Squash Operator and Symmetry Toyohiro Tsurumaru arXiv:0910.2326v2 [quant-ph] 19 Oct 2009 Mitsubishi Electric Corporation, Information Technology R&D Center, 5-1-1 Ofuna, Kamakura-shi, Kanagawa, 247-8501 Japan. This paper begins with a simple proof of the existence of squash operators compatible with the Bennett-Brassard 1984 (BB84) protocol which suits single-mode as well as multi-mode threshold detectors. The proof shows that, when a given detector is symmetric under cyclic group C4 , and a certain observable associated with it has rank two as a matrix, then there always exists a corresponding squash operator. Next, we go on to investigate whether the above restriction of ‘rank two’ can be eliminated; i.e., is cyclic symmetry alone sufficient to guarantee the existence of a squash operator? The motivation behind this question is that, if this were true, it would imply that one could realize a device-independent and unconditionally secure quantum key distribution protocol. However, the answer turns out to be negative, and moreover, one can instead prove a no-go theorem that any symmetry is, by itself, insufficient to guarantee the existence of a squash operator. Quantum key distribution (QKD) is a technique for distributing information-theoretically-secure secret keys between two parties connected by a quantum channel. The oldest and now defacto standard protocol for QKD is the well-known Bennett-Brassard 1984 (BB84) protocol [1]. Several different approaches are known today for proving its unconditional security [2, 3, 4, 5]; e.g. one based on virtual entanglement distillation protocol (EDP) [2, 3] and another based on the complementarity of quantum theory [4]. The most widely used of these approaches is the one based on EDP, where an actual QKD protocol is converted to an equivalent and virtual EDP performed by Alice and Bob. The conversions must be made so that Alice’s and Bob’s quantum operations are seen by Eve to remain the same positive operator valued measures (POVM); i.e., Eve’s information regarding the secret key bits is not changed by conversion. In the original versions of EDP-based proofs [2, 3], one needed to assume that the actual protocol had access to a perfect single-photon source and photon-number resolving detectors. However, this assumption is invalid for real-world QKD systems, which use attenuated lasers as light sources, and the receiver uses ‘threshold detectors,’ which can discriminate a nonzero photon state from the vacuum, but cannot determine the exact photon number. In fact, techniques are already known that can fill these gaps. As for light sources, by exploiting decoy states, lasers can be driven to effectively emit singlephoton pulses [6]. One of the known solutions for detectors [7, 8, 10] is the powerful theoretical tool called ‘squash operator’. Squash operator is a quantum operation which transforms an incoming n-photon state to a qubit state. By incorporating this operator into a conventional type of security proof where Bob has a photonnumber discriminating detector, one automatically obtains a new proof that remains valid even if threshold detectors are used. A squash operator was first assumed in the security proof by Gottesman et al. [3], however, its existence was only conjectured, no proof was given. For threshold detectors, which are sensitive only to singlemode photon pulses, its existence was proved first by the present author and Tamaki [7], and also independently by Beaudry et al. [8]. The aim of this paper is to investigate how far we can generalize this result from the viewpoint of symmetry constraints imposed on the detector. In the first half of this paper, we show that when a given set of POVM is symmetric under transformations of cyclic group C4 , and the observable Mz related with it has rank two, then there always exists a corresponding squash operator compatible with the BB84 protocol (Theorem 1). An immediate corollary of this theorem is that a squash operator exists, not only for single-mode threshold detectors, but also for multi-mode threshold detectors. Next, in the second half of the paper, we tackle the question of whether the above restriction of ‘rank two’ can be eliminated. The answer, however, turns out to be negative. Furthermore, it can be shown that, more generally, no symmetry is sufficient by itself to guarantee the existence of a squash operator (Theorem 2). Definition of Squash Operator. — In the BB84 protocol, Alice and Bob use two different bases, r, for their measurements, interchangeably. They are usually denoted as the z and the x basis (r = z, x) because they are related to qubit measurements of the Pauli matrices σz , σx . Similarly, the notation of r = +, × bases is used to indicate the directions of photon polarization. In what follows, we stick to the notation of r = z, x for the sake of simplicity. We denote the Hilbert space of the receiver’s incoming states as HB . In this space, there are two sets of POVM elements, M(r,b) , corresponding to basis r = z, x and the output bit b = 0, 1. We also define observables Mr := M(r,0) − M(r,1) for later convenience. For example, if a receiver measures state ρB ∈ HB using the x basis, he observes output bit b = 0 with the probability p(x,0) =
Tr ρB M(x,0) . We also assume that the measurements are complete for each basis; that is, M(r,0) + M(r,1) = IB (1) holds for r = z, x, where IB is the identity operator of HB . 2 Squash operator F is a completely positive tracepreserving (CPTP) map with the following properties [14]. F maps states in HB to those in qubit space HC , and, when F is followed by the z or the x measurement in HC , it reproduces Mr of the actual measurement device. That is, for an arbitrary mixed state ρB ∈ HB , it satisfies Tr (F (ρB )σr ) = Tr (ρB Mr ) for r = z, x (2) with σr being the Pauli operators. A convenient way of describing F is to use an operator sum representation with a set of Kraus operators Fc (see, e.g., [12].) In this notation, P the trace-preserving condition of F takes the form c Fc† Fc = IB . Complete positiveness Pis guaranteed as long as F is expressed as F (ρB ) = c Fc ρB Fc† . This notation has the additional merit that the Hermi† tian conjugate, P F †, of F can be expressed in simple form † as F (ρC ) = Fc ρC Fc with ρc being an arbitrary state in HC . By using these relations, the definition of squash operator F for Mr given in (2) can be equivalently stated as the following two conditions for Kraus operator Fc , X Mr = Fc† σr Fc , (3) c IB = X Fc† Fc . (4) is two, there always exists a corresponding squash operator compatible with the BB84 protocol. Here, it should be noted that the restriction of ‘rank two’ does not necessarily mean that the Hilbert space HB is a qubit space, as illustrated by the following example. An important example of C4 -symmetric POVMs is the threshold detector. In this paragraph, following [7, 8], we concentrate on photon detection modules consisting of two photon threshold detectors, each of which corresponds to output bits b = 0, 1; we call such photon detection units simply ‘threshold detectors’ with a slight abuse of the terminology. We also assume that, when both detectors click coincidently (double-click events), the detection system outputs a random bit as its output, b. However, we differ from [7, 8] in that we do not restrict ourselves to a single mode, but assume that an incoming light pulse may have m ≥ 1 modes of propagation; we label each of them by index i. We also denote the number of photons in mode i as ni , and let N = (n1 , n2 , . . . , nm ). Clearly, any threshold detector is block diagonalized with respect to the photon number configuration N , and there is no loss of generality in considering each of the blocks individually when analyzing security. For each such section, N , the observables Mr can be written as a matrix with rank two c Cyclically Symmetric POVM for the BB84 protocol. — In the first half of this paper, we show that F actually exists for multi-mode threshold detectors as well. Against this goal, we generalize the problem slightly by taking up finite group C4 , i.e., a cyclic group of order 4, and consider POVM elements M(r,b) which are symmetric under its transformations (for details of C4 group, see, e.g., [9].) The C4 -symmetry of M(r,b) is stated rigorously as follows. Definition 1 A set of POVM elements {M(r,b) } of BB84 type is C4 -symmetric, if there exists unitary operator U satisfying U 4k = IB with k ∈ N, and it transforms them as follows U M(z,b) U † = M(x,b) , (5) 2 (6) U M(r,b) U †2 = M(r,1−b) . Intuitively, operator U corresponds to rotating a detector spatially by 45 degrees, when polarization encoding is used. It can be better seen if we newly define operators L0 , . . . , L3 as L2b = M(z,b) and L2b+1 = M(x,b) for b = 0, 1. The relations (5) and (6) can thus be rewritten as U Lc U † = Lc+1 , where modulo 4 is assumed in the summation of index c. Note here that, with U being a 45-degree rotation, we have U 8 = IB instead of U 4 = IB . This example demonstrates why we needed to consider cases of k > 1 in Definition 1. Theorem 1 If a given set of POVM elements {M(r,b) } of BB84 type is C4 -symmetric, and the rank of the corresponding observable Mz (or equivalently, Mx ) as a matrix Mr = |N ; r, 0ihN ; r, 0| − |N ; r, 1ihN ; r, 1| (7) for r ∈ {z, x}, where |N ; r, bi := AN (a†1rb )n1 (a†2rb )n2 · · · (a†mrb )nm |0i. (8) Note here that Mr has rank two because double-click events are replaced by a random bit in our model, and thus all states besides |N ; r, 0i and |N ; r, 1i are cancelled in the subtraction Mr = M(r,0) − M(r,1) (a similar argument can be found in [10].) Coefficient AN in (8) is the normalization constant for state |N ; r, bi, and a†irb are the creation operators for photons propagating in mode i, having bit value b of basis r. In accordance with the usual notations of Pauli matrices, creation operators a†irb for two  bases r = z, x are related as  a†ixb = √1 2 a†iz0 + (−1)b a†iz1 . The single-mode thresh- old detectors discussed in [7, 8] correspond to the special case of m = 1. C4 -symmetry can be shown by using an explicit form of the transforming operator UN , # "  i X † † UN = exp aiy0 aiy0 − aiy1 aiy1 . 2 i The creation operator along the y-axis appearing in the above equation is defined as a†iyb = (a†iz0 + √ i(−1)b a†iz1 )/ 2. From these facts, and also from Theorem 1, it immediately follows that a squash operator exists, not only for single-mode threshold detectors, but also for multi-mode threshold detectors. 3 Proof of Theorem 1. Here we give only the proof for k = 1, since all other cases (k ≥ 2) can be shown by exactly the same argument. As can be seen from U 2 Mz U †2 = −Mz , for each normalized eigenstate |vi of Mz with an eigenvalue 0 < λ ≤ 1, there always exists another eigenstate U 2 |vi having a different eigenvalue −λ, and thus is orthogonal hv|U 2 |vi = 0. (9) From this, and since the rank of Mz is two, it follows that Mz takes the form
(10) Mz = λ |vihv| − U 2 |vihv|U †2 . By using a basis that diagonalizes U , we can always decompose |vi as |vi = 3 X c=0 µc |vc i , (11) with U |vc i = ic |vc i. Then, from (9), we see that coefficients µi satisfy |µ0 |2 + |µ2 |2 = |µ1 |2 + |µ3 |2 = 1 . 2 (12) We now define a completely positive, but not necessarily trace-preserving map, F , with a set of Kraus operators F0 , F1 , . . . , F3 which take the form √ (13) Fc = 2λ (µc+1 |0y ihvc | + µc |1y ihvc+1 |) if µc µ∗c+1 6= 0, otherwise Fc = 0. In (13), modulo 4 is assumed for the summations of index c. From the linearity of F † , we obtain the following relation F † (σz + iσx ) = 3 X Fc† (σz + iσx )Fc c=0 = 2 3 X c=0 = λ 3 X c=0 Fc† |0y ih1y |Fc = 4λ 3 X c=0 µc µ∗c+1 |vc i hvc+1 | ic U c |vihv|U †c = Mz + iMx. (14) Similarly, from eqs. (12) and (13), we have F † (IC ) = P3 † c=0 Fc Fc ≤ IB . Furthermore, F can be modified such that it satisfies the trace-preserving condition (6), and also maintains relation F † (σz + iσx ) = Mz + iMx , obtained in (14). This can be done by introducing extra Kraus operators Fc , c > 3, having the form Fc = |by ihψc | with b = 0 or 1. That the CPTP map F thus obtained also satisfies (5) for r = z can be shown as F † (σz ) = 1 † 1 2 F ((σz + iσx ) + H.c.) = 2 (Mz + iMx ) + H.c. = Mz , where ‘H.c.’ denotes the Hermitian conjugate. The other relation for r = x can be shown similarly. (End of proof.) Does Symmetry Imply the Existence of Squash Operators? — A natural question that arises here is: Can we eliminate the restriction of ‘rank two’ appearing in Theorem 1? In other words, is cyclic symmetry C4 alone sufficient to guarantee the existence of a squash operator? Or more generally, is there any types of symmetry that is strong enough to ensure its existence? In the remaining half of this paper, we shall investigate this possibility. This question is interesting because if this were actually the case, we would need no knowledge about microscopic structures of a detector in order to ensure the existence of its squash operator. In other words, we would succeed in proving the unconditional security of QKD in a deviceindependent way (for security against collective attacks, see [13]). Indeed, C4 -symmetry is already realized in most conventional BB84 systems (c.f. the paragraph below Definition 1). For example, when polarization encoding is used, bases z, x can be switched by rotating the detector by 45 degrees. In addition, the receiver may interchange the assignment of two detectors to output bit b = 0, 1 randomly, by rotating them by 90 degrees and flipping b. This may be done, in order to cancel the mismatch between two detectors in terms of quantum bit error rate. These two types of rotation generate a C4 group. Moreover, for some QKD protocols, no knowledge about microscopic structures of any components besides detectors are needed to prove security. For example, consider the Bennett-Brassard-Mermin 1992 protocol [11], where an untrusted third party prepares an entangled state. It is clear that if symmetry could actually imply the existence of squash operators, we would be able to prove the security of a QKD system without knowing anything of the microscopic structure of the devices, only the macroscopic operations by Alice and Bob. However, as we shall show below, that is not actually the case. The fact is that we can prove a no-go theorem that denies all such possibilities. In order to discuss this point rigorously, we define general symmetries of POVM below, and then present a theorem. Definition 2 A set of POVM elements {M(r,b) } of BB84 type is symmetric under finite group G, if they transform under G as V (g)M(r,b) V † (g) = Mg(r,b) for g ∈ G, with V (g) being a unitary representation of group G. Here, map g : (r, b) 7→ (r′ , b′ ) determines how each POVM element M(r,b) is transformed into another element by g ∈ G. Theorem 2 No symmetry is sufficient by itself to guarantee the existence of a squash operator. That is, one cannot prove a theorem that states that ‘For an arbitrary G-symmetric set of POVM, there always exists a squash operator compatible with the BB84 protocol.’ We present below a proof of this theorem. The basic strategy here is to show that, if the type of theorems as quoted in Theorem 2 holds, it can be used to show 4 the improbable proposition that any arbitrary operator, whether symmetric or asymmetric, possesses a squash operator. Proof of Theorem 2. For an arbitrary set of operators M(r,b) of BB84 type, which may not be symmetric, one can always define other G-symmetric operators M̃(r,b) as M̃(r,b) := X g∈G Mg−1 (r,b) ⊗ |gihg| in HB ⊗ HD . Here, HD is an ancilla space which is spanned by orthonormal basis {|gi}g∈G , that is, a set of orthonormal states |gi labeled by all elements g ∈ G. M̃ is G-symmetric under unitary transformation Ṽ as defined by Ṽ (g) := idB ⊗ RD (g) with RD being the regular representation of G defined by RD (g)|hiD = |ghiD (see, e.g., [9]). Hence if one could prove the type of theorems quoted in Theorem 2, it would readily follow that there is a squash operator for M̃(r,b) . On the contrary, however, once such a F̃ is obtained, one can also construct squash operator F for the original operators M(r,b) . In order to see this, note that we have for an arbitrary ρB ∈ HB h i Tr [Mr ρB ] = Tr M̃r (ρB ⊗ |eihe|) i h = Tr σr F̃ (ρB ⊗ |eihe|) . with e being the identity element of G. Thus, applying F̃ on ρB ⊗ |eihe| serves as a correct squash operator for ρB . This result shows that any POVM M(r,b) of BB84 type, whether symmetric or not, possesses a squash operator. However, this leads to a contradiction because there exists the counterexample of POVM M0 defined by M0z = M0x = σz which has no squash operator. [1] C. H. Bennett and G. Brassard, in Proceeding of the IEEE International Conference on Computers, Systems, and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp.175-179. [2] H. -K. Lo and H. F. Chau, Science 283, 2050, (1999); Shor and Preskill, Phys. Rev. Lett. 85, 441 (2000). [3] D. Gottesman, H. -K. Lo, N. Lütkenhaus, and J. Preskill, Quant. Inf. Comput. 5, 325 (2004). [4] M. Koashi, arXiv:quant-ph/0505108; New J. Phys. 11, 045018 (2009). [5] B. Kraus, N. Gisin and R. Renner, Phys. Rev. Lett. 95, 080501 (2005); M. Hayashi, Phys. Rev. A 76, 012329 (2007). [6] W.-Y. Hwang, Phys. Rev. Lett. 91, 057901 (2003); H. K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 230504 (2005); X. -B. Wang, Phys. Rev. Lett. 94, 230503 (2005). [7] T. Tsurumaru and K. Tamaki, Phys. Rev. A 78, 032302 The fact that M0 does not possess any squash operator can be shown, e.g, by the same argument as Beaudry, Moroder, and Lütkenhaus used for the six-state protocol [8], but it can alternatively be shown by the following simple argument. Consider the situation where Alice and Bob perform the BBM92 protocol using M0 as their detectors, and, as the entanglement source, Eve provides states |ψb i := |bz iA ⊗ |bz iB with a bit b ∈ {0, 1} of her choice. In this setup, clearly, all sifted key bits b are known to Eve, and thus Alice and Bob will never succeed in sharing secret keys. Hence, the existence of squash operator F for M0 would lead to a contradiction, since F could be used to prove the unconditional security of this system, with the quantum bit error rate measured by Alice and Bob being exactly zero. (End of proof.) Summary. — In this paper, we first showed that, if a given detector is C4 -symmetric, and the observable Mz associated with it has rank two, then there always exists a corresponding squash operator compatible with the BB84 protocol (Theorem 1). By using this result, we then proved that squash operators exist, not only for single-mode threshold detectors, but also for multi-mode threshold detectors. Next, we took up the question of whether this result can be generalized to symmetric detectors with arbitrary ranks, as an attempt toward the realization of deviceindependent and unconditionally secure QKD protocols. However, it turned out that the fact is quite opposite. That is, we have succeed in proving that, no matter what symmetry one imposes on the detectors, the symmetry is never sufficient, by itself, to guarantee the existence of a corresponding squash operator (Theorem 2). Acknowledgments — The author would like to thank M. Koashi and K. Tamaki for their valuable comments. This work was supported by the National Institute of Information and Communications Technology (NICT), Japan. (2008). [8] N. J. Beaudry, T. Moroder, and N. Lütkenhaus, Phys. Rev. Lett. 101, 093601 (2008). [9] J. -P. Serre, Linear Representations of Finite Groups, (Springer Verlag, New York, 1977). [10] M. Koashi, Y. Adachi, T. Yamamoto, and N. Imoto, arXiv:0806.0891. [11] C. H. Bennett, G. Brassard, and N. D. Mermin, Phys. Rev. Lett. 68, 557 (1992). [12] M. A. Nielsen and I. L. Chuang, Quantum Computation and Quantum Information, (Cambridge University Press, Cambridge, 2000). [13] A. Acin et al., Phys. Rev. Lett. 98, 230501 (2007); S. Pironio et al., New J. Phys. 11, 045021 (2009). [14] Squash operation is called ‘squashing model’ in [8].