# More techniques in quantum information theory

-—-

## Quantum cryptography

Quantum computation is the aspect of quantum information theory that everybody knows about. It would indeed be a great prize to be able to do what would comparatively recently have seemed completely impossible—to demonstrate the gap in Turing’s analysis in a piece of working hardware, and to outdo comprehensively any classical computer. But of course we still expect the route to that point to be long and difficult.

There are other techniques in quantum information theory that seem to be less newsworthy than quantum computation, but which are conceptually just as significant, and which have the advantage of being possible today. The first we shall look at is quantum cryptography.

When we looked at Shor’s algorithm in Chapter 17, we learned that if this algorithm were to be implemented successfully, public-key cryptography would be undermined because it would become straightforward to factorize large numbers.

Yet strangely quantum information in a sense provided the antidote for that difficulty. Also in Chapter 17 we saw that *private-key* cryptography, or the use of the one-time pad, is totally secure in principle, but suffers from the immense problem in practice that key distribution is an administrative and security nightmare. Quantum cryptography can make key distribution totally secure. Indeed a more down-to-earth name for quantum cryptography is just quantum key distribution.

The earliest ideas on the topic were invented by Stephen Wiesner in the 1970s, but unfortunately it seems that they were thought of as little more than amusements, instructive examples of how quantum theory might work perhaps, but of no real significance, conceptually or practically.

The first set of ideas to gain general interest was produced by Charles Bennett and Giles Brassard and collaborators, who included Wiesner, in 1982, and the famous BB84 protocol was published by Bennett and Brassard [1] two years later. We met Bennett in connection with Maxwell’s demon and the reversible computer earlier, and we shall meet him again later in this chapter in connection with quantum teleportation. He is certainly a hero of quantum information theory.

To give some idea of the BB84 protocol, we shall briefly revise some elements of quantum physics and quantum measurement with polarized photons. We may start by considering an analyser of polarized light oriented so that it may distinguish between photons with vertical polarization and those with horizontal polarization. This means that if a stream of photons, each with either vertical or horizontal polarization, reaches the polarizer in this orientation, a complete list of the polarization of each photon may be built up.

However, let us now consider the analyser still in this orientation, but a photon with polarization bisecting the horizontal and vertical axes incident on the analyser. In fact we may note that there are actually two such directions of polarization, one bisecting the +x- and +y-axes, and the other at right angles to this direction. We can call these directions +45° and -45° respectively. When a photon polarized in either of these directions meets the analyser, it will record either a horizontal or a vertical polarization at random; for a stream of many such photons, the numbers of horizontal and vertical measurement results will be roughly equal.

Alternatively we can rotate the analyser so that it can record correctly and distinguish between photons with polarizations in the +45° and -45° directions. However, this will record random results when photons with horizontal or vertical polarization reach it.

Now we shall discuss the BB84 protocol. Alice and Bob are attempting to establish a shared set of private keys. They are able to communicate on a private quantum channel such as an optical fibre, but will also need to use a public channel, which can just be a telephone line.

Alice has four polarizers available, each of which can polarize photons along one of the horizontal, vertical, +45° and -45° directions. Bob has two analysers, one that can distinguish between vertically and horizontally polarized photons, and a second that distinguishes between photons polarized in the +45° and -45° directions.

Alice now sends a stream of photons to Bob, in each case choosing one of her four polarizers at random and recording which polarizer she chooses. Bob detects each photon with one of his analysers chosen at random. For each photon he records which analyser he chooses and the result that he obtains.

In half the cases there will be a mismatch between the choices made by Alice and Bob. For example, Alice may have sent a photon polarized in the +45° direction, but Bob has used the analyser that distinguishes between photons polarized horizontally and those polarized vertically. Bob then has a 50% chance of obtaining either result, so that the particular result that he does obtain is meaningless.

In order to remove these meaningless results from the record, Bob now sends Alice on the public channel a list of the analysers he used in each case. She replies by sending Bob a list of the numbers of the occasions when the polarizer and the analyser were compatible. This provides the two of them with common knowledge in the form of Alice’s polarizer settings and Bob’s results. This is called the *raw quantum transmission* (RQT), and it can be used to generate a shared key, at least provided Eve has not been at work.

Let us now examine what Eve will do if she is able to intercept the data being transmitted on the quantum channel. Actually we shall look only at her most straightforward strategy. She may be a little more sophisticated, but this does not change the general nature of the conclusions we shall reach. We assume that she intercepts and analyses each photon with her own analyser, and the direction of this analyser will be selected at random between distinguishing horizontally and vertically polarized photons, and distinguishing photons polarized along the +45° and -45° directions (just the same choices as Bob). We shall consider only those cases for which the choices of Alice and Bob were compatible, so the event has entered the RQT.

In 50% of the cases, Eve’s choice of analyser is compatible with those of Alice and Bob. Her measurement result will tell her Alice’s choice of polarizer. Her measurement does not interfere with the photon, so she sends it on to Bob in the same state as it was delivered by Alice, and he, of course, analyses it in the normal way. The event enters the RQT in an absolutely correct form, but, unfortunately for Alice and Bob, and unbeknown to them, Eve knows it as well.

However, in 50% of the cases, Eve’s polarizer is incompatible with the choices of Alice and Bob. It may be that Alice has sent a photon polarized in the +45° direction, but Eve uses the analyser that distinguishes between vertical and horizontal polarization. In this case Eve will get a random result. Whichever result she obtains, she will send on to Bob a photon in a state corresponding to the result of her measurement. So Bob will receive a photon polarized in either the horizontal or vertical direction. Since we are considering an event that has entered the RQT, Bob uses his analyser that distinguishes between photons polarized in the + 45° and - 45° directions, and his result will be random.

There is a 50% probability that he will register a result of +45%, which is what Alice had actually sent, but an equal probability that the result he registers will be - 45°, which is obviously incorrect.

So let us sum up. There is a 50% probability that Eve makes the right choice of analyser, and does not disturb the passage of the photon from Alice to Bob. There is a 25% probability that she uses the wrong analyser but nevertheless the result measured by Bob corresponds to what was sent by Alice. But there is also a 25% probability that, as a result of her using the wrong analyser, the result measured by Bob has been affected by Eve, and in the RQT there is an error.

To check this, Alice and Bob use the public channel to check a section of the RQT, which must obviously then be discarded. According to our analysis above, it may, of course, be that their versions of the checked section agree totally, and this shows that there has been no eavesdropper. However, it may be that, for about a quarter of the events in the RQT, Alice’s record is different from that of Bob. This is clearly the sign that Eve has been at work, and the whole RQT must be abandoned.

In practice things will probably be a little complicated. As we have said, Eve may use rather more sophisticated strategies. There may also be some noise in the circuit. And, of course, Eve may only have intercepted some part of the quantum signal. The good news, and it is really the central point of quantum cryptography, is that, however sophisticated Eve may be, if the channel is noiseless, Eve must always leave some trace of her activities. So if there is no such trace, Alice and Bob know that they have a secure key.

I f the channel is noisy, things are obviously more complicated, because there will be mismatches between Alice’s and Bob’s version of the RQT, even in the absence of eavesdropping. Alice and Bob may use error correction, as sketched for quantum computation in Chapter 17, and they may then apply a series of operations called *privacy amplification* that cut down further any possible information Eve may have obtained. This is achieved, though, only at the expense of cutting down further the proportion of the RQT that is usable. In the end, it will never be possible to say that Eve has obtained no information, only to limit the amount of information she might have obtained. The whole process is known as *key distillation.*

It is important to stress how central the no-cloning theorem is to the fact that Eve will leave some trace of her misdeeds. If she had a cloning device, she could clone the state of the photon that she receives from Alice, and send the original directly on to Bob without having performed any measurement on it. Thus her presence could not be detected. She could also, in fact, clone many copies of the original state for her own benefit, and hence determine its polarization. If, for example, using the vertical/horizontal analyser always gives the result as horizontal polarization, but the +45°/-45° analyser gives either result randomly, it would be clear that the polarization is in the horizontal direction. But, as has been said, this relies on the availability of a cloning device, which is impossible.

The BB84 protocol is unusual among applications of quantum information theory in that it does not make use of entanglement or the ideas of Bell. So it is interesting that a different protocol was proposed by Artur Ekert in 1991 [2], and this was based totally on Bell’s theorem. In this scheme, the first member of an EPR pair is sent to Alice, the second to Bob. They each make a measurement along the x-, *y-* or z-axis, their choices of axis being independent and random. Later, rather as in the BB84 protocol, they ascertain the case where they made the same choice of measurement direction using the public channel, and this will give them an RQT.

The remaining measurements are used to test Bell’s inequality on the EPR system. If violation is found, they will conclude that there has been no eavesdropping, and so the key is secure. However, if Bell’s inequalities are obeyed, that is a sign that there has been an eavesdropper. The point is that the result of eavesdropping effectively creates a hidden variable, because it collapses a superposition of different states into a single state, which corresponds to the value of the hidden variable, and which in turn causes Bell’s inequalities to be obeyed.

We now turn to practical implementation of the BB84 scheme, and the first such implementation was by Bennett and Brassard [3] themselves in 1989. Weak polarized pulses were transmitted through free space over a distance of about 30 cm. The bit rate was slow and system errors were about 4%, but the key distillation worked efficiently. As Brassard later admitted, any potential Eve would have had a tremendous advantage; the devices used to put the photons into different polarization states gave very different noises depending on the state involved!

But, despite the practical limitations, this was actually an extremely important achievement for quantum information theory. As Deutsch remarked, it was the very first time that a device of any type had been produced with capabilities exceeding those of a Turing machine.

However, it is in any case clear that, while achievement of the useful quantum computer may be decades away, making quantum cryptography useful imposes comparatively few demands on the experimenter. It is relatively straightforward to make the scheme work in a laboratory, and the significant step has been to make it work in a practical and challenging application.

The group that has performed the most work to this end is that of Gisin, and this work has followed on from that done on checking Bell’s inequalities described in Chapter 11 in a very natural way. In 1996 [4], a quantum key was shared by users 23 km apart across Lake Geneva. The connector was standard Swiss Telecom optical fibre, and the normal telecommunication wavelength of 1.3 x 10^{-6} m was used. The key was encoded in very weak laser pulses, each pulse carrying on average only 0.12 photons.

In other interesting work, Richard Hughes’ group at Los Alamos has demonstrated quantum cryptography in free space over a distance of about 1.0 km in broad daylight [5]. Possible problems from a high background of photons from the Sun and a turbulent atmosphere were overcome by a careful choice of experimental parameters. The atmosphere has a high transmission window for photons around 7.7 x 10^{-7} m, and it has little effect on the polarization states of photons, while the periods involved in atmospheric turbulence are long enough that its effect on Hughes’ experiment could be compensated for. This is a very exciting development because it implies that perfectly secure communication between the Earth and a satellite may be possible.

Meanwhile on Earth itself, quantum cryptography is gradually coming into use for civic and commercial security. In October 2007, for example, during the Swiss National Elections, Gisin took charge of the process, made secure by quantum cryptography, by which the Geneva canon counted the votes and communicated the result between the polling station and the counting office [6].