. 1
( 2)



>>

A Quick Glance at Quantum Cryptography
Samuel J. Lomonaco, Jr.—
Dept. of Comp. Sci. & Elect. Engr.
University of Maryland Baltimore County
1000 Hilltop Circle
Baltimore, MD 21250
E-Mail: Lomonaco@UMBC.EDU
WebPage: http://www.csee.umbc.edu/˜lomonaco
November 8, 1998


Abstract
The recent application of the principles of quantum mechanics to
cryptography has led to a remarkable new dimension in secret commu-
nication. As a result of these new developments, it is now possible to
construct cryptographic communication systems which detect unau-
thorized eavesdropping should it occur, and which give a guarantee of
no eavesdropping should it not occur.


Contents
1 Cryptographic systems before quantum cryptography 3

2 Preamble to quantum cryptography 7

Partially supported by ARL Contract #DAAL01-95-P-1884, ARO Grant #P-38804-
PH-QC, and the L-O-O-P Fund.




1
3 The BB84 quantum cryptographic protocol without noise 10
3.1 Stage 1. Communication over a quantum channel . . . . . . . 12
3.2 Stage 2. Communication in two phases over a public channel . 14
3.2.1 Phase 1 of Stage 2. Extraction of raw key . . . . . . . 14
3.2.2 Phase 2 of Stage 2. Detection of Eve™s intrusion via
error detection . . . . . . . . . . . . . . . . . . . . . . 15

4 The BB84 quantum cryptographic protocol with noise 16
4.1 Stage 1. Communication over a quantum channel . . . . . . . 16
4.2 Stage 2. Communication in four phases over a public channel . 16
4.2.1 Phase 1 of Stage 2. Extraction of raw key . . . . . . . 16
4.2.2 Phase 2 of Stage 2. Estimation of error in raw key . . . 17
4.2.3 Phase 3 of Stage 2. Extraction of reconciled key . . . . 17
4.2.4 Phase 4 of Stage 2. Privacy ampli¬cation, i.e., extrac-
tion of ¬nal secret key . . . . . . . . . . . . . . . . . . 18
4.3 “Priming the pump” to start authentication . . . . . . . . . . 18

5 The B92 quantum cryptographic protocol 19
5.1 Stage 1. Communication over a quantum channel . . . . . . . 19
5.1.1 Stage 2. Communication in four phases over a public
channel . . . . . . . . . . . . . . . . . . . . . . . . . . 21

6 EPR quantum cryptographic protocols 21
6.1 Stage 1. Communication over a quantum channel . . . . . . . 23
6.2 Stage 2. Communication over a public channel . . . . . . . . . 23
6.2.1 Phase 1 of Stage2. Separation of key into raw and
rejected keys . . . . . . . . . . . . . . . . . . . . . . . 23
6.2.2 Phase 2 of Stage 2. Detection of Eve™s presence with
Bell™s inequality applied to rejected key . . . . . . . . . 24
6.2.3 Phase 3 of Stage 2. Reconciliation . . . . . . . . . . . . 24

7 Other protocols 25

8 Eavesdropping strategies and counter measures 25
8.1 Opaque eavesdropping . . . . . . . . . . . . . . . . . . . . . . 25
8.2 Translucent eavesdropping without entanglement . . . . . . . 25
8.3 Translucent eavesdropping with entanglement . . . . . . . . . 26
8.4 Countermeasures to Eve™s eavesdropping strategies . . . . . . 26


2
9 Conclusion 26

10 Acknowledgment 28

11 Addendum 28

12 Appendix A. The no cloning theorem 29

13 Appendix B. Proof that an undetectable eavesdropper can
obtain no information from the B92 protocol 30

14 Appendix C. Part of a Rosetta stone for quantum mechanics. 31
14.1 Polarized light: Part I. The classical perspective . . . . . . . . 31
14.2 A Rosetta stone for Dirac notation: Part I. Bras, kets, and
bra-(c)-kets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
14.3 Polarized light: Part II. The quantum mechanical perspective 34
14.4 A Rosetta stone for Dirac notation: Part II. Operators . . . . 36
14.5 Quantum measurement: General principles . . . . . . . . . . . 39
14.6 Polarized light: Part III. Three examples of quantum mea-
surement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
14.7 A Rosetta stone for Dirac notation: Part III. Expected values 41
14.8 Dynamics of closed quantum systems: Unitary transforma-
tions, the Hamiltonian, and Schr¨dinger™s equation . . . . . .
o 42
14.9 There is much more to quantum mechanics . . . . . . . . . . . 43

15 References 44


1 Cryptographic systems before quantum cryp
tography
A brief description of a classical cryptographic system (CCS) [106] is illus-
trated in Fig. 1.




3
Figure 1. A classical cryptographic communication system.

A message, called plaintext P , is encrypted via a secret key K into
ciphertext C, sent over a non-secure communication channel, and ¬nally
decrypted via a secret key K back into readable plaintext P . Following the
conventions of the cryptographic literature, we will refer to the transmitter
as Alice, to the receiver as Bob, and to an adversarial eavesdropper as Eve.
There are classical cryptographic systems which are perfectly secure
(see [106]), such as the Vernam cipher, better know as the one time pad,
which uses a perfectly random key K equal in length to the length of the
message. The chief practical di¬culty with such perfectly secure systems
is that Alice must ¬rst communicate a random key in secret via some to-
tally secure channel. In most cases, the length of the key makes this secure
communication impractical and too costly. Because of the large cost of trans-


4
mitting such long keys over a secure channel, Alice is frequently tempted to
use the same key twice. If she makes this fatal mistake, then her ciphertext
immediately changes from being perfectly secure to ciphertext that is easily
read by Eve.
Thus, for almost all practical cryptographic systems, the key K is sub-
stantially shorter than the length of the plaintext. As a result, the ciphertext
is no longer perfectly secure. However, if the encryption method and key K
are wisely chosen, then Alice™s communication to Bob will be practically
secure. By “practically secure,” we mean that, although adversary Eve is
theoretically able to decrypt Alice and Bob™s communication without any
knowledge of their key, she can not do so because the required computa-
tional time and resources are simply beyond her capability and means. The
Data Encryption Standard (DES) is believed to be an example of such
a practically secure encryption system. (See for example [110].)
In any case, one Achilles heal of classical cryptographic communication
systems is that secret communication can only take place after a key is com-
municated in secret over a totally secure communication channel. This is
frequently referred to as the “catch 22” of cryptography, i.e.,


Catch 22: Before Alice and Bob can communicate in secret, they must ¬rst
communicate in secret.


There is even more to this catch 22, namely:


Catch 22a: Even if Alice and Bob somehow succeed in communicating
their key over a secure communication channel, there is simply no classical
cryptographic mechanism guaranteeing with total certainty that their key
was transmitted securely, i.e., that their “secure” communication channel is
free of Eve™s unauthorized intrusion.


As we shall see, quantum encryption does provide a means of circumvent-
ing this impasse of intrusion detection.




5
A proposed solution to the catch 22 of classical cryptographic communi-
cation systems is the modern public key cryptographic system (PKCS)
as illustrated in Fig. 2. (See [49] [50].)
For public key cryptographic systems, it is no longer necessary for Alice
and Bob to exchange key over a secure channel. Instead, Alice and Bob both
create their own individual encryption/decryption key pairs (EA, DA ) and
(EB , DB ), respectively. Then they both keep their decryption keys DA and
DB secret from everyone, including each other, and “publish” or publicly
broadcast their encryption keys EA and EB for the entire world to see. The
security of such a public key cryptographic system depends on the selection
of an encryption/decryption algorithm which is a trapdoor function. As
a result, recovering the decryption key from the encryption key is computa-
tionally infeasible. The RSA public key cryptographic system is believed to
be an example of such a cryptographic system. (See for example [110].)




Figure 2. A public key cryptographic communication system.

One major drawback to public key cryptographic systems is that no one
has yet been able to prove that practical trapdoor functions exist. As a result,
no one is really sure how secure such public key cryptographic systems are.
Moreover, if researchers succeed in building a feasible quantum computer,
Shor™s quantum factoring algorithm [108] could break RSA easily, i.e., in
polynomial time.

6
Yet another drawback to public key cryptographic systems is that, in
terms of some everyday implementations, such systems frequently do not
circumvent the catch 22 of classical cryptography after all. The keys for many
practical public key cryptographic systems are frequently managed by a key
bank that is independent of Alice and Bob. Thus, secret communications
over a secure channel from the key bank to Alice and Bob are required before
Alice and Bob can secretly communicate.

Finally, it should be noted that the most important contribution of quan-
tum cryptography is a mechanism for detecting eavesdropping. This is a
totally new contribution to the ¬eld of cryptography. Neither classical cryp-
tographic systems nor public key cryptographic systems have such a capa-
bility. In the next section, we will see how quantum mechanics provides a
means for detecting intrusion.




2 Preamble to quantum cryptography
The recent results in quantum cryptography are based on the Heisenberg
uncertainty principle of quantum mechanics1. Using standard Dirac no-
tation2 , this principle can be succinctly stated as follows:

Heisenberg Uncertainty Principle: For any two quantum mechanical
observables A and B
1
(∆B)2 ≥
(∆A)2 2
[A, B] ,
4
where

∆A = A ’ A ∆B = B ’ B ,
and

and where

[A, B] = AB ’ BA.
1
For those not familiar with quantum mechanics, please refer to appendix C for a quick
overview.
2
As outlined in Appendix C


7
Thus, (∆A)2 and (∆B)2 are variances which measure the uncertainty
of observables A and B. For incompatible observables, i.e., for observables
A and B such that [A, B] = 0, reducing the uncertainty (∆A)2 of A forces
the uncertainty (∆B)2 of B to increase, and vice versa. Thus the observ-
ables A and B can not be simultaneously measured to arbitrary precision.
Measuring one of the observables interferes with the measurement of the
other.


Young™s double slit experiment is an example suggesting how Heisen-
berg™s uncertainty principle could be used for detecting eavesdropping in a
cryptographic communications. This experiment is illustrated in Fig. 3.




Figure 3. Young™s double slit experiment when electron trajectories are not
observed. The ¬rst of two incompatible observables is measured.

An electron gun randomly emits electrons over a fairly large angular
spread. In front of the gun is a metal wall with two small slits. Beyond the
wall is a backstop that absorbs the electrons that pass through the two slits.
The probability density pattern of the absorbed electrons is described by the
curves P1 , P2 , and P21 which, for the convenience of the reader, have been
drawn behind the backstop. The curve P1 denotes the probability density

8
pattern if only slit 1 is open. The curve P2 denotes the probability density
pattern if only slit 2 is open. Finally, the curve P12 denotes the probability
density pattern if both slits 1 and 2 are open. Thus, P12 shows a quantum
mechanical interference pattern demonstrating the wave nature of electrons.




Figure 4. Young™s double slit experiment when electron trajectories are
observed by Eve. The second of two incompatible observables is measured.

Comparing this with our description of a classical cryptographic system,
the electron gun can be thought of as the transmitter Alice. And the inter-
ference pattern P12 can be thought of as the message received by Bob. If
however, Eve tries to eavesdrop by trying to detect through which slit each
electron passes, as illustrated in Fig. 4, the interference pattern P12 is de-
stroyed and replaced by the bell curve P12 (which is a classical superposition
of curves P1 and P2 ) drawn in Fig. 4, thus demonstrating the particle nature
of the electron. As a result, Bob knows with certainty that Eve is eavesdrop-
ping in on his communication with Alice. Bob knows that, because of the
Heisenberg uncertainty principle, both the wave and particle natures of the
electron can not be simultaneously detected.




9
In the next sections, we describe a number of methods, i.e., quantum
cryptographic communication protocols, that utilize the Heisenberg
uncertainty principle to communicate random binary sequences (i.e., keys)
with automatic eavesdrop detection. These quantum communication pro-
tocols provide a means of circumventing the “catch 22” of classical crypto-
graphic systems. As a result, the perfect security of the Vernam cipher (i.e.,
one-time-pad) is an inexpensively implementable reality.
All the quantum cryptographic systems we discuss in this paper can be
implemented by transmissions over ¬ber optic cable of individual photons,
each with a single bit encoded in its quantum mechanical state space. We
describe all of these systems in terms of the polarization states of a single
photon. It should be noted that they could equally well be described in
terms of any two-state quantum system. Examples of such a system include
a spin- 1 particle, and a two-state level atom.
2
The quantum cryptographic protocols discussed will of necessity use some
encoding scheme (or schemes) which associates the bits 0 and 1 with distinct
quantum states. We call such an association a quantum alphabet. Should
the associated states be orthogonal, we call the encoding scheme an orthog-
onal quantum alphabet.




3 The BB84 quantum cryptographic protocol
without noise
The ¬rst quantum cryptographic communication protocol, called BB84, was
invented in 1984 by Bennett and Brassard [10]3. This protocol has been
experimentally demonstrated to work for a transmission over 30 km of ¬ber
optic cable [101] [111] [112] [113], and also over free space for a distance of
over one hundred meters[80] [67]. It is speculated, but not yet experimentally
veri¬ed, that the BB84 protocol should be implementable over distances of
at least 100 km.
In this section we describe the BB84 protocol in a noise free environ-
ment. In the next section, we extend the protocol to one in which noise is
considered.4
3
Quantum cryptographic protocols evolved from the earlier work of Wiesner [117].
4
The proofs given in this and the next section are based on the assumption that Eve uses

10
We now describe the BB84 protocol in terms of the polarization states of
a single photon. Please note that the BB84 protocol could equally well be
described in terms of any other two-state quantum system.

Let H be the two dimensional Hilbert space whose elements representate
the polarization states of a single photon. In describing BB84, we use two
di¬erent orthogonal bases of H. They are the circular polarization basis,
which consists of the kets

| and |

for right and left circular polarization states, respectively, and the lin-
ear polarization basis which consists of the kets

| and |”

for vertical and horizontal linear polarization states, respectively.
The BB84 protocol utilizes any two incompatible orthogonal quantum
alphabets in the Hilbert space H. For our description of BB84, we have
selected the circular polarization quantum alphabet A

Symbol Bit
| 1
| 0

Circular Polarization
Quantum Alphabet A

and the linear polarization quantum alphabet A
Symbol Bit
| 1
|” 0

Linear Polarization
Quantum Alphabet A


the opaque eavedropping strategy. Other eavesdropping strategies are brie¬‚y discussed
in section 8 of this paper.

11
Bennett and Brassard note that, if Alice were to use only one speci¬c
orthogonal quantum alphabet for her communication to Bob, then Eve™s
eavesdropping could go undetected. For Eve could intercept Alice™s trans-
mission with 100% accuracy, and then imitate Alice by retransmitting her
measurements to Bob. If, for example, Alice used only the orthogonal quan-
tum alphabet A , then Eve could measure each bit of Alice™s transmission
with a device based on some circular polarization measurement operator such
as

| | | |
or

Or if, Alice used only the orthogonal quantum alphabet A , then Eve could
measure each transmitted bit with a device based on some linear polarization
measurement operator such as

| | |” ”|
or

The above strategy used by Eve is called opaque eavesdropping [55]. (We
will consider other and more sophisticated eavesdropping strategies later.)


To assure the detection of Eve™s eavesdropping, Bennett and Brassard
require Alice and Bob to communicate in two stages, the ¬rst stage over
a one-way quantum communication channel from Alice to Bob, the second
stage over a two-way public communication channel. (Please refer to Figure
5.)




3.1 Stage 1. Communication over a quantum channel


In the ¬rst stage, Alice is required, each time she transmits a single bit,
to use randomly with equal probability one of the two orthogonal alphabets
A or A . Since no measurement operator of A is compatible with any
measurement operator of A , it follows from the Heisenberg uncertainty
principle that no one, not even Bob or Eve, can receive Alice™s transmission
with an accuracy greater than 75%.

12
Figure 5. A quantum cryptographic communication system for securely
transfering random key.

This can be seen as follows. For each bit transmitted by Alice, one can
choose a measurement operator compatible with either A or A , but not
both. Because of incompatibility, there is no simultaneous measurement
operator for both A and A . Since one has no knowledge of Alice™s secret
choice of quantum alphabet, 50% of the time (i.e., with probability 1 ) one
2
will guess correctly, i.e., choose a measurement operator compatible with
Alice™s choice, and 50% of the time (i.e., with probability 1 ) one will guess
2
incorrectly. If one guesses correctly, then Alice™s transmitted bit is received
with probability 1. On the other hand, if one guesses incorrectly, then Alice™s
transmitted bit is received correctly with probability 1 . Thus in general, the
2
probability of correctly receiving Alice™s transmitted bit is
1 11 3
·1+ · =
P=
2 22 4



13
For each bit transmitted by Alice, we assume that Eve performs one of
two actions, opaque eavesdropping with probability », 0 ¤ » ¤ 1, or no
eavesdropping with probability 1 ’ ». Thus, if » = 1, Eve is eavesdropping
on each transmitted bit; and if » = 0, Eve is not eavesdropping at all.


Because Bob™s and Eve™s choice of measurement operators are stochas-
tically independent of each other and of Alice™s choice of alphabet, Eve™s
eavesdropping has an immediate and detectable impact on Bob™s received
bits. Eve™s eavesdropping causes Bob™s error rate to jump from 1 to
4

1 3 1»
(1 ’ ») + » = +
4 8 48
Thus, if Eve eavesdrops on every bit, i.e., if » = 1, then Bob™s error rate
jumps from 1 to 3 , a 50% increase.
4 8


3.2 Stage 2. Communication in two phases over a pub-
lic channel


In stage 2, Alice and Bob communicate in two phases over a public channel
to check for Eve™s presence by analyzing Bob™s error rate.

3.2.1 Phase 1 of Stage 2. Extraction of raw key



Phase 1 of stage 2 is dedicated to eliminating the bit locations (and
hence the bits at these locations) at which error could have occurred without
Eves eavesdropping. Bob begins by publicly communicating to Alice which
measurement operators he used for each of the received bits. Alice then
in turn publicly communicates to Bob which of his measurement operator
choices were correct. After this two way communication, Alice and Bob
delete the bits corresponding to the incompatible measurement choices to
produce shorter sequences of bits which we call respectively Alice™s raw
key and Bob™s raw key.



14
If there is no intrusion, then Alice™s and Bob™s raw keys will be in total
agreement. However, if Eve has been at work, then corresponding bits of
Alice™s and Bob™s raw keys will not agree with probability
1 »
0 · (1 ’ ») + ·» =
4 4

3.2.2 Phase 2 of Stage 2. Detection of Eve™s intrusion via error
detection



Alice and Bob now initiate a two way conversation over the public channel
to test for Eve™s presence.
In the absence of noise, any discrepancy between Alice™s and Bob™s raw
keys is proof of Eve™s intrusion. So to detect Eve, Alice and Bob select a
publicly agreed upon random subset of m bit locations in the raw key, and
publicly compare corresponding bits, making sure to discard from raw key
each bit as it is revealed.
Should at least one comparison reveal an inconsistency, then Eve™s eaves-
dropping has been detected, in which case Alice and Bob return to stage 1
and start over. On the other hand, if no inconsistencies are uncovered, then
the probability that Eve escapes detection is:
m
»
1’
Pf alse =
4

For example, if » = 1 and m = 200, then
200
3
≈ 10’25
Pf alse =
4

Thus, if Pf alse is su¬ciently small, Alice and Bob agree that Eve has not
eavesdropped, and accordingly adopt the remnant raw key as their ¬nal
secret key.




15
4 The BB84 quantum cryptographic protocol
with noise
In this section, the BB84 protocol is extended to a noisy environment. Since,
in a noisy environment, Alice and Bob can not distinguish between error
caused by noise and error caused by Eve™s eavesdropping, they must and do
adopt the assumption that all errors in raw key are caused by Eve.


As before, there are two stages to the protocol.

4.1 Stage 1. Communication over a quantum channel


This stage is exactly the same as before, except that errors are now also
induced by noise.

4.2 Stage 2. Communication in four phases over a
public channel


In stage 2, Alice and Bob communicate over a public channel in four
phases. Phase 1 is dedicated to raw key extraction, phase 2 to error esti-
mation, phase 3 to reconciliation, i.e., to reconciled key extraction, and
phase 4 to privacy ampli¬cation, i.e., extraction of ¬nal secret key.

4.2.1 Phase 1 of Stage 2. Extraction of raw key



This stage is the same as before, except Alice and Bob also delete those
bit locations at which Bob should have received but did not receive a bit.
Such “non-receptions” could be caused by Eve™s intrusion or by dark counts
in Bob™s detecting device. The location of the dark counts are, of course,
communicated by Bob to Alice over the public channel.



16
4.2.2 Phase 2 of Stage 2. Estimation of error in raw key



Alice and Bob now use the public channel to estimate the error rate in
raw key. They publicly select and agree upon a random sample of raw key,
publicly compare these bits to obtain an estimate R of the error-rate. These
revealed bits are discarded from raw key. If R exceeds a certain threshold
RM ax, then it will be impossible for Alice and Bob to arrive at a common
secret key. If so, Alice and Bob return to stage 1 to start over. On the other
hand, If the error estimate R does not exceed RM ax, then Alice and Bob
move onto phase 3.

4.2.3 Phase 3 of Stage 2. Extraction of reconciled key



In phase 35 , Alice and Bob™s objective is to remove all errors from what
remains of raw key to produce an error free common key, called reconciled
key. This phase is of course called reconciliation, and takes place in two
steps [6] .
In step 1, Alice and Bob publicly agree upon a random permutation,
and apply it to what remains of their respective raw keys. Next Alice and
Bob partition the remnant raw key into blocks of length , where the length
is chosen so that blocks of this length are unlikely to contain more than
one error. For each of these blocks, Alice and Bob publicly compare overall
parity checks, making sure each time to discard the last bit of the compared
block. Each time a overall parity check does not agree, Alice and Bob initiate
a binary search for the error, i.e., bisecting the block into two subblocks,
publicly comparing the parities for each of these subblocks, discarding the
right most bit of each subblock. They continue their bisective search on the
subblock for which their parities are not in agreement. This bisective search
continues until the erroneous bit is located and deleted. They then continue
to the next -block.
Step 1 is repeated, i.e., a random permutation is chosen, remnant raw
key is partitioned into blocks of length , parities are compared, etc. This is
done until it becomes ine¬cient to continue in this fashion.
5
The procedure given in Phase 3 Stage 2 is only one of many possible procedures. In
fact, there are now much more e¬cient procedures than the procedure described below.

17
Alice and Bob then move to step 2 by using a more re¬ned reconciliation
procedure. They publicly select randomly chosen subsets of remnant raw
key, publicly compare parities, each time discarding an agreed upon bit from
their chosen key sample. If a parity should not agree, they employ the binary
search strategy of step 1 to locate and delete the error.
Finally, when, for some ¬xed number N of consecutive repetitions of step
2, no error is found, Alice and Bob assume that to a very high probability, the
remnant raw key is without error. Alice and Bob now rename the remnant
raw key reconciled key, and move on to the ¬nal and last phase of their
communication.

4.2.4 Phase 4 of Stage 2. Privacy ampli¬cation, i.e., extraction of
¬nal secret key



Alice and Bob now have a common reconciled key which they know is
only partially secret from Eve. They now begin the process of privacy
ampli¬cation, which is the extraction of a secret key from a partially secret
one [6] [13].
Based on their error estimate R, Alice and Bob obtain an upper bound
k of the number of bits known by Eve of their n bits of reconciled key. Let
s be a security parameter that Alice and Bob adjust as desired. They then
publicly select n ’ k ’ s random subsets of reconciled key, without revealing
their contents, and without revealing their parities. The undisclosed parities
become the common ¬nal secret key. It can be shown that Eve™s average
information about the ¬nal secret key is less than 2’s / ln 2 bits.




4.3 “Priming the pump” to start authentication
Unfortunately, there is no known way to initiate authentication without ini-
tially exchanging secret key over a secure communication channel. So, quan-
tum protocols have not entirely overcome the “catch 22” of classical cryp-
tography. However, this secret key exchange for authentication need only
be done once. Thereafter, a portion of the secure key communicated via a
quantum protocol can be used for authentication.


18
5 The B92 quantum cryptographic protocol
As with the BB84 quantum protocol, the B92 protocol [7] can be described
in terms of any quantum system represented by a two dimensional Hilbert
space. For our description, we choose the two dimensional Hilbert space H
representing the polarization states of a single photon.
B92 can be implemented in terms of any non-orthogonal basis. We choose
as our non-orthogonal basis the kets

|θ and θ,

where |θ and θ denote respectively the kets representing the polarization
state of a photon linearly polarized at an angle θ and an angle ’θ with
respect to the vertical, where 0 < θ < π/4.
Unlike BB84 which requires two orthogonal quantum alphabets, B92 re-
quires only a single non-orthogonal quantum alphabet. We choose the non-
orthogonal quantum alphabet Aθ :

Symbol Bit
|θ 1
θ 0

Linear Polarization
Quantum Alphabet Aθ


As in BB84, Alice and Bob communicate in two stages, the ¬rst over a
one-way quantum channel, the second over a two-way public channel.




5.1 Stage 1. Communication over a quantum channel
Alice uses the quantum alphabet Aθ to send her random binary sequence to
Bob. Since |θ and θ are not orthogonal, there is no one experiment that
will unambiguously distinguish between these two polarization states.

19
Bob can use one of many possible measurement strategies. Bennett [7]
suggests the measurements be based on the two incompatible experiments
corresponding to the projection operators
P¬θ = 1 ’ |θ θ| and P¬θ = 1 ’ θ θ
In this case, Bob either correctly detects Alice™s transmitted bit, or an am-
biguous result, i.e., an erasure, denoted by “?”. Assuming that Alice trans-
mits 0™s and 1™s at random with equal probability and that, for each incoming
bit, Bob at random with equal probability chooses to base his experiment
on either of the incompatible operators P¬θ or P¬θ , then the probability of
Bob™s correctly receiving Alice™s transmission is
2
1’ θ|θ
2
and the probability of receiving an erasure is
2
θ|θ
1+
2
where
θ|θ = cos (2θ)
and where 0 < θ < π/4. Thus, Bob receives more than 50% erasures.


On the other hand, Ekert et al [55] suggest a more e¬cient measurement
process for Bob. They suggest that Bob base his experiments on the positive
operator valued measure (POVM) [36] [99] consisting of the operators
P¬θ P¬θ
, and A? = 1 ’ Aθ ’ Aθ
Aθ = , Aθ =
1+ θ |θ 1+ θ |θ
With this more e¬cient detection method, the probability of an inconclusive
result is now
θ|θ = cos (2θ)
where again 0 < θ < π/4.



20
5.1.1 Stage 2. Communication in four phases over a public chan-
nel
Stage2 for the B92 protocol is the same as that for the BB84 protocol except
for phase 1.


In phase 1 of stage 2, Bob publicly informs Alice as to which time slots he
received non-erasures. The bits in these time slots become Alice™s and Bob™s
raw keys.
Eve™s presence is detected by an unusual error rate in Bob™s raw key. It
is also possible to detect Eve™s presence by an unusual erasure rate for Bob.
However, Ekert et al [55] do point out that Eve can choose eavesdropping
strategies which have no e¬ect on the erasure rate, and hence, can only be
detected by unusual error rates in Bob™s raw key6.




6 EPR quantum cryptographic protocols
Ekert in [60] has devised a quantum protocol based on the properties of
quantum-correlated particles.


Einstein, Podolsky, and Rosen (EPR) in the their famous 1935 paper [64]
challenged the foundations of quantum mechanics by pointing out a “para-
dox.” There exist spatially separated pairs of particles, henceforth called
EPR pairs, whose states are correlated in such a way that the measure-
ment of a chosen observable A of one automatically determines the result of
the measurement of A of the other. Since EPR pairs can be pairs of particles
separated at great distances, this leads to what appears to be a paradoxical
“action at a distance.”
For example, it is possible to create a pair of photons (each of which we
label below with the subscripts 1 and 2, respectively) with correlated linear
polarizations. An example of such an entangled state is given by
1 π π
|„¦0 = √ |0 1 ’ |0
21 2
22
2
6
This is true for all 2-state protocols. On the other hand, for n-state protocols with
n > 2, Eve™s presence is always detectable from rejected key. See section 7 of this paper.

21
where the notation |θ has been de¬ned in the previous section. Thus, if
one photon is measured to be in the vertical linear polarization state |0 , the
other, when measured, will be found to be in the horizontal linear polarization
state |π/2 , and vice versa.
Einstein et al [64] then state that such quantum correlation phenomena
could be a strong indication that quantum mechanics is incomplete, and that
there exist “hidden variables,” inaccessible to experiments, which explain
such “action at a distance.”
In 1964, Bell [4] gave a means for actually testing for locally hidden
variable (LHV) theories. He proved that all such LHV theories must satisfy
the Bell inequality. Quantum mechanics has been shown to violate the
inequality.


The EPR quantum protocol is a 3-state protocol that uses Bell™s in-
equality to detect the presence or absence of Eve as a hidden variable. Fol-
lowing the theme of this paper, we now describe this protocol in terms of the
polarization states of an EPR photon pair. As the three possible polarization
states of our EPR pair, we choose

|„¦0 = |0 ’ |0
1 3π 3π
√ .
1 2
62 61
2


|„¦1 = ’
1 π 4π 4π π
√ , and
61 62 6162
2


|„¦2 = ’
1 2π 5π 5π 2π

6162 6162
2




For each of these states, we choose the following corresponding mutually
non-orthogonal alphabets A0, A1 ,and A2, given by the following tables:

Symbol Bit Symbol Bit Symbol Bit
|0 π 2π
0 0 0
6 6
3π 4π 5π
1 1 1
6 6 6


Linear Polarization Linear Polarization Linear Polarization
Quantum Alphabet A0 Quantum Alphabet A1 Quantum Alphabet A

The corresponding measurement operators chosen for these alphabets are

22
respectively
π π 2π 2π
M0 = |0 0| , M1 = , and M2 =
6 6 6 6


As with the BB84 and B92 , there are two stages to the EPR protocol,
the ¬rst stage over a quantum channel, the second over a public channel.



6.1 Stage 1. Communication over a quantum channel
For each time slot, a state |„¦j is randomly selected with equal probability
from the set of states {|„¦0 , |„¦1 , |„¦2 }. Than an EPR pair is created in
the selected state |„¦j . One photon of the constructed EPR pair is sent to
Alice, the other to Bob. Alice and Bob at random with equal probability
separately and independently select one of the three measurement operators
M0, M1 , and M2 , and accordingly measure their respective photons. Alice
records her measured bit. On the other hand, Bob records the complement
of his measured bit. This procedure is repeated for as many time slots as
needed.



6.2 Stage 2. Communication over a public channel
In stage 2, Alice and Bob communicate over a public channel.

6.2.1 Phase 1 of Stage2. Separation of key into raw and rejected
keys
In phase 1 of stage 2, Alice and Bob carry on a discussion over a public chan-
nel to determine those bit slots at which they used the same measurement
operators. They each then separate their respective bit sequences into two
subsequences. One subsequence, called raw key, consists of those bit slots at
which they used the same measurement operators. The other subsequence,
called rejected key, consists of all the remaining bit slots.



23
6.2.2 Phase 2 of Stage 2. Detection of Eve™s presence with Bell™s
inequality applied to rejected key
Unlike the BB84 and B92 protocols, the EPR protocol, instead of discarding
rejected key, actually uses it to detect Eve™s presence. Alice and Bob now
carry on a discussion over a public channel comparing their respective re-
jected keys to determine whether or not Bell™s inequality is satis¬ed. If it is,
Eve™s presence is detected. If not, then Eve is absent.


For the EPR protocol, Bell™s inequality can be written as follows. Let
P (=| i, j) denote the probability that two corresponding bits of Alice™s and
Bob™s rejected keys do not match given that the measurement operators
chosen by Alice and Bob are respectively either Mi and Mj or Mj and Mi .
Let P (=| i, j) = 1 ’ P (=| i, j). Let
∆ (i, j) = P (=| i, j) ’ P (=| i, j)
Finally, let

β = 1 + ∆ (1, 2) ’ |∆ (0, 1) ’ ∆ (0, 2)|



Then Bell™s inequality in this case reduces to
β≥0

Moreover, for quantum mechanics (i.e., no hidden variables)
1
β=’
2
which is a clear violation of Bell™s inequality.



6.2.3 Phase 3 of Stage 2. Reconciliation
In the presence of noise, the remaining phase of the EPR protocol is recon-
ciliation, as described in the BB84 and B92 protocols.



24
7 Other protocols
It is not possible to cover all possible quantum protocols in this paper. There
is the EPR protocol with a single particle. There is also a 2-state EPR
implementation of the BB84 protocol. For details, see [12] [46]. For various
multiple state and rejected data protocols, see [21].




8 Eavesdropping strategies and counter mea-
sures
There are many eavesdropping strategies available to Eve. (See for example
[55],[24].) We list only a few.




8.1 Opaque eavesdropping
For this strategy, Eve intercepts Alice™s message, and then masquerades as
Alice by sending her received message on to Bob. Opaque eavesdropping
has already been discussed in sections 4 and 5 of this paper. For more
information, the reader is referred to [55].




8.2 Translucent eavesdropping without entanglement
For this strategy, Eve makes the information carrier interact unitarily with
her probe, and then lets it proceed on to Bob in a slightly modi¬ed state.
In the case of the B92 protocol, Eve™s detection probe with initial state |Ψ
would perform a unitary transformation U of the form
±
 |θ |Ψ ’ U |θ |Ψ = |θ |Ψθ


 θ |Ψ ’ U θ |Ψ = θ |Ψθ



25
where |θ and θ denote the slightly changed states received by Bob after
the action of the probe, and where |Ψθ and |Ψθ denote the states of the
probe after the transformation.. We refer the reader to [55] for an in depth
analysis of this eavesdropping strategy.



8.3 Translucent eavesdropping with entanglement
For this strategy, Eve entangles the state of her probe and the carrier, and
then she sends the carrier on to Bob. In the case of the B92 protocol, Eve™s
detection probe with initial state |Ψ would perform a unitary transformation
U of the form
±
 |θ |Ψ ’ U |θ |Ψ = a |θ |Ψθ + b θ |Ψθ

θ |Ψ ’ U θ |Ψ = b |θ |Ψθ + a θ |Ψθ
We refer the reader to [55], [24] for an in depth analysis of this eavesdropping
strategy.



8.4 Countermeasures to Eve™s eavesdropping strate-
gies
As far as the author has been able to determine, all quantum intrusion detec-
tion algorithms in the open literature depend on some assumption as to which
eavesdropping strategy is chosen by Eve. It is important that eavesdropping
algorithms be developed that detect Eve™s intrusion no matter which eaves-
dropping strategy she chooses to use. (For some insight in intrusion detection
algorithms, the reader is referred to [55],[24].)




9 Conclusion
It is not easy to emphasize how dramatic an impact the application of quan-
tum mechanics has had and will have on cryptographic communication sys-

26
tems. From the perspective of defensive cryptography, it is now within the
realm of possibility to build practical cryptographic systems which check for,
detect, and prevent unauthorized intrusion. Quantum mechanics provides
an intrusion detection mechanism never thought possible within the world
of classical cryptography. Most importantly, the feasibility of these methods
has been experimentally veri¬ed in a laboratory setting.
Moreover, from the perspective of o¬ensive cryptography, the application
of quantum mechanics to computation also holds forth the promise of a dra-
matic increase of computational parallelism for cryptanalytic attacks. Shor™s
quantum factoring algorithm [107] [57] is just one example of such potential.
However, unlike quantum protocols, quantum computational parallelism has
yet to be fully veri¬ed in a laboratory setting.


Much remains to be done before quantum cryptography is a truly prac-
tical and useful tool for cryptographic communication. We list below some
of the areas in need of development:

• Quantum protocols need to be extended to a computer network setting.
(See [102] and [115].)

• More sophisticated error correction and detection techniques need to
be implemented in quantum protocols. (See [6], [13], and [18].)

• There is a need for greater understanding of intrusion detection in the
presence of noise. The no cloning theorem of Appendix A of this paper
and the “no detection implies no information” theorem of Appendix B
of this paper simply do not provide a complete picture. (See [55].)

• There is a need for better intrusion detection algorithms. As far as
the author has been able to determine, all quantum intrusion detection
algorithms in the open literature depend on some assumption as to
which eavesdropping strategy is chosen by Eve. It is important that
eavesdropping algorithms be developed that detect Eve™s intrusion no
matter which eavesdropping strategy she uses. (See [55].)




27
10 Acknowledgment
I would like to thank Howard Brandt for his helpful discussions, and the
referees for their helpful suggestions. Finally I would like to thank Alan
Sherman for his encouragement to publish this paper.


11 Addendum
Quantum cryptography has continued its rapid pace of development since
this paper was written. There is the recent experimental work found in [93],
[94]. Progress has been made in correcting errors received from noisy channels
[32], [33], [62], [63]. A number of protocols, in particular, the quantum bit
commitment protocol, have been shown to be insecure [83], [84], [86]. There
has been progress in the development of multi-user quantum cryptography
[116]. The security of quantum cryptography against collective key attacks
has been studied [20]. There have been at least two independent claims of
the proof of ultimate security of quantum cryptography, i.e., security against
all possible attacks [85], [87], [88], [89]. Finally, although tangentially related
to this paper, it should be mentioned that a new quantum algorithm for
searching databases has been developed [71], [72], [73].




28
12 Appendix A. The no cloning theorem
In this appendix, we prove that there can be no device that produces exact
replicas or copies of a quantum system. If such a “quantum copier” existed,
then Eve could eavesdrop without detection. This proof is taken from [99].
It is an amazingly simple application of the linearity of quantum mechanics.
(See also [119] for a proof using the creation operators of quantum electro-
dynamics.)
Let us assume that there exists a quantum replicator initially in state
|Ψ which duplicates quantum systems via a unitary transformation U.
Let |u and |v be two arbitrary states such that

u|v
0< < 1.

Then the application of the quantum replicator to |u and |v yields

|Ψ |u ’ U |Ψ |u = |Ψ |u |u

|Ψ |v ’ U |Ψ |u = |Ψ |v |v

where |Ψ and |Ψ denote the states of the quantum replicator after the
two respective duplications.
Thus,

u| Ψ| U † U |Ψ |v = u| Ψ | Ψ |v = u | v ,

because of the unitarity of U and because Ψ | Ψ = 1. On the other hand,

u| u| Ψ | Ψ |v |v = Ψ | Ψ u | v 2.

As a result, we have the equation

u|v = Ψ |Ψ u|v 2



Ψ |Ψ ¤ 1 and |u and |v
But this equation cannot be satis¬ed since
were chosen so that 0 < u | v < 1.
Hence, a quantum replicator cannot exist.



29
13 Appendix B. Proof that an undetectable
eavesdropper can obtain no information
from the B92 protocol
In this appendix we prove that an undetectable eavesdropper for the B92
protocol obtains no information whatsoever. The proof is taken from [12].
Let |a and |b denote the two non-orthogonal states used in the B92
protocol7 . Thus,
a|b =0
Let U be the unitary transformation performed by Eve™s detection probe,
which we assume is initially in state |Ψ .
Since Eve™s probe is undetectable, we have
|Ψ |a ’ U |Ψ |a = |Ψ |a

|Ψ |b ’ U |Ψ |b = |Ψ |b
where |Ψ and |Ψ denote the states of Eve™s prober after the detection
of |a and |b respectively. Please note that, since Eve is undetectable, her
probe has no e¬ect on the states |a and |b . So |a appears on both sides of
the ¬rst equation, and |b appears on both sides of the second equation.
Thus,
a| Ψ| U † U |Ψ |b = a| Ψ | Ψ |b = a | b ,
because of the unitarity of U and because Ψ | Ψ = 1. On the other hand,
a| Ψ | Ψ |b = Ψ | Ψ a|b .
As a result, we have the equation
a|b = Ψ |Ψ a|b


But a | b = 0 implies that Ψ | Ψ = 1. Since |Ψ and |Ψ are
normalized, this implies that |Ψ = |Ψ . It follows that Eve™s probe is in
the same state no matter which of the states |a and |b is received. Thus,
Eve obtains no information whatsoever.
In section 6 of this paper we denoted these states by |θ and θ .
7



30
14 Appendix C. Part of a Rosetta stone for
quantum mechanics.
This appendix is intended for readers unfamiliar with quantum mechanics.
It™s purpose is to provide those readers with enough background in quantum
mechanics to understand a substantial portion of this paper. Because of
space limitations, this appendix is of necessity far from a complete overview
of the subject.


14.1 Polarized light: Part I. The classical perspective
Light waves in the vacuum are transverse electromagnetic (EM) waves with
both electric and magnetic ¬eld vectors perpendicular to the direction of
propagation and also to each other. (See ¬gure 6.)




Figure 6. A linearly polarized electromagnetic wave.

If the electric ¬eld vector is always parallel to a ¬xed line, then the EM
wave is said to be linearly polarized. If the electric ¬eld vector rotates
about the direction of propagation forming a right-(left-)handed screw, it is
said to be right (left) elliptically polarized. If the rotating electric ¬eld
vector inscribes a circle, the EM wave is said to be right-or left-circularly
polarized.




31
14.2 A Rosetta stone for Dirac notation: Part I. Bras,
kets, and bra-(c)-kets
A Hilbert space H is a vector space over the complex numbers C with a
complex valued inner product

(’, ’) : H — H ’C

which is complete with respect to the norm

u= (u, u)

induced by the inner product.

Remark 1 By a complex valued inner product, we mean a map

(’, ’) : H — H ’C

from H — H into the complex numbers C such that:

1) (u, u) = 0 if and only if u = 0
2) (u, v) = (v, u)—
3) (u, v + w) = (u, v) + (u, w)
4) (u, »v) = »(u, v)

where ˜—™ denotes the complex conjugate.

Remark 2 (Please note that (»u, v) = »— (u, v). )

The elements of H will be called ket vectors, state kets, or simply
kets. They will be denoted as:

| label

where ˜label™ denotes some label.
Let H# denote the Hilbert space of all Hilbert space morphisms of H into
the Hilbert space of all complex numbers C, i.e.,

H# = HomC (H, C) .

32
The elements of H# will be called bra vectors, state bras, or simply bras.
They will be denoted as:

label |

where once again ˜label™ denotes some label.
Also please note that the complex number

label1 | (| label2 )

will simply be denoted by

label1 | label2

and will be called the bra-(c)-ket product of the bra label1 | and the ket
| label2 .
There is a monomorphism (which is an isomorphism if the underlying
Hilbert space is ¬nite dimensional)
#
H ’ H#

de¬ned by

| label ’’ ( | label , ’)

The bra ( | label , ’) is denoted by label |.
Hence,

label1 | label2 = (| label1 , | label2 )



Remark 3 Please note that (» | label )# = »— label|.

The tensor product8 H — K of two Hilbert spaces H and K is simply
the “simplest” Hilbert space such that
8
Readers well versed in homological algebra will recognize this informal de¬nition as a
slightly disguised version of the more rigorous universal de¬nition of the tensor product.
For more details, please refer to [37], or any other standard reference on homological
algebra.

33
1) (h1 + h2 ) — k = h1 — k + h2 — k, for all h, h1, h2 ∈ H and for all k,
k1 , k2 ∈ K, and

2) h — (k1 + k2 ) = h — k1 + h — k2 for all h, h1 , h2 ∈ H and for all k,
k1 , k2 ∈ K.

It immediately follows that

3) » (h — k) ≡ (»h) — k = h — (»k) for all » ∈ C, h ∈ H, k ∈ K.

Finally, if | label1 and | label2 are kets respectively in Hilbert spaces H1
and H2 , then their tensor product will be written in any one of the following
three ways:

| label1 — | label2

| label1 | label2

| label1 , label2



14.3 Polarized light: Part II. The quantum mechanical
perspective
The states of a quantum mechanical system are represented by state kets
in a Hilbert space H. Two kets |± and |β represent the same quantum
mechanical state if they di¬er by a non-zero multiplicative constant. I.e.,
|± and |β represent the same quantum mechanical state if there exists a
non-zero » ∈ C such that

|± = » |β

Hence, the quantum mechanical states are the elements of the manifold

H/˜ = CP n

where n denotes the dimension of H, and CP n denotes complex projective
space.


34
Convention: Since a quantum mechanical state is represented by a state
ket up to a multiplicative constant, we will unless stated otherwise,
choose those kets |± which are unit normal, i.e., such that

± | ± = 1 ⇐’ |± =1



The polarization states of a photon are represented as state kets in a two
dimensional Hilbert space H. One orthonormal basis of H consists of the
kets

| and |

which represent respectively the quantum mechanical states of left- and right-
circularly polarized photons. Another orthonormal basis consists of the kets

| and |”

representing respectively vertically and horizontally linearly polarized pho-
tons. And yet another orthonormal basis consists of the kets

| and |

for linearly polarized photons at the angles θ = π/4 and θ = ’π/4 o¬ the
vertical, respectively.
These orthonormal bases are related as follows:
± ±
| = √2 (| + |” )
1
| | + 1’i |
 1+i
= 2 2

 
| ’ |” ) | | + 1+i |
1 1’i

= (| = 2 2
2




± ±
| +| | +|
1 1
√ √
= (| ) = (| )
2 2

 
|” ’| |” ’|
1 i
√ √
= (| ) = (| )
2 2




35
± ±
| ’ i |” )
1
| | |
√ 1’i 1+i
= (| = +
2 2 2

 
| + i |” ) | | |
1 1+i 1’i

= (| = +
2 2
2



The bracket products of the various polarization kets are given in the
table below:
| |” | | | |
| 1 1 1 1
√ √ √ √
1 0 2 2 2 2
”| ’ √2 ’ √2
1 1 i i
√ √
0 1 2 2
| 1 1 1+i 1’i
√ √ 1 0 2 2
2 2
| ’ 12
1 1’i 1+i
√ √ 0 1 2 2
2
| 1 i 1’i 1+i
√ √ 1 0
2 2
2 2
| ’ i2
1 1+i 1’i
√ √ 0 1
2 2
2




14.4 A Rosetta stone for Dirac notation: Part II. Op-
erators
An (linear) operator or transformation O on a ket space H is a Hilbert
space morphism of H into H, i.e., is an element of

HomC (H, H)


The adjoint O† of an operator O is that operator such that

O† | label1 , | label2 = (| label1 , O | label2 )

for all kets | label1 and | label2 .
In like manner, an (linear) operator or transformation on a bra space H#
is an element of

HomC H# , H#

36
Moreover, each operator O on H can be identi¬ed with an operator, also
denoted by O, on H# de¬ned by

label1 | ’’ label1 | O

where label1 | O is the bra de¬ned by

( label1 | O) (| label2 ) = label1 | (O | label2 )

(This is sometimes called Dirac™s associativity law.) Hence, the expression

label1 | O | label2

is unambiguous.

Remark 4 Please note that

(O | label )# = label| O†



In quantum mechanics, an observable is simply a Hermitian (also
called self-adjoint) operator on a Hilbert space H, i.e., an operator O such
that

O† = O .

An eigenvalue a of an operator A is a complex number for which there is a
ket |label such that

A |label = a |label .

The ket |label is called an eigenket of A corresponding to the eigenvalue a.

An important theorem about observables is given below:

Theorem 5 The eigenvalues ai of an observable A are all real numbers.
Moreover, the eigenkets for distinct eigenvalues of an observable are orthog-
onal.


37
De¬nition 6 An eigenvalue is degenerate if there are at least two linearly
independent eigenkets for that eigenvalue. Otherwise, it is nondegenerate.

Notational Convention: If all the eigenvalues ai of an observable A are
nondegenerate, then we can and do label the eigenkets of A with the
eigenvalues ai . Thus, we can write:

A |ai = ai |ai

for each eigenvalue ai . In this paper, unless stated otherwise, we assume
that the eigenvalues of observables are non-degenerate.

One exception to the above notational convention is the measurement
operator

|ai ai |

for the eigenvalue ai , which is the outer product of ket |ai with its ad-
joint ai |. It has two eigenvalues 0 and 1. 1 is a nondegenerate eigenvalue
with eigenket |ai . 0 is a degenerate eigenvalue with corresponding eigenkets
{ |aj }j=i .
An observable A is said to be complete if its eigenkets |ai form a basis
(hence, an orthonormal basis) of the Hilbert space H. Given a complete
nondegenerate observable A, then any ket |ψ in H can be written as:

|ψ = |ai ai | ψ
i

Thus, for a complete nondegenerate observable A, we have the following
operator equation which expresses the completeness of A,

|ai ai | = 1
i

Thus, in this notation, we have

. 1
( 2)



>>