Transcript Document

Quantum Information
Stephen M. Barnett
University of Strathclyde
[email protected]
The Wolfson Foundation
1. Probability and Information
2. Elements of Quantum Theory
3. Quantum Cryptography
4. Generalized Measurements
3.1
3.2
3.3
3.4
5. Entanglement
6. Quantum Information Processing
7. Quantum Computation
8. Quantum Information Theory
Information security
Quantum communications
Optical polarization
Quantum key distribution
3.1 Information security
A
T
M
Honest John’s
Bank5678 9012 3456
1234
I M A SUCKER
PIN: 3141
Cash machine fraud netts thieves £100 million
pounds each year in the UK.
THE TIMES Wednesday February 16 2000
PRESIDENT
Clinton
an astonishing
to
Internet pest
putshad
words
in Clinton’sconfession
mouth
FROM DAMIANhe
WHITWORTH
IN WASHINGTON
make. “Personally”
said, “I would
like to see more
PRESIDENT
Clinton
had an astonishing confession to make. “Personally” he said, “I would like to see
porn
on
the
Internet”.
more porn on the Internet”.
That his own sexual predilections were revealed to the world by a cyber-gossip and then
chronicled in an explicit report first revealed on the Web only made his comment all the more
intriguing.
Then the truth emerged: a prankster had managed to circumvent filtering software to speak
as if he were the President in an Internet interview.
Mr Clinton had given his first live online interview to CNN, which was confident that it had
the technology to stop interference with its website for the duration. Instead, pranksters had a field day,
posting ribald remarks that were attributed to Mr Clinton and asking impertinent questions. One, in a
reference to Mr Clinton’s attempts to blur the truth about whether there was, or “is”, a sexual
relationship with Monica Lewinsky, asked the question no professional interviewer has dared: “Can
you define ‘is’ for us yet?”
Mr Clinton had given his first live online interview to CNN,
which was confident that it had the technology to stop
interference with its website for the duration. Instead,
pranksters had a field day, posting ribald remarks that were
attributed to Mr Clinton and asking impertinent questions.
Caeserean or transposition cipher
Shift the letters by a fixed (and secret) number of places in the alphabet, e.g:
A  B, B  C, , Y  Z, Z  A
The weakness of this cipher is that it has only 25 possible shifts so we can try them all:
YBTXOB QEB FABP LC JXOZE
ZCUYPC RFC GBCQ MD KYPAF
ADVZQD SGD HCDR NE LZQBG
BEWARE THE IDES OF MARCH
CFXBSF UIF JEFT PG NBSDI
Codes and ciphers:
A code is produced by a
substitution of the symbols in
a message by another symbol
e.g. ASCII or Morse code.
A cipher is a message
specifically modified to
protect its meaning.
Single Key Cryptography
Alice

the key must be kept secret

sender & recipient must have same key

scrambling done by series of complex
permutations

Is it secure?
Bob
Classical Cryptography
crypto-key
(secret)
crypto-key
(secret)
Alice
mathematical
transformation
Bob
Protected
Data
inverse
mathematical
transformation
Hostile
Network
unprotected
data
unprotected
data
Eavesdropping
Tampering
The message or plaintext P is protected by a key K used to produce a ciphertext C:
C = C(P,K)
P = P(C,K)
In a substitution cipher, each letter is replaced by another one. Here the number
of possible ciphers is
26! 4  1026
Clearly an extensive key search is impractical, but we can use the known letter
frequencies:
A 8.2% B 1.5%
G 2.0% H 6.1%
M 2.4% N 6.7%
S 6.3% T 9.0%
Y 2.0% Z 0.1%
C 2.8%
I 7.0%
O 7.5%
U 2.8%
D 4.2%
J 0.1%
P 1.9%
V 1.0%
E 12.7%
K 0.8%
Q 0.1%
W 2.4%
F 2.2%
L 4.0%
R 6.0%
X 0.1%
Perfect secrecy?
Let {pi} be the set of possible plaintexts and {cj} the set
of possible ciphertexts. The cipher is perfectly secure if
we can learn nothing by reading it:
P( pi | c j )  P( pi ) i, j
Equivalently:
P(c j | pi )  P(c j ) i, j
Were this not the case then Eve could associate a given ciphertext with a
restricted group of messages and thereby learn something.
The number of possible keys required is at least as great as the number of
possible plaintexts or messages.
The Vernam Cipher or One-Time Pad
message
010111001001001
010111 . . . . . .
cryptogram
message
100010111101010
101100 . . . . . .
010111001001001
010111 . . . . . .
M
M
K
=
C
C
K
=
M
110101110100011
111011 . . . . . .
110101110100011
111011 . . . . . .
key
key
M
=
Identity
binary
addition
(logical
XOR)
0 1
0
1
0 1
1 0
Secrecy of the Vernam cipher:
The key is a random string of N bits and so it can take any one of 2N values, each
with probability 2-N. It follows that any chosen plaintext will be mapped to any
of 2N possible ciphertexts and these are all equally likely:
P(c j | pi )  2- N  P(c j ) i, j
An eavesdropper, having access only to the ciphertext has no information
about the plaintext:
P(c j , pi )  P(c j | pi ) P( pi )  P(c j ) P( pi )
Hence the mutual information between the ciphertext and the plaintext is zero:
H(P:C) = 0
The noisy channel coding theorem tells us that no information about P is carried
by C alone.
Practical Secret-Key Cryptography
EVE
(eavesdropper)
ALICE
Cryptogram
BOB
Algorithm : public standard e.g. DES
Key : short random bit sequence (DES key = 56 bits)
Yes
we want
the EU
Constitution
Alice
Bob
Yes
we want
the EU
Constitution
Protocol Failure
Alice locks case
M  K A  C1
Bob locks case
C1  K B  M  K A  K B  C2
Alice unlocks case
C2  K A  M  K B  C3
Bob unlocks case
C3  K B  M
Eve ?
C1  C 2  C 3 
( M  K A )  (M  K A  K B )  (M  K B )  M
The failure was due to the simplicity of the protocol, but more complicated protocols
have problems of their own.
Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the
first letter:
Alice
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
XBJIFWMLQTAZUODECSNKHPGRVY
Bob
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
FPOAZWIRJXTCUVEKYGBHMNDLSLQ
The failure was due to the simplicity of the protocol, but more complicated protocols
have problems of their own.
Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the
first letter:
Alice
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
XBJIFWMLQTAZUODECSNKHPGRVY
Bob
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
FPOAZWIRJXTCUVEKYGBHMNDLSLQ
The failure was due to the simplicity of the protocol, but more complicated protocols
have problems of their own.
Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the
first letter:
Alice
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
XBJIFWMLQTAZUODECSNKHPGRVY
Bob
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
FPOAZWIRJXTCUVEKYGBHMNDLSLQ
3.2 Quantum communications
A quantum communications channel is one in which the message is carried by
a quantum system
Eavesdropping
Information
source
Alice
Receiver
Transmitter
Signal
Received
signal
ˆ i , P(ai )
Bob
Choice of what
to measure
Noise source
Destination
As usual, A denotes the events in Alice’s domain:
She selects a message from the set {ai} with probabilities P(ai).
She prepares the associated state from the corresponding set {i}.
We shall assume that the states and their probabilities of occurrence are known to
Bob (and Eve).
Bob can describe the state of the quantum signal, before his measurement, by the
a priori density operator:
ˆ 
 P(a ) ˆ
i
i
i
Bob’s task is to determine which of the states was prepared and so
recover the message.
ˆ i ˆ j  0, i  j
If the signal states are all orthogonal,
then Bob need
only measure an observable with these density operators as non-degenerate
eigenstates.
If the signal states are not all mutually orthogonal then there is no certain way
for Bob to distinguish between them.
Consider, for example, just two pure and non-orthogonal signal states:
1
 2   1  

1
 1  1  0,   0
1
Bob might try measuring the observable:


ˆ
A  1 1 - 1 1
 2    1    1
 1  1  0,   0
For Bob it is the other conditional
probabilities that are important!
P(1 |  1 )  1
P( 1 | 1) 
good?
P(1 |  2 )  
2
P(-1 |  2 )  
2
P( 1 )
2
P ( 1 )   P( 2 )
2
 1- 
2
P( 2 | 1) 
 P( 2 )
2
P( 1 )   P ( 2 )
P( 2 | -1)  1
The no-cloning theorem - accurate copying of a quantum state is impossible.
Wootters, Zurek and Dieks
If cloning were possible then it would mean copying a qubit state onto an
second ‘blank’ qubit whilst leaving the state of the original unchanged.
  B  
This would have to hold for all possible qubit states |>.
We can show that this would violate the linearity of quantum theory by means
of a simple example:
Suppose that the copying device works perfectly for the states |0> and |1>:
0  B  0 0
1  B 1 1
The superposition principle then tells us that:
 0
  1  B   0  B   1  B
 0  0   1  1
But this is NOT two copies of the original state:
     0   1   0   1 
  2 0  0    0  1  1  0    2 1  1
FLASH - First Light Amplification Superluminal Hookup
Herbert (1982)
The entangled state
- 
1
2
0
1 -1  0

is the zero-angular momentum state of two spin-half particles. It follows
that the two ‘spins’ must be oppositely aligned so that
ˆ x  ˆ x  -  -  ˆ y  ˆ y  -  -  ˆ z  ˆ z  -  -  If we measure on component of the spin and find the value +1(-1), then the
other particle is immediately projected into the -1(+1) eigenstate of the same
observable.
FLASH - First Light Amplification Superluminal Hookup
Alice
measures
x or z.
singlet source
Such superluminal signalling would
clearly be in conflict with relativity.
In fact, no signalling is possible in this
way and this is a consequence of the
powerful ‘no-signalling’ theorem.
Herbert (1982)
Cloning
machine
Bob determines the state
from multiple copies:
0
1 
0 -1
2
0 ,1,
1
2
 1 ,
and hence whether Alice
measured x or z.
3.3 Optical polarisation
Maxwell’s equations in an isotropic dielectric medium take the form:
E  0
B  0
E, B and k are mutually orthogonal
B
E  t
 E
B  2
c t
E
S
k
B
For plane waves (and lab. beams that are
not too tightly focussed) this means that
the E and B fields are constrained to lie in
the plane perpendicular to the direction of
propagation.
-1
0 E  B
Consider a plane EM wave of the form
E  E 0 expi (kz - t )
B  B 0 expi (kz - t )
If E0 and B0 are constant and real then the wave is said to be linearly polarised.
B
Polarisation is defined by an axis
rather than by a direction:
B
E
E
If the electric field for the plane wave can be written in the form
E  E0 (i  ij) expi(kz - t )
Then the wave is said to be circularly polarised.
For right-circular polarisation, an observer
would see the fields rotating clockwise as
the light approached.
B
E
Spin and polarisation Qubits
Poincaré and Bloch Spheres
Two state quantum system
Bloch Sphere
Electron spin
Poincaré Sphere
Optical polarization
We can realise a qubit as the state of single-photon polarisation
Horizontal
0
Vertical
1
Diagonal up
1
2
0  1 
Diagonal down
1
2
Left circular
1
2
Right circular
1
2
0 - 1 
0
i 1 
0
-i 1 
3.4 Quantum key distribution
Recall that perfect secrecy is possible using a one-time pad.
message
010111001001001
010111 . . . . . .
cryptogram
message
100010111101010
101100 . . . . . .
010111001001001
010111 . . . . . .
M
K
=
C
C
K
=
110101110100011
111011 . . . . . .
110101110100011
111011 . . . . . .
key
key
M
But this leaves, of course, the problem of communicating the key.
Quantum key distribution is designed to tackle this problem.
1960’s Wiesner’s quantum money
£1,000,000

ZQ23165F
Bennett-Brassard protocol: BB84
Alice is going to send a
random bit stream to
Bob
0 1 1 0 1 0 0 1 1 0 0 0 1 0 1 1 1 0 . . . .
She takes a single photon and prepares it in one of the four polarisation states chosen at
random
OR
OR
OR
1
0
0
1
0
1
1
0
1
0
Eavesdropping (Intercept & resend)
Alice
Eve
Bob
‘1’
‘0’
50% probability
50% probability
 Eve generates substantial bit-error rate ~ 25%
and gets incomplete information
1
2
3
4
5
6
7
8
9
10 11 12 13 14
1
0
0
0
1
1
0
0
1
1
X
1
X
0
0
X
0 1
1
0
1
1
1
0
0
0
0
1
X
0
0
0
1
Alice transmits random
sequence of bits using
random coding scheme
0
1
0
0
1
Bob receives photon
and
makes
random
choice of measurement
basis
Alice and Bob compare bases and
discard events where no photon
was received and different bases
were used
1
2
3
4
5
6
7
8
9
10 11 12 13 14
1
0
0
0
1
1
0
0
1
1
0
0
1
0
1
0
1
1
1
0
1
0
0
0
0
0
E D D
0
0
0
X
X
1
1 1
D E D D
1
1
ALICE
EVE
X
1
1
0
1
BOB
D E
Bit positions 1,3,4,9,10 and 13 are discarded
Bit positions 2,8 and 14 lead to an error caused by Eve
Bit position 13 is an extra ‘null’ event caused by Eve
Eavesdropping strategy I
Suppose that Eve measures either the linear or circular polarisation of each photon
and prepares a new photon in the measured state for retransmission to Bob.
Bob
Eve
Alice
‘1’
1/2
1/4
1
‘1’
‘1’
1/4
‘0’ 1/4
1/4
1/4
1/4
P(correct) = 3/4
P(error) = 1/4
‘1’ 1/2
‘0’
1/4
‘1’ 1/4
Eavesdropping strategy II
1
2
Measure an
intermediate basis
0
-i 1 
‘1’
P(correct) = 0.85
P(error) = 1/4
‘0’
1
If Alice and Bob
test N bits then the
probability that Eve
has used these
strategies and
produced no errors
is (3/4)N.
0
‘1’
1
2
0
 i 1  ‘0’
Bennett two-state protocol: B92
Alice uses just two different but non-orthogonal polarisation states
Alice is going to send a
random bit stream to
Bob
0 1 1 0 1 0 0 1 1 0 0 0 1 0 1 1 1 0 . . . .
1
0
0
1
1
0
1
0
Bob measures either the horizontal/vertical polarisation or the diagonal polarisation
Bob
Discard
Alice
‘0’
Discard
MUST
correspond to
zero: keep
Bob measures either the horizontal/vertical polarisation or the diagonal polarisation
Bob
Discard
Alice
‘1’
Discard
MUST
correspond to
one: keep
Care needs to be taken as Eve can do the same as Bob!
Into the single photon regime - weak pulses
Attenuate laser pulses to an average of ~ 0.1 photons per pulse.
Single photons?
P(1 photon)
= 0.1
P(0 photons) = 0.9
P(>1 photons) ~ 0.01
Into the single photon regime - down conversion
A pump laser photon can be split to create two daughter photons
 p   s  i

 
k p  k s  ki
Energy conservation
Momentum conservation
Photon pairs arrive at the same time on opposite sides of the
cone of down-converted light.
Use one photon as a herald for its twin.
Into the single photon regime - single emitters
Laser
excitation
Spontaneous
emission
Emitting a photon leaves
the single emitter in its
ground state and unable to
emit a second photon.
First experiment: Bennett et al 1992
Transmission distance 30cm. Rate 10 bits/sec
1993 onwards - fibre systems using polarisation or phase coding
Transmission distances up to 50km. Rates ~ 10 kbits/sec
Multi-User Quantum Key Distribution
at Gigahertz Clock Rates
• Up to 3.3GHz clock rates
• Bit rates approaching
1Mbits-1 at distances < 1km
Bit Rate versus Fibre Distance
at 3GHz Clock Frequency
10,000,000
Raw Bit Rate
Bit Rate (%)
1,000,000
100,000
10,000
Net Bit Rate
1,000
0
2
4
6
8
10
Distance (km)
12
14
16
Bit commitment: quantum promises? (Lo & Chau 97)
Alice
Bob
Bob cannot read without Alice’s help
Alice cannot change her mind
Use polarisation basis
=1
=0
Bob cannot determine basis used by measurement and so cannot
determine Alice’s choice of bit
Alice can cheat using entanglement!
Alice
Bob
Alice prepares the entangled state
1
2
 R A R B  L A L B   12  H A H B - V
A
and can fix the basis later by measuring her particle.
V
B

Summary
Quantum cryptography was designed to solve the problem of secure key distribution.
It relies on the fact that measuring, copying or interfering with a quantum system
will usually change its state.
Quantum key distribution requires us to
design a ‘protocol’ whereby Alice and
Bob can be certain that they will be able
to detect any activity by Eve.
Proving security against all possible
attacks is a challenging problem.
The failure was due to the simplicity of the protocol, but more complicated protocols
have problems of their own.
Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the
first letter:
Alice
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
XBJIFWMLQTAZUODECSNKHPGRVY
Bob
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
FPOAZWIRJXTCUVEKYGBHMNDLSLQ
The failure was due to the simplicity of the protocol, but more complicated protocols
have problems of their own.
Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the
first letter:
Alice
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
XBJIFWMLQTAZUODECSNKHPGRVY
Bob
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
FPOAZWIRJXTCUVEKYGBHMNDLSLQ
The failure was due to the simplicity of the protocol, but more complicated protocols
have problems of their own.
Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the
first letter:
Alice
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
XBJIFWMLQTAZUODECSNKHPGRVY
Bob
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
FPOAZWIRJXTCUVEKYGBHMNDLSLQ
The failure was due to the simplicity of the protocol, but more complicated protocols
have problems of their own.
Suppose that Alice and Bob each use their own 26 letter one-time pads, then for the
first letter:
Alice
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
XBJIFWMLQTAZUODECSNKHPGRVY
Bob
Plaintext
Substitution
ABCDEFGHIJKLMNOPQRSTUVWXYZ
FPOAZWIRJXTCUVEKYGBHMNDLSLQ
Diffie-Hellman
One way function: a function that is easy to calculate but with an inverse that is
easy to evaluate.
We need a large prime number p and another g that is a primitive root modulo p,
which means that for any A less than p-1 there exists an a such that A = ga mod p.
Finding A from a is easy, finding a from A is difficult.
Alice generates the numbers A and a, Bob generates the numbers B and b:
B = gb modp.
Alice sends A to Bob and Bob sends B to Alice.
B a mod p  g ab mod p
Ab mod p  g ab mod p
This is the required shared key: K = gab mod p.
Public-Key Cryptography
Bob’s public
key
(not secret)
Bob’s
private
key
(secret)
public
directory
Alice
mathematical
transformation
Protected
Data
Bob
inverse
mathematical
transformation
Hostile
Network
unprotected
data
unprotected
data
Public Key Cryptography
RSA scheme :
inputs - data x, two large primes p,q
Calculate
m = pq (easy)
Choose e and d such that de = 1 mod (m)
(easy if you know p and q)
 ( m)  ( p - 1)( q - 1)
(m,e) = public key
(m,d) = private key
xe
modm
(x e ) d
encryption
mod m x modm
decryption
Public Key Cryptography
• public key cryptography works in a different way to secret key
schemes
• algorithms - RSA, Diffie-Hellman etc
• public key for RSA = (m, e) with m = pq (product of two large
primes) and d easily found with p (or q)
• difficulty of breaking RSA is thought to be equal to the difficulty of
factoring (no proof) - getting p & q from m
numbers of about 1090 can be factored in a day
such numbers for public keys are clearly
inadequate for good security
Current Applications of Cryptography
• public key cryptography relatively slow, secret key cryptography very fast
• public key cryptography generally used for key management and digital signatures
secret key
protected with public key
message
secret key
message
protected with secret key
Digital Signatures
Bob’s public
key
(not secret)
public
directory
A
inverse
mathematical
transformation
signature
check
8 or 4
Bob’s
private
key
(secret)
Signed
+ Message
Data
B
mathematical
transformation
Hostile
Network
unsigned data
Over long distances losses contribute to the noise; an absorbed quantum cannot
be measured by Bob!
Long distance communications overcome this with:
Repeaters - measure and regenerate the signal
Amplifiers - amplify the signal intensity.
In quantum communications these processes add excess noise which tends to
destroy the quantum information.
If Alice prepares qubits in just the states |0> and |1> then the task is easy:
Measure z and if the result is +1(-1) then make as many qubits as you please in
the state |0>(|1>.
Problems arise when Alice selects from a non-orthogonal set of states.
Measurements will, in general, change the state:
Consider a simple model of a general qubit measurement in which our qubit in
a general state |> is made to interact with an ancilla, prepared in the state |A>.
The interaction is associated with a unitary transformation, the general form of
which is
Uˆ  ˆI  Aˆ0  ˆ x  Aˆ x  ˆ y  Aˆ y  ˆ z  Aˆ z
This unitary operator transforms the original state into
  A    Aˆ 0 A  ˆ x   Aˆ x A
 ˆ y   Aˆ y A  ˆ z   Aˆ z A
The qubit state |> is unchanged, but the change in the ancilla is
independent of |> so this cannot describe a measurement!
The state of the qubit will be unchanged only if it is an eigenstate of U, but
there are no common eigenstates of the three Pauli spin components and our
signal states are non-orthogonal so ...
Optimal (symmetric) cloning - Hillery & Buzek
We can’t clone perfectly but what is the best we can do?
2
1
 0  1  1  0  q 
0  B Q 
0 0  q 
3
6
1  B Q 
2
1
 0  1  1  0  q
1  1  q 
3
6
state of copying machine
Both the original qubit and the clone are left in the correct state with probability 5/6
ˆ 
5
1 
    
6
6
At least one of the qubits is in the
correct state.
Interestingly, the ‘cloning machine’ achieves something closer to a quantum
NOT operation:
Let
q  1,
q  - 0
2
  B Q 
  
3


1
     
6
The third qubit is in the orthogonal
state to the original with probability
2/3:
2 
1

ˆ      
3
3
The Jones representation
We can write the x and y components of the complex electric field amplitude
in the form of a column vector:
i x 

E
E
e
 0x 
0x


E 
i y 
 0 y   E0 y e 
The size of the total field tells us nothing about the polarisation so we can
conveniently normalise the vector:
Horizontal polarisation
Vertical polarisation
1 
0 
 
0 
1 
 
Left circular polarisation
1
2
1
i 

Right circular polarisation
1
2
1
- i 
 
One advantage of this method is that it allows us to describe the effects of optical
elements by matrix multiplication:
Linear polariser
(oriented to horizontal):
Quarter-wave plate
(fast axis to horizontal):
1 0  0 0  1  1  1

0
,
90
,

45
0 0 
0 1 

2

1
1






1 0  1 0  
0 i  0 , 0 - i  90 ,




 1  i


45
 i 1 


1 0 
0 -1


Half-wave plate
(fast axis horizontal or vertical):
The effect of a sequence
of n such elements is:
1
2
 A an
 B  c
   n
bn  a1


d n   c1
b1   A



d1   B 
We refer to two polarisations as orthogonal if
E*2  E1  0
This has a simple and suggestive form when expressed in terms of the Jones
vectors:
 A1 
 A2 
 B  is orthogonalto  B  if
 1
 2
A2* A1  B2* B1  0

A

*
2

B2*  A1 
B   0
 1
†
 A2   A1 
   0
 B2   B1 
There is a clear and simple
mathematical analogy between
the Jones vectors and our
description of a qubit.