Entanglement Enhances Security in Secret Sharing
We analyze tolerable quantum bit error rates in secret sharing protocols, and show that using entangled encoding states is advantageous in the case when the eavesdropping attacks are local. We also provide a criterion for security in secret sharing – a parallel of the Csiszár-Körner criterion in single-receiver cryptography.
In the last few years, the role of entanglement in different branches of physics has been studied extensively, ranging from many-body physics [1, 2] to quantum information processing [3]. In particular, the qualities and thresholds of entanglement for optimal quantum communication performance have been found, e.g. with regard to teleportation [4], dense coding [5], and cryptography [6]. The necessity of entanglement in quantum computation is still under investigation (see e.g. [7]). In a different context, there is ongoing research on the behavior of entanglement in e.g. quantum phase transitions [2], local cloning [8], and local state distinguishing [9].
In this paper, we will investigate the advantage of entanglement in the security of a quantum communication task known as secret sharing [10, 11]. This is a communication scenario in which a sender Alice () wants to provide a (classical) message to two recipients (Bobs – ), in such a way that each of the Bobs individually knows nothing about the message, but they can recover its content once they cooperate. In order to transmit a binary message string , Alice can take a sequence of completely random bits , send it to , and at the same time send the sequence to , where denotes addition modulo . Thus , assuring that the Bobs can recover the message if they cooperate, and yet neither of them can learn anything about the message on his own, since the sequences , are completely random.
An important issue is of course security, i.e. distributing the message in such a way that no third (actually fourth!) party learns about it. This can be achieved using quantum cryptography (e.g. by the BB84 scheme [12]). Alice simply has to establish secret random keys, independently, with both Bobs, and use them as one-time pads to securely send bits in the way required by secret sharing. We call this the BB protocol. It has been argued [10] that a more natural way of using quantum states in secret sharing is to send entangled states to the Bobs, and thereby avoid establishing random keys with each of the Bobs separately, by combining the quantum and classical parts of secret sharing in a single protocol. We call the protocol of [10, 11] E4 (since it uses four entangled states).
In this paper, we consider security thresholds for both E4 and BB, i.e. the highest quantum bit error rates (QBERs) below which one-way distillation of secret key is possible. There are three main results proven in the paper. First, we provide a criterion for security of secret sharing, i.e. a condition under which one-way classical distillation of secret key is possible between the sender and the receivers: the parallel of the Csiszár-Körner criterion in (single-receiver, classical) cryptography [13]. Secondly, we find the optimal quantum eavesdropping attacks on both E4 and BB that are individual, without quantum memory, and, most importantly, local. Note that an attack which acts by local operations and classical communication (LOCC) on the particles sent through the two channels ( and ) is physically more relevant in this distributed-receivers case. We show that the threshold QBER for E4 is about 18.2 % higher than that of BB. This shows, to our knowledge for the first time, that it is more secure to use entangled encoding states in secret sharing. Thirdly, we provide a general method for dealing with local eavesdropping attacks.
The protocols. In our setting, a secret sharing protocol can be characterized by , where labels the different encoding “bases” used, are two-qubit states sent by Alice to the Bobs if she uses basis and wants to communicate the logical value , while is a set of observables compatible with basis (so that if the corresponding measurement is performed by the Bobs, it allows them to recover a proper logical bit of Alice). In practice, () randomly measures the observables () on the states received from Alice in each round. After the transmission is completed, the Bobs announce the observables they have used in each round to Alice, who, depending on whether this combination of observables is present in for the particular she had used in that round, tells the Bobs whether to keep or reject their measured results for that round – this is called the sifting phase. The BB protocol is defined as
where () are eigenstates of the Pauli () matrix. The fact that there are two states corresponding to a given simply means that each of them is sent randomly with probability . The E4 protocol [10] (see also [15]), on the other hand, is defined as
where , , and , are eigenstates of the Pauli operator. The question is which of these protocols tolerates a higher QBER. After the sifting phase, let the bits of Alice and the Bobs, obtained in a given set of rounds, be described by the probability distribution . The corresponding QBER is .
Error correction and privacy amplification. Knowing the QBER, we want to perform a one-way error correction procedure such that all errors are corrected with arbitrarily high probability. In standard (single-receiver) cryptography, error correction can be performed either from the sender to the receiver, or vice versa. In secret sharing, there are two separated receivers, and each of them individually has bits that are completely random. So there is no way for Alice to perform one-way error correction towards the Bobs – whatever she sends to each of them individually, it will not be enough for them to correct errors, unless she sends the total information, which is of course not the solution we are after.
The only remaining option is that each of the Bobs sends some information to Alice, on the basis of which she is able to correct her bits in such a way that for every : . Fortunately, this is indeed possible. We sketch here how this can be achieved, adapting for our needs a standard method of classical communication theory, namely random coding (see e.g. [16, 18, 17]). Let each of the three parties have bits after the sifting phase. The error correction procedure uses a random coding function , known to all three parties (and the rest of the world), where will be chosen later. This function assigns a random -bit codeword to each of the possible -bit strings. Error correction goes as follows: and calculate and respectively, and send their -bit codewords to Alice. After this, Alice looks for all -bit sequences , such that , , and chooses a pair , for which the Hamming distance is minimal. It can be shown that in the limit , this strategy is successful with arbitrarily high probability, provided
where is the binary entropy function. This result is quite intuitive, since in standard bipartite error correction the length of a codeword has to fulfill . In secret sharing, however, the two Bobs together have to provide Alice with bits. These additional bits are needed, since the sequence of either Bob taken separately is completely random for Alice. As a result, each of the Bobs has to send a code of the length given by Eq. (1).
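The decoding step described above, as an added toy implementation (not the paper's code): a public random coding function maps each n-bit string to an m-bit codeword, both Bobs publish their codewords, and Alice exhaustively searches the preimages for the pair whose XOR is closest in Hamming distance to her own string. The keyed-hash stand-in for the random function, the toy block length and the codeword length m = n − 1 are assumptions chosen so the brute-force search stays small; the paper's Eq. (1) governs the asymptotic codeword length and is not reproduced here.

```python
"""
Toy simulation of Bobs-to-Alice one-way error correction by random coding.
Added example, not the paper's code.
"""
import hashlib
import random


def hamming(x: int, y: int) -> int:
    """Hamming distance between two integers viewed as bit strings."""
    return bin(x ^ y).count("1")


def make_random_code(m: int, seed: int):
    """Public random coding function f: n-bit int -> m-bit int.

    A keyed hash stands in for a genuinely random table (assumption: any
    deterministic, publicly known map serves the toy equally well)."""
    def f(x: int) -> int:
        digest = hashlib.sha256(f"{seed}:{x}".encode()).digest()
        return int.from_bytes(digest[:8], "big") & ((1 << m) - 1)
    return f


def alice_decode(a: int, c1: int, c2: int, n: int, f):
    """Alice's decoding step.

    Given her own n-bit string a and the codewords c1, c2 published by
    B1 and B2, enumerate every preimage x1 of c1 and x2 of c2 and return
    (distance, x1, x2) for the pair minimising hamming(a, x1 ^ x2).
    Exhaustive search is fine for toy n; the argument in the text is
    about the large-n limit, not about efficient decoding."""
    pre1 = [x for x in range(1 << n) if f(x) == c1]
    pre2 = [x for x in range(1 << n) if f(x) == c2]
    best = None
    for x1 in pre1:
        for x2 in pre2:
            d = hamming(a, x1 ^ x2)
            if best is None or d < best[0]:
                best = (d, x1, x2)
    return best


def simulate_round(n: int, m: int, n_errors: int, seed: int) -> bool:
    """One error-correction round on constructed sample data.

    B1 and B2 hold random n-bit strings; Alice holds their XOR with
    n_errors bit flips standing in for channel/eavesdropper noise.
    Returns True if Alice's corrected string equals b1 ^ b2."""
    rng = random.Random(seed)
    b1 = rng.getrandbits(n)
    b2 = rng.getrandbits(n)
    a = b1 ^ b2
    for pos in rng.sample(range(n), n_errors):
        a ^= 1 << pos                      # constructed errors in Alice's string
    f = make_random_code(m, seed)
    _, x1, x2 = alice_decode(a, f(b1), f(b2), n, f)
    return (x1 ^ x2) == (b1 ^ b2)


if __name__ == "__main__":
    # m = n - 1 bits per Bob is generous for this toy size (assumption).
    n, m = 12, 11
    ok = sum(simulate_round(n, m, n_errors=1, seed=s) for s in range(20))
    print(f"recovered b1^b2 in {ok}/20 rounds (n={n}, m={m}, 1 error)")
```

Alice keeps the XOR of the chosen preimages as her corrected string; whether the individual preimages equal the Bobs' strings is irrelevant, since only the relation to the Bobs' XOR matters for the key.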
After the error correction stage is completed, Alice and the Bobs need to perform privacy amplification, in order to obtain a possibly shortened, but completely secure key, on which an eavesdropper has no information. Privacy amplification presents no additional difficulty in a secret sharing scenario, as compared to standard bipartite cryptography, since its performance, in principle, requires no additional communication between Alice and the Bobs. It is enough that all parties apply the same hashing function [14] for shortening the key, and if there were no errors, in the sense that for all , , then there will be no errors in the shortened key.
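The classical pipeline of the BB protocol and the privacy amplification step just described, as an added example (not the paper's code): Alice splits the message into two shares, sends each share under a one-time pad obtained from a separate key, and afterwards all three parties shorten their strings with the same public hash. The choice of a GF(2)-linear (Toeplitz) universal hash is an assumption the text does not specify; it is what makes "the same hashing function" preserve the secret sharing relation, because a linear hash of the XOR of the shares equals the XOR of the hashed shares. The message bits, pad keys and hash seed are constructed sample values.

```python
"""
Secret sharing with one-time pads and linear privacy amplification.
Added example, not the paper's code.
"""
import random


def xor(a, b):
    """Bitwise XOR of two equal-length bit lists."""
    return [x ^ y for x, y in zip(a, b)]


def split_message(msg, rng):
    """Alice's secret sharing: share1 is uniformly random, share2 = msg XOR share1.
    Each share alone is uniform, so neither Bob learns anything on his own."""
    share1 = [rng.getrandbits(1) for _ in msg]
    share2 = xor(msg, share1)
    return share1, share2


def one_time_pad(bits, key):
    """Encrypt or decrypt (same operation) with a key from a QKD session."""
    assert len(key) == len(bits)
    return xor(bits, key)


def toeplitz_hash(bits, seed, out_len):
    """Universal hash: multiply the bit vector by an out_len x n Toeplitz
    matrix over GF(2) whose entry (i, j) is seed[i - j + n - 1].  The seed
    (out_len + n - 1 bits) is public; only the linearity is used here."""
    n = len(bits)
    assert len(seed) == out_len + n - 1
    return [sum(seed[i - j + n - 1] & bits[j] for j in range(n)) % 2
            for i in range(out_len)]


def pa_preserves_sharing(msg, share1, share2, seed, out_len):
    """True iff hash(msg) == hash(share1) XOR hash(share2), i.e. the shortened
    strings are again a valid secret sharing of the shortened message."""
    h = lambda v: toeplitz_hash(v, seed, out_len)
    return h(msg) == xor(h(share1), h(share2))


def run_bb_pipeline(msg, key1, key2, seed, out_len, rng):
    """Shares -> pads -> hashed shares; returns (hashed msg, hashed share1,
    hashed share2, relation_holds)."""
    share1, share2 = split_message(msg, rng)
    # Alice transmits each share under its own one-time pad.
    ct1, ct2 = one_time_pad(share1, key1), one_time_pad(share2, key2)
    # Each Bob decrypts his share; together they could reconstruct msg.
    b1, b2 = one_time_pad(ct1, key1), one_time_pad(ct2, key2)
    assert xor(b1, b2) == msg
    h = lambda v: toeplitz_hash(v, seed, out_len)
    return h(msg), h(b1), h(b2), pa_preserves_sharing(msg, b1, b2, seed, out_len)


if __name__ == "__main__":
    rng = random.Random(7)
    msg = [1, 0, 1, 1, 0, 0, 1, 0]                    # constructed message
    key1 = [rng.getrandbits(1) for _ in msg]            # constructed pad keys
    key2 = [rng.getrandbits(1) for _ in msg]
    out_len = 5
    seed = [rng.getrandbits(1) for _ in range(out_len + len(msg) - 1)]
    hm, h1, h2, ok = run_bb_pipeline(msg, key1, key2, seed, out_len, rng)
    print("hashed message:", hm, "hashed shares:", h1, h2, "relation holds:", ok)
```

With a non-linear hash the Bobs' shortened strings would no longer XOR to the shortened message, so the linearity of the hash family is part of what makes privacy amplification "no additional difficulty" in the distributed-receivers case.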
LOCC attacks. We will analyze security of the protocols with the following restrictions imposed on an eavesdropper: (i) the eavesdropper can perform only individual attacks; (ii) individual attacks are LOCC operations with respect to the partition of the encoding states between and ; (iii) the eavesdropper is not allowed any kind of quantum memory. Restriction (i) means that an eavesdropper can interact, in a given round, only with the quantum state sent by Alice to the Bobs in that round. Restriction (ii) is at the heart of the problem we analyze, and is natural in the distributed-receivers scenario. Note here that if no LOCC condition is imposed, then the security analyses of the two-receiver E4 and single-receiver BB84 protocols are isomorphic. The justification of (iii) is based on current technology limitations – no long-lasting quantum memory has been developed so far.
Let the probability distribution describe single-round bit values, of Alice, of the Bobs, and of an eavesdropper, after the eavesdropper’s attack and after the sifting stage is completed. In single-receiver cryptography, the maximal one-way secret key distillation rate is given by the Csiszár-Körner criterion [13]: , where is the mutual information between the corresponding parties. As discussed in the previous paragraphs, error correction in secret sharing can be performed only in one direction (from the Bobs to Alice). Thus the secret key distillation rate in the case of secret sharing is , which is therefore the parallel of the Csiszár-Körner criterion in (single-receiver) cryptography [13].
In order to analyze eavesdropping attacks, consider the state being sent from Alice to the Bobs. Collaborating eavesdroppers , , acting on the channels connecting with and respectively, can perform an arbitrary LOCC operation (completely positive trace-preserving LOCC map) to create . The operation is LOCC with respect to the partition . Subsequently, , perform an LOCC measurement on their subsystems in order to obtain information about the bit shared by Alice with the Bobs, while sending the possibly perturbed subsystems , to their legitimate recipients. Without loss of generality, we can restrict this measurement to have only two possible outcomes ( or ), since only the value of the transmitted bit is of interest to the eavesdroppers. Hence we model the measurement by a two-element positive operator-valued measure (POVM): , . Obviously , and , but here we additionally impose the constraint that the measurements are LOCC-based.
The probability distribution is given by , where is the probability that sends the state in a given round, whereas is the POVM element corresponding to the Bobs’ measurement in basis (compatible with the state sent by Alice), such that the sum of their individual measured values, modulo , is equal to : . The probability normalization condition reads . We adopt the convention that if one of the Bobs (locally) performs a measurement characterized by a Pauli matrix , then he ascribes the bit value or once in the measurement he projects onto an eigenvector with eigenvalue or respectively. To make more revealing, we introduce non-trace-preserving completely positive operations , acting on the input and output Hilbert spaces of the Bobs, and defined as . represents the disturbance experienced by a state transmitted to the Bobs, once the eavesdroppers have obtained a particular value in their measurement. Notice that even though each operation is not trace-preserving, the operation is – it corresponds to the situation in which one averages over the results of the eavesdroppers’ measurement. We can now write . It is now clear that the eavesdropping strategy is completely defined by specifying the two operations , , and for a given protocol yields a joint probability distribution .
To calculate the QBER threshold, one should now look for the highest value of the QBER for which it is still possible to find eavesdropping LOCC operations , such that the resulting probability distribution enjoys the property . Forgetting for the moment about the LOCC constraint, the problem of finding the QBER threshold is a semi-definite program. To see this, let us denote , and recall the Jamiołkowski isomorphism [19] between completely positive maps and positive semi-definite operators : , where is an unnormalized maximally entangled state in the space , and is the identity operation on . Hence our problem variables are the entries of two matrices, which are required to be positive semi-definite. The trace-preservation condition on translates to a condition on the positive operators: . This condition is obviously linear in the matrix elements of . Similarly, is also linear, and hence the security condition is linear. Finally, the QBER, which we want to maximize, is linear. In order to deal with the LOCC constraint, we will impose the weaker “PPT constraint”: positivity after partial transposition of the operators – we transpose subsystem . This is a necessary condition for LOCC [20]. However, we will show that the optimal PPT maps are also LOCC.
Entangled vs. product encoding. We now present the solutions for maximal tolerable QBER for and E4 protocols found by solving the corresponding semi-definite programs, using the SeDuMi package. Although solving a semi-definite program provided us only with numerical solutions, we were able to recognize their analytical form, and hence all results presented are analytical.
For the protocol, the optimal is, in the computational basis, the 16x16 matrix whose only nonzero elements are , , , , and their Hermitian conjugates. The optimal has the same entries on the diagonal and the anti-diagonal, while the remaining ones are multiplied by . These optimal PPT maps will later be proven to be LOCC. The optimal .
Moving now to the E4 protocol, the optimal is the 16x16 matrix whose only nonzero entries are , , , and their Hermitian conjugates, where , , , , . The optimal is the same as , but with replaced by . Again these optimal PPT maps will later be proven to be LOCC. The optimal . Interestingly, therefore, is about 18.2 % higher than , which indicates that indeed the protocol using entangled states is more secure in the case of LOCC eavesdropping. In Fig. 1, we show the maximum achievable secret-key rates for the two protocols as a function of the measured QBER. It is clear that E4 is better not only because of its higher QBER threshold, but also because of its higher key rate for all QBER (see Fig. 1; more details will be presented elsewhere [21]).
Explicit LOCC forms of the optimal attacks. We now show that the optimal attacks are separable. We will subsequently show that the attacks are actually LOCC.
Separability of the optimal attack for the BB case is evident once we write it in the form (the procedure leading to this form will be presented elsewhere [21])
where the local Kraus operators , are
respectively. Since does not depend on (equivalently, can also be chosen to be so), we write it as . The full operation can be written as , which shows that it is indeed LOCC, since it can be realized as follows. First an operation given by the four Kraus operators is performed on the second subsystem, and the measurement result is transmitted to the first subsystem. For given values of received by the first subsystem, an operation using the two Kraus operators , is performed on the first subsystem. This is a legitimate deterministic LOCC operation since , and for every , . Note that it requires only one-way classical communication. Summing up, are separable trace-decreasing operations, such that when added together, they form a trace-preserving LOCC operation , and hence they can both be realized via LOCC.
In a similar way, we can show that the optimal PPT attacks on the E4 protocol are also LOCC. Separable Kraus decompositions of read
where the sum runs over , and , are respectively
Again we can write the full operation as , which shows that it is LOCC, since it can be realized by performing an operation on the second subsystem using the 27 Kraus operators , communicating the measurement result to the first subsystem, on which an appropriate operation using the two Kraus operators () is performed. Note that , and for every , .
Typical noise. Judging the usefulness of the two protocols by comparing their QBER thresholds may a priori not be sensible from an experimental point of view, as in an experiment we face noise caused by natural factors as well as by the eavesdropper. Hence a relevant question is: Which protocol allows secure key transmission in the presence of a higher level of noise of the type present in an experiment? Consider a typical situation in which we send the qubits via two fibers. A usual model of noise here would be that each channel (fiber) is an isotropically depolarizing channel, and that the two are independent. Given a channel with a fixed level of depolarization, we ask: Can we securely extract some secret key using either the E4 or the protocol? This may not be equivalent to comparing QBER thresholds, because different states are used in the two protocols, which under the same noise level may behave differently and result in different QBERs – in particular, it could happen that in such a situation it is advantageous to apply the protocol with the lower QBER threshold. In this environment, however, the QBERs for E4 and depend in the same way on the depolarization parameter. If an isotropically depolarizing qubit channel acts as , then the QBER caused by the channel is for both protocols. Comparing the protocols using QBER thresholds as a figure of merit is therefore legitimate from both a theoretical and a practical point of view.
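The claim that both protocols see the same QBER under independent depolarizing fibers can be checked numerically. The following is an added density-matrix simulation (not the paper's code) with small pure-Python matrix helpers: it sends a BB product state and the E4 entangled state through one depolarizing channel per qubit and computes the probability that the XOR of the Bobs' outcomes differs from Alice's logical bit. The channel parametrisation D_p(ρ) = (1 − p)ρ + p·I/2, the choice of |00⟩ and (|00⟩+|11⟩)/√2 as the logical-0 encodings, and the eigenvalue-to-bit convention (+1 → 0, −1 → 1) are assumptions, since the page's own formulas are not reproduced here.

```python
"""QBER of BB and E4 encodings under two independent depolarizing qubit
channels.  Added example, not the paper's code."""
import math

# --- minimal complex-matrix helpers on nested lists -------------------
def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]

def dagger(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]

def kron(A, B):
    ra, ca, rb, cb = len(A), len(A[0]), len(B), len(B[0])
    return [[A[i // rb][j // cb] * B[i % rb][j % cb]
             for j in range(ca * cb)] for i in range(ra * rb)]

def add(A, B, s=1.0):
    """A + s*B"""
    return [[A[i][j] + s * B[i][j] for j in range(len(A[0]))] for i in range(len(A))]

def trace(A):
    return sum(A[i][i] for i in range(len(A)))

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Y = [[0, -1j], [1j, 0]]
Z = [[1, 0], [0, -1]]

def pure_state(amplitudes):
    """Density matrix |psi><psi| of a two-qubit state vector."""
    v = [[a] for a in amplitudes]
    return matmul(v, dagger(v))

def depolarize_each_qubit(rho, p):
    """Apply D_p(rho) = (1-p) rho + p I/2 independently to both qubits.
    Kraus form (assumed parametrisation): identity with weight 1-3p/4,
    each of X, Y, Z with weight p/4."""
    kraus = [(1 - 3 * p / 4, I2), (p / 4, X), (p / 4, Y), (p / 4, Z)]
    out = [[0j] * 4 for _ in range(4)]
    for w1, K1 in kraus:
        for w2, K2 in kraus:
            K = kron(K1, K2)
            out = add(out, matmul(matmul(K, rho), dagger(K)), w1 * w2)
    return out

def projector_bit(P, bit):
    """Projector onto the eigenvector of Pauli P with eigenvalue +1 (bit 0)
    or -1 (bit 1): (I +/- P)/2."""
    s = 1 if bit == 0 else -1
    return [[0.5 * x for x in row] for row in add(I2, P, s)]

def qber(rho, P1, P2, alice_bit):
    """Probability that b1 XOR b2 != alice_bit when B1 measures P1 and
    B2 measures P2 on the (noisy) state rho."""
    err = 0.0
    for b1 in (0, 1):
        for b2 in (0, 1):
            if b1 ^ b2 != alice_bit:
                proj = kron(projector_bit(P1, b1), projector_bit(P2, b2))
                err += trace(matmul(proj, rho)).real
    return err

def qber_bb(p):
    """BB: product state |00> (logical 0 in the Z basis, assumption)."""
    return qber(depolarize_each_qubit(pure_state([1, 0, 0, 0]), p), Z, Z, 0)

def qber_e4(p, basis=Z):
    """E4: (|00>+|11>)/sqrt2 is a +1 eigenstate of both ZZ and XX, so it
    encodes logical 0 in either basis (assumption)."""
    s = 1 / math.sqrt(2)
    return qber(depolarize_each_qubit(pure_state([s, 0, 0, s]), p), basis, basis, 0)

if __name__ == "__main__":
    for p in (0.0, 0.05, 0.1, 0.2):
        print(f"p={p:.2f}  QBER_BB={qber_bb(p):.4f}  QBER_E4(ZZ)={qber_e4(p):.4f}"
              f"  QBER_E4(XX)={qber_e4(p, X):.4f}")
```

Under this parametrisation each qubit's outcome is flipped with probability p/2 in either protocol, and the XOR is wrong exactly when one of the two is flipped, so both curves coincide at p(1 − p/2); the simulation confirms this without relying on that shortcut.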
Summary. We have for the first time shown that entanglement in the encoding states provides better security in secret sharing. The security was judged by calculating the QBER threshold for secure communication, under the assumption of local individual quantum attacks without quantum memory. We have found the optimal attacks in such a scenario for the two paradigmatic protocols: one using product states and the other using entangled ones for encoding. Further results include the parallel of the Csiszár-Körner criterion for security in (single-receiver) cryptography in the distributed-receivers case, and the usefulness of the protocols in the presence of a depolarizing environment.
We acknowledge support from the Spanish MEC (FIS-2005-04627, Consolider QOIT, Acciones Integradas, & Ramón y Cajal), ESF Program QUDEDIS, Euroquam FERMIX, Polish Ministry of Science and Higher Education grant no. 1 P03B 011 29, EU IP SCALA, EU IP QAP.
- (1) M. Lewenstein et al., Adv. Phys. 56, 243 (2007).
- (2) L. Amico et al., to appear in Rev. Mod. Phys. (quant-ph/0703044).
- (3) R. Horodecki et al., to appear in Rev. Mod. Phys. (quant-ph/0702225).
- (4) See e.g. C.H. Bennett et al., Phys. Rev. Lett. 70, 1895 (1993); P. Horodecki, M. Horodecki, and R. Horodecki, Phys. Rev. A 60, 1888 (1999).
- (5) C.H. Bennett and S.J. Wiesner, Phys. Rev. Lett. 69, 2881 (1992).
- (6) See e.g. A.K. Ekert, Phys. Rev. Lett. 67, 661 (1991); N. Gisin et al., Rev. Mod. Phys. 74, 145 (2002); K. Horodecki et al., ibid. 94, 160502 (2005).
- (7) A. Datta and G. Vidal, Phys. Rev. A 75, 042310 (2007).
- (8) See e.g. R. Demkowicz-Dobrzański et al., Phys. Rev. A 73, 032313 (2006).
- (9) See e.g. M. Hayashi et al., Phys. Rev. Lett. 96, 040501 (2006).
- (10) M. Żukowski, A. Zeilinger, M. Horne, and H. Weinfurter, Acta Phys. Pol. 93, 187 (1998); M. Hillery, V. Bužek, and A. Berthiaume, Phys. Rev. A 59, 1829 (1999).
- (11) R. Cleve, D. Gottesman, and H.-K. Lo, Phys. Rev. Lett. 83, 648 (1999); A. Karlsson, M. Koashi, and N. Imoto, Phys. Rev. A 59, 162 (1999).
- (12) C.H. Bennett and G. Brassard, in Proceedings of the International Conference on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984).
- (13) I. Csiszár and J. Körner, IEEE Trans. Inf. Th. IT-24, 339 (1978).
- (14) C.H. Bennett, G. Brassard, C. Crépeau, and U. Maurer, IEEE Trans. Inf. Theory 41, 1915 (1995).
- (15) V. Scarani and N. Gisin, Phys. Rev. Lett. 87, 117901 (2001); Phys. Rev. A 65, 012311 (2002); A. Sen(De), U. Sen, and M. Żukowski, Phys. Rev. A 68, 032309 (2003); C. Schmid et al., Phys. Rev. Lett. 95, 230505 (2005).
- (16) T.M. Cover and J.A. Thomas, Elements of Information Theory (Wiley, NJ, 1991).
- (17) G. Brassard and L. Salvail, Adv. Cryptol. 765, 410 (1994).
- (18) M.A. Nielsen and I.L. Chuang, Quantum Computation and Quantum Information (CUP, Cambridge, 2000).
- (19) A. Jamiołkowski, Rep. Math. Phys. 3, 275 (1972).
- (20) P. Horodecki, Phys. Lett. A 232, 333 (1997); M. Horodecki, P. Horodecki, and R. Horodecki, Phys. Rev. Lett. 80, 5239 (1998); C.H. Bennett et al., Phys. Rev. A 59, 1070 (1999).
- (21) R. Demkowicz-Dobrzański, A. Sen(De), U. Sen, and M. Lewenstein, in preparation.