Security of Quantum Key Distribution with Entangled Qutrits

View metadata, citation and similar papers at core.ac.uk brought to you by CORE

provided by CERN Document Server

Security of Quantum Key Distribution with Entangled Qutrits.

Thomas Durt,1 Nicolas J. Cerf,2 Nicolas Gisin,3 and Marek Zukowski˙ 4

1 Toegepaste Natuurkunde en Fotonica, Theoeretische Natuurkunde, Vrije Universiteit Brussel, Pleinlaan 2, 1050 Brussels, Belgium 2 Ecole Polytechnique, CP 165, Université Libre de Bruxelles, 1050 Brussels, Belgium 3 Group of Applied Physics - Optique, Université de Genève, 20 rue de l’Ecole de Médecine, Genève 4, Switzerland, 4Instytut Fizyki Teoretycznej i Astrofizyki Uniwersytet, Gdański, PL-80-952 Gdańsk, Poland

July 2002

Abstract

The study of quantum cryptography and quantum non-locality have traditionnally been based on two-level quantum systems (qubits). In this paper we consider a generalisation of Ekert’s cryptographic protocol[20] where qubits are replaced by qutrits. The security of this protocol is related to non-locality, in analogy with Ekert’s protocol. In order to study its robustness against the optimal individual attacks, we derive the information gained by a potential eavesdropper applying a cloning-based attack.

Introduction

Quantum cryptography aims at transmitting a random key in such a way that the presence of an eavesdropper that monitors the communication is revealed by disturbances in the transmission of the key (for a review, see e.g. [21]). Practically, it is enough in order to realize a cryptographic protocol that the key signal is encoded into quantum states that belong to incompatible bases, as in the original protocol of Bennett and Brassard[4]. In 1991, Ekert suggested[20] to base the security of quantum cryptography on non-locality, and therefore to encrypt the key signal into the incompatible qubit bases that maximise non-locality as revealed by Bell or CHSH inequalities[14]. Recently, it was shown that the tests of non-locality can be made more

1 sensitive for entangled qutrits (3-dimensional systems) than entangled qubits[12, 15, 22]. Also several qutrit-based cryptographic protocols were shown to be more secure than their qubit counterparts[2, 5, 11]. It appears therefore very tempting to investigate the performances of a generalization of Ekert’s protocol relying on the non-locality of a pair of entangled qutrits instead of qubits. In what follows, we shall analyze the security of this entangled-based cryptographic protocol against individual attacks (where Eve monitors the qutrits separately). To do this, we will consider a fairly general class of eavesdropping attacks that are based on (state-dependent) quantum cloning machines. This yields an upper bound on the acceptable error rate, which is a necessary condition for security against individual attacks (higher error rates cannot permit to establish a secret key using one-way communication).

1 The four maximally non-local qutrit bases

In the Ekert91 protocol[20], the four qubit bases chosen by Alice and Bob, the authorised users of the quantum cryptographic channel, are the four bases that maximize the violation of the CHSH inequalities[14]. They consist of two pairs of mutually conjugate bases1. When representing these four bases on the Bloch sphere, their eight component states form a perfect octogon. Similarly, there exists a natural generalisation of this set of bases in the case of qutrits[17]. In analogy with the CHSH bases, which belong to a great circle, these bases belong to a set of bases parametrized by a phase φ on a generalized equator, which we shall from now on call the φ-bases. The expression of these φ-bases in the computational basis 0 , 1 , 2 is: {| i | i | i} 2 1 ik( 2π l+φ) l = e 3 k ,l=0, 1, 2. (1) | φi √3 | i kX=0 Actually, we can rewrite this transformation as follows:

1 i( 2π l+φ) 2π 2π lφ = e 3 1 +cos( l + φ)( 0 + 2 )+sin( l + φ)( i)( 0 2 ) , (2) | i √3 | i 3 | i | i 3 − | i−| i with l =0, 1, 2. Obviously, these basis vectors form an equilateral triangle on a great circle centered in 1 . When φ varies, these triangles turn around 1 . It has been shown that when local observers| i measure the correlations exhibited by the maximally| i entangled state 1 φ+ = ( 0 0 + 1 1 + 2 2 )(3) | 3 i √3 | i⊗| i | i⊗| i | i⊗| i 2π in the four φ bases that we obtain when φi = 12 i (with i =0, 1, 2, 3), then degree of non- locality that characterizes the correlations is higher· than the degree of non-locality allowed by Cirelson’s theorem[13] for qubits, and also higher than for a large class of other qutrit bases. This can be shown by estimating the resistance of non-locality against noise[22], or by considering generalisations of the CHSH inequality to a situation in which trichotomic observables are considered[12, 15], instead of dichotomic ones as for the CHSH inequalities. Note that the states of the four maximally non-local qutrit bases form a perfect dodecagon, which generalizes the octogon encountered in the qubit case. 1By deﬁnition, two orthonormal bases of an N-dimensional Hilbert space are said to be mutually conjugate if the norm of the scalar product between any two vectors belonging each to one of the bases is equal to 1 . √N

2 2 A 3-dimensional entanglement-based (3DEB) protocol

+ Let us now assume that the source emits the maximally entangled qutrit state φ3 and that Alice and Bob share this entangled pair and perform measurements along one of the| maximallyi + non-local bases described in the previous section. It is easy to check that φ3 may be rewritten as | i + 1 φ = ( 0 0∗ + 1 1∗ + 2 2∗ (4) | 3 i √3 | φi⊗| φi | φi⊗| φi | φi⊗| φi where 2 1 ik( 2π l+φ) l∗ = e− 3 k (l =0, 1, 2) (5) | φi √3 | i kX=0 Therefore, when Alice performs a measurement in the φ basis ( l ) and Bob in its conjugate | φi basis ( lφ∗ ), their results are 100 % correlated. It is easy to check that the maximally non-local bases deﬁned| i above are two by two 100 % correlated. This can be understood as follows: phase conjugation corresponds to a symmetry that interchanges the bases of the dodecagon.

For this reason, it is natural to consider the generalization of the Ekert91 protocol for qutrits, which we shall denote the 3-dimensional entangled-based (3DEB) protocol. In this + protocol[18], Alice and Bob share the entangled state φ3 and choose each their measurement basis at random among one of the four maximally non-local| i qutrit bases (according to the statistical distribution that they consider to be optimal). Because of the existence of 100 % correlations between the maximally non-local bases, a fraction of the measurement results can be used in order to establish a deterministic cryptographic key. The rest can be used in order to detect the presence of an eavesdropper, as we shall show in the following. Let us now study the security of this protocol against optimal individual attacks.

3 Individual attacks and optimal qutrit cloning machines

We use a general class of cloning transformations as deﬁned in [9, 10]. If Alice sends the input state ψ belong to an N-dimensional space (we will consider N = 3 later on), the resulting | i joint state of the two clones (A and B) and of the cloning machine (C)is

N 1 N 1 − − ψ am,n Um,n ψ A Bm, n B,C = bm,n Um,n ψ B Bm, n A,C (6) | i→ | i | − i | i | − i m,nX=0 m,nX=0 where N 1 − U = e2πi(kn/N) k + m k (7) m,n | ih | kX=0 is an “error” operator: it shifts the state by m units (modulo N) in the computational basis, and multiplies it by a phase so as to shift its Fourier transform by n units (modulo N). We also deﬁne the N 2 generalized Bell states for a pair of N-dimensional systems as

N 1 1/2 − 2πi(kn/N) B = N − e k k + m (8) | m,ni | i| i kX=0 3 with m and n (0 m, n N 1) labelling these Bell states. Tracing over systems B and C ≤ ≤ − (or A and C) yields the ﬁnal states of clone A (or clone B): if the input state is ψ , the output clone that is resent to Bob and the ouput clone conserved by Eve are in a mixture| i of the states ψ = U ψ with respective weights p ,andq : | m,ni m,n| i m,n m,n N 1 N 1 − − ρ = p ψ ψ ,ρ= q ψ ψ (9) A m,n| m,nih m,n| B m,n| m,nih m,n| m,nX=0 m,nX=0

where the weight functions of the two clones (pm,n and qm,n) are related in the following way:

p = a 2,q= b 2 (10) m,n | m,n| m,n | m,n|

where am,n and bm,n are two (complex) amplitude functions that are dual under a Fourier transform[9]: N 1 nx my 1 − 2πi − b = e N a (11) m,n N x,y x,yX=0

Let us now assume that Eve clones the state of the qutrit that is sent to Bob (represented as the ket ψ in Eq. 6), and resends the imperfect copy (labelled by the index A) to Bob. Then, in analogy| withi [5], Eve will measure her clone (labelled by the index B in Eq. 6) in the same basisasBob(theφ basis) and her ancilla (labelled by the index C) in the conjugate basis (the φ∗ basis). For deriving Eve’s information, we need ﬁrst to rewrite the cloning transformation in these bases. By straightforward computations we get, when φ is equal to zero, that:

2 2π 2π 1/2 im( 3 (l n)+φ) im( −3 n+φ) ˜ Bm,n =3− e − lφ (l n)φ∗ = e B nφ,m∗ (12) | i | i| − i | − φ i Xl=0 where, by definition, N 1 ˜ 1/2 − 2πi(kn/3) Bm ,n =3− e kφ (k + m)∗ (13) | φ φ∗ i | i| φi kX=0 and 2 im( 2π (k+n)+φ) im( 2π n+φ) ˜ Um,n = e− 3 (k + n)φ kφ = e− 3 Un , m (14) | ih | φ − φ kX=0 where the tilde subscript refers to the new (φ and φ∗) bases. After substitution in Eq. 6, we get: 2 2 ˜ ˜ ψ am,n Um,n ψ A Bm, n B,C = a˜m,n Um ,n ψ A Bm ,n B,C (15) | i→ | i | − i φ φ | i | φ φ i m,nX=0 m,nX=0 where we the new amplitudes are defined asa ñ, m = am,n. We are interested in a cloning machine that has the same effect when expressed− in the four maximally non-local bases, so to 2π say when φi = 12 i(i =0, 1, 2, 3). This imposes strong constraints on the amplitudes am,n.It can be shown that· the cloner that clones equally well the four maximally non-local bases must be defined by an amplitude matrix amn of the form:

vxx (am,n)= yyy (16) zzz     4 It is possible to check that, in analogy with the qubit case[7], such a cloner is phase-covariant, which means that it acts identically on each state of the φ-bases. In particular, the identity (15) can be shown to hold for all values of φ. The deep reason for this property is, roughly speaking, that if the cloner remains invariant when expressed in several bases, then it means that certain combinations of Bell states possess several Schmidt bi-orthogonal decompositions. It is well-known that when at least two such decompositions exist for a bipartite pure state, then there exist inﬁnitely many of them. This explains why requiring a same cloning ﬁdelity in two maximally non-local bases (φ = 2π i, φ = 2π j(i, j =0, 1, 2, 3,i = j)) implies i 12 · j 12 · 6 phase-covariance (i.e., φ arbitrary). A proof of this property is out of the scope of the present paper.

Let us now evaluate the fidelity of this phase-covariant cloner for qutrits, along with the information that Bob and Eve can get about Alice’s state. The fidelity of the first clone (that sent to Bob) when copying a state ψ can be written, in general, as | i N 1 − F = ψ ρ ψ = a 2 ψ ψ 2 (17) A h | A| i | m,n| |h | m,ni| m,nX=0 Of course, the same relation can be used for the second clone (that kept by Eve) by replacing am,n by bm,n. For the cloning machine defined in Eq.(16), it is possible to compute the values of the fidelities by a straightforward but lenghty computation. It can be shown that they do 2 2 2 not depend on φ,thatis, lφ ρA lφ = v + y + z . The disturbances DA1 and DA2 of the h | | i 2 2 2 first clone, defined respectively as lφ+ 2π ρA lφ+ 2π and lφ 2π ρA lφ 2π yield both x + y + z . h 3 | | 3 i h − 3 | | − 3 i Making use of Eq. (11), we obtain that, for the second clone, the states of the maximally non-local bases are all copied with a same fidelity (and same disturbances), and that the 2 2 2 disturbance is minimal when y = z. Then, FB =(v +2x +12y +8xy +4vy)/3and 2 2 2 DB1,2 =(v +2x +3y 4xy 2vy)/3. We must now find what is the optimal strategy for Eve. In virtue of the phase-covariance,− − and in order to simplify the notations, we shall from now on omit the labels that refer to the particular bases in which the measurement is carried out (actually to particular values of φ). After substitution in Eq. (6), we get

2 1 ψk 3− 2 ψk+m Ac˜m,k l ψl B ψl+m C (18) | i→ | i − | i | i m,lX=0 2 i 2π jn wherec ˜m,j = n=0 a˜m,ne 3 .Now,ãm,n = y + δn0((v y)δm0 +(x y)(δm1 + δm2)) so that c˜ =(3yδ +(v y)δ +(x y)(δ + δ )). Therefore,− − m,j j0 P − m0 − m1 m2 2 1 ψ 3− 2 ψ (3y ψ ψ +(v y) ψ ψ )+ | ki→ {| kiA | kiB| kiC − | liB| liC Xl=0 2 ψ (3y ψ ψ +(x y) ψ ψ )+ | k+1iA | kiB| k+1iC − | liB| l+1iC Xl=0 2 ψk 1 A(3y ψk B ψk 1 C +(x y) ψl B ψl 1 C ) (19) | − i | i | − i − | i | − i } Xl=0 After Alice (or Bob)’s measurement basis is disclosed, Eve’s optimal strategy can be shown [5] to be the following: first she measures both her copy B and the cloning machine C in the same basis as Bob, the difference (modulo 3) of the outcomes simply giving Bob’s error m.

5 Conditionally on Eve’s measured value of m (i.e., conditionally on Bob’s error), this information can be expressed as

(v +2y)2 (v y)2 (v y)2 I(A:E m =0)=log(3) H , − , − | − " 3FA 3FA 3FA # 2(x +2y)2 2(x y)2 2(x y)2 I(A:E m =0)=log(3) H , − , − (20) | 6 − " 3(1 F ) 3(1 F ) 3(1 F )# − A − A − A In average we get that

I = F I(A:E m =0)+(1 F ) I(A:E m = 0) (21) AE A | − A | 6 Of course, one also has

1 FA 1 FA IAB =log(3) H FA, − , − (22) − 2 2 We now use a theorem due to Csiszár and Körner[16], which provides a lower bound on the secret key rate, that is, the rate R at which Alice and Bob can generate secret key bits via privacy amplification: if Alice, Bob and Eve share many independent realizations of a probability distribution p(a, b, e), then there exists a protocol that generates a number of key bits per realization satisfying R max(I I ,I I ) (23) ≥ AB − AE AB − BE In our case, IAE = IBE; it is therefore sufficient that IAB >IAE in order to establish a secret key with a non-zero rate. If we restrict ourselves to one-way communication on the classical channel, this actually is also a necessary condition. Consequently, the quantum cryptographic protocol above ceases to generate secret key bits precisely at the point where Eve’s information attains Bob’s information. For the optimal cloner, we need to evaluate what is the maximal fidelity FA (minimal error rate) for which a cloning machine exists such that IAE >IAB. In contrast with the case of the phase-covariant qubit cloning machine[7], the problem must thr. be solved numerically. Numerically, we obtain that this point is at FA 0, 7733, actually the same result as for the universal cloning machine, the one that clones equivalently' all the qutrit bases[5]. This result clearly shows that the 3DEB protocol is more robust than its qubit counterpart against optimal incoherent attacks, since the optimal qubit phase-covariant cloning machine has the fidelity F thr. = 1 + 1 0.854 [7, 1, 11]. A 2 √8 '

4 Conclusions

The Ekert91 protocol and its qutrit counterpart, the 3DEB protocol, involve bases of encryption for which the violation of “local realism” is maximal (i.e., the maximally non-local bases). Thanks to the presence of perfect correlations, Alice and Bob can communicate key information to each other with non-zero probability. After a sequence of measurement is performed on each member of a sequence of maximally-entangled qutrit pairs, Alice and Bob can reveal on a public channel what were their respective choices of basis and identify which trit was correctly transmitted. They can use the rest of the data in order to check that it does not admit a local realistic simulation, as in Ekert’s original scheme[20]. For instance they can check that

6 their correlations violate generalised Bell or CHSH inequalities. As the resistance of non- locality against noise is maximal when the maximally-entangled qutrit pair is measured in the maximally non-local qutrit bases (and is higher than all what can be achieved with qubits), the 3DEB protocol is optimal from the point of view of the survivance of non-local correlations in a noisy environment. Actually, it is easy to show that the violation of generalised Bell inequalities is guaranteed provided[12, 15] that the fidelity FA that characterizes the communication channel between Alice and Bob (detectors included: 1-FA is the effective error rate in the transmission) is larger than 2 6√3 9 + 1 0 797 (instead of 1 + 1 0 854 in the case of qubits[13, 14, 21]). Note that 3 2− 3 , 2 √8 . when this violation≈ occurs, the security of the' protocol against individual attacks is necessarily guaranteed, in virtue of the results established at the end of the Section 3.. Therefore, the violation of Bell inequalities is thus a sufficient condition for security, as it implies that Bob’s fidelity is higher than the security threshold. For qubits, this sufficient condition was also necessary[21]. In addition, the violation of Bell inequalities guarantees that the 3DEB protocol is protected against so-called Trojan horse attacks during which the eavesdropper would control the whole transmission line, and replace the signal by a fake, predetermined, signal that mimicks the quantum correlations. Such an attack can be thwarted when the signal is encrypted in the maximally non-local bases provided the noise level is low enough so that no such local realistic simulation of the signal does exist, and provided Alice and Bob perform their respective choices of bases independently and quickly enough[19] in order that their measurements are distinct events, separated by a negative Minkoskian distance (spacelike vector). Note that it is easy to show that all the protocols in which mutually conjugate bases only are involved but with no entanglement (such as the BB84[4], the 6-state[8, 1] and 12-state[2] protocols) admit a local realistic model, so that they are not secure against Trojan horse attacks. In summary, our analysis confirms a seemingly general property that qutrit schemes for quantum key distribution are generally more robust against noise and more safe than the corresponding qubit schemes. Note: After completion of this work, a related and independent paper on a similar topic has been posted on the quant-ph preprint server [23]. The approach was different in the following sense: in our approach, we assume that Eve clones the state of the qutrit that is sent to Bob according to Eq. 6, which is not the most general possible transformation, and then we impose covariance in order to fix the parameters am,n. In [23], a more general transformation is postulated from the beginning, but extra-constraints are imposed. We checked that our (optimalised) cloning machine satisfies these constraints. Nevertheless, a small discrepancy thr. thr. remains between our results and theirs (we obtain: FA 0, 7733, and they obtain: FA 2 1 ' ' 3 0, 6629 + 3 0, 7753). This discrepancy could be due to numerical approximations or to an implicit· hypothesis' of existence in their case that is not necessarily fulfilled by realistic clonong machines. Our approach being constructive, we obtain directly an explicit form for the cloning machine which is not the case in conventional approaches. Acknowledgment T.D. is a Postdoctoral Fellow of the Fonds voor Wetenschappelijke Onderzoek, Vlaanderen. N.C. acknowledges funding by the European Union under the project EQUIP (IST-FET pro- gramme).

7 References

[1] H. Bechmann-Pasquinucci, and N. Gisin, Phys. Rev. A 59, 4238 (1999). [2] H. Bechmann-Pasquinucci, and A. Peres, Phys. Rev. Lett. 85, 3313 (2000). [3] J.S. Bell, Physics 1, 195 (1965). [4] C. H. Bennett, and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984) p. 175. [5] M. Bourennane, A. Karlsson, and G. Björk, Phys. Rev. A 64, 052313 (2001); M. Bouren- nane, A. Karlsson, G. Björk, N. Gisin, and N. J. Cerf, e-print quant-ph/0106049; N. J. Cerf,M.Bourennane,A.Karlsson,andN.Gisin,Phys.Rev.Lett.88, 127902 (2002). [6] D. Bruss, Phys. Rev. Lett. 81, 3018 (1998). [7]C.Fuchs,N.Gisin,R.Griffiths,C-S.NiuandA.Peres,Phys.Rev.A56, 1163 (1997), D. Bruss, M. Cinchetti, G. M. D’Ariano, and C. Macchiavello, Phys. Rev. A 62 012302 (2000). [8] D. Bruss, Phys. Rev. Lett. 81, 3018 (1998). [9] N. J. Cerf, Acta Phys. Slov. 48, 115 (1998); special issue on quantum information. [10]N.J.Cerf,J.Mod.Opt.47, 187 (2000); special issue on quantum information. [11] N. J. Cerf, T. Durt, and N. Gisin, quant-ph/0110092; J. Mod. Opt, in press (2002); special issue on quantum information. [12] J.-L. Chen, D. Kaszlikowski, L.C. Kwek, M. Zukowski and C.H. Oh, quant-ph/0103099 [13] B.S. Cirel’son, Lett. Math. Phys. 4 (1980) 93. [14] J.F. Clauser, M.A. Horne, A. Shimony and R.A. Holt, Phys. Rev. Lett. 23, 880 (1969). [15] D. Collins, N. Gisin, N. Linden, S. Massar, S. Popescu, Phys. Rev. Lett. 88, 040404 (2002). [16] I. Csiszár, and J. Körner, IEEE Trans. Inf. Theory 24, 339 (1978). [17] T. Durt, D. Kaszlikowski and M. Zukowski, Phys. Rev. A 64, 024101 (2000). [18] T. Durt, D. Kaszlikowski and M. Zukowski, private communication (2000). [19] T. Durt, Phys. Rev. Lett. 86, 1392 (2001). [20] A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991). [21] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002). [22] D. Kaszlikowski, P. Gnacinski, M. Zukowski, A. Zeilinger and W. Miklaszewski, Phys. Rev. Lett. 85, 4418 (2000). [23] D. Kaszlikowski, K. Chang, D. Kuan Li Oi, L. C. Kwek, C. H. Oh, e-print quant- ph/0206170.