Key Disclosing in Multiphotons with Quantum Cloning

1 downloads 33 Views 156KB Size Report
arXiv:quant-ph/0305136v2 29 May 2003. Key Disclosing in Multiphotons with Quantum Cloning. Tsuyoshi NISHIOKA,∗ Toshio HASEGAWA,† and Hirokazu ...
Key Disclosing in Multiphotons with Quantum Cloning Tsuyoshi NISHIOKA,∗ Toshio HASEGAWA,† and Hirokazu ISHIZUKA‡

arXiv:quant-ph/0305136v2 29 May 2003

Information Technology R & D Center, Mitsubishi Electric Corporation 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, JAPAN TEL: +81-467-41-2190 FAX: +81-467-41-2185 Multiphoton state in quantum cryptography decreases its security. Key disclosing with universal quantum cloning machine (UQCM) is considered in explicit manner. Although UQCM cannot make perfect clones, there is some invariant quantity between the original photon and the imperfect clones. The invariant quantity, the direction of Stokes parameters, tells us the auxiliary information leading into key information. The attack, then, corresponds to some kind of quantum non-demolition measurement. Its application to recent high-performance quantum cryptography, Y-00 protocol, is also studied. PACS numbers: 03.67.Dd, 42.50.Dv, 89.70.+c

I.

INTRODUCTION

Quantum cryptography[1, 2] is expected to play an important role in near future information security. Because its security is based on quantum mechanics instead of computational complexity and is absolutely proved in recent reports[3]-[5]. Quantum cryptography in real world has, however, no perfect security, since it consists of imperfect devices[6]. Almost reports[7]-[11] on their experiments use weak coherent pulse and its pulse includes a little multiphoton. The multiphoton decreases its security. In this paper, we study how to disclose key information in multiphoton using universal quantum cloning machine(UQCM)[12, 13] in explicit manner. No-cloning theorem[14], however, says that it is impossible to make perfect clones from unknown quantum state and any UQCM cannot make perfect clones. Imperfect clones do not tell us the exact information. Our strategy consists of three steps. The first step splits multiphoton into two identical (multi-)photons. The second step amplifies the split one to large number of imperfect clones with UQCM and measures them for ‘auxiliary’ information to be needed in the following correct observation. The third step observes the other split one correctly with the auxiliary information and gets correct ‘parity’ information which equals to key information generally. The auxiliary information is, for example, a polarization base in the polarization coding and corresponds to the direction of Stokes parameters. The parity information, then, corresponds to ‘up’ and ‘down.’ Key point of our attack is that the imperfect clones with low fidelity keep the original direction exactly, although their parity information becomes obscure. Therefore we can measure accurately the direction of the Stokes parameters with large number of clones.

∗ Electronic

address: [email protected] † Electronic address: [email protected] ‡ Electronic address: [email protected]

Recently much higher performance quantum cryptography named “Y-00 protocol[15]” with mesoscopic coherent pulse is reported[16]-[19]. Its bit rate is 1,000-10,000 times higher than that of conventional quantum cryptography because its pulse has 100-1,000 photons. The proposers say that it has enough security by virtue of quantum noise, although its pulse has multiphoton. Its two key ingredients are multi-valued modulation related to the auxiliary information and ‘ciphering wheel’ which is a table of mapping from the parity and the auxiliary information to the key information. The attacker, Eve, knowing the correct parity information, gets wrong key information, if her auxiliary information differs from the correct one slightly. Disclosing the correct key information needs the accurate auxiliary information. We, then, apply our quantum amplification attack to Y-00 protocol. The outline of the paper is as follows. We define qubit and introduce its related quantities in Section II. Gisin and Massar’s UQCM is introduced in Section III. Quantum amplification attack is described in section IV. The attack is applied to Y-00 protocol in section V. Finally we discuss physical background of the quantum amplification attack in section VI. II.

QUBIT

Qubit is generally defined by θ θ |ψi = cos |Hi + sin eiφ |V i, 2 2

(1)

on some basis, where |Hi is horizontal linear polarized single photon state, |V i is vertical linear polarized single photon state, and 0 ≤ θ ≤ π, 0 ≤ φ < 2π. We focus on photon state as qubit in this paper. The photon state is represented as a point on Poincar´e sphere and is parameterized with Stokes parameters. Stokes parameters are macroscopically defined by S1 = PLH − PLV , S2 = PL+45 − PL−45 , S3 = PRHC − PLHC ,

(2) (3) (4)

2 where PLH , PLV , PL+45 , PL−45 , PRHC , and PLHC are power of horizontal, vertical, +45 degree, -45 degree linear and right-handed, left-handed circular polarized components of light. These definitions are microscopically equivalent to S1 = a†H aH − a†V aV , S2 =

S3 =

a†H aV + a†V aH , i(a†H aV − a†V aH ),

(5) (6) (7)

where aH and aV are annihilation operators of horizontal and vertical linear polarized mode. These parameters are, then, equivalent to angular momentum operators with the following commutation relations: [Si , Sj ] = −2iǫijk Sk ,

(8)

where ǫijk is the totally antisymmetric Levi-Civita symbol and ǫ123 = 1. The commutation relations, thus, prevent all Stokes parameters from being measured simultaneously and exactly. The photon state |ψi has the following density matrix: θ θ θ ρ = cos2 |HihH| + cos sin e−iφ |HihV | 2 2 2 θ θ iφ θ + cos sin e |V ihH| + sin2 |V ihV |. 2 2 2

(9)

The expectation value of Stokes parameters are, then, calculated by hS1 i = Tr[S1 ρ] = cos θ, hS2 i = Tr[S2 ρ] = sin θ cos φ, hS3 i = Tr[S3 ρ] = sin θ sin φ,

(13) (14) (15)

Measuring Stokes parameters on single photon, therefore, gains no sufficient large S/N ratio. The parity information is defined by the sign of S2 and the auxiliary information is defined by the quotient space of (θ, φ) which has the following equivalent class: (θ, φ) ≡ (π − θ, φ + π). III.

ψ

0

⊗p

ancilla

q

U Q C M

ρ out

⊗q

ancilla'

FIG. 1: Gisin and Massar’s UQCM

Their density matrix has the following form: ρout = F ρ + Dρ⊥ ,

(17)

where ρ⊥ is the density matrix of the orthogonal state of |ψi and F is fidelity and D is disturbance. The fidelity and the disturbance satisfy the relation F + D = 1. The orthogonal state with the following form: θ θ |ψ⊥ i = sin |Hi − cos eiφ |V i, 2 2

(18)

has the diametrical Stokes parameters hS⊥1 i = − cos θ, hS⊥2 i = − sin θ cos φ, hS⊥3 i = − sin θ sin φ.

(10) (11) (12)

and their dispersions are given by h∆S12 i = hS12 i − hS1 i2 = 1 − cos2 θ, h∆S22 i = hS22 i − hS2 i2 = 1 − sin2 θ cos2 φ, h∆S22 i = hS32 i − hS3 i2 = 1 − sin2 θ sin2 φ.

Buˇzek and Hillery’s UQCM making two clones of one qubit is, however, insufficient for our attack[20] and we use Gisin and Massar’s generalized UQCM[12] making q-identical clones of p-identical qubits (q > p). Given the p-identical input states |ψi, UQCM makes q-clones in Fig. 1.

(19) (20) (21)

Therefore the direction of Stokes parameters is invariant in quantum cloning and its length is shrinking whose factor is given by η = F − D in Fig. 2. The UQCM,

S2 +

ρ out θ

ρ S1

1

(16)

UNIVERSAL QUANTUM CLONING MACHINE

The concept of universal quantum cloning machine (UQCM) is introduced by Buˇzek and Hillery[13] although No-cloning theorem prohibits perfect clones. UQCM, then, makes imperfect clones and ‘universal’ means that the quality of clone does not depend on an input state.

ρ⊥

at φ = 0 FIG. 2: Clone State

then, decreases the parity information but conserves the auxiliary information.

3 Gisin and Massar give the following fidelity[12]: F =

q(p + 1) + p . q(p + 2)

(22)

The result includes Buˇzek and Hillery’s result at p = 1 and q = 2. We, then, get the following disturbance: D=

q−p , q(p + 2)

IV.

B.

p(q + 2) . q(p + 2)

(24)

QUANTUM AMPLIFICATION ATTACK

We assume the targeted multiphoton can be divided into two (multi-) photons. The attack consists of two phases; the first one is measurement for the auxiliary information using the divided (multi-) photon and the second one is observation for the parity information using the other divided (multi-) photon. The first phase is divided into two steps; Step 1 is quantum amplification of the former (multi-) photon and Step 2 is measurement of the quantum amplified photons for the auxiliary information. The whole attack, then, consists of three steps in Fig. 3. "1" H Q W W P P

BS

U Q C M

H W P

The final state is much depolarized and its parity information cannot be gained, if L is large enough .

(23)

and the shrinking factor is given by η=

from (17). Solving the recurrences, we get the following final state:   1 1 ρfinal = 1 + ηL ρ + 1 − η L ρ⊥ . (28) 2 2

"0" PBS

 S1    θ   S 2  →    S  φ   3

Q W P

Measurement for the auxiliary information

Eve measures Stokes parameters of the (q/p)L -clones though the states are much depolarized. The expectation values of Stokes parameters per single photon are calculated by hS1 i = Tr[S1 ρfinal ] = η L cos θ, hS2 i = Tr[S2 ρfinal ] = η L sin θ cos φ, hS3 i = Tr[S3 ρfinal ] = η L sin θ sin φ, and their dispersions are given by ∆S12 = 1 − η 2L cos2 θ, ∆S22 = 1 − η 2L sin2 θ cos2 φ, ∆S32 = 1 − η 2L sin2 θ sin2 φ.

The whole Stokes parameters and the whole dispersions are proportional to the total photon number (q/p)L . The whole Stokes parameters are obtained by  L L  q q+2 total S1 = hS1 i = cos θ, (35) p p+2 L  q+2 sin θ cos φ, (36) S2total = p+2  L q+2 total S3 = sin θ sin φ. (37) p+2

(q/p)L hS∗ i S/N = ≈ (q/p)L/2 ∆S∗ Quantum amplification

L  L2  q L p(q + 2)2 2 , (38) η = p q(p + 2)2

and then the S/N ratio grows large if the index satisfies the inequality

Eve makes Gisin and Massar’s UQCM work in L-steps cascade manner and propagates the imperfect clones to (q/p)L -photons. Assuming that the density matrix in the k-step is given by ρk = ak ρ + b k ρ⊥ ,

(32) (33) (34)

Their S/N ratio is also estimated by

FIG. 3: Quantum Amplification Attack

A.

(29) (30) (31)

p(q + 2)2 > 1. q(p + 2)2 The growing condition is as follows:

(25)

the coefficients ak and bk obey the following recurrences:

(39)

q+

4 4 >p+ , q p

(40)

and its solution becomes ak+1 = F ak + Dbk ,

(26)

bk+1 = Dak + F bk ,

(27)

q > 4 at p = 1,

or q > p ≥ 2.

(41)

Therefore the whole Stokes parameters grow large enough to be measured accurately if L is sufficiently large and the

4 inequality (41) is satisfied. Buˇzek and Hillery’s UQCM does not satisfy the condition and cannot be used in the attack[20]. Eve, then, measures the Stokes parameters and gets the accurate auxiliary information. We can also estimate statistical S/N ratio although the S/N ratio by quantum noise has been estimated in the above argument. The final states are (q/p)L -identical states obeying binominal distribution P (k) =N Ck Ffinal

N −k

Dfinal k ,

(42)

where P (k) is probability distribution function with the N − k-original state ρ and the k-orthogonal state ρ⊥ , N = (q/p)L , Ffinal = (1 + η L )/2, Dfinal = (1 − η L )/2, and N Ck is binominal coefficient. The mean value of Stokes parameter is, then, calculated by hS1 istatistics =

N X

k=0

((N − k) − k)P (k) cos θ,

= (1 − 2Dfinal )N cos θ,  L q = η L cos θ. p

(43)

Its variance is given by h∆S12 istatistics = hS12 istatistics − hS1 i2statistics , = 4Ffinal Dfinal N cos2 θ. (44) Therefore the statistical S/N ratio is obtained by ηL N , S/Nstatistics = √ 4Ffinal Dfinal N  L q ηL , = p 2L p 1−η  L p(q + 2)2 2 ∼ . q(p + 2)2

A.

Essence of Y-00 protocol

We roughly sketch the essence of Y-00 protocol with polarization coding in the following. Y-00 protocol prepares the M -pair states:   θk θk |+, ki= α cos α sin , (46) 2 H 2 V   θk + π α sin θk + π |−, ki= α cos , (47) 2 2 H V

where k = 0, . . . , M − 1 and the right-sided ket vector is coherent state on each basis and |α|2 equals to the average photon number and θk = πk/M . The two pairing states have the diametrical relation with each other on Poincar´e sphere. The sign in the left side corresponds to the parity information and the multi-valued k in the left side corresponds to the auxiliary information. Key information is not the same as the parity information in Y-00 protocol. The ciphering wheel maps from the parity information and the auxiliary information to the key information in the following: CW (+, k : even) CW (−, k : even) CW (+, k : odd) CW (−, k : odd)

(45)

The result is the same as (38) in the quantum noise. C.

faster than conventional quantum cryptography because it uses mesoscopic coherent pulse including 100-1,000 photons. The quantum amplification attack seems to be applicable to Y-00 protocol whose security depends on quantum noise with two important ingredients: multivalued modulation and ciphering wheel.

Observation for the parity information

Eve observes the latter (multi-)photon with the auxiliary information obtained in step 2 and gets the correct parity information. The parity information is equivalent to key information generally and she obtains the correct key information. The attack enables Eve to disclose key information before the auxiliary information is opened by the legitimate entities and is effective for some protocols with multiphoton having no public announcement of the auxiliary information[21].

= = = =

0, 1, 1, 0.

(48) (49) (50) (51)

Eve without knowing the auxiliary information, thus, cannot guess the correct key information even though she knows the correct parity information. The state |+, ki has the following Stokes parameters: hS1 i = |α|2 cos θ, hS2 i = |α|2 sin θ, hS3 i = 0,

(52) (53) (54)

and their dispersions are given by ∆S12 = ∆S22 = |α|2 .

(55)

The neighboring states with the same parity cannot be discriminated if M is sufficiently large, where the neighboring condition is given by ~±,k − S ~±,k′ | < ∆S = |α|. |S

(56)

The condition is equivalent to V.

APPLICATION TO Y-00 PROTOCOL

Recently reported Y-00 protocol[15]-[19] is a kind of quantum key expansion protocol and 1,000-10,000 times

∆k
|α|π is satisfied.

5 B.

Quantum Amplification Attack to Y-00 protocol

The quantum amplification attack needs no auxiliary information opened publicly and then seems to be effective against Y-00 protocol. It uses mesoscopic coherent pulse instead of single photon state. Eve must extract some single photon states from the mesoscopic coherent state in order to let the UQCM work. She splits the targeted state into two mesoscopic coherent state by a beam splitter at first. The one state |α1 cos θ/2iH |α1 sin θ/2iV is used in the quantum amplification and measurement for the auxiliary information. The other state |α2 cos θ/2iH |α2 sin θ/2iV is used in measurement for the parity information. Eve, moreover, splits the first state into J-weak coherent states by beam splitters in a cascade way    ⊗J α1 α1 √ cos θ √ sin θ , (58) J 2 H J 2 V where |α1 |2 /J ≪ 1. One of the weak coherent states is equivalent to   θ θ α cos |1iH |0iV + sin |0iH |1iV |0iH |0iV + √ 2 2 J |α|2 +O( ), (59) J

where |0i, |1i are numbering states in each mode. The first term is a vacuum and the second is single photon state. Other multiphoton states are negligible. The single photon state can be represented by   θ θ α1 √ (60) cos |Hi + sin |V i , 2 2 J in qubit-like representation. Eve expects to get |α1 |2 identical single photons because she has J-states. The state, moreover, keeps the auxiliary information θ perfectly. Eve quantum-amplifies the obtained single photon states and measures them for the accurate auxiliary information. She obtains the correct parity information using the auxiliary information finally. VI.

DISCUSSION

In the quantum amplification attack, the UQCM plays an important role though any UQCM cannot make perfect clones. Because the UQCM, which is some kind of unitary transformation, has invariant subspace in the space of Stokes parameters R3 . Although the fidelity of an imperfect clone to the original photon decreases below 1, the direction of its Stokes parameters is invariant between the original and the clone. The space of Stokes parameters is, then, divided by one-dimensional real space and two-dimensional projective space, R3 ∼ R × P 2 ,

(61)

where the parity information corresponds to the sign of the one-dimensional real space R and the auxiliary information corresponds to the two-dimensional projective space P 2 which is invariant under the transformation by the UQCM. The commutation relations (8) among Stokes parameters say that the all parameters cannot be observed simultaneously and accurately by uncertainty relations. It, then, seems strange that the attack measures the accurate direction of the Stokes parameters. The accurate measurement, however, does not contradict the uncertainty relations because the attack gains no parity information and then two diametrical points on Poincar´e sphere cannot be discriminated. The attack, then, squeezes any state to extending to the parity real space and to shrinking in the projective space in Fig. 4. Therefore the attack may be regarded as some kind of quantum non-demolition measurement[22]. S2

S2

ρ out θ

ρ⊥

ρ

ρ

at φ = 0

ρ out θ

S1

ρ⊥

S1

at φ = 0

FIG. 4: Squeezing

The attack is applicable to BB84 protocol with multiphoton although it does not work in the protocol with single photon because the protocol carries critical information on the parity information. On the other hand, the attack is also expected to be effective in Y-00 protocol because the protocol carries critical information on the auxiliary information rather than the parity information. The attack has, however, some open problems. It is generally said that no photon-number amplifier can avoid fluctuation of photon-number and then sufficient large S/N ratio cannot be gained[20]. The UQCM is, however, a kind of unitary transformation and the photon-number is conserved. It, then, seems to be hard for the UQCM to exist. It is more severe problem that the measurement of Strokes parameters is executed to the whole clones and the treatment as the mixed states is somewhat wondered since the output state of the UQCM is entangled state and independent measurement changes the entangled output into the mixed states. The cascade manner operation of the UQCM is not a severe problem because the attack is effective at L = 1. Its application to B92 protocol[23] whose critical information is also carried on the auxiliary information would be challenging because recent reports[24, 25] have proved its unconditional security.

6 Acknowledgments

We thank Prof. Barbosa for helpful discussion though he doubts that there is such a UQCM that conserves photon-number without photon-number fluctuation. This work was supported by the project on “Re-

[1] C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proc. of IEEE Int. Conf. Computers, Systems and Signal Processing, Bangalore, India, pp.175-179, 1984. [2] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum Cryptography,” Rev. of Mod. Phys. 74, pp.145-195, 2002. [3] D. Mayers, “Unconditional security in Quantum Cryptography,” quant-ph/9802025, 1998. [4] H.-K. Lo and H. F. Chau, “Unconditional Security Of Quantum Key Distribution Over Arbitrary Long Distances,” Science283, pp.2050, 1999. [5] P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol,” Phys. Rev. Lett. 85, pp.441-444, 2000. [6] N. L¨ utkenhaus, “Security against individual attacks for realistic quantum key distribution,” Phys. Rev. A 61, 052304, 2000. [7] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, “Experimental Quantum Cryptography,” J. of Cryptol. 5, pp.3-28, 1992. [8] T. Hasegawa, T. Nishioka, H. Ishizuka, J. Abe, K. Shimizu, M. Matsui, and S. Takeuchi, “An Experimental Realization of Quantum Cryptosystem,” IEICE Trans. Fundamentals E85-A, (1), pp.149-157, 2002. [9] D. Stucky, N. Gisin, O. Guinnard, G. Ribordy, and H. Zbinden, “Quantum Key Distribution over 67km with a plug&play system,” New J. Phys. 4, 41.1-41.8, 2002, qunat-ph/0203118. [10] T. Hasegawa, T. Nishioka, H. Ishizuka, J. Abe, M. Matsui, and S. Takeuchi, “Telecom wavelength Quantum Cryptosystem,” QIT2002-56, 2002, in Japanese. [11] T. Hasegawa, T. Nishioka, H. Ishizuka, J. Abe, M. Matsui, and S. Takeuchi, “Experimental Realization of Quantum Cryptosystem over 87km,” International Conference on Laser and Electro-optics/Quantum Electronics & Laser Science Conference (CLEO/QELS2003), QTuB, Baltimore, Maryland, USA, June 3, 2003.

search and Development on Quantum Cryptography” of Telecommunications Advancement Organization as part of the programme “Research and Development on Quantum Communication Technology” of the Ministry of Public Management, Home Affairs, Posts and Telecommunications of Japan.

[12] N. Gisin and S. Massar, “Optimal Quantum Cloning Machines,” Phys. Rev. Lett. 79, pp.2153-2156, 1997. [13] V. Buˇzek and M. Hillery, “Quantum copying: Beyond the no-cloning theorem,” Phys. Rev. A 54, pp.1844-1852, 1996. [14] W. K. Wootters and W. H. Zurek, “A single quantum cannot be cloned,” Nature 299, pp.802, 1982. [15] in private communication with Prof. Hirota. [16] G. A. Barbosa, E. Corndorf, P. Kumar, H. P. Yuen, G. M. D’Ariano, M. G. A. Paris, and P. Perinotti, “Secure communication using coherent states,” in Proc. QCMC’02, quant-ph/0210089, 2002. [17] G. A. Barbosa, E. Corndorf, P. Kumar, and H. P. Yuen, “Secure communication using mesoscopic coherent states,” quant-ph/0212018, 2002. [18] G. A. Barbosa, “Fast and secure key distribution using mesoscopic coherent states of light,” quant-ph/0212033, to be submitted to Phys. Rev. A, 2002. [19] O. Hirota, K. Kato, and M. Sohma, “Experimental study for Yuen-Kim protocol of quantum key distribution with unconditional secure,” quant-ph/0212050, 2002. [20] in private communication with Prof. Barbosa. [21] W. Y. Hwang, I. G. Koh, and Y. D. Han, “Quantum cryptography without public announcement bases,” Phys. Lett. A244, pp489-494, 1998. [22] V. B. Braginsky and F. Ya. Khalili, “Quantum nondemolition measurements: the route from toys to tools,” Rev. Mod. Phys.68, pp.1-11, 1996. [23] C. H. Bennett, “Quantum Cryptography Using Any Nonorthogonal States,” Phys. Rev. Lett.68, pp.31213124, 1992. [24] Z. Quan and T. Chaojing, “Simple proof of the unconditional security of the Bennett 1992 quantum key distribution protocol,” Phys. Rev. A 65, 062301, 2002. [25] K. Tamaki, M. Koashi, and N. Imoto, “Unconditionally Secure Key Distribution Based on Two Nonorthogonal States,” quant-ph/0212162, 2002.