METHODS AND SYSTEMS FOR A 2-QUBIT MULTI-USER QUANTUM KEY DISTRIBUTION PROTOCOL

Abstract

A method of quantum key distribution making use of 2-qubit entanglement, by which one entangled qubit is sent from an operator O to Alice and the other entangled qubit is sent from operator O to Bob, making for key-sharing among three parties (multi-user quantum key distribution, i.e. MU QKD). Alice and Bob each measures a respective sequence of qubits randomly along either one of two states, records the measurements in a respective list, and encodes the bits in an encoded list. The encoded lists are sent to operator O for entanglement to be verified with the CHSH inequality. Bob's verified list is sent to Alice and vice-versa, allowing Alice and Bob to further verify correlation. Non-entangled bits are rejected until Alice and Bob have a similar key, being a reconciled quantum-based key as sought.

Description

RELATED APPLICATIONS

This is the first application filed for the present invention.

FIELD OF THE INVENTION

This invention pertains generally to the field of quantum cryptography and in particular, to methods and systems for a quantum key distribution between 3 parties, using 2 entangled qubits.

BACKGROUND

It is generally believed that quantum objects can be utilized to provide communication security that is much improved over conventional, non-quantum methods. While the BB84 protocol (Bennet, Brassard, Quantum cryptography: Public key distribution and coin tossing, Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, volume 175, page 8. New York, 1984) is a provable authentication protocol that can allow key distribution from one sending party to one receiving party, it is limited to two-party authentication and is not well suited for key distribution to multiple parties. Prior art methods for enabling quantum-based security between multiple users of communication equipment has, without loss of generality, been particularly focused on two fronts.

On a first front, the prior art has examined some methods of utilizing photonic devices to generate multiple entangled particles, for multiple users. In Kumavor et al. (Comparison of Four Multi-User Quantum Key Distribution Schemes Over Passive Optical Networks, Journal of Lightwave Technology, Vol. 23, No. 1, January 2005), the authors provide some survey information on recent quantum key distribution (QKD) protocol developments, as well as performance comparisons. The schemes considered in that paper consider entanglement scenarios for 2 parties, the sending party traditionally referred to as “Alice”, and the receiving party as “Bob”.

On a second front, prior art has addressed methods to generalize the BB84 protocol. These methods aim at supporting QKD for multiple users. Recent prior art on this front can be represented in a paper by Xue et al. (Efficient multiuser quantum cryptography network based on entanglement, Nature. Sci Rep 7, 45928, 2017). This paper considers a QKD scheme for multiple users, based on 3 entangled bits or more, systems that are difficult to implement physically.

On the first front, only two parties are considered, while on the second front, systems generally rely on systems with 3 entangled qubits, which are difficult to implement in practice.

On either front, the prior art lacks a practical approach to implement secured quantum entanglement-based communication links between 3 parties, using one pair of qubits. Methods and systems are therefore required to obviate or mitigate one or more limitations of the prior art, by facilitating quantum entanglement-based communication links between 3 parties, and considerably improving communication security between 3 parties.

This background information is provided to reveal information believed by the applicant to be of possible relevance to the present invention. No admission is necessarily intended, nor should be construed, that any of the preceding information constitutes prior art against the present invention.

SUMMARY

In the present invention, quantum entanglement is used to enable quantum key distribution among three parties. Embodiments include a multi-user (N≥2)-based quantum key distribution system in which the underlying security scheme is based on quantum entanglement and the Bell inequality violation, which are proved to provide the non-malleable and eavesdropping-proof security properties that are sought.

An aspect of the disclosure provides a method for an operator O to generate and distribute a multi-user shared key to multiple devices, for example, a receiver A and to a receiver B). The key is shared among Operator O and receiver A and receiver B. Such a method includes preparing pairs of entangled qubits in sequence, in which each pair of entangled qubits is in a state of 2-qubit entanglement. Such a method further includes sending, from each pair of entangled qubits, one entangled qubit to a receiver A, and the other entangled qubit to a receiver B. Such a method further includes receiving a reply from each of receiver A and receiver B: and sending the key to each of receiver A and receiver B.

In some embodiments, a reply from each of receiver A and receiver B includes receiving a list of encoded bits from receiver A and receiving a list of encoded bits from receiver B. For the list of encoded bits from receiver A, each bit having been: measured from a qubit sent by operator O, recorded in a list of recorded bits, and encoded in the list of encoded bits from receiver A. For the list of encoded bits from receiver B, each bit having been: measured from a qubit sent by operator O, recorded in a list of bits, and encoded in the list of encoded bits from receiver B.

In some embodiments, sending the key to each of receiver A and receiver B includes verifying the correlation between: the list of encoded bits from receiver A, and the list of encoded bits from receiver B. In such a method, verifying the correlation is performed using a quantum entanglement inequality. In some embodiments, the quantum entanglement inequality is the Clauser, Horne, Shimony, Holt (CHSH) inequality.

In some embodiments, sending the key to each of receiver A and receiver B includes sending to receiver A, the list of encoded bits from receiver B, for deriving a key according to

• • receiver A's list of measured bits, and
  • receiver A's list of encoded bits.

Such embodiments further includes sending to receiver B, the list of encoded bits from receiver A for deriving a key according to receiver B's

• • receiver B's list of measured bits, and
  • receiver B's list of encoded bits.

Such a method further includes receiving, through respective authenticated classical channels receiver A's derived key and receiver B's derived key. Such a method further includes performing quantum correlation between receiver A's derived key and receiver B's derived key using an entanglement inequality. In such embodiments, deriving a key comprises rejecting pairs of bits that were not entangled according to the entanglement inequality.

In some embodiments, the method further includes using a derived key as a reconciled key, if entanglement between receiver A's derived key and receiver B's is sufficient to ensure security.

In some embodiments, the method further includes discarding a derived key and aborting communication, if entanglement between receiver A's derived key and receiver B's is insufficient to ensure security.

In some embodiments, the method further includes a layer 2 iteration wherein operator O of claim 1 is substituted by receiver A of claim 1, receiver A of claim 1 is substituted by a USER-1, receiver B of claim 1 is substituted by a USER-2. In some embodiments, the method further includes a layer 2 iteration wherein operator O of claim 1 is substituted by receiver B of claim 1, receiver A of claim 1 is substituted by a USER-3, receiver B of claim 1 is substituted by a USER-4.

Further aspects of the disclosure are directed to a device, including a processor, and non-transient machine readable memory which executed by the processor, for implementing the method described above. Such a device may be operated by operator O.

Further aspects of the disclosure are directed to a receiver A device, including a processor, and non-transient machine readable memory which executed by the processor, for implementing the method described above. Similarly, further aspects of the disclosure are directed to a receiver B device, including a processor, and non-transient machine readable memory which executed by the processor, for implementing the method described above.

Further aspects of the disclosure are directed to a system, including an operator O device, receiver A and receiver B, with each device including a processor, and non-transient machine readable memory which executed by the processor, for implementing the method described above.

A further aspect of the disclosure provides a system for distributing a key. Such a system includes a photon source operative to send a sequence of photons, and a first beam splitting device. The first beam splitting device, is configured to prepare, from the sequence of photons, pairs of entangled qubits in sequence, with each pair of entangled qubits in a state of 2-qubit entanglement. The first beam splitting device, is further configured to send, from each entangled pair of qubits, one entangled qubit to a second beam splitting device, and the other entangled qubit to a third beam splitting device. In such a system, the second and third splitting devices are configured to measure a qubit as a bit, to record a bit in a list of measured bits, to encode a bit in a list of encoded bits, and to send a list of encoded bits to the first beam splitting device. In such a system the first beam splitting device is operative to receive lists of encoded bits, and calculate correlation between the lists of encoded bits using an entanglement inequality.

BRIEF DESCRIPTION OF THE DRAWINGS

Further features and advantages of the present invention will become apparent from the following detailed description, taken in combination with the appended drawings, in which:

FIG. 1 illustrates two computational bases, according to embodiments.

FIG. 2 illustrates an example implementation for distributing a quantum key, where the qubits are implemented as photons, a quantum key is a sequence of such photons, and quantum key distribution (QKD) is performed by sending sequences of photons to polarizing beam splitters, according to an embodiment.

FIG. 3 illustrates a method of quantum key distribution, according to embodiments.

FIG. 4 is a quantum computing circuit representing the preparation of a Bell state, as used by an operator O, according to an embodiment.

FIG. 5 illustrates a quantum computing circuit that can be prepared by receiver A (Alice), for measuring the state of qubit qr_0 along the z-axis (i.e. |1), according to embodiments.

FIG. 6 illustrates a quantum computing circuit that can be prepared by receiver A (Alice), for measuring the state of qubit qr_0 along the x-axis (i.e. |0), according to embodiments.

FIG. 7 illustrates a quantum computing circuit that can be used by receiver B (Bob), for measuring the state of qubit qr_1 along the w-axis (i.e. |\) of a vw-basis, according to embodiments.

FIG. 8 illustrates a quantum computing circuit that can be used by receiver B (Bob), for measuring the state of a qubit qr_1 along the v axis (i.e. |/) of a vw-basis, according to embodiments.

FIG. 9 illustrates two lists of bits as received by Alice and Bob, and respectively recorded by Alice and Bob, according to an embodiment.

FIG. 10 illustrates strings of bits received and recorded by Alice and Bob, some of which are rejected because of a lack of entanglement, according to embodiments.

FIG. 11 is a block diagram of an electronic device 952 within a computing and communications environment 950 that may be used for implementing devices and methods in accordance with representative embodiments of the present disclosure, according to embodiments.

DETAILED DESCRIPTION

As opposed to a bit of information, which can be in either of two states labeled as 0 and 1, and be implemented as a transistor being either off or on, a quantum bit, typically shortened to “qubit”, can be in either of two states labeled as 0 and 1, conventionally labelled |0 (ket zero) and | 1 (ket one), or in a superposition of states |0 and |1, which can be represented as:

$❘\psi \rangle =\alpha ❘0\rangle +\beta ❘1\rangle$

where:

• • |Ψ represents the state of interest,
  • |0 is identified as a computational basis state,
  • |1 is identified as another computational basis state,
  • α is a complex number, and
  • β is another complex number.

A qubit cannot be implemented with a conventional transistor, but many other physical systems can be designed to realize a qubit. One implementation of a qubit is a single photon, which is light of such low intensity that it cannot be dimmed any further without being absolutely off. Other physical systems can be used, including atoms, ions, nuclei, specially designed electronic circuits and others.

An embodiment is not restricted to any specific implementation but in any case, the state of a qubit can be represented by referring to a computational basis, which can be made of two computational basis states: computational basis state |0 and computational basis state |1. In an embodiment, there can be two computational bases, each having two computational basis states. A first computational basis can have as computational basis states |0 and |1, and a second computational basis can have as computational basis states |/ (ket slash) and |\ (ket backslash). In a graphical representation, computational basis states |/ and |\ can be tilted at 45° from the computational basis states |0 and |1 of the first computational basis. The computational basis having states |0 and | 1 can be referred to as the xz basis, and its states |0 and |1 can be said to be along the x-axis and the z-axis respectively. As for the computational basis having states |/ and |\, it can be referred to as the vw-basis and its states |/ and |/\ can be said to be along the v-axis and the w-axis respectively.

FIG. 1 illustrates two computational bases, according to embodiments. A first computational basis has a computational basis state |0 along an x-axis 110, and a second computational basis state | 1 along a z-axis 120. A second computational basis, having a third state |/130 and a fourth state |\140. In an embodiment where each qubit is implemented as a photon with linear polarization, the first computational basis can represent the two options of having a photon polarized at 90° (vertically) or at 0° (horizontally), and the second computational basis can represent the two options of having a photon polarized at either 45° or −45° from a horizontal state. The states |0, |1, |/ and |\ can respectively correspond to the x-axis, z-axis, v-axis and w-axis of FIG. 1. In an embodiment, such a system can be implemented on a network of mobile devices (e.g. user equipment UE) 255.

For representing any state of a single qubit, two states (e.g. |0 and |1) can be chosen to form a computational basis, and any other state can be represented as a super position of the two computational basis states. For example, the computational basis states can be:

$❘{\psi }_1\rangle =❘0\rangle ❘{\psi }_2\rangle =❘1\rangle$

Alternatively, each computational basis state can be represented as a vector:

$❘{\psi }_1\rangle =\left[\begin{array}{c}1\\ 0\end{array}\right]❘{\psi }_2\rangle =\left[\begin{array}{c}0\\ 1\end{array}\right]$

A general state |Ω can be a superposition and represented with any of:

$❘\psi \rangle =\alpha ❘{\psi }_1\rangle +\beta ❘{\psi }_1\rangle ❘\psi \rangle =\alpha ❘0\rangle +\beta ❘1\rangle ❘\psi \rangle =\alpha \left[\begin{array}{c}1\\ 0\end{array}\right]+\beta \left[\begin{array}{c}0\\ 1\end{array}\right]$

where each of a and B can be a complex number. For a system of two qubits, there are four possibilities as to the state of the system and these can be represented as:

$❘00\rangle ,❘10\rangle ,❘01\rangle ,\mathrm{and}❘11\rangle$

A qubit is said to be “measured” when its state is projected onto an axis of a computational basis such as the the xz-basis, producing an output of either |0 or |1. Alternatively, the state of a qubit can be measured along (projected onto) another computational basis, determined by states |/ and |\. In the case of a photon, computational basis states |0 and |1 can respectively represent vertical and horizontal linear polarizations, and computational basis states |/ and |\ can represent +45° and −45° linear polarizations (typically relative to horizontal linear polarization). In an embodiment, a receiver of a qubit can choose to make a measurement either with computational basis states |0 and |1, or with computational basis states |/ and |/\.

In an embodiment of a quantum key distribution protocol, an initial step can be for a quantum key distribution operator (O) to create a (n, 2) qubit system, where n is the key's length and 2 is the number of qubits. This system of 2 qubits can be prepared in the two-qubit state known as the Bell state, represented as:

$❘\psi \rangle =\frac{1}{\sqrt{2}}(❘00\rangle +❘11\rangle )$

which indicates that upon a measurement of one qubit, i.e. qr_0, there is a 50% probability of it being in state |0 and a 50% probability of it being in state | 1, and in either case, the second qubit will be in the same state |0 or |1. In other words, a state measurement of the two-qubit system can result in either state |00 or state |11 with equal probability.

Quantum entanglement is a physical phenomenon that occurs when a pair or a group of qubits, each of which can be a particle, is generated such that the quantum state of each qubit cannot be described independently. Instead, a quantum state must be described for the system as a whole. Using the Bell state as an example, if two qubits qr_0 and qr_1 are not entangled, measuring their states can result in four possibilities for their collective state: |00, |01, |10, |11, each having an equal measurement probability of ¼, as described above. However, if they are entangled, the possibilities are limited to |00, |11, each having an equal measurement probability of ½, and such is the case with the Bell state. To determine whether quantum states are entangled, a CHSH inequality (Clauser, Horne, Shimony, Holt) can be used.

FIG. 2 illustrates an implementation of a quantum key distribution scheme, according to an embodiment. A source of qubits 205, which can be a source of photons and be network based. An initial sequence of qubits can include a sequence of qubits that will form a quantum key 207. If the qubits are implemented as photons, they can be sent to a beam splitter 210, acting as an operator (O). From each photon, the beam splitter O 210 can create one entangled state of 2 qubits 215, sending one qubit qr_0 to a receiver A (Alice) 220, and the other qubit qr_1 to a receiver B (Bob) 225. If receivers Alice and Bob are also beam splitters themselves, they can repeat the process of creating further entangled states and distributing them to further users, such as USER-1235, USER-2104, USER-3145, USER-4150. Distribution from operator O to Alice and Bob can be referred to a Layer 1 distribution 255, and distribution from Alice and Bob to USER-1235, USER-2204, USER-3245, and USER-4250 can be referred to as a Layer 2 distribution. It should be appreciated that while an example is discussed using a beam splitter, as an alternative one can convert such entanglement between the polarization modes into entanglement between spatial modes, using a polarizing beam splitter. A beam splitter can also be a beam splitting device comprising a beam splitter, a processor, and memory.

In FIG. 2, each beam splitter can be configured to implement a quantum computing gate, or series of gates to incoming photons. But in embodiments where qubits are implemented otherwise than with photons, gates can be elements other than beam splitters.

Embodiments include methods for implementing gates to qubits, irrespective of how the qubits and gates are physically implemented, for distributing a quantum key to multiple users of a quantum communication channel.

FIG. 3 illustrates a method of quantum key distribution, according to embodiments. An operator O can prepare a pair of entangled qubits, qr_0 and qr_1, the state (i.e. eigenstate) of which being randomly chosen between two possibilities |00 and |11. The choice can be stored as a classical bit of either 0 or 1 (i.e. {0,1}), and a plurality of entangled qubits can be prepared such as to have a sequence o( )305. The operator O can send qr_0 to Alice 307 and qr_1 to Bob 309. In an embodiment, a receiver A (Alice) can uniformly randomly choose one of two measurement circuits, to measure each qubit qr_0 along either |0 or |1 (respectively the x- and z- axes of FIG. 1) 310. If Alice receives a string of qubits. If receiving a string of qubits, Alice can represent the chosen measurement circuits as a string a( ) Similarly, a receiver B (Bob) can randomly choose a measurement circuit to measure each qubit qr_1 along either l/ or |\ (respectively the v-axis and w-axis of FIG. 1) 315, and represent the chosen measurement circuits as a string b( )315.

The receiver A (Alice), can encode each measured qubit qr_0 in a list A[ ] of classical bits 320, and Bob can similarly encode each measured qubit qr_1 in a list B[ ] 325. Then, Alice can send the list of measurement choices a( ) and the list of encoded measurements A[ ] to the operator O 330, and Bob can do similarly 335.

An operator O can verify, using Alice's list of measurement choices a( ) and Bob's list of measurement choices b( ) whether Alice's encoded measurements A[ ] are entangled to Bob's list of encoded measurements B[ ], by verifying a CHSH inequality 340. If sufficient entanglement is confirmed with a CHSH inequality, an operator O can perform key reconciliation and derive keys K(O, AB) and K(O, BA) 345. Subsequently, an operator O can send to Alice the string of measurement axes used by Bob, signed with the reconciled key K(O-A-B), and to Bob, the string of measurement axes used by Alice, signed with the reconciled key K(O-A-B) 350. Alice and Bob can then each confirm the reconciled key K(O-A-B) by respectively deriving K(O, AB) and K(O, BA) 355.

In an embodiment, a quantum key distribution system can have two channels: a quantum channel, as represented in FIG. 2, and a classical channel, which can be a conventional communication system, such as Fiber Optics Networks. Through the quantum channel, O can send a qubit qr_0 to receiver A (Alice) and a qubit qr_1, which is entangled to qubit qr_0, to receiver B (Bob). Both qubit qr_0 and qubit qr_1 can be prepared to be in an initial state |0, and both can be operated on by a single Pauli-X gate X, which can be represented as a matrix:

$X=\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]$

In notation, qubit qr_0 can be in an initial state |Ψ=|0, and its preparation by an application of a Pauli-X gate H can be represented by:

$❘\psi \rangle =X❘0\rangle$ $❘\psi \rangle =\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]\left[\begin{array}{c}0\\ 1\end{array}\right]$ $❘\psi \rangle =\left[\begin{array}{c}1\\ 0\end{array}\right]$ $❘\psi \rangle =❘1\rangle$

Similarly, qubit qr_1 can also be in an initial state |Ψ=|0, and be prepared by an application of a Pauli-X gate, resulting in a similar state:

$❘\psi \rangle =X❘0\rangle$ $❘\psi \rangle =\left[\begin{array}{cc}0& 1\\ 1& 0\end{array}\right]\left[\begin{array}{c}0\\ 1\end{array}\right]$ $❘\psi \rangle =\left[\begin{array}{c}1\\ 0\end{array}\right]$ $❘\psi \rangle =❘1\rangle$

Once prepared as such, qubit qr_0 can be processed with a Hadamard gate H, which is represented by:

$H=\frac{1}{\sqrt{2}}\left[\begin{array}{cc}1& 1\\ 1& -1\end{array}\right]$

FIG. 4 is a quantum computing circuit representing the preparation of a Bell state 215, in accordance with embodiments. Each horizontal single line 405 represents the evolution of a qubit in time, and each double line 410 line similarly represents the evolution of a classical bit. A first qubit is qr_0415 and occupies the first single line. A second qubit is qr_1420 and occupies the second single line. The double lines are occupied by classical bits cr_0, cr_1, cr_2, cr_3. Each line is preceded by an identification of the bit 425, and identification of the bit's initial state 430. A Pauli-X gate 435 is applied on each one of qubit qr_0 and qr_1, and then a Hadamard gate H 440 is applied on qubit qr_0. At this point, qubit qr_1 can be an input to the same Hadamard gate.

In an embodiment, once a Bell state has been prepared, operator O can send a first qubit qr_0 to receiver A (Alice) 207 through a quantum channel. Alice's reception can be referred to as Alice's Measurement Preparation 210.

In order to make a state measurement of qubit qr_0, receiver A (Alice) can alternatively prepare 310 any one of two measurement circuits, each one for measuring along a different computational basis: either |0 or |1. Referring to FIG. 1, one measurement circuit can be to measure qubit qr_0 along the x-axis (i.e. |0), and another measurement circuit can be to measure qubit qr_0 along the z-axis (i.e. |1). To obtain the mapping onto the z-axis, the quantum computing circuit of FIG. 5 can be used.

FIG. 5 illustrates a quantum computing circuit that can be used by receiver A (Alice), for measuring the state of qubit qr_0 along the z-axis (i.e. |1). First, a Hadamard gate 510 can be applied to the qubit qr_0415. Then, a state measurement 520 of qubit qr_0415 can be made to classical bit cr_0530.

At the site of the receiver A (Alice), Alice can alternatively use a measurement circuit for measuring qubit qr_0 along the x-axis (i.e. |0). To do so, a single qubit qr_0 can be processed by a Pauli S-gate (i.e. a √{square root over (Z)}-gate or “Z**0.5” in some programming code), then a Hadamard gate, then a T-gate (i.e. a ⁴√{square root over (Z)}-gate or “Z**0.25” in some code), and then another Hadamard gate. The sequence can be followed by a measurement 625 of qubit qr_0 to classical bit cr_0530. The following are matrices corresponding to the S-gate and the T-gate:

$S=\sqrt{Z}=\left[\begin{array}{cc}1& 0\\ 0& i\end{array}\right]$ $T=\sqrt[4]{Z}=\left[\begin{array}{cc}1& 0\\ 0& e^{i\frac{\pi }{4}}\end{array}\right]$

FIG. 6 illustrates a quantum computing circuit that can be used by receiver A (Alice), for measuring the state of qubit qr_0 along the x-axis. To do so, a single qubit qr_0 can be operated on by a Pauli S-gate 605 (i.e. a √{square root over (Z)}-gate or “Z**0.5” in some code), then a Hadamard gate 610, then a T-gate (i.e. a ⁴√{square root over (Z)}-gate or “Z**0.25” in some programming code) 615, and then another Hadamard gate 620. The sequence can be followed by a measurement 625 of qubit qr_0415 to classical bit cr_0530.

In an embodiment, once a Bell state has been prepared by an operator O, the operator O can send not only a sequence of qubits qr_0, each one entangled to a qubit qr_1, to receiver A (Alice) 307, but also a sequence of qubits qr_1 each one entangled to a qubit qr_0, to receiver B (Bob) 309, such that qubit qr_0 and qubit qr_1 are in a state of 2-qubit entanglement. Bob's reception can be referred to as Bob's Measurement Preparation 315. Like Alice, Bob can alternatively and randomly prepare any one of two measurement circuits, for measuring a qubit along respective ones of two computational bases. Referring to FIG. 1: one measurement circuit is for measuring along a v-axis (i.e. |/), and the other is for measuring along an orthogonal w-axis (i.e. |\). The vw-basis is tilted from a xz-basis by 45°.

For mapping a state projection onto the w-axis (i.e. |\) of the vw-basis, the quantum computing circuit of FIG. 7 can be used.

FIG. 7 illustrates a quantum computing circuit that can be used by receiver B (Bob), for measuring the state of qubit qr_1 along the w-axis (i.e. |\) of a vw-basis. In this circuit, a series of gates are applied to qubit qr_1 in succession. First, a Pauli S gate 805 is applied, then a Hadamard gate 810. This is followed by a T gate 815, and another Hadamard gate 820. The sequence is followed by a measurement 825 of qubit qr_1420 to classical bit cr_1830.

Alternatively, Bob can also make a measurement along the v-axis (i.e. |/) the vw-basis. The quantum computing circuit of FIG. 8 can be used for this purpose.

FIG. 8 illustrates a quantum computing circuit that can be used by receiver B (Bob), for measuring the state of a qubit qr_1 along the v-axis of a vw-basis. The measurement 910 of qubit qr_1420 can be made to classical bit cr_1920.

In an embodiment, once Alice has made Measurement Preparations 310, Alice can measure and encode the received qubits as a key in classical bits 320, as either −1 or 1, i.e. {−1,1}, in response to each qubit measurement. Alice can generate the measured qubits as a list A[ ] and send it to an operator O 330.

Similarly, once Bob has made a Measurement Preparation 315, Bob can measure and encode the received qubits as a key in classical bits 325, as either −1 or 1, i.e. {-1,1}, in response to each qubit measurement. Bob can generate the measured qubits as a list B[ ] and send it to an operator O 335.

In an embodiment, the operator O can repeat the process of preparing 305 and sending two entangled qubits to Alice 307 and Bob 309 respectively. And Alice and Bob can keep receiving the qubits, making measurement preparations 310, 315, and encoding the qubits in classical bits 220, 225. The repetition causes two strings of qubits to be received respectively by Alice and Bob, each string representing a key, and because each qubit of one stream is entangled to a qubit of the other stream, Alice and Bob can be said to have the same key, in a perfect noiseless quantum channel transmission.

In an embodiment, when Alice and Bob have completed receiving and encoding their respective stream of n bits representing a key, they can send communicate to operator O, through authenticated classical channels, the corresponding streams of classical bits they have produced 320 325. Alice can therefore send a( ) and A[ ] to O 330, and Bob can send b( ) and B[ ] to O 335.

In an embodiment, when an operator O receives the encoded keys A[ ] and B[ ] through the classical channel, it can conduct a joint measurement of each pair of bits from A[ ] and B[ ], in order to verify whether 340 that the qubits it initially sent 305307 and that were received by Alice 310 and Bob 315 were entangled 340. If the joint measurement of two bits is such that the CHSH inequality is violated, then entanglement between those two bits is confirmed. The CHSH inequality can be expressed as:

$C=\mathrm{CHSH}\left(A\left[\right],B\left[\right]\right)<2$

In an embodiment, once quantum entanglement between each pair of bits has been verified with the CHSH inequality, a stream of bits can be made to include only those bits that were entangled. This can ensure that the bit streams from Alice and Bob are the same and include only bits that were entangled. Such a technique can be referred to as reconciliation 345, which can be defined as the technique needed to ensure that Alice's and Bob's key elements are equal.

To perform reconciliation, an operator O can send b( ) signed with K-O-A 350 to Alice, and it can send a( ) signed with K(O-A-B) 350 to Bob. Alice, who already has a( ) and A[ ], can use b( ) to calculate a key K(O, AB), and Bob, who already has b( ) and B [ ], can use a( ) to calculate a key K(O, BA). By using b( ) and a( ) to respectively derive K(O, AB) and K(O, BA), key distribution to Alice and Bob is complete. This last exchange can provide extra protection from an eavesdropper in the classical channel, however, in another embodiment, the operator O can send a common Key directly to Alice and Bob.

In an embodiment, Alice's measurements can be done along a xz-basis, and Bob's measurements can be done along a vw-basis, the axes of which are at 45° from the axes of the xz-basis. In a stream of entangled qubits there can be undesirable noise. In order to reduce the possibility of noise, a method as follows can be performed to generate uniformly distributed measurements.

In an embodiment, a method for generating uniformly distributed measurements and minimizing transmission noise, can begin with Alice randomly choosing a string of bits and preparing a list α( ) in which each element a; is either a bit 0 or a bit 1. This can be denoted as:

$a\left(\right),a_i=\left\{0,1\right\}$

Then, Alice can randomly prepare a list σ( ) in which each eigenstate o; is either in the xz-basis: α(|0, |1) (as in FIG. 1), or in the vw-basis: β(|/, |\) (as in FIG. 1). This can be expressed as:

$\sigma \left(\right),{\sigma }_i=\{a(❘0\rangle ,❘1\rangle ),\beta (❘/\rangle ,❘\setminus \rangle )\}$

where

• • α is a complex number corresponding to the xz basis (i.e. |0, |1), or xz-plane of FIG. 1, and
  • β is a complex number corresponding to the vw basis (i.e. |/, |\), or xz-plane of FIG. 1.

If α_i=0, then measurement can be performed along the α plane, and if α_i=1, then measurement can be performed along the β plane.

Each measured result can be recorded in a list A( ) in which each element A¿ is either −1 or 1:

$A\left(\right),A_i=\left\{-1,1\right\}$

Elements α_i and elements σ_i, respectively from list α( ) and list σ( ) can be seen as components of corresponding vector a and vector o. As such, the recording of the measured results in a list A( )can be seen as a tensor operation between vector a and vector o:

$A=a\otimes \sigma$

At Bob, similar measurements as those of Alice can be made. Bob can record measurements in a corresponding list B( ) in which each element B_i is either −1 or 1:

$B\left(\right),B_i=\left\{-1,1\right\}$

As with Alice, Bob's recordings can be represented with a tensor operation:

$B=b\otimes \sigma$

FIG. 9 illustrate two lists of bits as received by Alice and Bob, and respectively recorded by Alice and Bob, according to an embodiment. Alice receives a string α( )1100 of bits, each of which can be 0 or 1. Alice can record each bit in a list A[ ] 1105, according to tensor operation A=α⊗σ 1110. Similarly, Bob can receive a string b( )1115 of bits, each of which can be 0 or 1, and record them in a list B[ ] 1120, according to tensor operation B=b⊗σ 1125.

Each bit received by Alice and Bob can either be 0 or 1, which makes for four (4) different possibilities: 00, 01, 10 and 11. To each of these possibilities, a tensor operation can be defined, where E is a record notation such that E(0,0) is calculated when A_i is recorded on an α-plane and B_i is recorded on an α-plane, E(1,0) is calculated when A_i is recorded on a β-plane and B_i is recorded on an α-plane, E(0,1) is calculated when A_i is recorded on an α-plane and B_i is recorded on a β-plane, and E(1,1) is calculated when A_i is recorded on a β-plane and B_i is recorded on a β-plane.

$\begin{array}{cc}E\left(0,0\right)={\overrightarrow{A}}_i\otimes {\overrightarrow{B}}_i& 1130\end{array}$ $\begin{array}{cc}E\left(1,0\right)={\overrightarrow{A}}_i\otimes {\overrightarrow{B}}_i& 1135\end{array}$ $\begin{array}{cc}E\left(0,1\right)={\overrightarrow{A}}_i\otimes {\overrightarrow{B}}_i& 1140\end{array}$ $\begin{array}{cc}E\left(1,1\right)={\overrightarrow{A}}_i\otimes {\overrightarrow{B}}_i& 1145\end{array}$

Once Alice and Bob have recorded their measurements in lists A[ ] 1105 and B[ ] 1120, an operator O can use A[ ] and B[ ], as well as a( ) and b( ) to calculate C, a CHSH correlation between any two bits having been received at the same time. The value of C for two strings (i.e. lists) of bits can be calculated with:

$C=❘E\left(0,0\right)+E\left(0,1\right)❘+❘E\left(1,0\right)-E\left(1,1\right)❘$

Under locality and realism theory, CHSH correlation is C≤ 2, while under non-locality theory, in which quantum entanglement is defined, C≤ 2v2. Therefore, if CHSH correlation is between 2 and 2√{square root over (2)}, it shows that the strings of bits are entangled, i.e. for two strings to be sufficiently entangled, C must be within the must be in the range

$2<C\le 2\sqrt{2}$

In other words, such a value for C violates the Bell inequality, and confirms occurrence of quantum entanglement.

In an embodiment, if entanglement is not confirmed using a CHSH inequality, it can indicate excessive noise or interception, and communication can be aborted.

In an embodiment, if entanglement is confirmed 340, between a bit string sent to Alice, and a bit string sent to Bob, the operator O can conduct a key reconciliation 345. With the CHSH inequality, a key reconciliation can indicate that there is no eavesdropper interception during the transmission. Otherwise, O should abort the multi-user key distribution.

FIG. 10 illustrates strings of bits received and recorded by Alice and Bob, some of which are rejected because of a lack of entanglement, according to embodiments. From an operator O, Alice A can receive a string of qubits, each of which can be measured, such as to produce a string a( ) of classical bits 1205. Each bit of the string can be encoded, such as to produce a string A[ ] 1210. The same occurs at Bob, with a list of received qubits, entangled to qubits received by Alice and measured in a list of classical bits b( )1215, These are then encoded in a list B[ ] 1220.

In FIG. 10, the second bit of A[ ] 1212 is different than the second bit of B[ ] 1222. This indicates that the initial pair of qubits from which they were measured, measured as the second bit of a( )1207 and the second bit of b( )1217, were not entangled, and therefore they can be rejected 1225. Depending on a level of CHSH correlation between Alice's string and Bob's string, a certain number of bits can be rejected. The lesser the CHSH correlation, the greater the number of rejections, which would indicate either a high probability of interception, or too much noise. The non-rejected bits from list A[ ] forms Alice's key K(O, AB) 1225, and the non-rejected bits from list B[ ] forms Bob's key K(O, AB) 1230. If they are the same, they form the desired quantum key K(O-A-B).

FIG. 11 is a block diagram of an electronic device (ED) 952 illustrated within a computing and communications environment 950 that may be used for implementing the devices and methods disclosed herein. The electronic device 952 typically includes a processor 954, such as a central processing unit (CPU), and may further include specialized processors such as a graphics processing unit (GPU) or other such processor, a memory 956, a network interface 958 and a bus 960 to connect the components of ED 952. ED 952 may optionally also include components such as a mass storage device 962, a video adapter 964, and an I/O interface 968 (shown in dashed lines). In embodiments, an electronic device can be part of operator O, an electronic device can be part of receiver A (Alice), and an electronic device can be part of receiver B (Bob). In some embodiment, an electronic device part of receiver A (Alice) can be connected to an electronic device part of operator O and include a classical communication channel. In some embodiment, an electronic device part of receiver B (Bob) can be connected to an electronic device part of operator O and include a classical communication channel.

Embodiments have been described above in conjunctions with aspects of the present invention upon which they can be implemented. Those skilled in the art will appreciate that embodiments may be implemented in conjunction with the aspect with which they are described, but may also be implemented with other embodiments of that aspect. When embodiments are mutually exclusive, or are otherwise incompatible with each other, it will be apparent to those skilled in the art. Some embodiments may be described in relation to one aspect, but may also be applicable to other aspects, as will be apparent to those of skill in the art.

Although the present invention has been described with reference to specific features and embodiments thereof, it is evident that various modifications and combinations can be made thereto without departing from the invention. The specification and drawings are, accordingly, to be regarded simply as an illustration of the invention as defined by the appended claims, and are contemplated to cover any and all modifications, variations, combinations or equivalents that fall within the scope of the present invention.

Claims

1. A method for an operator O to generate and distribute a multi-user shared key to a receiver A and to a receiver B, comprising: preparing pairs of entangled qubits in sequence, each pair of entangled qubits in a state of 2-qubit entanglement;sending from each pair of entangled qubits, one entangled qubit to a receiver A andthe other entangled qubit to a receiver B;receiving a reply from each of receiver A and receiver B; andsending the key to each of receiver A and receiver B.

2. The method of claim 1, wherein receiving a reply from each of receiver A and receiver B comprises: receiving a list of encoded bits from receiver A, each bit having been measured from a qubit sent by operator O,recorded in a list of recorded bits, andencoded in the list of encoded bits from receiver A; andreceiving a list of encoded bits from receiver B, each bit having been measured from a qubit sent by operator O,recorded in a list of bits, andencoded in the list of encoded bits from receiver B.

3. The method of claim 1 or 2, wherein sending the key to each of receiver A and receiver B comprises: verifying the correlation between the list of encoded bits from receiver A, andthe list of encoded bits from receiver B;

4. The method of claim 3 wherein the quantum entanglement inequality is the Clauser, Horne, Shimony, Holt (CHSH) inequality.

5. The method of claim 1, wherein sending the key to each of receiver A and receiver B comprises: sending to receiver A, the list of encoded bits from receiver B, for deriving a key according to receiver A's list of measured bits, andreceiver A's list of encoded bits;sending to receiver B, the list of encoded bits from receiver A; for deriving a key according to receiver B's receiver B's list of measured bits, andreceiver B's list of encoded bits;receiving, through respective authenticated classical channels receiver A's derived key andreceiver B's derived key; andperforming quantum correlation between receiver A's derived key and receiver B's derived keyusing an entanglement inequality;

6. The method of claim 5, further comprising using a derived key as a reconciled key, if entanglement between receiver A's derived key and receiver B's is sufficient to ensure security.

7. The method of claim 5, further comprising discarding a derived key and aborting communication, if entanglement between receiver A's derived key and receiver B's is insufficient to ensure security.

8. The method of claim 1, further comprising a layer 2 iteration wherein operator O of claim 1 is substituted by receiver A of claim 1,receiver A of claim 1 is substituted by a USER-1,receiver B of claim 1 is substituted by a USER-2.

9. The method of claim 1, further comprising a layer 2 iteration wherein operator O of claim 1 is substituted by receiver B of claim 1, receiver A of claim 1 is substituted by a USER-3,receiver B of claim 1 is substituted by a USER-4.

10. A system for distributing a key, comprising: a photon source operative to send a sequence of photons,a first beam splitting device, configured to prepare, from the sequence of photons, pairs of entangled qubits in sequence,each pair of entangled qubits in a state of 2-qubit entanglement; andto send, from each entangled pair of qubits,one entangled qubit to a second beam splitting device, and the other entangled qubit to a third beam splitting device,the second and third splitting devices configured to measure a qubit as a bit,to record a bit in a list of measured bits,to encode a bit in a list of encoded bits, andto send a list of encoded bits to the first beam splitting device;

11. The system of claim 10, wherein the first beam splitting device is configured to: verify the correlation betweenthe list of encoded bits from the second beam splitting device, andthe list of encoded bits from the third beam splitting device;wherein verifying the correlation is performed using the quantum entanglement inequality.

12. A device for operation by an operator O to generate and distribute a multi-user shared key to a receiver A and to a receiver B, the device comprising a processor operatively coupled to memory and configured to: prepare pairs of entangled qubits in sequence, each pair of entangled qubits in a state of 2-qubit entanglement;send from each pair of entangled qubits, one entangled qubit to a receiver A andthe other entangled qubit to a receiver B;receive a reply from each of receiver A and receiver B; andsend the key to each of receiver A and receiver B.

13. The device of claim 12, wherein receiving a reply from each of receiver A and receiver B comprises: receiving a list of encoded bits from receiver A, each bit having been measured from a qubit sent by operator O,recorded in a list of recorded bits, andencoded in the list of encoded bits from receiver A; andreceiving a list of encoded bits from receiver B, each bit having been measured from a qubit sent by operator O,recorded in a list of bits, andencoded in the list of encoded bits from receiver B.

14. The device of claim 12, wherein sending the key to each of receiver A and receiver B comprises: verifying the correlation between the list of encoded bits from receiver A, andthe list of encoded bits from receiver B;

15. The device of claim 14 wherein the quantum entanglement inequality is the Clauser, Horne, Shimony, Holt (CHSH) inequality.

16. The device of claim 12, wherein sending the key to each of receiver A and receiver B comprises: sending to receiver A, the list of encoded bits from receiver B, for deriving a key according to receiver A's list of measured bits, andreceiver A's list of encoded bits;sending to receiver B, the list of encoded bits from receiver A; for deriving a key according to receiver B's receiver B's list of measured bits, andreceiver B's list of encoded bits;receiving, through respective authenticated classical channels receiver A's derived key andreceiver B's derived key; andperforming quantum correlation between receiver A's derived key and receiver B's derived keyusing an entanglement inequality;

17. The device of claim 16, further configured to use a derived key as a reconciled key, if entanglement between receiver A's derived key and receiver B's is sufficient to ensure security.

18. The device of claim 16, further configured to discard a derived key and abort communication, if entanglement between receiver A's derived key and receiver B's is insufficient to ensure security.

19. The device of claim 12, further configured to perform a layer 2 iteration wherein the operator O is substituted by the receiver A,the receiver A is substituted by a USER-1,the receiver B of is substituted by a USER-2.

20. The device of claim 12, further comprising a layer 2 iteration wherein the operator O is substituted by the receiver B,the receiver A is substituted by a USER-3,the receiver B is substituted by a USER-4.