ńņš. 1 |

Samuel J. Lomonaco, Jr.ā—

Dept. of Comp. Sci. & Elect. Engr.

University of Maryland Baltimore County

1000 Hilltop Circle

Baltimore, MD 21250

E-Mail: Lomonaco@UMBC.EDU

WebPage: http://www.csee.umbc.edu/Ėlomonaco

November 8, 1998

Abstract

The recent application of the principles of quantum mechanics to

cryptography has led to a remarkable new dimension in secret commu-

nication. As a result of these new developments, it is now possible to

construct cryptographic communication systems which detect unau-

thorized eavesdropping should it occur, and which give a guarantee of

no eavesdropping should it not occur.

Contents

1 Cryptographic systems before quantum cryptography 3

2 Preamble to quantum cryptography 7

ā—

Partially supported by ARL Contract #DAAL01-95-P-1884, ARO Grant #P-38804-

PH-QC, and the L-O-O-P Fund.

1

3 The BB84 quantum cryptographic protocol without noise 10

3.1 Stage 1. Communication over a quantum channel . . . . . . . 12

3.2 Stage 2. Communication in two phases over a public channel . 14

3.2.1 Phase 1 of Stage 2. Extraction of raw key . . . . . . . 14

3.2.2 Phase 2 of Stage 2. Detection of Eveā™s intrusion via

error detection . . . . . . . . . . . . . . . . . . . . . . 15

4 The BB84 quantum cryptographic protocol with noise 16

4.1 Stage 1. Communication over a quantum channel . . . . . . . 16

4.2 Stage 2. Communication in four phases over a public channel . 16

4.2.1 Phase 1 of Stage 2. Extraction of raw key . . . . . . . 16

4.2.2 Phase 2 of Stage 2. Estimation of error in raw key . . . 17

4.2.3 Phase 3 of Stage 2. Extraction of reconciled key . . . . 17

4.2.4 Phase 4 of Stage 2. Privacy ampliļ¬cation, i.e., extrac-

tion of ļ¬nal secret key . . . . . . . . . . . . . . . . . . 18

4.3 āPriming the pumpā to start authentication . . . . . . . . . . 18

5 The B92 quantum cryptographic protocol 19

5.1 Stage 1. Communication over a quantum channel . . . . . . . 19

5.1.1 Stage 2. Communication in four phases over a public

channel . . . . . . . . . . . . . . . . . . . . . . . . . . 21

6 EPR quantum cryptographic protocols 21

6.1 Stage 1. Communication over a quantum channel . . . . . . . 23

6.2 Stage 2. Communication over a public channel . . . . . . . . . 23

6.2.1 Phase 1 of Stage2. Separation of key into raw and

rejected keys . . . . . . . . . . . . . . . . . . . . . . . 23

6.2.2 Phase 2 of Stage 2. Detection of Eveā™s presence with

Bellā™s inequality applied to rejected key . . . . . . . . . 24

6.2.3 Phase 3 of Stage 2. Reconciliation . . . . . . . . . . . . 24

7 Other protocols 25

8 Eavesdropping strategies and counter measures 25

8.1 Opaque eavesdropping . . . . . . . . . . . . . . . . . . . . . . 25

8.2 Translucent eavesdropping without entanglement . . . . . . . 25

8.3 Translucent eavesdropping with entanglement . . . . . . . . . 26

8.4 Countermeasures to Eveā™s eavesdropping strategies . . . . . . 26

2

9 Conclusion 26

10 Acknowledgment 28

11 Addendum 28

12 Appendix A. The no cloning theorem 29

13 Appendix B. Proof that an undetectable eavesdropper can

obtain no information from the B92 protocol 30

14 Appendix C. Part of a Rosetta stone for quantum mechanics. 31

14.1 Polarized light: Part I. The classical perspective . . . . . . . . 31

14.2 A Rosetta stone for Dirac notation: Part I. Bras, kets, and

bra-(c)-kets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

14.3 Polarized light: Part II. The quantum mechanical perspective 34

14.4 A Rosetta stone for Dirac notation: Part II. Operators . . . . 36

14.5 Quantum measurement: General principles . . . . . . . . . . . 39

14.6 Polarized light: Part III. Three examples of quantum mea-

surement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

14.7 A Rosetta stone for Dirac notation: Part III. Expected values 41

14.8 Dynamics of closed quantum systems: Unitary transforma-

tions, the Hamiltonian, and SchrĀØdingerā™s equation . . . . . .

o 42

14.9 There is much more to quantum mechanics . . . . . . . . . . . 43

15 References 44

1 Cryptographic systems before quantum cryp

tography

A brief description of a classical cryptographic system (CCS) [106] is illus-

trated in Fig. 1.

3

Figure 1. A classical cryptographic communication system.

A message, called plaintext P , is encrypted via a secret key K into

ciphertext C, sent over a non-secure communication channel, and ļ¬nally

decrypted via a secret key K back into readable plaintext P . Following the

conventions of the cryptographic literature, we will refer to the transmitter

as Alice, to the receiver as Bob, and to an adversarial eavesdropper as Eve.

There are classical cryptographic systems which are perfectly secure

(see [106]), such as the Vernam cipher, better know as the one time pad,

which uses a perfectly random key K equal in length to the length of the

message. The chief practical diļ¬culty with such perfectly secure systems

is that Alice must ļ¬rst communicate a random key in secret via some to-

tally secure channel. In most cases, the length of the key makes this secure

communication impractical and too costly. Because of the large cost of trans-

4

mitting such long keys over a secure channel, Alice is frequently tempted to

use the same key twice. If she makes this fatal mistake, then her ciphertext

immediately changes from being perfectly secure to ciphertext that is easily

read by Eve.

Thus, for almost all practical cryptographic systems, the key K is sub-

stantially shorter than the length of the plaintext. As a result, the ciphertext

is no longer perfectly secure. However, if the encryption method and key K

are wisely chosen, then Aliceā™s communication to Bob will be practically

secure. By āpractically secure,ā we mean that, although adversary Eve is

theoretically able to decrypt Alice and Bobā™s communication without any

knowledge of their key, she can not do so because the required computa-

tional time and resources are simply beyond her capability and means. The

Data Encryption Standard (DES) is believed to be an example of such

a practically secure encryption system. (See for example [110].)

In any case, one Achilles heal of classical cryptographic communication

systems is that secret communication can only take place after a key is com-

municated in secret over a totally secure communication channel. This is

frequently referred to as the ācatch 22ā of cryptography, i.e.,

Catch 22: Before Alice and Bob can communicate in secret, they must ļ¬rst

communicate in secret.

There is even more to this catch 22, namely:

Catch 22a: Even if Alice and Bob somehow succeed in communicating

their key over a secure communication channel, there is simply no classical

cryptographic mechanism guaranteeing with total certainty that their key

was transmitted securely, i.e., that their āsecureā communication channel is

free of Eveā™s unauthorized intrusion.

As we shall see, quantum encryption does provide a means of circumvent-

ing this impasse of intrusion detection.

5

A proposed solution to the catch 22 of classical cryptographic communi-

cation systems is the modern public key cryptographic system (PKCS)

as illustrated in Fig. 2. (See [49] [50].)

For public key cryptographic systems, it is no longer necessary for Alice

and Bob to exchange key over a secure channel. Instead, Alice and Bob both

create their own individual encryption/decryption key pairs (EA, DA ) and

(EB , DB ), respectively. Then they both keep their decryption keys DA and

DB secret from everyone, including each other, and āpublishā or publicly

broadcast their encryption keys EA and EB for the entire world to see. The

security of such a public key cryptographic system depends on the selection

of an encryption/decryption algorithm which is a trapdoor function. As

a result, recovering the decryption key from the encryption key is computa-

tionally infeasible. The RSA public key cryptographic system is believed to

be an example of such a cryptographic system. (See for example [110].)

Figure 2. A public key cryptographic communication system.

One major drawback to public key cryptographic systems is that no one

has yet been able to prove that practical trapdoor functions exist. As a result,

no one is really sure how secure such public key cryptographic systems are.

Moreover, if researchers succeed in building a feasible quantum computer,

Shorā™s quantum factoring algorithm [108] could break RSA easily, i.e., in

polynomial time.

6

Yet another drawback to public key cryptographic systems is that, in

terms of some everyday implementations, such systems frequently do not

circumvent the catch 22 of classical cryptography after all. The keys for many

practical public key cryptographic systems are frequently managed by a key

bank that is independent of Alice and Bob. Thus, secret communications

over a secure channel from the key bank to Alice and Bob are required before

Alice and Bob can secretly communicate.

Finally, it should be noted that the most important contribution of quan-

tum cryptography is a mechanism for detecting eavesdropping. This is a

totally new contribution to the ļ¬eld of cryptography. Neither classical cryp-

tographic systems nor public key cryptographic systems have such a capa-

bility. In the next section, we will see how quantum mechanics provides a

means for detecting intrusion.

2 Preamble to quantum cryptography

The recent results in quantum cryptography are based on the Heisenberg

uncertainty principle of quantum mechanics1. Using standard Dirac no-

tation2 , this principle can be succinctly stated as follows:

Heisenberg Uncertainty Principle: For any two quantum mechanical

observables A and B

1

(āB)2 ā„

(āA)2 2

[A, B] ,

4

where

āA = A ā’ A āB = B ā’ B ,

and

and where

[A, B] = AB ā’ BA.

1

For those not familiar with quantum mechanics, please refer to appendix C for a quick

overview.

2

As outlined in Appendix C

7

Thus, (āA)2 and (āB)2 are variances which measure the uncertainty

of observables A and B. For incompatible observables, i.e., for observables

A and B such that [A, B] = 0, reducing the uncertainty (āA)2 of A forces

the uncertainty (āB)2 of B to increase, and vice versa. Thus the observ-

ables A and B can not be simultaneously measured to arbitrary precision.

Measuring one of the observables interferes with the measurement of the

other.

Youngā™s double slit experiment is an example suggesting how Heisen-

bergā™s uncertainty principle could be used for detecting eavesdropping in a

cryptographic communications. This experiment is illustrated in Fig. 3.

Figure 3. Youngā™s double slit experiment when electron trajectories are not

observed. The ļ¬rst of two incompatible observables is measured.

An electron gun randomly emits electrons over a fairly large angular

spread. In front of the gun is a metal wall with two small slits. Beyond the

wall is a backstop that absorbs the electrons that pass through the two slits.

The probability density pattern of the absorbed electrons is described by the

curves P1 , P2 , and P21 which, for the convenience of the reader, have been

drawn behind the backstop. The curve P1 denotes the probability density

8

pattern if only slit 1 is open. The curve P2 denotes the probability density

pattern if only slit 2 is open. Finally, the curve P12 denotes the probability

density pattern if both slits 1 and 2 are open. Thus, P12 shows a quantum

mechanical interference pattern demonstrating the wave nature of electrons.

Figure 4. Youngā™s double slit experiment when electron trajectories are

observed by Eve. The second of two incompatible observables is measured.

Comparing this with our description of a classical cryptographic system,

the electron gun can be thought of as the transmitter Alice. And the inter-

ference pattern P12 can be thought of as the message received by Bob. If

however, Eve tries to eavesdrop by trying to detect through which slit each

electron passes, as illustrated in Fig. 4, the interference pattern P12 is de-

stroyed and replaced by the bell curve P12 (which is a classical superposition

of curves P1 and P2 ) drawn in Fig. 4, thus demonstrating the particle nature

of the electron. As a result, Bob knows with certainty that Eve is eavesdrop-

ping in on his communication with Alice. Bob knows that, because of the

Heisenberg uncertainty principle, both the wave and particle natures of the

electron can not be simultaneously detected.

9

In the next sections, we describe a number of methods, i.e., quantum

cryptographic communication protocols, that utilize the Heisenberg

uncertainty principle to communicate random binary sequences (i.e., keys)

with automatic eavesdrop detection. These quantum communication pro-

tocols provide a means of circumventing the ācatch 22ā of classical crypto-

graphic systems. As a result, the perfect security of the Vernam cipher (i.e.,

one-time-pad) is an inexpensively implementable reality.

All the quantum cryptographic systems we discuss in this paper can be

implemented by transmissions over ļ¬ber optic cable of individual photons,

each with a single bit encoded in its quantum mechanical state space. We

describe all of these systems in terms of the polarization states of a single

photon. It should be noted that they could equally well be described in

terms of any two-state quantum system. Examples of such a system include

a spin- 1 particle, and a two-state level atom.

2

The quantum cryptographic protocols discussed will of necessity use some

encoding scheme (or schemes) which associates the bits 0 and 1 with distinct

quantum states. We call such an association a quantum alphabet. Should

the associated states be orthogonal, we call the encoding scheme an orthog-

onal quantum alphabet.

3 The BB84 quantum cryptographic protocol

without noise

The ļ¬rst quantum cryptographic communication protocol, called BB84, was

invented in 1984 by Bennett and Brassard [10]3. This protocol has been

experimentally demonstrated to work for a transmission over 30 km of ļ¬ber

optic cable [101] [111] [112] [113], and also over free space for a distance of

over one hundred meters[80] [67]. It is speculated, but not yet experimentally

veriļ¬ed, that the BB84 protocol should be implementable over distances of

at least 100 km.

In this section we describe the BB84 protocol in a noise free environ-

ment. In the next section, we extend the protocol to one in which noise is

considered.4

3

Quantum cryptographic protocols evolved from the earlier work of Wiesner [117].

4

The proofs given in this and the next section are based on the assumption that Eve uses

10

We now describe the BB84 protocol in terms of the polarization states of

a single photon. Please note that the BB84 protocol could equally well be

described in terms of any other two-state quantum system.

Let H be the two dimensional Hilbert space whose elements representate

the polarization states of a single photon. In describing BB84, we use two

diļ¬erent orthogonal bases of H. They are the circular polarization basis,

which consists of the kets

| and |

for right and left circular polarization states, respectively, and the lin-

ear polarization basis which consists of the kets

| and |ā”

for vertical and horizontal linear polarization states, respectively.

The BB84 protocol utilizes any two incompatible orthogonal quantum

alphabets in the Hilbert space H. For our description of BB84, we have

selected the circular polarization quantum alphabet A

Symbol Bit

| 1

| 0

Circular Polarization

Quantum Alphabet A

and the linear polarization quantum alphabet A

Symbol Bit

| 1

|ā” 0

Linear Polarization

Quantum Alphabet A

the opaque eavedropping strategy. Other eavesdropping strategies are brieļ¬‚y discussed

in section 8 of this paper.

11

Bennett and Brassard note that, if Alice were to use only one speciļ¬c

orthogonal quantum alphabet for her communication to Bob, then Eveā™s

eavesdropping could go undetected. For Eve could intercept Aliceā™s trans-

mission with 100% accuracy, and then imitate Alice by retransmitting her

measurements to Bob. If, for example, Alice used only the orthogonal quan-

tum alphabet A , then Eve could measure each bit of Aliceā™s transmission

with a device based on some circular polarization measurement operator such

as

| | | |

or

Or if, Alice used only the orthogonal quantum alphabet A , then Eve could

measure each transmitted bit with a device based on some linear polarization

measurement operator such as

| | |ā” ā”|

or

The above strategy used by Eve is called opaque eavesdropping [55]. (We

will consider other and more sophisticated eavesdropping strategies later.)

To assure the detection of Eveā™s eavesdropping, Bennett and Brassard

require Alice and Bob to communicate in two stages, the ļ¬rst stage over

a one-way quantum communication channel from Alice to Bob, the second

stage over a two-way public communication channel. (Please refer to Figure

5.)

3.1 Stage 1. Communication over a quantum channel

In the ļ¬rst stage, Alice is required, each time she transmits a single bit,

to use randomly with equal probability one of the two orthogonal alphabets

A or A . Since no measurement operator of A is compatible with any

measurement operator of A , it follows from the Heisenberg uncertainty

principle that no one, not even Bob or Eve, can receive Aliceā™s transmission

with an accuracy greater than 75%.

12

Figure 5. A quantum cryptographic communication system for securely

transfering random key.

This can be seen as follows. For each bit transmitted by Alice, one can

choose a measurement operator compatible with either A or A , but not

both. Because of incompatibility, there is no simultaneous measurement

operator for both A and A . Since one has no knowledge of Aliceā™s secret

choice of quantum alphabet, 50% of the time (i.e., with probability 1 ) one

2

will guess correctly, i.e., choose a measurement operator compatible with

Aliceā™s choice, and 50% of the time (i.e., with probability 1 ) one will guess

2

incorrectly. If one guesses correctly, then Aliceā™s transmitted bit is received

with probability 1. On the other hand, if one guesses incorrectly, then Aliceā™s

transmitted bit is received correctly with probability 1 . Thus in general, the

2

probability of correctly receiving Aliceā™s transmitted bit is

1 11 3

Ā·1+ Ā· =

P=

2 22 4

13

For each bit transmitted by Alice, we assume that Eve performs one of

two actions, opaque eavesdropping with probability Ī», 0 ā¤ Ī» ā¤ 1, or no

eavesdropping with probability 1 ā’ Ī». Thus, if Ī» = 1, Eve is eavesdropping

on each transmitted bit; and if Ī» = 0, Eve is not eavesdropping at all.

Because Bobā™s and Eveā™s choice of measurement operators are stochas-

tically independent of each other and of Aliceā™s choice of alphabet, Eveā™s

eavesdropping has an immediate and detectable impact on Bobā™s received

bits. Eveā™s eavesdropping causes Bobā™s error rate to jump from 1 to

4

1 3 1Ī»

(1 ā’ Ī») + Ī» = +

4 8 48

Thus, if Eve eavesdrops on every bit, i.e., if Ī» = 1, then Bobā™s error rate

jumps from 1 to 3 , a 50% increase.

4 8

3.2 Stage 2. Communication in two phases over a pub-

lic channel

In stage 2, Alice and Bob communicate in two phases over a public channel

to check for Eveā™s presence by analyzing Bobā™s error rate.

3.2.1 Phase 1 of Stage 2. Extraction of raw key

Phase 1 of stage 2 is dedicated to eliminating the bit locations (and

hence the bits at these locations) at which error could have occurred without

Eves eavesdropping. Bob begins by publicly communicating to Alice which

measurement operators he used for each of the received bits. Alice then

in turn publicly communicates to Bob which of his measurement operator

choices were correct. After this two way communication, Alice and Bob

delete the bits corresponding to the incompatible measurement choices to

produce shorter sequences of bits which we call respectively Aliceā™s raw

key and Bobā™s raw key.

14

If there is no intrusion, then Aliceā™s and Bobā™s raw keys will be in total

agreement. However, if Eve has been at work, then corresponding bits of

Aliceā™s and Bobā™s raw keys will not agree with probability

1 Ī»

0 Ā· (1 ā’ Ī») + Ā·Ī» =

4 4

3.2.2 Phase 2 of Stage 2. Detection of Eveā™s intrusion via error

detection

Alice and Bob now initiate a two way conversation over the public channel

to test for Eveā™s presence.

In the absence of noise, any discrepancy between Aliceā™s and Bobā™s raw

keys is proof of Eveā™s intrusion. So to detect Eve, Alice and Bob select a

publicly agreed upon random subset of m bit locations in the raw key, and

publicly compare corresponding bits, making sure to discard from raw key

each bit as it is revealed.

Should at least one comparison reveal an inconsistency, then Eveā™s eaves-

dropping has been detected, in which case Alice and Bob return to stage 1

and start over. On the other hand, if no inconsistencies are uncovered, then

the probability that Eve escapes detection is:

m

Ī»

1ā’

Pf alse =

4

For example, if Ī» = 1 and m = 200, then

200

3

ā 10ā’25

Pf alse =

4

Thus, if Pf alse is suļ¬ciently small, Alice and Bob agree that Eve has not

eavesdropped, and accordingly adopt the remnant raw key as their ļ¬nal

secret key.

15

4 The BB84 quantum cryptographic protocol

with noise

In this section, the BB84 protocol is extended to a noisy environment. Since,

in a noisy environment, Alice and Bob can not distinguish between error

caused by noise and error caused by Eveā™s eavesdropping, they must and do

adopt the assumption that all errors in raw key are caused by Eve.

As before, there are two stages to the protocol.

4.1 Stage 1. Communication over a quantum channel

This stage is exactly the same as before, except that errors are now also

induced by noise.

4.2 Stage 2. Communication in four phases over a

public channel

In stage 2, Alice and Bob communicate over a public channel in four

phases. Phase 1 is dedicated to raw key extraction, phase 2 to error esti-

mation, phase 3 to reconciliation, i.e., to reconciled key extraction, and

phase 4 to privacy ampliļ¬cation, i.e., extraction of ļ¬nal secret key.

4.2.1 Phase 1 of Stage 2. Extraction of raw key

This stage is the same as before, except Alice and Bob also delete those

bit locations at which Bob should have received but did not receive a bit.

Such ānon-receptionsā could be caused by Eveā™s intrusion or by dark counts

in Bobā™s detecting device. The location of the dark counts are, of course,

communicated by Bob to Alice over the public channel.

16

4.2.2 Phase 2 of Stage 2. Estimation of error in raw key

Alice and Bob now use the public channel to estimate the error rate in

raw key. They publicly select and agree upon a random sample of raw key,

publicly compare these bits to obtain an estimate R of the error-rate. These

revealed bits are discarded from raw key. If R exceeds a certain threshold

RM ax, then it will be impossible for Alice and Bob to arrive at a common

secret key. If so, Alice and Bob return to stage 1 to start over. On the other

hand, If the error estimate R does not exceed RM ax, then Alice and Bob

move onto phase 3.

4.2.3 Phase 3 of Stage 2. Extraction of reconciled key

In phase 35 , Alice and Bobā™s objective is to remove all errors from what

remains of raw key to produce an error free common key, called reconciled

key. This phase is of course called reconciliation, and takes place in two

steps [6] .

In step 1, Alice and Bob publicly agree upon a random permutation,

and apply it to what remains of their respective raw keys. Next Alice and

Bob partition the remnant raw key into blocks of length , where the length

is chosen so that blocks of this length are unlikely to contain more than

one error. For each of these blocks, Alice and Bob publicly compare overall

parity checks, making sure each time to discard the last bit of the compared

block. Each time a overall parity check does not agree, Alice and Bob initiate

a binary search for the error, i.e., bisecting the block into two subblocks,

publicly comparing the parities for each of these subblocks, discarding the

right most bit of each subblock. They continue their bisective search on the

subblock for which their parities are not in agreement. This bisective search

continues until the erroneous bit is located and deleted. They then continue

to the next -block.

Step 1 is repeated, i.e., a random permutation is chosen, remnant raw

key is partitioned into blocks of length , parities are compared, etc. This is

done until it becomes ineļ¬cient to continue in this fashion.

5

The procedure given in Phase 3 Stage 2 is only one of many possible procedures. In

fact, there are now much more eļ¬cient procedures than the procedure described below.

17

Alice and Bob then move to step 2 by using a more reļ¬ned reconciliation

procedure. They publicly select randomly chosen subsets of remnant raw

key, publicly compare parities, each time discarding an agreed upon bit from

their chosen key sample. If a parity should not agree, they employ the binary

search strategy of step 1 to locate and delete the error.

Finally, when, for some ļ¬xed number N of consecutive repetitions of step

2, no error is found, Alice and Bob assume that to a very high probability, the

remnant raw key is without error. Alice and Bob now rename the remnant

raw key reconciled key, and move on to the ļ¬nal and last phase of their

communication.

4.2.4 Phase 4 of Stage 2. Privacy ampliļ¬cation, i.e., extraction of

ļ¬nal secret key

Alice and Bob now have a common reconciled key which they know is

only partially secret from Eve. They now begin the process of privacy

ampliļ¬cation, which is the extraction of a secret key from a partially secret

one [6] [13].

Based on their error estimate R, Alice and Bob obtain an upper bound

k of the number of bits known by Eve of their n bits of reconciled key. Let

s be a security parameter that Alice and Bob adjust as desired. They then

publicly select n ā’ k ā’ s random subsets of reconciled key, without revealing

their contents, and without revealing their parities. The undisclosed parities

become the common ļ¬nal secret key. It can be shown that Eveā™s average

information about the ļ¬nal secret key is less than 2ā’s / ln 2 bits.

4.3 āPriming the pumpā to start authentication

Unfortunately, there is no known way to initiate authentication without ini-

tially exchanging secret key over a secure communication channel. So, quan-

tum protocols have not entirely overcome the ācatch 22ā of classical cryp-

tography. However, this secret key exchange for authentication need only

be done once. Thereafter, a portion of the secure key communicated via a

quantum protocol can be used for authentication.

18

5 The B92 quantum cryptographic protocol

As with the BB84 quantum protocol, the B92 protocol [7] can be described

in terms of any quantum system represented by a two dimensional Hilbert

space. For our description, we choose the two dimensional Hilbert space H

representing the polarization states of a single photon.

B92 can be implemented in terms of any non-orthogonal basis. We choose

as our non-orthogonal basis the kets

|Īø and Īø,

where |Īø and Īø denote respectively the kets representing the polarization

state of a photon linearly polarized at an angle Īø and an angle ā’Īø with

respect to the vertical, where 0 < Īø < Ļ/4.

Unlike BB84 which requires two orthogonal quantum alphabets, B92 re-

quires only a single non-orthogonal quantum alphabet. We choose the non-

orthogonal quantum alphabet AĪø :

Symbol Bit

|Īø 1

Īø 0

Linear Polarization

Quantum Alphabet AĪø

As in BB84, Alice and Bob communicate in two stages, the ļ¬rst over a

one-way quantum channel, the second over a two-way public channel.

5.1 Stage 1. Communication over a quantum channel

Alice uses the quantum alphabet AĪø to send her random binary sequence to

Bob. Since |Īø and Īø are not orthogonal, there is no one experiment that

will unambiguously distinguish between these two polarization states.

19

Bob can use one of many possible measurement strategies. Bennett [7]

suggests the measurements be based on the two incompatible experiments

corresponding to the projection operators

PĀ¬Īø = 1 ā’ |Īø Īø| and PĀ¬Īø = 1 ā’ Īø Īø

In this case, Bob either correctly detects Aliceā™s transmitted bit, or an am-

biguous result, i.e., an erasure, denoted by ā?ā. Assuming that Alice trans-

mits 0ā™s and 1ā™s at random with equal probability and that, for each incoming

bit, Bob at random with equal probability chooses to base his experiment

on either of the incompatible operators PĀ¬Īø or PĀ¬Īø , then the probability of

Bobā™s correctly receiving Aliceā™s transmission is

2

1ā’ Īø|Īø

2

and the probability of receiving an erasure is

2

Īø|Īø

1+

2

where

Īø|Īø = cos (2Īø)

and where 0 < Īø < Ļ/4. Thus, Bob receives more than 50% erasures.

On the other hand, Ekert et al [55] suggest a more eļ¬cient measurement

process for Bob. They suggest that Bob base his experiments on the positive

operator valued measure (POVM) [36] [99] consisting of the operators

PĀ¬Īø PĀ¬Īø

, and A? = 1 ā’ AĪø ā’ AĪø

AĪø = , AĪø =

1+ Īø |Īø 1+ Īø |Īø

With this more eļ¬cient detection method, the probability of an inconclusive

result is now

Īø|Īø = cos (2Īø)

where again 0 < Īø < Ļ/4.

20

5.1.1 Stage 2. Communication in four phases over a public chan-

nel

Stage2 for the B92 protocol is the same as that for the BB84 protocol except

for phase 1.

In phase 1 of stage 2, Bob publicly informs Alice as to which time slots he

received non-erasures. The bits in these time slots become Aliceā™s and Bobā™s

raw keys.

Eveā™s presence is detected by an unusual error rate in Bobā™s raw key. It

is also possible to detect Eveā™s presence by an unusual erasure rate for Bob.

However, Ekert et al [55] do point out that Eve can choose eavesdropping

strategies which have no eļ¬ect on the erasure rate, and hence, can only be

detected by unusual error rates in Bobā™s raw key6.

6 EPR quantum cryptographic protocols

Ekert in [60] has devised a quantum protocol based on the properties of

quantum-correlated particles.

Einstein, Podolsky, and Rosen (EPR) in the their famous 1935 paper [64]

challenged the foundations of quantum mechanics by pointing out a āpara-

dox.ā There exist spatially separated pairs of particles, henceforth called

EPR pairs, whose states are correlated in such a way that the measure-

ment of a chosen observable A of one automatically determines the result of

the measurement of A of the other. Since EPR pairs can be pairs of particles

separated at great distances, this leads to what appears to be a paradoxical

āaction at a distance.ā

For example, it is possible to create a pair of photons (each of which we

label below with the subscripts 1 and 2, respectively) with correlated linear

polarizations. An example of such an entangled state is given by

1 Ļ Ļ

|ā„¦0 = ā |0 1 ā’ |0

21 2

22

2

6

This is true for all 2-state protocols. On the other hand, for n-state protocols with

n > 2, Eveā™s presence is always detectable from rejected key. See section 7 of this paper.

21

where the notation |Īø has been deļ¬ned in the previous section. Thus, if

one photon is measured to be in the vertical linear polarization state |0 , the

other, when measured, will be found to be in the horizontal linear polarization

state |Ļ/2 , and vice versa.

Einstein et al [64] then state that such quantum correlation phenomena

could be a strong indication that quantum mechanics is incomplete, and that

there exist āhidden variables,ā inaccessible to experiments, which explain

such āaction at a distance.ā

In 1964, Bell [4] gave a means for actually testing for locally hidden

variable (LHV) theories. He proved that all such LHV theories must satisfy

the Bell inequality. Quantum mechanics has been shown to violate the

inequality.

The EPR quantum protocol is a 3-state protocol that uses Bellā™s in-

equality to detect the presence or absence of Eve as a hidden variable. Fol-

lowing the theme of this paper, we now describe this protocol in terms of the

polarization states of an EPR photon pair. As the three possible polarization

states of our EPR pair, we choose

|ā„¦0 = |0 ā’ |0

1 3Ļ 3Ļ

ā .

1 2

62 61

2

|ā„¦1 = ā’

1 Ļ 4Ļ 4Ļ Ļ

ā , and

61 62 6162

2

|ā„¦2 = ā’

1 2Ļ 5Ļ 5Ļ 2Ļ

ā

6162 6162

2

For each of these states, we choose the following corresponding mutually

non-orthogonal alphabets A0, A1 ,and A2, given by the following tables:

Symbol Bit Symbol Bit Symbol Bit

|0 Ļ 2Ļ

0 0 0

6 6

3Ļ 4Ļ 5Ļ

1 1 1

6 6 6

Linear Polarization Linear Polarization Linear Polarization

Quantum Alphabet A0 Quantum Alphabet A1 Quantum Alphabet A

The corresponding measurement operators chosen for these alphabets are

22

respectively

Ļ Ļ 2Ļ 2Ļ

M0 = |0 0| , M1 = , and M2 =

6 6 6 6

As with the BB84 and B92 , there are two stages to the EPR protocol,

the ļ¬rst stage over a quantum channel, the second over a public channel.

6.1 Stage 1. Communication over a quantum channel

For each time slot, a state |ā„¦j is randomly selected with equal probability

from the set of states {|ā„¦0 , |ā„¦1 , |ā„¦2 }. Than an EPR pair is created in

the selected state |ā„¦j . One photon of the constructed EPR pair is sent to

Alice, the other to Bob. Alice and Bob at random with equal probability

separately and independently select one of the three measurement operators

M0, M1 , and M2 , and accordingly measure their respective photons. Alice

records her measured bit. On the other hand, Bob records the complement

of his measured bit. This procedure is repeated for as many time slots as

needed.

6.2 Stage 2. Communication over a public channel

In stage 2, Alice and Bob communicate over a public channel.

6.2.1 Phase 1 of Stage2. Separation of key into raw and rejected

keys

In phase 1 of stage 2, Alice and Bob carry on a discussion over a public chan-

nel to determine those bit slots at which they used the same measurement

operators. They each then separate their respective bit sequences into two

subsequences. One subsequence, called raw key, consists of those bit slots at

which they used the same measurement operators. The other subsequence,

called rejected key, consists of all the remaining bit slots.

23

6.2.2 Phase 2 of Stage 2. Detection of Eveā™s presence with Bellā™s

inequality applied to rejected key

Unlike the BB84 and B92 protocols, the EPR protocol, instead of discarding

rejected key, actually uses it to detect Eveā™s presence. Alice and Bob now

carry on a discussion over a public channel comparing their respective re-

jected keys to determine whether or not Bellā™s inequality is satisļ¬ed. If it is,

Eveā™s presence is detected. If not, then Eve is absent.

For the EPR protocol, Bellā™s inequality can be written as follows. Let

P (=| i, j) denote the probability that two corresponding bits of Aliceā™s and

Bobā™s rejected keys do not match given that the measurement operators

chosen by Alice and Bob are respectively either Mi and Mj or Mj and Mi .

Let P (=| i, j) = 1 ā’ P (=| i, j). Let

ā (i, j) = P (=| i, j) ā’ P (=| i, j)

Finally, let

Ī² = 1 + ā (1, 2) ā’ |ā (0, 1) ā’ ā (0, 2)|

Then Bellā™s inequality in this case reduces to

Ī²ā„0

Moreover, for quantum mechanics (i.e., no hidden variables)

1

Ī²=ā’

2

which is a clear violation of Bellā™s inequality.

6.2.3 Phase 3 of Stage 2. Reconciliation

In the presence of noise, the remaining phase of the EPR protocol is recon-

ciliation, as described in the BB84 and B92 protocols.

24

7 Other protocols

It is not possible to cover all possible quantum protocols in this paper. There

is the EPR protocol with a single particle. There is also a 2-state EPR

implementation of the BB84 protocol. For details, see [12] [46]. For various

multiple state and rejected data protocols, see [21].

8 Eavesdropping strategies and counter mea-

sures

There are many eavesdropping strategies available to Eve. (See for example

[55],[24].) We list only a few.

8.1 Opaque eavesdropping

For this strategy, Eve intercepts Aliceā™s message, and then masquerades as

Alice by sending her received message on to Bob. Opaque eavesdropping

has already been discussed in sections 4 and 5 of this paper. For more

information, the reader is referred to [55].

8.2 Translucent eavesdropping without entanglement

For this strategy, Eve makes the information carrier interact unitarily with

her probe, and then lets it proceed on to Bob in a slightly modiļ¬ed state.

In the case of the B92 protocol, Eveā™s detection probe with initial state |ĪØ

would perform a unitary transformation U of the form

ļ£±

ļ£“ |Īø |ĪØ ā’ U |Īø |ĪØ = |Īø |ĪØĪø

ļ£²

ļ£“

ļ£³ Īø |ĪØ ā’ U Īø |ĪØ = Īø |ĪØĪø

25

where |Īø and Īø denote the slightly changed states received by Bob after

the action of the probe, and where |ĪØĪø and |ĪØĪø denote the states of the

probe after the transformation.. We refer the reader to [55] for an in depth

analysis of this eavesdropping strategy.

8.3 Translucent eavesdropping with entanglement

For this strategy, Eve entangles the state of her probe and the carrier, and

then she sends the carrier on to Bob. In the case of the B92 protocol, Eveā™s

detection probe with initial state |ĪØ would perform a unitary transformation

U of the form

ļ£±

ļ£² |Īø |ĪØ ā’ U |Īø |ĪØ = a |Īø |ĪØĪø + b Īø |ĪØĪø

ļ£³

Īø |ĪØ ā’ U Īø |ĪØ = b |Īø |ĪØĪø + a Īø |ĪØĪø

We refer the reader to [55], [24] for an in depth analysis of this eavesdropping

strategy.

8.4 Countermeasures to Eveā™s eavesdropping strate-

gies

As far as the author has been able to determine, all quantum intrusion detec-

tion algorithms in the open literature depend on some assumption as to which

eavesdropping strategy is chosen by Eve. It is important that eavesdropping

algorithms be developed that detect Eveā™s intrusion no matter which eaves-

dropping strategy she chooses to use. (For some insight in intrusion detection

algorithms, the reader is referred to [55],[24].)

9 Conclusion

It is not easy to emphasize how dramatic an impact the application of quan-

tum mechanics has had and will have on cryptographic communication sys-

26

tems. From the perspective of defensive cryptography, it is now within the

realm of possibility to build practical cryptographic systems which check for,

detect, and prevent unauthorized intrusion. Quantum mechanics provides

an intrusion detection mechanism never thought possible within the world

of classical cryptography. Most importantly, the feasibility of these methods

has been experimentally veriļ¬ed in a laboratory setting.

Moreover, from the perspective of oļ¬ensive cryptography, the application

of quantum mechanics to computation also holds forth the promise of a dra-

matic increase of computational parallelism for cryptanalytic attacks. Shorā™s

quantum factoring algorithm [107] [57] is just one example of such potential.

However, unlike quantum protocols, quantum computational parallelism has

yet to be fully veriļ¬ed in a laboratory setting.

Much remains to be done before quantum cryptography is a truly prac-

tical and useful tool for cryptographic communication. We list below some

of the areas in need of development:

ā¢ Quantum protocols need to be extended to a computer network setting.

(See [102] and [115].)

ā¢ More sophisticated error correction and detection techniques need to

be implemented in quantum protocols. (See [6], [13], and [18].)

ā¢ There is a need for greater understanding of intrusion detection in the

presence of noise. The no cloning theorem of Appendix A of this paper

and the āno detection implies no informationā theorem of Appendix B

of this paper simply do not provide a complete picture. (See [55].)

ā¢ There is a need for better intrusion detection algorithms. As far as

the author has been able to determine, all quantum intrusion detection

algorithms in the open literature depend on some assumption as to

which eavesdropping strategy is chosen by Eve. It is important that

eavesdropping algorithms be developed that detect Eveā™s intrusion no

matter which eavesdropping strategy she uses. (See [55].)

27

10 Acknowledgment

I would like to thank Howard Brandt for his helpful discussions, and the

referees for their helpful suggestions. Finally I would like to thank Alan

Sherman for his encouragement to publish this paper.

11 Addendum

Quantum cryptography has continued its rapid pace of development since

this paper was written. There is the recent experimental work found in [93],

[94]. Progress has been made in correcting errors received from noisy channels

[32], [33], [62], [63]. A number of protocols, in particular, the quantum bit

commitment protocol, have been shown to be insecure [83], [84], [86]. There

has been progress in the development of multi-user quantum cryptography

[116]. The security of quantum cryptography against collective key attacks

has been studied [20]. There have been at least two independent claims of

the proof of ultimate security of quantum cryptography, i.e., security against

all possible attacks [85], [87], [88], [89]. Finally, although tangentially related

to this paper, it should be mentioned that a new quantum algorithm for

searching databases has been developed [71], [72], [73].

28

12 Appendix A. The no cloning theorem

In this appendix, we prove that there can be no device that produces exact

replicas or copies of a quantum system. If such a āquantum copierā existed,

then Eve could eavesdrop without detection. This proof is taken from [99].

It is an amazingly simple application of the linearity of quantum mechanics.

(See also [119] for a proof using the creation operators of quantum electro-

dynamics.)

Let us assume that there exists a quantum replicator initially in state

|ĪØ which duplicates quantum systems via a unitary transformation U.

Let |u and |v be two arbitrary states such that

u|v

0< < 1.

Then the application of the quantum replicator to |u and |v yields

|ĪØ |u ā’ U |ĪØ |u = |ĪØ |u |u

|ĪØ |v ā’ U |ĪØ |u = |ĪØ |v |v

where |ĪØ and |ĪØ denote the states of the quantum replicator after the

two respective duplications.

Thus,

u| ĪØ| U ā U |ĪØ |v = u| ĪØ | ĪØ |v = u | v ,

because of the unitarity of U and because ĪØ | ĪØ = 1. On the other hand,

u| u| ĪØ | ĪØ |v |v = ĪØ | ĪØ u | v 2.

As a result, we have the equation

u|v = ĪØ |ĪØ u|v 2

ĪØ |ĪØ ā¤ 1 and |u and |v

But this equation cannot be satisļ¬ed since

were chosen so that 0 < u | v < 1.

Hence, a quantum replicator cannot exist.

29

13 Appendix B. Proof that an undetectable

eavesdropper can obtain no information

from the B92 protocol

In this appendix we prove that an undetectable eavesdropper for the B92

protocol obtains no information whatsoever. The proof is taken from [12].

Let |a and |b denote the two non-orthogonal states used in the B92

protocol7 . Thus,

a|b =0

Let U be the unitary transformation performed by Eveā™s detection probe,

which we assume is initially in state |ĪØ .

Since Eveā™s probe is undetectable, we have

|ĪØ |a ā’ U |ĪØ |a = |ĪØ |a

|ĪØ |b ā’ U |ĪØ |b = |ĪØ |b

where |ĪØ and |ĪØ denote the states of Eveā™s prober after the detection

of |a and |b respectively. Please note that, since Eve is undetectable, her

probe has no eļ¬ect on the states |a and |b . So |a appears on both sides of

the ļ¬rst equation, and |b appears on both sides of the second equation.

Thus,

a| ĪØ| U ā U |ĪØ |b = a| ĪØ | ĪØ |b = a | b ,

because of the unitarity of U and because ĪØ | ĪØ = 1. On the other hand,

a| ĪØ | ĪØ |b = ĪØ | ĪØ a|b .

As a result, we have the equation

a|b = ĪØ |ĪØ a|b

But a | b = 0 implies that ĪØ | ĪØ = 1. Since |ĪØ and |ĪØ are

normalized, this implies that |ĪØ = |ĪØ . It follows that Eveā™s probe is in

the same state no matter which of the states |a and |b is received. Thus,

Eve obtains no information whatsoever.

In section 6 of this paper we denoted these states by |Īø and Īø .

7

30

14 Appendix C. Part of a Rosetta stone for

quantum mechanics.

This appendix is intended for readers unfamiliar with quantum mechanics.

Itā™s purpose is to provide those readers with enough background in quantum

mechanics to understand a substantial portion of this paper. Because of

space limitations, this appendix is of necessity far from a complete overview

of the subject.

14.1 Polarized light: Part I. The classical perspective

Light waves in the vacuum are transverse electromagnetic (EM) waves with

both electric and magnetic ļ¬eld vectors perpendicular to the direction of

propagation and also to each other. (See ļ¬gure 6.)

Figure 6. A linearly polarized electromagnetic wave.

If the electric ļ¬eld vector is always parallel to a ļ¬xed line, then the EM

wave is said to be linearly polarized. If the electric ļ¬eld vector rotates

about the direction of propagation forming a right-(left-)handed screw, it is

said to be right (left) elliptically polarized. If the rotating electric ļ¬eld

vector inscribes a circle, the EM wave is said to be right-or left-circularly

polarized.

31

14.2 A Rosetta stone for Dirac notation: Part I. Bras,

kets, and bra-(c)-kets

A Hilbert space H is a vector space over the complex numbers C with a

complex valued inner product

(ā’, ā’) : H Ć— H ā’C

which is complete with respect to the norm

u= (u, u)

induced by the inner product.

Remark 1 By a complex valued inner product, we mean a map

(ā’, ā’) : H Ć— H ā’C

from H Ć— H into the complex numbers C such that:

1) (u, u) = 0 if and only if u = 0

2) (u, v) = (v, u)ā—

3) (u, v + w) = (u, v) + (u, w)

4) (u, Ī»v) = Ī»(u, v)

where ā˜ā—ā™ denotes the complex conjugate.

Remark 2 (Please note that (Ī»u, v) = Ī»ā— (u, v). )

The elements of H will be called ket vectors, state kets, or simply

kets. They will be denoted as:

| label

where ā˜labelā™ denotes some label.

Let H# denote the Hilbert space of all Hilbert space morphisms of H into

the Hilbert space of all complex numbers C, i.e.,

H# = HomC (H, C) .

32

The elements of H# will be called bra vectors, state bras, or simply bras.

They will be denoted as:

label |

where once again ā˜labelā™ denotes some label.

Also please note that the complex number

label1 | (| label2 )

will simply be denoted by

label1 | label2

and will be called the bra-(c)-ket product of the bra label1 | and the ket

| label2 .

There is a monomorphism (which is an isomorphism if the underlying

Hilbert space is ļ¬nite dimensional)

#

H ā’ H#

deļ¬ned by

| label ā’ā’ ( | label , ā’)

The bra ( | label , ā’) is denoted by label |.

Hence,

label1 | label2 = (| label1 , | label2 )

Remark 3 Please note that (Ī» | label )# = Ī»ā— label|.

The tensor product8 H ā— K of two Hilbert spaces H and K is simply

the āsimplestā Hilbert space such that

8

Readers well versed in homological algebra will recognize this informal deļ¬nition as a

slightly disguised version of the more rigorous universal deļ¬nition of the tensor product.

For more details, please refer to [37], or any other standard reference on homological

algebra.

33

1) (h1 + h2 ) ā— k = h1 ā— k + h2 ā— k, for all h, h1, h2 ā H and for all k,

k1 , k2 ā K, and

2) h ā— (k1 + k2 ) = h ā— k1 + h ā— k2 for all h, h1 , h2 ā H and for all k,

k1 , k2 ā K.

It immediately follows that

3) Ī» (h ā— k) ā” (Ī»h) ā— k = h ā— (Ī»k) for all Ī» ā C, h ā H, k ā K.

Finally, if | label1 and | label2 are kets respectively in Hilbert spaces H1

and H2 , then their tensor product will be written in any one of the following

three ways:

| label1 ā— | label2

| label1 | label2

| label1 , label2

14.3 Polarized light: Part II. The quantum mechanical

perspective

The states of a quantum mechanical system are represented by state kets

in a Hilbert space H. Two kets |Ī± and |Ī² represent the same quantum

mechanical state if they diļ¬er by a non-zero multiplicative constant. I.e.,

|Ī± and |Ī² represent the same quantum mechanical state if there exists a

non-zero Ī» ā C such that

|Ī± = Ī» |Ī²

Hence, the quantum mechanical states are the elements of the manifold

H/Ė = CP n

where n denotes the dimension of H, and CP n denotes complex projective

space.

34

Convention: Since a quantum mechanical state is represented by a state

ket up to a multiplicative constant, we will unless stated otherwise,

choose those kets |Ī± which are unit normal, i.e., such that

Ī± | Ī± = 1 āā’ |Ī± =1

The polarization states of a photon are represented as state kets in a two

dimensional Hilbert space H. One orthonormal basis of H consists of the

kets

| and |

which represent respectively the quantum mechanical states of left- and right-

circularly polarized photons. Another orthonormal basis consists of the kets

| and |ā”

representing respectively vertically and horizontally linearly polarized pho-

tons. And yet another orthonormal basis consists of the kets

| and |

for linearly polarized photons at the angles Īø = Ļ/4 and Īø = ā’Ļ/4 oļ¬ the

vertical, respectively.

These orthonormal bases are related as follows:

ļ£± ļ£±

| = ā2 (| + |ā” )

1

ļ£²| | + 1ā’i |

ļ£² 1+i

= 2 2

ļ£³ ļ£³

| ā’ |ā” ) | | + 1+i |

1 1ā’i

ā

= (| = 2 2

2

ļ£± ļ£±

ļ£²| +| ļ£²| +|

1 1

ā ā

= (| ) = (| )

2 2

ļ£³ ļ£³

|ā” ā’| |ā” ā’|

1 i

ā ā

= (| ) = (| )

2 2

35

ļ£± ļ£±

ļ£²| ā’ i |ā” )

1

ļ£²| | |

ā 1ā’i 1+i

= (| = +

2 2 2

ļ£³ ļ£³

| + i |ā” ) | | |

1 1+i 1ā’i

ā

= (| = +

2 2

2

The bracket products of the various polarization kets are given in the

table below:

| |ā” | | | |

| 1 1 1 1

ā ā ā ā

1 0 2 2 2 2

ā”| ā’ ā2 ā’ ā2

1 1 i i

ā ā

0 1 2 2

| 1 1 1+i 1ā’i

ā ā 1 0 2 2

2 2

| ā’ 12

1 1ā’i 1+i

ā ā 0 1 2 2

2

| 1 i 1ā’i 1+i

ā ā 1 0

2 2

2 2

| ā’ i2

1 1+i 1ā’i

ā ā 0 1

2 2

2

14.4 A Rosetta stone for Dirac notation: Part II. Op-

erators

An (linear) operator or transformation O on a ket space H is a Hilbert

space morphism of H into H, i.e., is an element of

HomC (H, H)

The adjoint Oā of an operator O is that operator such that

Oā | label1 , | label2 = (| label1 , O | label2 )

for all kets | label1 and | label2 .

In like manner, an (linear) operator or transformation on a bra space H#

is an element of

HomC H# , H#

36

Moreover, each operator O on H can be identiļ¬ed with an operator, also

denoted by O, on H# deļ¬ned by

label1 | ā’ā’ label1 | O

where label1 | O is the bra deļ¬ned by

( label1 | O) (| label2 ) = label1 | (O | label2 )

(This is sometimes called Diracā™s associativity law.) Hence, the expression

label1 | O | label2

is unambiguous.

Remark 4 Please note that

(O | label )# = label| Oā

In quantum mechanics, an observable is simply a Hermitian (also

called self-adjoint) operator on a Hilbert space H, i.e., an operator O such

that

Oā = O .

An eigenvalue a of an operator A is a complex number for which there is a

ket |label such that

A |label = a |label .

The ket |label is called an eigenket of A corresponding to the eigenvalue a.

An important theorem about observables is given below:

Theorem 5 The eigenvalues ai of an observable A are all real numbers.

Moreover, the eigenkets for distinct eigenvalues of an observable are orthog-

onal.

37

Deļ¬nition 6 An eigenvalue is degenerate if there are at least two linearly

independent eigenkets for that eigenvalue. Otherwise, it is nondegenerate.

Notational Convention: If all the eigenvalues ai of an observable A are

nondegenerate, then we can and do label the eigenkets of A with the

eigenvalues ai . Thus, we can write:

A |ai = ai |ai

for each eigenvalue ai . In this paper, unless stated otherwise, we assume

that the eigenvalues of observables are non-degenerate.

One exception to the above notational convention is the measurement

operator

|ai ai |

for the eigenvalue ai , which is the outer product of ket |ai with its ad-

joint ai |. It has two eigenvalues 0 and 1. 1 is a nondegenerate eigenvalue

with eigenket |ai . 0 is a degenerate eigenvalue with corresponding eigenkets

{ |aj }j=i .

An observable A is said to be complete if its eigenkets |ai form a basis

(hence, an orthonormal basis) of the Hilbert space H. Given a complete

nondegenerate observable A, then any ket |Ļ in H can be written as:

|Ļ = |ai ai | Ļ

i

Thus, for a complete nondegenerate observable A, we have the following

operator equation which expresses the completeness of A,

|ai ai | = 1

i

Thus, in this notation, we have

ńņš. 1 |