Documente Academic
Documente Profesional
Documente Cultură
May 2004
Introduction
May 2004
smaller parts and inevitably reach a point where logic gates are so small that they are
made out of only a handful of atoms. So, if computers are to become smaller in the
future, new, quantum technology must replace or supplement what we have now. The
point is, however, that quantum technology can offer much more than cramming more
and more bits to silicon and multiplying the clock-speed of microprocessors. It can
support entirely new kind of computation, known as quantum computation, with
qualitatively new algorithms based on quantum principles.
The potential power of quantum phenomena to perform computations was first
adumbrated in a talk given by Richard Feynman at the First Conference on the Physics
of Computation, held at MIT in 1981. He observed that it appeared to be impossible, in
general, to simulate an evolution of a quantum system on a classical computer in an
efficient way. The computer simulation of quantum evolution typically involves an
exponential slowdown in time, compared with the natural evolution, essentially
because the amount of classical information required to describe the evolving quantum
state is exponentially larger than that required to describe the corresponding classical
system with a similar accuracy. However, instead of viewing this intractability as an
obstacle, Feynman regarded it as an opportunity. He pointed out that if it requires that
much computation to work out what will happen in a quantum multi-particle
interference experiment, then the very act of setting up such an experiment and
measuring the outcome is equivalent to performing a complex computation.
The foundations of the quantum theory of computation were laid down in 1985 when
David Deutsch, of the University of Oxford, published a crucial theoretical paper in
which he described a universal quantum computer and a simple quantum algorithm.
Since then, the hunt has been on for interesting things for quantum computers to do,
and at the same time, for the scientific and technological advances that could allow us
to build quantum computers.
A sequence of steadily improving quantum algorithms led to a major breakthrough in
1994, when Peter Shor, of AT&Ts Bell Laboratories in New Jersey, discovered a
May 2004
quantum algorithm that could perform efficient factorisation. Since the intractability of
factorisation underpins the security of many methods of encryption, including the most
popular public key cryptosystem RSA (named after its inventors Rivest, Shamir and
Adelman).1 Shor's algorithm was soon hailed as the first `killer application' for
quantum computation -- something very useful that only a quantum computer could do.
By some strange coincidence, several of the superior features of quantum computers
have applications in cryptanalysis. Once a quantum computer is built many popular
ciphers will become insecure. Indeed, in one sense they are already insecure. For
example, any RSA-encrypted message that is recorded today will become readable
moments after the first quantum factorisation engine is switched on, and therefore RSA
cannot be used for securely transmitting any information that will still need to be secret
on that happy day. Admittedly, that day is probably decades away, but can anyone
prove, or give any reliable assurance, that it is? Confidence in the slowness of
technological progress is all that the security of the RSA system now rests on.
What quantum computation takes away with one hand, it returns, at least partially, with
the other. Quantum cryptography offers new methods of secure communication that are
not threatened by the power of quantum computers. Unlike all classical cryptography it
relies on the laws of physics rather than on ensuring that successful eavesdropping
would require excessive computational effort.
May 2004
In 1990, independently and initially unaware of the earlier work, Artur Ekert, then a
Ph.D. student at the University of Oxford, developed a different approach to quantum
cryptography based on peculiar quantum correlations known as quantum entanglement.
Since then quantum cryptography has evolved into a thriving experimental area and is
quickly becoming a commercial proposition.
This popular account is aimed to provide some insights into the fascinating world of
quantum phenomena and the way we exploit them for computation and secure
communication.
May 2004
different states, representing two logical values: no or yes, false or true, or simply 0 or
1. For example, in digital computers, the voltage between the plates in a capacitor
represents a bit of information: a charged capacitor denotes bit value 1 and an
uncharged capacitor bit value 0. One bit of information can be also encoded using two
different polarisations of light or two different electronic states of an atom. However, if
we choose a quantum system, such as an atom, as a physical bit then quantum
mechanics tells us that apart from the two distinct electronic states the atom can be also
prepared in a coherent superposition of the two states. This means that the atom is
both in state 0 and state 1. Such a physical object is called a quantum bit or a qubit.
To get used to the idea that a qubit can represent two bit values at once it is helpful
to consider the following experiment. Let us try to reflect a single photon off a halfsilvered mirror, i.e. a mirror which reflects exactly half of the light which impinges
upon it, while the remaining half is transmitted directly through it (Figure 1). Such a
mirror is also known as a beam-splitter.
Input 0
Output 0
Input 1
Output 1
Let the photon in the reflected beam represents logical 0 and the photon in the
transmitted beam the logical 1. Where is the photon after its encounter with the beam-
May 2004
splitter, in the reflected or in the transmitted beam? Does the photon at the output
represent logical 0 or logical 1?
One thing we know is that the photon doesn't split in two thus it seems sensible to
say that the photon is either in the transmitted or in the reflected beam with the same
probability. That is, one might expect the photon to take one of the two paths, choosing
randomly which way to go. Indeed, if we place two photodetectors behind the halfsilvered mirror directly in the lines of the two beams, the photon will be registered with
the same probability either in the detector 0 or in the detector 1. Does it really
mean that after the half-silvered mirror the photon travels in either reflected or
transmitted beam with the same probability 50% ? No, it does not! In fact the photon
takes two paths at once.
This can be demonstrated by recombining the two beams with the help of two fully
silvered mirrors and placing another half-silvered mirror at their meeting point, with
two photodectors in direct lines of the two beams (Figure 2) .
Input 0
Input 1
Output 0
Output 1
Figure 2. Two concatenated beam-splitters affect logical NOT gate. Thus each beamsplitter separately represents an inherently quantum operation called the square root
of NOT.
May 2004
If it was merely the case that there was a 50% chance that the photon followed one
path and a 50% chance that it followed the other, then we should find a 50%
probability that one of the detectors registers the photon and a 50% probability that the
other one does. However, that is not what happens. If the two possible paths are exactly
equal in length, then it turns out that there is a 100% probability that the photon reaches
the detector 1 and 0 per cent probability that it reaches the other detector 0. Thus the
photon is certain to strike the detector 1.
The inescapable conclusion is that the photon must, in some sense, have travelled both
routes at once, for if either of the two paths is blocked by an absorbing screen, it
immediately becomes equally probable that 0 or 1 is struck. In other words, blocking
off either of the paths illuminates 0; with both paths open, the photon somehow is
prevented from reaching 0.
Furthermore, if we insert slivers of glass of different thickness into each path (see
Figure 3) then we can observe a truly amazing quantum interference phenomenon. We can
choose the thickness of the glass, and hence the effective optical length of each path, in
such a way that the photon can be directed to any of the two detectors with any
prescribed probability.
Input 0
Input 1
May 2004
Output 0
Output 1
of two consecutive applications of beam-splitters (see Figure 2). This purely quantum
operation has no counterpart in classical logic and forms one of the elementary building
blocks of a quantum computer.
May 2004
Entanglement
numbers at once.
May 2004
qubits at a time. Qubits in such superpositions are said to be entangled. They cannot be
described by specifying the state of individual qubits and they may together share
information in a form which cannot be accessed in any experiment performed on either
of them alone. Erwin Schrdinger, who was probably the first to be baffled by this
quantum phenomenon, writing for the Cambridge Philosophical Society in 1935,
summarized it as follows
``When two systems, of which we know the states by their respective representatives, enter
into temporary physical interaction due to known forces between them, and when after a
time of mutual influence the systems separate again, then they can no longer be described
in the same way as before, viz. by endowing each of them with a representative of its own. I
would not call that one but rather the characteristic trait of quantum mechanics, the one
that enforces its entire departure from classical lines of thought. By the interaction the two
representatives [the quantum states] have become entangled.''
10
May 2004
gate and can be obtained by switching on for a prescribed period of time the exchange
interaction between qubits. The resulting quantum dynamics takes the input state 01
half way towards the swapped state 10 and effectively generates a superposition of 01
and 10.
The square root of SWAP together with the square root of NOT and phase shifters
(operations equivalent to those induced by the slivers of glass in Figure 3) allow
constructing arbitrary superpositions of binary strings of any length. They form an
adequate (universal) set of quantum gates. Once we can implement these operations
with sufficient precision we can perform any quantum computation. This is very
reminiscent of constructing classical computation out of simple primitives such as
logical NOT, AND, OR etc.
For example, if you need a superposition of 00 and 11 you can construct it using only
the square root of NOT and the square root of SWAP. Start with two qubits in state 00,
apply the square root of NOT twice to the first qubit, this gives state 10. (Of course,
this is just applying logical NOT, but the point is to use only the prescribed adequate
gates.) Then apply the square root of SWAP to obtain the superposition of 10 and 01.
Now comes an interesting part; once the register is prepared in an initial superposition
of different numbers quantum gates perform operations which affect all numbers in the
superposition. Thus if we apply the square root of NOT twice to the second qubit it will
turn 10 into 11 and 01 into 00, which gives the superposition of 00 and 11. It is
convenient to illustrate this sequence of operations in a diagram, shown in Figure 5.
11
NOT
May 2004
NOT
SWAP
NOT
NOT
12
May 2004
The big issue in designing algorithms or their corresponding families of networks is the
optimal use of physical resources required to solve a problem. Complexity theory is
concerned with the inherent cost of computation in terms of some designated
elementary operations such as the number of elementary gates in the network (the size
of the network). An algorithm is said to be fast or efficient if the number of elementary
operations taken to execute it increases no faster than a polynomial function of the size
of the input. We generally take the input size to be the total number of bits needed to
specify the input (for example, a number N requires log2N bits of binary storage in a
computer). In the language of network complexity - an algorithm is said to be efficient
if it has a uniform and polynomial-size network family. Problems which do not have
efficient algorithms are known as hard problems.
From the computational complexity point of view, quantum networks are more
powerful than their classical counterparts. This is because individual quantum gates
operate not just on one number but on superpositions of many numbers. During such
evolution each number in the superposition is affected and as a result we generate a
massive parallel computation albeit in one piece of quantum hardware. This means that
a quantum gate, or a quantum network, can in only one computational step perform the
same mathematical operation on different input numbers encoded in coherent
superpositions of L qubits. In order to accomplish the same task any classical device
has to repeat the same computation 2L times or one has to use 2L processors working in
parallel. In other words a quantum computer offers an enormous gain in the use of
computational resources such as time and memory.
Here we should add that this gain is more subtle than the description above might
suggest. If we simply prepare a quantum register of L qubits in a superposition of 2L
numbers and then try to read a number out of it then we get only one, randomly chosen,
number. This is exactly like in our experiment in Figure 1 where a half-silvered mirror
prepares a photon in a superposition of the two paths but when the two photodetectors
are introduced we see the photon in only one of the two paths. This kind of situation is
13
May 2004
of no use to us for although the register now holds all the 2L numbers, the laws of
physics only allow us to see one of them. However, recall the experiments from Figure
2 and Figure 3 where just the single answer 0 or 1 depends on each of the two
paths. In general quantum interference allows us to obtain a single, final result that
depends logically on all 2L of the intermediate results. One can imagine that each of the
2L computational paths is affected by a process which has an effect similar to that of
the sliver of glass in Figure 3. Thus each computational path contributes to the final
outcome. It is in this way, by quantum interference of many computational paths, a
quantum computer offers an enormous gain in the use of computational resources --though only in certain types of computation.
Quantum algorithms
What types? As we have said, ordinary information storage is not one of them, for
although the computer now holds all the outcomes of 2L computations, the laws of
physics only allow us to see one of them. However, just as the single answer in the
experiments of Figure 2 and Figure 3 depends on information that travelled along each
of two paths, quantum interference now allows us to obtain a single, final result that
depends logically on all 2L of the intermediate results. This is how Shors algorithm
achieves the mind-boggling feat of efficient factorization of large integers.
5.1
Shors Algorithm
As is well known, a naive way to factor an integer number N is based on checking the
remainder of the division of N by some number p smaller than
N . If the remainder is
10
computer ever built), the average time to find the factor of a 60-digit long number
would exceed the age of the universe.
14
May 2004
Rather than this naive division method, Shors algorithm relies on a slightly different
technique to perform efficient factorisation. The factorisation problem can be related to
evaluating the period of a certain function f which takes N as a parameter. Classical
computers cannot make much of this new method: finding the period of f requires
evaluating the function f many times. In fact mathematicians tell us that the average
number of evaluation required to find the period is of the same order of the number of
divisions needed with the naive method we outlined first. With a quantum computer,
the situation is completely different quantum interference of many qubits can
effectively compute the period of f in such a way that we learn about the period without
learning about any particular value f (0), f (1), f(2), The algorithm mirrors our
simple interference experiment shown in Figure 3. We start by setting a quantum
register in a superposition of states representing 0, 1, 2, 3, 4 This operation is
analogous to the action of the first beam-splitter in Figure 3 which prepares a
superposition of 0 and 1. The next step is the function evaluation. The values f(0), f
(1), f(2), are computed in such a way that each of them modifies one computational
path by introducing a phase shift. This operation corresponds to the action of the
slivers of glass in Figure 3. Retrieving the period from a superposition of f (0), f (1),
f(2), requires bringing the computational paths together. In Figure 3 this role is
played by the second beam-splitter. In Shors algorithm the analogous operation is
known as a quantum Fourier transform. Subsequent bit by bit measurement of the
register gives a number, in the binary notation, which allows the period of f to be
estimated with a low probability of error. The most remarkable fact is that all these can
be accomplished with a uniform quantum network family of polynomial size!
Mathematicians believe (firmly, though they have not actually proved it) that in order
to factorise a number with L binary digits, any classical computer needs a number of
steps that grows exponentially with L: that is to say, adding one extra digit to the
number to be factorised generally multiplies the time required by a fixed factor. Thus,
as we increase the number of digits, the task rapidly becomes intractable. No one can
even conceive of how one might factorise, say, thousand-digit numbers by classical
15
May 2004
means; the computation would take many times as long the estimated age of the
universe. In contrast, quantum computers could factor thousand-digit numbers in a
fraction of a second --- and the execution time would grow at most as the cube of the
number of digits.
5.2
Grovers Algorithm
In Shors algorithm all computational paths are affected by a single act of quantum
function evaluation. This generates an interesting quantum interference that gives
observable effects at the output. If a computational step affects just one computational
path it has to be repeated several times. This is how another popular quantum
algorithm, discovered in 1996 by Lov Grover of AT&Ts Bell Laboratories in New
Jersey, searches an unsorted list of N items in only
N or so steps.
which entry contains the desired number will be accessible to measurement with
probability 50% - i.e. it will have spread to more than half the terms in the
16
May 2004
superposition. Therefore repeating the entire algorithm a few more times will find the
desired entry with a probability overwhelmingly close to 1.
One important application of Grovers algorithm might be, again, in cryptanalysis,
to attack classical cryptographic schemes such as DES (the Data Encryption Standard).
Cracking DES essentially requires a search among
these can be checked at a rate of, say, one million keys per second, a classical computer
would need over a thousand years to discover the correct key while a quantum
computer using Grovers algorithm would do it in less than four minutes.
quantum logic gates, such as the square root of NOT, the square root of SWAP, and
phase gates, and try to integrate them together into quantum networks (circuits).
However, subsequent logical operations usually involve more complicated physical
operations on more than one qubit. If we keep on putting quantum gates together into
circuits we will quickly run into some serious practical problems. The more interacting
qubits are involved the harder it tends to be to engineer the interaction that would
display the quantum interference. Apart from the technical difficulties of working at
single-atom and single-photon scales, one of the most important problems is that of
preventing the surrounding environment from being affected by the interactions that
generate quantum superpositions. The more components the more likely it is that
quantum computation will spread outside the computational unit and will irreversibly
dissipate useful information to the environment. This process is called decoherence.
17
May 2004
18
May 2004
Figure 6. One of the first experimental schemes for quantum computation used an
array of single-electron quantum dots. A dot is activated by applying suitable
voltage to the two metal wires that cross at that dot. Similarly, several dots may be
activated at the same time. Because the states of an active dot are asymmetrically
charged, two adjacent active dots are each exposed to an additional electric field that
depends on the others state. This way the resonant frequency of one dot depends on
the state of the other. Light at carefully selected frequencies will selectively excite only
adjacent, activated dots that are in certain states. Such conditional quantum dynamics
are needed to implement quantum logic gates.
Although these early schemes showed how to translate mathematical prescriptions into
physical reality they were difficult to implement and to scale up, due to decoherence. In
1994 Ignacio Cirac and Peter Zoller, from the University of Innsbruck, came up with a
model that offered the possibility of fault tolerant quantum computation. It was quickly
recognized as a conceptual breakthrough in experimental quantum computation. They
considered a trap holding a number of ions in a straight line. The ions would be laser
cooled and then each ion could be selectively excited by a pulse of light from a laser
beam directed specifically at that ion. The trap would therefore act as a quantum
register with the internal state of each ion playing the role of a qubit. Pulses of light
can also induce vibrations of ions. The vibrations are shared by all of the ions in the trap
19
May 2004
and they enable the transfer of quantum information in between distant ions and the
implementation of quantum logic gates (Figure 7). In mid-1995 Dave Wineland and his
colleagues at NIST (National Institute of Standards and Technology) in Boulder, Colorado,
used the idea of Cirac and Zoller to build the worlds first quantum gate operating on two
qubits.
0.2 mm
Figure 7. Photograph of five beryllium ions in a linear ion trap. The separation
between ions is approximately 10 microns. Pulses of light can selectively excite
individual ions and induce vibrations of the whole line of ions. The vibrations
inform other ions in the trap that a particular ion was excited; they play the same
role as a data bus in conventional computers. This picture was taken in Dave
Winelands laboratory at National Institute of Standards and Technology in Boulder,
U.S.
Today there are many interesting approaches to experimental quantum computation and
related quantum technologies. The requirements for quantum hardware are simply
20
May 2004
stated but very demanding in practice. Firstly, a quantum register of multiple qubits
must be prepared in an addressable form, and isolated from environmental influences,
which cause the delicate quantum states to decohere. Secondly, although weakly
coupled to the outside world, the qubits must nevertheless be strongly coupled together
through an external control mechanism, in order to perform logic gate operations.
Thirdly, there must be a read-out method to determine the state of each qubit at the end
of the computation. There are many beautiful experiments which show that these
requirements, at least in principle, can be met. They involve technologies such linear
optics,
nuclear
magnetic
resonance
(NMR),
trapped
ions,
cavity
quantum
We have mentioned that several of the superior features of quantum computers have
applications in cryptanalysis i.e. in the art of breaking ciphers. The quantum answer to
quantum cryptanalysis is quantum cryptography.
Despite a long and colourful history, cryptography became part of mathematics and
information theory only in the late 1940s, mainly as a result of the work of Claude
Shannon of Bell Laboratories in New Jersey. Shannon showed that truly unbreakable
ciphers do exist and, in fact, they had been known for over 30 years. The one time pad,
devised in about 1918 by an American Telephone and Telegraph engineer named
Gilbert Vernam, is one of the simplest and most secure encryption schemes. The
message, also known as a plaintext, is converted to a sequence of numbers using a
publicly known digital alphabet (e.g. ASCII code) and then combined with another
21
May 2004
sequence of random numbers called a key to produce a cryptogram. Both sender and
receiver must have two exact copies of the key beforehand; the sender needs the key to
encrypt the plaintext, the receiver needs the exact copy of the key to recover the
plaintext from the cryptogram. The randomness of the key wipes out various frequency
patterns in the cryptogam that are used by code-breakers to crack ciphers. Without the
key the cryptogram looks like a random sequence of numbers.
01011100
11001010
10010110
plaintext
KEY
cryptogram
1 0 0 1 0 1 1 0
cryptogram
KEY
plaintext
10010110
11001010
01011100
Figure 8. One time pad. The modern version ``one-time pad" is based on binary
representation of messages and keys. The message is converted into a sequence of 0's
and 1's and the key is another sequence of 0's and 1's of the same length. Each bit of
the message is then combined with the respective bit of the key using addition in base
2, which has the rules 0+0=0, 0+1=1+0=1, 1+1=0. Because the key is a random string
of 0's and 1's the resulting cryptogram---the plaintext plus the key---is also random
and therefore completely scrambled unless one knows the key. The message is
recovered by adding (in base 2 again) the key to the cryptogram.
There is a snag, however. All one-time pads suffer from a serious practical
drawback, known as the key distribution problem. Potential users have to agree
secretly, and in advance, on the key---a long, random sequence of 0's and 1's. Once
22
May 2004
they have done this, they can use the key for enciphering and deciphering and the
resulting cryptograms can be transmitted publicly such as by radio or in a newspaper
without compromising the security of messages. But the key itself must be established
between the sender and the receiver by means of a very secure channel---for example, a
very secure telephone line, a private meeting or hand-delivery by a trusted courier.
Such a secure channel is usually available only at certain times and under certain
circumstances.
So users who are far apart, in order to guarantee perfect security of subsequent
crypto-communication, have to carry around with them an enormous amount of secret
and meaningless (as such) information (cryptographic keys), equal in volume to all the
messages they might later wish to send. For perfect security the key must be as long as
the message, in practice, however, in order not to distribute keys too often, much
shorter keys are used. For example, the most widely used commercial cipher, the Data
Encryption Standard, depends on a 56-bit secret key, which is reused for many
encryptions over a period of time. This simplifies the problem of secure key
distribution and storage, but it does not eliminate it.
Mathematicians tried very hard to eliminate the problem. The seventies brought a
clever mathematical discovery of the so-called public-key cryptosystems. They avoid the
key distribution problem but unfortunately their security depends on unproved
mathematical assumptions, such as the difficulty of factoring large integers.
Physicists view the key distribution problem as a physical process associated with sending
information from one place to another. From this perspective eavesdropping is a set of
measurements performed on carriers of information. Until now, such eavesdropping has
depended on the eavesdropper having the best possible technology. Suppose an
eavesdropper is tapping a telephone line. Any measurement on the signal in the line may
23
May 2004
disturb it and so leave traces. Legitimate users can try to guard against this by making their
own measurements on the line to detect the effect of tapping. However, the tappers will
escape detection provided the disturbances they cause are smaller than the disturbances that
the users can detect. So given the right equipment, eavesdropping can go undetected. Even
if legitimate users do detect an eavesdropper, what do they conclude if one day they find no
traces of interception? Has the eavesdropping stopped? Or has the eavesdropper acquired
better technology? The way round this problem of key distribution may lie in quantum
physics.
We have already mentioned that when two qubits representing logical 0 and 1 enter the
square root of SWAP gate they interact and emerge in an entangled state which is a
superposition of 01 and 10. They remain entangled even when they are separated and
transported, without any disturbance, to distant locations. Moreover, results of
measurements performed on the individual qubits at the two distant locations are
usually highly correlated.
For example, in a process called parametric down conversion we can entangle two
photons in such a way that their polarizations are anti-correlated. If we choose to test
linear polarization then one photon will be polarized vertically and the other one
horizontally . The same is true if we choose to test circular polarization, one photon
will carry left-handed and the other right-handed polarization. In general, the
perfect anti-correlation appears if we carry out the same test on the two photons. The
individual results are completely random e.g. it is impossible to predict in advance if
we will get or on a single photon. Moreover, the laws of quantum physics forbid a
simultaneous test of both linear and circular polarization on the same photon. Once the
photon is tested for linear polarization and we find out that it is, say, vertical then all
information about its circular polarization is lost. Any subsequent test for circular
polarization will reveal either left-handed or right-handed with the same
probability.
24
May 2004
Both linear and circular polarization can be used for encoding the bits of information.
For example, we can agree that for linearly polarized photons stands for 0 and
for 1, and for circularly polarized photons 0 is represented by and 1 by .
However, for the decoding of these bits to be meaningful the receiver must know in
advance which type of test, or measurement, to carry out for each incoming photon.
Testing linear (circular) polarization on a photon that carries one bit of information
encoded in circular (linear) polarization will reveal nothing.
The quantum key distribution which we are going to discuss here is based on
distribution of photons with such anti-correlated polarizations. Imagine a source that
emits pairs of photons in an entangled state which can be viewed both a superposition
of and , and a superposition of and . The photons fly apart towards the
two legitimate users, called Alice and Bob, who, for each incoming photon, decide
randomly and independently from each other whether to test linear or circular
polarization. A single run of the experiment may look like this
Alice
Bob
For the first pair both Alice and Bob decided to test circular polarization and their
results are perfectly anti-correlated. For the second pair Alice measured linear
polarization whilst Bob measured circular. In this case their results are not correlated at
all. In the third instant they both measured linear polarization and obtained perfectly
anti-correlated results, etc.
After completing all the measurements, Alice and Bob discuss their data in public
so that anybody can listen including their adversary, an eavesdropper called Eve, but
25
May 2004
nobody can alter or suppress such public messages. Alice and Bob tell each other
which type of polarization they measured for each incoming photon but they do not
disclose the actual outcomes of the measurements. For example, for the first pair Alice
may say I measured circular polarization and Bob may confirm So did I. At this
point they know that the results in the first measurement are anti-correlated. Alice
knows that Bob registered because she registered , and vice versa. However,
although Eve learns that the results are anti-correlated she does not know whether it is
for Alice and Bob, or for Alice and Bob. The two outcomes are equally likely,
so the actual values of bits associated with different results are still secret.
Alice and Bob then discard instances in which they made measurement of different
types (shaded columns in the table below).
Alice
Bob
They end up with shorter strings which should now contain perfectly anti-correlated
entries. They check whether the two strings are indeed anti-correlated by comparing, in
public, randomly selected entries (shaded columns in the table below).
Alice
Bob
26
May 2004
The publicly revealed entries are discarded and the remaining results can be translated
into a binary string, following the agreed upon encoding e.g. as in the table below.
Alice
Bob
KEY
In order to analyse security of the key distribution let us adopt the scenario that is most
favourable for eavesdropping, namely we will allow Eve to prepare all the photons and
send them to Alice and Bob!
Eves objective is to prepare the pairs in such a way that she can predict Alices and
Bobs results and that the pairs pass the anti-correlation test. This is impossible.
Suppose Eve prepares a pair of photons choosing randomly on of the four states: ,
, or . She then sends one photon to Alice and one to Bob. Let us assume that
Alice and Bob measure the same type of polarization on their respective photons. If
Alice and Bob choose to measure the right type of polarization then they obtain anticorrelated results but Eve knows the outcomes; if they choose to measure the wrong
type of polarization then, although the outcomes are random, they can still obtain anticorrelated results with probability 50%. This will result in 25% of errors in the anticorrelation test and in Eve knowing, on average, every second bit of the key. Eve may
want to reduce the error rate by entangling the photons. She can prepare them in a
state that is a superposition of and and also of and . In this case the
pairs will pass the test without any errors but Eve has no clue about the results. Once
27
May 2004
Experimental
quantum
cryptography
has
rapidly
evolved
from
early
28
May 2004
Concluding remarks
When the physics of computation was first investigated systematically in the
1970s, the main fear was that quantum-mechanical effects might place fundamental
bounds on the accuracy with which physical objects could realise the properties of bits,
logic gates, the composition of operations, and so on, which appear in the abstract and
mathematically sophisticated theory of computation. Thus it was feared that the power
and elegance of that theory, its deep concepts such as computational universality, its
deep results such as Turings halting theorem, and the more modern theory of
complexity, might all be mere figments of pure mathematics, not really relevant to
anything in nature.
Those fears have not only been proved groundless by the research we have been
describing, but also, in each case, the underlying aspiration has been wonderfully
vindicated to an extent that no one even dreamed of just twenty years ago. As we have
explained, quantum mechanics, far from placing limits on what classical computations
can be performed in nature, permits them all, and in addition provides whole new
modes of computation. As far as the elegance of the theory goes, researchers in the
field have now become accustomed to the fact that the real theory of computation
hangs together better, and fits in far more naturally with fundamental theories in other
fields, than its classical approximation could ever have been expected to.
29
May 2004
10 Further reading
For a lucid exposition of some of the deeper implications of quantum computing
see The Fabric of Reality by David Deutsch (Allen Lane, The Penguin Press, 1997).
For popular introduction to quantum information technology see Schrdinger's
Machines by Gerard Milburn, (W.H. Freeman & Company). Julian Brown in his
Minds, machines, and the multiverse (Simon & Schuster), gives a very readable
account of quantum information science. The Centre for Quantum Computation
(http://cam.qubit.org) has several WWW pages and links devoted to quantum
computation and cryptography.
30