<< . .

. 6
( : 7)

. . >>

k k k
information between the result of any measurement Bob may do and Alice™s value, H (B : A) , is bounded above
by Holevo bound (2.6), thus H (B : A) ¤ χB , and similarly Eve™s mutual information is bounded above by
H (E : A) ¤ χE . Since any excess information Bob has relative to Eve, at least above a certain threshold can in
principle be exploited by Bob and Alice to distill a shared secret key using the techniques of the last subsection.
It makes sense to de¬ne privacy as

P sup [H (B : A) ’ H (E : A)] ,

where S are all the possible strategies Alice and Bob may employ to the channel. This is the maximum excess
classical information that Bob may obtain relative to Eve about Alice™s quantum signal. Using the HSW theorem
(3.10), Alice and Bob may employ a strategy such that H (B : A) = χB , while for any strategy Eve may employ,
H (E : A) ¤ χE . Thus P ≥ χB ’ χE . A lower bound may be obtained by assuming that Alice™s signal states
are pure (refer to discussion after equation (3.10) to see why), ρA = ψA ψA , and if Eve initially had an
k k

unentangled state 0E , which may also assumed pure. Suppose Eve™s interaction is ψEB = U ψA 0E ,
since it is a pure state, the reduced density matrices ρE and ρB will have the same non-zero eigenvalues, and thus
k k
the same entropies, S ρk = S ρk . Thus P ≥ χ ’ χ = S ρB ’ k pk S ρB ’ S ρE + k pk S ρE =
k k
S ρB ’ S ρE = I (ρ, E) , where the de¬nition (2.10) was used. Note that the lower bound for privacy is
protocol independent.
A quantum key distribution (QKD) protocol is de¬ned secure if, for any security parameters s > 0 and
l > 0 chosen by Alice and Bob, and for any eavesdropping strategy, either the scheme aborts, or succeeds with
probability at least 1 ’ O (2’s) , and guarantees that Eve™s mutual information with the ¬nal key is less than
2’l . The key string must also be essentially random.

4.1.4 A provable secure version of the BB84 protocol
It can be proven [1, p.593-599] that using CSS codes one can have a 100% secure quantum key distribution.
However CSS codes need perfect quantum computation, which is not yet achieved. Fortunately there is a chance
of using the classical properties of CSSu,v codes de¬ned in (3.6) to have an equally secure classical computation
version of BB84 protocol (refer to [1, p.599-602] for a proof). This version is made up of the following steps:

1. Alice creates (4 + δ) n random bits.
2. For each bit, she creates a qubit either in the {|0 , |1 } or in {|+ , |’ } basis, according to a random bit
string b, see for example (4.1).
3. Alice sends the resulting qubits to Bob.
4. Alice chooses a random vk ∈ C1.
5. Bob receives the qubits, publicly announces this fact, and measures each in the {|0 , |1 } or in {|+ , |’ }
basis randomly.
6. Alice announces b.
7. Alice and Bob discard those bits Bob measured in a basis other than b. With high probability, there are
at least 2n bits left; if not, abort the protocol. Alice decides randomly on a set of 2n bits to continue to
use, randomly selects n of these to check bits, and announces the selection.
8. Alice and Bob publicly compare their check bits. If more than t of these disagree, they abort the protocol.
Alice is left with the n bit string x, and Bob with x + .
9. Alice announces x ’ vk . Bob subtracts this from his result, correcting it with code C1 to obtain vk .
10. Alice and Bob compute the coset of vk + C2 in C1 to obtain the key k.

4.2 A commercial quantum cryptographic device
After a theoretical presentation of quantum key distribution it is time to present experimental results and then
discuss the possibility of having a commercial device realizing quantum cryptography. These two topics are
discussed correspondingly in subsections 4.2.1 and 4.2.2.

4.2.1 Experimental quantum key distribution
The ¬rst demonstration of quantum key distribution was performed at the IBM laboratory in 1989 [33] over
a distance of 30 cm. Since then there has been remarkable improvement, demonstrating quantum key distri-
bution over a distance of 10 km [34, 35], in IBM too, or over distances exceeding 40km, and also in installed
telecommunication ¬ber, under the Lake Geneva [36].
In most cases experimental quantum cryptography is done using single photons, and optical ¬bers are used
to guide them from Alice to Bob. Once the medium is chosen one should pick the right source and detectors.
Since they have to be compatible, the crucial choice is the wave length. There are two main possibilities. Either
one chooses a wavelength around 800 nm where e¬cient photon counters are commercially available, or one
chooses a wavelength compatible with today™s telecommunication optical ¬bers, that is near 1300 nm or 1550
nm. The ¬rst choice requires the use of special ¬bers, hence the installed telecommunications networks can™t
be used. The second choice requires the improvement or development of new detectors not based on silicon
semiconductors which are transparent above 1000 nm wavelength. It is still unclear which of the two alternatives
will turn out to be the best choice.
In what concerns the production of photons according to the BB84 states, de¬ned in equation (4.1), one can
choose di¬erent polarization states, which form non-orthogonal bases. Polarization can be for example linear,
identifying |0 ≡ |‘ and |1 ≡ |“ , or circular identifying |+ ≡ | and |’ ≡ | . However in practice single
photon states are di¬cult to realize thus approximately single photon states are produced by faint laser pulses.
Finally one should detect these approximate single photon states. This is achieved using a variety of tech-
niques. One can choose between photomultipliers, avalanche-photodiodes, multichannel plates and supracon-
ducting Josephson junctions.
A typical experimental setup for quantum key distribution, with the technology described above is sawn in
Figure 4.3.

Basis 1
LD 1 "1"
PBS "0"
LD 2 Channel /2
BS "1"
LD 3
BS "0"
LD 4
Basis 2

Figure 4.3: Typical system for quantum cryptography using polarization coding (LD: laser diode, BS: beamsplit-
ter, F: neutral density ¬lter, PBS: polarizing beam splitter, »/2: half waveplate, APD: avalanche photodiode).

For more experimental details on the single photon quantum key distribution one should refer to [4, p.11-29].

4.2.2 Commercial quantum cryptography
Once the experimental setup of quantum key distribution has been performed, as discussed in subsection 4.2.1
and as sawn in Figures 4.3 and 4.2, one needs to follow the steps presented in subsection 4.1.4, in order to
achieve perfectly secure quantum cryptography. Of course these steps are nothing but an algorithm, which can
be analyzed and easily implemented into a program which can run on current technology computers. Moreover
special controlling devices are needed in order to instruct the laser diodes, the beam splitters and get the result
of the measurements from the avalanche photodiodes. Such hardware is already available in the market. One
should not forget that a public connection is needed, like for example the internet. For this reason there exist

patents [37], which can convert quantum cryptography from a laboratory experiment into a commercial product.
Such a patent is discussed bellow.
One can reconstruct the steps of subsection 4.1.4 into the following computer program:

1. Alice™s computer creates (4 + δ) n random bits, using an unknown to anybody else algorithm. (One can
also use quantum techniques as discussed in the third paragraph of subsection 4.1.1)
2. For each bit, Alice™s computer triggers with a controller one of the four laser diodes, as shown in Figure
4.2, according to a random bit string b.

3. This way the light beams are sent to Bob™s site into an agreed beforehand rate.
4. Alice™s computer has already implemented the classical version of CSS codes, and then it picks up randomly
a v k ∈ C1 .
5. Bob™s computer instructs with a controller the beam splitter sawn in Figure 4.2 in which basis to measure
the light beam. The selection should be according to a random algorithm. There should be a device
returning the result of the measurement of the avalanche photodiodes to Bob™s computer. Bob™s computer
announces the fact through an internet line to Alice™s computer.
6. Alice™s computer announces b.
7. Both computers discard those bits Bob™s measured in a basis other than b. With high probability, there
are at least 2n bits left; if not, abort the protocol. Alice™s computer decides randomly on a set of 2n bits
to continue to use, randomly selects n of these to check bits, and announces to Bob™s computer through
8. Both computers compare through internet their check bits. If more than t of these disagree, they abort
the protocol. Alice™s computer is left with the n bit string x, and Bob™s with x + .
9. Alice™s computer announces x ’ vk . Bob™s computer subtracts this from his result, correcting it with code
C1 to obtain vk .
10. Both computer calculate the coset of vk + C2 in C1 to obtain the key k.

Concluding it should be noted that what is very important about the above implementation, is that it is
completely automatic and almost no human intervention is needed. Thus users can just write their messages,
command the computers to send them securely and in the other side receive them. Automatic process is what
makes such a device successfully commercial.


The most important tools and results of classical and quantum information theory, obtained in the present
Individual Study Option, are summarized in the Figure S.1.

Information Theory
Classical Quantum
Shannon entropy Von Neumann entropy
H (X) = ’ x px log px S (ρ) = ’tr(ρ log ρ)

Distinguishability and accessible information
Letters always distinguishable Holevo bound
N = |X| H (X : Y ) ¤ S (ρ) ’ px S (ρx )
ρ= px (ρx )

Information-theoretic relations
Fano inequality Quantum Fano inequality
H (F (ρ, E)) + (1 ’ F (ρ, E)) log d2 ’ 1
H (pe) + pe log (|X| ’ 1) ≥ H (X|Y )
≥ S (ρ, E)
Mutual information Coherent information
H (X : Y ) = H (Y ) ’ H (Y |X) I (ρ, E) = S (E (ρ)) ’ S (ρ, E)
Data processing inequality Quantum data processing inequality
X ’Y ’Z ρ ’ E1 (ρ) ’ (E2 —¦ E1) (ρ)
H (X) ≥ H (X : Y ) ≥ H (X : Z) S (ρ) ≥ I (ρ, E1) ≥ I (ρ, E2 —¦ E1)

Noiseless channel coding
Shannon™s theorem Schumacher™s theorem
nbits = H (X) nqubits = S ( x px ρx )

Capacity of noisy channels for classical information
Shannon™s noisy coding theorem Holevo-Schumacher-Westmoreland
C (1) (E) = max S (ρ ) ’ px S (ρx )
C (N ) = max H (Y : X)
{pj ,ρj }
p(x) x
ρx = E (ρx ) , ρ = px ρx

Figure S.1: Summary of classical and quantum information theory.

The most important results concerning quantum cryptography, are summarized in Figure (S.2).

Quantum Cryptography
BB84 protocol, sends the following states
ψ a k bk
see (4.1) for de¬nitions

Privacy of a quantum channel E
P ≥ I (ρ, E)

Figure S.2: Summary of quantum cryptography.

Appendix A

Omitted proofs

A.1 Special diagonal transformation of normal matrices
In this appendix it is going to be demonstrated that for a d — d normal matrix A, there exists a set of unitary
(A) (A) (A)†
matrices Ui , such that i=1 Ui AUi =tr(A) I. Since A is a normal matrix, by spectral decomposition
such that U (A) AU (A)† is diagonal, and for this diagonal matrix there exists
theorem there exists a matrix U

a unitary transformation Vi”j AVi”j which interchanges the i-th diagonal element with the j-th.
To see this suppose B is a d — d dimensional diagonal matrix, then the following matrix
 δ kl , k or l = i, j

1, k = j and l = i
(Vi”j )kl ,
 1, k = i and l = j

0, else
can be used to exchange the i-th diagonal element with the j-th of B. Following the next steps V i”j is initially
proven to be unitary
d d
† †
Vi”j Vi”j = (Vi”j )kl Vi”j = (Vi”j )kl (Vi”j )nl
l=1 l=1
« « 
δ kl , k or l = i, j δ nl , n or l = i, j
¬ 1, k = j and l = i · ¬ 1, n = j and l = i ·
¬ ·¬ ·
=  1, k = i and l = j   1, n = i and l = j 
0, else 0, else
« 
δ kn, k or n = i, j
¬ 1, k = j and n = j ·
¬ ·
=  1, k = i and n = i  = δ kn = I.
0, else
The ability of Vi”j to exchange the diagonal elements of matrix B = diag {. . . , bi, . . . , bj , . . . } is exhibited by
d d d
† † †
Vi”j BVi”j = (Vi”j )kl Blm Vi”j = (Vi”j )kl bl Vi”j
mn nl
l=1 m=1 l=1
«  « 
δ kl , k or l = i, j δ nl , n or l = i, j
¬ 1, k = j and l = i · ¬ 1, n = j and l = i ·
¬ ·¬ ·
=  1, k = i and l = j  bl  1, n = i and l = j 
0, else 0, else
« 
bnδ kn, k = i, j or n = i, j
¬ ·
bi, k = j and n = j
¬ · = diag {. . . , bj , . . . , bi, . . . } .
=  
bj , k = i and n = i
0, else

V1”2V2”3 · · · Vd’1”d Vd”1 , which is unitary matrix as a multiplication of unitary
De¬ning now V23···d1

matrices, then V23···d1U AU (A)† V23···d1 is a diagonal matrix where the in the ¬rst diagonal place is the second

diagonal element of A, in the second diagonal place the third diagonal element of A, and so on until the
¬nal diagonal place where the ¬rst diagonal element of A stands. The next display visualizes the similarity
transformation V23···d1
®  ® 
a11 a22
   
a22 a33
   
   
.. ..
  V23···d1  
. .
’ .

   
a(d’2)(d’2) a(d’1)(d’1)
   
° » ° »
a(d’1)(d’1) add
add a11

Enumerating all the cyclic permutations of (1, 2, . . . , d) with a number i then the following unitary matrices
Vi U (A) . It is straightforward to verify that,
are de¬ned Ui
® 
a11 + a22 + . . . + add
 
d a22 + a33 + . . . + a11
 
(A) (A)†
Ui AUi = 
° »
add + a11 + . . . + a(d’1)(d’1)
= tr (A) I.

A.2 Projective measurements are equivalent to an addition of uni-
tary operations
Let P be a projector and Q I’P the complementary projector, in this appendix it will be sawn that there exist
† †
unitary matrices U1 , U2 and a probability p such that for all ρ, P ρP + QρQ = pU1ρU1 + (1 ’ p) U2 ρU2 . Choose

p 2 , U1 Q’P and U2 Q+P I. It is obvious that U1 U1 = (Q ’ P ) (Q ’ P ) = QQ+QP ’P Q’+P P =

Q + 0 + P = I, and U2 U2 = II = I. Now it is easy to check that

1 1 1 1
† †
(Q ’ P ) ρ (Q ’ P ) + (Q + P ) ρ (Q + P )
U1 ρU1 + U2 ρU2 =
2 2 2 2
1 1
(QρQ ’ QρP ’ P ρQ + P ρP ) + (QρQ + QρP + P ρQ + P ρP )
2 2
= P ρP + QρQ.

q.e.d. (Abbas Edalat contributed to this proof)

Appendix B

Distance measures of information

B.1 Classical information distance: Hamming
The Hamming distance of two strings, is de¬ned to be the number of places their bits are di¬erent. Assuming
a and b are the two n-bit strings, and ai and bi are their i-th bits, one can write
|ai ’ bi | .
d (a, b)

Very naturally, a Hamming sphere of center c and radius δ, is de¬ned as the set of stings which have distance
from c less or equal to δ

{s : d (c, s) ¤ δ} .
Sph (c, δ)

B.2 Quantum information distance: Fidelity
Fidelity is a measure of distance of two quantum states, de¬ned by

1 1
ρ 2 σρ 2 = max | ψ|φ | ,
F (ρ, σ) tr
|ψ ,|φ

and used to determine how well a quantum channel preserves information. To do this the following function

<< . .

. 6
( : 7)

. . >>