
Quantum Information (WiSe 22/23) Last updated: 2022-12-08

Chapter 3.1: Quantum Communication: Cryptography


Instructor: Dr. Christian Schilling Scriber: Ignacio Cirac and Sirui Lu

Now that the basic formalism of quantum information has been introduced, we are in a position
to discuss the applications of quantum information theory. We will introduce three applications:
(i) quantum communication (Chapter 3), (ii) quantum computing (Chapter 4), and (iii) quantum
metrology (Chapter 5).

1 Introduction
This chapter deals with applications of quantum information theory in the context of communication.
It is divided into three parts: the first (and present) one is about cryptography: how to
use quantum physics to achieve secure communication. The second is about complexity: how to
use quantum physics to solve some communication tasks efficiently. The last one is about how to
overcome the problems of decoherence in quantum communication.

1.1 Cryptography: basic concepts and historical remarks


Scenario The goal of cryptography is secret communication. That is, a sender (whom we will call
Alice) wants to transmit a secret text (called plaintext) to the receiver (Bob). This transmission
has to be such that any Eavesdropper (Eve) does not capture the message, even if she is able to
read any messages sent from Alice and Bob in the channel. This is typically achieved by Alice
encoding the text in what is called the ciphertext, which is sent to Bob, who decodes it to obtain
the plaintext.

Encoding and decoding Given the plaintext, represented by $x$, the encoding is obtained by
applying some function $y = E_k(x)$. This function may depend on some parameter $k$, called the
key. The decoding is obtained by applying another function, $D_k(y)$, which may also depend on
the key. Ideally, $D_k[E_k(x)] = x$ so that Bob can recover the plaintext, while it is difficult for Eve
to apply such a function (for instance, if she does not know the key).

[Figure 1 diagram: Alice (sender): Plaintext, Key K, Encryption, Ciphertext; Eve (attacker); Bob (receiver): Ciphertext’, Key K, Decryption, Plaintext’.]

Figure 1: Scenario of classical cryptography.

Texts to bits conversion Typically, plaintext is text, like ABCDE, but the messages that go
through the channel are bits, like 00011. Therefore one must first convert text to bits. This can
be accomplished by creating a look-up table/dictionary that converts each letter of the alphabet to
a different number:
$$
\begin{array}{ccccc}
A & \to & 0 & \to & 00000 \\
B & \to & 1 & \to & 00001 \\
\cdots & \to & \cdots & \to & \cdots \\
Z & \to & 25 & \to & 11001
\end{array}
\tag{1.1}
$$

Cryptosystem A set of algorithms that generate a key, encrypt plaintext to ciphertext, and decrypt
ciphertext.


Cryptanalysis The study of methods to obtain plaintext from ciphertext without the key.

Traditional methods Cryptographic methods have been known since long ago. For example,
the Spartans used simple transposition methods to send secret messages, whereas Romans used
substitution methods.

• Transposition: It consists of changing the place (transposing) of the letters that compose the
message. For example, one can exchange consecutive letters: COLD→OCDL.
• Substitution: It consists of changing the order of the letters that compose the alphabet.
For example, $E_k(x) = x + 3 \bmod 26$ transforms A→D, B→E, C→F, etc. In this case,
COLD→FROG.

Security These methods are not secure. For example, it is well known that the frequency of
appearance of a given letter in any intelligible text is more or less constant. This means that if Eve
takes the message (which is supposed to be long) and compares the relative frequency of appearance
of the signs with the standard tables, she can decode the message. Therefore, these methods have
been abandoned, and people turned to modern cryptography.

1.2 Modern cryptography


The idea of modern cryptography is to base security on the difficulty of solving certain mathematical
problems.

One-way functions Informally, a one-way function is a function $f : S \to T$, where $S$ and $T$ are
any two sets, such that

• for any $x \in S$, it is “easy” to compute $f(x)$. By easy we mean that the computational time
grows as a polynomial function of the number of digits of $x$. For instance, multiplying $x$ by 5
is easy since the number of operations (and thus the computational time) only grows linearly.
• given $y = f(x) \in T$, it is “difficult” to obtain the inverse $x$. By difficult we mean that
the computational time grows faster than any polynomial of the number of digits of $y$. For
instance, finding a non-trivial factor of $y$ is difficult.

Encryption and decryption The idea is to use for $E_k(x)$ a one-way function, so that Eve cannot
invert and get the message. Bob, however, knows some extra information (which is stored in the
key) that allows him to invert the function, i.e., such that $D_k(y)$ is also easy.

Computational security All practical public-key cryptosystems are based on functions that are
believed to be one-way, but no function has been proven to be so. In fact, it is not known whether
such functions do exist. Hence, the security of public-key cryptosystems is based on the belief that
there is no fast algorithm to solve a certain problem, like factorization. That is, its security is
based on an unproven computational assumption. If there were a mathematical breakthrough,
i.e., if an algorithm were discovered that can compute the inverse function easily, or once we have
a device (like a quantum computer) that is able to do that, these systems would be insecure and
useless.

Quantum methods Quantum computing may threaten the security of the cryptosystem if f can
be computed efficiently with a quantum computer. This calls for new cryptography methods. Two
directions have emerged: post-quantum cryptography and quantum cryptography. Post-quantum
cryptography uses one-way functions that are believed to be difficult to compute even on quantum
computers. Here we will cover the second one, although before that we will give more detailed
information about some classical cryptosystems that are widely used.


2 Public key cryptosystems


2.1 One-time pad
Idea In 1917, a cryptographic scheme was proposed, which is provably secure (i.e., unbreakable).
The idea is that Alice and Bob, prior to the transmission, have a key that nobody else knows. This
key is a random sequence of bits $k_1, k_2, \ldots$. The procedure is as follows: Alice takes her message
and encrypts it using the key. To do that, she first uses a public table to translate the message to
bits $x_1, x_2, \ldots$. Then, the encrypted message is obtained by adding $x$ and $k$ modulo 2,

$$E_{k_i}(x_i) = x_i + k_i \bmod 2 = x_i \oplus k_i, \tag{2.1}$$

where the symbol $\oplus$ represents addition modulo 2. She sends the encrypted message $y$ to Bob,
who decrypts it using the key, as

$$D_{k_i}(y_i) = y_i \oplus k_i. \tag{2.2}$$

Security Since the key is random, for somebody who does not know the key, the $x_i \oplus k_i$ are completely
random. Additionally, $D_{k_i}[E_{k_i}(x_i)] = x_i$. The assumptions for security are: (i) the key must be
random; (ii) the key cannot be reused (this is why it is called a one-time pad); (iii) the key has to
be as long as the plaintext; (iv) nobody else apart from Alice and Bob should know the key.
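
The following added example (not part of the lecture notes) implements (2.1) and (2.2) on the 5-bit letter table (1.1) and shows why assumption (ii) matters: when one key encrypts two messages, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so the key drops out. The function names and the sample messages are chosen here for illustration.

```python
import secrets


def text_to_bits(text):
    """Table (1.1): A -> 0 -> 00000, B -> 1 -> 00001, ..., Z -> 25 -> 11001."""
    bits = []
    for ch in text:
        n = ord(ch) - ord("A")
        if not 0 <= n <= 25:
            raise ValueError("the table only covers the letters A-Z")
        bits.extend((n >> shift) & 1 for shift in (4, 3, 2, 1, 0))
    return bits


def bits_to_text(bits):
    """Inverse of text_to_bits; rejects 5-bit values outside 0..25."""
    letters = []
    for i in range(0, len(bits), 5):
        n = int("".join(str(b) for b in bits[i:i + 5]), 2)
        if n > 25:
            raise ValueError("5-bit value is not a letter of the table")
        letters.append(chr(ord("A") + n))
    return "".join(letters)


def new_key(n_bits):
    """Assumption (i): a uniformly random key, one bit per plaintext bit."""
    return [secrets.randbits(1) for _ in range(n_bits)]


def otp(bits, key):
    """(2.1) and (2.2): the same bitwise XOR encrypts and decrypts."""
    if len(key) < len(bits):
        raise ValueError("assumption (iii): key must be as long as the plaintext")
    return [b ^ k for b, k in zip(bits, key)]


def xor(a, b):
    return [p ^ q for p, q in zip(a, b)]


def demo():
    x1, x2 = text_to_bits("COLD"), text_to_bits("FROG")  # constructed messages
    key = new_key(len(x1))
    y1 = otp(x1, key)
    y2 = otp(x2, key)          # violates assumption (ii): key used twice
    leak = xor(y1, y2)         # equals x1 XOR x2, independent of the key
    # Whoever knows (or guesses) x1 now reads x2 without ever seeing the key.
    recovered = bits_to_text(xor(leak, x1))
    return bits_to_text(otp(y1, key)), leak == xor(x1, x2), recovered
```

With a fresh key per message the second ciphertext is again uniformly random, and no such relation exists.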

Key distribution The problem is that Alice and Bob have to know the key in advance, and
therefore they have to communicate to establish this key. This process is called key distribution.
In principle, there are two ways of achieving that, but none of them is completely secure.
• Use a private channel (safe courier): This may not always be secure because somebody may
intercept the communication.
• Use mathematical methods: Public key cryptography was introduced in 1976. The idea is to
use a private channel, which Eve can also access, but to encode the information containing
the key using one-way functions. This method, as mentioned above, is based on unproven
mathematical assumptions. In the next section, we will give a particular method to achieve
that.

2.2 Diffie-Hellman key exchange


Idea Diffie-Hellman key exchange relies on a one-way function f called modular exponentiation,
a function that is easy to compute. The inverse function of f is the discrete logarithm, a function
that is difficult to compute.

Modular exponentiation Given $x$, $y$, and a prime number $p$, each of them with $r$ or fewer (binary)
digits, the modular exponentiation computes

$$x^y \bmod p. \tag{2.3}$$

If $p$ is prime, the encoding function $E$ is computable in time polynomial in $r$. This can be done as follows:
Let us first write $y$ in the binary form $y = \sum_{n=0}^{r} c_n 2^n$. This can be done with only $r$ computations.
Next, we can compute
$$
\begin{aligned}
x \bmod p &= x_1, \\
x_1^2 \bmod p &= x_2, \\
x_2^2 \bmod p &= x_3, \\
&\cdots
\end{aligned}
\tag{2.4}
$$
Since there are at most $r$ variables, $x_1, \ldots, x_r$, and computing each of them requires taking a square
and dividing by $p$, this can also be done efficiently. Since we can write
$$x^y = \prod_{n=0}^{r} x_n^{c_n} \bmod p, \tag{2.5}$$

we just have to compute at most $r$ products, and thus this can be done efficiently. Therefore, the
modular exponentiation function can be computed efficiently.


Discrete logarithm The inverse of the modular exponentiation function is the discrete logarithm.
Note $x^y = z$ gives $\log_x z = y$. Given $x$, $z$ and a prime $p$, the discrete logarithm yields an integer
$0 \le y \le p$ such that $x^y \bmod p = z$. We write $y = \log_x z \bmod p$. This operation is “difficult”, because
the best existing algorithm has a computational time that increases faster than any polynomial in
$r$.

Diffie–Hellman Protocol Alice and Bob agree on a large prime number $p$ and another number
$x$ which has approximately the same number of digits. Since they do that publicly, these numbers
are also known to Eve. Additionally, Alice generates a large random number $y$ that is only known
to her, and Bob does the same with $z$. Alice computes $A = x^y \bmod p$ and sends it to Bob. He
computes $B = x^z \bmod p$ and sends it to Alice. Then Alice computes $B^y \bmod p$ and Bob $A^z \bmod p$.
It turns out that these two numbers coincide, $K = B^y \bmod p = A^z \bmod p$, which will be
taken as the key. Since $y$ and $z$ are random, $K$ is also random. Eve only knows $x, p, A, B$. If she
wants to get $K$, she must compute a discrete logarithm (of $A$ or $B$). But this is difficult, so that
the Diffie–Hellman protocol delivers the required security.

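[Figure 2 diagram: Alice (private $y$) sends $A = x^y \bmod p$ to Bob; Bob (private $z$) sends $B = x^z \bmod p$ to Alice; Alice computes $K := (x^z)^y \bmod p$ and Bob computes $K := (x^y)^z \bmod p$; Eve sees the public information $p$, $x$, $A$ and $B$.]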

Figure 2: Diffie-Hellman key exchange protocol.
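
As an added illustration (not code from the lecture notes), the block below implements the repeated-squaring procedure of (2.4) and (2.5), runs the exchange of Figure 2, and contrasts its cost with an exhaustive discrete-logarithm search. The function names, the toy modulus $2^{31}-1$ with base 7, and the range check on the received public value are assumptions of this example; real deployments use far larger parameters.

```python
import secrets


def mod_exp(x, y, p):
    """x**y mod p by repeated squaring, following (2.4) and (2.5)."""
    if y < 0 or p < 1:
        raise ValueError("need y >= 0 and p >= 1")
    result = 1 % p
    square = x % p                      # x^(2^0) mod p, the notes' x_1
    while y:
        if y & 1:                       # current binary digit c_n of y
            result = result * square % p
        square = square * square % p    # next entry of the chain (2.4)
        y >>= 1
    return result


def mod_exp_cost(y):
    """Multiplications done by mod_exp: one squaring per binary digit of y
    plus one product per digit equal to 1, so at most 2r for r digits."""
    return y.bit_length() + bin(y).count("1")


def keypair(x, p):
    """Private exponent in [2, p-2] and the public value x^secret mod p."""
    secret = 2 + secrets.randbelow(p - 3)
    return secret, mod_exp(x, secret, p)


def shared_key(peer_public, secret, p):
    # Added sanity check (not in the notes): 0, 1 and p-1 would force the
    # key into a set of at most two values, so they are rejected.
    if not 1 < peer_public < p - 1:
        raise ValueError("degenerate public value")
    return mod_exp(peer_public, secret, p)


def exchange(x, p):
    """Both sides of Figure 2; returns (Alice's K, Bob's K)."""
    y, a_pub = keypair(x, p)            # Alice: private y, public A
    z, b_pub = keypair(x, p)            # Bob:   private z, public B
    return shared_key(b_pub, y, p), shared_key(a_pub, z, p)


def exhaustive_log(x, target, p):
    """Discrete logarithm by trying every exponent. The loop runs up to p
    times, i.e. exponentially many steps in the number of digits r."""
    value = 1 % p
    for y in range(p):
        if value == target:
            return y
        value = value * x % p
    return None


if __name__ == "__main__":
    P, X = 2**31 - 1, 7                 # toy parameters; 7 is a primitive root
    k_alice, k_bob = exchange(X, P)
    print(k_alice == k_bob, mod_exp_cost(P - 2), "multiplications at most")
```

For a 31-bit exponent `mod_exp` needs at most 62 multiplications, while `exhaustive_log` may need about $2^{31}$; this gap is the asymmetry the protocol relies on.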

One-way functions These are some examples of other one-way functions that are used in classical
cryptography:
(1) Discrete logarithm (used in the Diffie-Hellman protocol above).
(2) Factoring (used in RSA, another public-key cryptosystem).
(3) Elliptic curves (used in other protocols).
(4) Short lattice vectors.
(5) Learning with errors.
Since there exist efficient quantum algorithms for computing discrete logarithms and factoring,
and solving elliptic curves, RSA and the Diffie-Hellman protocol are not considered secure if one has
a quantum computer. For the last two, no efficient quantum algorithms exist, and thus they are
candidates for post-quantum cryptography.

3 Quantum key distribution


Idea Most methods in quantum cryptography aim at distributing a key using qubits in superpositions
or entangled states. These methods are referred to as quantum key distribution. The laws
of quantum physics imply that if Eve tries to measure the qubits, she will change the states, which
can be detected by Alice and Bob. Thus, the security is provided by the laws of physics instead of
some mathematical assumptions.

Protocols There are many protocols in quantum key distribution. Here we will cover the first
two, which are widely used nowadays.


3.1 BB84 Protocol


Goal The goal for Alice and Bob is to share a secret random key. The key is a long sequence of
random bits.

Idea Alice is sending Bob some qubits in superpositions and Bob will measure them in some
random basis. If the superposition turns out to be an eigenstate of Bob’s observable, then Alice
and Bob will know what state they had and with that they can establish the key. If Eve tries to
measure any qubit to get that information, she will distort the superposition and thus Alice and
Bob will be able to find out.

Procedure:
(1) Preparation and transmission: Alice prepares a set of qubits in states chosen randomly among
the set $S = \{|0\rangle_z, |1\rangle_z, |0\rangle_x, |1\rangle_x\}$, where $|0\rangle_z$ and $|1\rangle_z$ are the eigenstates of the $\sigma_z$ operator,
and $|0\rangle_x$ and $|1\rangle_x$ are the eigenstates of $\sigma_x$. Thus, for each qubit Alice chooses randomly the
value of the qubit (0 or 1) and the basis (Z or X). She sends these qubits to Bob.
(2) Measurement: For each of the qubits received, Bob chooses randomly among Z and X,
and correspondingly he measures either $(1 - \sigma_z)/2$ or $(1 - \sigma_x)/2$, assigning 0 and 1 to the
outcomes.

(3) Public discussion: Bob announces publicly the value (Z or X) he has chosen for each of the
qubits, without saying the outcome of the measurement. Then, Alice announces publicly for
each qubit if that value coincides with the one she has used in her preparation. If they are
the same, they keep the value of the bit (0 or 1). Otherwise, they discard it. Note that in
the first case, the value of the bit will be the same for Alice and Bob, since the preparation
and the measurement was in the same basis. Thus, these bits will be the basis of the random
key.
(4) Authentication: Bob announces publicly the result of part of the measurements they kept,
and Alice says if they coincide with her values for each of them. If nothing happened, they
should coincide. Thus, if they do not coincide, then they will suspect that somebody (or
something) has interfered in the communication. The publicly announced bits are discarded
because Eve can also listen to that communication. The surviving bits will be the basis of
the key.

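Example

(a)  (b)  (c)          (d)             (e)          (f)  (g)  (h)  (i)  (j)
1    0    $\sigma_x$   $|0\rangle_x$   $\sigma_z$   0    -    -    -    -
2    1    $\sigma_x$   $|1\rangle_x$   $\sigma_x$   1    OK   -    -    1
3    1    $\sigma_z$   $|1\rangle_z$   $\sigma_x$   1    -    -    -    -
4    1    $\sigma_z$   $|1\rangle_z$   $\sigma_z$   1    OK   1    OK   -
5    0    $\sigma_x$   $|0\rangle_x$   $\sigma_x$   0    OK   -    -    0
6    0    $\sigma_z$   $|0\rangle_z$   $\sigma_x$   1    -    -    -    -
7    1    $\sigma_x$   $|1\rangle_x$   $\sigma_x$   1    OK   1    OK   -
8    0    $\sigma_z$   $|0\rangle_z$   $\sigma_z$   0    OK   0    OK   -
9    1    $\sigma_z$   $|1\rangle_z$   $\sigma_x$   1    -    -    -    -
10   0    $\sigma_z$   $|0\rangle_z$   $\sigma_z$   0    OK   -    -    0

Table 1: An example of the BB84 protocol. Here: (a) qubit; (b) Random bit selected by Alice; (c)
Random operator selected by Alice; (d) State sent by Alice; (e) Random operator selected
by Bob; (f) Bob’s result of the measurement (0 if he measures −1 and 1 if he measures 1);
(g) result of the public discussion; (h) Authentication; (i) result of the authentication; (j)
Key.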


Eavesdropping If Eve tries to obtain the key, she will have to make measurements. Then, she
will disturb the state, and the authentication will tell Alice and Bob of the presence of Eve. The
important point here is that Eve does not know the operators selected by Alice and Bob until Bob
performs the measurement and publicly announces it. For example, imagine that Alice prepares
the qubit in the state $|1\rangle_x$ (7th qubit in the table). Consider the following two cases: (a) If Eve
happens to measure $\sigma_x$, then she will measure 1 and will send again the state $|1\rangle_x$ to Bob; in that
case, Alice and Bob cannot tell anything about the presence of Eve; (b) On the contrary, if she
happens to measure $\sigma_z$ then she will obtain 1 or 0 with probability 1/2. If she obtains 1, she
will send the state $|1\rangle_z$ to Bob, which is not the one sent by Alice. Therefore, in the process of
authentication there is a probability 1/2 that Alice and Bob check that there is an error. Analogous
conclusions apply if Eve measures 0. The probability for Eve to be detected if she measures every
qubit using this procedure is $1 - (3/4)^N$ if Alice and Bob use $N$ qubits in the authentication.
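
The procedure and the eavesdropping argument above can be checked with a small classical simulation, added here as an example that is not part of the lecture notes. It models only what the text states: a measurement in the preparation basis returns the encoded bit, a measurement in the other basis returns 0 or 1 with probability 1/2, and Eve measures every qubit in a random basis and resends what she observed. All function names are chosen for this example.

```python
import random

BASES = "ZX"


def measure(state, basis, rng):
    """Same basis as the preparation: the encoded bit. Other basis: a coin flip."""
    bit, prepared_in = state
    return bit if basis == prepared_in else rng.randrange(2)


def send_qubit(rng, eve):
    """One round of steps (1)-(3). Returns (Alice's bit, Bob's bit) when the
    public discussion keeps the round, otherwise None."""
    a_bit, a_basis = rng.randrange(2), rng.choice(BASES)
    state = (a_bit, a_basis)
    if eve:
        # Eve does not know Alice's basis yet, so she has to pick one at random
        # and forwards the state she observed.
        e_basis = rng.choice(BASES)
        state = (measure(state, e_basis, rng), e_basis)
    b_basis = rng.choice(BASES)
    b_bit = measure(state, b_basis, rng)
    return (a_bit, b_bit) if a_basis == b_basis else None


def sifted_bits(n, rng, eve):
    """Keep sending qubits until n rounds survive the public discussion."""
    kept = []
    while len(kept) < n:
        pair = send_qubit(rng, eve)
        if pair is not None:
            kept.append(pair)
    return kept


def error_rate(pairs):
    return sum(a != b for a, b in pairs) / len(pairs)


def authentication_fails(n_check, rng, eve=True):
    """Step (4): compare n_check kept bits in public; any mismatch is an alarm."""
    return any(a != b for a, b in sifted_bits(n_check, rng, eve))


def detection_probability(n_check):
    """The closed form stated in the text: 1 - (3/4)^N."""
    return 1 - 0.75 ** n_check


def empirical_detection(n_check, trials, rng):
    return sum(authentication_fails(n_check, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    rng = random.Random(2022)
    print("error rate without Eve:", error_rate(sifted_bits(2000, rng, eve=False)))
    print("error rate with Eve:   ", error_rate(sifted_bits(20000, rng, eve=True)))
    for n in (1, 4, 16):
        print(n, detection_probability(n), empirical_detection(n, 4000, rng))
```

Each kept bit is wrong with probability 1/4 under this attack (Eve picks the wrong basis half of the time, and Bob's result is then random), which is where the factor 3/4 per checked bit comes from.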

3.2 E91 Protocol


Goal The goal for Alice and Bob is to share a secret random key. The key is a long sequence of
random bits.

Idea Alice and Bob share pairs of qubits prepared in the Bell state
$$|\Psi^-\rangle = \frac{1}{\sqrt{2}}\,(|01\rangle - |10\rangle). \tag{3.1}$$
The idea is that if they measure one of these pairs along the same direction (that is, measure the
same $\sigma_{\vec n}$), the result will be completely random but also correlated. That is, if one obtains −1 the
other one will obtain 1 and vice versa. Thus, they can establish the key by simply taking −1 → 0
and Bob applying an extra NOT operation 0 ↔ 1. They can announce some results. If these
results are not the same, then somebody (something) must have interfered with the communication.
Even better, with the results they can test CHSH inequalities. If the results violate the CHSH
inequalities, they can be confident that nothing has happened and the key is secure.

Procedure
(1) Preparation and transmission: A source emits pairs of qubits in the state $\Psi^-$. The particles
fly apart towards the two legitimate users of the channel (Alice and Bob).

(2) Measurements: Alice and Bob perform measurements of Pauli operators along three different
directions given by unit vectors $\vec a_i$ for Alice and $\vec b_j$ for Bob ($i, j = 1, 2, 3$). Both the $\vec a_i$ and $\vec b_j$
vectors lie in the $x$–$z$ plane, and are characterized by azimuthal angles $\phi_1^a = 0$, $\phi_2^a = \frac{1}{4}\pi$, $\phi_3^a = \frac{1}{2}\pi$
and $\phi_1^b = \frac{1}{4}\pi$, $\phi_2^b = \frac{1}{2}\pi$, $\phi_3^b = \frac{3}{4}\pi$. They choose these orientations randomly and
independently for each pair.


(3) Public discussion: Alice and Bob publicly announce the directions used in each measurement,
and divide the measurements into two separate groups: a first group for which they used
different orientations, and a second one for which they used the same. In case they use the
same, they transform the results into 0 and 1’s, and Bob applies an extra Not operation. If
nothing happens in the communication, the resulting bits for Alice and Bob will coincide and
can be used for the key.
(4) Authentication: Alice and Bob reveal publicly the results they obtained but within the first
group only. With these measurements they check whether their measurements violate the CHSH
inequality (i.e., if the value of $S = 2\sqrt{2}$). In case they find $S = 2\sqrt{2}$, they use the results of
the second group to establish the key.

Eavesdropping Any attempt of Eve to measure or modify the singlet states will disturb them,
and therefore $S$ will decrease (for the set of measurements described above, $S = 2\sqrt{2}$ only occurs
for a singlet state; otherwise, it is smaller).


Similarities The BB84 and E91 protocols for quantum public key distribution are somewhat
similar. In fact, one can view the E91 protocol as follows: if Alice measures along the $z$ direction
and obtains $|0\rangle_z$ ($|1\rangle_z$), then Bob’s particle will be projected onto the state $|1\rangle_z$ ($|0\rangle_z$). If Alice
measures along the $x$ direction and obtains $|0\rangle_x$ ($|1\rangle_x$), then Bob’s particle will be projected onto
the state $|1\rangle_x$ ($|0\rangle_x$). Therefore, Alice can prepare the sequence of random states as in the BB84
form by performing appropriate measurements on singlet pairs.

4 Information reconciliation and privacy amplification


Practicalities Any realistic quantum channel is subject to decoherence. Consequently, even in
the absence of an adversary, Eve, the values of the bits for Alice and Bob whenever they are
kept, will not always be the same. Thus, they may believe that Eve is present and stop the
communication. In such a case, they would never be able to communicate, and thus quantum
cryptography would be useless. Additionally, the key would be different and thus not useful for
the one-time pad procedure. However, there are some procedures to circumvent both problems by
sacrificing a fraction of bits. They can be very sophisticated, so that here we will just give the
basic ideas. We will concentrate on the bits that Alice and Bob have after the public discussion.

Bit error rate (BER) Let us consider the subset of bits Alice and Bob kept after the public
discussion. The bit error rate is the number of them that are different divided by the total number
of such bits. In the authentication, they will be able to estimate the value of the BER by sacrificing
a small portion of those bits.

Eve’s probability of guessing Similarly, if Eve has intercepted the communication, she will have
a guess for the value of each bit. This can be characterized by $P^{\mathrm{Eve}}_{\mathrm{guess}}$, the probability that she has
the right one.

Information reconciliation Information reconciliation can be seen as an error-correction procedure
conducted over the public channel that makes sure that, at the end, Alice and Bob’s bits are
the same. One simple way of doing that is as follows: Alice picks $k$ bits which are identical and
announces the locations of these bits over the classical public channel. Bob (and Eve) perform a
majority vote (see footnote 1) on their copies of the key. An example ($k = 3$) is given in Table 2. After performing
this operation for several rounds, they will end up with the same key as long as the BER is small
enough (smaller than 1/2). The number of rounds to achieve that will depend on the BER.

Alice 0 0 0 1 1 0 1 0 1 1 1 0
Bob 0 0 1 1 1 0 0 0 1 1 0 0
Alice (MAJ) 0 1 0 1
Bob (MAJ) 0 1 0 1

Table 2: An example of information reconciliation. We use the different colors (yellow, green, red,
blue) to distinguish digits in different subgroups. After doing majority vote within each
subgroup, we obtain a key of reduced length 4.

Privacy amplification After the information reconciliation step, Alice and Bob have ensured that
their keys are identical. However, Eve has also corrected her errors. If $P^{\mathrm{Eve}}_{\mathrm{guess}}$ is small enough
(smaller than the BER), she will still have some errors. Privacy amplification will amplify those
errors so that, at the end, $P^{\mathrm{Eve}}_{\mathrm{guess}} = 1/2$, which means that she possesses no information whatsoever
on the value of the remaining bits. A way of doing that is as follows: Alice and Bob take $q$ bits at
random positions they agree upon over a public channel and generate a single bit of their new key
by calculating the parity of these bits. An example ($q = 4$) is given in Table 3. By repeating this
procedure a number of times (depending on the BER and $P^{\mathrm{Eve}}_{\mathrm{guess}}$), we arrive at a much shorter key,
but the bits held by Eve become completely random (no correlation with the true key string).

Footnote 1: The action of majority vote is self-explanatory. For three bits, the map is
000 → 0, 111 → 1,
001, 100, 010 → 0, 110, 101, 011 → 1.

          Alice   Bob   Eve
          0       0     0
          1       1     0
          0       0     0
          1       1     1
Parity    0       0     1

Table 3: An example of privacy amplification.
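
The two post-processing steps can be replayed on the bit strings of Table 2 and Table 3 with the added example below, which is not part of the lecture notes. The colours that mark the subgroups of Table 2 are not available here, so the grouping is produced by `identical_groups` (an assumption of this example); it reproduces the MAJ rows of the table. The two closed-form helpers assume independent bit errors and are standard results, not formulas from the notes.

```python
from math import comb

# Bit strings copied from Table 2 and Table 3.
ALICE = [0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0]
BOB = [0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 0, 0]
TABLE3 = {"Alice": [0, 1, 0, 1], "Bob": [0, 1, 0, 1], "Eve": [0, 0, 0, 1]}


def identical_groups(alice, k):
    """Alice's announcement: positions of k of her bits that are identical.
    Bits that do not fill a complete group are dropped."""
    by_value = {0: [], 1: []}
    for pos, bit in enumerate(alice):
        by_value[bit].append(pos)
    groups = []
    for positions in by_value.values():
        full = len(positions) - len(positions) % k
        groups += [positions[i:i + k] for i in range(0, full, k)]
    return sorted(groups)            # ordered by first position


def majority(bits):
    """Majority vote of footnote 1 (k odd)."""
    return int(2 * sum(bits) > len(bits))


def reconcile(key, groups):
    """One round of information reconciliation on one party's copy of the key."""
    return [majority([key[i] for i in g]) for g in groups]


def privacy_amplify(key, groups):
    """One new key bit per group: the parity of the q selected bits."""
    return [sum(key[i] for i in g) % 2 for g in groups]


def ber_after_majority(e, k=3):
    """Residual error rate of a k-bit majority vote when each of Bob's bits is
    flipped independently with probability e (more than k/2 flips needed)."""
    return sum(comb(k, j) * e**j * (1 - e) ** (k - j)
               for j in range(k // 2 + 1, k + 1))


def eve_guess_after_parity(p, q):
    """Probability that Eve knows the parity of q bits when she knows each bit
    independently with probability p: (1 + (2p - 1)^q) / 2."""
    return 0.5 * (1 + (2 * p - 1) ** q)


if __name__ == "__main__":
    groups = identical_groups(ALICE, 3)
    print(groups, reconcile(ALICE, groups), reconcile(BOB, groups))
    print({who: privacy_amplify(bits, [[0, 1, 2, 3]])
           for who, bits in TABLE3.items()})
    print(ber_after_majority(0.1), eve_guess_after_parity(0.75, 4))
```

The last line shows the trade-off numerically: a 10% bit error rate drops to 2.8% after one majority round, and a guess probability of 3/4 per bit drops to about 0.53 for the parity of four bits.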

5 Cryptanalysis
Idea In order to know how many rounds of information reconciliation and privacy amplification
need to be performed, Alice and Bob have to know the BER and $P^{\mathrm{Eve}}_{\mathrm{guess}}$. While the BER can be
measured by sacrificing part of the key, the value of $P^{\mathrm{Eve}}_{\mathrm{guess}}$ will depend on Eve’s strategy. Thus,
the worst-case scenario for Alice and Bob is that, for a given BER, $P^{\mathrm{Eve}}_{\mathrm{guess}}$ is as large as possible.
The cryptanalysis deals precisely with that question, namely, finding the optimal attack by Eve.
Here we will take some specific sets of attacks and analyze the optimal value of $P^{\mathrm{Eve}}_{\mathrm{guess}}$. As a
full treatment would require extensive mathematical techniques, this will not be a fully general
treatment, but it should provide enough insight to get a general idea.

Errors due to Eavesdropping Consider the BB84 protocol. One strategy of eavesdropping for
Eve is to measure every qubit Alice sends through the channel. In fact, Eve can use a more general
and better strategy. Eve can entangle her qubits, initialized in state $|A\rangle$, with the qubits sent
by Alice. In this way, Eve can acquire more information by waiting until Alice and Bob announce
their measurement basis in the public discussion. Let us take the unitary operation Eve performs
as the one that implements the map
$$
\begin{aligned}
|0\rangle_A |A\rangle_E &\xrightarrow{U} |0\rangle_A |A_{00}\rangle_E + |1\rangle_A |A_{01}\rangle_E, \\
|1\rangle_A |A\rangle_E &\xrightarrow{U} |0\rangle_A |A_{10}\rangle_E + |1\rangle_A |A_{11}\rangle_E.
\end{aligned}
\tag{5.1}
$$
Since this is a unitary operation, the normalization condition and the orthogonality condition put
the constraints that
$$
\begin{aligned}
\langle A_{00}|A_{00}\rangle + \langle A_{01}|A_{01}\rangle &= 1, \\
\langle A_{10}|A_{10}\rangle + \langle A_{11}|A_{11}\rangle &= 1, \\
\langle A_{00}|A_{10}\rangle + \langle A_{01}|A_{11}\rangle &= 0.
\end{aligned}
\tag{5.2}
$$
When the qubit arrives at Bob, it will be entangled with Eve’s qubits.
$$|\varphi\rangle_A |A\rangle_E \xrightarrow{U} |\psi\rangle_{AE} \xrightarrow{\text{to Bob}} |\psi\rangle_{BE}. \tag{5.3}$$
The state Bob gets is described by the reduced density matrix after tracing out Eve (and similarly
for Eve)
$$
\begin{aligned}
\rho_B &= \mathrm{tr}_E\, |\psi\rangle\langle\psi|_{BE}, \\
\rho_E &= \mathrm{tr}_B\, |\psi\rangle\langle\psi|_{BE}.
\end{aligned}
\tag{5.4}
$$
Depending on the message Alice sends and the basis she chooses, each time Bob will receive one
of four different kinds of states $\{\rho_B^{0x}, \rho_B^{1x}, \rho_B^{0z}, \rho_B^{1z}\}$, as given in the following Table 4.

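Errors due to decoherence This kind of coupling (5.1) does not only happen due to the existence
of Eve. Even when there is no eavesdropper, the qubit Bob receives may still couple with the
environment, which leads to decoherence. Similarly, we can model the effect of the environment
as
$$
\begin{aligned}
|0\rangle_A |E\rangle_{\mathrm{env}} &\xrightarrow{U} |0\rangle_z |E_{00}\rangle_{\mathrm{env}} + |1\rangle_z |E_{01}\rangle_{\mathrm{env}}, \\
|1\rangle_A |E\rangle_{\mathrm{env}} &\xrightarrow{U} |0\rangle_z |E_{10}\rangle_{\mathrm{env}} + |1\rangle_z |E_{11}\rangle_{\mathrm{env}},
\end{aligned}
\tag{5.5}
$$
and the state received by Bob is given by $\rho_B = \mathrm{tr}_{\mathrm{env}}\, |\psi\rangle\langle\psi|_{B+\mathrm{env}}$.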


Probability   Alice           Bob measurement   Bob’s state
1/4           $|0\rangle_x$   x basis           $\rho_B^{0x}$
1/4           $|1\rangle_x$   x basis           $\rho_B^{1x}$
1/4           $|0\rangle_z$   z basis           $\rho_B^{0z}$
1/4           $|1\rangle_z$   z basis           $\rho_B^{1z}$

Table 4: Bob’s state depending on Alice’s message and basis

Bit error rate In the presence of Eve’s attacking or decoherence, the state received by Bob will be
mixed and different from the one Alice sends. Therefore, when Alice and Bob do the authentication
step of the BB84 protocol, they will realize that some of the results are wrong. But they will not
know if the errors are due to Eve, the decoherence, or both. Recall that Alice sends one of
$\{|0\rangle_x, |1\rangle_x, |0\rangle_z, |1\rangle_z\}$, each with probability $\frac{1}{4}$. For each case, the states Bob gets after tracing out
the environment and/or Eve are different, and lead to error probabilities $P^{0x}_{\mathrm{error}}, P^{1x}_{\mathrm{error}}, P^{0z}_{\mathrm{error}}, P^{1z}_{\mathrm{error}}$.
Taking all four cases into account, the bit error rate for Bob is
$$\mathrm{BER} = \frac{1}{4}\left(P^{0x}_{\mathrm{error}} + P^{1x}_{\mathrm{error}} + P^{0z}_{\mathrm{error}} + P^{1z}_{\mathrm{error}}\right). \tag{5.6}$$
In the original BB84 protocol, Bob measures in the Z or the X basis. However, in the presence of
errors, this may not be the best measurement to distinguish if Alice prepared a 0 or a 1 since he
has the states $\rho^{0x}$ and $\rho^{1x}$ (in case he chooses X and this coincides with Alice’s choice, which are
the only ones that count). Thus, he would be better off if he performs the measurement that is
able to optimally distinguish $\rho^{0a}$ and $\rho^{1a}$ if he knows (the value of $a = x, z$). If he knows that, the
probability of error will be decreased.

Eavesdropping Remember, in the authorization process, Alice and Bob will reveal the basis they
sent and measured; therefore, a better strategy for Eve is to wait until then and perform the
measurements in the same basis as Bob does. Let us denote Eve’s probability to distinguish $\rho_E^{0x}$ and
$\rho_E^{1x}$ by $P^{x}_{\mathrm{guess}}$, and Eve’s probability to distinguish $\rho_E^{0z}$ and $\rho_E^{1z}$ by $P^{z}_{\mathrm{guess}}$. Again, for doing that she
will carry out the optimal measurement that distinguishes those states. The probability that Eve
has the correct guess is
$$P^{\mathrm{Eve}}_{\mathrm{guess}} = \frac{1}{2}\left(P^{x}_{\mathrm{guess}} + P^{z}_{\mathrm{guess}}\right). \tag{5.7}$$
The guess probability of Eve has to be larger than one half; otherwise, it would be useless because
a random guess will achieve a probability of 1/2.
Note that we have already presented two figures of merit: the bit error rate and the guess probability
of Eve. In practice, Eve wants to know, for a given BER, what is the optimal $P^{E}_{\mathrm{guess}}$. Bob wants
to know, for a given BER, what is the optimal $P^{B}_{\mathrm{guess}}$. In cryptanalysis, one commonly plots the
optimal guess probability as a function of the bit error rate (one example is given in Fig. 3).

Quantum hypothesis testing Bob wants to distinguish $(\rho_B^{0x/z}, \rho_B^{1x/z})$ and Eve wants to distinguish
$(\rho_E^{0x/z}, \rho_E^{1x/z})$. At a high level, both Bob and Eve want to perform the optimal measurement
to distinguish two mixed states. It can be proved that the best success probability to discriminate
two mixed states represented by $\rho_1$ and $\rho_2$ is given by
$$\Pr = \frac{1}{2}\left(1 + \frac{1}{2}\,\|\rho_1 - \rho_2\|_1\right) \tag{5.8}$$
with $\frac{1}{2}\|\rho_1 - \rho_2\|_1$ the trace distance, which is defined as the sum of eigenvalues of $\rho_1 - \rho_2$.

*Interlude: optimal measurements to distinguish two mixed states Given a state $\rho$ which is
known to be either $\rho_0$ or $\rho_1$, our general strategy for discriminating $\rho_0$ and $\rho_1$ (i.e., to assign 0 or 1
based on $\rho_0$, $\rho_1$) will be to perform a POVM $\{E_0, E_1\}$ ($E_0 + E_1 = 1$) and to guess that $\rho = \rho_i$ when
we obtain measurement outcome $i$ ($i = 0, 1$). For each $\rho_i$, a successful guess event happens with
a probability of $\mathrm{tr}[E_i \rho_i]$. Since each state is prepared with an equal probability 1/2, the average
probability of identifying the state correctly is
$$P_{\mathrm{guess}} = \frac{1}{2}\,\mathrm{tr}[E_0 \rho_0] + \frac{1}{2}\,\mathrm{tr}[E_1 \rho_1] \tag{5.9}$$


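Use the normalization property of the POVM: $E_0 + E_1 = 1$.
$$= \frac{1}{2}\,\mathrm{tr}[E_0 \rho_0] + \frac{1}{2}\,\mathrm{tr}[(1 - E_0)\rho_1] \tag{5.10}$$
Use the linearity of the trace operation and the fact that density matrices have unit trace.
$$= \frac{1}{2}\left(1 + \frac{1}{2}\,\mathrm{tr}[(E_0 - E_1)(\rho_0 - \rho_1)]\right). \tag{5.11}$$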
Thus, the remaining problem is to maximize $P_{\mathrm{guess}}$ over all measurement operators. To this end,
we only need to maximize the trace of the matrix $(E_0 - E_1)(\rho_0 - \rho_1)$.
Note that $\rho_0 - \rho_1$ is Hermitian, so we can perform the spectral decomposition
$$\rho_0 - \rho_1 = \sum_{i=1}^{r} \lambda_i\, |\psi_i\rangle\langle\psi_i| = \underbrace{\sum_{i=1}^{m} |\lambda_i| \cdot |\psi_i\rangle\langle\psi_i|}_{T} - \underbrace{\sum_{i=m+1}^{r} |\lambda_i| \cdot |\psi_i\rangle\langle\psi_i|}_{S}, \tag{5.12}$$

where we have ordered the eigenvalues $\lambda_i$ such that $\lambda_i \ge 0$ for $i = 1, \ldots, m$ and $\lambda_i < 0$ for
$i = m + 1, \ldots, r$. In terms of the new positive semi-definite matrices $T, S \ge 0$ defined above,

$$
\begin{aligned}
\mathrm{tr}[(E_0 - E_1)(\rho_0 - \rho_1)] &= \mathrm{tr}(E_0 T) + \mathrm{tr}(E_1 S) - \mathrm{tr}(E_0 S) - \mathrm{tr}(E_1 T) \\
&\le \mathrm{tr}(E_0 T) + \mathrm{tr}(E_1 S)
\end{aligned}
\tag{5.13}
$$

where the inequality follows from the fact that $\mathrm{tr}(A_i T), \mathrm{tr}(A_i S) \ge 0$ for $A_i, S, T \ge 0$. The success
probability is then bounded by
$$P_{\mathrm{guess}} \le \frac{1}{2} + \frac{1}{4} \max_{\substack{E_0, E_1 \\ E_0 + E_1 = 1}} \left( \sum_{i=1}^{m} |\lambda_i|\, \langle\psi_i| E_0 |\psi_i\rangle + \sum_{i=m+1}^{r} |\lambda_i|\, \langle\psi_i| E_1 |\psi_i\rangle \right). \tag{5.14}$$

The upper bound is saturated by choosing $E_0$ and $E_1 = 1 - E_0$ as the projectors onto the positive
and negative eigenspaces of $(\rho_0 - \rho_1)$, respectively,
$$E_0 = \sum_{i=1}^{m} |\psi_i\rangle\langle\psi_i|, \qquad E_1 = \sum_{i=m+1}^{r} |\psi_i\rangle\langle\psi_i|, \tag{5.15}$$

in which case
$$
\begin{aligned}
P^{\mathrm{optimal}}_{\mathrm{guess}} &= \frac{1}{2} + \frac{1}{4} \sum_{i=1}^{r} |\lambda_i| \\
&= \frac{1}{2}\left(1 + \frac{1}{2}\,\|\rho_0 - \rho_1\|_1\right).
\end{aligned}
\tag{5.16}
$$
Here $\|\cdot\|_1$ is the trace norm of the operator and it is equal to the sum of eigenvalues.
In summary, the maximal probability of distinguishing the two states is given by (5.16), and
the best POVM measurement can be understood as a projective measurement in the ONB basis
of $\rho_0 - \rho_1$.

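A simple eavesdropping Let us consider a simple strategy of Eve. Eve takes $|0\rangle \to |0\rangle|E_0\rangle$ and
$|1\rangle \to |1\rangle|E_1\rangle$ with $\langle E_0|E_1\rangle = \alpha \in [0, 1]$. Then, Eve sends the qubit of Alice to Bob, waits until
Bob announces the basis, and then measures in that basis. There are 4 encoded states in BB84:
$\{|0\rangle, |1\rangle, |+\rangle, |-\rangle\}$ and Eve’s action maps these four states to

$$
\begin{aligned}
|0\rangle &\to |0\rangle, \\
|1\rangle &\to |1\rangle, \\
|+\rangle &\to \rho_+ := \frac{1}{2}\left(|0\rangle\langle 0| + |1\rangle\langle 1| + \alpha\, |0\rangle\langle 1| + \alpha\, |1\rangle\langle 0|\right), \\
|-\rangle &\to \rho_- := \frac{1}{2}\left(|0\rangle\langle 0| + |1\rangle\langle 1| - \alpha\, |0\rangle\langle 1| - \alpha\, |1\rangle\langle 0|\right).
\end{aligned}
\tag{5.17}
$$
Alternatively, this could also happen due to the decoherence from the coupling with the environment.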


Bob discriminates the messages Bob needs to discriminate between the states he received from
Alice. If Alice chooses the $\sigma_z$ basis to encode her bit, then Bob is able to discriminate the final
states with unit probability $P_B^z = 1$, because $|0\rangle$ and $|1\rangle$ are orthogonal. In the case where Alice
chooses the $\sigma_x$ basis to encode her bit, the probability that Bob will be able to distinguish the
states $\rho_+$ and $\rho_-$ by a measurement in the $\sigma_x$ basis will be determined by (5.16)
$$
\begin{aligned}
P_B^x &= \frac{1}{2}\,\mathrm{tr}(|+\rangle\langle +|\, \rho_+) + \frac{1}{2}\,\mathrm{tr}(|-\rangle\langle -|\, \rho_-) \\
&= \frac{1}{2} \cdot \frac{1}{4}(2 + \alpha + \alpha) + \frac{1}{2} \cdot \frac{1}{4}(2 + \alpha + \alpha) \\
&= \frac{1}{2}(1 + \alpha).
\end{aligned}
\tag{5.18}
$$
Therefore, given that all four states occur with equal probability in the protocol, the bit error rate
is
$$\mathrm{BER} = 1 - \frac{1}{2}\left(P_B^z + P_B^x\right) = \frac{1}{4}(1 - \alpha). \tag{5.19}$$
Note that this makes sense physically. For $\alpha = 0$, $|E_0\rangle$ and $|E_1\rangle$ are orthogonal, and Bob receives
maximally mixed states, i.e., he is only able to obtain the same success rate as if he were to guess
randomly ($\Pr = 1/2$ and $\mathrm{BER} = 1/4$). Under the ideal situation $\alpha = 1$, the BB84 protocol can
achieve a zero bit error rate $\mathrm{BER} = 0$.

[Figure 3 plot: $P_{\mathrm{Guess}}$ (vertical axis) against Bit Error Rate (horizontal axis).]

Figure 3: The guess probability of Eve as a function of the bit error rate (BER). The black curve
corresponds to the simple strategy we described in the lecture. With a more complicated
scheme that uses more parameters, one can design better strategies, such as the blue curve.

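Eve guesses the messages Following the same line of thought, we can analyze the probability
that Eve obtains the information. The eavesdropping implements the following map

$$
\begin{aligned}
|0\rangle &\to \rho_0 = |E_0\rangle\langle E_0| \\
|1\rangle &\to \rho_1 = |E_1\rangle\langle E_1| \\
|+\rangle &\to \rho_+ = \frac{1}{2}\left(|E_0\rangle\langle E_0| + |E_1\rangle\langle E_1|\right) \\
|-\rangle &\to \rho_- = \frac{1}{2}\left(|E_0\rangle\langle E_0| + |E_1\rangle\langle E_1|\right)
\end{aligned}
\tag{5.20}
$$
First, we note that $\rho_+ = \rho_-$ so the probability of discriminating these two states is $P^x_{\mathrm{Eve}} = 1/2$. To
minimize the error in distinguishing $\rho_0$ and $\rho_1$, Eve should apply the optimal measurement strategy
we discussed above, namely she should measure in the eigenbasis of the operator $|E_0\rangle\langle E_0| - |E_1\rangle\langle E_1|$.
By (5.16), the optimal success probability for discriminating $\rho_0$ and $\rho_1$ is
$$P^z_{\mathrm{Eve}} = \frac{1}{2} + \frac{1}{4}\,\|\rho_0 - \rho_1\|_1 = \frac{1}{2}\left(1 + \sqrt{1 - |\alpha|^2}\right). \tag{5.21}$$
Taking both cases into account, the probability of Eve obtaining the encrypted information $P^{\mathrm{Eve}}_{\mathrm{guess}}$
is
$$P^{\mathrm{Eve}}_{\mathrm{guess}} = \frac{1}{2}\left(1 + \frac{1}{2}\sqrt{1 - \alpha^2}\right). \tag{5.22}$$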


We plot $P^{\mathrm{Eve}}_{\mathrm{guess}}$ as a function of the bit error rate in Fig. 3. Now let us check some special cases to
make sure the result makes sense physically. For $\alpha = 0$, $P^{\mathrm{Eve}}_{\mathrm{guess}} = 3/4$, which is its maximum value,
i.e., Eve is most successful when she uses orthogonal states. For $\alpha = +1$, $P^{\mathrm{Eve}}_{\mathrm{guess}} = 1/2$ and so Eve
has the same success rate as if she were to simply guess the value of the encrypted bit randomly.
Hence with strategy $\alpha = 1$, Eve will never know the transmitted information with certainty.
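
The closed forms (5.18), (5.19), (5.21) and (5.22) can be cross-checked numerically with the added example below, which is not part of the lecture notes. It builds the $2\times 2$ density matrices of (5.17) and (5.20) for real $\alpha$, evaluates the trace norm as the sum $\sum_i |\lambda_i|$ that appears in (5.16), and returns points of the black curve of Fig. 3. The representation $|E_0\rangle = (1, 0)$, $|E_1\rangle = (\alpha, \sqrt{1-\alpha^2})$ and all function names are assumptions of this example.

```python
import math


def outer(u, v):
    """|u><v| for real two-component vectors."""
    return [[u[i] * v[j] for j in range(2)] for i in range(2)]


def sub(a, b):
    return [[a[i][j] - b[i][j] for j in range(2)] for i in range(2)]


def trace_norm(m):
    """Sum of |eigenvalue| of a real symmetric 2x2 matrix (closed form)."""
    mean = (m[0][0] + m[1][1]) / 2
    radius = math.hypot((m[0][0] - m[1][1]) / 2, m[0][1])
    return abs(mean + radius) + abs(mean - radius)


def helstrom(rho_a, rho_b):
    """Optimal success probability (5.16) for two equally likely states."""
    return 0.5 * (1 + 0.5 * trace_norm(sub(rho_a, rho_b)))


def bob_states(alpha):
    """rho_+ and rho_- received by Bob, from (5.17)."""
    h = 0.5 * alpha
    return [[0.5, h], [h, 0.5]], [[0.5, -h], [-h, 0.5]]


def eve_states(alpha):
    """rho_0 and rho_1 held by Eve, from (5.20), with <E0|E1> = alpha."""
    e0 = (1.0, 0.0)
    e1 = (alpha, math.sqrt(1 - alpha * alpha))
    return outer(e0, e0), outer(e1, e1)


def expectation(vec, rho):
    """<vec| rho |vec> = tr(|vec><vec| rho)."""
    return sum(vec[i] * rho[i][j] * vec[j] for i in range(2) for j in range(2))


def bob_x_success(alpha):
    """(5.18): Bob measures sigma_x on rho_+ or rho_-."""
    s = 1 / math.sqrt(2)
    rho_plus, rho_minus = bob_states(alpha)
    return (0.5 * expectation((s, s), rho_plus)
            + 0.5 * expectation((s, -s), rho_minus))


def bit_error_rate(alpha):
    """(5.19) with P_B^z = 1."""
    return 1 - 0.5 * (1.0 + bob_x_success(alpha))


def eve_guess(alpha):
    """(5.22): average of Eve's optimal success in the x and z cases."""
    rho0, rho1 = eve_states(alpha)
    mixed = [[0.5 * (rho0[i][j] + rho1[i][j]) for j in range(2)] for i in range(2)]
    p_x = helstrom(mixed, mixed)        # rho_+ = rho_-, so this is 1/2
    p_z = helstrom(rho0, rho1)          # (5.21)
    return 0.5 * (p_x + p_z)


def figure3_curve(points=5):
    """(BER, P_guess) pairs for alpha running from 1 down to 0."""
    alphas = [1 - i / (points - 1) for i in range(points)]
    return [(bit_error_rate(a), eve_guess(a)) for a in alphas]


if __name__ == "__main__":
    for ber, guess in figure3_curve():
        print(f"BER = {ber:.4f}   P_guess = {guess:.4f}")
```

For this attack `helstrom(*bob_states(alpha))` equals `bob_x_success(alpha)`, so Bob's plain $\sigma_x$ measurement is already the optimal one for $\rho_+$ and $\rho_-$.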

More general strategy More general strategies for Eve may involve entangling all the qubits sent
by Alice with some of her qubits, and performing joint measurements on all of them after the public
discussion. This has been analyzed, and one can find similar curves like the ones presented in the
figure (however, one does not use $P^{E}_{\mathrm{guess}}$ but some other measures of information).

♣♣♣

Acknowledgement.— We thank Adrian O. Paulus for providing their handwritten notes. We thank
Yilun Yang for providing the Tikz codes that inspire Figure 1 and 2.

These lecture notes were kindly provided by Ignacio Cirac and Sirui Lu.
