Experimental Bit String Generation

1
Experimental Bit String Generation

• Serge Massar
• Université Libre de Bruxelles

2
Plan

• Recall earlier work on quantum coin tossing
• Theory of quantum bit string generation (joint
  work with Jonathan Barrett, PRA69(2004)022322 and
  quant-ph0408120)
• Experimental implementation of bit string
  generation
• (L.-Ph. Lamoureux, E. Brainis, D. Amans, J.
  Barrett, S. M., quant-ph/0408121)

3
Coin Tossing (Blum)

• Two parties dont trust each other.They need to
  choose a random bit
•  Alice (in the USA) and Bob (in the EU) are
  divorcing, they need to decide who keeps the
  children. They decide to toss a coin. 

Bit String Generation Tossing many coins
4
Applications of coin tossing

• Divorce cases
• Cryptographic primitive
• Are there any good applications?
• ??Classically certified bit committement secure
  against polynomial quantum attack (Kent03)??

5
How to toss a coin?

• Trusted third party YES
• Classical communication alone NO
• Classical communication plus relativity OK. (But
  each party needs to be in multiple locations)
• Quantum Communication yes, to some extent.

6

• Weak coin tossing
• Alice knows the outcome Bob wants
• Bob knows the outcome Alice wants
• Strong coin tossing
• Alice and Bob do not know the outcome the other
  party wants.
• We will be concerned with Strong coin tossing

7
Bit commitment impliesCoin Tossing

• Alice chooses a0,1 at random
• Alice commits a to Bob
• Bob chooses b0,1 at random
• Bob tells Alice the value of b
• Alice reveals the commitment
• Coin cab mod 2

8
Quantum protocol based on imperfect bit commitment

• Alice chooses a0,1 at random
• Commitment
• Alice sends ?agt to Bob
• lt?0?1gtcos?
• Bob chooses b0,1 at random.
• Bob tells Alice the value of b
• Alice reveals a
• Bob checks
• measures in basis ?agt, space orthogonal to ?agt
• If outcome is ?agt, coin cab mod 2
• If outcome orthogonal to ?agt, Bob aborts

9

• Wining means getting the outcome you want.
• The protocol may abort. If the protocol aborts,
  everybody looses

• Classical communication either ?A or ?B ½
• There exists a quantum protocol with
• ?A ?B ¼ (Ambainis)
• For all quantum protocols,
• ?gt 1/v2 ½ (Kitaev)

10
Alice cheats

• Alice does not choose a
• Commitment
• Alice sends ?gtN(?0gt ?1gt) to Bob
• lt?0?1gtcos?
• Bob chooses b0,1 at random.
• Bob tells Alice the value of b
• Alice reveals a chosen so that ba has the
  desired value
• Bob checks
• measures in basis ?agt, space orthogonal to ?agt
• Alice hopes outcome is ?agt, then
• coin cab mod 2
• Alice wins
• If outcome orthogonal to ?agt, Bob aborts
• It is easy for Alice to cheat if lt?0?1gtcos? is
  SMALL

11
Bob cheats

• Alice chooses a0,1 at random
• Commitment
• Alice sends ?agt to Bob
• lt?0?1gtcos?
• Bob tries to learn whether a0 or a1
• He measures the state
• He chooses b so that if his measurement outcome
  was correct, he wins ba has the desired value
• Bob tells Alice the value of b
• Alice reveals a
• Hopefully Bob has won (if his measurement outcome
  gave the correct value of a)
• It is easy for Bob to cheat if cos? is LARGE

12

• One can choose an optimal value of
  lt?0?1gtcos?1/v2 so that neither Alice nor Bob
  can cheat too much.
• Then

13
Bit String Generation

• Alice and Bob want to generate a string of n bits
  c1, c2, , cn
• A. Kent (2003) noted that this should be easier
  than tossing a single coin. Proposed a protocol
  based on the parties sharing many singlets. No
  security analysis.

14
Present work

• Bit string generation based on n repetitions of
  above protocol for coin tossing.
• Detailed security analysis.

15
1) Classical Protocol for bit string generation

• Best classical protocol we have found (optimal
  for some security criteria)
• Alice chooses the value of half the bits
• Bob chooses the value of the other half
• Thus if Alice is dishonest, Bob honest, half the
  bits are random, half are fixed.

16
2) Quantum Protocol

• For i1 to n
• Alice chooses ai0,1 at random
• Commitment
• Alice sends ?aigt to Bob
• lt?0?1gtcos?
• Bob chooses bi0,1 at random.
• Bob tells Alice the value of bi .
• Alice reveals the value of ai to Bob
• Bob checks
• measures in basis ?aigt, space orthogonal to
  ?aigt
• If outcome orthogonal to ?agt, Bob aborts
• Next i
• If Bob has not aborted, ciai bi mod 2

17
Cheating 1

• Cheating Bob
• He must measure the states received from Alice
  immediately ? Same security analysis than when
  tossing a single coin.
• Cheating Alice
• She can send an entangled state, measure her
  state, then decide on the value of ai depending
  on the measurement outcome.
• She can correlate/entangle her strategy between
  rounds

18
Cheating 2

• For fixed lt?0?1gtcos? it is more and more
  difficult for Alice to cheat when n increases
  (since Bob carries out n measurements)
• ? One can decrease ? as n increases
• This makes it more and more difficult for Bob to
  cheat
• Optimal rate of decrease ?n- a for some a
• ?Good security both with respect to Alice and Bob

19
Security CriteriaAverage Bias
20
Security CriteriaEntropy
21
Security criteriaMin Entropy
22
Summary

• Open Questions
• Improve quantum results. (Can entanglement help?)
• Obtain Kitaev type bounds for the different
  security criteria.
• Prove classical conjecture.

23
Experimental Bit String Generation

• Easier than tossing a single coin because some
  experimental imperfections (detector efficiency,
  detector dark counts) can be subtracted.
• Experiment reported by Zeilinger et al
  (quant-ph/0404027) but incomplete security
  analysis.
• Our experiment we did our best to prove security
  against ALL attacks by a dishonest party.

24
Bobs Lab
Alices Lab
Communication line

• Experimental imperfections
• Alices state preparation may be noisy
• The communication line may be noisy
• Bobs measurement apparatus may be imperfect
• A dishonest party can controle everything outside
  the other partys lab.
• Thus in the presence of imperfections, the
  guaranteed bounds on randomness will be worse

25
Quantum Protocol with imperfections

• For i1 to n
• Alice chooses ai0,1 at random
• Commitment
• Alice sends ?aigt to Bob
• lt?0?1gtcos?
• Bob chooses bi0,1 at random.
• Bob tells Alice the value of bi .
• Alice reveals the value of ai to Bob
• Bob checks
• estimates fidelity of states sent by Alice
• measures in basis ?aigt, space orthogonal to
  ?aigt
• Next i
• If fidelity too small, Bob aborts
• If fidelity sufficiently large,
• Bob does not abort and ciai bi mod 2

26
Security Analysis

• Important parameters
• Scalar product lt?0?1gtcos? between states
  prepared by Alice
• Fidelity f of states as estimated by Bob.
• Bounds on eB , HB depend on ? only.
• Bounds on eA , HA depend on f and ?,
• for instance
• Thus choose good compromise between lt?0?1gtcos?
  and fidelity f

27
Implementation

• ?0gtagt , ?1gt-agt are
• two coherent states
• (by changing the intensity a2,
• one changes the overlap
• lt?0?1gtexp-2a2)
• Bobs measurement
• displaces the states by Da
• Uses a single photon detector to
• check that the state is the vacuum.
• If the detector clicks, then Alice could be
  cheating
• Notes
• Displacement is simply realised by an
  interferometer
• No need to restrict Hilbert space to single
  photon subspace

28
Experimental setup

• All fiber optics
• Telecommunication wavelenghts
• Based on  plug an play  system for quantum key
  distribution (N. Gisin)
• ?suitable for long distance communication (our
  realisation table top)

29

• Security Complication
• Light pulses produced by Bob, then go to Alice,
  then reflected back to Bob
• Remark upon attenuation, any state tends towards
  a mixture of coherent states
• Typically A104

30

• Security Solution
• first measure intensity, then attenuate this
  produces a mixture of coherent states of known
  intensity

Mixture of coherent states of known intensity
A
Classical Detector
Intensity known
31
Experimental Results

• Different choices of a, hence of
  lt?0?1gtexp-2a2
• Curves assume a visibility v97 (but it is
  sometimes worse)
• Number of coins tossed n104

32
Summary

• Using quantum communication it is possible to
  generate very random strings of bits in the
  absence of noise.
• In the presence of imperfections the randomness
  goes down. Nevertheless experimental
  demonstration of bit strings generation using
  quantum communication (bits are more random than
  can be achieved using classical communication, at
  least according to the average bias criterion).

33
Outlook

• improve theoretical bounds,
• Improve experiment
• toss a single coin more random than possible
  using classical communication
• long distance bit string generation

34

• Collaborators
• Jonathan Barrett
• Louis-Philippe Lamoureux
• Edouard Brainis
• David Amans
• Funding and Support
• Université Libre de Bruxelles (ULB)
• Fonds National de la Recherche Scientifique
  (FNRS)
• Communauté Française de Belgique (ARC)
• Gouvernement Fédéral Belge (PAI)
• European Community (project RESQ)