Quantum Key Distribution Using Equiangular Spherical Codes Joseph M. Renes Department of Physics and Astronomy, University of New Mexico, Albuquerque, New Mexico 87131–1156, USA [email protected] Mutuallyunbiasedbaseshavebeenextensivelystudiedintheliteratureandaresimpleandeffec- tive in quantum key distribution protocols, but they are not optimal. Here equiangular spherical codes are introduced as a more efficient and robust resource for key distribution. Such codes are setsofstatesthatareasevenlyspacedthroughoutthevectorspaceaspossible. Inthecasethetwo partiesusequbitsandfacetheintercept/resendeavesdroppingstrategy,theycanmakeuseofthree equally-spaced states, called a trine, to outperform the original four-state BB84 protocol in both 4 speed and reliability. This points toward theoptimality of spherical codes in arbitrary dimensions. 0 0 PACSnumbers: 03.67.Dd,03.67.Hk,03.67.-a 2 n a The possibility of secure key distribution using quantum presented in a subsequent paper [6]. J states is by now a well established feature of quantum Recall the general setting of quantum key distribu- 4 informationtheory. Intheoriginal1984proposalofBen- tion. Two parties, Alice and Bob, wish to make use of 1 nett and Brassard (BB84) [1], four states of a spin-1/2 an authenticated public classical channel and an inse- 2 system, the eigenstates of σz and of σx, are used as sig- cure quantum channel controlled by an adversary Eve v nals by the sender Alice. These states are naturally par- to establish a secret key for the purposes of encrypt- 6 titioned into two orthonormal bases from which the re- ing and sharing other data. They start with a sequence 0 ceiver Bob chooses one at random to measure the sig- of samples from a given tripartite probability distribu- 1 nal. Because the bases are unbiased—i.e., the overlap tion shared between the three parties. Alice and Bob 1 between vectors from distinct bases is always the same, then proceed to “distill” the key by sharing informa- 1 3 equal to 1/2 for qubits—Bob learns nothing when his tion based on their individual sequences over the clas- 0 measurement doesn’t correspond to Alice’s preparation, sical channel. How exactly this distillation is achieved / but everything when it does. The nonorthogonality of is an information-theoreticproblem. However,for eaves- h p the states allows Alice and Bob to detect eavesdropping dropping strategies in which Eve doesn’t directly make - by an adversaryEve, so the states form an uncondition- use of the distillation information, how the probability t n ally secure cryptographic protocol [2]. distribution arisesin practice andwhat distributions are a One more unbiased basis, the eigenvectors of σ , can at all possible are purely questions of physics, and these u y beaddedtotheBB84set,forminganewsix-stateproto- questions are addressed in this paper. q : col[3]. Unbiasedbasescanbefoundinhigherdimensions The probability distribution arises from using the v aswell[4],andthekeydistributionprotocolhasbeenex- quantum channel to send quantum information. Alice i X tended to such cases, with increasing dimension leading sendsquantumstatesdrawnfromacertainsignalensem- r to improved security [5]. In these analyses, however,the ble through the channel to Bob, who performs a specific a securityisnotprovedtobeunconditional,sinceonlypar- measurement(in the case of signaling states drawn from ticular eavesdropping attacks are studied. mutually unbiased bases, the severalmeasurement bases Unbiasedbaseshavebeenthecornerstoneofkeydistri- Bob chooses from for his measurement are here amalga- butionschemes. Butaretheyoptimal? Forsimpleeaves- matedintoasinglePOVMmeasurement). AliceandBob dropping strategies, I show here in the qubit case that fix the signal ensemble and the measurement using the they are not, suggesting that they are not optimal for public channel. Eve is free to exploit this information unconditionaleavesdroppingattackseither. Theanalysis to mount an attack on their protocol, using her control here is basedona moreefficientandrobustsetofstates, of the quantum channel; she can in principle subject the the equiangular spherical codes, also known as Grass- signal states to any physical interaction that she wishes. mann frames. Analysis of the qubit case reveals a key Alice and Bob’s goalis to exploit the quantum nature of distribution protocol based on three states having equal the channel to make Eve’s eavesdropping ineffective. overlap, the trine ensemble, which is both faster and The relevantprobabilitydistributionis the jointprob- more secure than the BB84 protocol when subjected to ability p(a ,b ,e ) of Alice’s signal, Bob’s measurement i j k two simple eavesdropping attacks, intercept-resend and result, and the result of any measurement Eve performs cloning. This provides compelling evidence that spher- in the course of eavesdropping. Repeated use of the pro- ical codes can outperform their unbiased cousins. An tocol yields a sequence of samples drawn from this dis- analysis of spherical codes in higher dimensions will be tribution. Alice and Bob, however,must establish which 2 distribution they are sampling from, as it depends on TofindalowerboundfortheminimumofV2,letλjk = 2 Eve’s attack. Typically, Eve has some physical setup φ φ , andemploy the same method again. We have j k |h | i| whichcangiverisetomanydifferentdistributionsasshe immediately that j6=kλjk = V1−n = n(n−d)/d and changes the strength of her interference with the chan- j6=kλ2jk = V2−nP, whence the minimum of V2 over all nel. Givenanassumptionofthetypeofattack,Aliceand sets minimizing V1 is bounded below by making all the BobdeterminetheextentofEve’sinterferencebymaking λP the same and given by Eq. (2). When this lower jk publicandcomparingafractionoftheAlice’ssignalsand bound is achieved, i.e V2 =n2(n 2d+d2)/(n 1), the − − Bob’s measurement results. Knowing the distribution p, result is a Grassman frame. they can distill a key of length MR from the remaining The existence of Grassmann frames isn’t known for M samples in accordance with the bounds arbitrary n and d, though some general statements can be made [12]. They alwaysexist for n=d+1 (a regular IE R I(A:B E), (1) simplex), but never when n > d2. For n d2, when ≤ ≤ | ≤ a Grassman frame exists, it is a spherical code, but for where I(X:Y)=H(X)+H(Y) H(XY) is the mutual 2 − n>d , spherical codes aren’t equiangular. informationofX andY,H()beingtheShannonentropy, · By minimizing V1, Grassmann frames automati- and I = I(A:B) min I(A:E),I(B:E) . The lower E − { } cally form measurement POVMs, which can be used bound obtains when the key is distilled using one-way by Bob to detect Alice’s signal. This is true be- communication [7]; to progress beyond this requires a cause S = φ φ = (n/d)I, so that a POVM technique called advantage distillation, though this is of k| kih k| can be constructed from the subnormalized projectors limited efficiency [8, 9]. P (d/n)φ φ . To see this, fix an orthonormal basis k k These bounds provide a method of investigating the | ih | e and consider the matrix T = e φ . The k jk j k cryptographic usefulness of a signal ensemble. Given a {| i} h | i Gram matrix can be written as G = (T†T) , while jk jk signalensemble,Bob’smeasurement,andanassumption S =(TT†) ,sobothhavethesameeigenvalues. When jk jk about the nature of Eve’s attack, the probability distri- V1 isminimized,thesedeigenvaluesarealln/d,implying butioncanbe calculated,andthe keyratebounds deter- that the vectors form a resolution of the identity. mined. In this way the security of the protocol against Such sets are appealing because they are the sets that this attack is established. To say that a protocol is un- are “least classical” in the following sense [13]. Con- conditionallysecureistodemonstrateitssecurityagainst sider using these quantum states as signals on a clas- all possible attacks. sical channel as follows. Instead of sending the quantum The focus now turns to Alice’s signal ensemble and state, Alice performs the associated measurement and Bob’smeasurement. Anintuitivelyappealingensembleis communicates the result to Bob using a classical chan- aspherical code,acomplex-vector-spaceversionofpoints nel. Bob then prepares the associated quantum state at onaspherewhoseminimalpairwisedistanceismaximal. his end. The fidelity ofBob’sreconstructionwiththe in- Thecomplexversion,calledtheGrassmannpackingprob- putstate,averagedoverinputsandmeasurementresults, lem, asks for a set of unit vectors in Cd whose maximal measures how well the classical channel can be used to pairwise overlap is minimal [10]. When all these pair- transmit quantum information. This fidelity is dV2/n2, wiseoverlapsareequal,thisequiangular sphericalcodeis so among all ensembles which themselves form POVMs, calledaGrassmann frame;i.e.,aset = φ Cd n C {| ki∈ }k=1 Grassmann frames are hardest to transmit “cheaply” in for n d is a Grassmann frame if ≥ this way. Eavesdropping on the communication between n d Alice and Bob makes the channel more classical—Eve is 2 φj φk = − j=k. (2) essentiallytryingtocopythesignal—soonemightexpect |h | i| d(n 1) ∀ 6 − that Grassmann frames are useful in foiling the eaves- Grassmann frames also arise as the solution to the dropper. “minimum energy problem.” For a set of unit vectors For the case of qubits, there are only two equiangular , call V ( ) = φ φ 2t the t-th “potential en- spherical codes, the trine and the tetrahedron. These C t C j,k|h j| ki| ergy”ofthesetofthevectors[11]. Theminimumenergy are named after their Bloch-sphere representation: the P problem is to find having n d elements such that trineisasetofthreeequally-spacedcoplanarvectors,and V1 = n2/d and V2 iCs minimized≥. Note that n2/d is the the tetrahedron is the familiar regular simplex in three globalminimumofV1. This followsfromconsideringthe dimensions. Here we use the following representation of (atmost)dnonzero(real)eigenvaluesγ oftheGramma- the trine states: j TtrhixesGejbke=inhgφjt|hφekie.quCaletaiornlys forkaγkp=lanneanadnd aksγpk2h=erVe1,(tCh)e. φ = e2πij/3 0 +e2πij/3 1 , j =0,1,2. (3) j P P | i √2 | i | i minimumofV1occursifandonlyifalltheγk areequalto (cid:16) (cid:17) n/d,whence V1 is boundedbelow byn2/d. Thus whatis The task now is to determine key rate bounds for the soughtis the setofvectorswith the minimum V2 energy, trine protocol and to compare with the original BB84 given minimum V1 energy. scheme. Generically, Bob uses the same Grassmann 3 frame to measure as Alice uses to signal. Such a mea- positive for allvalues of q. Cloning every signalprovides surementattemptstoconfirm whichstateAlicesent. For Eve as much information as Bob about Alice’s string, qubits, however, Bob can construct an “inverted mea- as the cloning procedure turns out two copies of equal surement”fromthestates φ thatareorthogonaltothe quality. However,Alice’s informationaboutBob’s string j | i trinestates;thismeasurementattemptstoexclude oneof is still greater than Eve’s, so they may use that string the possible signal states. Bey so doing, he increases the as the starting point for key distillation. By computing mutual information of his outcomes with Alice’s signals, the bounds from equation 1 it is easily verified that the thus improving the prospects for creating a key. This trine ensemble offers higher key generation rates, but as strategy doesn’t work in higher dimensions, as the or- cloning is a very weak attack, this conclusion is of little thogonalcomplement of a signal state isn’t a pure state. force. Two eavesdropping attacks are considered here, the The focus now shifts to the intercept-resend attack. cloning attack andthe intercept-resendattack. Bothare Thisissimilartosplicingaclassicalchannelintoaquan- single-system,incoherent attacks,asopposedtothemost tum channel, as described above. Eve receives Alice’s general many-system, coherent attacks. One feature of signal, measures it, creates a new quantum state based generic attacks is Eve’s ability to control the interaction onthatmeasurement,andsendsitontoBob. Duetothe strength of her probe with the signal. To mimic this symmetryofinversionbetweenAliceandBob’sstatesit’s featureintheseschemes,Eveinterceptsonlyafractionq best for Eve to include in her measurement both ensem- of the signals, allowing the rest to pass unmolested. bles. This ensures that her mutual information with Al- Now consider the two attacks in turn. The cloning at- iceisthesameaswithBob. Uponobservingaparticular tackissimple: Eveattemptstoclonetheincomingsignal result, she simply leaves the system in the correspond- state as best she can and then makes the same measure- ing state; thus the joint distribution when q =1 is quite ment as Bob on her probe. She implements the unitary simple: operator U acting on the signaland her probe state, ini- tially in the state 0 , which maximizes the average fi- 2 φ φ 2 φ φ 2 0 k 2 tdhealittyall sjta|htφejs,aφrje|Uc|l|oφinje,d0ie|2q/una,llsyubwjeelcl.tItfoEthvee’scoantstatrcakinist p(ai,bj,ek)= 27( ||hhφii||φekkii||2||hhφekk||φejjii||2 k≤≤3≤≤5 (7) P notsymmetricinthissense,AliceandBobmightbeable Again, for varying q, the probabilityedistribution simply to improve their detection by exploiting the asymmetry. includes an extra value that occurs when Eve doesn’t The resulting distribution for a clone attack is simply intercept the signal. From this distribution it is easy to calculatethekeyrateboundsandtherateEofadditional 4 p(a ,b ,e )= φ ,φ U φ ,0 2 . (4) errors,due toEve’sattack,whichAlice andBobobserve i j k j k i 27|h | | i| when comparing samples using the public channel. Con- Todescribevaryingq,Eve’sreandeomvariableincludesan sidering the key rate R as a function of the error rate E additional value which occurs when she does not imple- enables a comparison with the same quantities derived mentU,inwhichcasetheexpressionforthedistribution from the BB84 protocol. Figure 1 shows the upper and is the same, but with I replacing U. A numerical max- lowerkey generationratebounds for the trine andBB84 imization of U for the trine and the four states of the protocolsasafunctionoferrorrate. Byhavingonefewer BB84 protocol was carried out using Mathematica’s im- outcome, the trine is inherently better at information plementation of the simulated annealing algorithm. The transfer between the parties. The lower bound, which trine result is is more relevant for realistic implementation, shows that thetrineisalsomuchmoresecure,toleratingroughly9% 0 0 0 √2 error. 1 1 1 0 0 Note that in this analysis, the usual first step in the U = , (5) √2 1 1 0 0 BB84protocol,i.e.,sifting overthe public channeltode- − 0 0 √2 0 termine when Bob’s measurement basis matches Alice’s signal basis, cannot be performed for the trine, as there for a fidelity of (1+√2)/4. For BB84, the 1 σz eigen- is nothing like different bases. Strictly speaking, sifting ± states are cloned to belongs to the key distillation phase of the protocol, so it is appropriate to exclude it here. 1 (2 √2)00 i√2(01 + 10 )+(2 √2)11 , (6) This analysis strongly suggests that the trine-based 4 ± | i∓ | i | i ∓ | i (cid:16) (cid:17) protocol might be much more useful for key distribution and the other two clonedstates are obtainedby the pos- than BB84, but this conclusion is not firm, as the two itive and negative superpositions of these states. Some- attacksconsideredareinsufficientlygeneral. Itisknown, what surprisingly, the cloning fidelity for BB84 is the however,fortheBB84protocolthattheintercept-resend same as for the trine. More surprisingly, cloning is use- attack is nearly optimal [14], so it is quite reasonable lesstoEveinbothcases,sincethelowerkeyrateboundis to expect the analysis here to be indicative of the more 4 R Key Rate vs Error Rate intercept-resend analysis to higher dimensions is simple, if tedious, and is done in detail elsewhere [6]. The result Trine is the same: in every dimension, a suitable Grassmann 0.5 frame can be found to outperform the unbiased bases in both speed and reliability. 0.4 Physicsdictates the distributionsthatcanbe realized, 0.3 and information theory determines how to distill a key from the data drawn from the distribution. It is impor- 0.2 BB84 tant to remember that distillation is relatively straight- forward when using unbiased bases. After making many 0.1 measurements, Alice and Bob sift the data to determine inwhichcasestheyhaveselectedthe samebasis. Absent E 0.025 0.05 0.075 0.1 0.125 0.15 any eavesdropper, this creates a key, and if errors are present they can employ a simple privacy amplification FIG.1: Upper(solid) andlower (dashed)keyrateboundsas schemetoensuresecurity. First,theydeterminetheerror afunctionoferrorrateforthetrine-basedandBB84protocols rateofBob’sdata,andknowingthis,theycreateasecret subjecttotheintercept-resendattack. Foreachprotocol, the key that Eve has vanishingly small probability of know- bounds emanate from the same point on the vertical axis at ingsimplybytakingtheEXCLUSIVE-ORoflargeblocks zeroerror(noeavesdropping)anddropdowntozerokeyrate of the data. When using equiangular sphericalcodes, no at thelargest tolerable errorrateonthehorizontalaxis. The trine is both faster (higher key generation rate) and more such simple key distillation protocol is available. robust (highertolerable error) than the BB84 protocol. The author acknowledges helpful input from C. M. Caves, A. J. Scott, and K. K. Manne. This work was supported in part by Office of Naval Research Grant No. N00014-00-1-0578. general case. Recently a strong relationshipbetween secure key dis- tributionandentanglementhasbeenidentifiedbyconsid- ering a coherent version of these “prepare-and-measure” protocols. Instead of preparing a state and sending it to [1] C. H. Bennett and G. Brassard, in Proceedings of the Bob for measurement, Alice prepares a bipartite state, IEEE International Conference on Computers, Systems, ostensibly entangled, and sends half to Bob. Each party and Signal Processing (IEEE, New York,1984), p.175. then measures his or her half, returning the protocol to [2] D. Mayers, quant-ph/9802025. the original picture. In this setting both the upper and [3] D. Bruß, Phys. Rev.Lett. 81, 3018 (1998). lower key generation rate bounds can be translated into [4] W. K. Wootters and B. D. Fields, Ann. Phys. (N.Y.) 191, 363 (1989). questionsofentanglementandnonlocality. Fromtheup- [5] N. J. Cerf, M. Bourennane, A. Karlsson, and N. Gisin, perbound,itfollowsthatsecurekeydistributionispossi- Phys. Rev.Lett. 88, 127902 (2002). bleifthecorrespondingcoherentprocessleavesAliceand [6] J. M. Renes, “Spherical Codes in Quantum Information Bob with a state which is one-copy distillable [15, 16]. Theory”, in preparation. From the lower bound, it follows that key distribution is [7] I. Csisz´ar and J. K¨orner, IEEE Trans. Inf. Theory, IT- possible if the bipartite state violates some Bell inequal- 24, 339 (1978). ity [17]. [8] U. M. Maurer, IEEE Trans. Inf. Th. 39, 733 (1993). [9] N. Gisin and S.Wolf, Phys. Rev.Lett. 83, 4200 (1999). Equiangularsphericalcodesfitnicelyintothispicture, [10] T. Strohmer and R. Heath, Appl. Comp. Harm. Anal. astheycanalwaysberealizedfrommaximallyentangled 14, 257 (2003). states. Thus they start on the same footing as unbiased [11] J.J.BenedettoandM.Fickus,Adv.Comput.Math.18, bases, for which this is also true. To demonstrate this, 357 (2003). consider a spherical code = φ and a “conjugate” [12] J. M. Renes, R. Blume-Kohout, A. J. Scott, and k C {| i} code ∗ = φ∗ formed by complex conjugating each C. M. Caves, quant-ph/0310075. codesCtatein{|thkei}standardbasis. Thenitisasimplemat- [13] C. A. Fuchs and M. Sasaki, Quant. Info. Comp. 3, 377 ter to show that Φ =(√d/n) φ φ∗ is maximally (2003). | i k| ki| ki [14] C. A.Fuchset al.,Phys.Rev.A 56, 1163 (1997). entangled. Thus if Alice prepares this state and sends P [15] A.Ac´in,L.Masanes, and N.Gisin, Phys.Rev.Lett. 91, the second half to Bob, they can realize the “prepare- 167901 (2003). and-measure” scheme by measurement. [16] M. Curty, M. Lewenstein, and N. Lu¨tkenhaus, The performance of the trine-based protocol estab- quant-ph/0307151. lishes the usefulness and suggests the superiority of [17] A. Ac´in, N. Gisin, L. Masanes, and V. Scarani, Grassmann frames for key distribution. Extending the quant-ph/0310166.