlations between different bits in strings X and Z. Because of this the average collision probability no longer factors into the product of individual bits, as in (2.18). This makes the problem of finding a bound on the average collision probability significantly more difficult. This problem has been previously investigated in [13], where several bounds on the collision probability $P_c(X|Z=z, U=u)$ were derived. But the extension of this work to the average collision probability involves a few subtleties, which we deal with in Appendix A. In this appendix we show that if we set

$$r = n\tau - \kappa - t - s, \tag{2.23}$$

where

$$\tau = -\log_2 p_c, \tag{2.24}$$

κ is the number of bits in message U, n is the length of the error corrected key, and both s and t are security parameters chosen by Alice and Bob, then

$$I_E \le 2^{-t} r + \frac{2^{-s}}{\ln 2}. \tag{2.25}$$

This bound on Eve’s information is still exponentially small in the security parameters, and only involves the collision probability averaged over her measurements on the quantum transmission.

E. Communication rates for BB84

The main effort in proving security of quantum key distribution against individual attacks comes down to finding a bound for $p_c$, defined in (2.19). This bound should come from the laws of quantum mechanics. The quantity $p_c$ has been extensively studied by Lütkenhaus in the context of the BB84 protocol [26]. In this work several bounds are derived using the model of a POVM, which Eve performs on each quantum transmission. Lütkenhaus points out that it is better not to discard any signals, even ambiguous dual fire events, in order not to open up a security loophole. Monitoring the dual fire events can be very useful to prevent Eve from sending Bob additional photons. This is precisely why we picked passive modulation, where the 50/50 beamsplitter randomly partitions all incoming photons. If Eve uses more than one photon she will cause dual fire events with very high probability. By keeping track of these events and dealing with them during error correction, Alice and Bob can make it unfavorable for Eve to employ such tactics. One convenient way to keep track of dual fire events is to define a disturbance measure

$$\epsilon = \frac{n_{err} + w_D n_D}{n_{rec}}, \tag{2.26}$$

where $n_{rec}$, $n_{err}$, and $n_D$ are the number of error corrected bits, error bits, and ambiguous dual fire events respectively, and $w_D$ is an independently chosen weighting parameter. The value of $w_D$ should be made sufficiently large so that it is to Eve’s advantage to only use single photons. It is shown in [26] that if the passive modulation scheme is used and $w_D$ is set to 1/2 the collision probability can be bounded by

$$p_c \le \frac{1}{2} + 2\epsilon - 2\epsilon^2. \tag{2.27}$$
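Equations (2.10)-(2.11), (2.19), (2.23)-(2.25) and (2.27) combine into a key-length budget for single-photon BB84. The Python below is an added example, not code from the paper: it assumes dual fire events are negligible so that the disturbance equals the error rate e, and `ec_efficiency` (how far error correction sits above the Shannon limit) and all function names are hypothetical.

```python
import math


def binary_entropy(e):
    """h(e) of (2.11) in bits, with h(0) = h(1) = 0."""
    if e in (0.0, 1.0):
        return 0.0
    return -e * math.log2(e) - (1.0 - e) * math.log2(1.0 - e)


def collision_probability(joint):
    """Per-bit average collision probability p_c of (2.19).

    joint[alpha][beta] = p(alpha, beta) for Alice's bit alpha in {0, 1}
    and Eve's probe outcome beta in {0, ..., k-1}.
    """
    pc = 0.0
    for beta in range(len(joint[0])):
        p_beta = joint[0][beta] + joint[1][beta]
        if p_beta > 0.0:
            pc += (joint[0][beta] ** 2 + joint[1][beta] ** 2) / p_beta
    return pc


def pc_bound_bb84(e):
    """Bound (2.27) with the disturbance set equal to the error rate e."""
    if not 0.0 <= e <= 0.5:
        # Guard added here: outside this range the bound exceeds 1 or is meaningless.
        raise ValueError("error rate must lie in [0, 0.5]")
    return 0.5 + 2.0 * e - 2.0 * e * e


def final_key_length(n, e, s, t, ec_efficiency=1.0):
    """Key length r of (2.23) for n error-corrected bits at error rate e.

    kappa is taken as ec_efficiency * n * h(e), i.e. the limit (2.10)
    scaled by an assumed inefficiency factor >= 1.
    Returns (r, tau, kappa); r is clamped at 0 when no secure key remains.
    """
    tau = -math.log2(pc_bound_bb84(e))                        # (2.24)
    kappa = math.ceil(ec_efficiency * n * binary_entropy(e))  # bits leaked in U
    r = math.floor(n * tau - kappa - t - s)                   # (2.23)
    return max(r, 0), tau, kappa


def eve_information_bound(r, s, t):
    """Right-hand side of (2.25), in bits."""
    return 2.0 ** (-t) * r + 2.0 ** (-s) / math.log(2.0)


if __name__ == "__main__":
    n, s, t = 10_000, 30, 30  # constructed sample values
    for e in (0.0, 0.01, 0.05, 0.11, 0.12):
        r, tau, kappa = final_key_length(n, e, s, t)
        leak = eve_information_bound(r, s, t)
        # With delta = 1 in (2.21), `leak` also bounds P(Eve learns >= 1 bit).
        print(f"e={e:.2f} tau={tau:.4f} kappa={kappa:5d} r={r:5d} I_E<={leak:.2e}")
```

With the bound (2.27) and error correction at the Shannon limit, r reaches zero between e = 0.11 and e = 0.12, where τ falls below h(e); raising `ec_efficiency` moves that threshold lower.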

Throughout our calculations we will assume that dual ?re events are very rare. In this limit we have ? = e, where e is the error rate. This approximation is usually reasonable, and is extremely good in the limit of large loss which is what we are mainly interested in. The above bound on the collision probability is valid for the BB84 protocol only if the photon source never injects more than one photon into the channel. However, practical photon sources sometimes inject a multi-photon state. These states are vulnerable to photon splitting attacks where Eve splits one of the photons from the pulse and leaves the remaining ones undisturbed. This can be done with a Jaynes-Cummings type interaction [27]. She can store this photon coherently until the measurement basis is revealed, after which she learns the exact value of the bit. The most powerful types of photon splitting attacks will also presume that Eve has access to lossless optical ?bers. This allows her to transmit the remaining photons from a multi-photon states with unity probability. At the same time she blocks o? a fraction of the single photon states while conserving the overall transmission rate, giving her complete knowledge over a larger fraction of the sifted key. The extension of security for realistic sources which sometimes create a multi-photon state is given in [27]. Each multi-photon state can in principle result in a collision probability of one while producing no errors. This can be accounted for by ?rst de?ning the parameter β= nrec ? nm nrec 8 (2.28)

where $n_m$ is the number of transmissions in which more than one photon was injected into the channel. The definition of $\tau$ in (2.24) should then be modified to [27]

$$\tau = -\beta \log_2 p_c(e/\beta), \tag{2.29}$$

where pc is the collision probability of a single photon state which is bounded by (2.27). We can now put all the previously discussed elements together to calculate the communication rate of the BB84 protocol with both ideal and realistic photon sources. An ideal source generates exactly one photon every clock cycle of the experiment. Such sources are beyond current technological capabilities, so most implementations of BB84 use photon sources based on attenuated coherent light. In such schemes the number of photons N in each pulse follows a poisson distribution

$$P(N = j) = e^{-\bar{n}}\,\frac{\bar{n}^j}{j!}, \tag{2.30}$$

where $\bar{n}$ is the average number of photons per pulse. The average photon number should be made sufficiently low so that the probability of injecting more than one photon into the channel is small. At the same time $\bar{n}$ cannot be made small without having a larger fraction of the pulses contain zero photons. The average number should be chosen carefully to balance both effects. After the source emits a pulse its polarization is set by an electro-optic modulator, and the signal is injected into the channel. It is detected by Bob with some probability which depends on fiber losses, the quantum efficiency of Bob's detector, and any other loss mechanism in the system. We assume that the channel transmission is an exponentially decaying function of distance. Thus, the channel transmission $T_F$ can be written as

$$T_F = 10^{-\sigma L/10}, \tag{2.31}$$

where $\sigma$ is the loss coefficient. As previously discussed, we combine all losses from the channel, detectors, and optics into one beamsplitter with transmission

$$\alpha_L = \eta T_F \tag{2.32}$$

and one loss mode c, which is shown in Figure 1. The subscript L is used to denote that the loss is a function of distance. The factor $\eta$ accounts for all constant losses in the system such as detector inefficiency and reflection loss from optics. In a practical system detection events can also arise from dark counts in the detection unit. The probability that a detection event occurs can be written as

$$p_{click} = p_{signal} + p_{dark} - p_{signal}\,p_{dark}, \tag{2.33}$$

where $p_{signal}$ is the probability that the detector registers a count due to a photon, and $p_{dark}$ is the probability it registers a dark count. If the probability of a simultaneous signal and dark count event is negligibly small we can write

$$p_{click} \approx p_{signal} + p_{dark}. \tag{2.34}$$

The expression $p_{signal}$ can be written as

$$p_{signal} = \sum_{i=1}^{\infty} p(i)\left(1 - (1 - \alpha_L)^i\right), \tag{2.35}$$

where $p(i)$ is the probability the source generated $i$ photons. For an ideal source $p(1) = 1$ and we have the rather trivial result that $p_{signal} = \alpha_L$. For a Poissonian light source we can derive the closed form solution

$$p_{signal} = 1 - e^{-\alpha_L \bar{n}}. \tag{2.36}$$

We assume that all detectors have the same dark count rate, and define $d$ as the probability of having a dark count within the measurement time window. If we neglect the events where more than one dark count is detected in a clock cycle then

$$p_{dark} = 4d. \tag{2.37}$$

Thus, the error rate $e$ is given by

$$e = \frac{p_{dark}/2 + \mu\,p_{signal}}{p_{click}}, \tag{2.38}$$

where $\mu$ takes into account the error rate of the signal photons, which may result from imperfect polarizing optics or channel distortion. The expected number of bits in the error corrected key, $n_{rec}$, is given by

$$n_{rec} = \frac{n_{tot}\,p_{click}}{2}, \tag{2.39}$$

where $n_{tot}$ is the total number of pulses sent by Alice. We now need an estimate of $\beta$ defined in (2.28). In the limit of long strings $\beta$ becomes

$$\beta = \frac{p_{click} - p_m}{p_{click}}, \tag{2.40}$$

where $p_m$ is the probability that more than one photon is injected into the channel by a pulse. An ideal source never emits more than one photon, so $p_m = 0$. For Poisson light we have

$$p_m = 1 - (1 + \bar{n})\,e^{-\bar{n}}. \tag{2.41}$$

Finally, we need to take into account the side information leaked by the correction. We define the function $f(e)$ in the same way as was done in [27]. This function determines how far off from the Shannon limit the error correction algorithm is performing. Thus,

$$\lim_{n_{rec}\to\infty} \frac{\kappa}{n_{rec}} = -f(e)\left[e\log_2 e + (1 - e)\log_2(1 - e)\right]. \tag{2.42}$$

The value of $f(e)$ can be determined by benchmark tests. Such tests have been performed for the algorithm given in [10], and values for $f(e)$ taken from this experiment are shown in Table I. We interpolate these values to determine $f(e)$ for intermediate values of $e$.

TABLE I. Benchmark performance of error correction algorithm.

e       f(e)
0.01    1.16
0.05    1.16
0.1     1.22
0.15    1.35

We can now put everything together. Using (2.23) one finds

$$r = n_{rec}\left[\beta\tau(e/\beta) - \frac{\kappa}{n_{rec}}\right] - t - s, \tag{2.43}$$

with the expression for $n_{rec}$ given in (2.39). One can then define the communication rate $R_{BB84}$ as

$$R_{BB84} = \lim_{n_{tot}\to\infty}\frac{r}{n_{tot}} = \frac{p_{click}}{2}\left\{\beta\tau(e/\beta) + f(e)\left[e\log_2 e + (1 - e)\log_2(1 - e)\right]\right\}.$$

This is the normalized rate per clock pulse, which can be multiplied by the clock rate of the source to get the actual bit rate.

III. SECURITY OF THE EKERT PROTOCOL

In this section we tackle the problem of proving security for the Ekert protocol. As shown in the previous section, this involves finding an upper bound on $p_c$ given in (2.19) using the laws of quantum mechanics. We derive this bound by allowing Eve to generate any density matrix $\rho_{abe}$ which she will share with Alice and Bob. We then calculate the communication rate for the Ekert protocol in the presence of detector dark counts and channel losses. This is done for both an ideal source which creates exactly one entangled pair per clock cycle, as well as a more practical source based on parametric down-conversion.

A. Proof of security against individual attacks

We begin the proof of security by defining the Hilbert space over which Alice and Bob make their measurements. Alice and Bob's signals are assumed to be distinguishable by their spatial and momentum states. Let us assume that Alice's photon is in mode a and Bob's photon is in mode b. The most general photon signal in these two modes can be written as a linear superposition of the eigenstates

$$|\psi\rangle_{ab} = |n_1, n_2\rangle_a\,|n_3, n_4\rangle_b, \tag{3.1}$$

where $n_1$ and $n_2$ are the number of photons in the x and y polarization of mode a, and $n_3$ and $n_4$ are the number of photons in the x and y polarization of mode b. Eve is allowed to pick any density matrix $\rho_{abe}$ which represents some entangled state of her probe and the signals transmitted to Alice and Bob. She can send any number of photons she wishes, or a coherent superposition of photon numbers. We first define the disturbance in the same way as (2.26). The only difference is that now both Alice and Bob could see a dual-fire event, so $p_D$ is interpreted as the probability that either sees such an event. We assume that Eve has complete control over whether a photon is detected or not, so she can provide any density matrix $\rho_{abe}$ of her choosing. Our first step is to show that Eve's best strategy is to keep track of how many photons she is sending to both receivers. This is done in Appendix B, where we first show that off diagonal terms in $\rho_{abe}$ which couple different photon number states sent to Alice and Bob do not contribute to any measurement results. This is simply a consequence of the detection apparatus used by Alice and Bob, which is composed of passive linear optics and photon counters. These elements alone cannot distinguish between a coherent superposition and random mixture of photon number states. By keeping track of how many photons she is sending Eve destroys these off diagonal terms. But since they never factor into the measurements she can do this without affecting the disturbance, and knowing the number of photons received can potentially refine her attack. The main consequence of the above result is that the most general density matrix $\rho_{abe}$ can be assumed to be in the block diagonal form

$$\rho_{abe} = \sum_{i,j=1}^{\infty} \rho_{abe}^{(ij)}, \tag{3.2}$$

where $\rho_{abe}^{(ij)}$ spans the subspace where Alice is sent $i$ photons and Bob is sent $j$ photons. Furthermore, because Eve knows how many photons were sent her collision probability can be broken up into different photon number contributions as

$$p_c = \sum_{i,j=1}^{\infty} \frac{p_{rec}^{(ij)}}{p_{rec}}\,p_c^{(ij)}, \tag{3.3}$$

where

$$p_c^{(ij)} = \sum_{m\in M^{(ij)},\,\psi} \frac{1}{p_{rec}^{(ij)}}\,\frac{p^2(\psi, m)}{p(m)}. \tag{3.4}$$

The set $M^{(ij)}$ is defined as the set of all measurement results on Eve's probe if she sent $i$ photons to Alice and $j$ to Bob, and $p_{rec}^{(ij)}$ is the probability that the signal component $\rho_{abe}^{(ij)}$ enters the error corrected key. We can similarly break up the disturbance measure $\epsilon$ into different photon number contributions as

$$\epsilon = \sum_{ij} \frac{p_{rec}^{(ij)}}{p_{rec}}\,\frac{p_{err}^{(ij)} + w_D\,p_D^{(ij)}}{p_{rec}^{(ij)}} = \sum_{ij} \frac{p_{rec}^{(ij)}}{p_{rec}}\,\epsilon^{(ij)}. \tag{3.5}$$

In the above expression $p_{err}^{(ij)}$ is the probability that $\rho_{abe}^{(ij)}$ enters the sifted key as an error, and $p_D^{(ij)}$ is the probability that it causes a dual fire event. Our next step is to investigate the term $p_c^{(11)}$. In Appendix C we show that this term is bounded by

$$p_c^{(11)} \le \frac{1}{2} + 2\epsilon^{(11)} - 2\left(\epsilon^{(11)}\right)^2. \tag{3.6}$$

Once this is established, we show in Appendix D that if the weighting parameter $w_D$ in (3.5) is set to 1/2 then Eve's optimal strategy is to only send one photon to Alice and Bob. Given that this is the optimal strategy one is led directly to the result

$$p_c \le \frac{1}{2} + 2\epsilon - 2\epsilon^2, \tag{3.7}$$

which is exactly the same collision probability given in (2.27). Our proof makes no idealized assumptions about the entangled photon source, such as that it only emits one pair of photons per clock cycle. As a matter of fact the source never enters the picture since we assume that Eve blocks it out and replaces it with the best possible source allowed by the laws of quantum mechanics. The error rate and dual fire rate alone are enough to put a bound on her collision probability.

B. Ideal entangled photon source

Before analyzing practical entangled photon sources for the Ekert protocol we will first analyze the simpler case of an ideal entangled photon source. This source is assumed to create exactly one pair of photons per clock cycle, whose quantum state is given by

$$|\psi_+\rangle = \frac{1}{\sqrt{2}}\left(|HV\rangle + |VH\rangle\right). \tag{3.8}$$

Although proposals for creating such a source exist [5], we do not know of any successful implementations of this proposal to date. Nevertheless, this simplified analysis will set the groundwork for the analysis of entangled photon sources based on parametric down-conversion. When doing two photon experiments, one is no longer interested in individual detection events. Instead, one looks for coincidence events where two detectors simultaneously fire. We separate the coincidence probability into two parts: $p_{true}$ is the probability of a true coincidence from a pair of entangled photons, and $p_{false}$ is the probability of a false coincidence which for an ideal source can only occur from a photon and dark count, or two dark counts. We write

$$p_{coin} = p_{true} + p_{false}, \tag{3.9}$$

where once again the probability of a simultaneous true and false coincidence are considered negligibly small. First we need to decide where to put the source. Using the definition in (2.32), we set the source a distance $x$ from Alice and $L - x$ from Bob. Then $p_{true} = \alpha_x\alpha_{L-x} = \alpha_L$, and

$$p_{false} = \alpha_x(1 - \alpha_{L-x})\,4d(1 - d)^3 + \alpha_{L-x}(1 - \alpha_x)\,4d(1 - d)^2 + 16d^2(1 - d)^2. \tag{3.10}$$

It can be seen that the probability of a true coincidence does not change with $x$, but the false coincidence rate does. A simple optimization shows that the false coincidence rate achieves a minimum halfway between Alice and Bob. At this optimal location the false coincidence rate is

$$p_{false} = 8\alpha_{L/2}\,d + 16d^2, \tag{3.11}$$

where we keep only terms that are quadratic in $\alpha_{L/2}$ and $d$. Higher order terms can be ignored because they correspond to more than one detection event at either receiver. The error rate $e$ is

$$e = \frac{p_{false}/2 + \mu\,p_{true}}{p_{coin}}, \tag{3.12}$$

which then leads to an expression for the communication rate $R_{Ekert}$

$$R_{Ekert} = \frac{p_{coin}}{2}\left\{\tau(e) + f(e)\left[e\log_2 e + (1 - e)\log_2(1 - e)\right]\right\}. \tag{3.13}$$

C. Entangled photons from parametric down-conversion

A more practical way of generating entangled photons is to use the spontaneous emission of a non-degenerate parametric amplifier. This technique, known as parametric down-conversion, is extensively used to generate entanglement in polarization as well as other degrees of freedom such as energy and momentum. Parametric amplifiers exploit the second order non-linearities of non-centrosymmetric materials. These non-linearities couple three different modes of an electromagnetic field via the interaction Hamiltonian [39]

$$H_I = i\hbar\chi^{(2)} V e^{i(\omega - \omega_a - \omega_b)t}\,\hat{a}^\dagger\hat{b}^\dagger + \mathrm{h.c.},$$

where modes a and b are treated quantum mechanically while the third mode $V e^{i\omega t}$ is considered sufficiently strong to be treated classically. The state of the field after the nonlinear interaction is given by

$$|\psi\rangle = \exp\left[\frac{1}{i\hbar}\int_0^T H_I(t)\,dt\right]|0\rangle.$$

We assume the energy conservation condition, $\omega = \omega_a + \omega_b$, which leads directly to

$$|\psi\rangle = e^{\chi(\hat{a}^\dagger\hat{b}^\dagger - \hat{a}\hat{b})}\,|0\rangle,$$

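where the parameter $\chi$ depends on several factors including the non-linear coefficient $\chi^{(2)}$, the pump energy, and the interaction time. Using the operator identity [39]

$$e^{\chi(\hat{a}^\dagger\hat{b}^\dagger - \hat{a}\hat{b})} = e^{\Gamma\hat{a}^\dagger\hat{b}^\dagger}\,e^{-g(\hat{a}^\dagger\hat{a} + \hat{b}^\dagger\hat{b} + 1)}\,e^{-\Gamma\hat{a}\hat{b}}, \tag{3.14}$$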

where $\Gamma = \tanh\chi$, $g = \ln\cosh\chi$, directly leads to the relation

$$|\psi\rangle = \frac{1}{\cosh\chi}\sum_{n=0}^{\infty}\tanh^n\chi\,|n\rangle_a\,|n\rangle_b. \tag{3.15}$$

The above equation makes it clear that whenever a photon is detected in one mode, the conjugate mode must also contain a photon. In order to generate entanglement in polarization one needs to create a correlation between the polarization of these two modes. This is typically done using non-colinear Type II phase matching [23], which leads to the slightly more complicated interaction

$$H_I = i\hbar\chi^{(2)} A e^{i\omega t}\left(\hat{a}_x^\dagger\hat{b}_y^\dagger + \hat{a}_y^\dagger\hat{b}_x^\dagger\right) + \mathrm{h.c.},$$

where x and y refer to the polarization of the photon. Since all creation operators in the Hamiltonian commute, we can apply (3.14) to both mode pairs which directly leads to

$$|\psi\rangle = \frac{e^{\tanh\chi\,(\hat{a}_x^\dagger\hat{b}_y^\dagger + \hat{a}_y^\dagger\hat{b}_x^\dagger)}}{\cosh^2\chi}\,|0\rangle. \tag{3.16}$$

In the limit of small χ one can make the approximation √ |ψ ≈ 1 ? 2χ2 |0 + 2χ |1 ax |1 by |0

ay |0 bx

+ |0

ax |0 by |1 ay |1 bx

(3.17)

Thus, a parametric down-converter creates an approximate Bell state if $\chi$ is sufficiently small to ignore higher order contributions. But $\chi$ cannot be made small without sacrificing the rate of down-conversion. We want to calculate the probability $p_{coin}$ and the error rate $e$ as a function of the parameter $\chi$, as well as the optical losses and dark counts of the detectors. We begin by defining the field operator

$$\hat{\psi} = \frac{e^{\tanh\chi\,(\hat{a}_x^\dagger\hat{b}_y^\dagger + \hat{a}_y^\dagger\hat{b}_x^\dagger)}}{\cosh^2\chi}. \tag{3.18}$$

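The beamsplitter model that we have introduced previously to account for the losses becomes very useful here. The beamsplitters perform a unitary operation on the modes which is given by

$$\hat{a}_\sigma \to \sqrt{\alpha_{L/2}}\,\hat{a}_\sigma + \sqrt{1 - \alpha_{L/2}}\,\hat{c}_\sigma,$$

$$\hat{b}_\sigma \to \sqrt{\alpha_{L/2}}\,\hat{b}_\sigma + \sqrt{1 - \alpha_{L/2}}\,\hat{d}_\sigma,$$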

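where $\sigma$ represents polarization and the modes c and d are the reflected modes of the beamsplitter. To determine the state of the photons after the loss we first apply this beamsplitter transformation. To simplify the notation we define another field operator

$$\psi_{\rho\phi} = \hat{\rho}_x^\dagger\hat{\phi}_y^\dagger + \hat{\rho}_y^\dagger\hat{\phi}_x^\dagger,$$

where $\rho$ and $\phi$ are any two independent modes. Using this definition, (3.18) is transformed by the two beamsplitters into

$$\hat{\psi} = \frac{1}{\cosh^2\chi}\exp\left\{\tanh\chi\left[\alpha_{L/2}\,\psi_{ab} + \sqrt{\alpha_{L/2}\left(1 - \alpha_{L/2}\right)}\left(\psi_{ad} + \psi_{bc}\right) + \left(1 - \alpha_{L/2}\right)\psi_{cd}\right]\right\}.$$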

We can expand this expression in terms of a? and ?? as ? b ? ψ= 1 exp tanh χ 1 ? αL/2 ψcd cosh2 χ 1+ tanh χn n n! n=1 + ψD

∞

αL/2 (1 ? αL/2 ) (ψad + ψcb )

αL/2 nψab + n(n ? 1) 1 ? αL/2 ψad ψcb

where $\psi_D$ is the wave operator which contains all the terms that create more than one photon in either mode. It is now necessary to operate on the vacuum and trace out over modes c and d to get the final density matrix. As shown in Appendix B we can ignore any off diagonal terms that couple different photon number states because they do not contribute to the signal. We define the density matrix $\rho_{\psi_+}$ as the two photon density matrix in which the photons are in the entangled state $|\psi_+\rangle$ given in (3.8). The matrices $\rho_0^a$ and $\rho_0^b$ represent a zero photon vacuum state in mode a and b respectively. Finally we define the matrices $\rho_u^a$ and $\rho_u^b$ as

$$\rho_u^{a,b} = \frac{I}{2}, \tag{3.19}$$

where $I$ is the identity matrix. The above matrices correspond to an unpolarized photon in mode a or b respectively. After tracing out loss modes c and d the density matrix becomes

$$\rho_{AB} = A\rho_{\psi_+} + B\,\rho_0^a\otimes\rho_0^b + C\left(\rho_u^a\otimes\rho_0^b + \rho_0^a\otimes\rho_u^b\right) + D\,\rho_u^a\otimes\rho_u^b + (1 - A - 2B - C - D)\,\rho_D, \tag{3.20}$$

where ρD is the matrix which represents all the possible states in which more than one photon is in either mode a or b after the losses. The coe?cients A,B,C, and D are A= 2α2 tanh2 χ 1 L/2 cosh4 χ 1 ? tanh2 χ 1 ? α L/2 1 1 cosh4 χ 1 ? tanh2 χ 1 ? αL/2 , 2 4 , (3.21)

B=

2

(3.22)

C=

2αL/2 1 ? αL/2 tanh2 χ 1 , 4 2 2 cosh χ 1 ? tanh2 χ 1 ? α L/2

2

(3.23)

4α2 1 ? αL/2 tanh4 χ 1 . D= cosh4 χ 1 ? tanh2 χ 1 ? αL/2 4

(3.24)

In the above expression, A is the probability that Alice and Bob share an entangled pair of photons. This component of the signal will be defined as a true coincidence, because it leads to error free transmission. The coefficient B is then the probability that neither receiver gets a photon, either because the source failed to generate a pair or because all photons were lost. Similarly, C is the probability that one of the two receivers gets a photon but the other does not. In order for these signals to be factored into the key they must be accompanied by dark counts. Coefficient D is the probability that both receivers get a photon, but these photons are unpolarized and uncorrelated. Note that D is at least fourth order in $\tanh\chi$, indicating that at least two pairs must be created in order for it to exist. The intuitive explanation for the presence of this unpolarized component is that when higher order number states are created, and some of these photons are lost, the loss modes c and d play a similar role to Eve. The photons in these modes can potentially carry some information about the quantum state of the other photons, and will thus result in decoherence. Since this component of the signal causes a 50% error, we can lump it into the definition of a false coincidence. Hence,

$$p_{true} = A,$$

$$p_{false} = 16d^2 B + 8dC + D.$$

The communication rate can be calculated by simply plugging these expressions into (3.12) and (3.13).

D. Calculations

[Figure 3: two panels plotting Bits Per Pulse (logarithmic scale) against (a) Distance (km) and (b) Loss (dB). Curves: BB84 - Poisson Light, BB84 - Single Photons, Ekert - PDC, Ekert - Ideal Source (labelled Ekert - Ideal EPR in panel b).]

FIG. 3. Comparison of communication rate for BB84 and Ekert protocol. Plot (a) is for 1.5 μm fiber optical communication experiment. In this wavelength $\eta = 0.18$, $d = 5 \times 10^{-5}$, and the channel loss $\sigma$ is set to 0.2 dB/km. For the Ekert protocol the distance is the total separation between Alice and Bob. Plot (b) shows calculated values for free-space quantum key distribution with visible photons. The rate is plotted as a function of the total loss, including detector quantum efficiency. The detectors are assumed to have a dark count rate of $d = 5 \times 10^{-8}$. For the Ekert protocol the loss is the total loss in both arms.

We now use the previously derived equation to calculate the rate of quantum key distribution using both the Ekert protocol and BB84. We perform simulations for fiber optical and free space key distribution experiments. For the fiber optical simulation we look at the 1.5 μm telecommunication window, while for free space communication we focus on the visible wavelengths where single photon counters tend to perform best. In free space communication the channel loss is no longer an exponential function of distance. Instead, it is a complicated function which results from atmospheric effects, beam diffraction, and beam steering problems. Thus for free space we are more interested in the rate as a function of the total loss rather than distance. Figure 3 shows the calculation results, for both BB84 and Ekert protocols with ideal and realistic sources. In plot (a) of the figure we show results for fiber optical communications. Using experimental values from [8] we set the detector quantum efficiency to 0.18, $d = 5 \times 10^{-5}$, and the channel loss $\sigma = 0.2$ dB/km. We also set the baseline error rate $\mu = 0.01$, and add an extra 1 dB of loss to account for losses in the receiver unit. The curves corresponding to the Ekert protocol plot the distance from Alice to Bob, with the source assumed halfway in between. Plot (b) shows calculations for free space quantum key distribution. The communication rate is plotted as a function of the total loss, including the detector quantum efficiency. In the free space curves for the Ekert protocol we again put the source halfway between Alice and Bob and plot the rate as a function of the total loss in both arms. The dark counts of the detectors are set to $5 \times 10^{-8}$. In the curve for BB84 with a Poisson light source the average photon number $\bar{n}$ is a free adjustable parameter. Similarly in the Ekert protocol with parametric down-conversion we are free to adjust $\chi$.
For both cases we numerically optimize the communication rate at each point with respect to the adjustable parameter. Each curve features a cutoff distance where the communication rate quickly drops to zero. This cutoff is due to the dark counts, which begin to make a non-negligible contribution to the signal at some point. However the two curves for the Ekert protocol feature a much longer cutoff distance than the BB84 counterparts. This is due partially to the absence of the photon splitting attacks. But even when performing BB84 with ideal single photon sources, which don't suffer from photon splitting attacks either, the cutoff distance for the Ekert protocol is still significantly longer. The reason for this is that in the Ekert protocol, a dark count alone cannot produce an error. It must be accompanied by a photon or another dark count, and thus is much less likely to contribute to the signal. The difference in rates between the ideal EPR source and the parametric down-converter can be attributed to the interplay between coefficient A in (3.22), and coefficient D in (3.24). Term A is the probability of a real coincidence, and increases with $\chi$. Term D on the other hand contributes to false coincidences and increases with $\chi$ as well, but is of higher order. One cannot make A arbitrarily large without getting an increased contribution from D. This leads to an optimum value for $\chi$ which is less than one.
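The rate calculation described in this section, carried through for the fiber parameters quoted for plot (a), as an added Python example (not the authors' code). It evaluates the BB84 formulas (2.33)-(2.43) for ideal and Poisson sources and the ideal-source Ekert formulas (3.9)-(3.13). Assumptions of the example: the 1 dB receiver loss applies once per receiver, $p_{true}$ is taken as $\alpha_{L/2}^2$, $f(e)$ is held constant outside Table I, the mean photon number is optimized by a grid search, and all function names are hypothetical.

```python
import math

# Values quoted in the text for plot (a) of Fig. 3 (1.5 um fiber).
ETA = 0.18        # detector quantum efficiency
DARK = 5e-5       # dark count probability d per detector and time window
SIGMA = 0.2       # fiber loss coefficient, dB/km
BASE_ERR = 0.01   # baseline error rate of the signal photons
RX_LOSS_DB = 1.0  # extra receiver loss; assumed here to apply once per receiver

# Table I: benchmark performance f(e) of the error correction algorithm.
F_TABLE = [(0.01, 1.16), (0.05, 1.16), (0.10, 1.22), (0.15, 1.35)]


def f_ec(e):
    """Interpolate Table I linearly; hold the end values outside it (assumption)."""
    if e <= F_TABLE[0][0]:
        return F_TABLE[0][1]
    for (e0, f0), (e1, f1) in zip(F_TABLE, F_TABLE[1:]):
        if e <= e1:
            return f0 + (f1 - f0) * (e - e0) / (e1 - e0)
    return F_TABLE[-1][1]


def h2(e):
    """Binary entropy, -[e log2 e + (1 - e) log2(1 - e)], for 0 < e < 1."""
    return -(e * math.log2(e) + (1 - e) * math.log2(1 - e))


def tau(eps):
    """-log2 of the bound (2.27); no secrecy is credited once eps >= 1/2."""
    if eps >= 0.5:
        return 0.0
    return -math.log2(0.5 + 2 * eps - 2 * eps ** 2)


def alpha(length_km):
    """Combined transmission (2.31)-(2.32) of one arm of the given length."""
    return ETA * 10 ** (-(SIGMA * length_km + RX_LOSS_DB) / 10)


def bb84_rate(length_km, mean_photons=None):
    """BB84 bits per pulse; mean_photons=None means an ideal single-photon source."""
    a = alpha(length_km)
    if mean_photons is None:
        p_signal, p_multi = a, 0.0
    else:
        p_signal = 1 - math.exp(-a * mean_photons)                   # (2.36)
        p_multi = 1 - (1 + mean_photons) * math.exp(-mean_photons)   # (2.41)
    p_dark = 4 * DARK                                                 # (2.37)
    p_click = p_signal + p_dark - p_signal * p_dark                   # (2.33)
    e = (p_dark / 2 + BASE_ERR * p_signal) / p_click                  # (2.38)
    beta = (p_click - p_multi) / p_click                              # (2.40)
    if beta <= 0:
        return 0.0  # every click could stem from a multi-photon pulse
    gain = beta * tau(e / beta) - f_ec(e) * h2(e)
    return max(0.0, p_click / 2 * gain)


def bb84_poisson_best(length_km, grid=400):
    """Grid search over the mean photon number (1e-4 to 1); returns (rate, n_bar)."""
    best_rate, best_n = 0.0, None
    for k in range(grid):
        n_bar = 10 ** (-4 + 4 * k / (grid - 1))
        rate = bb84_rate(length_km, n_bar)
        if rate > best_rate:
            best_rate, best_n = rate, n_bar
    return best_rate, best_n


def ekert_ideal_rate(length_km):
    """Ekert bits per pulse, ideal pair source midway between Alice and Bob."""
    a = alpha(length_km / 2)
    p_true = a * a                                   # one photon survives per arm
    p_false = 8 * a * DARK + 16 * DARK ** 2          # (3.11)
    p_coin = p_true + p_false                        # (3.9)
    e = (p_false / 2 + BASE_ERR * p_true) / p_coin   # (3.12)
    return max(0.0, p_coin / 2 * (tau(e) - f_ec(e) * h2(e)))  # (3.13)


def cutoff_km(rate_fn, limit_km=400):
    """First whole kilometre at which the secure rate has dropped to zero."""
    for km in range(limit_km + 1):
        if rate_fn(km) == 0.0:
            return km
    return None


if __name__ == "__main__":
    for km in (0, 20, 50, 100, 150):
        poisson, _ = bb84_poisson_best(km)
        print(f"{km:4d} km  BB84 ideal {bb84_rate(km):.3e}  "
              f"BB84 Poisson {poisson:.3e}  Ekert ideal {ekert_ideal_rate(km):.3e}")
    print("cutoffs (km):", cutoff_km(lambda km: bb84_poisson_best(km)[0]),
          cutoff_km(bb84_rate), cutoff_km(ekert_ideal_rate))
```

The ordering of the three cutoff distances reproduces the qualitative behaviour discussed above; the exact values depend on the assumptions listed in the lead-in.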

IV. ENTANGLEMENT SWAPPING

[Figure 4 omitted; diagram labels: Alice, Bob, EPR, B, with inset labels H/V and 50/50.]

FIG. 4. Experimental setup for quantum key distribution with entanglement swaps.

In this section we analyze a more complicated scheme based on entanglement swapping. Figure 4 gives a diagram of the proposed configuration. A series of entangled photon sources, which we assume to be ideal sources, are spread out an equal distance apart from Alice to Bob. The sources are clocked to simultaneously emit a single pair of entangled photons. Each of the pair is sent to a corresponding Bell State Analyzer, whose action is to perform an entanglement swap. If all the swaps have been successfully performed, Alice and Bob will share a pair of entangled photons. Experimental demonstrations of a single entanglement swap can be found in [32]. Entanglement swapping is a key element for quantum repeaters, which use entanglement purification protocols to reliably exchange quantum correlated photons between two parties [11]. We show that even without such protocols, using only linear optical elements, photon counters, and a clocked source of entangled photons, swapping can enhance the communication distance. The key element to the scheme is the Bell Analyzer. Since we restrict ourselves to passive linear elements and vacuum auxiliary states we cannot achieve a complete Bell Measurement. It has recently been shown that Bell Analyzers based on only these components cannot have better than a 50% efficiency [14]. One scheme which achieves this maximum is shown on the inset of Figure 4. This scheme will distinguish between the states

$$|\psi_\pm\rangle = \frac{1}{\sqrt{2}}\left(|HV\rangle \pm |VH\rangle\right) \tag{4.1}$$

but will register an inconclusive result if sent the states

$$|\phi_\pm\rangle = \frac{1}{\sqrt{2}}\left(|HH\rangle \pm |VV\rangle\right). \tag{4.2}$$

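The state generated by the entangled photon sources is assumed to be $|\psi_+\rangle$. Considering only a single swap, we can write

$$|\psi_+\rangle_{12}\,|\psi_+\rangle_{34} = \frac{1}{2}\left[|\psi_+\rangle_{23}|\psi_+\rangle_{14} - |\psi_-\rangle_{23}|\psi_-\rangle_{14} + |\phi_+\rangle_{23}|\psi_+\rangle_{14} - |\phi_-\rangle_{23}|\phi_-\rangle_{14}\right]. \tag{4.3}$$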

The above expression makes it clear that a Bell measurement on photons 2 and 3 leaves photons 1 and 4 in an entangled state, and the measurement result tells which one. After N such Bell measurements photon 1 and 2N will be entangled, and the N Bell measurement results will allow Alice and Bob to know which entangled state they share. Knowledge of this state allows them to do entangled photon key distribution and interpret their data correctly. Since our Bell analyzer has an efficiency of only 50%, in the best possible case we will pay a price of $2^{-N}$ in communication rate. Consider the single swap. We will define $\alpha$ to be the detection probability for each photon. The probability that both photon 2 and 3 reach the Bell analyzer and are successfully projected is

$$p^{true}_{swap} = \frac{1}{2}\alpha^2. \tag{4.4}$$

If a photon is lost in the fiber or due to detector inefficiency the Bell analyzer may still indicate that a Bell measurement has been performed due to detector dark counts. The probability of this happening is

$$p^{false}_{swap} = 6\alpha d + 12d^2. \tag{4.5}$$

Defining the factor

$$g = \frac{p^{true}_{swap}}{p^{true}_{swap} + p^{false}_{swap}}, \tag{4.6}$$

it is straightforward to show that, given the Bell analyzer registered a successful Bell measurement, the density matrix of photons 1 and 4 is given by

$$\rho_{14} = g\,\rho_{\psi_\pm} + (1 - g)\,\frac{I}{4}, \tag{4.7}$$

where $\rho_{\psi_\pm}$ is the pure state $|\psi_+\rangle$ or $|\psi_-\rangle$ depending on the measurement result. For the case of N entanglement swaps the detection probability for each photon is

$$\alpha = \eta\,10^{-\frac{\sigma L}{10(2N+2)}}, \tag{4.8}$$

where L is the distance from Alice to Bob. It is again straightforward to show that after N swaps, the state of photon 1 and 2N is

$$\rho_{1,2N} = g^N\rho_{\psi_\pm} + (1 - g^N)\,\frac{I}{4}, \tag{4.9}$$

and the probability that all N Bell measurements registered a successful result is

$$p_{Bell} = \left(p^{true}_{swap} + p^{false}_{swap}\right)^N. \tag{4.10}$$

We then have

$$p_{true} = p^N_{Bell}\,g^N\alpha^2,$$

$$p_{false} = p^N_{Bell}\left(8\alpha d + 16d^2 + (1 - g^N)\alpha^2\right).$$

These can be plugged into (3.12) and (3.13) to get the final communication rate.

[Figure 5: Bits per Pulse (logarithmic scale) against Distance (km), 0 to 450 km. Curves: Ekert - Ideal Source, One swap, Two swaps.]

FIG. 5. Comparison of Ekert protocol with regulated EPR source, one swap scheme, and two swap scheme. Fibers and detectors are taken for the 1.5 μm window.

In Figure 5 we show a comparison between the Ekert protocol with an ideal entangled photon source, a one swap scheme, and a two swap scheme using a fiber optic channel at 1.5 μm. The swaps result in a longer cutoff distance which can lead to longer communication ranges. It should be noted however that at these distances the natural fiber loss is substantial and will lead to very slow communication rates. It is unclear whether swapping will lead to a practical form of quantum key distribution, but a single swap could be useful for very long distance QKD.

V. DISCUSSION

A standard quantum key distribution experiment involves three steps: raw quantum transmission, error correction, and privacy amplification. In the first two steps, Alice and Bob exchange a key which is partially secure. The purpose of the third step is to compress this partially secure key to a shorter key which is as secure as desired. The natural question to ask is, what is the relationship between the length of the final key and its security? This question has already been answered in previous work for the BB84 protocol with the restriction that Eve is only allowed to attack each bit individually. In this paper we provide a similar answer for the Ekert protocol. In summary, suppose that two parties wish to communicate using the Ekert protocol. They can then ensure that their final key is secure against general individual attacks by performing the following. After error correction, they calculate the disturbance measure which is defined as

$$\epsilon = \frac{n_{err} + n_D/2}{n_{rec}},$$

where $n_{rec}$ is the number of bits in the error corrected string, $n_{err}$ is the number of error bits, and $n_D$ is the number of dual-fire events in which more than one photon counter was triggered. They next calculate the parameter $\tau$, which is given by

$$\tau = -\log_2\left(\frac{1}{2} + 2\epsilon - 2\epsilon^2\right).$$

Using the techniques of generalized privacy amplification discussed in [3], they compress their key to a shorter key of length $r$ given by

$$r = \tau n_{rec} - \kappa - s - t,$$

where $\kappa$ is the number of bits exchanged during error correction and $t$ and $s$ are independent security parameters chosen by the two parties. The choice of these parameters depends on how much security is desired on the final key, which is quantified by an upper bound on Eve's mutual information. This bound is explicitly given by

$$I_E(K; GUZ) \le 2^{-t}r + \frac{2^{-s}}{\ln 2},$$

which is exponentially small in $s$ and $t$. Using the above results we compared the performance of BB84 and Ekert for both ideal and practical sources. We investigated fiber-optic as well as free-space key distribution scenarios. The Ekert protocol was shown to have significantly better performance at longer distance provided that the source can be placed midway between the two communicating parties. This opens up the possibility for communication lengths of up to 170 km, although at low bit rates. The low bit rate is predominantly caused by the fiber losses. Finally, we analyzed a more complicated scheme based on entanglement swaps using only linear optical components, photon counters, and a clocked source of entangled photons. Entanglement swapping can allow for even longer distance secure communication, but at some point the natural loss of the fiber becomes so severe that the communication rate is prohibitively slow.

ACKNOWLEDGMENTS

The authors would like to thank Norbert Lütkenhaus for his many comments and suggestions.

APPENDIX A: INFORMATION BOUNDS ON EAVESDROPPING.

In this appendix we show how to bound Eve's expected information $I_E(K; GUZ)$ by the average collision probability $\langle p_c(x|z)\rangle_z$ where

$$\langle P_c(X|Z = z)\rangle_z = \sum_z p(z)\,P_c(X|Z = z), \tag{A1}$$

$$P_c(X|Z = z) = \sum_x p^2(x|z). \tag{A2}$$

Let $U$ and $Z$ be arbitrary, possibly correlated, random variables over alphabets $\mathcal{U}$ and $\mathcal{Z}$ respectively. Let $|\cdot|$ denote the cardinality of a given set. Let $t > 0$ be a security parameter chosen by Alice and Bob and define set $A$ as

$$A = \left\{(u, z) \in (\mathcal{U}, \mathcal{Z}) : p(u|z) \ge \frac{2^{-t}}{|\mathcal{U}|}\right\}. \tag{A3}$$

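Defining $A^c$ as the complement of set $A$ we have

$$P(A^c) = \sum_{(u,z)\in A^c} p(u, z) = \sum_{(u,z)\in A^c} p(u|z)\,p(z) \le \frac{2^{-t}}{|\mathcal{U}|}\sum_{u\in\mathcal{U},\,z\in\mathcal{Z}} p(z) = 2^{-t}.$$

Thus with probability of at least $1 - 2^{-t}$ the combined string $(U, Z)$ takes a value in $A$. Then for another random variable $X$

$$\begin{aligned}
\langle P_c(X|Z = z)\rangle_z &= \sum_{z\in\mathcal{Z}} p(z)\sum_x p^2(x|z) \\
&= \sum_{z\in\mathcal{Z}} p(z)\sum_x\Big[\sum_{u\in\mathcal{U}} p(u|z)\,p(x|uz)\Big]^2 \\
&\ge \sum_{z\in\mathcal{Z}} p(z)\sum_x\sum_{u\in\mathcal{U}} p^2(u|z)\,p^2(x|uz) \\
&= \sum_{z\in\mathcal{Z},\,u\in\mathcal{U}} p(u, z)\,p(u|z)\sum_x p^2(x|uz) \\
&\ge \sum_{(z,u)\in A} p(u|z)\,p(u, z)\sum_x p^2(x|uz) \\
&\ge \frac{2^{-t}}{|\mathcal{U}|}\sum_{(z,u)\in A} p(u, z)\,P_c(X|U = u, Z = z).
\end{aligned}$$

Thus

$$\sum_{(z,u)\in A} p(u, z)\,P_c(X|U = u, Z = z) \le 2^t\,|\mathcal{U}|\,\langle P_c(X|Z = z)\rangle_z. \tag{A4}$$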

We can now use this result to bound $H(K|GUZ)$ as follows:

$$\begin{aligned}
H(K|GUZ) &= \sum_{u,z} p(u, z)\,H(K|G, U = u, Z = z) \\
&= \sum_{(u,z)\in A} p(u, z)\,H(K|G, U = u, Z = z) + \sum_{(u,z)\in A^c} p(u, z)\,H(K|G, U = u, Z = z) \\
&\ge \sum_{(u,z)\in A} p(u, z)\,H(K|G, U = u, Z = z),
\end{aligned}$$

using the positivity of the conditional entropy functions, and the fact that $U$ and $Z$ are independent of $G$. Plugging (2.22) into the above inequality leads to

$$\begin{aligned}
H(K|GUZ) &\ge \sum_{(u,z)\in A} p(u, z)\left[r - \frac{2^r\,p_c(X|U = u, Z = z)}{\ln 2}\right] \\
&\ge (1 - 2^{-t})\,r - \frac{2^r}{\ln 2}\,2^t\,|\mathcal{U}|\,\langle p_c(X|Z = z)\rangle_z \\
&= (1 - 2^{-t})\,r - \frac{2^{\,r + t + \log_2|\mathcal{U}| + \log_2\langle p_c(X|Z = z)\rangle_z}}{\ln 2},
\end{aligned}$$

as follows from (A4). We can then set

$$r = -\log_2\langle p_c(X|Z = z)\rangle_z - t - \kappa - s, \tag{A5}$$

where $\kappa = \log_2|\mathcal{U}|$ is the number of bits in message $U$ and $s$ is another security parameter. This leads to the bound

H(K|GU Z) ≥ (1 ? 2?t )r ? Eve’s mutual information can now be bounded by

2?s . ln 2

(A6)

IE (K; GU Z) = H(K) ? H(K|GU Z) 2?s . ≤ 2?t r + ln 2 Plugging ( 2.18) into (A5) leads directly to r = nτ ? t ? κ ? s, where τ = ? log2 pc .

APPENDIX B: SEPARATING COLLISION PROBABILITY INTO PHOTON NUMBER CONTRIBUTIONS

(A7)

We begin by first restating a theorem proven in the Appendix of [25] which will play an important role in this and some of the following appendices. This theorem states that the expected collision probability can only increase in the presence of more detailed knowledge. Mathematically it is stated as follows: if the joint probability of signal i and measurement outcome l is split up into two measurements l′ and l″ as p(i, l) = p(i, l′) + p(i, l″) for all i, then the average collision probability can only increase. Multiple applications of this theorem show that if a joint probability for all signals is broken up into more measurements this can only improve the average collision probability. We now define the projectors

$$E_i^a = \sum_{x=0}^{i} |x, i-x\rangle_a \langle x, i-x|, \tag{B1}$$

$$E_i^b = \sum_{y=0}^{i} |y, i-y\rangle_b \langle y, i-y|, \tag{B2}$$

which project modes a and b onto the subspace where the total photon number is i. It is clear from the above definition that

$$\sum_{i=0}^{\infty} E_i^a = \sum_{i=0}^{\infty} E_i^b = I. \tag{B3}$$

Eve will generate a density matrix $\rho_{abe}$ which represents the combined state of Alice and Bob's signal and Eve's measurement probe. We expand $\rho_{abe}$ as

$$\rho_{abe} = \sum_{i,j=0}^{\infty} \rho_{abe}\,E_i^a E_j^b. \tag{B4}$$

We now prove that if $\rho_{abe}$ is replaced by the density matrix

$$\rho'_{abe} = \sum_{i,j=0}^{\infty} E_i^a E_j^b\,\rho_{abe}\,E_i^a E_j^b, \tag{B5}$$

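this has no effect on the measurements of Alice, Bob, or Eve. Note that $\rho'_{abe}$ is the same density matrix as $\rho_{abe}$ minus the off-diagonal terms which couple states in different photon number spaces. To prove our claim let $\psi_a$ and $\psi_b$ be the measurement results of Alice and Bob. They could represent the reception of an x, y, u, or v polarized photon, or they could represent an ambiguous dual fire detection. We define $F_{\psi_a}$ and $F_{\psi_b}$ as the POMs corresponding to these different measurement results. All the POMs which Alice can perform are of the form

$$F_{\psi_a} = \sum_{m,n=0}^{\infty} \alpha_{mn}\,|m,n\rangle_{+}\langle m,n| + \beta_{mn}\,|m,n\rangle_{\times}\langle m,n|, \tag{B6}$$

where $|m,n\rangle_{+}$ and $|m,n\rangle_{\times}$ represent number occupations in the x-y and u-v basis respectively. We can rewrite this as

$$\begin{aligned}
F_{\psi_a} &= \sum_{i=0}^{\infty} E_i^a \sum_{m,n=0}^{\infty} \left( \alpha_{mn}\,|m,n\rangle_{+}\langle m,n| + \beta_{mn}\,|m,n\rangle_{\times}\langle m,n| \right) \\
&= \sum_{i=0}^{\infty} E_i^a \sum_{m+n=i} \left( \alpha_{mn}\,|m,n\rangle_{+}\langle m,n| + \beta_{mn}\,|m,n\rangle_{\times}\langle m,n| \right) \\
&= \sum_{i=0}^{\infty} E_i^a \sum_{m+n=i} \left( \alpha_{mn}\,|m,n\rangle_{+}\langle m,n| + \beta_{mn}\,|m,n\rangle_{\times}\langle m,n| \right) E_i^a \\
&= \sum_{i=0}^{\infty} E_i^a F_i^a E_i^a.
\end{aligned}$$

Similarly we can write

$$F_{\psi_b} = \sum_{i=0}^{\infty} E_i^b F_i^b E_i^b. \tag{B7}$$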

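The joint probability that Alice measures result $\psi_a$, Bob measures $\psi_b$, and Eve finds her probe in state k is

$$p(\psi_a, \psi_b, k) = \mathrm{Tr}\left\{ \rho_{abe}\,F_{\psi_a} F_{\psi_b} E_k \right\}, \tag{B8}$$

where $E_k$ is the projection onto state k of Eve's probe. This can be rewritten as

$$\begin{aligned}
p(\psi_a, \psi_b, k) &= \sum_{i,j} \mathrm{Tr}\left\{ \rho_{abe}\,E_i^a E_j^b\,F_{\psi_a} F_{\psi_b} E_k \right\} \\
&= \sum_{i,j} \mathrm{Tr}\left\{ \rho_{abe}\,E_i^a E_j^b \sum_{mn} E_m^a E_n^b F_m^a F_n^b E_m^a E_n^b E_k \right\} \\
&= \sum_{i,j} \mathrm{Tr}\left\{ \rho_{abe}\,E_i^a E_j^b F_i^a F_j^b E_k E_i^a E_j^b \right\} \\
&= \sum_{i,j} \mathrm{Tr}\left\{ E_i^a E_j^b\,\rho_{abe}\,E_i^a E_j^b F_i^a F_j^b E_k \right\} \\
&= \sum_{i,j} \mathrm{Tr}\left\{ E_i^a E_j^b\,\rho_{abe}\,E_i^a E_j^b F_{\psi_a} F_{\psi_b} E_k \right\} \\
&= \mathrm{Tr}\left\{ \rho'_{abe}\,F_{\psi_a} F_{\psi_b} E_k \right\}.
\end{aligned}$$

Thus, both matrices result in the same joint probability. This means that the most general density matrix can be written in block diagonal form

$$\rho_{abe} = \sum_{i,j=1}^{\infty} E_i^a E_j^b\,\rho_{abe}\,E_i^a E_j^b = \sum_{i,j=1}^{\infty} \rho_{abe}^{(ij)},$$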

where the matrix $\rho_{abe}^{(ij)}$ is a matrix over the entire Hilbert space of Eve's probe, and the subspace in which Alice receives i photons and Bob receives j photons. We now show that Eve's optimal strategy will be to keep track of how many photons she is sending to Alice and Bob. We define $|?_k\rangle$ as the measurement basis over which Eve will measure her probe, and $F_\psi$ as the positive operator measurement performed by Alice's detection unit. We then have, using the above expansion,

$$\begin{aligned}
p(\psi, ?_k) &= \mathrm{Tr}\left\{ \rho_{abe}\,F_\psi\,|?_k\rangle\langle ?_k| \right\} \\
&= \sum_{ij} \mathrm{Tr}\left\{ \rho_{abe}^{(ij)}\,F_\psi\,|?_k\rangle\langle ?_k| \right\} \\
&= \sum_{ij} \mathrm{Tr}\left\{ \langle ?_k|\,\rho_{abe}^{(ij)}\,|?_k\rangle\,F_\psi \right\}.
\end{aligned}$$

Eve can always construct a new state which will perform at least as well as the above and will allow her to keep track of how many photons she sent. Define the new density matrix

$$\tilde{\rho}_{abe} = \sum_{ij} \tilde{\rho}_{abe}^{(ij)}, \tag{B9}$$

where

$$\tilde{\rho}_{abe}^{(ij)} = \rho_{abe}^{(ij)} \otimes |ij\rangle_a\langle ij|, \tag{B10}$$

and the term $|ij\rangle_a\langle ij|$ is the state of an auxiliary system which keeps track of the number of photons sent. This new state will not change the measurement outcome of Alice or Bob because tracing out over the auxiliary system leads to the original density matrix. We define the new measurement basis as

$$|?_k^{(mn)}\rangle = |?_k\rangle \otimes |mn\rangle_a. \tag{B11}$$

If Eve measures in this new basis we have

$$p(\psi, ?_k^{(mn)}) = \mathrm{Tr}\left\{ \langle ?_k^{(mn)}|\,\tilde{\rho}_{abe}\,|?_k^{(mn)}\rangle\,F_\psi \right\}, \tag{B12}$$

and using the above definitions it is easy to show that

$$\langle ?_k^{(mn)}|\,\tilde{\rho}_{abe}^{(ij)}\,|?_k^{(mn)}\rangle = \langle ?_k|\,\rho_{abe}^{(ij)}\,|?_k\rangle\,\delta_{im}\,\delta_{jn}. \tag{B13}$$

Combining these two equations one gets

$$p(\psi, ?_k^{(mn)}) = \mathrm{Tr}\left\{ \langle ?_k|\,\rho_{abe}^{(mn)}\,|?_k\rangle\,F_\psi \right\}. \tag{B14}$$

Furthermore,

$$p(\psi, ?_k) = \sum_{mn} p(\psi, ?_k^{(mn)}). \tag{B15}$$

The measurement $?_k$ has been split up into more detailed measurements whose probabilities add up to the original. As stated earlier this more detailed information can only lead to an increase in the average collision probability, thus the new probe and measurement basis must be at least as good as the old one.

APPENDIX C: BOUND ON ONE PHOTON CONTRIBUTION FOR COLLISION PROBABILITY

In this Appendix we put a bound on $p_c^{(11)}$, which is defined as the contribution to the collision probability from signals in which Alice and Bob each receive one photon. We assume that Eve can store her probe coherently until she learns all relevant information from public discussion. Her only restriction is that she must measure each probe independently. During the public discussion, Eve will learn the measurement basis used by Alice and Bob. She will also learn which bits were received correctly, and which incorrectly, from the error correction phase. This information can potentially refine her measurement by allowing her to split bits into groups which will receive different treatment. A different measurement basis will be used for each case. We will define this basis as

$|a_k\rangle$ : bit received correctly in x-y basis
$|b_k\rangle$ : bit received correctly in u-v basis
$|c_k\rangle$ : bit received incorrectly in x-y basis
$|d_k\rangle$ : bit received incorrectly in u-v basis

Each signal sent has a probability $p_{rec}^{(11)}$ of entering the reconciled (error corrected) key. The signal can enter the key as a correct transmission or an error which will happen with probability $p_{err}^{(11)}$.

We first assume that $\rho_{abe}^{(11)}$ is a pure state. There is no loss of generality in this because for any mixed state one can construct a pure state which is at least as good. We can show this by first expanding $\rho_{abe}^{(11)}$ in pure states

$$\rho_{abe}^{(11)} = \sum_i \sigma_i\,|\psi_i\rangle\langle\psi_i|. \tag{C1}$$

If Eve uses the measurement basis $|?_k\rangle$ then

$$p(\psi, ?_k) = \sum_i \sigma_i\,\mathrm{Tr}\left\{ \langle ?_k|\psi_i\rangle\langle\psi_i|?_k\rangle\,F_\psi \right\}. \tag{C2}$$

Suppose now that instead of sending the mixed state $\rho_{abe}^{(11)}$ Eve sends the pure state

$$|\psi\rangle_{abe} = \sum_i \sqrt{\sigma_i}\,|\psi_i\rangle \otimes |i\rangle, \tag{C3}$$

where $|i\rangle$ are the eigenstates of an additional system which keeps track of which pure state was sent. One can define a new measurement basis

$$|?_k^i\rangle = |?_k\rangle \otimes |i\rangle. \tag{C4}$$

It is easy to show that

$$p(\psi, ?_k) = \sum_i p(\psi, ?_k^i). \tag{C5}$$

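It is also clear that this new state does not change the measurement outcomes for Alice and Bob, because tracing out the additional system results in the same density matrix as before. Thus, the new state must be at least as good. Rather than using the more cumbersome occupation number notation, we will adopt a shorthand notation for the case where only one photon is sent to either Alice or Bob. We will use the eigenstates $|xx\rangle$, $|yy\rangle$, $|xy\rangle$, $|yx\rangle$ to denote the different polarization states. Starting with the most generic state $|\psi\rangle_{abe}$, we expand it in the polarization basis as

$$|\psi\rangle = |xx\rangle\langle xx|\psi\rangle + |yy\rangle\langle yy|\psi\rangle + |xy\rangle\langle xy|\psi\rangle + |yx\rangle\langle yx|\psi\rangle \tag{C6}$$

$$\phantom{|\psi\rangle} = |xx\rangle|P_{xx}\rangle + |yy\rangle|P_{yy}\rangle + |xy\rangle|P_{xy}\rangle + |yx\rangle|P_{yx}\rangle, \tag{C7}$$

where the states $|P_{st}\rangle$ represent Eve's probe and are not necessarily normalized or orthogonal. It should be noted that the above state is not normalized to 1 but

$$\langle P_{xx}|P_{xx}\rangle + \langle P_{yy}|P_{yy}\rangle + \langle P_{xy}|P_{xy}\rangle + \langle P_{yx}|P_{yx}\rangle = p_{11}, \tag{C8}$$

where $p_{11}$ is the probability that Eve only sends one photon to Alice and Bob. Using the relationships

$$|u\rangle = \frac{1}{\sqrt{2}}\left( |x\rangle + |y\rangle \right), \tag{C9}$$

$$|v\rangle = \frac{1}{\sqrt{2}}\left( |x\rangle - |y\rangle \right), \tag{C10}$$

one can rewrite (C6) as

$$|\psi\rangle = |uu\rangle|P_{uu}\rangle + |vv\rangle|P_{vv}\rangle + |uv\rangle|P_{uv}\rangle + |vu\rangle|P_{vu}\rangle, \tag{C11}$$

where

$$|P_{uu}\rangle = \tfrac{1}{2}\left( |P_{xx}\rangle + |P_{yy}\rangle + |P_{xy}\rangle + |P_{yx}\rangle \right), \tag{C12}$$

$$|P_{vv}\rangle = \tfrac{1}{2}\left( |P_{xx}\rangle + |P_{yy}\rangle - |P_{xy}\rangle - |P_{yx}\rangle \right), \tag{C13}$$

$$|P_{uv}\rangle = \tfrac{1}{2}\left( |P_{xx}\rangle - |P_{yy}\rangle - |P_{xy}\rangle + |P_{yx}\rangle \right), \tag{C14}$$

$$|P_{vu}\rangle = \tfrac{1}{2}\left( |P_{xx}\rangle - |P_{yy}\rangle + |P_{xy}\rangle - |P_{yx}\rangle \right). \tag{C15}$$

We will introduce the notation

$$\langle a_k|P_{xx}\rangle = P_{xx}^k, \tag{C16}$$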

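and use the same notation for all other projections. Without loss of generality we can assume that the projections $P_{st}^k$ are real. If these projections are complex numbers then we can always find a probe of higher dimensionality which has real projections and is at least as good, using the same trick of probability splits described in Appendix B. Take for example the projection $P_{xx}^k$. We can rewrite this as

$$p(x, a_k) = \frac{1}{4}\,\mathrm{Re}[P_{xx}^k]^2 + \frac{1}{4}\,\mathrm{Im}[P_{xx}^k]^2. \tag{C17}$$

We expand $|a_k\rangle$ and $|P_{xx}\rangle$ in some orthogonal basis $|v_i\rangle$ so that

$$|P_{xx}\rangle = \sum_i \alpha_i\,|v_i\rangle, \qquad |a_k\rangle = \sum_i \beta_i\,|v_i\rangle,$$

and define

$$|P_{xx}^{*}\rangle = \sum_i \alpha_i^{*}\,|v_i\rangle, \qquad |a_k^{*}\rangle = \sum_i \beta_i^{*}\,|v_i\rangle.$$

We can then define a new probe

$$|\tilde{P}_{xx}\rangle = \frac{1}{\sqrt{2}}\left( |P_{xx}\rangle \otimes |x\rangle + |P_{xx}^{*}\rangle \otimes |y\rangle \right), \tag{C18}$$

and two new measurements

$$|a_k^{Re}\rangle = \frac{1}{\sqrt{2}}\left( |a_k\rangle \otimes |x\rangle + |a_k^{*}\rangle \otimes |y\rangle \right), \tag{C19}$$

$$|a_k^{Im}\rangle = \frac{1}{\sqrt{2}}\left( |a_k\rangle \otimes |x\rangle - |a_k^{*}\rangle \otimes |y\rangle \right). \tag{C20}$$

It is easy to show, using (C17), that the projections on this new probe are all real and that

$$p(x, a_k) = p(x, a_k^{Re}) + p(x, a_k^{Im}). \tag{C21}$$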

This state must be at least as good for the aforementioned reason, so an optimal solution exists which has only real projections. We can now write all the relevant probabilities as

$$p(x, a_k) = \frac{1}{4}\left(P_{xx}^k\right)^2, \tag{C22}$$

$$p(y, a_k) = \frac{1}{4}\left(P_{yy}^k\right)^2, \tag{C23}$$

$$p(x, c_k) = \frac{1}{4}\left(P_{xy}^k\right)^2, \tag{C24}$$

$$p(y, c_k) = \frac{1}{4}\left(P_{yx}^k\right)^2. \tag{C25}$$

The probabilities in the u-v basis are obtained by replacing x and y with u and v and a and c with b and d respectively. These define all the probabilities which will factor into $p_c^{(11)}$. We can now write the collision probability in terms of the above expressions

$$p_c^{(11)} = \frac{1}{4 p_{rec}^{(11)}} \sum_k \left[ \frac{(P_{xx}^k)^4 + (P_{yy}^k)^4}{(P_{xx}^k)^2 + (P_{yy}^k)^2} + \frac{(P_{uu}^k)^4 + (P_{vv}^k)^4}{(P_{uu}^k)^2 + (P_{vv}^k)^2} + \frac{(P_{xy}^k)^4 + (P_{yx}^k)^4}{(P_{xy}^k)^2 + (P_{yx}^k)^2} + \frac{(P_{uv}^k)^4 + (P_{vu}^k)^4}{(P_{uv}^k)^2 + (P_{vu}^k)^2} \right]. \tag{C26}$$

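Using the Cauchy inequality discussed in [26, Appendix] we can put an upper bound on the above expression of the form

$$p_c^{(11)} \le 1 - \frac{1}{2 p_{rec}^{(11)}} \left[ \frac{\left(\sum_k P_{xx}^k P_{yy}^k\right)^2}{\sum_k (P_{xx}^k)^2 + \sum_k (P_{yy}^k)^2} + \frac{\left(\sum_k P_{uu}^k P_{vv}^k\right)^2}{\sum_k (P_{uu}^k)^2 + \sum_k (P_{vv}^k)^2} + \frac{\left(\sum_k P_{xy}^k P_{yx}^k\right)^2}{\sum_k (P_{xy}^k)^2 + \sum_k (P_{yx}^k)^2} + \frac{\left(\sum_k P_{uv}^k P_{vu}^k\right)^2}{\sum_k (P_{uv}^k)^2 + \sum_k (P_{vu}^k)^2} \right].$$

However we notice that

$$\sum_k P_{st}^k P_{s't'}^k = \sum_k \langle P_{st}|?_k^{(11)}\rangle\langle ?_k^{(11)}|P_{s't'}\rangle = \langle P_{st}|P_{s't'}\rangle, \tag{C27}$$

using the completeness of Eve's measurement basis. Thus our new bound on the collision probability is

$$p_c^{(11)} \le 1 - \frac{1}{2 p_{rec}^{(11)}} \left[ \frac{\langle P_{xx}|P_{yy}\rangle^2}{\langle P_{xx}|P_{xx}\rangle + \langle P_{yy}|P_{yy}\rangle} + \frac{\langle P_{uu}|P_{vv}\rangle^2}{\langle P_{uu}|P_{uu}\rangle + \langle P_{vv}|P_{vv}\rangle} + \frac{\langle P_{xy}|P_{yx}\rangle^2}{\langle P_{xy}|P_{xy}\rangle + \langle P_{yx}|P_{yx}\rangle} + \frac{\langle P_{uv}|P_{vu}\rangle^2}{\langle P_{uv}|P_{uv}\rangle + \langle P_{vu}|P_{vu}\rangle} \right].$$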

The relations in (C12)-(C15) can be used to replace the u-v terms with x-y terms. We also impose the symmetric eavesdropping conditions

$$\langle P_{xx}|P_{xx}\rangle = \langle P_{yy}|P_{yy}\rangle, \tag{C28}$$

$$\langle P_{xy}|P_{xy}\rangle = \langle P_{yx}|P_{yx}\rangle, \tag{C29}$$

which state that Eve must keep the number of x and y states balanced. If Eve does not maintain these conditions, she will be immediately detected because Alice and Bob will note an asymmetry in their measurements. It is also shown in [26] that these are not restrictions because any state which does not satisfy the above symmetry conditions can be replaced by one that does and which is at least as good. Taking into account all these conditions one sees that there are very few degrees of freedom left to optimize. They are $\langle P_{xx}|P_{xx}\rangle$, $\langle P_{xy}|P_{xy}\rangle$, and the angles $?_{xx}^{yy}$ and $?_{xy}^{yx}$.

The probability that a signal will enter the reconciled key is

$$p_{rec}^{(11)} = \frac{1}{2}\left( \langle P_{xx}|P_{xx}\rangle + \langle P_{yy}|P_{yy}\rangle + \langle P_{xy}|P_{xy}\rangle + \langle P_{yx}|P_{yx}\rangle \right), \tag{C30}$$

and the probability that it will enter the sifted key as an error is given by

$$p_{err}^{(11)} = p_{rec}^{(11)} - \frac{1}{4}\left( \langle P_{xx}|P_{xx}\rangle + \langle P_{yy}|P_{yy}\rangle + \langle P_{uu}|P_{uu}\rangle + \langle P_{vv}|P_{vv}\rangle \right). \tag{C31}$$

The above relations can be directly plugged into the definition of the disturbance to give

$$?^{(11)} = \frac{\langle P_{xx}|P_{xx}\rangle\left(1 - \cos ?_{xx}^{yy}\right) + \langle P_{xy}|P_{yx}\rangle\left(3 - \cos ?_{xy}^{yx}\right)}{4\left( \langle P_{xx}|P_{xx}\rangle + \langle P_{xy}|P_{yx}\rangle \right)}. \tag{C32}$$

The collision probability is then bounded by

$$\begin{aligned}
p_c^{(11)} \le{}& \frac{3}{4} - \frac{\langle P_{xx}|P_{xx}\rangle \cos^2 ?_{xx}^{yy} + \langle P_{xy}|P_{yx}\rangle \cos^2 ?_{xy}^{yx}}{4\left( \langle P_{xx}|P_{xx}\rangle + \langle P_{xy}|P_{yx}\rangle \right)} \\
&+ \frac{\langle P_{xx}|P_{xx}\rangle \langle P_{xy}|P_{yx}\rangle}{2\left( \langle P_{xx}|P_{xx}\rangle + \langle P_{xy}|P_{yx}\rangle \right)} \left[ \frac{\left(1 + \cos ?_{xx}^{yy}\right)\left(1 + \cos ?_{xy}^{yx}\right)}{\langle P_{xx}|P_{xx}\rangle\left(1 + \cos ?_{xx}^{yy}\right) + \langle P_{xy}|P_{yx}\rangle\left(1 + \cos ?_{xy}^{yx}\right)} + \frac{\left(1 - \cos ?_{xx}^{yy}\right)\left(1 - \cos ?_{xy}^{yx}\right)}{\langle P_{xx}|P_{xx}\rangle\left(1 - \cos ?_{xx}^{yy}\right) + \langle P_{xy}|P_{yx}\rangle\left(1 - \cos ?_{xy}^{yx}\right)} \right].
\end{aligned}$$

The right hand side of the above equation should be maximized subject to the constraint given in Equation (C32). As shown in [26], the maximum is achieved when $\cos ?_{xx}^{yy} = \cos ?_{xy}^{yx} = 1 - 2?^{11}$ and $\langle P_{xx}|P_{xx}\rangle = \langle P_{xy}|P_{xy}\rangle (1 - ?^{11})/?^{11}$. The resulting bound on the collision probability is

$$p_c^{(11)} \le \frac{1}{2} + 2?^{(11)} - 2\left(?^{(11)}\right)^2. \tag{C33}$$

The above equation indicates that for $?^{(11)} = 1/2$ Eve can have complete knowledge over Alice's key. This can be accomplished by sending Alice one of a pair of maximally entangled photons and keeping the other, while sending Bob a third photon with completely random polarization. After the measurement basis is revealed, a measurement of the retained photon will tell the bit value of Alice's string.

APPENDIX D: HIGHER ORDER NUMBER STATE CONTRIBUTIONS

Higher number states are taken into account by setting $w_D$ sufficiently large so that Eve's optimal strategy is to only use single photon states. If Eve sends n photons to Alice or Bob, the probability that all n photons will be measured in the same basis is $2 \times 2^{-n}$. If Eve sends i photons to Alice and j photons to Bob we have pij ≥ 2 D pij ≤ 2 rec which leads to pij D pij rec ≥

1 2

1 ? 2 1 2

i

1 2 1 2

i

1 ? 2

1 2

j

Tr ρij abe

(D1) (D2)

j

Tr ρij , abe

?

1 i 2 1 i 2

1 2

?

1 j 2 1 j 2

≥ 1.

(D3)

As noted above a disturbance of 1/2 already implies that Eve can obtain the entire string. So setting $w_D$ to 1/2 means that Eve can do at least as well by sending only one photon to Alice or Bob. Thus

$$p_c \le \frac{1}{2} + 2? - 2?^2. \tag{D4}$$
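A numerical check of the Appendix A argument together with the key-length formulas, as an added example that is not code from the paper: it builds a constructed joint distribution p(x,u,z), verifies $P(A^c) \le 2^{-t}$ and inequality (A4) for the set A of (A3), and evaluates (A5) and (A7) with the collision bound (D4). All function names and the sample parameters are assumptions made for this illustration.

```python
import math
import random

def collision_bound(disturbance):
    """Bound (D4) on Eve's collision probability, for a disturbance in [0, 1/2]."""
    if not 0.0 <= disturbance <= 0.5:
        raise ValueError("disturbance must lie in [0, 1/2]")
    return 0.5 + 2 * disturbance - 2 * disturbance ** 2

def final_key_length(n_rec, disturbance, kappa, s, t):
    """r = n*tau - t - kappa - s with tau = -log2(p_c); 0 when no key is left."""
    tau = -math.log2(collision_bound(disturbance))
    return max(0, math.floor(n_rec * tau - t - kappa - s))

def eve_information_bound(r, s, t):
    """Bound (A7) on Eve's information in bits: 2^-t * r + 2^-s / ln 2."""
    return 2.0 ** -t * r + 2.0 ** -s / math.log(2)

def random_joint(nx, nu, nz, seed):
    """Constructed joint distribution p[x][u][z], skewed so some p(u|z) are tiny."""
    rng = random.Random(seed)
    w = [[[rng.random() ** 6 for _ in range(nz)] for _ in range(nu)]
         for _ in range(nx)]
    total = sum(v for plane in w for row in plane for v in row)
    return [[[v / total for v in row] for row in plane] for plane in w]

def check_a4(p, t):
    """Return (P(A^c), lhs, rhs) for the set A of (A3) and inequality (A4)."""
    nx, nu, nz = len(p), len(p[0]), len(p[0][0])
    p_uz = [[sum(p[x][u][z] for x in range(nx)) for z in range(nz)]
            for u in range(nu)]
    p_z = [sum(p_uz[u][z] for u in range(nu)) for z in range(nz)]
    # <P_c(X|Z=z)>_z = sum_z p(z) sum_x p(x|z)^2 = sum_{z,x} p(x,z)^2 / p(z)
    avg_pc = sum(sum(p[x][u][z] for u in range(nu)) ** 2 / p_z[z]
                 for z in range(nz) for x in range(nx))
    threshold = 2.0 ** -t / nu            # 2^-t / |U| from (A3)
    prob_ac, lhs = 0.0, 0.0
    for u in range(nu):
        for z in range(nz):
            if p_uz[u][z] / p_z[z] >= threshold:   # (u, z) lies in A
                # p(u,z) * P_c(X|U=u,Z=z) = sum_x p(x,u,z)^2 / p(u,z)
                lhs += sum(p[x][u][z] ** 2 for x in range(nx)) / p_uz[u][z]
            else:
                prob_ac += p_uz[u][z]
    return prob_ac, lhs, 2.0 ** t * nu * avg_pc

if __name__ == "__main__":
    joint = random_joint(nx=3, nu=4, nz=5, seed=1)   # constructed sample
    for t in (1, 2, 4):
        prob_ac, lhs, rhs = check_a4(joint, t)
        print(f"t={t}: P(A^c)={prob_ac:.4f} <= {2.0 ** -t:.4f}, "
              f"(A4) lhs={lhs:.4f} <= rhs={rhs:.4f}")
    # Constructed parameters: 1000 reconciled bits, kappa=100, s=t=20.
    for d in (0.0, 0.05, 0.1, 0.5):
        r = final_key_length(1000, d, kappa=100, s=20, t=20)
        print(f"disturbance={d}: r={r}, I_E <= {eve_information_bound(r, 20, 20):.2e}")
```

The key length reaches zero well before the disturbance hits 1/2, because the fixed costs κ, s and t are subtracted from an already shrinking $n\tau$.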

[1] C.H. Bennett. Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett., 68(21):3121–3124, May 1992.
[2] C.H. Bennett and G. Brassard. Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175-179, 1984.
[3] C.H. Bennett, G. Brassard, C. Crépeau, and U.M. Maurer. Generalized privacy amplification. IEEE Trans. Inf. Theory, 41(6):1915–1923, 1995.
[4] C.H. Bennett, G. Brassard, and N.D. Mermin. Quantum cryptography without Bell's theorem. Phys. Rev. Lett., 68(5):557–559, 1992.
[5] O. Benson, C. Santori, M. Pelton, and Y. Yamamoto. Regulated and entangled photons from a single quantum dot. Phys. Rev. Lett., 84(11):2513–2516, March 2000.
[6] E. Biham, M. Boyer, P.O. Boykin, T. Mor, and V. Roychowder. Proceedings of the Thirty-Second Annual ACS Symposium of Theory of Computing (ACM Press, New York, 2000), pp. 715-724.
[7] E. Biham and T. Mor. Security of quantum cryptography against collective attacks. Phys. Rev. Lett., 78(11):2256–2259, March 1997.
[8] M. Bourennane, F. Gibson, A. Karlsson, A. Hening, P. Johnson, T. Tsegaye, D. Ljunggren, and E. Sundberg. Opt. Express, 4:383, 1999.
[9] G. Brassard, N. Lütkenhaus, T. Mor, and B.C. Sanders. Limitations on practical quantum cryptography. Phys. Rev. Lett., 85(6):1330–1333, August 2000.
[10] G. Brassard and L. Salvail. Secret-key reconciliation by public discussion. Advances in Cryptology – EUROCRYPT '93, Vol. 765 of Lecture Notes in Computer Science, edited by T. Hellseth (Springer, Berlin, 1994), pp. 410-423, 1993.
[11] H. J. Briegel, W. Dür, J.I. Cirac, and P. Zoller. Quantum repeaters: The role of imperfect local operations in quantum communication. Phys. Rev. Lett., 81(26):5932–5935, December 1998.
[12] W.T. Buttler, R.J. Hughes, S.K. Lamoreaux, G.L. Morgan, J.E. Nordholt, and C.G. Peterson. Daylight quantum key distribution over 1.6km. Phys. Rev. Lett., 84(24):5652–5655, June 2000.
[13] C. Cachin and U.M. Maurer. Linking information reconciliation and privacy amplification. J. Cryptology, 10:97, 1997.
[14] J. Calsamiglia and N. Lütkenhaus. Maximum efficiency of a linear-optical Bell-state analyzer. e-print quant-ph/0007058, July 2000.
[15] T.M. Cover. Elements of information theory. Wiley, New York, 1991.
[16] A.K. Ekert. Quantum cryptography based on Bell's theorem. Phys. Rev. Lett., 67(6):661–663, August 1991.
[17] A.K. Ekert, B. Huttner, G.M. Palma, and A. Peres. Eavesdropping on quantum-cryptographical systems. Phys. Rev. A, 50(2):1047–1056, 1994.
[18] C.A. Fuchs, N. Gisin, R.B. Griffiths, C.S. Niu, and A. Peres. Optimal eavesdropping in quantum cryptography. I. Information bound and optimal strategy. Phys. Rev. A, 56(2):1163–1172, 1997.
[19] C.W. Helstrom. Operator-valued measures in quantum decision and estimation theory. Notices of the American Mathematical Society, 23(1):A163, 1976.
[20] B. Huttner and A.K. Ekert. Information gain in quantum eavesdropping. J. Mod. Optics, 41(12):2455–2466, 1994.
[21] B. Huttner, N. Imoto, N. Gisin, and T. Mor. Quantum cryptography with coherent states. Phys. Rev. A, 51(3):1863–1869, March 1995.
[22] T. Jennewein, C. Simon, G. Weihs, H. Weinfurter, and A. Zeilinger. Quantum cryptography with entangled photons. Phys. Rev. Lett., 84(20):4729–4732, May 2000.
[23] P.G. Kwiat, K. Mattle, H. Weinfurter, and A. Zeilinger. New high-intensity source of polarization entangled photon pairs. Phys. Rev. Lett., 75(24):4337–4341, December 1995.
[24] H.K. Lo and H.F. Chau. Unconditional security of quantum key distribution over arbitrarily long distances. Science, 283:2050–2056, March 1999.
[25] N. Lütkenhaus. Security against eavesdropping in quantum cryptography. Phys. Rev. A, 54(1):97–111, 1996.
[26] N. Lütkenhaus. Estimates for practical quantum cryptography. Phys. Rev. A, 59(5):3301–3319, 1999.
[27] N. Lütkenhaus. Security against individual attacks for realistic quantum key distribution. Phys. Rev. A, 61(5):2304–, 2000.
[28] C. Marand and P.T. Townsend. Opt. Lett., 20:1695, 1995.
[29] D. Mayers. e-print quant-ph/9802025.
[30] D. Mayers and A. Yao. Quantum cryptography with imperfect apparatus. e-print quant-ph/0007058, September 1998.
[31] D.S. Naik, C.G. Peterson, A.G. White A.J. Berglung, and P.G. Kwiat. Entangled state quantum cryptography: Eavesdropping on the Ekert protocol. Phys. Rev. Lett., 84(20):4733–4736, May 2000.
[32] J.W. Pan, D. Bouwmeester, H. Weifurter, and A. Zeilinger. Experimental entanglement swapping: Entangling photons that never interacted. Phys. Rev. Lett., 80(18):3891–3894, May 1998.
[33] G. Rigbordy, J.D. Gautier, N. Gisin, O. Guinnard, and H. Zbinden. J. Mod. Opt., 47:517, 2000.
[34] P.W. Shor and J. Preskill. Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett., 85(2):441–444, July 2000.
[35] B.A. Slutsky, R. Rao, P.C. Sun, and Y. Fainman. Security of quantum cryptography against individual attacks. Phys. Rev. A, 57(4):2383–2398, 1998.
[36] W. Tittel, J. Brendel, N. Gisin, and H. Zbinden. Long-distance Bell-type tests using energy-time entangled photons. Phys. Rev. A, 59(6):4150–4163, June 1999.
[37] W. Tittel, J. Brendel, H. Zbinden, and N. Gisin. Quantum cryptography using entangled photons in energy-time Bell states. Phys. Rev. Lett., 84(20):4737–4740, May 2000.
[38] P.D. Townsend. IEE Photonics Technol. Lett., 10:1048, 1998.
[39] D.F. Walls and G.J. Milburn. Quantum Optics. Springer, Berlin, 1994.
