A digital signature permits a sender to mark a digital transmission so that recipients of the transmission can confirm the origin of the transmission and detect tampering with the transmission. A transmission with a digital signature is thus secure to the extent that only an authorized party can provide the required digital signature authenticating the transmission. For transmissions with conventional digital signatures, the security of a transmission is based on assumptions regarding one-way mathematical functions that convert private information (e.g., a private key) to information for public transmission. However, the security of one-way functions against conventional computing power is generally unproven, and at least some one-way functions are insecure against quantum computing technology, thereby allowing an unauthorized party to extract private information from public transmissions and then forge digital signatures.
Quantum digital signature techniques such as described by Gottesman and Chuang, “Quantum Digital Signatures” (http://arxiv.org/abs/quant-ph/0105032) use fundamental principles of quantum physics for secure transmissions of information. These techniques allow a sender to sign a message using a quantum state as a signature. In particular, the sender can prepare copies of a quantum state corresponding to private information that only the sender knows. The sender can then distribute the copies of the quantum state to chosen recipients that use their copies of the quantum state to authenticate the message or detect tampering. The quantum no-cloning theorem prevents persons other than the sender from making further copies of the quantum state/signature, and interception and measurement destroy the quantum signature while providing only limited clues regarding the private information. Accordingly, with proper distribution methods, a quantum digital signature can be kept secure.
Certification of a quantum digital signature generally requires comparisons of copies of the quantum state representing the signature. Efficient methods for state comparisons are thus required.
In accordance with an aspect of the invention, quantum state comparison (QSC) systems can test quantum systems to detect properties such as the equality or entanglement of unknown states. For example, a QSC can be used to validate quantum signatures, test of the operation of a quantum gate, or detect entanglement of quantum states. Additionally, the effect of the QSC test on input states can be used to entangle the input states or to detect entanglements. One embodiment of the invention is a system including: a first photonic channel for input of a first quantum state; a second photonic channel for input of a second quantum state; a first beam splitter positioned to interfere the first photonic channel and the second photonic channel; and a detector system positioned to measure the second photonic channel. A probability of a first measurement outcome from the detector system is 100% when the first quantum state and the second quantum state satisfy a first relation (e.g., are the same) and is less than 100% when he first quantum state and the second quantum state satisfy a second relation (e.g., are not the same).
Use of the same reference symbols in different figures indicates similar or identical items.
In accordance with an aspect of the invention, a test using a controlled swap gate can compare two unknown quantum states to validate that the two compared states are the same. Such comparisons can be applied to authenticate a quantum signature associated with a message, to detect corruption in or tampering with a message having a quantum signature, to compare quantum gates, to detect entanglement, or to entangle input states.
Hadamard gates 120 and 130 transform the control channel qubit as indicated in Equations 1, where application of a basis state |1> to controlled swap gate 110 causes swapping of states |A> and |B> and application of a basis state |0> does not. In the illustrated embodiment, control qubit |C> is initially in the known state |0>, so that the output state of Hadamard gate 120 is known to be
In an alternative embodiment, Hadamard gate 120 can be eliminated and the desired control qubit state
can be generated using other techniques. Further, other choices of the initial known state of control qubit |C> (with or without use of Hadamard gate 120) can achieve similar comparison results as described further below.
Equation 2 indicates the action controlled swap gate 110 on the product state after operation of Hadamard gate 120 in
A detector 140 measures the control channel and particularly performs a projective measurement that distinguishes control state |0> from control state |1>. From Equation 3, the probability of a measurement corresponding to state |0> is
Accordingly, if states |A> and |B> are the same, the probability of a measurement corresponding to state |0> is one, and a measurement signal X from detector 140 will always have a value corresponding to state |0>. If states |A> and |B> have a small inner product, the probability of a measurement corresponding to state |0> will be less than one and will be one half if states |A> and |B> are orthogonal.
An important application of QSC system 100 uses measurements X to determine whether two unknown quantum states |A> and |B> differ. As described above, a single transformation and measurement of the control channel in QSC system 100 above will indicate that states |A> and |B> are not the same if the measurement outcome X has a value corresponding to state |1>. However, when states |A> and |B> differ, a single measurement outcome has a non-zero probability of corresponding to state |0>, which is the measurement outcome found 100% of the time when states |A> and |B> are the same. Accordingly, a single measurement will fail to detect a difference in states |A> and |B> with a probability of
which is less than one when states |A> and |B> differ.
Given k copies of states |A> and |B> and k repetitions of the transformation and measurement, the probability P(k) of all measurement outcomes Xk failing to detect the difference between states |A> and |B> falls exponentially with the number k as indicated in Equation 4. The probability P(k) of a failure to detect a difference between states |A> and |B> can thus be made arbitrarily small if the available number k of copies of the states |A> and |B> is sufficiently large.
QSC system 100 can also be used when the input states on the A and B channels may be mixed states ρ and σ. However, even when mixed states ρ and σ are identical, the probability of a measurement X of the control channel corresponding to state |0> is less than one. Upon applying QSC system 100 to two mixed states ρ and σ, a measurement with the outcome corresponding to control state ↑0> will be observed with probability ½+½Trace(ρ·σ) (where the trace is over the product of two density matrices for the mixed states ρ and σ). Accordingly, this measurement cannot detect whether two mixed states ρ and σ are identical, but QSC system 100 can detect “mixed” states ρ and σ that are actually identical pure states (e.g., ρ=σ=|φ><φ|). In particular, if an extended series of measurements all provide outcomes corresponding to control state |0>, the two “mixed” states ρ and σ must actually be equal pure states.
Quantum states |A>, |B>, and |C> can generally be quantum states of any physical system for which a controlled swap gate 110, Hadamard gates 120 and 130, and detector 140 can be implemented. In particular, when each state |A> or |B> corresponds to a qubit, one logical structure for controlled swap gate 110 includes three controlled controlled-NOT (CCNOT) gates or Toffoli gates 112, 114, and 116 as shown in
In an exemplary embodiment of the invention, each quantum state |A>, |B>, or |C> is a quantum state of one or more photon channels. For example, each of quantum states A> and |B> can be a linear combination of two or more states having definite photon number (i.e., Fock states), a coherent photon state, or a squeezed state. A photonic state on single photonic channel can thus represent quantum information such as a qubit, a qudit, or a qunats. In one specific embodiment, each states |A> and |B> represents one or more qubits with each qubit corresponding a separated photonic channel, and state |C> corresponds to a qubit on yet another photonic channel. The basis states |0> and |1> for each qubit can, for example, correspond to Fock states respectively corresponding to 0 and 1 photon in the channel, temporally separated photonic states of the channel, or orthogonal linear polarization states of photons in the channel.
In one application of QSC system 200, each state |A>, |B>, or |C> is a path-encoded qubit having basis states |0> and |1> respectively corresponding to the absence and presence of a single photon state on the corresponding channel A, B, or C. As will be appreciated by those skilled in the art, other types of qubit encodings such as a polarization encoding of qubits or a time division multiplexed (TDM) encoding can be converted to a path encoding for use of QSC 200. For example, a polarizing beam splitter can convert a polarization encoded qubit having basis states |0> and |1> respectively correspond horizontal and vertical polarization states |H> and |V> by directing one polarization away from the path into QSC 200. QSC system 200 is not limited to comparing state corresponding to qubits but can similarly compare states |A> and |B> that are coherent or squeezed photon states representing qudits or qunats as photon on channels A and B, respectively.
As shown in
In an exemplary embodiment of QSC system 200, states |A> and |B> path are encoded qubit states, and the operation beam splitter 212 transforms creation operators αA† and αB† for photons in input channels A and B as indicated in Equations 5A. In Equations 5A, operators αA†, and αB\, are creation operators for the output channels A′ and B′ of beam splitter 212. Implementation of the transformation of Equation 5A may require careful adjustment of the position of beam splitter 212 or addition of appropriate phase plates in channels A, B, A′, and/or B′ to achieve phase relationship of Equations 5A. Similarly, beam splitter 216 is positioned or augmented with phase plates to transform creation operators αA†, and αB†, as indicated in Equations 5B, where operators αA″† and αB″† are creation operators for the output channels A″ and B″ of beam splitter 216.
αA554=2−1/2(αA′†+αB′†) Equations 5A:
αB†=2−1/2(αA′†−αB′†)
αA′†=2−1/2(αA″†+αB″†) Equations 5B:
αB′†=2−1/2(αA″†−αB″†)
The product of states |A> and |B> have the form of Equation 6 for path encoded qubit states. In Equation 6, basis state |0>A is the vacuum state, basis state |1>A is a single photon state, and A0 and A1 are complex parameters for the quantum information represented in channel A. Similarly, for channel B, basis state |0>B is the vacuum state, basis state |1>B is a single photon state, and B0 and B1 are complex parameters for the quantum information represented by qubit state |B>.
|A>|B>=(A0|0>A+A1|1>A)(B0|0>B)=(A0+A1αA†)(B0+B1αB†)|0> Equation 6
Controlled phase gate 214 causes no phase shift when control channel C is in state |0>C′. The relative phase the states of channels A′ and B′ from beam splitter 212 are thus preserved, and applying the transformations of Equations 5A and 5B to Equation 6 yields an output product state of the form of Equation 7A. In contrast, when control channel C is in state |1>C′, controlled phase gate 214 causes a phase shift π, introducing a relative sign change between the states of the A′ and B′ channels, i.e., at, αB′†→−αB′†, and the product of output state on channels A″ and B″ is of the form given in Equation 7B. Accordingly, gate 210 performs the required controlled swap when input states |A> and |B> are qubit states as indicated in Equation 6.
A number of implementations suitable for controlled phase gate 214 are known for operations on photonic states. For example, controlled phase gate 214 can be implemented using linear optics. T. B. Pittman, B. C. Jacobs, and J. D. Franson, “Probabilistic quantum logic operations using polarizing beam splitters,” Phys. Rev. A 64, 062311 (2001), for example, describes using linear optics and measurements in implementations of quantum gates that are probabilistic. These probabilistic quantum gates have inherent probabilities of detected failures to perform the desired operations and therefore may inefficiently use quantum resources. Alternatively, controlled phase gate 214 can be implemented using systems providing electromagnetically induced transparency (EIT) or a cross-Kerr non-linearity as described in R. G. Beausoleil, W. J. Munro, and T. P. Spiller, J. Mod. Opt. 51, 1559 (2004).
Hadamard gates 120 and 130 and detector 140 in QSC system 200 can be implemented using optical elements that are selected according to the representation used for the control qubit in channel C. In particular, Hadamard gates can be implemented using beam splitters for path-encoded photonic qubits or waveplates for polarization-encoded photonic qubits. For a qubit represented using single photon states, detector 140 can be implemented with a photon detector and a filter that passes only photons corresponding to state |0> (or alternatively state |1>). Detection of a photon then projects the state of the control qubit channel C″ onto state |0> or |1>. Efficient single photon detector suitable for this use are described by W. J. Munro, Kae Nemoto, R. G. Beausoleil and T. P. Spiller, “A High-Efficiency Quantum Non-Demolition Single Photon Number Resolving Detector,” (http://arxiv.org/abs/quant-ph/0310066).
Repeated measurement of channel C″ in QSC system 200 by detector 140 can probabilistically determine whether input states |A> and |B> are equal or not equal in the same manner as described above in regard to Equation 4. Additionally, photons output on channels A″ and B″ of controlled swap gate 210 can be used elsewhere in a quantum information processing system (not shown). However, the full swap function of gate 210 is not required for determination of whether states |A> and |B> are equal. In particular, beam splitter 216, which completes the swap operation, can be omitted without affecting the comparison of state |A> and |B>.
QSC system 200 including gate 210 of
Principles of the swap gate implementation of
An alternative architecture for a multi-channel QSC system can test pairs of channels in parallel.
Analysis of QSC system 220 of
Starting with states |A> and |B> of Equation 9A, the operation of Hadamard gates 120 and 120′ transforms the state of the system as indicated in Equation 9B. Operation of controlled swap 250 then further transforms the state of the system to the form of Equation 9C, where exchanges among dummy indices i, j, r, and s are used to simplify the expression. Equation 9D indicates the output state |ψout> after operation of Hadamard gates 130 and 130′. If states |A> and |B> are the same, parameters Aif or Bij are equal for all i and j, and terms in Equation 9D associated with states |01> and |10> of channels C1″ and C2″ vanish identically. Accordingly, and output state |ψout> simplifies to the form of Equation 9E if states |A> and |B> are the same.
The second term in Equation 9E is zero for all i, j, r, and s if state |A> is an unentangled state, i.e., is a product state, but the second term has a non-zero value if state |A> is an entangled state. Accordingly, if states |A> and |B> are both unentangled states, all measurements X1 and X2 of the control channels will indicate the control channels C1″ and C2″ are in state |00> if states |A> and |B> are equal, and measurements X1 and X2 indicating control channels C1″ or C2″ are in state |01>, |10>, or |11> indicate that the unentangled states |A> and |B> are not equal.
If states |A> and |B> are entangled states, there is a non-zero probability that measurements X1 and X2 will indicate the corresponding control channels C1″ and C2″ are in state |1> even when states |A> and |B> are equal. QSC system 240 can thus be used as an entanglement detector. In particular, if QSC system 240 tests two copies of a state |A>, measurements X1 and X2 will always indicate that the respective control channels C1″ and C2″ are in state |00> if state |A> is an unentangled state. However, if state |A> is an entangled state, Equation 9E indicates there is a non-zero probability that measurements X1 and X2 will indicate that the control channels C1″ and C2″ is in state |11>. As a result, repeated testing of copies of a state |A> using QSC system 240 can distinguish to a high likelihood whether or not the state |A> is entangled. (An absence of any measurements X1 and X2 indicating control channels C1″ or C2″ are in state |01> or |10> provides confirmation that the input states are in fact equal.)
QSC system 240 operating as an entanglement detector as described above can detect entanglement of a pair of qubits. The architecture of QSC system 240 can be extended to test entanglements of three or more qubits using three or more measurements control channels.
In accordance with a further aspect of the invention, a QSC system can employ parity detection for comparisons of input states or entanglement detection.
Parity detector 310 determines whether the state of channel B′ contains an even number or odd number of photons. A measurement from parity detector 310 indicating an odd number of photons in channel B′ thus indicates that states |A> and |B> are not equal. A large number of repetitions of test of states |A> and |B> can thus determine to a high confidence level whether states |A> and |B> are equal. In an exemplary embodiment of the invention, parity detector 310 is a nonabsorbing, near-deterministic detector such as described in co-owned U.S. patent application Ser. No. 10/899,332, entitled “Nonlinear Electromagnetic Quantum Information Processing.” An advantage of using a nonabsorbing or nondestructive parity detector 310 is the output of photons on channels A″ and B″, for possible use elsewhere in a quantum information processing system. Alternatively, parity detector 310 can be an absorptive photon number detector, that absorbs photons in channel B′ and destroys the information in the input states, which may be desirable for security reasons.
Channels A′ and B′ after the measurement of channel B′ in parity detector 310 are the input channels to beam splitter 316. If parity detector 310 is nonabsorbing, beam splitter 316 will provide output photon states on output channels A″ and B″, and the output photons will be in states |A> and |B> if states are equal |A> and |B>. However, beam splitter 316 is not required for comparison of states |A> and |B>. Accordingly, beam splitter 316 may be omitted in embodiments of the invention where output photons are not required, for example, in systems where parity detector 310 is an absorptive photon detector.
Test systems using parity detection can be extended to test multi-channel input states |A> and |B> in a manner similar to the extension of QSC systems using measurement of the control qubits for one or more controlled swap gate.
The systems and processes for quantum state tests and comparisons described above are useful for the secure checking of quantum signatures.
The index i (1≦≦N) for quantum signature |ψi> is private (e.g., known only by sender 410), but sender 410 publicly distributes copies of quantum signature |ψi> to recipients 420. Sender 410 in general can send to each recipient 420 multiple copies of quantum signature |ψi> some or all of which are transmitted in parallel or in series. An important property here is that k copies of the quantum state quantum signature |ψi> give no more than k×log(D) qubits of information about the private index i. Since the index contains log(N) or typically about D bits of information, distribution of k quantum copies of quantum signature |ψi> is safe as long as the number k of copies is less than about D/log(D).
Recipients 420, which collectively have several public copies of signature |ψi>, request copies of the sender's signature from a validation service 430. Senders 420 then use QSC comparison systems 440 to verify that the quantum signatures associated with the message are the same as the signature from validation service 430.
To validate the quantum signature and/or the message, recipient 422 sends a query to a validation service 432 that has or can generate k copies of quantum signature |ψi>. In one embodiment, the query includes information from the sender's message, so that validation service 432 can use private information of sender 412 and the content of the message to generate the correct quantum signature |ψi>. Validation service 432 sends the k copies of quantum signature |ψi> to recipient 420. Recipient 422 can then use one or more comparison system 442 to perform k comparisons of the quantum signatures |ψi> from sender 412 to the quantum signatures |ψi> from validation service 432 and thus confirm to a high probability that the quantum signature |ψi> is valid. Recipient 422 can thus validate the identity of sender 412 and optionally confirm that the message was unaltered during transmission from sender 412. Additionally, the private information of sender 412 remains confidential to sender 412 and service 432 as long as public transmission of 2k copies of quantum signature |ψi> provides insufficient information for extraction of the private information.
In one variation of system 470, customer 414 gives certified copies 460 to bank 434 so that neither bank 434 nor vendor 424 has the private information of customer 414. Alternatively, both customer 414 and bank 434 have the same private information so that bank 434 can generate the k certified copies 460 based on the private information and on the order from vendor 424. Using QSC system 444 for quantum state comparison can then identify transactions that are invalid because customer 414 did not provide the quantum signature or because the order was altered after being placed by customer 414.
QSC comparisons can also be used for to provide data security in a system where the available dimension D of the quantum signature is small. For example, if each quantum signature is limited to being a qubit state, i.e., if dimension D of the quantum signature is two, four quantum signatures |ψ1>, |ψ2>, |ψ3>, and |Φ4> are available having inner products <ψi|ψj> equal to ⅓ for i not equal to j. Qubit signatures |ψ1>, |ψ2>, |ψ3>, and |ψ4> generally have coefficients corresponding to the vertices of a tetrahedron that is circumscribed by the unit sphere, while coefficients of a qubit generally correspond to a point on unit sphere.
In the illustrated embodiment of
Validation service 530 performs a comparison of quantum states |ψi> and |ψj> to check (probabilistically) that both parties 510 and 520 provided the same reply. An advantage of this protocol is that neither party 510 nor 520 publicly reveals any 2-bit answer. (Parties 510 and 520 only send one qubit of information per query.) Hence, neither party 510 nor 520 can wiretap the quantum transmission from the other party 520 or 510 and quickly repeat the information to fool validation service 530. The classical strings 512 and 522 can be arbitrarily long, making the number of different queries from verification service 530 large enough that no query will be used twice.
Another application of the controlled-swap test is efficient comparison of two unitary gates.
Corresponding channels of the output states of quantum gates 610 and 620 are applied to respective test system(s) 630. Observation of the control bit (or bits) can then probabilistically detect differences in the output states. In particular, if quantum gates 610 and 620 are identical and the input states |ψ> are identical, the output states from quantum gates 610 and 620 are identical, which gives a 100% probability of the measurement outcome in test systems 630 corresponding to control state |0> or even parity. If the input states |ψ> are identical but quantum gates 610 and 620 are not identical, repeated measurements will eventually produce an outcome corresponding in the control qubit state |1> or odd parity.
The controlled-swap system described above can also be use as an entanglement generator.
An input state to entanglement generator 700 is a product of a control qubit state |C> =|0>, a D-dimensional state |ψ>, and a D-dimensional state |ψ⊥> that is orthogonal to state |ψ>. As indicated by the left hand side of Equation 11, the output state of the coherent transformation (i.e., before detector 140 in entangler 700) is a maximally entangled state over the three parts (i.e., over the control channel and the two target channels). In each part, this entanglement occupies two dimensions, hence this state is equivalent (up to local transformations) to the GHZ state (|0,0,0>+|1,1,1>)/√{square root over (2)} if states |ψ> and |ψ⊥> represent qubits. Note therefore that the amount of entanglement between the two D-dimensional systems equals the entanglement of a single entangled pair and not of a full D-dimensional entangled state.
The measurement as shown in Equation 11 projects the transformed state to a state |ψ(X)), which depends on the measurement result X as indicated in Equations 12. If the measurement has an outcome corresponding to control bit state |0>, states |ψ> and |ψ⊥> are entangled in a two party way in an even parity state. If the measurement has an outcome corresponding to control bit state |1>, states |ψ> and |ψ⊥> entangled in a two party way into an odd parity state. If input states |ψ> and |ψ⊥> are not completely orthogonal, the output state will be less entangled, where the amount of entanglement equals the Von Neumann entropy of the mixed state |(|ψ><ψ|+|ψ⊥><ψ⊥|).
Although the invention has been described with reference to particular embodiments, the description is only an example of the invention's application and should not be taken as a limitation. Various adaptations and combinations of features of the embodiments disclosed are within the scope of the invention as defined by the following claims.