Towards a Tight Finite Key Analysis for BB84

Transcription

1 The Uncertainty Relation for Smooth Entropies joint work with Charles Ci Wen Lim, Nicolas Gisin and Renato Renner Institute for Theoretical Physics, ETH Zurich Group of Applied Physics, University of Geneva [arxiv: , 2011] Vienna, July 2011

2 1 Entropic Uncertainty Relations Heisenberg s Uncertainty Principle Variance vs. Shannon Entropy Entropic Uncertainty Relation Quantum Memory 2 Uncertainty Relation for Smooth Entropies The Uncertainty Relation for Smooth Entropies Guessing Probability Smooth Min-entropy Smooth Max-entropy 3 Application to Quantum Key Distribution Protocol and Security Numerical Results

3 Heisenberg s Uncertainty Principle Fresh from Wikipedia: In quantum mechanics, the Heisenberg uncertainty principle states by precise inequalities that certain pairs of physical properties, such as position and momentum, cannot be simultaneously known to arbitrarily high precision. That is, the more precisely one property is measured, the less precisely the other can be measured.

4 Heisenberg s Uncertainty Principle Fresh from Wikipedia: In quantum mechanics, the Heisenberg uncertainty principle states by precise inequalities that certain pairs of physical properties, such as position and momentum, cannot be simultaneously known to arbitrarily high precision. That is, the more precisely one property is measured, the less precisely the other can be measured.

5 Heisenberg s Uncertainty Principle Fresh from Wikipedia: In quantum mechanics, the Heisenberg uncertainty principle states by precise inequalities that certain pairs of physical properties, such as position and momentum, cannot be simultaneously known to arbitrarily high precision. That is, the more precisely one property can be measured, the less precisely the other can be measured. Think of it as a gedankenexperiment. No quantum states will be harmed (i.e. measured, forced to collapse) during this talk!

6 Robertson s Uncertainty Relation A common formalization of the uncertainty principle is due to Robertson: σ X σ Z 1 ψ [ ˆX, Ẑ] ψ, 2 where ˆX and Ẑ are two observables, [ ˆX, Ẑ] = ˆX Ẑ Ẑ ˆX is their commutator, ψ is the state of the system before measurement, and σ X and σ Z are the standard deviations of the two potential measurement outcomes.

7 Inadequacies of Robertson s Relation σ X σ Z 1 ψ [ ˆX, Ẑ] ψ 2 The lower bound on the uncertainty in general depends on the state ψ, which might be unknown. The standard deviation is not always a good measure of the uncertainty about the measurement outcome.

8 Uncertainty as Shannon Entropy The Shannon entropy of a random variable X, H(X ), is a functional of the probability distribution over outcomes, Pr[X = x], and not the outcomes themselves. H(X ) := x Pr[X = x] log 2 1 Pr[X = x].

9 Uncertainty as Shannon Entropy The Shannon entropy of a random variable X, H(X ), is a functional of the probability distribution over outcomes, Pr[X = x], and not the outcomes themselves. H(X ) := x Pr[X = x] log 2 1 Pr[X = x]. The entropies of the distributions on the previous slide are ( ) ( ) H = 1 and H 3.

10 Entropic Uncertainty Relation The entropic uncertainty relation gives a lower bound on the sum of the entropies of the two possible measurements in terms of the overlap of the measurements, c. Deutsch, Maassen/Uffink 1988 H(X ) + H(Z) log 2 1 c with c := max x z 2, x,z where x and z are the eigenvectors of the observables ˆX and Ẑ. For general positive operator valued measurements (POVMs) with elements {M x } for X and {N z } for Z, the overlap is c := max x,z M x Nz 2.

11 Quantum Memory What happens when we allow quantum memory? A ψ B

12 Quantum Memory What happens when we allow quantum memory? X σ X A σ Z Z ψ B

13 Quantum Memory What happens when we allow quantum memory? σ X A σ Z ψ σ X B σ Z X Z X Z

14 Quantum Memory What happens when we allow quantum memory? σ X A σ Z ψ σ X B σ Z X Z X Z For this example H(X B) = H(Z B) = 0 while c = 1/2. Hence, the following does not hold in general: H(X B) + H(Z B) log 2 1 c.

15 Uncertainty Relation for Quantum Memory An uncertainty relation is possible if we introduce an additional quantum memory, E. X A ρ ABE Z The monogamy of entanglement helps. B E Berta et al. 2010, Coles et al H(X E) + H(Z B) log 2 1 c.

16 Main Tool The uncertainty relation for smooth entropies: Tomamichel/Renner 2011 For any state ρ ABE, ε 0 and POVMs {M x } and {N z } on A: H ε min(x E) + H ε max(z B) log 2 1 c, c = max M x Nz x,z 2. This generalizes previous results for the Shannon/von Neumann entropy. It has direct applications in quantum cryptography.

17 Guessing Probability Let X be a random variable correlated to a memory E. We denote by p guess (X E) the probability that X is guessed correctly using the optimal strategy with access to E. E is empty: We pick the most probable event and p guess (X ) = max Pr[X = x]. x E is classical: We pick the most probable event given the state of our memory and p guess (X E) = e Pr[E = e] max Pr[X = x E = e]. x

18 Guessing Probability Let X be a random variable correlated to a memory E. We denote by p guess (X E) the probability that X is guessed correctly using the optimal strategy with access to E. E is quantum: The state of the joint system is of the form ρ XE = x Pr[X = x] x x ρ x E, where ρ x E is the state of the memory when x is measured. The guessing probability is p guess (X E) = sup Pr[X = x] tr ( F x ρ x ) E, {F x } where the optimization is over all POVM s {F x } on the quantum memory. x

19 Smooth Min-Entropy The min-entropy is defined as Renner 2005, König/Renner/Schaffner 2009 H min (X E) := log p guess (X E). The smooth min-entropy, Hmin ε (X E), results from a maximization of the min-entropy over an ε-neighborhood of the density operator of the state. It quantifies how many random bits that are independent of the memory E can be extracted from X. Renner/König 2005 l secr H ε min(x E).

20 Smooth Max-Entropy The smooth max-entropy, H ε max(z B), quantifies how many bits of additional information about Z are needed to reconstruct it from B. Renes/Renner 2010 l enc H ε max(z B). If Z = Z 1...Z n is a bit string and B = Z 1...Z n is classical, then H ε max(z 1...Z n Z 1...Z n) nh(δ), where δ is chosen such that the fraction of errors that Z has on Z is smaller than δ with high probability.

21 BB84 Type Protocol Alice encodes a random bit into a qubit in one of two bases, either X or Z, chosen at random. The X bits will be used to extract a key, while the Z are used to check security. She sends the qubit over a public channel to Bob, while the eavesdropper, Eve, may interfere as she wishes. Bob measures the system randomly either in the X or Z basis. Alice and Bob sift the strings containing their binary measurement outcomes so that they contain n bits where both used X, denoted X 1... X n, and k bits where they both used Z, denoted Z 1... Z k. If the security criterion is satisfied, they extract l bits of shared secret key, using classical post-processing (data reconciliation and privacy amplification).

22 Proof Sketch E A 1 B 1 A 2 B 2 A 3 B 3 A 4 B 4. ρ A1...A N B 1...B N E. A N 1 A N B N 1 B N

23 Proof Sketch E X 1 A 1 B 1 X 1 Z 1 A 2 B 2 Z 1 X 2 A 3 B 3 X 2 X 3 A 4 B 4 X 3. ρ A1...A N B 1...B N E X n A N 1 B N 1 X n Z k A N B N Z k.

24 Proof Sketch E X 1 A 1 B 1 X 1 Z 1 A 2 B 2 Z 1 X 2 A 3 B 3 X 2 X 3 A 4 B 4 X 3. ρ A1...A N B 1...B N E X n A N 1 B N 1 X n Z k A N B N Z k. l secr H ε min(x 1...X n E)

25 Proof Sketch E X 1 A 1 B 1 X 1 Z 1 A 2 B 2 Z 1 X 2 A 3 B 3 X 2 X 3 A 4 B 4 X 3. ρ A1...A N B 1...B N E X n A N 1 B N 1 X n Z k A N B N Z k. l secr H ε min(x 1...X n E) n H ε max(ẑ1...ẑn Ẑ 1...Ẑ n)

26 Proof Sketch E X 1 A 1 B 1 X 1 Z 1 A 2 B 2 Z 1 X 2 A 3 B 3 X 2 X 3 A 4 B 4 X 3. ρ A1...A N B 1...B N E X n A N 1 B N 1 X n Z k A N B N Z k. l secr H ε min(x 1...X n E) n H ε max(ẑ1...ẑn Ẑ 1...Ẑ n) n ( 1 h(δ) )

27 Proof Sketch E X 1 A 1 B 1 X 1 Z 1 A 2 B 2 Z 1 X 2 A 3 B 3 X 2 X 3 A 4 B 4 X 3. ρ A1...A N B 1...B N E X n A N 1 B N 1 X n Z k A N B N Z k. l secr Hmin(X ε 1...X n E) n Hmax(Ẑ1. ε..ẑn Ẑ 1...Ẑ n) n ( 1 h(δ) ) n ( ( 1 k ) ) 1 h Z i Z i k i=1

28 Secure Key Rate The extractable ɛ-secure key per block of size N = n + k is l ɛ n ( 1 h(q tol + µ) ) 3 log(3/ɛ) leak EC µ 1/k ln(1/ɛ) is the statistical deviation from the tolerated channel noise, Q tol. k is the number of test bits used for statistics. leak EC nh(q tol ) is the information about the key leaked during error correction. The achievable key rate, l/n, deviates from its optimal asymptotic value, 1 2h(Q tol ), only by (probably unavoidable) terms due to finite statistics.

29 Numerical Results Plot of the expected key rate as function of the block size n for channel bit error rates Q {1%, 2.5%, 5%} (from left to right). The security rate is fixed to ɛ/l =

30 Comparison to Scarani/Renner Asymptotic limit, Q=1.0% Asymptotic limit, Q=2.5% Asymptotic limit, Q=5.0% The plots show the rate l/n as a function of the sifted key size N = n + k and a security bound of ɛ =

31 Conclusion and Outlook The improved finite key bounds are due to the simplicity of the proof via the uncertainty relation. No tomography of single quantum systems is necessary. Instead, the min-entropy of the whole string can be bounded directly. Security against general attacks comes for free no De Finetti or Post-Selection necessary. This proof technique can (hopefully) be applied to other problems in quantum cryptography. As pointed out by Hayashi/Tsurumaru (arxiv: , yesterday), the key rates can be improved when we allow a dynamic protocol that chooses a different l in each run.

32 Thank you for your attention. Any questions?