Quantum Information Processing manuscript No. (will be inserted by the editor)
Qutrit-based semi-quantum key distribution protocol
Hasnaa Hajji · Morad El Baz
the date of receipt and acceptance should be inserted later
Abstract This article provides the unconditional security of a semi quantum key distribution (SQKD) protocol based on 3-dimensional quantum states. By deriving a lower bound for the key rate, in the asymptotic scenario, as a function of the quantum channel’s noise, we find that this protocol has improved secret key rate with much more tolerance for noise compared to the previous 2-dimensional SQKD protocol. Our results highlight that, similar to the fully quantum key distribution protocol, increasing the dimension of the system can increase the noise tolerance in the semi-quantum key distribution, as well. Keywords Quantum cryptography, Semi-Quantum key distribution, Qutrit, Security analysis.
1 Introduction
In 2007 Boyer [1] suggested a semi quantum key distribution protocol (SQKD) which enables two parties to establish a secret and secure key using principles of quantum mechanics. In this scheme, Alice, the sender of the quantum√ information, transmits quantum bits in the computation basis {|0i, |1i} or the conjugate basis, {|±i = 1/ 2(|0i ± |1i} to, Bob, the receiver, who is restricted to performing one of two operations:
– Measure and Resend: measuring the received qubits in the computation basis and resending his result to Alice. (i.e Bob will generate the state he measured and resends it towards Alice) – Reflect: Ignoring the quantum bit and reflecting it back to Alice, learning nothing about its state in the process. Since Bob is limited to the above operations, he is typically referred to as a classical user. SQKD protocols require a two-way quantum communication channel, which allows a quantum bit to travel from Alice to Bob and then back. This gives, Eve, the attacker, two opportunities to interact with the quantum bit, thus substantially increasing the complexity of the security analysis. For this reason, up until 2015, most security proofs for SQKD protocols focused on the notion of robustness(see [1],[2],[3],[4],[5],[6],[7],[10]). In 2015, Krawec [11] gave the proof of the unconditional security of Boyer’s original SQKD protocol. Then, in 2017, arXiv:2101.02583v1 [quant-ph] 7 Jan 2021 Krawec [13] also proved that a SQKD protocol can tolerate the same noise level as the fully quantum BB84 protocol. Besides, in 2016 Zhang et al. demonstrated the unconditional security of the SQKD protocol using less than four quantum states[12]. Due to the interesting features of the semi-quantum protocols, researchers have shown great enthusiasm on it and absorbed it into traditional quantum cryptography tasks such as secret sharing [17,19,18], private comparison [20,21,22], and direct communication [14,15,16]. All these works have been carried out based on two level systems: qubits, as the fundamental unit of quantum information. Independently of this, high dimensional systems (qudits) have attracted much attention with many the- oretical proposals and experimental realizations [33]. They offer advantages ranging from withstanding high channel noise levels, to possible implementation in the fundamental tests of quantum mechanics. As a result of the dimension increase, quantum computing and quantum information processing in general, gets more efficient
ESMaR, Faculty of Sciences, Mohammed V University in Rabat, Morocco. E-mail: hasnaa [email protected] · [email protected] 2 Hasnaa Hajji, Morad El Baz with qudits, as one can achieve the same computational dimension employing fewer qudits [34]. High dimen- sional quantum key distribution was introduced [28], realized experimentally [31] and was shown to increase the channel capacity and thus the key generation rate [32]. This paper introduces a generalized scheme of the SQKD protocol from [1] based on the use of three-dimensional quantum states: qutrits. The use of qurtits, the simplest system capable of exhibiting quantum contextuality [33], has been proven to carry more information and have greater resistance to noise than qubits. Encouraged by this, we use the technique developed in [11] to produce an expression for the key rate of this protocol, in the asymptotic scenario, as a function of the quantum channel’s noise. The rest of the paper is organized as follows: the next section, introduces some preliminaries about SQKD. Section 3 describes the SQKD protocol using qutrits as information carriers. Section 4 presents a security analysis of our proposal while results and discussions are given in section 5. A conclusion with some perspectives are given at the end of the paper.
2 Preliminaries
In this section we present some notations and definitions that will be used throughout the paper.
2.1 Entropy of the shared states:
Let ρ be a density operator, i.e. a Hermitian positive semi-definite operator of unit trace, acting on some finite dimensional Hilbert space H. If ρ is acting on a bipartite space HA ⊗ HB, we often write it as ρAB; in this case, ρB means the reduced density matrix resulting from tracing out over subsystem A i.e. the partial trace: ρB = trAρAB. S(AB) denotes the von Neumann entropy of ρAB:
X S(AB) = S(ρAB) = −tr (ρAB log3 ρAB) = − λi log3 λi (1) i where the λi’s are the eigenvalues of ρAB. Note that, since our protocol is based on qutrits, we use the base three logarithm instead of base two, as is customary the case, when dealing with qubits. Similarly, S(B) denotes the von Neumann entropy of ρB. We also write S(A|B) to mean the conditional von Neumann entropy [30], namely
S(A|B) = S(AB) − S(B) = S(ρAB) − S(ρB). (2)
We use H(p1, p2, . . . , pn) to represent the classical Shannon entropy of the probability distribution {p1, p2, . . . , pn}: P H(p1, p2, . . . , pn) = − i pi log pi. Unless otherwise specified all logarithms in this paper are base three.
Lemma 1 Given a finite dimensional Hilbert space H = HC ⊗ HE, let {|1iC ,..., |niC } be an orthonormal basis of HC . Consider the following density operator acting on H:
n X (j) ρ = pj|jihj|C ⊗ σE , (3) j=1
P (i) where pi = 1, pi ≥ 0, and each σE is a Hermitian positive semi-definite operator of unit trace acting on HE. Then the von Neumann entropy of ρ is
n X (i) S(ρ) = H(p1, p2, . . . , pn) + pjS(σE ). (4) j=1
For a proof of this Lemma, one may refer to the book [30]. Qutrit-based semi-quantum key distribution protocol 3
Fig. 1 A symmetric ternary channel, where a trit i from the input X has a probability p to be flipped into trit j in the output Y (i 6= j = 0, 1, 2).
2.2 Qutrit bases:
Let {|0i, |1i, |2i} be the unit vectors of the basis A of a three dimensional Hilbert space (the state space of a qutrit system). Alternative choices of bases would be the T basis, given by vectors {|00i, |10i, |20i}:
0 1 2iπ |0 i = √ (e 3 |0i + |1i + |2i), 3 0 1 2iπ |1 i = √ (|0i + e 3 |1i + |2i), (5) 3 0 1 2iπ |2 i = √ (|0i + |1i + e 3 |2i), 3
and the K basis, given by vectors {|000i, |100i, |200i}:
1 |000i = √ (|0i + |1i + |2i), 3 00 1 2iπ −2iπ |1 i = √ (|0i + e 3 |1i + e 3 |2i), (6) 3 00 1 −2iπ 2iπ |2 i = √ (|0i + e 3 |1i + e 3 |2i). 3
It is worthwhile noting that other choices of bases are possible [28], however we restrict ourselves to these two bases as they are the natural choice when extending the usual two mutually unbiased bases in qubits based protocols such as BB84 [29] or the semi-quantum ones [1]. It turns out (see section 4) that these two choices are those leading to optimal results in terms of security or key rate.
2.3 (S)QKD security
Any key distribution protocol, being quantum or semi-quantum, operates in two stages. The first, called the quantum communication stage, performs several iterations to agree on a so-called raw key of size N bits. Following this, a classical stage consisting of error correction and privacy amplification is run, resulting in a secret key of size l(N) ≤ N (see [26] for more information on these, now standard, processes). The key rate, r, in the asymptotic scenario is defined as [8,9]
l(N) r = lim . (7) N→∞ N
Based on the observed parameters, we wish to evaluate the key rate expression under a particular attack scenario. Namely, we will consider a symmetric attack modeled by a ternary channel as depicted in Fig. 1. A noisy quantum channel modeled as a ternary channel with parameter Q is simply the map :
ξ(ρ) = (1 − 3Q)ρ + QI, (8) where I is the identity operator. 4 Hasnaa Hajji, Morad El Baz
3 The Protocol
The protocol we consider in this paper is an extension of the qubit based semi-quantum key distribution (SQKD) protocol introduced in [1] to a three dimensional case (qutrits). Two natural choices (5, 6) for the two bases that Alice is allowed to use emerge as a result of working with qutrits instead of qubits; we study both versions of the protocol. Let Φ1 (respectively Φ2) be the set of six states in the bases A and T (respectively A and K) from which Alice may choose the state to send to Bob:
0 0 0 Φ1 = |0i, |1i, |2i, |0 i, |1 i, |2 i , (9) 00 00 00 Φ2 = |0i, |1i, |2i, |0 i, |1 i, |2 i . (10)
The steps of the protocol being the same, independently of the choice of bases, we present the protocol in what follows and we delay the distinction between the two cases, to the discussion of the security and the key rate in section 4, for which the choice of bases is crucial.
Fig. 2 3-dimensional SQKD protocol: The fully quantum user, Alice, prepares one of six states from the set φ1,sends it to the classical user, Bob, through the forward channel. Bob either ignores the qutrit and returns it to Alice (R) or performs a measurement on the basis A (M). Through the reverse channel, He sends the measured state to Alice who measures it in the same basis she prepared it initially (A or T basis)
Quantum Communication Stage: The quantum communication stage of the protocol repeats the following single iteration until a sufficiently large raw key is established:
1. Alice, the fully quantum capable user, randomly prepares a qutrit in a state from the set Φi, where i = 1, 2 depending on the version of the protocol adopted. This qutrit is then sent to Bob. 2. Bob, being the classical user, is restricted to randomly choosing to either reflect the qutrit (R) or to measure it in the basis A and then re-sending it in the measured state 1 (henceforward denoted operation M). In this last case, Bob saves the result of his measurement as his potential raw key. However he does not, yet, reveal his choice of operation (R or M). 3. Upon receiving her qutrit back from Bob, Alice will measure it in the same basis she originally used to prepare it in, in step 1. Classical Communication Stage: 4. Using an authenticated classical channel, Alice reveals her choice of basis while Bob reveals his choice of operation (M or R). – If Alice chose the A basis to encode her qutrit and Bob chose to measure and resend it (M), they keep their respective results to form their respective version of the raw key. – Using a randomly chosen sample of this raw key, Alice and Bob divulge their measurement results to estimate the noise level in the channel. They may also observe the noise in the K or T (depending on the set chosen for the protocol Φ1 or Φ2) using those iterations where Alice chose to encode her qutrit in the K or a T basis, respectively, while Bob chose to reflect it. 5. Assuming the channel noise is low enough, Alice and Bob perform error correction and privacy amplification, resulting in a secret key.
1 Bob’s qualification as a classical user stems from his inability to use (measure and/or prepare states in) more than one basis, unlike Alice, the fully quantum user, capable of using both the A and K bases (or the A and T bases, based on the version of the protocol adopted). Qutrit-based semi-quantum key distribution protocol 5
4 Security proof against collective attacks
The security of (S)QKD protocols against sophisticated attacks is among the most important issues in quantum information theory. In this section we prove the security of our protocol against a very important class of attacks called collective attacks. In conjunction with that, we bound the von Neumann entropy and the key rate. The final results depend on the choice of the alternative basis Alice uses to encode her qubits, the K or T basis. Both cases will be treated and compared.
4.1 Collective attacks
In collective attacks Eve keeps her ancillary states (or probes) in a quantum memory till receiving all classical data including error-correction and privacy amplification data, and performs the optimal measurement on her ancillary states (or probes) to learn the maximal information on the final key. Assuming collective attacks, we may employ the Devetak-Winter [8] key rate equation:
r = inf[S(B|E) − H(B|A)], (11) which states that the key rate is the difference between Eve’s uncertainty on Bob’s raw key, S(B|E) (which, for a successful protocol, should be high) and Alice’s uncertainty of Bob’s key, H(B|A) (which should be low). The infimum is over all collective attacks that induce the observed error rates. From this, our main focus in this work is to determine a lower bound on our protocol’s key rate. To do so, we will first describe the quantum system after one successful iteration of the protocol. As is generally the case with the security analysis of any (S)QKD protocol, we assume that Eve is powerful enough to control the natural noise and without loss of generality, we may assume that her ancilla is in some initial state |0iE. Eve’s most general attack comprises two unitary operations: UF attacking qutrits as they go from Alice to Bob (the forward direction) and UR as they go back from Bob to Alice (the reverse direction). So in the collective attack, the state |ai ⊗ |0iE, where |ai is the qutrit’ state sent by Alice to Bob, will be subjected, in the forward channel, to Eve’s unitary transformation operators UF and will yield
UF |0i ⊗ |0iE −−→|0, e0i + |1, e1i + |2, e2i,
UF |1i ⊗ |0iE −−→|0, e3i + |1, e4i + |2, e5i, (12)
UF |2i ⊗ |0iE −−→|0, e6i + |1, e7i + |2, e8i.
On the backward channel, Bob’s qutrit state will be altered by the operation UR and will yield the final global state as follows
UR 0 1 2 |i, eji −−→|0, ei,ji + |1, ei,ji + |2, ei,ji, (13)
k where i = 0, 1, 2, j = 0, 1,..., 8. The vectors |eii and |ei,ji are Eve’s ancillary states, not necessarily normalized nor orthogonal, after the attack on the forward channel and reverse channel respectively. However, due to the unitarity of UF and UR we have
he0|e0i + he1|e1i + he2|e2i = he3|e3i + he4|e4i + he5|e5i = he6|e6i + he7|e7i + he8|e8i = 1, (14)
he0|e3i + he1|e4i + he2|e5i = he3|e6i + he4|e7i + he5|e8i = he0|e6i + he1|e7i + he2|e8i = 0. (15)
Following Eve’s attack, and conditioning on an iteration being used to contribute towards the raw key (i.e Alice sent |0i , |1i or |2i with probability 1/3 each and Bob measured it and resent it), the density operator 6 Hasnaa Hajji, Morad El Baz
describing Bob and Eve’s system after Alice’s measurement is 1 ρ = |0ih0| ⊗ |e0 ihe0 | + |e1 ihe1 | + |e2 ihe2 | + |e0 ihe0 | BE 3 B 0,0 0,0 0,0 0,0 0,0 0,0 0,3 0,3 1 1 2 2 0 0 1 1 2 2 + |e0,3ihe0,3| + |e0,3ihe0,3| + |e0,6ihe0,6| + |e0,6ihe0,6| + |e0,6ihe0,6| 1 + |1ih1| ⊗ |e0 ihe0 | + |e1 ihe1 | + |e2 ihe2 | + |e0 ihe0 | 3 B 1,1 1,1 1,1 1,1 1,1 1,1 1,4 1,4 1 1 2 2 0 0 1 1 2 2 + |e1,4ihe1,4| + |e1,4ihe1,4| + |e1,7ihe1,7| + |e1,7ihe1,7| + |e1,7ihe1,7| 1 + |2ih2| ⊗ |e0 ihe0 | + |e1 ihe1 | + |e2 ihe2 | + |e0 ihe0 | 3 B 2,2 2,2 2,2 2,2 2,2 2,2 2,5 2,5 1 1 2 2 0 0 1 1 2 2 + |e2,5ihe2,5| + |e2,5ihe2,5| + |e2,8ihe2,8| + |e2,8ihe2,8| + |e2,8ihe2,8| . (16)
This state will be used next, to bound the von Neumann entropy in equation (11).
4.2 Bounding the von Neumann entropy
Our goal in the remainder of the security proof is to bound the von Neumann Entropy S(B|E). However, due to the higher dimension of the system, this might prove to be a difficult task. To overcome this, we will employ a technique proposed in [27] and also used in [11]. This technique requires to condition on an additional random variable C, in order to simplify the entropy computations. Owing to the strong sub-additivity of the von Neumann entropy, for any tripartite system, it holds that
S(B|E) ≥ S(B|EC) =⇒ S(B|E) − H(B|A) ≥ S(B|EC) − H(B|A), (17) thus supplying us with a lower bound on the key rate of this protocol. The system, c, we append will be in a four-dimensional space, spanned by {|c, 0i, |c, 1i, |w, 1i, |w, 2i} where |c, iihc, i| is the event that Alice and Bob’s raw key bits match (i.e. are correct), and that the qutrit sent from Alice was flipped i times, while |w, iihw, i| denotes the event where their raw key bits don’t match (i.e. are wrong). Incorporating this system, we can rewrite the global state system (16) as 1 ρ = |0ih0| ⊗ (|e0 ihe0 | ⊗ |c, 0ihc, 0| + |e1 ihe1 | ⊗ |w, 1ihw, 1| + |e2 ihe2 | ⊗ |w, 1ihw, 1| BEC 3 B 0,0 0,0 0,0 0,0 0,0 0,0 0 0 1 1 2 2 + |e0,3ihe0,3| ⊗ |c, 1ihc, 1| + |e0,3ihe0,3| ⊗ |w, 2ihw, 2| + |e0,3ihe0,3| ⊗ |w, 2ihw, 2| 0 0 1 1 2 2 + |e0,6ihe0,6| ⊗ |c, 1ihc, 1| + |e0,6ihe0,6| ⊗ |w, 2ihw, 2| + |e0,6ihe0,6| ⊗ |w, 2ihw, 2|) 1 + |1ih1| ⊗ (|e0 ihe0 | ⊗ |w, 2ihw, 2| + |e1 ihe1 | ⊗ |c, 1ihc, 1| + |e2 ihe2 | ⊗ |w, 2ihw, 2| 3 B 1,1 1,1 1,1 1,1 1,1 1,1 0 0 1 1 2 2 + |e1,4ihe1,4| ⊗ |w, 1ihw, 1| + |e1,4ihe1,4| ⊗ |c, 0ihc, 0| + |e1,4ihe1,4| ⊗ |w, 1ihw, 1| 0 0 1 1 2 2 + |e1,7ihe1,7| ⊗ |w, 2ihw, 2| + |e1,7ihe1,7| ⊗ |c, 1ihc, 1| + |e1,7ihe1,7| ⊗ |w, 2ihw, 2|) 1 + |2ih2| ⊗ (|e0 ihe0 | ⊗ |w, 2ihw, 2| + |e1 ihe1 | ⊗ |w, 2ihw, 2| + |e2 ihe2 | ⊗ |c, 1ihc, 1| 3 B 2,2 2,2 2,2 2,2 2,2 2,2 0 0 1 1 2 2 + |e2,5ihe2,5| ⊗ |w, 2ihw, 2| + |e2,5ihe2,5| ⊗ |w, 2ihw, 2| + |e2,5ihe2,5| ⊗ |c, 1ihc, 1| 0 0 1 1 2 2 + |e2,8ihe2,8| ⊗ |w, 1ihw, 1| + |e2,8ihe2,8| ⊗ |w, 1ihw, 1| + |e2,8ihe2,8| ⊗ |c, 0ihc, 0|). (18)
Let pi,j,k denote the probability that Alice initially sends the state |ii, Bob finds the results |ji when measuring it and Alice finds |ki when measuring the qutrit returned by Bob. If there is no noise in the A basis (which is what we are going to assume for now), it should hold that p0,0,0 = p1,1,1 = p2,2,2 = 1. These a a probabilities can be used to estimate the value heb,c|eb,ci as follows:
0 0 0 0 0 0 p0,0,0 = he0,0|e0,0i p1,0,0 = he0,3|e0,3i p2,0,0 = he0,6|e0,6i
1 1 1 1 1 1 p0,0,1 = he0,0|e0,0i p1,0,1 = he0,3|e0,3i p2,0,1 = he0,6|e0,6i 2 2 2 2 2 2 p0,0,2 = he0,0|e0,0i p1,0,2 = he0,3|e0,3i p2,0,2 = he0,6|e0,6i Qutrit-based semi-quantum key distribution protocol 7
0 0 0 0 0 0 p0,1,0 = he1,1|e1,1i p1,1,0 = he1,4|e1,4i p2,1,0 = he1,7|e1,7i
1 1 1 1 1 1 p0,1,1 = he1,1|e1,1i p1,1,1 = he1,4|e1,4i p2,1,1 = he1,7|e1,7i
2 2 2 2 2 2 p0,1,2 = he1,1|e1,1i p1,1,2 = he1,4|e1,4i p2,1,2 = he1,7|e1,7i
0 0 0 0 0 0 p0,2,0 = he2,2|e2,2i p1,2,0 = he2,5|e2,5i p2,2,0 = he2,8|e2,8i
1 1 1 1 1 1 p0,2,1 = he2,2|e2,2i p1,2,1 = he2,5|e2,5i p2,2,1 = he2,8|e2,8i
2 2 2 2 2 2 p0,2,2 = he2,2|e2,2i p1,2,2 = he2,5|e2,5i p2,2,2 = he2,8|e2,8i. (19)
Given ρBEC , we may easily compute S(B|EC) = S(BEC) − S(EC) now using the above notations. Indeed, it is easy to see that
1 1 1 S(BEC) = S(ρ ) = H( p , p , ..., p ). (20) BEC 3 0,0,0 3 0,0,1 3 2,2,2 Next, to compute S(EC), let us introduce the following notations
0 0 1 1 2 2 σ1 = |e0,0ihe0,0| + |e1,4ihe1,4| + |e2,8ihe2,8| 0 0 0 0 1 1 1 1 2 2 2 2 σ2 = |e0,3ihe0,3| + |e0,6ihe0,6| + |e1,1ihe1,1| + |e1,7ihe1,7| + |e2,2ihe2,2| + |e2,5ihe2,5| 1 1 2 2 0 0 2 2 0 0 1 1 σ3 = |e0,0ihe0,0| + |e0,0ihe0,0| + |e1,4ihe1,4| + |e1,4ihe1,4| + |e2,8ihe2,8| + |e2,8ihe2,8| 1 1 2 2 1 1 2 2 0 0 2 2 σ4 = |e0,3ihe0,3| + |e0,3ihe0,3| + |e0,6ihe0,6| + |e0,6ihe0,6| + |e1,1ihe1,1| + |e1,1ihe1,1| 0 0 2 2 0 0 1 1 0 0 1 1 +|e1,7ihe1,7| + |e1,7ihe1,7| + |e2,2ihe2,2| + |e2,2ihe2,2| + |e2,5ihe2,5| + |e2,5ihe2,5| (21)
Furthermore, we define tj = trσj > 0, for all j = 1, 2, 3, 4 with t1 representing the total probability that there is no error between Alice and Bob in both channels (forward and backward), t2 the total probability that there is an error in the forward channel, t3 the total probability that there is an error in the backward channel and t4 is the total probability that there is an error in both channels (forward and backward). We can write the normalized, positive, semi-definite operators now asσ ˜j = σj/tj. Using this notations, tracing out Bob’s state from the density operator ρBEC in (18) yields 1 1 1 1 ρ = ( t σ˜ ) ⊗ |c, 0ihc, 0| + ( t σ˜ ) ⊗ |c, 1ihc, 1| + ( t σ˜ ) ⊗ |w, 1ihw, 1| + ( t σ˜ ) ⊗ |w, 2ihw, 2|. (22) EC 3 1 1 3 2 2 3 3 3 3 4 4
Applying Lemma 1 at this point will allow us to write S(EC) as
4 1 1 1 X S(EC) = S(ρ ) = H( t , ..., t ) + t S(σ ˜ ). (23) EC 3 1 3 4 3 j j j=1
A lower bound on the key rate equation (11), requires an upper bound on S(EC), which we can find easily using (23): 1 1 1 1 1 1 S(EC) ≤ H t , t , t , t + (t + t + t ) + t S(σ ˜ ). (24) 3 1 3 2 3 3 3 4 3 2 3 4 3 1 1
Evidently if the noise of the quantum channel is low, then pi,j,k should be low except for p0,0,0, p1,1,1 and p2,2,2 that should be high. Next we introduce a new basis {|ai, |bi, |ci} and without loss of generality, we write
0 |e0,0i = χ|ai + σ|bi + ρ|ci, 1 √ |e1,4i = p1,1,1|ci, (25) 2 √ |e2,8i = p2,2,2|ci, (26)
where ha|ai = hb|bi = hc|ci = 1, ha|bi = hb|ci = ha|ci = 0, and χ, σ, ρ ∈ C. This further implies
2 2 2 0 0 |χ| + |σ| + |ρ| = he0,0|e0,0i = p0,0,0. 8 Hasnaa Hajji, Morad El Baz
In this basis, we may writeσ ˜1 as
|χ|2 χσ∗ χρ∗ 1 ∗ 2 ∗ σ˜1 = σχ |σ| σρ . p0,0,0 + p1,1,1 + p2,2,2 ∗ ∗ 2 ρχ ρσ p1,1,1 + p2,2,2 + |ρ|
After some algebraic manipulation, the eigenvalues ofσ ˜1, denoted λ˜0, λ˜1 and λ˜2 can be found:
λ˜0 = 0, (27)
q 2 2 2 1 4p + p0,0,0 − 2p0,0,0p1,1,1 + p1,1,1 − 2p0,0,0p2,2,2 − 2p1,1,1p2,2,2 + p2,2,2 λ˜1 = + , (28) 2 2(p0,0,0 + p1,1,1 + p2,2,2) q 2 2 2 1 4p + p0,0,0 − 2p0,0,0p1,1,1 + p1,1,1 − 2p0,0,0p2,2,2 − 2p1,1,1p2,2,2 + p2,2,2 λ˜2 = − , (29) 2 2(p0,0,0 + p1,1,1 + p2,2,2)