information between the result of any measurement Bob may do and Alice™s value, H (B : A) , is bounded above

by Holevo bound (2.6), thus H (B : A) ¤ χB , and similarly Eve™s mutual information is bounded above by

H (E : A) ¤ χE . Since any excess information Bob has relative to Eve, at least above a certain threshold can in

principle be exploited by Bob and Alice to distill a shared secret key using the techniques of the last subsection.

It makes sense to de¬ne privacy as

P sup [H (B : A) ’ H (E : A)] ,

S

29

where S are all the possible strategies Alice and Bob may employ to the channel. This is the maximum excess

classical information that Bob may obtain relative to Eve about Alice™s quantum signal. Using the HSW theorem

(3.10), Alice and Bob may employ a strategy such that H (B : A) = χB , while for any strategy Eve may employ,

H (E : A) ¤ χE . Thus P ≥ χB ’ χE . A lower bound may be obtained by assuming that Alice™s signal states

are pure (refer to discussion after equation (3.10) to see why), ρA = ψA ψA , and if Eve initially had an

k k

unentangled state 0E , which may also assumed pure. Suppose Eve™s interaction is ψEB = U ψA 0E ,

k

since it is a pure state, the reduced density matrices ρE and ρB will have the same non-zero eigenvalues, and thus

k k

the same entropies, S ρk = S ρk . Thus P ≥ χ ’ χ = S ρB ’ k pk S ρB ’ S ρE + k pk S ρE =

E B B

k k

S ρB ’ S ρE = I (ρ, E) , where the de¬nition (2.10) was used. Note that the lower bound for privacy is

protocol independent.

A quantum key distribution (QKD) protocol is de¬ned secure if, for any security parameters s > 0 and

l > 0 chosen by Alice and Bob, and for any eavesdropping strategy, either the scheme aborts, or succeeds with

probability at least 1 ’ O (2’s) , and guarantees that Eve™s mutual information with the ¬nal key is less than

2’l . The key string must also be essentially random.

4.1.4 A provable secure version of the BB84 protocol

It can be proven [1, p.593-599] that using CSS codes one can have a 100% secure quantum key distribution.

However CSS codes need perfect quantum computation, which is not yet achieved. Fortunately there is a chance

of using the classical properties of CSSu,v codes de¬ned in (3.6) to have an equally secure classical computation

version of BB84 protocol (refer to [1, p.599-602] for a proof). This version is made up of the following steps:

1. Alice creates (4 + δ) n random bits.

2. For each bit, she creates a qubit either in the {|0 , |1 } or in {|+ , |’ } basis, according to a random bit

string b, see for example (4.1).

3. Alice sends the resulting qubits to Bob.

4. Alice chooses a random vk ∈ C1.

5. Bob receives the qubits, publicly announces this fact, and measures each in the {|0 , |1 } or in {|+ , |’ }

basis randomly.

6. Alice announces b.

7. Alice and Bob discard those bits Bob measured in a basis other than b. With high probability, there are

at least 2n bits left; if not, abort the protocol. Alice decides randomly on a set of 2n bits to continue to

use, randomly selects n of these to check bits, and announces the selection.

8. Alice and Bob publicly compare their check bits. If more than t of these disagree, they abort the protocol.

Alice is left with the n bit string x, and Bob with x + .

9. Alice announces x ’ vk . Bob subtracts this from his result, correcting it with code C1 to obtain vk .

10. Alice and Bob compute the coset of vk + C2 in C1 to obtain the key k.

4.2 A commercial quantum cryptographic device

After a theoretical presentation of quantum key distribution it is time to present experimental results and then

discuss the possibility of having a commercial device realizing quantum cryptography. These two topics are

discussed correspondingly in subsections 4.2.1 and 4.2.2.

30

4.2.1 Experimental quantum key distribution

The ¬rst demonstration of quantum key distribution was performed at the IBM laboratory in 1989 [33] over

a distance of 30 cm. Since then there has been remarkable improvement, demonstrating quantum key distri-

bution over a distance of 10 km [34, 35], in IBM too, or over distances exceeding 40km, and also in installed

telecommunication ¬ber, under the Lake Geneva [36].

In most cases experimental quantum cryptography is done using single photons, and optical ¬bers are used

to guide them from Alice to Bob. Once the medium is chosen one should pick the right source and detectors.

Since they have to be compatible, the crucial choice is the wave length. There are two main possibilities. Either

one chooses a wavelength around 800 nm where e¬cient photon counters are commercially available, or one

chooses a wavelength compatible with today™s telecommunication optical ¬bers, that is near 1300 nm or 1550

nm. The ¬rst choice requires the use of special ¬bers, hence the installed telecommunications networks can™t

be used. The second choice requires the improvement or development of new detectors not based on silicon

semiconductors which are transparent above 1000 nm wavelength. It is still unclear which of the two alternatives

will turn out to be the best choice.

In what concerns the production of photons according to the BB84 states, de¬ned in equation (4.1), one can

choose di¬erent polarization states, which form non-orthogonal bases. Polarization can be for example linear,

identifying |0 ≡ |‘ and |1 ≡ |“ , or circular identifying |+ ≡ | and |’ ≡ | . However in practice single

photon states are di¬cult to realize thus approximately single photon states are produced by faint laser pulses.

Finally one should detect these approximate single photon states. This is achieved using a variety of tech-

niques. One can choose between photomultipliers, avalanche-photodiodes, multichannel plates and supracon-

ducting Josephson junctions.

A typical experimental setup for quantum key distribution, with the technology described above is sawn in

Figure 4.3.

Bob

Alice

Basis 1

APD

LD 1 "1"

PBS "0"

Quantum

LD 2 Channel /2

PBS

BS

BS "1"

LD 3

BS "0"

F

APD

Waveplates

LD 4

Basis 2

Figure 4.3: Typical system for quantum cryptography using polarization coding (LD: laser diode, BS: beamsplit-

ter, F: neutral density ¬lter, PBS: polarizing beam splitter, »/2: half waveplate, APD: avalanche photodiode).

For more experimental details on the single photon quantum key distribution one should refer to [4, p.11-29].

4.2.2 Commercial quantum cryptography

Once the experimental setup of quantum key distribution has been performed, as discussed in subsection 4.2.1

and as sawn in Figures 4.3 and 4.2, one needs to follow the steps presented in subsection 4.1.4, in order to

achieve perfectly secure quantum cryptography. Of course these steps are nothing but an algorithm, which can

be analyzed and easily implemented into a program which can run on current technology computers. Moreover

special controlling devices are needed in order to instruct the laser diodes, the beam splitters and get the result

of the measurements from the avalanche photodiodes. Such hardware is already available in the market. One

should not forget that a public connection is needed, like for example the internet. For this reason there exist

31

patents [37], which can convert quantum cryptography from a laboratory experiment into a commercial product.

Such a patent is discussed bellow.

One can reconstruct the steps of subsection 4.1.4 into the following computer program:

1. Alice™s computer creates (4 + δ) n random bits, using an unknown to anybody else algorithm. (One can

also use quantum techniques as discussed in the third paragraph of subsection 4.1.1)

2. For each bit, Alice™s computer triggers with a controller one of the four laser diodes, as shown in Figure

4.2, according to a random bit string b.

3. This way the light beams are sent to Bob™s site into an agreed beforehand rate.

4. Alice™s computer has already implemented the classical version of CSS codes, and then it picks up randomly

a v k ∈ C1 .

5. Bob™s computer instructs with a controller the beam splitter sawn in Figure 4.2 in which basis to measure

the light beam. The selection should be according to a random algorithm. There should be a device

returning the result of the measurement of the avalanche photodiodes to Bob™s computer. Bob™s computer

announces the fact through an internet line to Alice™s computer.

6. Alice™s computer announces b.

7. Both computers discard those bits Bob™s measured in a basis other than b. With high probability, there

are at least 2n bits left; if not, abort the protocol. Alice™s computer decides randomly on a set of 2n bits

to continue to use, randomly selects n of these to check bits, and announces to Bob™s computer through

internet.

8. Both computers compare through internet their check bits. If more than t of these disagree, they abort

the protocol. Alice™s computer is left with the n bit string x, and Bob™s with x + .

9. Alice™s computer announces x ’ vk . Bob™s computer subtracts this from his result, correcting it with code

C1 to obtain vk .

10. Both computer calculate the coset of vk + C2 in C1 to obtain the key k.

Concluding it should be noted that what is very important about the above implementation, is that it is

completely automatic and almost no human intervention is needed. Thus users can just write their messages,

command the computers to send them securely and in the other side receive them. Automatic process is what

makes such a device successfully commercial.

32

Summary

The most important tools and results of classical and quantum information theory, obtained in the present

Individual Study Option, are summarized in the Figure S.1.

Information Theory

Classical Quantum

Shannon entropy Von Neumann entropy

H (X) = ’ x px log px S (ρ) = ’tr(ρ log ρ)

Distinguishability and accessible information

Letters always distinguishable Holevo bound

N = |X| H (X : Y ) ¤ S (ρ) ’ px S (ρx )

x

ρ= px (ρx )

x

Information-theoretic relations

Fano inequality Quantum Fano inequality

H (F (ρ, E)) + (1 ’ F (ρ, E)) log d2 ’ 1

H (pe) + pe log (|X| ’ 1) ≥ H (X|Y )

≥ S (ρ, E)

Mutual information Coherent information

H (X : Y ) = H (Y ) ’ H (Y |X) I (ρ, E) = S (E (ρ)) ’ S (ρ, E)

Data processing inequality Quantum data processing inequality

X ’Y ’Z ρ ’ E1 (ρ) ’ (E2 —¦ E1) (ρ)

H (X) ≥ H (X : Y ) ≥ H (X : Z) S (ρ) ≥ I (ρ, E1) ≥ I (ρ, E2 —¦ E1)

Noiseless channel coding

Shannon™s theorem Schumacher™s theorem

nbits = H (X) nqubits = S ( x px ρx )

Capacity of noisy channels for classical information

Shannon™s noisy coding theorem Holevo-Schumacher-Westmoreland

theorem

C (1) (E) = max S (ρ ) ’ px S (ρx )

C (N ) = max H (Y : X)

{pj ,ρj }

p(x) x

ρx = E (ρx ) , ρ = px ρx

x

Figure S.1: Summary of classical and quantum information theory.

The most important results concerning quantum cryptography, are summarized in Figure (S.2).

33

Quantum Cryptography

BB84 protocol, sends the following states

(4+δ)n

ψ a k bk

k=1

see (4.1) for de¬nitions

Privacy of a quantum channel E

P ≥ I (ρ, E)

Figure S.2: Summary of quantum cryptography.

34

Appendix A

Omitted proofs

A.1 Special diagonal transformation of normal matrices

In this appendix it is going to be demonstrated that for a d — d normal matrix A, there exists a set of unitary

(A) (A) (A)†

d

matrices Ui , such that i=1 Ui AUi =tr(A) I. Since A is a normal matrix, by spectral decomposition

(A)

such that U (A) AU (A)† is diagonal, and for this diagonal matrix there exists

theorem there exists a matrix U

†

a unitary transformation Vi”j AVi”j which interchanges the i-th diagonal element with the j-th.

To see this suppose B is a d — d dimensional diagonal matrix, then the following matrix

±

δ kl , k or l = i, j

1, k = j and l = i

(Vi”j )kl ,

1, k = i and l = j

0, else

can be used to exchange the i-th diagonal element with the j-th of B. Following the next steps V i”j is initially

proven to be unitary

d d

† †

Vi”j Vi”j = (Vi”j )kl Vi”j = (Vi”j )kl (Vi”j )nl

ln

l=1 l=1

« «

δ kl , k or l = i, j δ nl , n or l = i, j

d

¬ 1, k = j and l = i · ¬ 1, n = j and l = i ·

¬ ·¬ ·

= 1, k = i and l = j 1, n = i and l = j

l=1

0, else 0, else

«

δ kn, k or n = i, j

¬ 1, k = j and n = j ·

¬ ·

= 1, k = i and n = i = δ kn = I.

0, else

The ability of Vi”j to exchange the diagonal elements of matrix B = diag {. . . , bi, . . . , bj , . . . } is exhibited by

d d d

† † †

Vi”j BVi”j = (Vi”j )kl Blm Vi”j = (Vi”j )kl bl Vi”j

mn nl

l=1 m=1 l=1

« «

δ kl , k or l = i, j δ nl , n or l = i, j

d

¬ 1, k = j and l = i · ¬ 1, n = j and l = i ·

¬ ·¬ ·

= 1, k = i and l = j bl 1, n = i and l = j

l=1

0, else 0, else

«

bnδ kn, k = i, j or n = i, j

¬ ·

bi, k = j and n = j

¬ · = diag {. . . , bj , . . . , bi, . . . } .

=

bj , k = i and n = i

0, else

V1”2V2”3 · · · Vd’1”d Vd”1 , which is unitary matrix as a multiplication of unitary

De¬ning now V23···d1

†

matrices, then V23···d1U AU (A)† V23···d1 is a diagonal matrix where the in the ¬rst diagonal place is the second

(A)

35

diagonal element of A, in the second diagonal place the third diagonal element of A, and so on until the

¬nal diagonal place where the ¬rst diagonal element of A stands. The next display visualizes the similarity

transformation V23···d1

® ®

a11 a22

a22 a33

.. ..

V23···d1

. .

’ .

a(d’2)(d’2) a(d’1)(d’1)

° » ° »

a(d’1)(d’1) add

add a11

Enumerating all the cyclic permutations of (1, 2, . . . , d) with a number i then the following unitary matrices

(A)

Vi U (A) . It is straightforward to verify that,

are de¬ned Ui

®

a11 + a22 + . . . + add

d a22 + a33 + . . . + a11

(A) (A)†

Ui AUi =

..

° »

.

i=1

add + a11 + . . . + a(d’1)(d’1)

= tr (A) I.

A.2 Projective measurements are equivalent to an addition of uni-

tary operations

Let P be a projector and Q I’P the complementary projector, in this appendix it will be sawn that there exist

† †

unitary matrices U1 , U2 and a probability p such that for all ρ, P ρP + QρQ = pU1ρU1 + (1 ’ p) U2 ρU2 . Choose

†

1

p 2 , U1 Q’P and U2 Q+P I. It is obvious that U1 U1 = (Q ’ P ) (Q ’ P ) = QQ+QP ’P Q’+P P =

†

Q + 0 + P = I, and U2 U2 = II = I. Now it is easy to check that

1 1 1 1

† †

(Q ’ P ) ρ (Q ’ P ) + (Q + P ) ρ (Q + P )

U1 ρU1 + U2 ρU2 =

2 2 2 2

1 1

(QρQ ’ QρP ’ P ρQ + P ρP ) + (QρQ + QρP + P ρQ + P ρP )

=

2 2

= P ρP + QρQ.

q.e.d. (Abbas Edalat contributed to this proof)

36

Appendix B

Distance measures of information

B.1 Classical information distance: Hamming

The Hamming distance of two strings, is de¬ned to be the number of places their bits are di¬erent. Assuming

a and b are the two n-bit strings, and ai and bi are their i-th bits, one can write

n

|ai ’ bi | .

d (a, b)

i=1

Very naturally, a Hamming sphere of center c and radius δ, is de¬ned as the set of stings which have distance

from c less or equal to δ

{s : d (c, s) ¤ δ} .

Sph (c, δ)

B.2 Quantum information distance: Fidelity

Fidelity is a measure of distance of two quantum states, de¬ned by

1 1

ρ 2 σρ 2 = max | ψ|φ | ,

F (ρ, σ) tr

|ψ ,|φ

and used to determine how well a quantum channel preserves information. To do this the following function