Unconditional security of quantum key distribution over arbitrarily long distances

Science

Volumn 283, Issue 5410, 1999, Pages 2050-2056

  Lo, Hoi Kwong ^a   Chau, H F ^b  

^a HEWLETT PACKARD LABORATORIES   (United Kingdom)

^b UNIVERSITY OF HONG KONG   (Hong Kong)

Author keywords

[No Author keywords available]

Indexed keywords

ARTICLE; COMPUTER; PRIORITY JOURNAL; PROBABILITY; QUANTUM MECHANICS; TELECOMMUNICATION;

EID: 0033605546     PISSN: 00368075     EISSN: None     Source Type: Journal    
DOI: 10.1126/science.283.5410.2050     Document Type: Article

References (70)

1. The idea of quantum cryptography was first proposed by 5. Wiesner around 1970 but remained unpublished until 1983 [S. Wiesner, SIGACT News 15 (no. 1), 78 (1983)]. Wiesner proposed quantum money and multiplexing channel (essentially one-out-of-two oblivious transfer) but not QKD per se.
2. C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing (IEEE Press, New York, 1984), pp. 175-179.
3. A. K. Ekert, Phys. Rev. Lett. 67, 661 (1991).
4. H.-K. Lo, S. Popescu, T. Spiller, Eds., Introduction to Quantum Computation and Information (World Scientific, Singapore, 1998).
5. For a review on quantum cryptography, see, for example, H.-K. Lo, in (4), pp. 76-119.
6. W. K. Wootters and W. Zurek, Nature 299, 802 (1982); D. Dieks, Phys. Lett. A 92, 271 (1982).
7. W. K. Wootters and W. Zurek, Nature 299, 802 (1982); D. Dieks, Phys. Lett. A 92, 271 (1982).
8. P. D. Townsend, Electron. Lett. 30, 809 (1994); A. Muller, H. Zbinden, N. Gisin, Europhys. Lett. 33, 335 (1996); R. J. Hughes, G. G. Luther, G. L. Morgan, C. G. Peterson, C. Simmons, in Advances in Cryptology: Proceedings of CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science, N. Koblitz, Ed. (Springer-Verlag, Berlin, 1996), pp. 329-342. For a review, see, for example, H. Zbinden, in (4), pp. 120-142.
9. P. D. Townsend, Electron. Lett. 30, 809 (1994); A. Muller, H. Zbinden, N. Gisin, Europhys. Lett. 33, 335 (1996); R. J. Hughes, G. G. Luther, G. L. Morgan, C. G. Peterson, C. Simmons, in Advances in Cryptology: Proceedings of CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science, N. Koblitz, Ed. (Springer-Verlag, Berlin, 1996), pp. 329-342. For a review, see, for example, H. Zbinden, in (4), pp. 120-142.
10. P. D. Townsend, Electron. Lett. 30, 809 (1994); A. Muller, H. Zbinden, N. Gisin, Europhys. Lett. 33, 335 (1996); R. J. Hughes, G. G. Luther, G. L. Morgan, C. G. Peterson, C. Simmons, in Advances in Cryptology: Proceedings of CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science, N. Koblitz, Ed. (Springer-Verlag, Berlin, 1996), pp. 329-342. For a review, see, for example, H. Zbinden, in (4), pp. 120-142.
11. P. D. Townsend, Electron. Lett. 30, 809 (1994); A. Muller, H. Zbinden, N. Gisin, Europhys. Lett. 33, 335 (1996); R. J. Hughes, G. G. Luther, G. L. Morgan, C. G. Peterson, C. Simmons, in Advances in Cryptology: Proceedings of CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science, N. Koblitz, Ed. (Springer-Verlag, Berlin, 1996), pp. 329-342. For a review, see, for example, H. Zbinden, in (4), pp. 120-142.
12. G. Brassard and C. Crépeau, SIGACT News 27 (no. 3), 13 (1996).
13. G. Brassard, C. Crépeau, R. Jozsa, D. Langlois, in Proceedings of the 34th annual IEEE Symposium on the Foundation of Computer Science (IEEE Computer Society Press, Los Alamitos, CA, 1993), pp. 362-371, and references cited therein.
14. For the impossibility of bit commitment, see the following: D. Mayers, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9603015); H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997); D. Mayers, ibid., p. 3414; H.-K. Lo and H. F. Chau, Physica D 120, 177 (1998). For the impossibility of other schemes, including one-out-of-two oblivious transfer, see H.-K. Lo, Phys. Rev. A 56, 1154 (1997). For a review, see, for example, H. F. Chau and H.-K. Lo, Fortschr. Phys. 46, 507 (1998); (5).
15. For the impossibility of bit commitment, see the following: D. Mayers, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9603015); H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997); D. Mayers, ibid., p. 3414; H.-K. Lo and H. F. Chau, Physica D 120, 177 (1998). For the impossibility of other schemes, including one-out-of-two oblivious transfer, see H.-K. Lo, Phys. Rev. A 56, 1154 (1997). For a review, see, for example, H. F. Chau and H.-K. Lo, Fortschr. Phys. 46, 507 (1998); (5).
16. For the impossibility of bit commitment, see the following: D. Mayers, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9603015); H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997); D. Mayers, ibid., p. 3414; H.-K. Lo and H. F. Chau, Physica D 120, 177 (1998). For the impossibility of other schemes, including one-out-of-two oblivious transfer, see H.-K. Lo, Phys. Rev. A 56, 1154 (1997). For a review, see, for example, H. F. Chau and H.-K. Lo, Fortschr. Phys. 46, 507 (1998); (5).
17. For the impossibility of bit commitment, see the following: D. Mayers, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9603015); H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997); D. Mayers, ibid., p. 3414; H.-K. Lo and H. F. Chau, Physica D 120, 177 (1998). For the impossibility of other schemes, including one-out-of-two oblivious transfer, see H.-K. Lo, Phys. Rev. A 56, 1154 (1997). For a review, see, for example, H. F. Chau and H.-K. Lo, Fortschr. Phys. 46, 507 (1998); (5).
18. For the impossibility of bit commitment, see the following: D. Mayers, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9603015); H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997); D. Mayers, ibid., p. 3414; H.-K. Lo and H. F. Chau, Physica D 120, 177 (1998). For the impossibility of other schemes, including one-out-of-two oblivious transfer, see H.-K. Lo, Phys. Rev. A 56, 1154 (1997). For a review, see, for example, H. F. Chau and H.-K. Lo, Fortschr. Phys. 46, 507 (1998); (5).
19. For the impossibility of bit commitment, see the following: D. Mayers, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9603015); H.-K. Lo and H. F. Chau, Phys. Rev. Lett. 78, 3410 (1997); D. Mayers, ibid., p. 3414; H.-K. Lo and H. F. Chau, Physica D 120, 177 (1998). For the impossibility of other schemes, including one-out-of-two oblivious transfer, see H.-K. Lo, Phys. Rev. A 56, 1154 (1997). For a review, see, for example, H. F. Chau and H.-K. Lo, Fortschr. Phys. 46, 507 (1998); (5).
20. J. S. Bell, Physics 1, 195 (1964); [reprinted in Quantum Theory and Measurement, J. A. Wheeler and W. H. Zurek, Eds. (Princeton Univ. Press, Princeton, 1983), pp. 403-408]; A. Einstein, B. Podolsky, N. Rosen, Phys. Rev. 47, 777 (1935) [reprinted in Quantum Theory and Measurement, J. A. Wheeler and W. H. Zurek, Eds. (Princeton Univ. Press, Princeton, 1983), pp. 138-141].
21. J. S. Bell, Physics 1, 195 (1964); [reprinted in Quantum Theory and Measurement, J. A. Wheeler and W. H. Zurek, Eds. (Princeton Univ. Press, Princeton, 1983), pp. 403-408]; A. Einstein, B. Podolsky, N. Rosen, Phys. Rev. 47, 777 (1935) [reprinted in Quantum Theory and Measurement, J. A. Wheeler and W. H. Zurek, Eds. (Princeton Univ. Press, Princeton, 1983), pp. 138-141].
22. J. S. Bell, Physics 1, 195 (1964); [reprinted in Quantum Theory and Measurement, J. A. Wheeler and W. H. Zurek, Eds. (Princeton Univ. Press, Princeton, 1983), pp. 403-408]; A. Einstein, B. Podolsky, N. Rosen, Phys. Rev. 47, 777 (1935) [reprinted in Quantum Theory and Measurement, J. A. Wheeler and W. H. Zurek, Eds. (Princeton Univ. Press, Princeton, 1983), pp. 138-141].
23. J. S. Bell, Physics 1, 195 (1964); [reprinted in Quantum Theory and Measurement, J. A. Wheeler and W. H. Zurek, Eds. (Princeton Univ. Press, Princeton, 1983), pp. 403-408]; A. Einstein, B. Podolsky, N. Rosen, Phys. Rev. 47, 777 (1935) [reprinted in Quantum Theory and Measurement, J. A. Wheeler and W. H. Zurek, Eds. (Princeton Univ. Press, Princeton, 1983), pp. 138-141].
24. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin, J. Cryptol. 5, 3 (1992); N. Lütkenhaus, Phys. Rev. A 54, 97 (1996); C. H. Bennett, T. Mor, J. A. Smolin, ibid., p. 2675; C. A. Fuchs, N. Gisin, R. B. Griffiths, C.-S. Niu, A. Peres, ibid. 56, 1163 (1997); R. B. Griffiths and C.-S. Niu, ibid., p. 1173; N. Lütkenhaus and S. M. Barnett, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9711033).
25. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin, J. Cryptol. 5, 3 (1992); N. Lütkenhaus, Phys. Rev. A 54, 97 (1996); C. H. Bennett, T. Mor, J. A. Smolin, ibid., p. 2675; C. A. Fuchs, N. Gisin, R. B. Griffiths, C.-S. Niu, A. Peres, ibid. 56, 1163 (1997); R. B. Griffiths and C.-S. Niu, ibid., p. 1173; N. Lütkenhaus and S. M. Barnett, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9711033).
26. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin, J. Cryptol. 5, 3 (1992); N. Lütkenhaus, Phys. Rev. A 54, 97 (1996); C. H. Bennett, T. Mor, J. A. Smolin, ibid., p. 2675; C. A. Fuchs, N. Gisin, R. B. Griffiths, C.-S. Niu, A. Peres, ibid. 56, 1163 (1997); R. B. Griffiths and C.-S. Niu, ibid., p. 1173; N. Lütkenhaus and S. M. Barnett, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9711033).
27. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin, J. Cryptol. 5, 3 (1992); N. Lütkenhaus, Phys. Rev. A 54, 97 (1996); C. H. Bennett, T. Mor, J. A. Smolin, ibid., p. 2675; C. A. Fuchs, N. Gisin, R. B. Griffiths, C.-S. Niu, A. Peres, ibid. 56, 1163 (1997); R. B. Griffiths and C.-S. Niu, ibid., p. 1173; N. Lütkenhaus and S. M. Barnett, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9711033).
28. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin, J. Cryptol. 5, 3 (1992); N. Lütkenhaus, Phys. Rev. A 54, 97 (1996); C. H. Bennett, T. Mor, J. A. Smolin, ibid., p. 2675; C. A. Fuchs, N. Gisin, R. B. Griffiths, C.-S. Niu, A. Peres, ibid. 56, 1163 (1997); R. B. Griffiths and C.-S. Niu, ibid., p. 1173; N. Lütkenhaus and S. M. Barnett, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9711033).
29. C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smolin, J. Cryptol. 5, 3 (1992); N. Lütkenhaus, Phys. Rev. A 54, 97 (1996); C. H. Bennett, T. Mor, J. A. Smolin, ibid., p. 2675; C. A. Fuchs, N. Gisin, R. B. Griffiths, C.-S. Niu, A. Peres, ibid. 56, 1163 (1997); R. B. Griffiths and C.-S. Niu, ibid., p. 1173; N. Lütkenhaus and S. M. Barnett, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9711033).
30. E. Biham and T. Mor, Phys. Rev. Lett. 78, 2256 (1997); E. Biham, M. Boyer, G. Brassard, J. van de Graaf, T. Mor, Los Alamos e-Print archive (available at http:// xxx.lanl.gov/abs/quant-ph/9801022).
31. E. Biham and T. Mor, Phys. Rev. Lett. 78, 2256 (1997); E. Biham, M. Boyer, G. Brassard, J. van de Graaf, T. Mor, Los Alamos e-Print archive (available at http:// xxx.lanl.gov/abs/quant-ph/9801022).
32. D. Deutsch et al., Phys. Rev. Lett. 77, 2818 (1996); D. Deutsch et al., ibid. 80, 2022 (1998).
33. D. Deutsch et al., Phys. Rev. Lett. 77, 2818 (1996); D. Deutsch et al., ibid. 80, 2022 (1998).
34. D. Mayers, in Advances in Cryptology: Proceedings of CRYPTO '95, vol. 963 of Lecture Notes in Computer Science, D. Coppersmith, Ed. (Springer-Verlag, Berlin, 1995), pp. 124-135; in Advances in Cryptology: Proceedings of CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science, N. Koblitz, Ed. (Springer-Verlag, Berlin, 1996), pp. 343-357.
35. D. Mayers, in Advances in Cryptology: Proceedings of CRYPTO '95, vol. 963 of Lecture Notes in Computer Science, D. Coppersmith, Ed. (Springer-Verlag, Berlin, 1995), pp. 124-135; in Advances in Cryptology: Proceedings of CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science, N. Koblitz, Ed. (Springer-Verlag, Berlin, 1996), pp. 343-357.
36. In some applications, a nonnegligible amount of information leakage to Eve can be disastrous. The following example is due to J. Smolin (41). If a key is used in a so-called one-time pad to encrypt a president's order that ends with the password for launching a nuclear missile, an adversary who is aware of the structure of the message will, in principle, be able to steal the password.
37. The goal of making Eve's expected information small, conditional only on passing the test, is generally unattainable. One must include the following proviso: for any eavesdropping strategy with a nonnegligible chance of success.
38. C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, W. K. Wootters, Phys. Rev. A 54, 3824 (1996).
39. D. Mayers, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9802025), version 4.
40. D. Mayers and A. Yao, in Proceedings of 39th Annual Symposium on Foundations of Computer Science (IEEE Computer Society Press, Los Alamitos, CA, 1998), pp. 509-515 [also available at Los Alamos e-Print archive (http://xxx.lanl.gov/abs/quant-ph/ 9809039)].
41. A big worry in cryptography is the Trojan horse attack. Any untrusted material received from an open channel poses serious security risks. As J. Smolin has often remarked (41), it is even conceivable that a robot is hidden in the received material and that it pops out to find and disclose secrets to adversaries. It is not just that the Trojan horse might leak information once it is in Bob or Alice's laboratory. One might think that this problem could be eliminated by simply shielding the laboratory very well or that such shielding is, in fact, assumed anyway in cryptographic protocols. The real problem is that the Trojan horse pretends to be real EPR pairs when Alice and Bob do their testing but behaves differently when they generate key, thus causing them to leak the information themselves. This worry is not unfounded because it is notoriously difficult to prepare almost perfect EPR pairs. [See (20) for a related discussion.] Real quantum systems often contain other degrees of freedom that are ignored in quantum computation. One might wonder if Eve could perform a quantum Trojan horse attack by hiding robots in (the hidden Hilbert space dimensions of) the quantum systems received by Alice and Bob. This would certainly make a rigorous proof of security of QKD based on imperfect sources impossible. Our answer is the following proposition. Proposition 1. As long as there is no security risk for Alice and Bob to receive untrusted classical messages, quantum Trojan horse attack can be foiled. Remark. Before we present our proof, notice that the assumption that there is no security risk in receiving classical messages is most reasonable because Eve can always send classical messages to Alice and Bob in a "man-in-the-middle" attack during a classical authentication process. If Alice and Bob could not afford to receive any untrusted classical message, the whole enterprise of cryptography would be hopeless. Proof. Instead of receiving any untrusted quantum system directly from an open quantum channel, a user (say Bob) demands that the state of the system must be converted into classical messages through teleportation (30) right at his doorstep. More concretely, Bob prepares trusted EPR pairs in his laboratory and sends one member of each pair to his untrusted representative Robert, who is working in an insecure area just outside his laboratory, when the untrusted quantum data (potentially a Trojan horse) is waiting. Robert teleports the nominal state of the untrusted system (that is, the state in its nonclandestine variables) into Bob's laboratory. In other words, Bob conveys the untrusted quantum state into his laboratory by means of trusted EPR pairs and untrusted classical messages. Now, assuming that there is no security risk in receiving classical messages, Bob can safely receive those classical messages and use them to reconstruct the original quantum state. Teleportation provides an exact counting of the effective dimensions of the Hilbert space because each qubit requires two classical bits to teleport. Therefore, there is no hidden Hilbert space to worry about in the reconstructed quantum system. This conclusion is valid even if the original EPR pairs prepared by Bob do contain hidden dimensions.
42. S. J. van Enk, J. I. Cirac, P. Zoller, Phys. Rev. Lett. 78, 4293 (1997); J. Preskill, Proc. R. Soc. London A 454, 385 (1998); J. I. Cirac, A. Ekert, S. F. Huelga, C. Macchiavello, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9803017).
43. S. J. van Enk, J. I. Cirac, P. Zoller, Phys. Rev. Lett. 78, 4293 (1997); J. Preskill, Proc. R. Soc. London A 454, 385 (1998); J. I. Cirac, A. Ekert, S. F. Huelga, C. Macchiavello, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9803017).
44. S. J. van Enk, J. I. Cirac, P. Zoller, Phys. Rev. Lett. 78, 4293 (1997); J. Preskill, Proc. R. Soc. London A 454, 385 (1998); J. I. Cirac, A. Ekert, S. F. Huelga, C. Macchiavello, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/quant-ph/9803017).
45. H.-J. Briegel, W. Dür, S. J. van Enk, J. I. Cirac, P. Zoller, Philos. Trans. R. Soc. London Ser. A 356, 1713 (1998); H.-J. Briegel, W. Dür, J. I. Cirac, P. Zoller, Phys. Rev. Lett. 81, 5932 (1998); W. Dür, H.-J. Briegel, J. I. Cirac, P. Zoller, Phys. Rev. A. 59, 169 (1999).
46. H.-J. Briegel, W. Dür, S. J. van Enk, J. I. Cirac, P. Zoller, Philos. Trans. R. Soc. London Ser. A 356, 1713 (1998); H.-J. Briegel, W. Dür, J. I. Cirac, P. Zoller, Phys. Rev. Lett. 81, 5932 (1998); W. Dür, H.-J. Briegel, J. I. Cirac, P. Zoller, Phys. Rev. A. 59, 169 (1999).
47. H.-J. Briegel, W. Dür, S. J. van Enk, J. I. Cirac, P. Zoller, Philos. Trans. R. Soc. London Ser. A 356, 1713 (1998); H.-J. Briegel, W. Dür, J. I. Cirac, P. Zoller, Phys. Rev. Lett. 81, 5932 (1998); W. Dür, H.-J. Briegel, J. I. Cirac, P. Zoller, Phys. Rev. A. 59, 169 (1999).
48. P. W. Shor, in Proceedings of the 37th Symposium on Foundations of Computer Science (IEEE Computer Society Press, Los Alamitos, CA, 1996), pp. 56-65.
49. A. Yu. Kitaev, Russ. Math. Surv. 52, 1191 (1997); D. Aharonov and M. Ben-Or, in Proceedings of the 29th Annual ACM Symposium on the Theory of Computing, (ACM Press, New York, 1998), pp. 176-188; E. Knill, R. Laflamme, W. H. Zurek, Science 279, 342 (1998); for a review, see, for example, J. Preskill, in (4), pp. 213-269.
50. A. Yu. Kitaev, Russ. Math. Surv. 52, 1191 (1997); D. Aharonov and M. Ben-Or, in Proceedings of the 29th Annual ACM Symposium on the Theory of Computing, (ACM Press, New York, 1998), pp. 176-188; E. Knill, R. Laflamme, W. H. Zurek, Science 279, 342 (1998); for a review, see, for example, J. Preskill, in (4), pp. 213-269.
51. A. Yu. Kitaev, Russ. Math. Surv. 52, 1191 (1997); D. Aharonov and M. Ben-Or, in Proceedings of the 29th Annual ACM Symposium on the Theory of Computing, (ACM Press, New York, 1998), pp. 176-188; E. Knill, R. Laflamme, W. H. Zurek, Science 279, 342 (1998); for a review, see, for example, J. Preskill, in (4), pp. 213-269.
52. A. Yu. Kitaev, Russ. Math. Surv. 52, 1191 (1997); D. Aharonov and M. Ben-Or, in Proceedings of the 29th Annual ACM Symposium on the Theory of Computing, (ACM Press, New York, 1998), pp. 176-188; E. Knill, R. Laflamme, W. H. Zurek, Science 279, 342 (1998); for a review, see, for example, J. Preskill, in (4), pp. 213-269.
53. For instance, in the study of standard P/M schemes such as BB84 (2), one often assumes that the signal carriers are perfect single photons. Unfortunately, producing almost perfect single-photon pulses is beyond current technology, and dim coherent light pulses with a Poisson distribution in the number of photons are often used instead. The attenuation of an optical fiber is also large (say 0.35 dB/km), and detector efficiencies are far from perfect Therefore, rather surprisingly, in an actual experimental implementation of polarization-coding BB84 over a significant distance (say 40 km), Eve may, in principle, break the system by a generalized beam-splitting attack. The key point is that many of the signals contain more than one photons and as such Eve is allowed to make copies (details are available at www.sciencemag.org/feature/data/984035.shl). For short-distance applications, the relevance of such an attack remains an important subject for future investigations. In summary, standard theoretical security analyses on BB84 do not apply to most real-life experimental systems to date.
54. A qubit is simply a two-level quantum system. It plays the role of a fundamental unit of quantum information, just like a bit in classical information.
55. e2)]. In other words. Eve's information (more precisely, mutual information with the final key) is exponentially small as a function of k. This result follows directly from two lemmas (see discussion, available at www.sciencemag.org/feature/ data/984035.shl).
56. P. W. Shor, Phys. Rev. A 52, 2493 (1995); A. M. Steane, Phys. Rev. Lett. 77, 793 (1996).
57. P. W. Shor, Phys. Rev. A 52, 2493 (1995); A. M. Steane, Phys. Rev. Lett. 77, 793 (1996).
58. C. H. Bennett et al., Phys. Rev. Lett. 70, 1895 (1993).
59. Here, we assume that the error rate per unit length varies smoothly along the channel. For example, the errors for different parts of the channel are almost independent.
60. The decomposition of the quantum state into the tensor product of the logical qubits and ancillary qubits is a mathematical one. In the actual physical system, the state of the local qubits is delocalized among all physical qubits. Such a delocalisation is necessary for both error correction and fault-tolerant computation. See, for example, A. Peres, Los Alamos e-Print archive (available at http://xxx.lanl.gov/abs/ quant-ph/9609015).
61. Efficient quantum error correcting schemes exist for reducing the error rate to an exponentially small amount (see discussion, available at www. sciencemag.org/feature/data/984035.shl).
62. Such an "(N - m)-singlets-or-not" measurement can be performed if Alice and Bob bring the two halves of each EPR pair together to perform a measurement along a Bell basis. This is a very subtle point because such a Bell measurement is not actually performed and, indeed, could not be performed without bringing the two halves together. Successful cheating thus means that the actual verification test is passed, but a hypothetical second test of bringing the remaining pairs back into the same laboratory and measuring them in a Bell basis would fail (that is, some of the remaining N - m pairs are shown to be nonsinglets upon Bell measurements).
63. 2; (ii) bilateral rotations by π/2 rad; and (iii) bilateral application of the two-bit quantum exclusive OR (or controlled NOT). These basic operations plus local measurements and classical communication allow Alice and Bob to correct quantum errors using the one-way random-hashing scheme by BDSW. See (18) for details.
64. e2)].
65. R. B. Griffiths and C.-S. Niu, Phys. Rev. Lett. 76, 3228 (1996).
66. Our classical argument applies to the N-Bell basis, whose basis vectors are highly entangled. It is perhaps surprising at first that the coarse-grained probabilities of a quantum mechanical experiment involving only local operations and classical communication can have a classical interpretation with respect to such a highly nonlocal basis. Put in another way, given the lesson from the EPR paradox, it is perhaps surprising that classical arguments can still be used to demonstrate that two distantly separated quantum subsystems are, in fact, highly quantum (that is, highly entangled).
67. C. A. Fuchs, Fortschr. Phys. 46, 535 (1998), and references cited therein.
68. Incidentally, our result also proves the security of quantum money proposed by Wiesner (1). Indeed, the proof for our second example can be used to derive a probabilistic bound on the entropy of the combined system consisting of the quantum banknote and the bank. Consequently, any double-spending strategy will almost surely fail in the verification step (as in BB84) done by the bank because this entropy will no longer be close to zero.
69. J. Smolin, personal communication.
70. H.-K. Lo particularly thanks A. Ekert for pressing him to investigate the security of QKD. We thank numerous colleagues, including C. H. Bennett G. Brassard, I. Chuang, D. P. DiVincenzo, C. A. Fuchs, N. Gisin, D. Gottesman, E. Knill, D. W. C. Leung, N. Lütkenhaus, D. Mayers, S. Popescu, J. Preskill, J. Smolin, T. Spiller, A. Steane, and A. C.-C. Yao for invaluable conversations and suggestions. Many helpful suggestions from an anonymous referee are gratefully acknowledged. H. F. Chau is supported by Hong Kong Government RGC grant HKU 7095/97P.