Quantum mechanics for security related tasks

by

Seyed Arash Sheikholeslam

B.Sc., Isfahan University of Technology, 2005

A Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of

MASTER OF APPLIED SCIENCE

in the Department of Electrical and Computer Engineering

c

Seyed Arash Sheikholeslam, 2012 University of Victoria

All rights reserved. This thesis may not be reproduced in whole or in part, by photocopying or other means, without the permission of the author.

Quantum Mechanics for Security Related Tasks

by

Seyed Arash Sheikholeslam

B.Sc., Isfahan University of Technology, 2005

Supervisory Committee

Dr. T. Aaron Gulliver, Supervisor

(Department of Electrical and Computer Engineering)

Dr. Mihai Sima, Departmental Member

Supervisory Committee

Dr. T. Aaron Gulliver, Supervisor

(Department of Electrical and Computer Engineering)

Dr. Mihai Sima, Departmental Member

(Department of Electrical and Computer Engineering)

ABSTRACT

This thesis considers the use of quantum mechanics for information security re-lated tasks. Two secure quantum bit commitment protocols are introduced and the security of the protocols against attackers is discussed. The use of quantum entangle-ment breaking channels for making a protocol secure is considered and some security bounds are given. Entanglement measurement in multipartite systems and a universal entanglement measure are also introduced and discussed.

Contents

Supervisory Committee ii Abstract iii Table of Contents iv List of Figures vi Acknowledgements vii DEDICATION viii 1 Introduction 1 1.1 Measurements . . . 4 1.1.1 Projective Measurements . . . 4 1.1.2 POVM Measurements . . . 5

1.2 How Qubits and Bits Differ . . . 5

1.2.1 Superposition . . . 5

1.2.2 Entanglement . . . 5

1.3 Quantum Information . . . 6

1.4 Quantum Bit Commitment . . . 7

1.5 Outline . . . 8

2 A Quantum Circuit Approach To Generating Random Numbers 9 2.1 Introduction . . . 9

2.2 The Proposed Circuits . . . 10

2.3 Conclusions . . . 12 3 Classification and Measurement of Multipartite Quantum

3.1 A New Entanglement Measure . . . 15

3.1.1 Additivity . . . 18

3.1.2 Continuity . . . 19

3.2 Conclusions . . . 20

4 A Practical Approach to Quantum Bit-Commitment 23 4.1 The Proposed Bit Commitment Protocol . . . 25

4.2 Security and Cheating Strategies . . . 26

4.2.1 Practical security against an EPR (entanglement) attack . . . 26

5 EPR Secure Non-relativistic Bit Commitment Through Entangle-ment Breaking Channels 28 5.1 Entanglement Breaking Channel Bit Commitment . . . 29

5.1.1 The Protocol . . . 29

6 Conclusions and Future Work 33

List of Figures

Figure 2.1 A quantum feedback shift register. Bold lines carry the qubits whereas the doubled lines carry the classical information. . . 11 Figure 2.2 A feedforward shift register. Bold lines carry the qubits whereas

the doubled lines carry the classical information. . . 13 Figure 3.1 All possible entanglements for a pure 3-partite state. The outer

square defines the borders of the isolated system, and each col-ored line around a set of parties is an entanglement. . . 21 Figure 3.2 An example of a 2-mixed entangled system. . . 22 Figure 5.1 Two possible implementations of the depolarizing channel for bit

ACKNOWLEDGEMENTS I would like to thank:

my Mom and Dad for giving me permission to be successful.

Professor T. Aaron Gulliver, for mentoring, support, encouragement, and pa-tience.

Uvic, for funding me with a Fellowship.

”Anyone not shocked by quantum mechanics has not yet understood it.” Niels Bohr

DEDICATION

Introduction

Richard Feynman introduced the quantum computer in 1982 [3]. Such devices take direct advantage of quantum mechanical phenomena such as entanglement and super-position of states for computational tasks. The unit of data in quantum computation and information is called a qubit (quantum bit), in contrast with the bit in classical computation. A qubit can, for example, be realised using two spin particles with |0i for spin “down” and |1i for spin “up”. This is the standard Dirac notation used in quantum mechanics.

Next, some mathematical definitions are given followed by the basic postulates of quantum mechanics.

Hilbert Space: A Hilbert space H is a complex inner product space. It is a complete metric space with respect to the distance function induced by the inner product [1].

Unitary Transform: A unitary transform (also called a unitary operator), U on a Hilbert space H is a linear operator on H satisfying

U U∗ = U∗U = I

where U∗ is the adjoint of U and I is the identity operator [2]. As an example, one can consider |0i = " 1 0 # and |1i = " 0 1 #

as a basis for a Hilbert space along with the standard vector inner product. Each element of this Hilbert space is a linear combination of these two vectors. An example

of a unitary operator for this space is U = " 0 1 1 0 #

which when applied on |bi gives |¯bi. Using the Dirac notation for two vectors hφ| (the complex conjugate of |φi), and |ψi, hφ|ψi is simply the inner product of the two.

Tensor product: The tensor product of two vectors is defined as

" a1 a2 # ⊗ " b1 b2 # =       a1b1 a1b2 a2b1 a2b2      

Note that the tensor product increases the dimension and therefore Hilbert spaces are not closed under the tensor product operation.

Postulate 1: Any isolated physical system is a Hilbert space, called a state space, and the system is described by its state vector which is a normalized vector in the state space.

Postulate 2: The evolution of an isolated quantum system is described by a unitary transformation

|ψi−→ U |ψi.U

Note that for a system which interacts with the outside world, we can simply assume a state vector for the world which consists of the system and the rest of the world, and discard the unwanted portion via tracing out the system (the tracing operation will be described later in this chapter), after the unitary transform has been applied to the world.

Postulate 3: Measurements are described as a collection of measurement operators {Mm}, where m denotes the outcome. The probability of the result m occurring is

p(m) = hψ|M_m†Mm|ψi. The state of the system after the measurement is

Mm|ψi

q

hψ|Mm†Mm|ψi

Note that measurement operators satisfy the completeness equation. X

i

Mi = I

One drawback of quantum measurements is that from Postulate 3 non-orthogonal states are not reliably distinguishable.

Postulate 4: The state space of a composite quantum system is a tensor product of the component systems.

Next, another useful formulation for quantum mechanics is presented. This is called the density operator or density matrix, and is equivalent to the state vector formu-lation. Consider an ensemble of pure states {|ψii, pi}, where pi is the probability of

the state occurring. The density operator for the system is defined as ρ ,X

i

pi|ψiihψi|

This definition can be interpreted as not knowing the exact state of the system but rather the probabilities of the possible states.

A system is said to be pure if its state is known exactly (ρ = |ψihψ|), otherwise it is called mixed.

As a result of this new formulation, the quantum postulates can be restated as follows.

Postulate 10: Any isolated physical system is a Hilbert space and the system is described by its density operator.

Postulate 20: The evolution of a closed quantum system is described by a unitary transformation ρ−→ U ρUU †_.

Postulate 30: As in Postulate 3 but with: p(m) = tr(M_m†Mmρ), and the state after

measurement is

MmρMm†

tr(Mm†Mmρ)

.

Postulate 40: This is the same as Postulate 4.

Some features of the density operator are now introduced, followed by a discussion of measurements. It has been proven that an operator is a density operator if and only if it has trace equal to one and is a positive operator. In addition, for a pure state tr(ρ2_{) = 1 while for a mixed state tr(ρ}2_{) < 1. Another important fact about density}

operators is that they allow for the analysis of composite systems via the partial trace operation

ρA _{, tr}B(ρAB) (1.1)

which is defined as

trB(|a1iha2| ⊗ |b1ihb2|) , |a1iha2|tr(|b1ihb2|) (1.2)

where A and B are two Hilbert spaces and |aii and |bii are the corresponding vectors

in these Hilbert spaces.

1.1

Measurements

Two important special cases of measurements, namely projective measurements and POVM measurements, are now presented.

1.1.1

Projective Measurements

In many applications, it is necessary to work with projective measurements. It also can be proved that a projective measurement along with a unitary transform are sufficient to implement a general measurement. In this case our measurement oper-ators will be some projections say prm with eigenvalues m and our observable will

be M =P

mmpm and the probability for measuring m for state |ψi as measurement

1.1.2

POVM Measurements

There are some cases where the post-measurement state of the system is not known, but knowledge of the measurement outcome is required. An example of such a mea-surement would be when we want to measure the position of a photon and we know in such a measurement there is no post-measurement position (state) for the photon (because it will collapse after hitting, e.g. the flourescent panel used in measuring its position). This type of measurement is defined by positive operator valued measure (POVM) elements Em, where Em = MmMm† and Mm is as defined in postulate 3. In

this type of measurement, Mm is not known so the post-measurement state cannot

be determined. The complete set of elements {Em} is called POVM.

1.2

How Qubits and Bits Differ

There are two major differences between a bit and a qubit, superposition and entan-glement. These differences are described below.

1.2.1

Superposition

Unlike a bit which can be either a 0 or 1, a qubit can be a superposition of |0i and |1i, therefore the value of a qubit can be |φi = α|0i + β|1i, where α and β are complex numbers and |α|2 _{+ |β|}2 _{= 1. This means that if one measures the value of |φi, the}

outcome will be |0i with probability |α|2 _{and |1i with probability |β|}2_{. Note that}

there is also a 3-dimensional model for a qubit, called a Bloch sphere, but it is not considered in this thesis and therefore is not discussed further.

1.2.2

Entanglement

For two Hilbert spaces HA and HB, we have that |0iA⊗ |0iB ∈ HA⊗ HB. Therefore

one might assume that any vector |φi ∈ HA⊗ HB consists of the tensor product of

a vector in HA and one in HB, but this interpretation is incorrect. In fact there are

states such as √1

2(|0iA|0iB+|1iA|1iB) which are in HA⊗HB but cannot be represented

as a tensor product of states in HA and HB. Quantum entanglement and measuring

this entaglement for two or more systems is the concern of one the chapters in this thesis.

1.3

Quantum Information

Now that we have discussed the differences between classical and quantum informa-tion units, we briefly introduce the concept of quantum informainforma-tion in contrast with classical information. Quantum information differs from its classical counterpart in two major ways, the information unit (which has already been discussed), and the lack of a means of copying qubits. According to the no-cloning theorem, it is impos-sible to make copies of non-orthogonal states [4]. This means that no device exists which can make copies of both |φi and |ψi unless these two states are orthogonal.

As discussed earlier in this chapter, a standard formulation for quantum applica-tions is the density operator. Note that this formulation is equivalent to the state vector formulation. Both notations will be used in this thesis depending on the ap-plication, but only the density operator is considered in this section.

Shannon entropy is the key quantity in classical information theory. For a set of symbols {xi} it is defined as H(X) = −

P

ip(xi)log(p(xi)) also H(X, Y ) = H(Y |X)+

H(X) where H(Y |X) =P

i,jp(xi, yj)log( p(yj)

p(xi,yj)). The quantum counterpart of

Shan-non entropy is called Von Neumann entropy. It is similar to ShanShan-non entropy and is defined as

S(ρ) , −tr(ρ log ρ),

where ρ is the density operator. Using the eigenvalues of ρ, S(ρ) can be expressed as S(ρ) = −X

i

λilog λi.

As with Shannon entropy, quantum entropy is a concave function. The subadditivity (for a function f : A −→ B subadditivity is defined as ∀x, y ∈ A, f (x + y) ≤ f (x) + f (y)), inequality also holds for Von Neumann entropy. However, some properties of Shannon entropy do to hold for Von Neumann entropy. For example, the inequality H(X) ≤ H(X, Y ) which is intuitively obvious for Shannon entropy, fails for Von Neumann entropy. This is a consequence of entanglement. It has even been proven that the (pure state) |ABi is entangled if and only if S(A|B) is negative.

Among the other important features of Von Neumann entropy are strong subad-ditivity

A measure of relative entropy can also be defined similar to the classical case S(ρ k σ) , −S(ρ) − tr(ρ log σ).

This relative entropy is a monotonic measure. To be monotonic, two density operators of a composite system AB must satisfy

S(ρAk σA_{) ≤ S(ρ}AB _{k σ}AB_).

This means that if part of a system is discarded, it is harder to distinguish between two states of that system, which is intuitive.

1.4

Quantum Bit Commitment

Quantum cryptography in the sense of key distribution was first introduced in [3] with the BB84 protocol. In the same paper, a bit commitment protocol was intro-duced which the authors admit is not secure. Construction of a secure quantum bit commitment protocol has since become an important research problem in the field of quantum security. Other important topics in quantum bit commitment are quantum key distribution, oblivious transfer, and quantum coin tossing.

There have been many quantum bit commitment schemes created, as well as a number of results on the impossibility of secure commitment [5] [6] [7]. Even teleportation has been considered to achieve unconditional security [8].

The bit commitment protocol is now described. Consider a two party (Alice and Bob) bit commitment. Alice chooses a bit b ∈ {0, 1}, locks it and sends it to Bob (commitment phase). When it is time to reveal b (opening phase), Bob locks the bit with his own lock (i.e., he locks the bit locked by Alice), and sends it back to Alice. She then opens her lock and sends the bit back to Bob and announces b. Bob then opens his lock and checks whether the locked bit b is the same as the one which was announced.

The most successful cheating strategy against non-relativistic bit commitment schemes is the entanglement attack (also known as the EPR attack) [5] [6]. In this strategy, one of the parties (Alice) entangles a system with the one she uses for commitment and keeps this second system secret. Then she is able to cheat before the opening phase through local operations on her own system. One approach to

counter this cheating strategy is to determine a means of breaking the entanglements. This must be done either through local transformations performed by the other party (Bob), or through local noise applied to his system (from the transmission channel).

The security of a protocol is measured based on two factors:

1. the security against Bob learning the value of the committed bit before the opening phase, and

2. the security against Alice changing her mind after the commitment phase and eventually opening a bit other than the one she has committed to.

Based on the above discussion, a bit commitment protocol is called hiding if the probability of Bob learning the committed value before the opening phase is negligible. Further, such a protocol is called binding if the probability of successful cheating (and therefore passing Bob’s test on the committed bit), is negligible.

1.5

Outline

This section provides an outline of the thesis.

Chapter 2 discusses the use of quantum circuits for unbiasing (increasing the en-tropy) quantum random bit generators. For this purpose, a hybrid quantum-classic feedback circuit is introduced.

Chapter 3 introduces a new measure for multipartite entanglement which will be useful in designing quantum public key cryptography protocols.

Chapter 4 presents a practically secure quantum bit commitment protocol. The security against Alice and Bob breaking the protocol is also discussed.

Chapter 5 introduces another bit commitment protocol. This protocol uses entan-glement breaking channels to achieve security against Einstein-Podolskey-Rosen type attacks. A lower bound on the security of this system is presented. Chapter 6 contains a summary of the results of the thesis.

Chapter 2

A Quantum Circuit Approach To

Generating Random Numbers

2.1

Introduction

Generating random numbers based on quantum mechanics has been the subject of significant research effort. The most popular approaches are based on projective measurements of photon states [9], [10], [11]. Methods that exploit the Poisson nature of photon arrivals in lasers have also been developed [12], [13].

This chapter considers the use of projective measurements to obtain random num-bers. This method can be realized by employing a simple quantum circuit. With this approach, a photon source is used and the photons are passed through a 50:50 beam-splitter (BSP). A beambeam-splitter is designed so that a photon randomly follows one of two paths that lead to detectors. Depending on the path chosen, the bit generated is a 0 or 1. The model can then be expressed as

|1i −→ 50 : 50 BSP −→ |1iA_√+ |1iB

2 .

According to this model, a photon should choose path A or path B with equal proba-bility 1/2. The set of our measurement operators are then M = {|1i_Ah1|_A, |1i_Bh1|_B}. The problem with this approach is that it requires an ideal 50:50 splitter, which is impossible to implement (though it can be closely approximated). The beamsplitter output is then α|1i_A+ β|1i_B, and the probabilities of bits 0 and 1 being generated are not the same. A solution to this problem is to employ post-processing to unbias the

output values. This chapter considers the use of quantum shift registers to adjust the output of a binary random generator. Both feedback and feedforward shift registers are examined. It will be shown that this approach can provide random bits that are asymptotically equiprobable.

2.2

The Proposed Circuits

A quantum feedback shift register with one memory element is shown in Fig. 5.1. Let |xi be the shift register input and |yi the output. The input qubits are assumed to be independent and identically distributed with P (xi = 0) = p (for example the

output of a 50:50 beam splitter). Ignoring any delay between input and output, |x1i

is the first input qubit and |y1i is the first output qubit. Then we have

|y1i = |x1i |y2i = |x1i ⊕ |x2i |y3i = |x1⊕ |x2i ⊕ |x3i .. . ... |yni = |x1i ⊕ |x2i ⊕ . . . ⊕ |xni (2.1) or |y1i = |x1i |y2i = |y1i ⊕ |x2i |y3i = |y2i ⊕ |x3i .. . ... |yni = |yn−1i ⊕ |xni (2.2)

where |Y i ⊕ |Xi is defined as CNOT(|0i, CNOT(|M(|Yi)i, |Xi)), CNOT(|Y i, |Xi) = trY( I ⊗ X|Y i ⊗ |Xi), X is one of the 3 Pauli matrices [17], M is a measurement,

and m = M(|Yi) ∈ {0, 1} and CNOT is the controlled not gate [17]. Note that in 5.1, the block |mi generates a qubit based on the classical data it receives from the measurement.

Without loss of generality, assume |xii =

√

pi|0i +

√

1 − pi|1i where pi is the

probability that |xii is detected as |0i. Then from (2.2), we have

Figure 2.1: A quantum feedback shift register. Bold lines carry the qubits whereas the doubled lines carry the classical information.

and

p2 = P (|y2i = |0i) = p1(1 − p) + p(1 − p1) = 2p − 2p2.

The last line of (2.2) gives the following linear recurrence relation pn = pn−1(1 − p) + p(1 − pn−1)

= p + (1 − 2p)pn−1

If p = 1/2, then pn = 1/2, as expected. If p = 1, then xi = 0 ∀ i, and pn = 1.

Conversely, if p = 0, then xi = 1 ∀ i, and pn = 0 Now considering the bias caused

by the beam splitter we have p = 1

2 + , and substituting this expression into the

recurrence relation (and using induction) gives pn = 1 2 + 1 2(−1) n_(2)n_{. (2.3)}

Therefore after n iterations, the bias is reduced exponentially, i.e., by a factor (2)n_.

From [9], a typical output sequence of length 122912 bits has a mean of .5014. Thus  = 1.4 × 10−3, which is quite high and would not be suitable in many applications, particularly cryptography. Using the circuit in Fig. 1, after just 100 bits, this bias is reduced to 5.2 × 10−526, which is insignificant.

A single memory element feedforward shift register is shown in Fig. 2.2. In this case, we have |y1i = |x1i ⊕ |x2i |y2i = |x2i ⊕ |x3i |y3i = |x3i ⊕ |x4i |y4i = |x4i ⊕ |x5i .. . ... |yni = |xni ⊕ |xn+1i

Therefore pn = 2p − 2p2. If p = 0 or p = 1, pn = 0. If 0 ≤ p ≤ 1, the feedforward

shift register shown in Fig. 2.2 changes the probability to only pn = 1₂ − 22. Thus

feedforward circuits are not suitable for unbiasing.

2.3

Conclusions

In this chapter, the concept of using quantum shift registers to reduce the bias in quantum random generators has been introduced. A simple design for a quantum

Figure 2.2: A feedforward shift register. Bold lines carry the qubits whereas the doubled lines carry the classical information.

feedback shift register was also proposed. Using a feedback shift register provides a significant improvement because it combines a number of measurements together recursively to obtain the next output.

Chapter 3

Classification and Measurement of

Multipartite Quantum

Entanglements

Entanglement has always been an important concept in quantum physics, thus there has been significant effort in quantifying entanglement. Among the many review articles concerning this task are [18] and [19]. Several measures have been developed for bipartite entanglement, in particular the entanglement of formation and negativity measures. However, the extension of these measures to tripartite or multipartite systems is a difficult problem [20], [22]. In [20], an attempt is made to extend the definition of maximally entangled systems to multipartite systems, while [22] provides a classification for entanglements in 3 qubit systems based on the extended form of the Schmidt decomposition for 3 qubits [21].

Note that the Schmidt decomposition is a way of expressing vectors in a composite system. It simply indicates that for a vector |ψi ∈ H1⊗H2, we have |ψi =P_iαi|aii⊗

|bii where {ai} and {bi} are orthonormal sets for H1 and H2.

A major concern with all entanglement measures is the approach taken for mixed states. The idea of purifying and then measuring the entanglement was proposed in [25]. They introduced an entanglement measure based on purification of bipartite quantum systems, and then applied the entanglement of formation measure on the pure states. This approach solves the problem of classifying and measuring mixed state entanglements. However, there is a significant drawback with this approach, namely, the measured value for a separable mixed state and an entangled pure state

may be the same. As an example, consider the separable mixed state ρ = 1

2[|01ih01| + |10ih10|] and the pure entangled state

|ψi = √1

2[|001i + |110i].

It is clear that the purified version of ρ is equal to |ψi, and therefore applying any entanglement measure on these states will produce the same outcome even though ρ is separable.

Two approaches are presented in this chapter for the classification and measure-ment of multipartite entanglemeasure-ment. First, the concept of purifying an entangled sys-tem is extended to multipartite syssys-tems using the generalized Schmidt decomposition (GSD) proposed in [21] for ternary qubit (qutrit) systems and extended in [27] to mul-tipartite systems of any dimension. The second approach is to decompose the mixed states to their pure state components and then apply the measure on these com-ponents taking into consideration the probability of occurrence of each component. Both of these measurement techniques can be employed with multipartite systems of any dimension.

3.1

A New Entanglement Measure

In order to classify multipartite entangled systems, some definitions are required. An entanglement is called an n-partite pure entanglement when there is an entan-glement between the n parties, but there is no entanentan-glement if one of the parties is traced out. System 9 in 3.1 is an example of this case, which in general is given by

1 √

2 (|0 . . . 0i + |1 . . . 1i).

An n-partite system has a p-mixed entanglement if there exist p sets of n-partite local operations S1, . . . , Sp with i1 ⊗ . . . ⊗ in ∈ Si and there are members of these

sets that when applied to the system preserve the mi-partite pure entanglements. For

such systems, tracing out one party does not break the entanglement between all of the parties. Note that the terms pure and mixed entanglements above do not denote pure and mixed states. Here we provide an example of what we mean by p-mixed entanglement. Consider the 2-mixed entanglement of a set of 5 parties (A, B, C, D

and E) shown in 3.2. The sets of local operations S1 and S2 with 11 ⊗ · · · ⊗ 15 ∈ S1

and 2₁⊗ · · · ⊗ 2

5 ∈ S2, respectively, give

1₁⊗ · · · ⊗ 1

5[|ABCDEimixed entangled] = |ABCipure entangled⊗ |Di ⊗ |Ei)

2

1⊗ · · · ⊗ 25[|ABCDEi] = |ABCDipure entangled⊗ |Ei

As can be observed, there is at least one local operation in S1 which gives rise to a

3-partite pure entanglement between the parties A, B and C, and also two separate states D and E. Further, there is a local operation in S2 which results in a 4-partite

pure entanglement and one separate party.

A fully entangled multipartite system is defined as follows. A fully entangled n-partite system is one in which all possible sets of m-partite systems, m < n, are entangled. System 16 in Fig. 1 is an example of a fully entangled system. The follow-ing proposition establishes the connection between fully entangled and maximally entangled systems.

Proposition 1: A maximally entangled system is fully entangled.

Proof : Assume we have an n-partite system. According to [18], a maximally entan-gled system is a system from which all the other entanentan-gled and pure states can be produced via local operations. In addition, local operations are not able to create entanglement. Assuming that all pure m-partite entanglements are possible for an n-partite entanglement, m < n, then the maximally entangled n-partite system must be fully entangled in order to be able to produce all pure m-partite entangled sys-tems. Establishing the existence of m-partite entanglements in an n-partite system is straightforward. An example of such an entanglement is

1 √

2|0 · · · 0in−m⊗ (|0 · · · 0im+ |1 · · · 1im).

Note that this proof does not guarantee the existence of a fully entangled n-partite system. However, it does imply that if there is no fully entangled n-partite system, then a maximally entangled n-partite system cannot exist.

Figure 3.1 shows all possible types of entanglement in a 3-partite system. There are 8 different classes of entanglement including the non-entangled system, namely {1}, {2, 3, 4}, {5, 6, 7}, {8}, {9}, {10, 11, 12}, {13, 14, 15}, and {16}. Note that

Sys-tems 2, 3 and 4 are similar, but with different parties involved. Finding all possible entanglements for a n-partite system is a simple combinatorial problem.

Some examples of entangled systems are given in Fig. 3.1, and these are classified below.

Simple entanglement examples are given by Systems 2, 3 and 4 in Fig. 3.1. In these cases, two states are maximally entangled but the other one is separate from them

1 √

2|000i + |011i).

An example of a 3-partite pure entanglement is given by System 9 in 3.1, with 1

√

2|000i + |111i).

All three parties are entangled, but if one is traced out the other two become disen-tangled. The last example of a 3-partite entanglement is given by System 8 in 3.1, with

1 √

3|010i + |100i + |001i).

The three parties are again entangled, but in this case tracing out one of the parties does not eliminate the entanglement between the other two parties.

A mixed entangled state is simply a combination of one or more types of entan-glements. Another means of dealing with mixed states is to purify them and then classify them according to the resulting pure states, as in Fig. 1 for 3-partite sys-tems. Note that, as discussed in the Introduction, they will be entangled states after purification.

The above definitions and discussions provide some insight into the requirements for a proper measure of entanglement. For example, one can say intuitively that the system

1 √

3|010i + |100i + |001i, is more entangled than the system

1 √

2|000i + |111i.

Although both systems have all parties entangled, the first does not become disen-tangled when one of the parties is traced out. A good measure of entanglement must

take this into account.

Let ρ1···nbe an n-partite entangled system in the Hilbert space H1⊗· · ·⊗Hn(note

that the dimensions dim(Hi) need not be equal). If {λi, |ψii} are the eigenvalues and

eigenvectors of ρ1···n_{, then a generic purification for the system is given by}

|ψpurei =

X

i

p

λi|ψii|01· · · 0n−1ini, (3.1)

so that an ancillary qubit |0i is attached to each system except the last where |ii is attached. All other purifications can be derived from (3.1) by applying local unitary transforms. From Theorem 3 in [27], there exists a local equivalent of |ψpurei, say

|ψdecomposei = U1⊗ · · · ⊗ Un|ψpurei,

where |ψdecomposei can be expressed in the form

X i1···in Ci1···in|ψ (1) i1 i · · · |ψ (n) in i,

and {|ψ(r)_i i} is a fixed orthonormal basis for the state space Hr. The Ingarden-Urbanik

(IU) entropy can be used to measure the entanglement, which gives M (ρ) = SIU(|ψdecomposei) = SIU(U1⊗ · · · ⊗ Un|ψpurei) = − X i1···in |Ci1···in| 2 log |Ci1···in| 2 .

Note that |ψdecomposei is locally equivalent to |ψpurei and therefore is just a purification

of ρ1···n. The Schmidt number plays a crucial role in this measure, as the larger the number of terms in the generalized Schmidt decomposition (i.e., the greater the number of nonzero Ci1···in), the larger the IU entropy [23]. This dependency on the

Schmidt number (generalized Schmidt number in this case), is a desirable feature for an entanglement measure because, as discussed in [26], the Schmidt number is related to the amount of entanglement.

3.1.1

Additivity

Consider two systems ρ and σ with n and m parties, respectively. The standard purification of ρ ⊗ σ is |ψpurei =

Pn,m

i,j pλiδj|ψii|φji|0

tensor product of the generalized Schmidt decomposition of ρ and σ is given by X i1···in Ci1···in|ψ (1) i1 i · · · |ψ (n) in i ⊗ X j1···jn C_j0_1···jn|ψ_j(1)₁ i · · · |ψ_j(n)_n i. Using the entanglement measure we have

M (ρ ⊗ σ) = − X i1···in,j1···jn |Ci1···inCj1···jn| 2_{log |C} i1···inCj1···jn| 2 _{= M (ρ) + M (σ),} whereP i1···in|Ci1···in|

2 _{= 1. Therefore the measure is additive. From the above result,}

we also have that M (ρ ⊗ σ) = M (σ ⊗ ρ).

3.1.2

Continuity

The continuity of the measure is considered for states with generalized Schmidt de-compositions which are close. This is because two states ρ and σ may not be close with respect to the trace distance, but their local equivalents, which can be expressed in the form of Schmidt decompositions, can be close. Since our measure is based on these decompositions, we only require the following.

Proposition 2: If the trace distance for the generalized Schmidt decomposition of two arbitrary states ρ and σ is less than 

D(GSD(ρ), GSD(σ)) < , then

|M (ρ) − M (σ)| <  log(N ), where N is the dimension of the Hilbert spaces of ρ and σ.

Proof : This is just a special case of the theorem of Fannes [24].

Another measure is obtained by applying the GSD technique on the pure states and then computing SIU. For the mixed states, instead of purifying and applying

the measure for a state ρ = P

ipi|ψiihψi|ρi, the measure is computed as M (ρ) =

SIU(

√

Proposition 3: The measure M [·] given above is additive.

Proof : The proof is similar to that for the additivity of the first measure based on purification, and therefore is omitted.

As discussed in this chapter, averaging over the pure components of the states has the advantage of properly measuring the separable mixed states, whereas the first measure may not be able to distinguish between pure entangled states and mixed separable states.

3.2

Conclusions

In this chapter, a measure of entanglement was introduced for multipartite entangled systems. This measure is the first of its kind that can be used in analyzing multipartite quantum communication systems.

Figure 3.1: All possible entanglements for a pure 3-partite state. The outer square defines the borders of the isolated system, and each colored line around a set of parties is an entanglement.

Chapter 4

A Practical Approach to Quantum

Bit-Commitment

Practically secure bit-commitment protocols have already been introduced in [14]. In this chapter, we propose a simple scheme using the principles of the well-known Diffie-Hellman key exchange protocol (details of this protocol can be found in [15]). However, we employ multiplication by a unitary transform instead of exponentiation in a multiplicative group modulo a prime. Although this commitment scheme also falls within the category for which entanglement cheating is a proof of insecurity, (since it satisfies the criteria based on the simplified Yao model [16] as described in [7]), it is practically very hard for Alice to cheat. This is due to the fact that building the unitary transform required to apply on her share of the entangled pair is practically infeasible, as will be discussed.

We consider the following binding experiment (BE).

• Alice and Bob share a system HA⊗ HB and a protocol π for which the final

state before the opening phase is ρAB ∈ HA⊗ HB.

• A cheating Alice performs the operation A ⊗ I[ρAB] and reveals b ←R{0, 1} to

Bob. (A is a trace preserving operation).

• Bob then performs the operation (actually a measurement) I ⊗B[ρAB] to obtain

b0.

• The outcome of the experiment is 1 (success) if b = b0 _{and 0 (fail) otherwise.}

quantum operations Alice can perform we have Pr[BE_πA(1n) = 1] ≤ 1₂ + negl(n), where negl(n) is a negligible function of the secrecy parameter n.

Proposition 4: If a protocol is CB then there is no collection of circuits {Qx|x ∈

S} (where S is any string) which can be generated in polynomial time that can approximate the operation A.

Proof : The proof is obvious given the definition.

Achieving CB security is a general task and Alice may employ different approaches in an attempt to compromise the security of a protocol. One important case is an EPR attack by Alice. EPR attacks [7] have been proven to make all quantum bit commitment schemes theoretically insecure. Therefore we introduce the notion of EPR-Computationally Binding (EPR-CB).

Definition: A protocol π is EPR-Computationally Binding (EPR-CB) if for all poly-nomial time quantum operations by Alice, we have Pr[BEA

π(1n) = 1] ≤ 12 + negl(n),

where negl(n) is a negligible function of the secrecy parameter n. Note that Alice is only capable of entangling an ancillary system in the corresponding Hilbert space, and can perform unitary transforms and POVM measurements on her part before the opening phase.

Proposition 5: CB is equivalent to EPR-CB if a cheating Alice can extend any system to a larger system in polynomial time.

Proof : Obviously, any EPR-CB protocol is also CB. It is known that all trace preserv-ing quantum operations on a Hilbert space can be extended to a higher dimensional system in which these operations can be reduced to a unitary transform. Therefore, a cheating Alice can extend a system and then perform a unitary transform. A general CB experiment on a Hilbert space Hn _{is equivalent to a (unitary and POVM)-CB}

experiment on a Hilbert space Hm _{where m ≥ n. Therefore EPR-CB security is}

equivalent to CB security.

Note that this proof is important as it connects the concept of binding to EPR security.

Definition: An ensemble of protocols Π = {π1, · · · , πn} is computationally binding

(CB) if all πi ∈ Π are CB. This definition is needed because if there is only one protocol

for which the bit commitment is CB, a cheating Alice can prepare the necessary circuit for changing the qubit in advance and use it at the time of commitment.

4.1

The Proposed Bit Commitment Protocol

In this section, a new method of bit commitment is presented. With this protocol, each party prepares a secret unitary operator. It is assumed that a quantum channel as well as a classical side-channel are available, as with other bit commitment schemes. The qubits are exchanged through the quantum channel, while the side-channel is used to exchange the secret unitary operators in the opening phase. The proposal can then be described as follows.

• Commitment Phase:

– Bob prepares two previously agreed upon orthogonal states |φ0i, |φ1i, and

applies his secret transform UB on them. He sends these to Alice and tells

her which to use if she wants to commit 0 or 1.

– Alice prepares UA· UB|φ0i or UA· UB|φ1i and sends |φi ∈ {UA· UB|φ0i, UA·

UB|φ1i} back to Bob depending on the bit she wants to share. (where dot

is the standard matrix inner product) • Opening Phase:

– Alice reveals her unitary transform UA to Bob through the classical

chan-nel.

– Bob computes |ψi = UB· UA|φi and checks if it agrees with the committed

qubit.

Note that the secret unitary transforms can be chosen at random from a continuous subset of the unitary group. As an example, we can assume that |φ0i = |0i and

|φ1i = |1i, and UA, UB ∈ {Rx(θ), Ry(θ), Rz(θ)} where Rx(θ) is a rotation about the

4.2

Security and Cheating Strategies

One approach for Alice to attempt to cheat is to apply a unitary transform UAduring

the committing phase but then send V · UA during the opening phase (where V is

another unitary transform), such that when Bob tries to open the commitment he receives a bit other than the one which was committed (say Alice has committed |φ0i

but now wants Bob to open |φ1i). For Alice to be successful in cheating, the following

must be true for the last step of the opening phase

|ψi = UB· V · UA· UA· UB|φ0i = |φ1i ⇒ UB· V · UB = |φ1ihφ0|

This shows that Alice can construct such a transform V only if she knows the secret transform of Bob. By a similar analysis, Bob also cannot determine the state |φii if

he knows UA· UB|φii.

4.2.1

Practical security against an EPR (entanglement)

at-tack

Proposition 6: The proposed protocol is practically secure against an EPR (entan-glement) attack by Alice.

Proof : Let |Ai and |Bi denote the uniform superposition of all possible UA and

UB on |φii. In other words, assuming UA and UB are controlled gates and |Ai and

|Bi the corresponding control registers, we have a register (|Ai or |Bi) which is a superposition of all possible choices of the unitary transformations by Alice and Bob. Considering these registers at the end of the commitment phase, we have

|ψ0i =P_AP_B|BiUAUB|φ0i ⊗ UAUB|φ1i|Ai;

|ψ1i =P_AP_B|BiUAUB|φ1i ⊗ UAUB|φ0i|Ai,

where |ψ0i denotes 0 and |ψ1i denotes 1. In each state, the component on the right side

of the tensor product is possessed by Alice. Now, if the protocol is secure against Bob then the local trace over the system components of Alice must be equal for both |ψ0i

and |ψ1i. As a result, considering the Schmidt decomposition [17], we have a unitary

transform V on Alice’s side which can take values from |ψ0i to |ψ1i. In order for Alice

know a particular choice of UB). The existence of V shows that the protocol is not

theoretically secure, but the two parties can hide their sets of unitary transforms and make the protocol practically secure against an entanglement attack. This protocol is practically secure because in order to construct |Bi one has to construct an arbitrary unitary operation on n qubits to take a state (say |0i) to |Bi. It has been shown that this requires O(n2₄n_(log(n2₄n

 ))

c_{) gates in order to approximate such a transformation}

Chapter 5

EPR Secure Non-relativistic Bit

Commitment Through

Entanglement Breaking Channels

Recall that a bit commitment protocol is called hiding if the probability for Bob to learn the committed value before the opening phase is negligible. In addition, a protocol is called binding if the probability of successful cheating (and therefore passing Bob’s test on the committed bit), is negligible. As discussed above, any possible EPR attack will be thwarted through the use of an entanglement breaking channel.

Entanglement breaking channels are a relatively new concept in quantum informa-tion first introduced in 2010 [28]. The characteristics of two-qubit entanglements are discussed in [29] and [17]. In particular, the local two-qubit entanglement-annihilating channel (2-LEA) is examined in [29]. From [28], a local channel c is called entangle-ment breaking if the output of the channel operating on an entangled state is separa-ble, where separability for a density matrix ρ means ρ =P

ipiρ i

a⊗ρib. It was shown in

[30],[31] that the evolution of any entangled state in a channel (entanglement break-ing channel in this case), is determined by the evolution of a maximally entangled state in the channel. Thus an entanglement breaking channel such as the depolariz-ing channel is able to fully separate maximally entangled states. Such a channel is suitable for the setting in this paper, and therefore is considered below. In the next section, we describe through an example how an entanglement breaking channel can be used to secure the Bennett and Brassard bit commitment scheme [3] against an

EPR attack. In fact, a particular example of using an entanglement breaking channel is the noisy storage model [29]. Intuitively, an entanglement breaking channel must have some form of noisy behavior.

5.1

Entanglement Breaking Channel Bit

Commit-ment

As is typical, we assume Alice is working in a noise free environment, i.e., a perfectly shielded and isolated lab. Therefore the channel which breaks the entangled state ρAB is I ⊗ εc[ρAB], where εc is a local operation. This entanglement breaking

opera-tion must either be applied by Bob through some apparatus he possesses, or by the quantum channel through which Alice sends the qubits to Bob, as shown in Fig. 5.1. The effect of an entanglement breaking channel on a state |ψi is

(|ψihψ|) = qU |ψihψ|Ut+ (1 − q)ρchannel.

In the noisy storage model, this operation is in the form of noise. Such as depolarizing channel is defined in [17] as

(X) = qX + (1 − q)tr[X]1 2I.

The action of the depolarizing channel transforms the qubit to a mixed state, I₂, with probability 1 − q and this channel is an entanglement breaking channel for q < 1₃.

5.1.1

The Protocol

The protocol works as follows: Commitment

Alice

• Alice chooses b ∈ {0, 1}.

• If b = 0, Alice generates a string of length n with elements randomly se-lected from {|0i, |1i}, and if b = 1 she randomly selects from 1

2(|0i + |1i)

Bob

• Bob receives the qubits from Alice and applies the entanglement breaking op-eration (channel) on the qubits.

• Bob measures the result by randomly choosing between the basis for 0 and 1.

Opening Alice

• Alice reveals her committed bit (and the polarization for each qubit). Bob

• Bob checks whether or not the polarization is correct for those qubits that he has measured with the correct basis.

Proposition 7: The bit commitment protocol given above is hiding.

Proof : The proof is straightforward as the Bennett and Brassard scheme is already hiding. After the local operation of the entanglement breaking channel is applied as described above the final density matrices for bits zero and one will be the same.

Proposition 8: The bit commitment protocol given above is binding. The probabil-ity of a successful attack by Alice is at most 2√2 where  is the error rate decided upon by Bob.

Proof : Assume Alice tries to cheat by entangling a state to Bob’s state according to the EPR attack setting given above. After Bob applies an entanglement breaking channel on his own state, the final state shared between Alice and Bob will be a separable state ρ = n X i piρia⊗ ρ i b,

where n is the dimension of this state [28]. Without loss of generality, in order to cheat Alice needs to purify this system and then apply her own local operations. Now

assuming that {λij, |ψAiji ⊗ |ψijBi} are the eigenvalues and corresponding eigenvectors

for each ρi_a⊗ ρi

b, it can then be assumed that Alice purifies the system as n X i n X j ppiλij|jAi|ψijAi|ψ B iji. (5.1)

If the states which Bob expects to receive after applying the entanglement breaking channel are |φ0i and |φ1i, then in order for Alice to successfully cheat, she must change

the state of the system possessed by Bob to |φ_bi =P

iqi|ψ B

i i when b ∈ {0, 1} is sent.

Rearranging (1) with respect to the computational basis of system AB, we have Pn

i ri|αAi i|ψiAi|ψBi i where

P

ir2i = 1. Alice cannot determine the ri as they are based

on the entanglement breaking operation used by Bob. Alice therefore has to choose them at random. Assume Alice employs

|φcheati = A(|ψABi) = " X i r0_i|αA i ihα A i | ⊗ |ψ A i ihψ A i | ! ⊗ IB # |ψABi = m X i r00_i|ψB i i,

where the r0_i are randomly chosen by Alice, and m is the dimension of the system possessed by Bob. If Alice successfully cheats then Bob will, with high probability, measure b where b is the initial committed value. Therefore we have

hφ_b|φcheati =

m

X

i

r_i00qi ≥ 1 − , (5.2)

where  is the error rate decided upon by Bob but limited by the system error rate. For m = 2, we have q1 = q and q2 =p(1 − q2), so that (2) becomes

qr00+p(1 − q2_{)(1 − r}002_{) ≥ 1 − . (5.3)}

The left hand side of (3) equals 1 if r00 = q. Squaring both sides of (3) and neglecting the term 2_{, we have q}2_{+ r}002 _{≥ 2 + 2qr}00_{(1 − ) which gives that}

q −√2 ≤ r00 ≤ q +√2.

Thus the probability of Alice successfully cheating is 2√2, which is proportional to the square root of the error rate. Similar results can be obtained for other values of m. Thus the system is binding.

Figure 5.1: Two possible implementations of the depolarizing channel for bit com-mitment.

Note that the probability of success given in Proposition 8 is an upper bound, so the actual probability may be much lower.

Chapter 6

Conclusions and Future Work

A new universal measure of entanglement was introduced. It is based on extending the idea of purification and then applying a measurement technique on the pure states. The additivity and continuity of this measure were examined. Measuring the pure components of a mixed state instead of employing purification was also considered.

We also proposed a simple but secure bit commitment protocol which is based on the application of secret unitary transforms by each party (Alice and Bob), in succession. Cheating strategies, including EPR cheating, were examined and the system was shown to be effective against these attacks.

It was shown that by using an entanglement breaking channel, the simple Bennett and Brassard bit commitment scheme can be made practically secure against EPR attacks. Security against both Alice and Bob was proven. It was also determined that the noisy storage model is a particular case of the proposed protocol.

One may want to consider developing simpler protocols that can achieve the same level of security. In particular, the protocol designed in Chapter 5 which requires a very large quantum memory.

Bibliography

[1] W. Rudin, Principles of Mathematical Analysis, Third Edition, (1976). [2] S. Lang, Introduction to Differentiable Manifolds, (2004).

[3] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, Proceedings of IEEE International Conference on Computers Systems and Signal Processing, Bangalore, India, pp. 175-179, (1984).

[4] W.K. Wootters and W.H. Zurek, A Single Quantum Cannot be Cloned, Nature 299, pp. 802803, (1982).

[5] D. Mayers, Unconditionally secure quantum bit commitment is impossible, 78, 17, Phys. Rev. Lett., (1997).

[6] D. Mayers, The trouble with quantum bit commitment, Computing Research Repository (CoRR), (1999).

[7] H.-K. Lo and H. F. Chau, Why quantum bit commitment and ideal quantum coin tossing are impossible, 120, no. 12, Physica D: Nonlinear Phenomena, (1998). [8] H.P. Yuen, A simple unconditionally secure quantum bit commitment protocol

via quantum teleportation, arXiv:quant-ph/0305142v3, (2004).

[9] M.-H. Qiang et al., A random number generator based on quantum entangled photon pairs, Chinese Phys. Lett. 21, 1961–1964, (2004).

[10] A. Stefanov et al., Optical quantum random number generator, quant-ph/9907006v1, (1999).

[11] T. Jennewein et al., A fast and compact quantum random number generator, quant-ph/9912118v1, (1999).

[12] J. F. Dynes et al., A high speed, postprocessing free, quantum random number generator, Appl. Phys. Lett. 93, (2008).

[13] M. Fiorentino et al., Secure self-calibrating quantum random-bit generator, Phys. Rev. A 75, (2007).

[14] A. Danan and L. Vaidman, Practical quantum bit commitment protocol, Quan-tum Information Processing, (2012).

[15] A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, (1996).

[16] A. C.-C. Yao, Security of quantum protocols against coherent measurements, Proc. ACM Symp. on Theory of Computing, (1995).

[17] M.A. Nielsen and I.L. Chuang, Quantum Computation and Quantum Informa-tion, Cambridge University Press, (2000).

[18] M. B. Plenio and S. Virmani, An introduction to entanglement measures, arXiv:quant-ph/0504163v3, (2005).

[19] J. Eisert and M. B. Plenio, Introduction to the theory of continuous-variable entanglement, Int. J. Quant. Inf., (2003).

[20] P. Facchi, G. Florio, G. Parisi, and S. Pascazio, Maximally multipartite entangled states, Phys. Rev. A, 77 (6), 060304 (2008).

[21] A. Ac´ın, A. Andrianov, L. Costa, E. Jan´e,1, J. I. Latorre, and R. Tarrach, Gen-eralized Schmidt decomposition and classification of three-quantum-bit states, Phys. Rev. Lett., 85 (7), 1560–1563 (2000).

[22] C. Sabin and G. Garcia-Alcaine, A classification of entanglement in three-qubit systems, Eur. Phys. J. D, 48(3), 453–442 (2008).

[23] R. Spekkens, and J. Sipe, A modal interpretation of quantum mechanics based on a principle of entropy minimization, Foundations of Physics, 31, 1431-1464 (2001).

[24] M. Fannes, A continuity property of the entropy density for spin lattice systems, Commun. Math. Phys. 31(4), 291–294 (1973).

[25] B. M. Terhal, M. Horodecki, D. W. Leung, and D. P. DiVincenzo, The entangle-ment of purification, J. Math. Phys., 43(9), 4286–4298 (2002).

[26] J. Sperling and W. Vogel, The Schmidt number as a universal entanglement measure, Phys. Scr., 83, 045002 (2011).

[27] H. A. Carteret, A. Higuchi, and A. Sudbery, Multipartite generalization of the Schmidt decomposition, J. Math. Phys., 41, 7932–7939 (2000).

[28] L. Moravˇc´ıkov´a and M. Ziman, Entanglement-annihilating and entanglement-breaking channels, Journal of Physics A: Mathematical and Theoretical, 43, 27, 275306, 2010

[29] S. N. Filippov, T. Rybar, M. and Ziman, Local two-qubit entanglement annihi-lating channels, arxiv.org/pdf/1110.3757, (2011).

[30] T Konrad et al, Evolution equation for quantum entanglement, Nat Phys, Vol. 4, No. 4., pp. 99-102, (2008).

[31] Z.-G. Li et al, Evolution equation of entanglement for bipartite systems, Phys. Rev. A, 024303, 79, (2009).