0712:0712.4247/analysis.tex

1: \chapter{Analysis and Results}

2: \label{ch:analysis}

3:

4: This chapter describes in detail our proposed amendment to the BB84 protocol. The purpose of the modification is to yield Alice and Bob advantage against an eavesdropper in terms of mutual information. As a demonstration of the idea behind the modification, we present an analysis of the difficulty of approximating an entangled state of two qubits with two product-state qubits. As our main result, we give explicit bounds on the information of an eavesdropper employing an intercept-resend attack against our protocol as a function of the qubit error rate. We also discuss a special kind of attack against this protocol, one in which Eve recreates destroyed entanglement using EPR pairs.

5: %In addition, we compare the gained advantage to other variations of the BB84 protocol, and discuss the applicability and implementation of our proposed modification.

6:

7: \section{Proposed modification to the BB84 protocol}

8: \label{sec:propmod}

9:

10: We analyze a protocol based on the BB84 protocol. Our protocol differs from the original one in the following:

11: \begin{enumerate}

12: \item Prior to the key distribution, Alice and Bob publicly agree on an $N$-qubit unitary transformation $U\!:\mathcal{H}^N \to \mathcal{H}^N$.

13: \item Alice's actions differ from BB84 such that she

14: \label{item:alicediffer}

15: 	\begin{enumerate}

16: 	\item \label{item:apost1} postpones her transmissions\footnote{Postponing the processing of existing qubits in items \ref{item:alicediffer}(a), \ref{item:alicediffer}(c), and \ref{item:bobdiffer}(a) requires that Alice and Bob employ short-term quantum memory.} until she has generated $N$ qubits to transmit,

17: 	\item then applies $U$ to the qubits, and

18: 	\item \label{item:apost2} transmits them one at a time, always waiting for Bob to acknowledge the reception of the previous qubit before sending the next one.

19: 	\end{enumerate}

20: \item Bob's actions differ from BB84 such that he

21: \label{item:bobdiffer}

22: 	\begin{enumerate}

23: 	\item \label{item:bpost} postpones his measurements until $N$ qubits have arrived,

24: 	\item immediately acknowledges each received qubit to Alice, and

25: 	\item having received a sequence of $N$ qubits, applies $U^{-1} = U^{\dagger}$ to the qubits and measures them exactly as in BB84.

26: 	\end{enumerate}

27: \end{enumerate}

28:

29: The transformation $U$ can be viewed as an extension or a plug-in to the BB84 protocol. Without Eve's interference, the use of $U$ and $U^{-1}$ is fully transparent from Alice's and Bob's point of view. Note that Eve is fully aware of $U$, since it is announced in public. Because Bob acknowledges every arrived qubit, Eve has only one-by-one access to the particles of the $N$-qubit state. The transformation is

30: \begin{equation}

31: U (|a_1\rangle\otimes|a_2\rangle\otimes\cdots\otimes|a_N\rangle) = |\psi_{a_1,a_2,\ldots,a_N}\rangle \; ,

32: \end{equation}

33: where $|a_i\rangle$ are the states of the original BB84 protocol, i.e., $|a_i\rangle \in \{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$. In our modified protocol, Alice sends the qubits of the state $|\psi_{a_1,a_2,\ldots,a_N}\rangle$ to Bob one at a time.

34:

35: If $U$ is of the form

36: \begin{equation}

37: \label{eq:udekompo}

38: U = U_1\otimes U_2\otimes \cdots\otimes U_N \; ,

39: \end{equation}

40: where $U_j$ are single-qubit gates, i.e, $U_j\!:\mathbb{C}^2 \to \mathbb{C}^2$ for $j \in \{1,2,\ldots,N\}$, then

41: \begin{eqnarray}

42: U (|a_1\rangle\otimes|a_2\rangle\otimes\cdots\otimes|a_N\rangle)	& =	& (U_1\otimes U_2\otimes \cdots\otimes U_N) (|a_1\rangle\otimes|a_2\rangle\otimes\cdots\otimes|a_N\rangle) \nonumber \\

43: 																									& =	& U_1|a_1\rangle \otimes U_2 |a_2\rangle \otimes \cdots \otimes U_N |a_N\rangle \nonumber \\

44: 																									& =	& |\psi_{a_1}\rangle \otimes |\psi_{a_2}\rangle \otimes \cdots \otimes |\psi_{a_N}\rangle \label{eq:uprodstate} \; .

45: \end{eqnarray}

46: In other words, if $U$ is decomposable to single-qubit gates, the transmitted $N$-qubit state is a product state. Given the product state, Eve can perfectly undo $U$, attack the individual unentangled qubits, and reconstruct the transmitted state by using the single-qubit gates $U_j^{\dagger}$ and $U_j$. Therefore, Alice and Bob should choose $U$ such that it produces an entangled $N$-qubit state. This implies

47: \begin{equation}

48: U \neq U_1\otimes U_2\otimes \cdots\otimes U_N \; .

49: \end{equation}

50: That is, by using a non-local $U$, Alice and Bob utilize entanglement to prohibit Eve from fully accessing the transmitted qubits. In the following sections we restrict our analysis to the case $N=2$.

51:

52: %\small{Tarkka ja formaali selitys meidan protokollasta.}

53: %\small{Vahan siita miten entanglementti on se oleellinen juttu tassa tyossa.}

54:

55:

56: \section{Product-state approximation of an entangled qubit pair}

57:

58: To demonstrate the underlying idea in using an entangling $N$-qubit gate in BB84, we perform an analysis on how closely an entangled two-qubit state can be approximated with two product-state qubits. This analysis shows that even if perfect cloning of quantum states was possible, the protocol poses an inherent limitation for Eve.

59:

60: Assume that Eve constructs the state

61: \begin{equation}

62: \bigotimes_{i=1}^N |\psi_i\rangle \; , \quad |\psi_i\rangle \in \mathbb{C}^2 = \mathcal{H}^1 \; , \left|\left||\psi_i\rangle\right|\right|=1 \; ,

63: \end{equation}

64: in an attempt to approximate a normalized state $|\psi\rangle \in \mathbb{C}^{2^N} = \mathcal{H}^N$ being transmitted one qubit at a time from Alice to Bob. Eve tries to minimize the error in this approximation whereas

65: %\begin{equation}

66: %E_{min} = \min_{\{|\psi_i\rangle\}} \big|\big||\psi\rangle - \bigotimes_{i=1}^N |\psi_i\rangle \big|\big| \; .

67: %\end{equation}

68: Alice and Bob want to maximize Eve's minimal error by choosing $|\psi\rangle$ appropriately. This maximal-minimal error is

69: \begin{equation}

70: \label{eq:emaxmin}

71: E_{\mathrm{mm}} := \max_{|\psi\rangle} \min_{\{|\psi_i\rangle\}} \Big|\Big||\psi\rangle - \bigotimes_{i=1}^N |\psi_i\rangle \Big|\Big| \; .

72: \end{equation}

73: %appropriately wiktionary

74:

75: \subsection{Theory}

76: We assume that Alice and Bob have chosen $N=2$. We write the state Alice uses as

77: \begin{equation}

78: |\psi\rangle =	\left( \begin{array}{cccc} r_{\alpha_1}e^{i\alpha_1}	& r_{\alpha_2}e^{i\alpha_2} & r_{\alpha_3}e^{i\alpha_3} & r_{\alpha_4}e^{i\alpha_4} \end{array} \right)^{\mathrm{T}} \; ,

79: \end{equation}

80: and the states Eve uses as

81: \begin{eqnarray}

82: |\psi_1\rangle	& =	& \left( \begin{array}{cc} r_{\phi_1}e^{i\phi_1}				& r_{\phi_2}e^{i\phi_2} \end{array} \right)^{\mathrm{T}} \; , \\

83: |\psi_2\rangle	& =	& \left( \begin{array}{cc} r_{\omega_1}e^{i\omega_1}	& r_{\omega_2}e^{i\omega_2} \end{array} \right)^{\mathrm{T}} \; .

84: \end{eqnarray}

85: Normalization of the state vectors implies

86: \begin{eqnarray}

87: r_{\alpha_1}^2 + r_{\alpha_2}^2 + r_{\alpha_3}^2 + r_{\alpha_4}^2		& =	& 1 \; , \\

88: r_{\phi_1}^2 + r_{\phi_2}^2																& =	& 1 \; , \\

89: r_{\omega_1}^2 + r_{\omega_2}^2													& =	& 1 \; .

90: \end{eqnarray}

91: The moduli $r_{\alpha_j}$ are conveniently parametrized by three angles $\bar{\theta} = (\theta_1,\theta_2,\theta_3)$ as the surface of a four-dimensional sphere:

92: \begin{equation}

93: \left \{

94: \begin{array}{lcl}

95: r_{\alpha_1}	& =	& \cos \theta_1 \\

96: r_{\alpha_2}	& =	& \sin \theta_1 \cos \theta_2  \\

97: r_{\alpha_3}	& =	& \sin \theta_1 \sin \theta_2 \cos \theta_3 \\

98: r_{\alpha_4}	& =	& \sin \theta_1 \sin \theta_2 \sin \theta_3 \; .

99: \end{array}

100: \right .

101: \end{equation}

102: The moduli of Eve's qubits represent two circles for which two angles $\Phi$ and $\Omega$ suffice as

103: \begin{eqnarray}

104: && r_{\phi_1} = \cos \Phi \quad \mathrm{and} \quad r_{\phi_2} = \sin \Phi \; , \\

105: && r_{\omega_1} = \cos \Omega \quad \mathrm{and} \quad r_{\omega_2} = \sin \Omega \; .

106: \end{eqnarray}

107:

108: After several simplifying steps, one obtains

109: \begin{equation}

110: E_{\mathrm{mm}} = \big\{ 2[1 - \min_{\bar{\theta}, \bar{\alpha}} \max_{\Phi, \Omega, \bar{\phi}, \bar{\omega}} G(\bar{\theta}, \bar{\alpha}, \Phi, \Omega, \bar{\phi}, \bar{\omega})] \big\}^{1/2} \; ,

111: \end{equation}

112: where the complex argument parameters are gathered into vectors

113: \begin{equation}

114: \bar{\alpha} = (\alpha_1, \alpha_2, \alpha_3, \alpha_4) \; ; \quad \bar{\phi} = (\phi_1, \phi_2) \; ; \quad \bar{\omega} = (\omega_1, \omega_2) \;.

115: \end{equation}

116: The function $G$, which Eve tries to maximize and whose maximum Alice and Bob attempt to minimize, is

117: \begin{eqnarray}

118: G(\bar{\theta}, \bar{\alpha}, \Phi, \Omega, \bar{\phi}, \bar{\omega})& :=	& \cos \Phi \,[ \cos \Omega \cos(\alpha_1 - \phi_1 - \omega_1) \cos \theta_1 \nonumber\\

119: &&																									+ \sin \Omega \cos(\alpha_2 - \phi_1 - \omega_2) \sin \theta_1 \cos \theta_2] \nonumber\\

120: &&																									+ \sin \Phi \,[ \cos \Omega \cos(\alpha_3 - \phi_2 - \omega_1) \sin \theta_1 \sin \theta_2 \cos \theta_3 \nonumber\\

121: &&																									+ \sin \Omega \cos(\alpha_4 - \phi_2 - \omega_2) \sin \theta_1 \sin \theta_2 \sin \theta_3 ] \; .

122: \end{eqnarray}

123: Global bounds for the error follow from the extreme values of $G$

124: \begin{equation}

125: -1 \leq G \leq 1 \quad \Rightarrow \quad 0 \leq E_{\mathrm{mm}} \leq 2 \; .

126: \end{equation}

127:

128: Because Alice and Bob wish to maximize the norm in Eq.~(\ref{eq:emaxmin}), it is of no use to consider parameters in the set $\left\{\bar{\theta}, \bar{\alpha}\right\}$ that have no effect on the minimal value Eve is trying to achieve. We show that it is in fact sufficient to consider the maximization with three of the phases $\alpha_j$ fixed---varying them cannot increase the minimum. Firstly, the global phase of the pair $|\psi\rangle$ offers Alice and Bob no advantage, as it is directly reproduced by Eve. Secondly, Eve can apply any single-qubit gates to $|\psi_1\rangle$ and $|\psi_2\rangle$. For instance, Eve can freely choose $\beta_1,\beta_2,\beta_3 \in \mathbb{R}$ and apply the gate

129: \begin{equation}

130: e^{i \beta_0} \left( e^{i\beta_1\sigma_z} \otimes e^{i\beta_2\sigma_z} \right) = \left(\begin{array}{cccc}

131: 	e^{i(\beta_0 + \beta_1 + \beta_2)}	& 0	& 0	& 0 \\

132: 	0	& e^{i(\beta_0 + \beta_1 - \beta_2)}		& 0	& 0 \\

133: 	0	& 0	& e^{i(\beta_0 - \beta_1 + \beta_2)}		& 0 \\

134: 	0	& 0	& 0	& e^{i(\beta_0 - \beta_1 - \beta_2)} \\

135: \end{array} \right) \;

136: \end{equation}

137: to her qubit pair. The global phase shift is implemented by $\beta_0$. By choosing the $\beta_j$ as

138: \begin{equation}

139: \left\{ \begin{array}{lcl}

140: 	\beta_0 + \beta_1 + \beta_2	& =	& \alpha_1 \\

141: 	\beta_0 + \beta_1 - \beta_2	& =	& \alpha_2 \\

142: 	\beta_0 - \beta_1 + \beta_2	& =	& \alpha_3 \\

143: \end{array} \right.

144: \quad \Leftrightarrow \quad

145: \left\{ \begin{array}{lcl}

146: 	\beta_0	& =	& \frac{1}{2}\left(\alpha_2 + \alpha_3\right) \\

147: 	\beta_1	& =	& \frac{1}{2}\left(\alpha_1 - \alpha_3\right) \\

148: 	\beta_2	& =	& \frac{1}{2}\left(\alpha_1 - \alpha_2\right)

149: \end{array} \right. \; ,

150: \end{equation}

151: Eve can reproduce the phases $\alpha_1, \alpha_2, \alpha_3$ in $|\psi\rangle$. Therefore, Alice and Bob may as well fix their value. Similar reasoning can be applied to the amplitudes $r_\Delta$, which is, however, not carried out here.

152:

153: \subsection{Solution}

154:

155: Having fixed $\alpha_1 = \alpha_2 = \alpha_3 = 0$, we solve for $E_{\mathrm{mm}}$, optimizing over $\bar{\theta}, \alpha_4$ and $\Phi, \Omega, \bar{\phi}, \bar{\omega}$. We use the built-in numerical optimization function of \textit{Mathematica} version 5.1.0.0 by Wolfram Research, Inc. As with any numerical maximization or minimization method, there are no guarantees that the found optimum is the global optimum. As discussed below, however, it is likely that a global optimum is found.

156:

157: For the maximization of $G$ over Eve's parameters, we employ the \textit{RandomSearch} optimization method which generates, in this case, 100 random parameter starting points for the standard \textit{FindMinimum} function. \textit{RandomSearch} is a suitable method for maximizing $G$, since $G$ is a continuous and smooth function in all its arguments \cite{mathrs}. The minimization of this maximum is performed with the \textit{SimulatedAnnealing} method. Simulated annealing is a well-known optimization method that has similarities to the process of a physical system cooling down. First, the method randomly generates a set of starting points for the parameters. It also generates a random direction in the parameter space for each point. If moving to the selected direction satisfies the optimization goal better, the move is accepted, whereas if the move satisfies the goal worse, it is accepted with probability $p_m$. The probability $p_m$ decreases with each iteration, and also depends on how well the move satisfies the optimization goal. This procedure is repeated until the method stays at the same point for sufficiently many iterations, or until a predefined number of iterations is exceeded. Simulated annealing is a universally valid optimization method.

158:

159: \subsection{Results}

160:

161: We find that $E_{\mathrm{mm}} = 0.673$. This is achieved by choosing $\bar{\theta} = (1.228, 0.848, -0.499)$ and $\alpha_4 = 0.474$ with $\bar{\alpha} = (0,0,0,\alpha_4)$. To further confirm the result, the maximization of $G$ over Eve's parameters was also performed with the differential evolution, Nelder-Mead, and simulated annealing methods, in addition to \textit{RandomSearch}. The details of the methods are not discussed here, for more information, see, e.g., Ref.~\cite{mathrs}. Many different initial values were also tested. All these methods and all tested initial values resulted in the same maximum for $G$. Therefore, we are confident that we indeed have obtained the global maximum of $G$ for the values of $\bar{\theta}$ and $\bar{\alpha}$ given above. The optimal choice of Eve's parameters is not unique. Due to finite computing resources, no such intensive testing was applied to the more demanding minimization of the maximum of $G$ over $\bar{\theta}$ and $\bar{\alpha}$. Hence, we only state that the obtained values for $\bar{\theta}$ and $\bar{\alpha}$ are the optimal choice for Alice and Bob with high probability. That is, we settle for the confidence the simulated annealing method provides.

162:

163: The obtained optimal values for $\bar{\theta}$ and $\bar{\alpha}$ approximately correspond to the state

164: \begin{equation}

165: \label{eq:optpsi}

166: |\psi\rangle = \left( \begin{array}{cccc} 0.34	& 0.62	& 0.62 & -0.30 - 0.15i \end{array} \right)^{\mathrm{T}} \; .

167: \end{equation}

168: The best Eve can do to approximate $|\psi\rangle$ with her two unentangled qubits is to choose, for example, $\Phi = 2.365$, $\Omega = 0.797$, $\phi_1 = 1.243$, $\phi_2 = 3.034$, $\omega_1 = 2.801$, and $\omega_2 = 1.472$. This approximately corresponds to the state

169: \begin{equation}

170: |\psi_1\rangle \otimes |\psi_2\rangle = \left( \begin{array}{cccc} 0.31 + 0.39i	& 0.46 - 0.21i	& 0.44 - 0.21i	& -0.10 - 0.49i

171: 																	\end{array} \right)^{\mathrm{T}} \; .

172: \end{equation}

173: To recapitulate, if Alice and Bob provide Eve with the state in Eq.~(\ref{eq:optpsi}), it is guaranteed that the error in Eve's approximation is at least $0.673$.

174: %&& = \left( \begin{array}{cc} -0.23 - 0.68i	& -0.70 - 0.08i \end{array} \right)^{\mathrm{T}} \otimes \left( \begin{array}{cc} -0.66 + 0.23i	& 0.07 + 0.71i \end{array} \right)^{\mathrm{T}} \nonumber \\

175:

176: %\small{Siita mista puhuttiin nyt viimeksi eli miten kahdella product state -qubitilla ei paasta kuin niin ja niin lahelle mielivaltaista 2-qubittitilaa (ja Eve minimoi etaisyytta ja Alice ja Bob maksimoi).}

177:

178:

179:

180: %-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

181:

182: \section{Analysis of an intercept-resend attack}

183: In this section, we aim at answering the question: ``Assuming Eve uses the intercept-resend attack strategy, which $U$ should Alice and Bob choose?'' In the BB84 protocol, the IR attack strategy is less efficient than an optimal incoherent attack. However, it is not clear that the same holds for our augmented protocol. Moreover, if a transformation $U$ provides Alice and Bob advantage against an IR attack, it is likely that the advantage stands, at least to some extent, against more sophisticated attacks, as well.

184: %Therefore, it is well worthwhile to study how much advantage using a transformation $U$ gives Alice and Bob against an IR eavesdropper.

185:

186: \subsection{Parametrization of $U$}

187: An arbitrary two-qubit gate has 16 degrees of freedom. For Alice and Bob's purposes however, several of these are useless. Firstly, one degree of freedom arises from the global phase shift introduced by the gate. It is well known that the global phase of the qubit pair is irrelevant. We can always choose the global phase such that the determinant of the gate is $+1$. Thus we can restrict our search to the special unitary group SU(4), the members of which have $4^2 -1 = 15$ degrees of freedom.

188:

189: Following the treatment of J.\ Zhang \emph{et al.} \cite{pra67zhang}, we partition the group SU(4) into two: the subset of local gates, $\mathrm{L}_4 := \mathrm{SU(2)}\otimes\mathrm{SU(2)}$, and the subset of non-local gates, $\mathrm{NL}_4 := \mathrm{SU(4)}\backslash\mathrm{SU(2)}\otimes\mathrm{SU(2)}$. It is shown in Ref.~\cite{pra67zhang} that any $U \in \mathrm{SU(4)}$ can be decomposed as

190: \begin{eqnarray}

191: U	&=& k_2 A(c_1,c_2,c_3) k_1 \label{eq:su4decomp} \\

192: 	&=& (k_{2,1} \otimes k_{2,2}) \, \exp \left[ \frac{i}{2} \left(c_1\, \sigma_x \otimes \sigma_x + c_2\, \sigma_y \otimes \sigma_y + c_3\, \sigma_z \otimes \sigma_z\right) \right] \, (k_{1,1} \otimes k_{1,2}) \; , \nonumber

193: \end{eqnarray}

194: where $k_i \in \mathrm{L}_4$ and thus $k_{i,j} \in \mathrm{SU(2)}$ and the parameters $c_l \in [0,\pi]\,,\; l = 1,2,3$.

195:

196: %Let us represent the decomposition in Eq.~(\ref{eq:su4decomp}) as a quantum circuit.

197: Quantum circuits are a graphical way of representing quantum information processing, such as the application of a gate $k_2 A(c_1,c_2,c_3) k_1$ on two qubits. In a quantum circuit diagram, a single horizontal line represents a qubit. A double horizontal line represents a cbit. Time progresses from left to right, and an operation $O$ targeted to one or more qubits is shown as a box placed on top of the qubits involved in the operation $O$.

198: %Let a semicircle open to the left denote a projective measurement.

199:

200: \begin{figure}[hbt]

201: \vspace{5mm}

202: \begin{center}

203: \includegraphics[height=23mm]{su4decomp.eps}

204: \caption{Any $U \in \mathrm{SU(4)}$, shown left, is equal to a decomposition shown on the right. The number of degrees of freedom is shown in parentheses for each gate. }

205: \label{fig:su4decomp}

206: \end{center}

207: \end{figure}

208:

209: \begin{figure}[hbt]

210: \vspace{5mm}

211: \begin{center}

212: \includegraphics[height=23mm]{su4useful.eps}

213: \caption{A simplified gate model that is at least as useful for Alice and Bob as any other two-qubit transformation. The number of degrees of freedom is displayed in parentheses for each gate.}

214: \label{fig:su4useful}

215: \end{center}

216: \end{figure}

217:

218: Figure \ref{fig:su4decomp} shows on the right the quantum circuit of the decomposed gate $U$. The qubits $|a_1\rangle, |a_2\rangle \in \{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ generated by Alice enter the circuit from the left and depart at the right end after the application of $U$. Since we are interested in the security of this protocol, we assume that after the gate $U$ both qubits travel to Eve. Note that we do not assume that Eve necessarily does anything to either qubit. If Alice employs $k_2 = k_{2,1} \otimes k_{2,2}$, Eve can always undo and redo it perfectly with the single-qubit gates $k_{2,1}^{\dagger}$, $k_{2,2}^{\dagger}$ and $k_{2,1}$, $k_{2,2}$. Hence, $k_2$ is useless to Alice and Bob, and we may further restrict our search for a good gate $U$ to gates of the form $A(c_1, c_2, c_3) k_1$, shown in Fig.~\ref{fig:su4useful}. Thus we are left with 9 degrees of freedom for $U$.

219:

220: %t�h�n ehk� viel� 1-qubittiportin parametrisointi

221:

222: %\small{Selvennys miten mielivaltainen 2-qubittiportti dekomposoitiin 1-qubittiporteiksi ja \\yhdeksi 3:n vapausasteen 2-qubittiportiksi (J. Zhang phys rev A 67, 042313).}

223:

224: \subsection{Explicit matrices}

225: To be able to simulate the amended protocol, we have to write down the matrix for the transformation $U$ explicitly. Any single-qubit gate $k \in \mathrm{SU(2)}$ can be written as

226: \begin{equation}

227: k(a_1,a_2,a_3) = \left( \begin{array}{cc}	e^{ia_1} \cos a_2	& e^{ia_3} \sin a_2 \\

228: 															-e^{-ia_3} \sin a_2	& e^{-ia_1} \cos a_2

229: 						\end{array} \right) \; .

230: \end{equation}

231: The explicit matrix for the non-local gate $A(c_1,c_2,c_3) = \exp [i (c_1\, \sigma_x \otimes \sigma_x + c_2\, \sigma_y \otimes \sigma_y + c_3\, \sigma_z \otimes \sigma_z)/2]$ is obtained by first finding the eigensystem of the hermitian operator $B := c_1\, \sigma_x \otimes \sigma_x + c_2\, \sigma_y \otimes \sigma_y + c_3\, \sigma_z \otimes \sigma_z$ and then applying

232: \begin{equation}

233: \label{eq:spectralconseq}

234: f(B) = \sum_j f(\lambda_j) |\lambda_j\rangle\langle\lambda_j| \; ,

235: \end{equation}

236: where $\lambda_j$ are the eigenvalues and $|\lambda_j\rangle$ the corresponding eigenvectors of the hermitian operator $B$. Equation (\ref{eq:spectralconseq}) is a direct consequence of the spectral decomposition theorem and holds for any analytic function $f$. In this case, $f(\cdot) = e^{i(\cdot)/2}$. The result is

237: \begin{multline}

238: A(c_1,c_2,c_3) = \\[3mm]

239: \begin{pmatrix}	e^{ic_3/2} \cos\left(\frac{c_1-c_2}{2}\right)	& 0	& 0	& i e^{ic_3/2} \sin\left(\frac{c_1-c_2}{2}\right) 			\\

240: 											0	& e^{-ic_3/2} \cos\big(\frac{c_1+c_2}{2}\big)	& i e^{-ic_3/2} \sin\big(\frac{c_1+c_2}{2}\big)	& 0	\\

241: 											0	& i e^{-ic_3/2} \sin\big(\frac{c_1+c_2}{2}\big)	& e^{-ic_3/2} \cos\big(\frac{c_1+c_2}{2}\big)	& 0	\\

242: 											i e^{ic_3/2} \sin\big(\frac{c_1-c_2}{2}\big)	& 0	& 0	& e^{ic_3/2} \cos\big(\frac{c_1-c_2}{2}\big)

243: 						\end{pmatrix} \; .

244: \end{multline}

245:

246: \subsection{Simulation}

247: We simulate the progress of our protocol with different transformations $U$ and observe the QBER induced by Eve and Eve's mutual information on Alice's sifted key. Eve is assumed to employ the intercept-resend attack. She is allowed to choose between a projective measurement in either the $z$ or $x$ basis and not to perform any measurement individually for each of the two transmitted qubits. In the original BB84 protocol, it is clear that the $z$ and $x$ bases are the best measurement bases for Eve. In our augmented protocol, this is not necessarily true. For simplicity, however, we restrict Eve's measurements to these bases.

248:

249: \subsubsection{Preliminary remarks}

250:

251: Let $A$ denote the random variable that fully determines which pair of BB84 states $|a_1\rangle|a_2\rangle$ Alice constructs prior to the application of the non-local gate. That is, $A$ takes its values with uniform probability from the set $\{00,01,10,11,0+,0-,1+,\linebreak1-,+0,+1,-0,-1,++,+-,-+,--\}$. The physical state is obtained for each outcome $a_1a_2$ by surrounding the label with the bracket construct $|a_1a_2\rangle$. Let us re-label the outcomes with integers in the range $[0,15]$, in the order they are presented above, with the symbol $a$. For example, $a_1 = +$ and $a_2 = 1$ is expressed as $a=9$.

252:

253: Let $E$ denote the random variable that gives the joint result of Eve's measurements, and let $e$ denote the outcome of $E$. The value of $e \in \{0,1,2,3\}$ is obtained by interpreting the separate results $e_1, e_2 \in \{0,1\}$ as a binary number $e_1e_2$ with $e_2$ as the least significant bit.

254:

255: We may calculate Eve's mutual information on Alice's sifted key as her mutual information $I(A,E)$ on the random variable $A$. These two mutual informations are equal, which can be shown in exactly the same way as was done in Sec.~\ref{sec:bb84attacks} for one cbit and qubit in the original BB84 protocol. Due to the close similarities, the proof is not reproduced for the case of two cbits and qubits.

256: %Let $a$ denote the outcome of $A$, i.e., $a := a_1a_2$.

257:

258: Because of finite computing resources, we use only the non-local gate $A(c_1,c_2,c_3)$ in our simulation. It is likely that using in addition the local gate $k_1$ benefits Alice and Bob, but it is also plausible that part of this gate commutes with the gate $A$ in the sense that Eve would be able to undo $k_1$ partially with single-qubit gates. This possibility is not investigated further in this Thesis.

259:

260: Figure \ref{fig:protcirc} shows the quantum transmission phase of the protocol and the attack we simulate as a quantum circuit for one qubit pair. In practice, Eve's measurement scheme may be such that the measured qubits are demolished. In this case, she creates new physical qubits in the logical state corresponding to her measurement result. This is equivalent to performing a non-demolishing projective measurement.

261:

262: %t�h�n koko simulaation quantum circuit (even 1-qubittiportteineen?)

263: \begin{figure}[hbt]

264: \vspace{5mm}

265: \begin{center}

266: \includegraphics[width=\textwidth]{fullcircuit.eps}

267: \caption{The full quantum circuit of the proposed protocol and the attack for a qubit pair. The interleaving classical communication between Alice and Bob is not shown. The circuit is run a large number of times in each use of the protocol. The actions of each participant are enclosed in dotted boxes. A semicircle represents a projective measurement. Eve performs measurements but not necessarily on the first qubit. Symbols $e_1$ and $e_2$ denote Eve's measurement results, and $b_1$ and $b_2$ Bob's results which are assumed to contribute to the sifted key.}

268: \label{fig:protcirc}

269: \end{center}

270: \end{figure}

271:

272: The protocol is sampled over a large number of different gates $A(c_1,c_2,c_3)$. We run a numerical \emph{Mathematica} code that records $I(A,E)$ and the QBER observed by Bob for Eve's allowed measurement bases and a given gate $A$. The algorithm is presented below. The code is run with different values of the parameters $c_1,c_2,c_3$ for the gate $A$. Each $c_i$ takes values in the interval $[0,\pi]$ with $\frac{\pi}{32}$ steps. That is, we sample the three-dimensional parameter space uniformly with $33^3 \approx 36000$ points. This is not an exhaustive survey of the possibilities of the use of a non-local gate, but as long as Eve obeys the presented assumptions, the obtained maximum of $I(A,E)$ holds for the given parameters $c_1,c_2,c_3$.

273:

274: The following paragraphs describe phase-by-phase the algorithm used in the simulation of our protocol. The algorithm has not been optimized for performance, but instead kept in a form close to the underlying mathematics and physics. In the actual code, all calculation is done numerically. Every transmission state of the original BB84 protocol is assumed to occur with equal probability, and we only consider transmissions that contribute to the sifted key.

275:

276: \subsubsection{Phase 1: Non-local transformation}

277: First, the gate $A(c_1,c_2,c_3)$ is applied to all 16 possible qubit-pair states used in the original BB84 protocol.

278: \begin{equation}

279: |\psi_{a_1a_2}\rangle = A(c_1,c_2,c_3) |a_1\rangle|a_2\rangle \; , \quad a_1,a_2 \in \{0,1,+,-\} \; .

280: \end{equation}

281: The qubit in the left slot, i.e., originally in state $|a_1\rangle$, is sent first.

282:

283: \subsubsection{Phase 2: Eve's first measurement}

284: Eve may choose not to measure either of the two qubits. Since we apply a symmetric gate to the qubit pair, measuring only the first qubit is equivalent to measuring only the second qubit. Therefore, it suffices to simulate the protocol with Eve skipping the measurement only on the first qubit. If Eve does not measure either qubit, there is nothing to simulate.

285:

286: If Eve has chosen to measure the first qubit, the measurement is calculated in the $z$ and $x$ bases. Based on Eq.~(\ref{eq:measprob}), the probability of measurement outcome $e_1$ is

287: \begin{equation}

288: \label{eq:eve1p}

289: p\left(E_1=e_1 | P_{\mathrm{E}1} = \epsilon_1, A=a\right) = \langle\psi_{a_1a_2}|\left(P^{\epsilon_1}_{e_1} \otimes I \right)|\psi_{a_1a_2}\rangle \; ,

290: \end{equation}

291: where $E_n$ is the random variable corresponding to the result of Eve's measurement of qubit $n \in \{1,2\}$ and $\epsilon_1$ is Eve's basis choice. The post-measurement state is

292: \begin{equation}

293: |\psi_{a_1a_2}(e_1,\epsilon_1)\rangle := \left(P^{\epsilon_1}_{e_1} \otimes I \right)|\psi_{a_1a_2}\rangle \big/ \sqrt{p(e_1 | \epsilon_1, a)} \; ,

294: \end{equation}

295: in accordance with Eq.~(\ref{eq:measstate}). However, if $p(e_1|\epsilon_1, a)=0$, we define

296: \begin{equation}

297: |\psi_{a_1a_2}(e_1,\epsilon_1)\rangle := \left( \begin{array}{cccc} 0 & 0 & 0 & 0 \end{array} \right)^{\mathrm{T}} \; .

298: \end{equation}

299: If Eve does not measure the first qubit, we define $|\psi_{a_1a_2}(e_1,\epsilon_1)\rangle := |\psi_{a_1a_2}\rangle$ and mark the probabilities of all outcomes as 1, which is mathematically inconsistent, but is later taken into account.

300:

301: \subsubsection{Phase 3: Eve's second measurement}

302: Eve chooses a measurement basis for the second qubit and applies a projective measurement in the $z$ or $x$ basis. The probability of measurement outcome $e_2$ is

303: \begin{eqnarray}

304: \label{eq:eve2p}

305: &&p\left(E_2=e_2 | E_1 = e_1, P_{\mathrm{E}1}=\epsilon_1, P_{\mathrm{E}2}=\epsilon_2, A=a\right) \nonumber \\

306: &&= \langle\psi_{a_1a_2}(e_1,\epsilon_1) | \left(I \otimes P_{e_2}^{\epsilon_2} \right) |\psi_{a_1a_2}(e_1,\epsilon_1)\rangle \; ,

307: \end{eqnarray}

308: where $\epsilon_2$ is Eve's basis choice for the second measurement. If the result $e_1$ is impossible, the probability in Eq.~(\ref{eq:eve2p}) is correctly zero, since in this case the state vector is the zero vector. After both of Eve's measurements, Bob is in possession of the qubit pair which is in state

309: \begin{equation}

310: |\psi_{a_1a_2}(e_1,\epsilon_1,e_2,\epsilon_2)\rangle := \left(I \otimes P_{e_2}^{\epsilon_2} \right) |\psi_{a_1a_2}(e_1,\epsilon_1)\rangle \big/ \sqrt{p\left(e_2 | e_1, \epsilon_1, \epsilon_2, a\right)} \; .

311: \end{equation}

312: Again, if $p\left(e_2 | e_1, \epsilon_1, \epsilon_2, a\right) = 0$, we define the state to be the zero vector.

313:

314: \subsubsection{Mutual information}

315:

316: We allow Eve to choose the measurement basis independently for each qubit and calculate $I(A,E)$ for the different basis choices. Since the QBER also depends on the measurement basis, we must keep track of the results of all the choices to obtain a complete picture of Eve's capabilities. Because we consider the different basis choices separately, we may omit the explicit conditioning on the basis in all probabilities.

317:

318: To be able to compare our results with other QKD protocols, we calculate Eve's information per bit. The mutual information of $A$ and $E$ given by Eq.~(\ref{eq:mi}) yields Eve's information on a two-bit entity. Thus the mutual information per bit is half of this, i.e.,

319: \begin{equation}

320: \label{eq:aeinfo2}

321: I(A,E) = \frac{1}{2} \left[ H(A) + H(E) - H(A,E) \right] \; .

322: \end{equation}

323: The entropy $H(A)$ is always

324: \begin{equation}

325: H(A) = - \sum_{j=0}^{15} p(a) \log p(a) = - \sum_{j=0}^{15} \frac{1}{16} \log \left(\frac{1}{16}\right) = 4 \; .

326: \end{equation}

327: According to Eq.~(\ref{eq:cond1}),

328: \begin{eqnarray}

329: &&p(e|a) \nonumber \\

330: &&= p(E=e_1e_2| A=a) \nonumber \\

331: &&= p(e_2 | e_1, \epsilon_1, \epsilon_2, a) p(e_1 | \epsilon_1, \epsilon_2, a) \; ,

332: \end{eqnarray}

333: the two factors of which have been calculated in Eqs.~(\ref{eq:eve1p}) and (\ref{eq:eve2p}). The entropy of Eve's variable is

334: \begin{eqnarray}

335: H_m(E)	& =	& - \sum_{e=0}^m p(e) \log p(e) \nonumber \\

336: 		& \stackrel{(\ref{eq:totalprob})}{=}	& - \sum_{e=0}^m \left[\sum_{a = 0}^{15} p(e|a)p(a) \right] \log \left[\sum_{a = 0}^{15} p(e|a)p(a) \right] \nonumber \\

337: 		& =	& - \frac{1}{16} \sum_{e=0}^m \left[\sum_{a = 0}^{15} p(e|a)\right] \left\{\log\left[\sum_{a = 0}^{15} p(e|a)\right] - 4 \right\} \; ,

338: \end{eqnarray}

339: where $m = 1$, if Eve measures only the second qubit, and $m=3$, if Eve measures both qubits. This is justified by noting that if the first measurement is not performed, all probabilities of $e_1$ are designated value 1 and $E_2$ does not depend on $E_1$, and thus $p(e|a) = p(e_2|a)$ given by Eq.~(\ref{eq:eve2p}).

340:

341: The joint entropy of $A$ and $E$ is

342: \begin{eqnarray}

343: H_m(A,E)	& \stackrel{(\ref{eq:jointentr})}{=}		& -\sum_{e=0}^m \sum_{a = 0}^{15} p(e,a) \log p(e,a) \nonumber \\

344: 				& \stackrel{(\ref{eq:condprob})}{=}	& -\sum_{e=0}^m \sum_{a = 0}^{15} p(e|a) p(a) \log \left[p(e|a) p(a)\right] \nonumber \\

345: 				& =	& -\frac{1}{16} \sum_{e=0}^m \sum_{a = 0}^{15} p(e|a) \left[ \log p(e|a) - 4 \right] \nonumber \\

346: 				& =	& \frac{1}{4} \sum_{e=0}^m \sum_{a = 0}^{15} p(e|a) - \frac{1}{16} \sum_{e=0}^m \sum_{a = 0}^{15} p(e|a) \log p(e|a) \; .

347: \end{eqnarray}

348: If $p(e|a)=0$ for some $e$ and $a$, we assign value zero to the term $p(e|a) \log p(e|a)$.

349:

350: \subsubsection{Phase 4: Inverse non-local transformation}

351:

352: Once Bob has received both qubits, he applies $A^{\dagger}(c_1,c_2,c_3)$ to the pair, and obtains the state

353: \begin{equation}

354: |\psi_{a_1a_2}^{\mathrm{Bob}}(e_1,\epsilon_1,e_2,\epsilon_2)\rangle := A^{\dagger}(c_1,c_2,c_3) |\psi_{a_1a_2}(e_1,\epsilon_1,e_2,\epsilon_2)\rangle \; .

355: \end{equation}

356: If Eve had not interfered with either qubit, it would be safe to write this as a product state.

357:

358: \subsubsection{Phase 5: Bob's first measurement}

359: Bob projectively measures both qubits in correct bases. For the first qubit, the probability of result $b_1 \in \{0,1\}$ given $A = a_1a_2$ and $E = e_1e_2$ is

360: \begin{equation}

361: p(b_1|a_1a_2,e_1e_2) = \langle\psi_{a_1a_2}^{\mathrm{Bob}}(e_1,\epsilon_1,e_2,\epsilon_2)| \left(P_{b_1}^{\delta_{1,a}} \otimes I \right) |\psi_{a_1a_2}^{\mathrm{Bob}}(e_1,\epsilon_1,e_2,\epsilon_2)\rangle \; ,

362: \end{equation}

363: where

364: \begin{equation}

365: \delta_{1,a} = \left\{ \begin{array}{ll}

366: 	z & \textrm{if $a \in [0,7]$}\\

367: 	x & \textrm{if $a \in [8,15]$\;.}

368: 	\end{array} \right.

369: \end{equation}

370: If the result $e_1e_2$ is impossible, the probability is zero because the state vector is the zero vector. The probability of $b_1$ given only $A = a_1a_2$ is

371: \begin{equation}

372: p(b_1|a) \stackrel{(\ref{eq:probsum})}{=} \sum_{e=0}^m p(b_1,e|a) \stackrel{(\ref{eq:cond1})}{=} \sum_{e=0}^m p(b_1|a,e) p(e|a) \; .

373: \end{equation}

374: Bob's first measurement projects the qubit pair into state

375: \begin{equation}

376: |\psi_{a_1a_2}^{\mathrm{Bob}}(e_1,\epsilon_1,e_2,\epsilon_2,b_1)\rangle = P_{b_1}^{\delta_{1,a}}|\psi_{a_1a_2}^{\mathrm{Bob}}(e_1,\epsilon_1,e_2,\epsilon_2)\rangle \big/ \sqrt{p(b_1|a_1a_2,e_1e_2)} \; ,

377: \end{equation}

378: unless $p(b_1|a_1a_2,e_1e_2) = 0$, in which case the state is the zero vector.

379:

380: \subsubsection{QBER of the first qubit}

381: If the transmission has no errors, the first measurement yields value 0 for $a \in \mathcal{A}_{10} = \{0,1,4,5,8,9,12,13\}$, and value 1 for $a \in \mathcal{A}_{11} = \{2,3,6,7,10,11,14,15\}$. Thus the QBER of the first qubit is, according to Eq.~(\ref{eq:QBER}),

382: \begin{equation}

383: \mathrm{QBER}_1 = \frac{1}{16} \left[ \sum_{a \in \mathcal{A}_{10}} p(B_1 = 1 |a) + \sum_{a \in \mathcal{A}_{11}} p(B_1 = 0 |a) \right] \; ,

384: \end{equation}

385: where $B_i$ is the random variable that yields the result of Bob's $i$th measurement.

386:

387: \subsubsection{Phase 6: Bob's second measurement}

388: Bob measures the second qubit. The probability of getting result $b_2 \in \{0,1\}$ given $A = a_1a_2$ is

389: \begin{eqnarray}

390: p(b_2 | a)	& \stackrel{(\ref{eq:probsum})}{=}	& \sum_{b_1=0}^1 p(b_2, b_1 | a) \nonumber \\

391: 				& \stackrel{(\ref{eq:cond1})}{=}		& \sum_{b_1=0}^1 p(b_2| b_1, a) p(b_1|a) \nonumber \\

392: 				& \stackrel{(\ref{eq:probsum})}{=}	& \sum_{b_1=0}^1 \sum_{e=0}^m p(b_2, e| b_1, a) p(b_1| a) \nonumber \\

393: 				& \stackrel{(\ref{eq:cond1})}{=}		& \sum_{b_1=0}^1 \sum_{e=0}^m p(b_2| b_1,e,a) p(e| b_1, a) p(b_1|a) \nonumber \\

394: 				& \stackrel{(\ref{eq:cond4})}{=}		& \sum_{b_1=0}^1 \sum_{e=0}^m p(b_2| b_1,e,a) p(b_1| e, a) \frac{p(e|a)}{p(b_1|a)} p(b_1|a) \nonumber \\

395: 				& =	& \sum_{b_1=0}^1 \sum_{e=0}^m p(b_2| b_1,e,a) p(b_1| e, a) p(e|a) \; .

396: \end{eqnarray}

397: The first factor in the term is obtained by calculating

398: \begin{equation}

399: p(b_2| b_1,e, a) = \langle\psi_{a_1a_2}^{\mathrm{Bob}}(e_1,\epsilon_1,e_2,\epsilon_2,b_1)| \left( I \otimes P_{b_2}^{\delta_{2,a}} \right) |\psi_{a_1a_2}^{\mathrm{Bob}}(e_1,\epsilon_1,e_2,\epsilon_2,b_1)\rangle \; ,

400: \end{equation}

401: where

402: \begin{equation}

403: \delta_{2,a} = \left\{ \begin{array}{ll}

404: 	z & \textrm{if $a \in [0,3]$ or $a \in [8,11]$}\\

405: 	x & \textrm{if $a \in [4,7]$ or $a \in [12,15]$\;.}

406: 	\end{array} \right.

407: \end{equation}

408: Again, if result $b_1$ or result $e_1e_2$ is impossible, the probability is zero because the state is the zero vector.

409:

410: \subsubsection{Total QBER}

411: After an error-free transmission, the second measurement yields value 0 for even values of $a$ and 1 for odd values of $a$. Therefore, the QBER of the second qubit is

412: \begin{equation}

413: \mathrm{QBER}_2 = \frac{1}{16} \left[ \sum_{a \mathrm{\ even}} p(B_2 = 1 |a) + \sum_{a \mathrm{\ odd}} p(B_2 = 0 |a) \right] \; .

414: \end{equation}

415: The total QBER is the average over the individual error rates:

416: \begin{equation}

417: \mathrm{QBER} = \frac{1}{2}\left(\mathrm{QBER}_1 + \mathrm{QBER}_2\right) \; .

418: \end{equation}

419:

420:

421: \subsection{Results}

422: We are interested in finding the maximum of Eve's mutual information on Alice's sifted key, $I(A,E)$, for a given QBER observed by Alice and Bob. In the analyzed attack, Eve has six different measurement configurations for each gate $A(c_1,c_2,c_3)$. She can measure both qubits in bases $zz$, $zx$, $xz$, or $xx$, or she can measure only the second qubit, in $z$ or $x$ basis. Due to the symmetry of the protocol with respect to the two transmitted qubits, the case where Eve measures only the first qubit needs no analysis---it is equivalent to measuring only the second one. Furthermore, using any of the six configurations, Eve can choose to interfere with only a fraction $0 \leq \xi \leq 1$ of the transmitted qubit pairs.

423:

424: Figure \ref{fig:siivut} shows $I(A,E)$ as a function of QBER for the sampled parameter values in the different measurement configurations. The results are identical for bases $zx$ and $xz$, and very similar for bases $zz$ and $xx$, if Eve measures both qubits. If Eve measures only the second qubit, the results are very similar for both basis choices. The fraction $\xi = 1$ in all plots.

425:

426: \begin{figure}[hbtp]

427: \vspace{5mm}

428: \begin{center}

429: \includegraphics[width=0.47\textwidth]{rawzx1.eps}\quad \quad

430: \includegraphics[width=0.47\textwidth]{rawzz1n0.eps}

431: \caption{Eve's mutual information per bit on Alice's sifted key and the corresponding QBER for the sampled values of $c_1,c_2,c_3$, and $\xi = 1$. The left panel shows the case where Eve measures both qubits and chooses $zx$ or $xz$ as her measurement bases. In the right panel, the lower set of points corresponds to Eve measuring only the second qubit in either basis, and the upper set to Eve measuring both qubits in the same basis. The upper envelope curve of the set in the left panel is the lower envelope curve for the upper set in the right panel.}

432: \label{fig:siivut}

433: \end{center}

434: \end{figure}

435:

436: Which measurement configuration yields most information on Alice's key? For example, consider the situation for the gate $A\left(\frac{6 \pi}{32},\frac{25 \pi}{32},\frac{5 \pi}{32}\right)$, shown in Fig.~\ref{fig:7365}. The filled circle represents Eve measuring only the second qubit. This configuration provides least information and induces least errors. For the same QBER $\approx 0.24$, Eve obtains more information with any other configuration by adjusting $\xi$ properly, illustrated by the dashed and solid lines parametrized by $0 \leq \xi \leq 1$. Hence, measuring only one of the qubits does not provide maximal information. In fact, the same reasoning applies for any gate setting $c_1,c_2,c_3$, and we therefore ignore this measurement configuration in the following analysis.

437:

438: By measuring both qubits in the $z$ basis, denoted by the square in Fig.~\ref{fig:7365}, Eve maximizes her information as well as the QBER for the considered gate. Although measuring both qubits in the $x$ basis, denoted by the triangle, yields less information, the relative decrease in the QBER is larger. Thus, for any QBER up to that of the triangle, the $xx$ bases provide most information. That is, the slope of the $\xi$ line is larger for the $xx$ bases. Furthermore, as is shown in Fig.~\ref{fig:siivut}, for $\xi=1$, the induced QBER is always at least 25\%. Having observed a QBER this high, Alice and Bob would most likely abort the protocol. Hence, Eve should always adjust $\xi < 1$ such that the QBER is well below 25\%, and choose the configuration providing the largest slope for the line and thus maximal information. For any gate $A$, this configuration always involves measuring both qubits in either the $z$ basis or the $x$ basis, and hence we choose this to be Eve's configuration. This result is consistent with the symmetry of the gate $A$---there is no reason why it would be beneficial to employ different measurement bases for the qubits. Figure \ref{fig:miqsel} shows the mutual information as a function of QBER for the selected configuration and $\xi=1$. For each sampled gate, the maximal information is at most $0.011$ bits more than that given by the configuration corresponding to the largest slope.

439:

440: \begin{figure}[hbtp]

441: \vspace{5mm}

442: \begin{center}

443: \includegraphics[width=0.72\textwidth]{sit7365_2.eps}

444: \caption{Eve's information on Alice's key and the induced QBER for the gate $A\left(\frac{6 \pi}{32},\frac{25 \pi}{32},\frac{5 \pi}{32}\right)$. The filled circle corresponds to Eve measuring only the second qubit. The open symbols correspond to the cases where Eve measures both qubits: The circle denotes the $zx$ or $xz$ bases, the square bases $zz$, and the triangle bases $xx$. The mutual information and the QBER are slightly larger for the $zz$ than for the $xx$ choice. The solid, dashed, and dotted lines show Eve's information for $\xi \in [0,1]$ for bases $zz$, $xx$, and $zx$, respectively.}

445: \label{fig:7365}

446: \end{center}

447: \end{figure}

448:

449: \begin{figure}[hbtp]

450: \vspace{5mm}

451: \begin{center}

452: \includegraphics[width=0.85\textwidth]{miqselect.eps}

453: \caption{Eve's information on Alice's key and the induced QBER for the sampled gates and $\xi=1$, given that Eve chooses the measurement configuration yielding the largest slope for the $\xi$-parametrized line. The solid line illustrates the lower envelope of the set, obtained by sweeping over $c_2$ for $c_1=c_3=0$. The dashed line is obtained by sweeping over $c_3$ for $c_1=0$ and $c_2=\frac{13 \pi}{16}$.}

454: \label{fig:miqsel}

455: \end{center}

456: \end{figure}

457:

458: The plot in Fig.~\ref{fig:miqsel} is generated as follows. For $\left(c_1,c_2,c_3\right) = (0,0,0)$ the mutual information is 0.5 and the QBER 25\%. This is consistent with the original BB84, since $A(0,0,0)$ is just the two-qubit identity transformation. The smallest information and the highest QBER, point $(0.5,0.125)$, is achieved with, e.g., the gate $A\left(0,\frac{\pi}{2},0\right)$. The lower envelope curve for the set of points in Fig.~\ref{fig:miqsel} is obtained by sweeping $c_2 \in \left[0,\frac{\pi}{2}\right]$ while keeping $c_1 = c_3 = 0$. Each of the concave arcs above the envelope are obtained by sweeping over $c_3$ for different values of $c_2$. For instance, if $c_1=0$ and $c_2 = \frac{13 \pi}{16}$, increasing $c_3$ from 0 to $\frac{\pi}{2}$ produces the dashed arc in Fig.~\ref{fig:miqsel}. For different values of $c_1$, the sweeps over $c_2$ and $c_3$ yield arcs of different shape in the same set of points. We thus observe that adjusting $c_1$ is redundant, the same effect is achieved by an appropriate choice of $c_2$ and $c_3$.

459:

460: Let us compare our protocol with the original BB84. Figure \ref{fig:vertailu} shows Eve's maximal information as a function of QBER for BB84 and for three representative gates in our protocol. The oblique lines are obtained by varying $\xi \in [0,1]$. The solid line denotes BB84 and the densely dashed lines our protocol for settings $c_1=c_3=0$ and $c_2 = \frac{\pi}{8}, \frac{\pi}{4}, \frac{\pi}{2}$. Our protocol provides Eve less information and induces more errors in the sifted key for a given $\xi$. For instance, by employing gate $A(0,\frac{\pi}{8},0)$, Eve's information is decreased by $0.0875$ bits and the QBER increased by only 0.037, for $\xi=1$. In BB84, the incoherent attack provides approximately 0.13 bits more information than the IR attack for a 20\% QBER, as is shown in Fig.~\ref{fig:bb84miqber}. In our protocol, Eve's information for the same QBER can be reduced from 0.4 to 0.05---much more than what is gained by applying an incoherent attack in BB84. The difference is significant for any QBER less than 25\%.

461:

462: The error correction phase provides Eve further information. Equation (\ref{eq:errcorrbits}) gives a lower bound on the number of bits Alice and Bob need to exchange to correct the errors, with an error probability of $p$ = QBER in each bit. The bound is valid for an error process affecting each bit individually, but in our protocol, the errors in the bits obtained from one qubit pair are correlated due to entanglement. However, we can apply the bound to our protocol as well, since correcting pairwise correlated errors cannot be more demanding than correcting independent errors. That is, Alice and Bob can treat the errors as uncorrelated. Because the number of exchanged bits only depends on the QBER, the differences of the lines in Fig.~\ref{fig:vertailu} remain the same after adding to them the information provided by the error-correction step. Thus, for a given QBER, our protocol provides Eve strictly less information with $c_2$ and $c_3$ chosen properly, assuming that Eve uses the described IR attack.

463: %The graph on the right in Fig.~\ref{fig:vertailu} shows Eve's combined information from both sources for BB84 and for our protocol with the same gates as on the left. In BB84, Eve achieves full information on the key at $\mathrm{QBER} \approx 17\%$.

464:

465: \begin{figure}[hbt]

466: \vspace{5mm}

467: \begin{center}

468: \includegraphics[width=0.6\textwidth]{vert1.eps}

469: \caption{Eve's maximal mutual information and the induced QBER for BB84 (solid line) and for our protocol with gate settings $c_2 = \frac{\pi}{8}, \frac{\pi}{4}, \frac{\pi}{2}$ and $c_1 = c_3 = 0$, denoted by the uppermost, middle, and lowest dashed line, respectively. Eve employs an IR attack. The sparsely dashed line denotes the envelope curve of the set shown in Fig.~\ref{fig:miqsel}.}

470: \label{fig:vertailu}

471: \end{center}

472: \end{figure}

473:

474: %muutama ote ja sit error correctionilla -> turhaa

475: %ec kaava p�tee iid erroreille, mutta voidaan k�ytt�� yl�rajana/arviona

476:

477: Which gate $A\left(c_1,c_2,c_3\right)$ should Alice and Bob choose? The answer is complicated by the fact that any practical implementation of the protocol includes a quantum channel with a finite error rate. Eve's interference acts as an approximate, although poor, model for the noise in the quantum channel. While the choice $A\left(0,\frac{\pi}{2},0\right)$ limits Eve's information most effectively for any QBER, it also presumably amplifies the noise in the quantum channel the most. Whether this amplification is tolerable depends on the noise. However, since Eve's information decreases rapidly compared to the increase in QBER in the upper part of the envelope curve shown in Fig.~\ref{fig:vertailu}, it is plausible that even for a very noisy channel a non-identity gate benefits Alice and Bob. Moreover, the noise of a practical quantum channel decreases as technology advances.

478:

479: For instance, assume that Alice and Bob employ the gate $A\left(0,\frac{\pi}{2},0\right)$ corresponding to the lowest dashed line in Fig.~\ref{fig:vertailu}. Assume also that the inherent noise of the used quantum channel results in a QBER of at most 10\%. If Eve's interference is used as a model for the noise, the QBER is doubled by the gate, since QBER = $\xi/4$ without the gate, and QBER = $\xi/2$ with the gate. Hence, we assume that if the gate is employed, Alice and Bob must accept a 20\% QBER. Without the gate, Eve's maximal information can be limited to 0.2 bits, and with the gate to 0.05 bits. That is, the gate reduces Eve's information to 1/4 of that in BB84 even if the noise is taken into account. Exactly which gate to employ depends on the actual noise of the realized quantum channel, however.

480:

481: %oletetaan ett� eve valitsee aina jyrkimm�n slopen

482: %pistejoukko = set of points

483:

484: %\small{Miten laskettiin ja mita kun Evella kaytossa Z- ja X-kannat intercept-resendissa. \\Mathematica-koodi esitettyna pseudokoodina? Liiteeksi?}

485: %\small{Tulokset edellisista}

486:

487: \section{EPR-pair attack}

488: Since Alice and Bob utilize entanglement to keep their key a secret, it is an intuitive idea for Eve to also make use of this resource. One way of taking advantage of entanglement in eavesdropping is to send qubits of an EPR pair, defined in Eq.~(\ref{eq:eprcharlie}), to Bob. Let us label the qubits of the EPR pair as

489: \begin{equation}

490: \label{eq:eprpairlab}

491: |\Phi^+\rangle = \frac{1}{\sqrt{2}} \left(|0\rangle_1|0\rangle_2 + |1\rangle_1|1\rangle_2\right) \; .

492: \end{equation}

493:  After intercepting the first qubit of the transmitted pair, Eve sends qubit 1 of an EPR pair to Bob while keeping qubit 2 for herself. Bob acknowledges the reception of the first qubit, and Alice sends the second qubit which Eve also intercepts. Eve can, e.g., measure the intercepted qubits, and based on the result, apply a single-qubit transformation to the second qubit of the EPR pair which she then sends to Bob. More complicated transformations involving the intercepted qubits are also possible. Eve has thus sent Bob a qubit pair in an entangled state one qubit at a time, and has partial control over the state of the pair after learning the measurement results for both intercepted transmissions.

494:

495: For instance, assume that Alice and Bob have chosen $U_1 := \textrm{CNOT}\left(H \otimes I\right)$ as their two-qubit unitary transformation. CNOT is the non-local controlled-not operation which transforms input states as

496: \begin{equation}

497: \textrm{CNOT:\;} \left\{

498: \begin{array}{lcl}

499: |00\rangle	& \to	& |00\rangle \\

500: |01\rangle	& \to	& |01\rangle \\

501: |10\rangle	& \to	& |11\rangle \\

502: |11\rangle	& \to	& |10\rangle

503: \end{array}

504: \nonumber

505: \right.

506: \end{equation}

507: and $H$ is the Hadamard gate that transforms $|0\rangle \to (|0\rangle + |1\rangle)/\sqrt{2}$ and $|1\rangle \to (|0\rangle - |1\rangle)/\sqrt{2}$. The only BB84 states $|a_1\rangle|a_2\rangle$ not resulting in a tensor product state with the application of $U_1$ are states $|00\rangle, |01\rangle, |10\rangle, |11\rangle$. These states are transformed into the Bell states by $U_1$ as

508: \begin{eqnarray}

509: U_1|00\rangle	& =	& |\Phi^+\rangle = (|00\rangle + |11\rangle)/ \sqrt{2} \; , \\

510: U_1|01\rangle	& =	& |\Psi^+\rangle = (|01\rangle + |10\rangle)/ \sqrt{2} \; , \\

511: U_1|10\rangle	& =	& |\Phi^-\rangle = (|00\rangle - |11\rangle)/ \sqrt{2} \; , \\

512: U_1|11\rangle	& =	& |\Psi^-\rangle = (|01\rangle - |10\rangle)/ \sqrt{2} \; .

513: \end{eqnarray}

514: %In this case, on average 1/4 of the qubit pairs travel from Alice to Bob in a maximally entangled Bell state \cite{gisin}, and the rest in unentangled states.

515:

516: Assume that Eve has some way of knowing if Alice uses the $z$ basis for the initial state $|a_1\rangle|a_2\rangle$. This capability would, of course, severely compromise the security of any BB84-based QKD protocol. Nevertheless, let us demonstrate how Eve could in this case eavesdrop on the transmission and still preserve its entanglement. If Alice has chosen some other combination of bases than $zz$ for the qubits, Eve attacks the unentangled transmission using any strategy suitable for the original BB84 protocol. However, if Alice's choice of bases is $zz$, Eve knows to expect a transmission of a qubit pair in one of the Bell states, and does the following.

517:

518: %Note that Bob has not yet measured the EPR-pair qubit in his possession because he is waiting for the second qubit of the transmitted pair.

519: Eve intercepts and stores the first transmitted qubit in short-term quantum memory, and immediately sends qubit 1 of the pair in Eq.~(\ref{eq:eprpairlab}) to Bob. She then intercepts and stores the second transmitted qubit and is thus in possession of the transmitted qubit pair as well as the second qubit of the EPR pair. Eve undoes $U_1$ by applying $U_1^{\dagger} = (H \otimes I) \mathrm{CNOT}$ to the intercepted pair, after which she measures the qubits in $z$ basis, thus recovering $a_1$ and $a_2$ exactly. Based on the result, Eve chooses a single-qubit gate

520: \begin{equation}

521: E_{a_1a_2} = I \left(\sigma_x\right)^{a_2} \left(\sigma_z\right)^{a_1} \; ,

522: \end{equation}

523: which she applies to qubit 2 of the EPR pair. This transforms the pair to the state that Alice transmitted, i.e., $\left(I \otimes E_{a_1a_2} \right)|\Phi^+\rangle = U_1 |a_1\rangle|a_2\rangle$. Eve sends the second qubit to Bob, who applies $U_1^{\dagger}$ to the qubit pair. Bob measures the qubits in the $z$ basis, and recovers $a_1$ and $a_2$. That is, Bob observes a zero QBER while Eve has full knowledge about the key bits Alice and Bob established, given that Alice used the $zz$ basis. Note that this result only applies if Alice's basis choices are available to Eve at the time of the quantum transmission---a feature that would render the original BB84 protocol useless. The utilization of entanglement in eavesdropping is not discussed further in this Thesis.

524:

525: %\section{Applicability}

526:

527:

528: %---

529: %\small{Jos ehditaan saada, niin Even incoherent attack tata protokolla vastaan.} -> ei ehdit�

530: