Professional Documents
Culture Documents
Lecture13 14
Lecture13 14
Now that the basic formalism of quantum information has been introduced, we are in a position
to discuss the applications of quantum information theory. We will introduce three applications:
(i) quantum communication (Chapter 3), (ii) quantum computing (Chapter 4), and (iii) quantum
metrology (Chapter 5).
1 Introduction
This chapter deals with applications of quantum information theory in the context of communi-
cation. It is divided into three parts: the first (and present) one is about cryptography: how to
use quantum physics to achieve secure communication. The second is about complexity: how to
use quantum physics to solve some communication tasks efficiently. The last one is about how to
overcome the problems of decoherence in quantum communication.
Encoding and decoding Given the plain text, represented by x, the encoding is obtained by
applying some function y = Ek (x). This function may depend on some parameter k, called the
key. The decoding is obtained by applying another function, Dk (y), which may also depend on
the key. Ideally, Dk [Ek (x)] = x so that Bob can recover the plaintext, while it is difficult for Eve
to apply such a function (for instance, if she does not know the key).
Plaintext Plaintext’
Eve (attacker)
Key K Key K
Encryption Decryption
Ciphertext Ciphertext’
Texts to bits conversion Typically, plaintext is text, like ABCDE, but the messages that go
through the channel are bits, like 00011. Therefore one must first convert text to bits. This can
be accomplished by creating a look up table/dictionary that convert each letter in the alphabet to
different numbers.
A→0 →00000
B→1 →00001
(1.1)
··· → ··· →···
Z → 25 →11001
Cryptosystem A set of algorithms that generate key, encrypt plaintext to ciphertext, and decrypt
ciphertext.
1
Chapter 3.1 Quantum Information (WiSe 22/23)
Cryptanalysis The study of methods to obtain plaintext from ciphertext without the key.
Traditional methods Cryptographic methods have been known since long ago. For example,
the Spartans used simple transposition methods to send secret messages, whereas Romans used
substitution methods.
• Transposition: It consists of changing the place (transposing) of the letters that compose the
message. For example, one can exchange consecutive letters: COLD→OCDL.
• Substitution: It consists of changing the order of the letters that compose the alphabet.
For example, Ek (x) = x + 3 mod 26 transforms A→D B→E, C→F, etc. In this case,
COLD→FROG.
Security These methods are not secure. For example, it is well known that the frequency of
appearance of a given letter in any intelligible text is more or less constant. This means that if Eve
takes the message (which is supposed to be long) and compares the relative frequency appearance
of the signs with the standard tables, she can decode the message. Therefore, these methods have
been abandoned, and people turned to modern cryptography.
• for any x ∈ S, it is “easy” to compute f (x). By easy we mean that the computational time
grows as a polynomial function of the number of digits of x. For instance, multiplying x by 5
is easy since the number of operations (and thus the computational time) only grows linearly.
• given y = f (x) ∈ T , it is “difficult” to obtain the inverse x. By difficult we mean that
the computational time grows faster than any polynomial of the number of digits of y. For
instance, finding a non-trivial factor of y is difficult.
Encryption and decryption The idea is to use for Ek (x) a one-way function, so that Eve cannot
invert and get the message. Bob, however, knows some extra information (which is stored in the
key) that allows him to invert the function, i.e., such that Dk (y) is also easy.
Computational security All practical public-key cryptosystems are based on functions that are
believed to be one-way, but no function has been proven to be so. In fact, it is not known whether
such functions do exist. Hence, the security of public-key cryptosystems is based on the belief that
there is no fast algorithm to solve a certain problem, like factorization. That is, its security is
based on an unproven computational assumption. If there would be a mathematical breakthrough,
i.e., an algorithm will be discovered that can compute the inverse function easily, or once we have
a device (like a quantum computer) that is able to do that, these systems would be insecure and
useless.
Quantum methods Quantum computing may threaten the security of the cryptosystem if f can
be computed efficiently with a quantum computer. This calls for new cryptography methods. Two
directions have emerged: post-quantum cryptography and quantum cryptography. Post-quantum
cryptography uses one-way functions that are believed to be difficult to compute even on quantum
computers. Here we will cover the second one, although before that we will give more detailed
information about some classical cryptosystems that are widely used.
2
Chapter 3.1 Quantum Information (WiSe 22/23)
where the symbol ⊕ represents addition modulo 2. She sends the encrypted message y to Bob,
who decrypts it using the key, as
Dki (yi ) = yi ⊕ ki . (2.2)
Security Since the key is random, for somebody who does not know the key, xi ⊕ki are completely
random. Additionally, Dki [Eki (xi )] = xi . The assumptions for security are: (i) the key must be
random; (ii) the key cannot be reused (this is why it is called a one-time pad); (iii) the key has to
be as long as the plaintext; (iv) nobody else apart from Alice and Bob should know the key.
Key distribution The problem is that Alice and Bob have to know the key in advance, and
therefore they have to communicate to establish this key. This process is called key distribution.
In principle, there are two ways of achieving that, but none of them is completely secure.
• Use a private channel (safe courier): This may not always be secure because somebody may
intercept the communication.
• Use mathematical methods: Public key cryptography was introduced in 1976. The idea is to
use a private channel, which Eva can also access, but to encode the information containing
the key using one-way functions. This method, as mentioned above, is based on unproven
mathematical assumptions. In the next section, we will give a particular method to achieve
that.
Modular exponentiation Given x, y, and a prime number, p, each of them with r or less (binary)
digits, the modular exponentiation compute
xy mod p. (2.3)
we just have to compute at most r products, and thus this can be done efficiently. Therefore, the
modular exponentiation function can be computed efficiently.
3
Chapter 3.1 Quantum Information (WiSe 22/23)
Discrete logarithm The inverse of the modular exponentiation function is the discrete logarithm.
Note xy = z gives logx z = y. Given x, z and a prime p, the discrete logarithm yields an integer 0 ≤
y ≤ p such that xy mod p = z. We write y = logx z mod p. This operation is “difficult”, because
the best existing algorithm has a computational time that increases faster than any polynomial in
r.
Diffie–Hellman Protocol Alice and Bob agree on a large prime number p and another number
x with approximately has the same number of digits. Since they do that publicly, these numbers
are also known to Eve. Additionally, Alice generates a large random number y that is only known
to her, and Bob does the same with z. Alice computes A = xy mod p and sends it to Bob. He
computes B = xz mod p and sends it to Alice. Then Alice computes B y mod p and Bob Az
mod p. It turns out that these two numbers coincide K = B y mod p = Az mod p, which will be
taken as the key. Since y and z are random, K is also random. Eve only knows x, p, A, B. If she
wants to get K, she must compute a discrete logarithm (of A or B). But this is difficult, so that
the Diffie–Hellman protocol delivers the required security.
B = xz mod p
Alice Bob
A=x y
mod p
Private y Private z
K := (xz )y mod p Eve K := (xy )z mod p
One-way functions These are some examples of other one-way functions that are used in classical
cryptography:
(1) Discrete logarithm (used in the Diffie-Hellman protocol above).
(2) Factoring (used in RSA, another public-key cryptosystem).
(3) Ecliptic curves (used in other protocols).
(4) Short lattice vectors.
(5) Learning with errors.
Since there exists an efficient quantum algorithm for computing discrete logarithm and factoring,
and solving elliptic curves, RSA and Diffie-Hellman protocol are not considered secure if one has
a quantum computer. For the last two, no efficient quantum algorithms exist, and thus they are
candidates for post-quantum cryptography.
Protocols There are many protocols in quantum key distribution. Here we will cover the first
two, which are widely used nowadays.
4
Chapter 3.1 Quantum Information (WiSe 22/23)
Idea Alice is sending Bob some qubits in superpositions and Bob will measure them in some
random basis. If the superposition turns out to be an eigenstate of Bob’s observable, then Alice
and Bob will know what state they had and with that they can establish the key. If Eve tries to
measure any qubit to get that information, she will distort the superposition and thus Alice and
Bob will be able to find out.
Procedure:
(1) Preparation and transmission: Alice prepares a set of qubits in states chosen randomly among
the set S = {|0iz , |1iz , |0ix , |1ix }, where |0iz and |1iz are the eigenstate of the σz operator,
and |0ix and |1ix are the eigenstate of σx . Thus, for each qubit Alice chooses randomly the
value of the qubit (0 or 1) and the basis (Z or X). She sends these qubits to Bob.
(2) Measurement: For each of the qubits received, Bob chooses randomly among Z and X,
and correspondingly he measures either (1 − σz )/2 or (1 − σx )/2, assigning 0 and 1 to the
outcomes.
(3) Public discussion: Bob announces publicly the value (Z or X) he has chosen for each of the
qubits, without saying the outcome of the measurement. Then, Alice announces publicly for
each qubit if that value coincides with the one she has used in her preparation. If they are
the same, they keep the value of the bit (0 or 1). Otherwise, they discard it. Note that in
the first case, the value of the bit will be the same for Alice and Bob, since the preparation
and the measurement was in the same basis. Thus, these bits will be the basis of the random
key.
(4) Authentication: Bob announces publicly the result of part of the measurements they kept,
and Alice says if they coincide with her values for each of them. If nothing happened, they
should coincide. Thus, if they do not coincide, then they will suspect that somebody (or
something) has interfered in the communication. The publicly announced bits are discarded
because Eve can also listen to that communication. The surviving bits will be the basis of
the key.
a b c d e f g h i j
1 0 σx |0ix σz 0
2 1 σx |1ix σx 1 OK 1
3 1 σz |1iz σx 1
4 1 σz |1iz σz 1 OK 1 OK
5 0 σx |0ix σx 0 OK 0
6 0 σz |0iz σx 1
7 1 σx |1ix σx 1 OK 1 OK
8 0 σz |0iz σz 0 OK 0 OK
9 1 σz |1iz σx 1
10 0 σz |0iz σz 0 OK 0
Table 1: An example of the BB84 protocol. Here: (a) qubit; (b) Random bit selected by Alice; (c)
Random operator selected by Alice; (d) State sent by Alice; (e) Random operator selected
by Bob; (f) Bob’s result of the measurement (0 if measures −1 and 1 if he measures 1);
(g) result of the public discussion; (h) Authentication; (i) result of the authentication; (j)
Key.
Example
5
Chapter 3.1 Quantum Information (WiSe 22/23)
Eavesdropping If Eve tries to obtain the key, she will have to make measurements. Then, she
will disturb the state, and the authentication will tell Alice and Bob of the presence of Eve. The
important point here is that Eve does not know the operators selected by Alice and Bob until Bob
performs the measurement and publicly announces it. For example, imagine that Alice prepares
the qubit in the state |1ix (7–th qubit in the table). Consider the following two cases: (a) If Eve
happens to measure σx , then she will measure 1 and will send again the state |1ix to Bob; in that
case, Alice and Bob cannot tell anything about the presence of Eve; (b) On the contrary, if she
happens to measure σz then she will obtain 1 or 0 with probability 1/2. If she obtains 1, she
will send the state |1iz to Bob, which is not the one sent by Alice. Therefore, in the process of
authentication there is a probability 1/2 that Alice and Bob check that there is an error. Analogous
conclusions apply if Eve measures 0. The probability for Eve to be detected if she measures every
qubit using this procedure is 1 − (3/4)N if Alice and Bob use N qubits in the authentication.
Idea Alice and Bob share pairs of qubits prepared in the Bell state
1
|Ψ− i = √ (|01i − |10i). (3.1)
2
The idea is that if they measure one of these pairs along the same direction (that is, measure the
same σ~n , the result will be completely random but also correlated. That is, if one obtains −1 the
other one will obtain 1 and vice versa. Thus, they can establish the key by simply taking −1 → 0
and Bob applying an extra NOT operation 0 ↔ 1. They can announce some results. If these
results are not the same, then somebody (something) must have interfered with the communication.
Even better, with the results they can test CHSH inequalities. If the results violate the CHSH
inequalities, they can be confident that nothing has happened and the key is secure.
Procedure
(1) Preparation and transmission: A source emits pairs of qubits in the state Ψ− . The particles
fly apart towards the two legitimate users of the channel (Alice and Bob).
(2) Measurements: Alice and Bob perform measurement of Pauli operators along three different
directions given by unit vectors ~ai for Alice and ~bj for Bob (i, j = 1, 2, 3). Both ~ai and ~bj
vectors lie in the x − z plane, and characterized by azimuthal angles φa1 = 0, φa2 = 41 π, φa3 =
2 π and φ1 = 4 π, φ2 = 2 π, φ3 = 4 π. They use choose these orientations randomly and
1 b 1 b 1 b 3
Eavesdropping Any attempt of Eve to measure or modify the singlet states will √ disturb them,
and therefore S will decrease (for the set of measurements described above S = 2 2 only occur
for a singlet state; otherwise, it is smaller).
6
Chapter 3.1 Quantum Information (WiSe 22/23)
Similarities The BB84 and E91 protocols for quantum public key distributions are somehow
similar. In fact, one can view the E91 protocol as follows: if Alice measures along the z direction
and obtains |0iz (|1iz ), then Bob’s particle will be projected onto the state |1iz (|0iz ). If Alice
measures along the x direction and obtains |0ix (|1ix ), then Bob’s particle will be projected onto
the state |1ix (|0ix ). Therefore, Alice can prepare the sequence of random states as in the BB84
form by performing appropriate measurements on singlet pairs.
Bit error rate (BER) Let us consider the subset of bits Alice and Bob kept after the public
discussion. The bit error rate is the number of them that are different divided by the total number
of such bits. In the authentication, they will be able to estimate the value of the BER by sacrificing
a small portion of those bits.
Eve’s probability of guessing Similarly, if Eve has intercepted the communication, she will have
a guess for the value of each bit. This can be characterized by, Pguess
Eve
, the probability that she has
the right one.
Alice 0 0 0 1 1 0 1 0 1 1 1 0
Bob 0 0 1 1 1 0 0 0 1 1 0 0
Alice (MAJ) 0 1 0 1
Bob (MAJ) 0 1 0 1
Table 2: An example of information reconciliation. We use the different colors (yellow, green, red,
blue) to distinguish digits in different subgroups. After doing majority vote within each
subgroup, we obtain a key of reduced length 4.
Privacy amplification After the information reconciliation step, Alice and Bob have ensured that
their keys are identical. However, Eve has also corrected her errors. If PguessEve
is small enough
(smaller than the BER), she will still have some errors. Privacy amplification will amplify those
errors so that, at the end, Pguess
Eve
= 1/2, which means that she possesses no information whatsoever
on the value of the remaining bits. A way of doing that is as follows: Alice and Bob take q bits at
random positions they agree upon over a public channel and generate a single bit of their new key
by calculating the parity of these bits. An example (q = 4) is given in Table 3. By repeating this
1 The action of majority vote is self-explanatory. For three bits, the map is
000 → 0, 111 → 1,
001, 100, 010 → 0, 110, 101, 011 → 1.
7
Chapter 3.1 Quantum Information (WiSe 22/23)
5 Cryptanalysis
idea In order to know how many rounds of information reconciliation and privacy amplification
need to be performed, Alice and Bob have to know the BER and Pguess Eve
. While the BER can be
measured by sacrificing part of the key, the value of Pguess will depend on Eve’s strategy. Thus,
Eve
the worst-case scenario for Alice and Bob is that, for a given BER, Pguess
Eve
is as large as possible.
The cryptanalysis deals precisely with that question, namely, finding the optimal attack by Eve.
Here we will take some specific sets of attacks and analyze the optimal value of PguessEve
. As a
full treatment would require extensive mathematical techniques, this will not be a fully general
treatment, but it should provide enough insight to get a general idea.
Errors due to Eavesdropping Consider the BB84 protocol. One strategy of Eavesdropping for
Eve is to measure every qubit Alice sends through the channel. In fact, Eve can use a more general
and better strategy. Eve can entangle his/her qubits, initialized in state |Ai with the qubits sent
by Alice. In this way, Eve can acquire more information by waiting until Alice and Bob announce
their measurement basis in the public discussion. Let us take the unitary operation Eve performs
as the one that implements the map
U
→ |0iA |A00 iE + |1iA |A01 iE ,
|0iA |AiE −
(5.1)
U
→ |0iA |A10 iE + |1iA |A11 iE .
|1iA |AiE −
Since this is an unitary operation, the normalization condition and the orthogonality condition put
the constraints that
hA00 |A00 i + hA01 |A01 i = 1,
hA10 |A10 i + hA11 |A01 i = 1, (5.2)
hA00 |A10 i + hA01 |A11 i = 0.
When the qubit arrives at Bob, it will be entangled with Eve’s qubits.
U to Bob
|ϕiA |AiE −
→ |ψiAE −−−−→ |ψiBE . (5.3)
The state Bob gets is described by the reduced density matrix after tracing out Eve (and similarly
for Eve)
ρB = trE |ψi hψ|BE ,
(5.4)
ρE = trB |ψi hψ|BE .
Depending on the message Alice sends and the basis she chooses, each time Bob will receive one
of four different kinds of states {ρB
0x , ρ1x , ρ0z , ρ1z }, as given in the following Table 4.
B B B
Errors due to decoherence This kinds of couplings (5.1) do not only happen due to the existence
of Eve. Even when there is no eavesdropper, the qubit Bob receives may still couples with the
environment, which leads to decoherence. Similarly, we can model the effect of the environment
as
U
→ |0iz |E00 ienv + |1iz |E01 ienv ,
|0iA |Eienv −
(5.5)
U
→ |0iz |E10 ienv + |1iz |E11 ienv ,
|1iA |Eienv −
and the state received by Bob is given by ρB = trenv |ψi hψ|B+env .
8
Chapter 3.1 Quantum Information (WiSe 22/23)
Bit error rate In the presence of Eve’s attacking or decoherence, the state received by Bob will be
mixed and different from the one Alice sends. Therefore, when Alice and Bob do the authentication
step of the BB84 protocol, they will realize that some of the results are wrong. But they will not
know if the errors are due to Eve, the decoherence, or both. Recall that Alice sends one of
{|0ix , |1ix , |0iz , |1iz } each with probability 14 . For each case, the states Bob gets after tracing out
the environment or/ and Eve are different, and lead to error probabilities Perror 0x 1x
, Perror 0z
, Perror 1z
, Perror .
Taking all four cases into account, the bit error rate for Bob is
1 0x
BER = (P + Perror
1x
+ Perror
0z
+ Perror
1z
). (5.6)
4 error
In the original BB84 protocol, Bob measures in the Z or the X basis. However, in the presence of
errors, this may not be the best measurement to distinguish if Alice prepared a 0 or a 1 since he
has the states ρ0x and ρ1x (in case he chooses X and this coincides with Alice’s choice, which are
the only ones that count). Thus, he would be better off if he performs the measurement that is
able to optimally distinguish ρ0a and ρ1a if he knows (the value of a = x, z). If he knows that, the
probability of error will be decreased.
Eavesdropping Remember, in the authorization process, Alice and Bob will reveal the basis they
sent and measured; therefore, a better strategy for Eve is to wait until then and perform the
measurements in the same basis as Bob does. Let denote Eve’s probability to distinguish ρ0x E and
ρ1x
E by P x
guess , and Eve’s probability to distinguish ρ 0z
E and ρ 1z
E by P z
guess . Again, for doing that she
will carry out the optimal measurement that distinguishes those states. The probability that Eve
has correct guess is
1 x
Eve
Pguess = (Pguess + Pguess
z
). (5.7)
2
The guess probability of Eve has to be larger than one half; otherwise, it would be useless because
a random guess will achieve a probability of 1/2.
Note that we have already presented two figures of merits: the bit error rate and the probability
of Eve. In practice, Eve wants to know for a given BER, what is the optimal Pguess E
. Bob wants
to know for a given BER, what is the optimal Pguess . In cryptanalysis, one commonly plots the
B
optimal guess probability as a function of the bit error rate (one example is given in Fig. 3).
0x/z 1x/z
Quantum hypothesis testing Bob wants to distinguish (ρB , ρB ) and Eve wants to distin-
0x/z 1x/x
guish (ρE , ρE ). At a high level, both Bob and Eve wants to perform the optimal measurement
to distinguish two mixed states. It can be proved that the best success probability to discriminate
two mixed states represented by ρ1 and ρ2 is given by
1 1
Pr = 1 + ||ρ1 − ρ2 ||1 (5.8)
2 2
with 21 ||ρ1 − ρ2 ||1 the trace distance, which is defined as the sum of eigenvalues of ρ1 − ρ2 .
*Interlude: optimal measurements to distinguish two mixed states Given a state ρ which is
known to be either ρ0 or ρ1 , our general strategy for discriminating ρ0 and ρ1 (i.e., to assign 0 or 1
based on ρ0 , ρ1 ) will be to perform a POVM {E0 , E1 } (E0 +E1 = 1) and to guess that ρ = ρi when
we obtain measurement outcome i (i = 1, 2). For each ρi , a successful guess event happens with
a probability of tr[Ei ρi ]. Since each state is prepared with an equal probability 1/2, the average
probability of identifying the state correctly is
1 1
Pguess = tr[E0 ρ0 ] + tr[E1 ρ1 ] (5.9)
2 2
9
Chapter 3.1 Quantum Information (WiSe 22/23)
Thus, the remaining problem is to maximize Pguess over all measurement operators. To this end,
we only need to maximize the the trace of the matrix (E0 − E1 )(ρ0 − ρ1 ).
Note that ρ1 − ρ2 is Hermitian, so we can perform the spectral decomposition.
r
X m
X r
X
ρ1 − ρ2 = λi |ψi i hψi | = |λi | · |ψi i hψi | − |λi | · |ψi i hψi |, (5.12)
i=1 i=1 i=m+1
| {z } | {z }
T S
where we have ordered the eigenvalues λi such that λi ≥ 0 for i = 1, . . . , m and λi < 0 for
i = m + 1, . . . , r. In terms of the new positive semi-definite matrices T, S ≥ 0 defined above,
where the inequality follows from the fact that tr(Ai T ), tr(Ai S) ≥ 0 for Ai , S, T ≥ 0. The success
probability is then bounded by
m r
!
1 1 X X
Pguess ≤ + max |λi | hψi | E0 |ψi i + |λi | hψi | E1 |ψi i . (5.14)
2 4 E0 ,E1 i=1 i=m+1
E0 +E1 =1
The upper bound is saturated by choosing E0 and E1 = 1 − E0 as the projector onto the positive
and negative eigenspace of (ρ0 − ρ1 ) respectively
m
X r
X
E0 = |ψi i hψi | , E1 = |ψi i hψi | , (5.15)
i=1 i=m+1
in which case
r
1 1X
optimal
Pguess = + |λi |
2 4 i=1
(5.16)
1 1
= 1 + kρ0 − ρ1 k1 .
2 2
Here k · k1 is the trace norm of the operator and it is equal to the sum of eigenvalues.
In summary, the maximal probability of distinguishing the two states is given by (5.16), and
the best POVM measurement can be understood as a projective measurement in the ONB basis
of ρ0 − ρ1 .
A simple eavesdropping Let us consider a simple strategy of Eve. Eve takes |0i → |0i|E0 i and
|1i → |1i|E1 i with hE0 |E1 i = α ∈ [0, 1]. Then, Eve sends the qubit of Alice to Bob, waits until
Bob announces the basis, and then measure in that basis. There are 4 encoded states in BB84:
{|0i , |1i , |+i , |−i} and Eve’s action map these four states to
|0i → |0i ,
|1i → |1i ,
1 (5.17)
|+i → ρ+ := (|0i h0| + |1i h1| + α |0i h1| + α |1i h0|),
2
1
|−i → ρ− := (|0i h0| + |1i h1| − α |0i h1| − α |1i h0|).
2
Alternatively, this could also happen due to the decoherence from the coupling with the environ-
ment.
10
Chapter 3.1 Quantum Information (WiSe 22/23)
Bob discriminates the messages Bob needs to discriminate between the states he received from
Alice. If Alice chooses the σz basis to encode her bit, then Bob is able to discriminate the final
states with unit probability PBz = 1, because |0i and |1i are orthogonal. In the case where Alice
chooses the σx basis to encode her bit, the probability that Bob will be able to distinguish the
states ρ+ and ρ− by a measurement in the σx basis will be determined by (5.16)
1 1
PBx = tr(|+i h+| ρ+ ) + tr(|−i h−| ρ− )
2 2
1 1 1 1
= (2 + α + α) + (2 + α + α) (5.18)
2 4 2 4
1
= (1 + α).
2
Therefore, given that all four states occur with equal probability in the protocol, the bit error rate
is
1 1
BER = 1 − (PBz + PBx ) = (1 − α). (5.19)
2 4
Note that this makes sense physically. For α = 0, |E0 i and |E1 i are orthogonal, and Bob receives
maximally mixed states, i.e., he is only able to obtain the same success rate as if he were to guess
randomly (Pr = 1/2 and BER = 1/4). Under the ideal situation α = 1, the BB84 protocol can
achieve a zero bit error rate BER = 0.
1
B
3/4
A
PGuess
1/2
E
0
0 1/4 1/2
Bit Error Rate
Figure 3: The guess probability of Eve as a function of the bit error rate (BER). The black curve
corresponds to the simple strategy in the lecture we described. With more complicated
scheme and use more parameters, one can design better strategies, such as the blue curve.
Eve guesses the messages Following the same line of thoughts, we can analyze the probability
that Eve obtains the information. The eavesdropping implement the following map
is
1 1p
Pguess =
Eve
1+ 1−α 2 . (5.22)
2 2
11
Chapter 3.1 Quantum Information (WiSe 22/23)
We plot Pguess
Eve
as a function of the bit error rate in Fig. 3. Now let us check some special cases to
make sure the result make sense physically. For α = 0, PguessEve
= 3/4 which is its maximum value
i.e. Eve is most successful when she uses orthogonal states. For α = +1, Pguess
Eve
= 1/2 and so Eve
has the same success rate as if she were to simply guess the value of the encrypted bit randomly.
Hence with strategy α = 1, Eve will never know with transmitted information with certainty.
More general strategy More general strategies for Eve may involve entangling all the qubits sent
by Alice with some of her qubits, and performing joint measurements in all of them after the public
discussion. This has been analyzed, and one can find similar curves like the ones presented in the
figure (however, one does not use PEguess but some other measures of information).
♣♣♣
Acknowledgement.— We thank Adrian O. Paulus for providing their handwritten notes. We thank
Yilun Yang for providing the Tikz codes that inspire Figure 1 and 2.
These lecture notes were kindly provided by Ignacio Cirac and Sirui Lu.
12